Public bug reported:

gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name in
the LD_LIBRARY_PATH, which allows local users to gain privileges via a
Trojan horse shared library in the current working directory.

The bug exists in src/gnome-shell.in in the following snippet.

232     pkgconfig = subprocess.Popen(['pkg-config', '--variable=sdkdir', 
'mozilla-js'],
233                                  stdout=subprocess.PIPE)
234     mozjs_sdkdir = pkgconfig.communicate()[0].strip()
235     pkgconfig.wait()
236     if pkgconfig.returncode == 0:
237         mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
238         if os.path.exists(mozjs_libdir + '/libmozjs.so'):
239             env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') 
+ ':' + mozjs_libdir

If LD_LIBRARY_PATH is not set, you have the empty field in the
LD_LIBRARY_PATH environment variable.

** Affects: gnome-shell (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: cve-2010-4000

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/930854

Title:
  gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name
  in the LD_LIBRARY_PATH

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/930854/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to