Public bug reported:
gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name in
the LD_LIBRARY_PATH, which allows local users to gain privileges via a
Trojan horse shared library in the current working directory.
The bug exists in src/gnome-shell.in in the following snippet.
232 pkgconfig = subprocess.Popen(['pkg-config', '--variable=sdkdir',
'mozilla-js'],
233 stdout=subprocess.PIPE)
234 mozjs_sdkdir = pkgconfig.communicate()[0].strip()
235 pkgconfig.wait()
236 if pkgconfig.returncode == 0:
237 mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
238 if os.path.exists(mozjs_libdir + '/libmozjs.so'):
239 env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '')
+ ':' + mozjs_libdir
If LD_LIBRARY_PATH is not set, you have the empty field in the
LD_LIBRARY_PATH environment variable.
** Affects: gnome-shell (Ubuntu)
Importance: Undecided
Status: New
** Tags: cve-2010-4000
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/930854
Title:
gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name
in the LD_LIBRARY_PATH
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/930854/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
