Public bug reported:

gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

The bug exists in src/gnome-shell.in in the following snippet.

    pkgconfig = subprocess.Popen(['pkg-config', '--variable=sdkdir', 'mozilla-js'],
                                 stdout=subprocess.PIPE)
    mozjs_sdkdir = pkgconfig.communicate()[0].strip()
    pkgconfig.wait()
    if pkgconfig.returncode == 0:
        mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
        if os.path.exists(mozjs_libdir + '/libmozjs.so'):
            env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir

If LD_LIBRARY_PATH is not set, you have an empty field in the LD_LIBRARY_PATH environment variable.

** Affects: gnome-shell (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: cve-2010-4000

https://bugs.launchpad.net/bugs/930854

Title:
  gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name in the LD_LIBRARY_PATH
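
Added example, not part of the original report and not gnome-shell code: the concatenation pattern from the snippet next to a variant that never emits a zero-length entry, plus a check for empty fields in an existing value. The function names and the sample directories are hypothetical and constructed for illustration.

```python
def vulnerable_join(current, new_dir):
    """The pattern from the report: unconditional concatenation with ':'."""
    return current + ':' + new_dir


def empty_fields(value):
    """Return the indexes of zero-length entries in a colon-separated path list.

    The dynamic linker resolves each zero-length entry to the current
    working directory. A wholly empty value is treated here as having
    no entries (an assumption of this example).
    """
    if not value:
        return []
    return [i for i, field in enumerate(value.split(':')) if field == '']


def safe_append(current, new_dir):
    """Append new_dir, dropping empty entries so no field maps to the CWD."""
    if not new_dir:
        raise ValueError('new_dir must be a non-empty path')
    # Filter out leading, trailing and doubled-colon empty fields.
    fields = [f for f in (current or '').split(':') if f]
    if new_dir not in fields:
        fields.append(new_dir)
    return ':'.join(fields)


if __name__ == '__main__':
    libdir = '/usr/lib/xulrunner'          # constructed sample value
    for existing in ('', '/opt/lib', '/opt/lib::/usr/local/lib:'):
        bad = vulnerable_join(existing, libdir)
        good = safe_append(existing, libdir)
        print('existing=%r' % existing)
        print('  concatenated: %r empty fields at %s' % (bad, empty_fields(bad)))
        print('  filtered:     %r empty fields at %s' % (good, empty_fields(good)))
```
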