what you don't know can hurt you

Mandriva Linux Security Advisory 2010-241

Mandriva Linux Security Advisory 2010-241
Posted Nov 24, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-241 - gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. The affected /usr/bin/gnc-test-env file has been removed to mitigate the vulnerability as gnc-test-env is only used for tests and while building gnucash. Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible with guile. This update adapts gnucash to the new API of guile.

tags | advisory, local, trojan
systems | linux, mandriva
advisories | CVE-2010-3999
MD5 | 6d0716a6b5cdf4bc7ce4efa4f7d8cfdf

Mandriva Linux Security Advisory 2010-241

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:241
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gnucash
Date : November 24, 2010
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

A vulnerability was discovered and corrected in gnucash:

gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory (CVE-2010-3999).

The affected /usr/bin/gnc-test-env file has been removed to mitigate
the CVE-2010-3999 vulnerability as gnc-test-env is only used for
tests and while building gnucash.

Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible
with guile. This update adapts gnucash to the new API of guile.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999
https://qa.mandriva.com/59304
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.0:
56cf958fe980c5a0200c4ee9a83ea97f 2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm
c7479e27310a06eaf93a5eb0c0e858e5 2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm
1297d123c6f533b5430089bbdd82f43e 2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm
515b01c7d01e108712e9899f373142fa 2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm
d0df126101c1b36c12fa50368e08765c 2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm
3a9ea97884237c0806e30551cbde20de 2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm
9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
2a5205e0b385b3d075eba704b70fd546 2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm
8302623562d64617f4ea24ecb4435a63 2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm
dfe6fb4bb37b6e5d11655ceec2d769fb 2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm
618d692845b97a450222742901a544bc 2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm
9141713f798d366397a2ec986d1c21c0 2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm
a513d026d03c8de42580865b0b45e2bc 2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm
9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

Mandriva Linux 2010.1:
4cb058dc1f74fef7b4b3eb3a696685d9 2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm
3331f3c7f123f22f513e5cd7806343fd 2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm
f59bc5b7fbfaf74d2c7b201ebb99da28 2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm
273cc89a4dc4853f14108a1a1943bb69 2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm
5af2c774e9eb77a8065bcc3f5a5d6a28 2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm
850779757f61e59053f2449df7ee8048 2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm
fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm

Mandriva Linux 2010.1/X86_64:
a07444c2b30334707a51745bf76c6551 2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm
286b7a849261b8f1dc9c032b6e182a67 2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm
da91c9d1a6e5c5f8560ac4d9f8302304 2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm
9c7dd297b265a6eef2f23eeb05ffd290 2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm
6ef57480ae7da1991c101324430a961f 2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm
90f9563f9f323fe42f7d37ab12632bfd 2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm
fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFM7UwFmqjQ0CJFipgRAkssAJ0YVPrj6+kerANWGsZRfaDWfq18dgCguRgq
5kjT/nubYxdyH5aHKNUIuvs=
=JfiB
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    8 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close