Mandriva Linux Security Advisory 2010-241 - gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. The affected /usr/bin/gnc-test-env file has been removed to mitigate the vulnerability as gnc-test-env is only used for tests and while building gnucash. Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible with guile. This update adapts gnucash to the new API of guile.
6d0716a6b5cdf4bc7ce4efa4f7d8cfdf-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:241
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gnucash
Date : November 24, 2010
Affected: 2010.0, 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability was discovered and corrected in gnucash:
gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory (CVE-2010-3999).
The affected /usr/bin/gnc-test-env file has been removed to mitigate
the CVE-2010-3999 vulnerability as gnc-test-env is only used for
tests and while building gnucash.
Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible
with guile. This update adapts gnucash to the new API of guile.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999
https://qa.mandriva.com/59304
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.0:
56cf958fe980c5a0200c4ee9a83ea97f 2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm
c7479e27310a06eaf93a5eb0c0e858e5 2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm
1297d123c6f533b5430089bbdd82f43e 2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm
515b01c7d01e108712e9899f373142fa 2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm
d0df126101c1b36c12fa50368e08765c 2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm
3a9ea97884237c0806e30551cbde20de 2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm
9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
2a5205e0b385b3d075eba704b70fd546 2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm
8302623562d64617f4ea24ecb4435a63 2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm
dfe6fb4bb37b6e5d11655ceec2d769fb 2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm
618d692845b97a450222742901a544bc 2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm
9141713f798d366397a2ec986d1c21c0 2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm
a513d026d03c8de42580865b0b45e2bc 2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm
9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm
Mandriva Linux 2010.1:
4cb058dc1f74fef7b4b3eb3a696685d9 2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm
3331f3c7f123f22f513e5cd7806343fd 2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm
f59bc5b7fbfaf74d2c7b201ebb99da28 2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm
273cc89a4dc4853f14108a1a1943bb69 2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm
5af2c774e9eb77a8065bcc3f5a5d6a28 2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm
850779757f61e59053f2449df7ee8048 2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm
fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
a07444c2b30334707a51745bf76c6551 2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm
286b7a849261b8f1dc9c032b6e182a67 2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm
da91c9d1a6e5c5f8560ac4d9f8302304 2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm
9c7dd297b265a6eef2f23eeb05ffd290 2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm
6ef57480ae7da1991c101324430a961f 2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm
90f9563f9f323fe42f7d37ab12632bfd 2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm
fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFM7UwFmqjQ0CJFipgRAkssAJ0YVPrj6+kerANWGsZRfaDWfq18dgCguRgq
5kjT/nubYxdyH5aHKNUIuvs=
=JfiB
-----END PGP SIGNATURE-----
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!