List: oss-security
Subject: Re: [oss-security] CVE request: mono loading shared libs from cwd
From: Thomas Biege <thomas () suse ! de>
Date: 2010-11-10 14:25:01
Message-ID: 201011101525.01464.thomas () suse ! de
Forgot to add:
http://lists.ximian.com/pipermail/mono-patches/2010-October/177900.html
On Wednesday, 10 November 2010, 15:18:26, Thomas Biege wrote:
> Hello folks,
>
> from our bugzilla.
>
> "
> http://www.mono-project.com/DllNotFoundException explains that the mono
> runtime searches the current working directory for DLLs. This opens a
> serious security hole. Malicious code can be given the same name as a DLL
> and left in a directory the user might visit. Also, it means that no mono
> application can safely set the current working directory.
>
> Microsoft themselves addressed this issue in Windows
> http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
>
> It's a well-known "dummies" question for Unix why you must not have "." on
> your path:
> http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html
>
> Mono is exposing users to these same old hat problems.
>
> (As a related problem, many mono programs seem to *assume* that they will
> be run with the CWD set to their installed directory, and break if it
> isn't.) "
>
> Filed by Richard Brooksby.
>
--
Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Whoever stops wanting to get better stops being good.
-- Marie von Ebner-Eschenbach
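To make the search-order problem from the report concrete, here is an added Python example; it is not Mono's code and not part of the thread. It has three parts: a first-match library resolver that, like PATH, treats an empty or "." entry as the current working directory; an audit function that flags such entries, other relative entries, and world-writable directories without the sticky bit; and a constructed scenario in a temporary directory where a planted libfoo.so in a directory the user "visits" shadows the trusted copy when the cwd is searched first. Mono's real lookup order is not reproduced, and the file names and directory layout are constructed for the demonstration.

```python
"""Audit a library search path for entries that let a file planted in the
current working directory (or in any attacker-writable directory) shadow a
legitimate shared library.

Added example. The resolution order and the audit heuristics are
assumptions for illustration, not Mono's actual loader logic.
"""
import os
import stat
import tempfile
from typing import List, Optional


def unsafe_entries(search_path: List[str]) -> List[str]:
    """Return descriptions of search-path entries an attacker may control.

    Flagged: an empty entry or "." (both mean the current working directory,
    the problem reported for Mono above), any other relative entry (it is
    also resolved against the cwd), and any existing directory that is
    world-writable without the sticky bit (anyone can drop a file there).
    """
    findings = []
    for entry in search_path:
        if entry in ("", "."):
            findings.append(f"{entry!r}: resolves to the current working directory")
        elif not os.path.isabs(entry):
            findings.append(f"{entry!r}: relative entry, resolved against the cwd")
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(f"{entry!r}: world-writable directory without sticky bit")
    return findings


def resolve_library(name: str, search_path: List[str]) -> Optional[str]:
    """First-match lookup of `name` along `search_path`, as a naive loader
    does it. An empty entry is treated as the cwd (PATH semantics)."""
    for entry in search_path:
        directory = entry if entry else "."
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return os.path.realpath(candidate)
    return None


def shadowing_demo() -> dict:
    """Constructed scenario: a trusted lib dir holds libfoo.so and a directory
    the user 'visits' holds a planted file of the same name. Reports which copy
    a cwd-first search returns versus a search limited to absolute directories."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "usr", "lib")
        visited = os.path.join(root, "home", "user", "Downloads")
        os.makedirs(trusted)
        os.makedirs(visited)
        with open(os.path.join(trusted, "libfoo.so"), "wb") as f:
            f.write(b"legitimate")          # constructed stand-in for the real library
        with open(os.path.join(visited, "libfoo.so"), "wb") as f:
            f.write(b"planted")             # constructed stand-in for attacker code

        old_cwd = os.getcwd()
        os.chdir(visited)                   # the user "visits" the directory
        try:
            cwd_first = resolve_library("libfoo.so", ["", trusted])
            absolute_only = resolve_library("libfoo.so", [trusted])
        finally:
            os.chdir(old_cwd)

        return {
            "cwd_first_is_planted": os.path.dirname(cwd_first) == os.path.realpath(visited),
            "absolute_only_is_trusted": os.path.dirname(absolute_only) == os.path.realpath(trusted),
            "findings": unsafe_entries(["", trusted]),
        }


if __name__ == "__main__":
    for key, value in shadowing_demo().items():
        print(f"{key}: {value}")
```

The fix the demo points at is the one the report implies: resolve native libraries only from absolute, non-writable directories (or by full path), and never let the process's current directory take part in the search.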