[Mono-bugs] [Bug 75786][Maj] New - Mono strong naming loader will
load assemblies that do not match manifest
bugzilla-daemon at bugzilla.ximian.com
bugzilla-daemon at bugzilla.ximian.com
Thu Aug 11 16:07:35 EDT 2005
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by paul.betts at gmail.com.
http://bugzilla.ximian.com/show_bug.cgi?id=75786
--- shadow/75786 2005-08-11 16:07:35.000000000 -0400
+++ shadow/75786.tmp.28182 2005-08-11 16:07:35.000000000 -0400
@@ -0,0 +1,48 @@
+Bug#: 75786
+Product: Mono: Runtime
+Version: 1.1
+OS:
+OS Details:
+Status: NEW
+Resolution:
+Severity:
+Priority: Major
+Component: JIT
+AssignedTo: mono-bugs at ximian.com
+ReportedBy: Paul.Betts at Gmail.com
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: Mono strong naming loader will load assemblies that do not match manifest
+
+Description of Problem:
+One of the features of strong naming in .NET is that if an EXE and its DLLs
+are strongly named, it is guaranteed that DLLs cannot be swapped out for
+another DLL with the different code, even if the version and public key are
+the same. This ensures that an application cannot be subverted using a
+malicious DLL.
+
+Mono currently loads the DLL anyways, even though it does not match the one
+it was compiled against. This is a security hazard if application
+developers are trusting that this behavior is as it is on .NET.
+
+Steps to reproduce the problem:
+1. Build a strongly-named EXE that uses a strongly-named DLL
+2. Create a DLL with the same Name, Version, and .snk file
+3. Swap out the original DLL with the new DLL.
+
+Actual Results:
+Mono executes it without complaint
+
+Expected Results (from .NET):
+System.IO.FileLoadException: The located assembly's manifest definition
+with name '<the DLL>' does not match the assembly reference.
+
+How often does this happen?
+Always
+
+Additional Information:
+Unfortunately, fixing this will exacerbate the current problems regarding
+DLL versioning issues, but it is definitely a security issue that needs to
+be addressed.
More information about the mono-bugs
mailing list