[Mono-bugs] [Bug 75786][Maj] New - Mono strong naming loader will load assemblies that do not match manifest

bugzilla-daemon at bugzilla.ximian.com
Thu Aug 11 16:07:35 EDT 2005


Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by paul.betts at gmail.com.

http://bugzilla.ximian.com/show_bug.cgi?id=75786

--- shadow/75786	2005-08-11 16:07:35.000000000 -0400
+++ shadow/75786.tmp.28182	2005-08-11 16:07:35.000000000 -0400
@@ -0,0 +1,48 @@
+Bug#: 75786
+Product: Mono: Runtime
+Version: 1.1
+OS: 
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Major
+Component: JIT
+AssignedTo: mono-bugs at ximian.com                            
+ReportedBy: Paul.Betts at Gmail.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: Mono strong naming loader will load assemblies that do not match manifest
+
+Description of Problem:
+One of the features of strong naming in .NET is that if an EXE and its DLLs
+are strongly named, it is guaranteed that DLLs cannot be swapped out for
+another DLL with the different code, even if the version and public key are
+the same. This ensures that an application cannot be subverted using a
+malicious DLL. 
+
+Mono currently loads the DLL anyways, even though it does not match the one
+it was compiled against. This is a security hazard if application
+developers are trusting that this behavior is as it is on .NET.
+
+Steps to reproduce the problem:
+1. Build a strongly-named EXE that uses a strongly-named DLL 
+2. Create a DLL with the same Name, Version, and .snk file
+3. Swap out the original DLL with the new DLL.
+
+Actual Results:
+Mono executes it without complaint
+
+Expected Results (from .NET):
+System.IO.FileLoadException: The located assembly's manifest definition
+with name '<the DLL>' does not match the assembly reference.
+
+How often does this happen? 
+Always
+
+Additional Information:
+Unfortunately, fixing this will exacerbate the current problems regarding
+DLL versioning issues, but it is definitely a security issue that needs to
+be addressed.
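
Review bot: The header fields and the reproduction steps leave this report hard to triage. OS, OS Details and Severity are empty, and Component is set to JIT although the Summary describes the assembly loader. Steps 1 to 3 also do not say how the replacement DLL differs from the original beyond sharing Name, Version and .snk file, and "Version: 1.1" is the only runtime detail given. Attaching both DLLs (or their sources and build commands), the exact Mono build used, and the full .NET exception trace quoted under Expected Results would let a maintainer confirm which part of the assembly reference is expected to mismatch and add a regression test for it.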

