[Mono-bugs] [Bug 641915] New: Security hole: Mono should not search current directory for DLLs
bugzilla_noreply at novell.com
Sun Sep 26 06:48:04 EDT 2010
https://bugzilla.novell.com/show_bug.cgi?id=641915
https://bugzilla.novell.com/show_bug.cgi?id=641915#c0
Summary: Security hole: Mono should not search current directory for DLLs
Classification: Mono
Product: Mono: Runtime
Version: 2.6.x
Platform: Macintosh
OS/Version: Mac OS X 10.6
Status: NEW
Severity: Normal
Priority: P5 - None
Component: misc
AssignedTo: mono-bugs at lists.ximian.com
ReportedBy: rb at ravenbrook.com
QAContact: mono-bugs at lists.ximian.com
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us)
AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
http://www.mono-project.com/DllNotFoundException explains that the mono runtime
searches the current working directory for DLLs. This opens a serious security
hole. Malicious code can be given the same name as a DLL and left in a
directory the user might visit. Also, it means that no mono application can
safely set the current working directory.
Microsoft themselves addressed this issue in Windows:
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
It's a well-known "dummies" question for Unix why you must not have "." on your
path:
http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html
Mono is exposing users to these same old hat problems.
(As a related problem, many mono programs seem to *assume* that they will be
run with the CWD set to their installed directory, and break if it isn't.)
Reproducible: Always
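The two hazards the report describes (a "." or relative entry on PATH, and a same-named library planted in whatever directory the user has cd'ed into, where a loader that probes the current directory picks it up) can both be audited from a shell. The script below is an added example; it is not from the bug report or from the Mono project. It assumes, as the report states, that the loader's probe order includes the current working directory, and it only inspects directory contents: it does not model Mono's full probe order. The directory names (app, downloads, libfoo.dll) are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helpers (not from the bug report or the Mono project).
# path_cwd_entries: report PATH entries that resolve to the current directory.
# shadowed_libs:    report files in a working directory that a CWD-first loader
#                   would pick up instead of the same-named library in an
#                   application's install directory.
# Both only inspect directories; the probe order of the Mono runtime is
# assumed to include the current directory, as the bug report states.

# Print every entry of a PATH-style string that resolves to the current
# directory: an empty entry, ".", "./..." or any other relative entry.
# Exit status 0 if at least one such entry was found, 1 otherwise.
path_cwd_entries() {
    rest="$1:"
    found=1
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}        # everything after it
        case "$entry" in
            "")    echo "(empty entry)"; found=0 ;;
            .|./*) echo "$entry"; found=0 ;;
            /*)    ;;          # absolute entry: unaffected by the CWD
            *)     echo "$entry (relative)"; found=0 ;;
        esac
    done
    return $found
}

# Print "<cwd file> shadows <installed library>" for each .dll/.so/.dylib in
# the install directory ($1) that also exists by name in the working
# directory ($2, default "."). Exit status 0 if anything shadows, 1 otherwise.
shadowed_libs() {
    install_dir=$1
    cwd=${2:-.}
    # Running from the install directory itself cannot shadow anything.
    if [ "$(cd "$install_dir" && pwd -P)" = "$(cd "$cwd" && pwd -P)" ]; then
        return 1
    fi
    n=0
    for lib in "$install_dir"/*.dll "$install_dir"/*.so "$install_dir"/*.dylib; do
        [ -e "$lib" ] || continue      # glob pattern matched nothing
        name=${lib##*/}
        if [ -e "$cwd/$name" ]; then
            echo "$cwd/$name shadows $lib"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# Example run: the live PATH, then a constructed layout with a planted DLL.
if path_cwd_entries "$PATH"; then
    echo "PATH resolves the current directory: a planted binary there can be run"
fi
demo=$(mktemp -d)                       # constructed sample layout
mkdir "$demo/app" "$demo/downloads"
: > "$demo/app/libfoo.dll"              # the installed library
: > "$demo/downloads/libfoo.dll"        # same-named file where the user cd's
if shadowed_libs "$demo/app" "$demo/downloads"; then
    echo "a CWD-first loader started in $demo/downloads would load the wrong libfoo.dll"
fi
rm -rf "$demo"
```

The shadow check is the one to run from an application's startup directory before it changes the working directory, since the report's point is that changing CWD is exactly what makes the planted copy reachable. Pinning a DllImport name to an absolute target (Mono's dllmap configuration allows that) sidesteps the search order altogether; that mitigation is my suggestion, not something the report proposes.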