[Mono-bugs] [Bug 641915] New: Security hole: Mono should not search current directory for DLLs

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Sun Sep 26 06:48:04 EDT 2010


https://bugzilla.novell.com/show_bug.cgi?id=641915

https://bugzilla.novell.com/show_bug.cgi?id=641915#c0


           Summary: Security hole: Mono should not search current
                    directory for DLLs
    Classification: Mono
           Product: Mono: Runtime
           Version: 2.6.x
          Platform: Macintosh
        OS/Version: Mac OS X 10.6
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: misc
        AssignedTo: mono-bugs at lists.ximian.com
        ReportedBy: rb at ravenbrook.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us)
AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5

http://www.mono-project.com/DllNotFoundException explains that the mono runtime
searches the current working directory for DLLs.  This opens a serious security
hole.  Malicious code can be given the same name as a DLL and left in a
directory the user might visit.  Also, it means that no mono application can
safely set the current working directory.

Microsoft themselves addressed this issue in Windows
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

It's a well-known "dummies" question for Unix why you must not have "." on your
path
http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html

Mono is exposing users to these same old hat problems.

(As a related problem, many mono programs seem to *assume* that they will be
run with the CWD set to their installed directory, and break if it isn't.)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

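The following is an added example; it is not code from the bug report or from the Mono project. It models, in Python, the lookup behaviour the report objects to: a loader that probes the process's current working directory before the application's own directory, so a same-named file planted in any directory the user visits wins. The exact search order, the library name libfoo.so, the directory names and the file contents are all constructed for the demonstration and are not Mono's real resolution order. Beside it is the hardened order that never consults the CWD, and a small pre-chdir audit that reports which of an application's native dependency names already exist in a target directory.

```python
import os
import tempfile


def resolve_native_lib(name, search_dirs):
    """Return the first existing file named `name` in search_dirs, or None.

    Absolute names are used as-is. This models a loader that probes a list
    of directories in order; the first match wins, which is exactly what
    makes a user-writable directory dangerous when it is probed before the
    application's own directory.
    """
    if os.path.isabs(name):
        return name if os.path.isfile(name) else None
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def unsafe_search_dirs(app_dir, cwd):
    # Hypothetical order with the process CWD probed first (the behaviour
    # the report complains about). "/usr/lib" is a placeholder system dir.
    return [cwd, app_dir, "/usr/lib"]


def safe_search_dirs(app_dir):
    # Hardened order: the CWD is never consulted, so a planted file in a
    # directory the user happens to visit cannot shadow the real library.
    return [app_dir, "/usr/lib"]


def shadowed_libs(directory, lib_names):
    """Names in lib_names that already exist as files in `directory`.

    Useful as a pre-chdir audit: if an application cannot avoid a loader
    that probes the CWD, it can at least refuse to chdir into a directory
    that contains files named like its native dependencies.
    """
    return sorted(n for n in lib_names if os.path.isfile(os.path.join(directory, n)))


def demo():
    """Build an app dir holding the real libfoo.so and a user-writable dir
    holding a planted file of the same name, then compare both search
    orders. All paths and file contents are constructed placeholders."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "app")
        user_dir = os.path.join(root, "downloads")  # a dir the user might visit
        os.makedirs(app_dir)
        os.makedirs(user_dir)
        legit = os.path.join(app_dir, "libfoo.so")
        planted = os.path.join(user_dir, "libfoo.so")
        with open(legit, "w") as f:
            f.write("legitimate library (constructed placeholder)\n")
        with open(planted, "w") as f:
            f.write("attacker-controlled file (constructed placeholder)\n")

        # Simulate the process having chdir'd into the user's directory by
        # passing it as the CWD instead of calling os.chdir().
        unsafe = resolve_native_lib("libfoo.so", unsafe_search_dirs(app_dir, user_dir))
        safe = resolve_native_lib("libfoo.so", safe_search_dirs(app_dir))
        audit = shadowed_libs(user_dir, ["libfoo.so", "libbar.so"])
        return {
            "unsafe_picks_planted": unsafe == planted,
            "safe_picks_legit": safe == legit,
            "shadowed_in_cwd": audit,
        }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the CWD-first order resolving to the planted file while the hardened order resolves to the application's copy, and the audit flags libfoo.so as a name that would be shadowed in that directory. The practical fixes are the same ones the report points at: either the runtime drops the CWD from its probe list, or applications reference native libraries by absolute path and check a directory for shadowing names before changing into it.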