unsafe use of dlopen(3)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
vde2 (Ubuntu) |
Triaged
|
Undecided
|
Unassigned |
Bug Description
TRY_DLOPEN("%s%s", modname, MODULES_EXT);
TRY_DLOPEN(
TRY_DLOPEN(
TRY_DLOPEN("%s%s", PLUGINS_DIR, modname);
TRY_DLOPEN(
It is generally considered poor form to load executable content from the current working directory (as this code does if getenv("HOME") fails), and loading code from a home directory seems suspect to me. However, I do not know the design well enough to make this determination myself.
Please consider if this is unsafe or intentional. If it is intentional, make sure that the documentation accurately reflects the risk of allowing executable content to exist in current working directories or home directories.
Changed in vde2 (Ubuntu): | |
status: | New → Triaged |
information type: | Private Security → Public Security |
https:/ /sourceforge. net/tracker/ ?func=detail& aid=3603899& group_id= 95403&atid= 611248