Ubuntu
vdr package

Comment 10 for bug 930700

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-02-15:

#10

This bug was fixed in the package vdr - 1.6.0-18ubuntu1.1

---------------
vdr (1.6.0-18ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a
    zero-length directory name in the LD_LIBRARY_PATH, which allows local users
    to gain privileges via a Trojan horse shared library in the current working
    directory. (LP: #930700)
    - http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/24#debian/vdrleaktest
      and
      http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/natty/vdr/natty/revision/25#debian/vdrleaktest
    - debian/vdrtestleak: changed to set LD_LIBRARY_PATH securely
    - CVE-2010-3387
-- Zubin Mithra <email address hidden> Tue, 14 Feb 2012 10:38:34 -0800