MDVSA-2010:241

Package name

gnucash

Date

2010-11-24

Advisory ID

MDVSA-2010:241

Affected versions

2010.1 x86_64 , 2010.1 i586 , 2010.0 x86_64 , 2010.0 i586

Problem description

A vulnerability was discovered and corrected in gnucash:

gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory (CVE-2010-3999).

The affected /usr/bin/gnc-test-env file has been removed to mitigate
the CVE-2010-3999 vulnerability as gnc-test-env is only used for
tests and while building gnucash.

Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible
with guile. This update adapts gnucash to the new API of guile.

Updated packages

2010.1 x86_64

 a07444c2b30334707a51745bf76c6551  2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm
 286b7a849261b8f1dc9c032b6e182a67  2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm
 da91c9d1a6e5c5f8560ac4d9f8302304  2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm
 9c7dd297b265a6eef2f23eeb05ffd290  2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm
 6ef57480ae7da1991c101324430a961f  2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm
 90f9563f9f323fe42f7d37ab12632bfd  2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm

2010.1 i586

 4cb058dc1f74fef7b4b3eb3a696685d9  2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm
 3331f3c7f123f22f513e5cd7806343fd  2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm
 f59bc5b7fbfaf74d2c7b201ebb99da28  2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm
 273cc89a4dc4853f14108a1a1943bb69  2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm
 5af2c774e9eb77a8065bcc3f5a5d6a28  2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm
 850779757f61e59053f2449df7ee8048  2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm

2010.0 x86_64

 2a5205e0b385b3d075eba704b70fd546  2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm
 8302623562d64617f4ea24ecb4435a63  2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm
 dfe6fb4bb37b6e5d11655ceec2d769fb  2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm
 618d692845b97a450222742901a544bc  2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm
 9141713f798d366397a2ec986d1c21c0  2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm
 a513d026d03c8de42580865b0b45e2bc  2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

2010.0 i586

 56cf958fe980c5a0200c4ee9a83ea97f  2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm
 c7479e27310a06eaf93a5eb0c0e858e5  2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm
 1297d123c6f533b5430089bbdd82f43e  2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm
 515b01c7d01e108712e9899f373142fa  2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm
 d0df126101c1b36c12fa50368e08765c  2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm
 3a9ea97884237c0806e30551cbde20de  2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999
• https://qa.mandriva.com/show_bug.cgi?id=59304