From Gentoo bugzilla: /usr/bin/tomboy from app-misc/tomboy contains the line: export LD_LIBRARY_PATH="/usr/lib64/tomboy:$LD_LIBRARY_PATH" which yields LD_LIBRARY_PATH="/usr/lib64/tomboy:", which means that required libraries are also looked up in the current directory. In the case of tomboy, it is usually the user's home directory, but the user may run the application from directories like /tmp as well. If someone is able to copy bogus system libraries to this directory, the user could potentially run enemy code.
A CVE name for the issue has been requested.
This is covered by CVE-2005-4790, though it will most likely get another CVE name (as CVE-2005-4790 describes more unrelated issues and just for SuSE).
Please use CVE-2005-4790. Mitre person changed his mind and he will not assign another identifier.
This also needs fixing for F8 and devel. This is well over 2 months old. Please make an update as soon as possible!
CVE id CVE-2005-4790 actually covers this issue for three apps: (1) beagle, (2) tomboy, or (3) blam. beagle and tomboy are fixed and use ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}. Latest versions of blam are affected: /usr/bin/blam: LD_LIBRARY_PATH="/usr/lib/blam:/usr/lib/firefox-2.0.0.9:$LD_LIBRARY_PATH"
Upstream blam 1.8.4 contains an updated startup script, which addresses this issue.
Thanks, Tomas. Builds for Blam which include the upstream fix for it are churning through Koji now.
Fixed now also in Blam.
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-3792
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3798
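
Added example, not part of the bug comments and not the packages' own wrapper code: it compares the unconditional append from the report with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} form mentioned above and with the ${VAR:+...} variant, for an unset, an empty and a non-empty inherited value. The function names and the /opt/lib value are constructed for illustration; an empty entry in the search path is what the glibc loader treats as the current working directory.

```shell
# Constructed demo; /usr/lib64/tomboy is the directory named in the report.
APPDIR=/usr/lib64/tomboy

# True (0) when a colon-separated search path has an empty entry, which
# the glibc dynamic loader treats as the current working directory.
has_empty_entry() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Helper: $1 is "unset", "empty", or the inherited value to simulate.
set_inherited() {
    case $1 in
        unset) unset LD_LIBRARY_PATH ;;
        empty) LD_LIBRARY_PATH= ;;
        *)     LD_LIBRARY_PATH=$1 ;;
    esac
}

# Each builder runs in a subshell so the caller's environment is untouched.
build_unconditional() (   # pattern from the reported wrapper
    set_inherited "$1"
    printf '%s\n' "$APPDIR:$LD_LIBRARY_PATH"
)

build_plus() (            # ${VAR+...}: appends when the variable is set, even if empty
    set_inherited "$1"
    printf '%s\n' "$APPDIR${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
)

build_colon_plus() (      # ${VAR:+...}: appends only when set and non-empty
    set_inherited "$1"
    printf '%s\n' "$APPDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
)

# Print the resulting path and verdict for every pattern and inherited state.
for state in unset empty /opt/lib; do
    for fn in build_unconditional build_plus build_colon_plus; do
        p=$($fn "$state")
        if has_empty_entry "$p"; then verdict="searches cwd"; else verdict=ok; fi
        printf '%-20s inherited=%-8s -> %-28s %s\n' "$fn" "$state" "$p" "$verdict"
    done
done
```

The has_empty_entry check can be reused to audit other wrapper scripts: any constructed LD_LIBRARY_PATH with a leading, trailing or doubled colon is worth a look.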