Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3364 to the following vulnerability:

The vips-7.22 script in VIPS 7.22.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296

Affected versions:
=================
This issue affects the versions of the vips package, as shipped with Fedora of release:

1, 12. Relevant script is in BUILD/vips-7.18.2/src/scripts/vips-7.18
   Affected code line being:

   108 export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

2, 13. Relevant script is in BUILD/vips-7.20.7/tools/scripts/vips-7.20
   Affected code line being:

   108 export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

The above used re-setting of LD_LIBRARY_PATH variable is insecure. Tomas Hoger suggests (https://bugzilla.redhat.com/show_bug.cgi?id=638384#c2) the following one-liner as a solution:

   export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

You can also query Red Hat Bugzilla system for "insecure library loading vulnerability" string, to get further information about all affected packages and particular patches.

F-14 and F-15 pre-versions of vips (vips-7.22.2-1.fc14.2 and vips-7.22.2-3.fc15) are affected by this deficiency too, just the particular vulnerable script has different name and location.
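The following is an added example, not part of the original report or of the vips scripts. It contrasts the unconditional append from the affected line with the `${VAR:+:$VAR}` form from the suggested fix, and checks each result for a zero-length path element. The function names and the `VIPSHOME` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample values are constructed.

# Return 0 if a colon-separated search path contains a zero-length element
# (leading colon, trailing colon, or two adjacent colons). Such an element
# is interpreted as the current working directory.
has_empty_element() {
    case "$1" in
        "")          return 1 ;;  # no elements at all
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Pattern of the affected line: the colon is always emitted, so an empty
# or unset previous value leaves a trailing zero-length element.
# $1 = directory to add, $2 = previous value (may be empty)
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Pattern of the suggested fix: ${2:+:$2} expands to ":<previous>" only
# when the previous value is set and non-empty, otherwise to nothing.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

VIPSHOME=/opt/vips   # constructed sample value

# Compare both patterns with an empty and a non-empty previous value.
for previous in "" "/usr/local/lib"; do
    for builder in prepend_unsafe prepend_safe; do
        result=$("$builder" "$VIPSHOME/lib" "$previous")
        if has_empty_element "$result"; then
            echo "$builder previous='$previous' -> '$result' (zero-length element)"
        else
            echo "$builder previous='$previous' -> '$result' (ok)"
        fi
    done
done
```

The same `has_empty_element` check can be applied to `$LD_LIBRARY_PATH` at the end of a wrapper script to confirm that the value it exports has no empty component.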
Created vips tracking bugs for this issue

Affects: fedora-all [bug 645472]
All currently-supported versions of Fedora ship a newer vips without this vulnerability.