Fedora Account System
Red Hat Associate
Red Hat Customer
Dmitri Gribenko reported that the script used to launch Mozilla applications on Linux was effectively including the current working directory in the LD_LIBRARY_PATH environment variable. If an attacker was able to place into the current working directory a malicious shared library with the same name as a library that the bootstrapping script depends on the attacker could have their library loaded instead of the legitimate library.
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-71.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0780 https://rhn.redhat.com/errata/RHSA-2010-0780.html
This issue has been addressed in following products: Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Via RHSA-2010:0781 https://rhn.redhat.com/errata/RHSA-2010-0781.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2010:0782 https://rhn.redhat.com/errata/RHSA-2010-0782.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0861 https://rhn.redhat.com/errata/RHSA-2010-0861.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0896 https://rhn.redhat.com/errata/RHSA-2010-0896.html