| Bug ID | 931208 |
|---|---|
| Summary | VUL-0: CVE-2015-3887: Re: CVE request for proxychains-ng : current path as the first directory for the library search path |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | 13.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Maintenance |
| Assignee | bnc-team-screening@forge.provo.novell.com |
| Reporter | abergmann@suse.com |
| QA Contact | qa-bugs@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
Via oss-security. http://seclists.org/oss-sec/2015/q2/415 ... proxychains4, which firstly sets LD_PRELOAD to dlopen libproxychains4.so (contained in the same binary rpm) and execvp() the arbitrary command user has specified. Looking at the code, this program (proxychains4) sets the current directory as the first path to search libproxychains4.so. ref: https://github.com/rofl0r/proxychains-ng/blob/master/src/main.c#L35 Use CVE-2015-3887. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3887 http://seclists.org/oss-sec/2015/q2/430 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3887 https://bugzilla.redhat.com/show_bug.cgi?id=1147013