Secure testing team - Aug 2010 - Bug#594414: CVE-2010-2945: insecure PATH assignment

Package: slim
Severity: grave
Tags: security

The following was reported to oss-security:

--

SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included ''./''. This allowed unintentional code execution
(e.g.
planted binary) and has been fixed by the developers in version 1.3.2.

Fix:
http://svn.berlios.de/wsvn/slim?op=comp&compare[]=/@170&compare[]=/@171

--

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, ''unstable'')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages slim depends on:
ii  debconf [debconf-2.0]         1.5.35     Debian configuration management sy
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.4.4-9  GCC support library
ii  libjpeg62                     6b1-1      The Independent JPEG
Group''s JPEG
ii  libpam0g                      1.1.1-4    Pluggable Authentication Modules l
ii  libpng12-0                    1.2.44-1   PNG library - runtime
ii  libstdc++6                    4.4.4-9    The GNU Standard C++ Library v3
ii  libx11-6                      2:1.3.3-3  X11 client-side library
ii  libxft2                       2.1.14-2   FreeType-based font drawing librar
ii  libxmu6                       2:1.0.5-1  X11 miscellaneous utility library

slim recommends no packages.

Versions of packages slim suggests:
pn  scrot                         <none>     (no description available)