FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-0883

This CVE name corresponds to:

Entered Topic
2012-08-01 Apache -- Insecure LD_LIBRARY_PATH handling

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2012-0883
Phase Assigned (20120119)

Description

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
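The following shell sketch is an added example, not code from Apache httpd or from this VuXML entry. It shows how an unconditional prepend produces the zero-length entry described above, next to a guarded form that avoids it, plus a check for empty entries in any colon-separated search path. The function names and the library directory /opt/example/lib are assumptions made for illustration.

```shell
#!/bin/sh
# Count zero-length entries in a colon-separated search path.
# Per the description above, a zero-length entry in LD_LIBRARY_PATH makes
# the current working directory part of the library search path.
count_empty_entries() {
    path=$1
    n=0
    if [ -n "$path" ]; then
        # Sentinel colon so a trailing ':' shows up as a final empty field.
        rest="$path:"
        while [ -n "$rest" ]; do
            entry=${rest%%:*}
            rest=${rest#*:}
            if [ -z "$entry" ]; then
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# Constructed weak pattern: always prepend "libdir:" to the old value.
# With the old value unset or empty this yields "libdir:" (trailing empty entry).
build_weak() {
    printf '%s\n' "$1:$2"
}

# Guarded pattern: append the old value only when it is non-empty.
build_safe() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

# Demonstration with a constructed directory and an empty previous value.
libdir=/opt/example/lib
weak=$(build_weak "$libdir" "")
safe=$(build_safe "$libdir" "")
echo "weak: '$weak' empty entries: $(count_empty_entries "$weak")"
echo "safe: '$safe' empty entries: $(count_empty_entries "$safe")"
# Audit the environment this script was started with.
echo "current LD_LIBRARY_PATH empty entries: $(count_empty_entries "${LD_LIBRARY_PATH-}")"
```

The same check applies to a leading colon or a doubled colon, which also produce a zero-length entry.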

References

Source Reference
MLIST [dev] 20120417 [ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released
CONFIRM http://svn.apache.org/viewvc?view=revision&revision=1296428
CONFIRM http://www.apache.org/dist/httpd/Announcement2.4.html
CONFIRM http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
CONFIRM http://support.apple.com/kb/HT5880
APPLE APPLE-SA-2013-09-12-1
HP HPSBUX02791
HP SSRT100856
HP HPSBMU02900
HP SSRT101209
SUSE openSUSE-SU-2013:0243
SUSE openSUSE-SU-2013:0248
SECTRACK 1026932
SECUNIA 48849