Date: Tue, 12 May 2015 15:51:57 +0900
From: Mamoru TASAKA<>
To: ""<>
Cc: ""<>
Subject: CVE request for proxychains-ng : current path as the first directory for
 the library search path

Dear All:

Here I submit a CVE request for proxychains-ng as it is requested as

Sincerely yours,
Mamoru TASAKA <>

------- Forwarded Message
Date :Mon, 11 May 2015 23:49:57 -0600
Subject :Re: bug 1147013 : current path as the first directory for the library search path

On 05/11/2015 11:27 PM, Mamoru TASAKA wrote:
> Dear security responsible team:
> Please correct me if it is not suitable to contact you for the below case.
> I am currently reviewing new package's "Review Request" for
> proxychains-ng as
> Source available as
> Rebuilt proxychains-ng binary.rpm contains proxychains4,
> which firstly sets LD_PRELOAD to dlopen
> (contained in the same binary rpm) and execvp() the arbitrary
> command user has specified.
> Looking at the code, this program (proxychains4) sets the current
> directory as the first path to search ref:
> I would appreciate it if you would answer to me if this
> is permitted from the viewpoint of security.
> Sincerely yours,
> Mamoru TASAKA 

This is def a security flaw, similar to CVE-2009-0415 for example. Can
you please post a copy of this to
requesting a CVE # for this vulnerability? Also please use in future, it has a response SLA, this email address
does not. Thanks!

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
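
The flaw discussed in this thread is a preload library looked up in the current directory first. As an added example (not code from proxychains-ng or from either author), the C sketch below resolves the library only from absolute directories and rejects files that other users could have written; the library name, function names and directory list are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical library name, used only in this example. */
#define PRELOAD_LIB "libexample_preload.so"

/* Regular file, owned by root or the effective user, not group/other writable. */
static int file_is_acceptable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Write the first acceptable absolute path of `lib` into `out`.
 * Returns 0 on success, -1 if no candidate qualifies. */
int resolve_preload(const char *lib, const char *const dirs[], size_t ndirs,
                    char *out, size_t outlen)
{
    if (strchr(lib, '/') != NULL)
        ndirs = 0;              /* bare file names only, no path escapes */
    for (size_t i = 0; i < ndirs; i++) {
        /* "", "." and relative entries mean the caller's cwd: skip them. */
        if (dirs[i] == NULL || dirs[i][0] != '/')
            continue;
        int n = snprintf(out, outlen, "%s/%s", dirs[i], lib);
        if (n > 0 && (size_t)n < outlen && file_is_acceptable(out))
            return 0;
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed search list; the "." entry is skipped by design. */
    const char *const dirs[] = { ".", "/usr/lib", "/usr/local/lib" };
    char path[4096];
    int rc = resolve_preload(PRELOAD_LIB, dirs, 3, path, sizeof path);
    printf("%s\n", rc == 0 ? path : "no acceptable copy of the library found");
    return 0;
}
```

Only the resolved absolute path would then be placed in LD_PRELOAD, so a file of the same name in the directory the user happens to be in is never considered.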
