Description: CVE-2017-10140: Reads DB_CONFIG from the current working directory Do not access DB_CONFIG when db_home is not set. Origin: vendor, https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch Bug-Debian: https://bugs.debian.org/872436 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464032 Bug-SuSE: https://bugzilla.novell.com/show_bug.cgi?id=1043886 Forwarded: no Author: Petr Kubat Reviewed-by: Salvatore Bonaccorso Last-Update: 2017-08-17 --- db-5.3.28/src/env/env_open.c.old 2017-06-26 10:32:11.011419981 +0200 +++ db-5.3.28/src/env/env_open.c 2017-06-26 10:32:46.893721233 +0200 @@ -473,7 +473,7 @@ env->db_mode = mode == 0 ? DB_MODE_660 : mode; /* Read the DB_CONFIG file. */ - if ((ret = __env_read_db_config(env)) != 0) + if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0) return (ret); /*
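Review bot: The comment `/* Read the DB_CONFIG file. */` directly above the changed `if` in env_open.c no longer matches the code, since the read is now skipped whenever `env->db_home` is NULL. Please update it to say so and to give the reason (with no home set, the file would be looked up in the current working directory, per the Description), so a later cleanup does not drop the guard. Two further points on the same line. First, the `&&` short-circuits, so `ret` is not assigned on the NULL path; it is worth confirming that nothing after this block reads `ret` expecting the value from `__env_read_db_config`. Second, the guard tests only for NULL, so whether an empty or relative `db_home` can still reach this call and resolve against the working directory depends on how `db_home` is populated earlier, which is not visible in this hunk and should be checked. This is also a behavior change for applications that open an environment without a home and relied on a DB_CONFIG in the working directory; their settings will now be ignored silently, which deserves a line in the changelog or documentation.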