[Debian-ha-maintainers] Bug#598549: [Linux-ha-dev] Fwd: Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading
Simon Horman
horms at verge.net.au
Fri Oct 1 15:22:41 UTC 2010
On Fri, Oct 01, 2010 at 07:55:02PM +1000, Aníbal Monsalve Salazar wrote:
> On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> >I received this through the Debian bug tracker.
> >It's not immediately clear to me what an appropriate fix would be.
>
> The following diff shows how I fixed "qtparted: CVE-2010-3375: insecure
> library loading" bug.
>
> -export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
> +LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" )
> +if [ -n "$LD_LIBRARY_PATH" ]
> +then
> + export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
> +else
> + export LD_LIBRARY_PATH="$QTDIR/lib"
> +fi
> export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH
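Review bot: the `sed "s/\s//g"` on the first added line deletes every whitespace character from the whole value rather than only detecting an all-blank one, so an existing entry that contains a space is silently rewritten; and the `-n` test only covers the completely empty case, while a leading, trailing or doubled ":" already present in the inherited value (`/usr/lib:`) still leaves an empty element, which is the same ":." problem the surrounding text warns about. The `${VAR:+:}` form that appears in the upstream patch later in this thread removes the need for the sed/if/else block: `export LD_LIBRARY_PATH="$QTDIR/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. The unchanged `export PATH=...:$PATH` context line needs the same treatment.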
>
> Please note that if you also set PATH as above, you'll have to check
> $PATH before adding it with ":$PATH" to PATH.
>
> If $PATH is empty then ":$PATH" is equivalent to ":." and you don't want
> to add "." to the path search.
>
Thanks Aníbal,
poking a little further it seems that the problem has been addressed
by the following recent upstream patch. Do you have any thoughts on it?
# HG changeset patch
# User Dejan Muhamedagic <dejan at hello-penguin.com>
# Date 1284894558 -7200
# Node ID 2773e5850003fb90995a27811752224fde96c2b7
# Parent 9d67fff01b34e87b6a855f1ea9b8a8accb771680
Low: SAPDatabase,SAPInstance: improve LD_LIBRARY_PATH processing (bnc#640026)
diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPDatabase
--- a/heartbeat/SAPDatabase Thu Sep 16 09:48:04 2010 +0200
+++ b/heartbeat/SAPDatabase Sun Sep 19 13:09:18 2010 +0200
@@ -967,7 +967,8 @@
# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH
fi
sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
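Review bot: the `${LD_LIBRARY_PATH:+:}` change fixes the empty-variable case, but the guard on the unchanged `if` line keeps two weaknesses: `$LD_LIBRARY_PATH` and `$DIR_EXECUTABLE` are unquoted, and `$DIR_EXECUTABLE` is interpolated into a grep regex, so any `.` or other metacharacter in the path matches loosely and `\>` is a GNU grep extension; in addition, an empty element already present in the inherited value (`/usr/lib:` or `::`) is carried through unchanged and is still searched as the current directory. Consider quoting both expansions, comparing elements with a `case` statement or `grep -x -F` instead of a regex, and dropping empty elements before prepending. The same block is repeated verbatim in SAPInstance below; a single shared helper would keep the two copies from drifting apart.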
diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPInstance
--- a/heartbeat/SAPInstance Thu Sep 16 09:48:04 2010 +0200
+++ b/heartbeat/SAPInstance Sun Sep 19 13:09:18 2010 +0200
@@ -297,7 +297,8 @@
# as root user we need the library path to the SAP kernel to be able to call sapcontrol
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
- LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+ LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH
fi
sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
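A helper for the prepend operation both messages discuss, added here as an example; it is not code from the thread, cluster-agents or qtparted. `safe_prepend` and `has_empty_element` are hypothetical names, `/opt/sap/exe` stands in for `$DIR_EXECUTABLE`, and the sample values are constructed. It goes slightly beyond the upstream patch by also dropping empty and whitespace-only elements already present in the inherited value and by de-duplicating the directory instead of grepping for it:

```shell
#!/bin/sh
# Added example, not code from the thread, cluster-agents or qtparted.
# safe_prepend DIR VALUE: print VALUE with DIR placed once at the front and
# with every empty or whitespace-only element removed. An empty element in
# LD_LIBRARY_PATH or PATH (leading ":", trailing ":" or "::") is searched as
# the current directory, which is the root of CVE-2010-3389.
# safe_prepend and has_empty_element are hypothetical helper names.
safe_prepend() {
    dir=$1
    cur=$2
    new=""
    old_ifs=$IFS
    IFS=:
    set -f                      # no pathname expansion while splitting on ':'
    for elem in $cur; do
        # drop empty elements (implicit cwd) and all-blank ones
        case $elem in
            *[![:space:]]*) ;;
            *) continue ;;
        esac
        # drop an existing copy of DIR so it ends up exactly once, in front
        [ "$elem" != "$dir" ] || continue
        new="${new:+$new:}$elem"
    done
    set +f
    IFS=$old_ifs
    # ${new:+:} expands to ":" only when $new is non-empty (the idiom from the
    # upstream patch), so the result never ends in a trailing ":".
    printf '%s\n' "$dir${new:+:}$new"
}

# has_empty_element VALUE: succeed (exit 0) when VALUE contains an empty
# element, i.e. an implicit search of the current directory. A completely
# empty VALUE is not an element list at all and is reported as clean.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Constructed sample values; /opt/sap/exe stands in for $DIR_EXECUTABLE.
for v in "" "/usr/lib:" ":/usr/lib::/lib" "/usr/lib:/opt/sap/exe"; do
    printf '%-24s -> %s\n' "'$v'" "$(safe_prepend /opt/sap/exe "$v")"
done
```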