[Debian-ha-maintainers] Bug#598549: Bug#598549: cluster-agents: NMU diff for 1:1.0.3-3.1 (Intent to NMU)
Jari Aalto
jari.aalto at cante.net
Sun Oct 17 23:27:08 UTC 2010
Simon Horman <horms at verge.net.au> writes:
> On Sat, Oct 16, 2010 at 08:40:30PM +0300, jari.aalto at cante.net wrote:
>
>>
>> Dear maintainer,
>>
>> Here is the NMU diff according to DevRef 5.11.1[1][2] for bug: #598549.
>> See the debian/patches directory for the important fixes.
>>
>> Let me know if it's okay to proceed with the NMU.
>>
>> Thank you for maintaining the package,
>
> Hi Jari,
>
> It's unclear to me that this patch covers all cases.
>
> e.g.
>
> $ DIR_EXECUTABLE=/abc
> $ LD_LIBRARY_PATH="::"
> $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> /abc:::
>
> Am I missing something?

Nice catch. Here is an update that incorporates this:

    Ldpath ()
    {
        # Vulnerability fix for insecure library loading
        # Make sure "::", "^:" or ":$" is not in $LD_LIBRARY_PATH
        local tmp
        # Collapse each run of colons to a single one (so neighbouring
        # entries are not merged), then strip a leading or trailing colon
        tmp=$(echo "$LD_LIBRARY_PATH" | sed -e 's/::\+/:/g ; s/^:// ; s/:$//' )
        [ "$tmp" ] && echo "$tmp"
    }

    ( DIR_EXECUTABLE=/abc
      LD_LIBRARY_PATH="::"
      LD_LIBRARY_PATH="$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
      Ldpath
    )

    # => /abc

Jari
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cluster-agents_1.0.3-3--1.0.3-3.1.deb.diff
Type: text/x-diff
Size: 22679 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-ha-maintainers/attachments/20101018/fe37c621/attachment-0001.diff>
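
The case raised in this thread, as an added example that is not part of the original messages or of the cluster-agents package: a POSIX sh helper that removes every empty entry from a colon-separated library path by splitting it, so leading, trailing and doubled colons are all handled the same way and neighbouring directories are never merged. The function names `has_empty_entry`, `clean_ldpath` and `prepend_ldpath` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and sample paths are hypothetical.
# An empty entry in LD_LIBRARY_PATH (leading, trailing or doubled colon)
# makes the dynamic loader search the current working directory.

# has_empty_entry PATHLIST: succeed if PATHLIST contains an empty entry.
has_empty_entry() {
    case $1 in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# clean_ldpath PATHLIST: print PATHLIST with all empty entries removed.
clean_ldpath() {
    _in="$1:"                  # sentinel colon: last entry ends like the others
    _out=
    while [ -n "$_in" ]; do
        _entry=${_in%%:*}      # text before the first colon
        _in=${_in#*:}          # remainder after the first colon
        [ -n "$_entry" ] || continue
        _out="${_out:+$_out:}$_entry"
    done
    printf '%s' "$_out"
}

# prepend_ldpath DIR [PATHLIST]: put DIR first, then the cleaned PATHLIST.
prepend_ldpath() {
    clean_ldpath "$1:${2-}"
}

# Constructed sample values, matching the case discussed in the thread.
DIR_EXECUTABLE=/abc
SAMPLE_LD_LIBRARY_PATH="::"
if has_empty_entry "$SAMPLE_LD_LIBRARY_PATH"; then
    echo "empty entry found in: $SAMPLE_LD_LIBRARY_PATH" >&2
fi
echo "$(prepend_ldpath "$DIR_EXECUTABLE" "$SAMPLE_LD_LIBRARY_PATH")"
```

A wrapper script would export the value returned by `prepend_ldpath` rather than concatenating `$DIR_EXECUTABLE` and `$LD_LIBRARY_PATH` directly.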