[Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading
Simon Horman
horms at verge.net.au
Tue Oct 19 14:05:57 UTC 2010
On Tue, Oct 19, 2010 at 01:40:38PM +0300, Jari Aalto wrote:
>
> Simon Horman <horms at verge.net.au> writes:
> > It's unclear to me that this patch covers all cases.
> >
> > e.g
> >
> > $ DIR_EXECUTABLE=/abc
> > $ LD_LIBRARY_PATH="::"
> > $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> > /abc:::
> >
> > Am I missing something?
>
> Julien Cristau from release team suggests that:
>
> IRC #debian-qa
>
> <jcristau> if the user set LD_LIBRARY_PATH="::" then they shot
> themselves in the foot, and you're not
> supposed to clean up after them.
>
> So, we revert back to the simple approach:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549#40
If that is fine by them, it's fine by me too.
I'm now comfortable with this upload.
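As an added example (not code from the bug report, the cluster-agents package or any participant in this thread), the POSIX shell below puts the simple construction quoted above next to a variant that drops empty and relative entries before the value reaches the dynamic loader. The function names, the `has_unsafe_entry` check and the sample values are constructed for illustration:

```shell
#!/bin/sh
# Added example, not part of the bug report or the cluster-agents package.
# An empty element in LD_LIBRARY_PATH ("", as in "::" or a leading/trailing
# colon) makes the dynamic loader search the current working directory, which
# is the insecure library loading behind this class of bug.

# The simple approach from the thread: prepend DIR_EXECUTABLE and keep the
# user's value untouched, so any empty elements they set are passed through.
simple_ld_path() {
    dir_executable=$1
    user_path=$2
    printf '%s\n' "${dir_executable}${user_path:+:$user_path}"
}

# Hardened variant (constructed): walk the user's value element by element
# and keep only absolute paths, so "", "." and relative entries are dropped.
# Parameter expansion is used instead of IFS splitting to avoid globbing.
sanitized_ld_path() {
    result=$1
    rest=$2
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        if [ "$rest" = "$entry" ]; then
            rest=
        else
            rest=${rest#*:}
        fi
        case $entry in
            /*) result="$result:$entry" ;;
            *)  ;;  # empty or relative element: discard
        esac
    done
    printf '%s\n' "$result"
}

# Detection helper (constructed): returns 0 if the value contains an empty
# or relative element, i.e. the "shot themselves in the foot" case.
has_unsafe_entry() {
    rest=$1
    [ -z "$rest" ] && return 1
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        if [ "$rest" = "$entry" ]; then
            rest=
        else
            rest=${rest#*:}
        fi
        case $entry in
            /*) ;;
            *)  return 0 ;;
        esac
    done
    # A trailing colon leaves no element to inspect above, so check it here.
    case $1 in
        *:) return 0 ;;
    esac
    return 1
}

# Demonstration with the values from the thread (DIR_EXECUTABLE=/abc,
# LD_LIBRARY_PATH="::"); both forms print the resulting search path.
simple_ld_path /abc '::'        # /abc:::
sanitized_ld_path /abc '::'     # /abc
```

Running the script prints the passed-through value with its empty elements first, then the sanitized one. The hardened function is the sort of cleanup the thread decided not to do in the package; it is shown here to make the difference between the two outcomes concrete for anyone reviewing similar wrapper scripts.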