Bug#598422: scilab: CVE-2010-3378: insecure library loading
Raphael Geissert
geissert at debian.org
Thu Sep 30 00:42:59 UTC 2010
On 28 September 2010 16:15, Sylvestre Ledru <sylvestre at debian.org> wrote:
>
>> The vulnerability is introduced by an insecure change to
>> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
>> libraries on a directory other than the standard paths.
> OK. I will fix that asap (today or tomorrow)
> To you, what would be the best way to fix this issue ?
If you prefer readability:
if [ -n "$LD_LIBRARY_PATH" ]; then
LD_LIBRARY_PATH=/foo
else
LD_LIBRARY_PATH=/foo:$LD_LIBRARY_PATH
fi
But if you want a one-liner to avoid duplication:
LD_LIBRARY_PATH=/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
(be careful with the two colons, removing the first one re-introduces
the vulnerability)
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
More information about the debian-science-maintainers
mailing list