[Pkg-erlang-devel] Bug#594412: CouchDB insecure library loading

Gerfried Fuchs rhonda at deb.at
Tue Sep 7 07:58:18 UTC 2010


 Hi again!

* Gerfried Fuchs <rhonda at deb.at> [2010-08-30 14:40:28 CEST]:
> * Moritz Muehlenhoff <jmm at debian.org> [2010-08-25 21:50:53 CEST]:
> > Package: couchdb
> > Severity: grave
> > Tags: security
> > 
> > The vulnerability was introduced by Debian patch
> > "mozjs1.9_ldlibpath.patch" on 3/24/2009.
> 
>  I fail to find this patch either in the lenny package or in the
> squeeze package, and there was no changelog entry or upload around the
> mentioned time. Are you sure about these fine prints?

 Alright, after some chat with Moritz and other security people I better
understand the issue: the patch icu-config.patch in the lenny package
also has the problem. It would depend on an already set LD_LIBRARY_PATH
environment variable; in the case it isn't set (which is the default), it
has the insecure behavior of depending on the current directory.

 A test for existence of the variable should be done, and depending on
that it should either get extended or be explicitly set only to the
variable. I do, though, question the need for the patch - /usr/lib is
searched by default anyway? What's the background of that? I didn't find
any hint in the changelog - and that's one of the reasons why a comment
in the patch file would be really helpful. :)

 Thanks!
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up
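Added example, not code from the bug report or from the couchdb packaging: a POSIX shell sketch of the construction the mail describes, the unconditional "$LD_LIBRARY_PATH:/usr/lib" form beside one that tests whether the variable is set first, plus a check for the empty element that the dynamic loader treats as the current directory. The /usr/lib path follows the mail; the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed illustration of the LD_LIBRARY_PATH problem from the report.
# The dynamic loader interprets an empty element in LD_LIBRARY_PATH (a
# leading ":", a trailing ":" or "::") as the current working directory,
# which is exactly the insecure behaviour the mail describes.

# Insecure construction: when LD_LIBRARY_PATH is unset (the default) this
# yields ":/usr/lib", whose empty leading element means ".".
insecure_ld_path() {
    printf '%s' "${LD_LIBRARY_PATH:-}:$1"
}

# Corrected construction, as the mail suggests: extend the variable only
# when it is already set and non-empty, otherwise set it to the library
# directory alone.
safe_ld_path() {
    if [ -n "${LD_LIBRARY_PATH:-}" ]; then
        printf '%s' "${LD_LIBRARY_PATH}:$1"
    else
        printf '%s' "$1"
    fi
}

# Sanity check for a candidate value: returns 0 when it contains no empty
# element, 1 when one is present (an empty variable is ignored by the
# loader, so it counts as harmless here).
has_no_empty_element() {
    [ -z "$1" ] && return 0
    case ":$1:" in
        *::*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Demonstration when run directly with LD_LIBRARY_PATH unset.
if [ -z "${LD_LIBRARY_PATH:-}" ]; then
    printf 'insecure: "%s"\nsafe:     "%s"\n' \
        "$(insecure_ld_path /usr/lib)" "$(safe_ld_path /usr/lib)"
fi
```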
