Hi,

many wrapper scripts contain things like

export LD_LIBRARY_PATH=foo:$LD_LIBRARY_PATH

This is bad because if LD_LIBRARY_PATH is unset, it will expand to LD_LIBRARY_PATH=foo: which is interpreted as LD_LIBRARY_PATH=foo:. This means that the current directory is searched for libraries before /lib and /usr/lib, which can have security implications.

The fix is to use "${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" instead of ":$LD_LIBRARY_PATH". This will get rid of the colon if LD_LIBRARY_PATH is unset. (Actually, some scripts use "${LD_LIBRARY_PATH+: $LD_LIBRARY_PATH}", which seems to work, too. But this is not documented in the bash man page, at least I can't find it.)

This is not a new issue: CVE-2005-4790 and CVE-2005-4791 were found two years ago. Unfortunately, they were first announced as SuSE-specific packaging errors and were missed by the security teams.

I filed #451548 for liferea, but many more packages are affected. I intend to file a wishlist bug for lintian to check for this. But since this will take some time to get implemented, if someone has a local mirror and wants to do some QA work, a complete check of the archive would be good.

Of course "$LD_LIBRARY_PATH:" is just as bad as ":$LD_LIBRARY_PATH".

Maybe there are other environment variables that could be affected by the same problem. For $PATH it is not a problem, because it should always be set. More ideas?

Cheers,
Stefan
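Added example, not part of the original message: a POSIX sh script that compares the expansions discussed above for an unset, an empty-but-set and a set variable (the empty-but-set case goes beyond what the message covers), and runs a heuristic grep for the unsafe forms over a wrapper script. The directory names, the sample wrapper and the regular expression are constructed for this example and are not lintian's check.

```shell
#!/bin/sh
# Added example. "foo", /opt/lib and the sample wrapper are constructed values.

# expand FORM STATE [VALUE]: print what LD_LIBRARY_PATH would be set to when
# the variable starts out unset (STATE=unset) or set to VALUE (STATE=set).
expand() {
    (
        unset LD_LIBRARY_PATH
        if [ "$2" = set ]; then LD_LIBRARY_PATH=$3; fi
        case "$1" in
            # Bare colon: leaves a trailing ':' when the variable is unset or empty.
            unsafe)     printf '%s\n' "foo:$LD_LIBRARY_PATH" ;;
            # ':+' adds the colon only when the variable is set and non-empty.
            colon_plus) printf '%s\n' "foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ;;
            # '+' tests only whether the variable is set, so an empty-but-set
            # value still yields "foo:".
            plus)       printf '%s\n' "foo${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}" ;;
        esac
    )
}

# unsafe_lines: read a script on stdin, print the numbers of lines that join
# $LD_LIBRARY_PATH to another entry with a bare ':' (heuristic, not a parser).
unsafe_lines() {
    grep -nE '(^|[^+]):\$\{?LD_LIBRARY_PATH\}?([^A-Za-z0-9_]|$)|\$(LD_LIBRARY_PATH|\{LD_LIBRARY_PATH\}):([^}]|$)' |
        cut -d: -f1
}

# Constructed wrapper script: lines 2 and 4 are unsafe, line 3 uses the fix.
sample_wrapper() {
    cat <<'EOF'
#!/bin/sh
export LD_LIBRARY_PATH=/usr/lib/foo:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH="/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:/usr/lib/foo"
exec /usr/lib/foo/foo-bin "$@"
EOF
}

for form in unsafe colon_plus plus; do
    printf '%-10s unset=[%s] empty=[%s] set=[%s]\n' "$form" \
        "$(expand "$form" unset)" "$(expand "$form" set '')" "$(expand "$form" set /opt/lib)"
done
printf 'unsafe lines in sample wrapper: %s\n' "$(sample_wrapper | unsafe_lines | tr '\n' ' ')"
```

To check a real wrapper, feed it on stdin, for example `unsafe_lines < /path/to/wrapper`; hits still need a manual look because the pattern does not parse shell syntax.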