Package: liferea
Version: 1.0.27-2
Severity: important
Tags: security

Liferea 1.4.6-1 sets LD_LIBRARY_PATH=/usr/lib/xulrunner:$LD_LIBRARY_PATH in its start script. If LD_LIBRARY_PATH is empty, this will result in LD_LIBRARY_PATH=/usr/lib/xulrunner: which is equivalent to LD_LIBRARY_PATH=/usr/lib/xulrunner:. This means the current working directory is searched for libraries before /lib and /usr/lib, which is of course a security problem.

Liferea 1.0.27-2 uses LD_LIBRARY_PATH=:$LD_LIBRARY_PATH which is insecure even if LD_LIBRARY_PATH was set.

Instead of ":$LD_LIBRARY_PATH" use "${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}", which expands to nothing (not even a colon) if LD_LIBRARY_PATH is empty.

Please mention the CVE id in the changelog.
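
The expansions discussed in the report above, as an added example that is not part of the original message or of Liferea's start script: it builds the search list each idiom produces and flags any empty component, which the dynamic loader reads as the current working directory. It goes beyond the report by also testing a set-but-empty variable, where "${VAR+...}" (tests only whether the variable is set) and "${VAR:+...}" (tests set and non-empty) differ. The function names, state names and /opt/lib are assumptions made for the example.

```shell
#!/bin/sh
# Added example. State names and /opt/lib are constructed for illustration.

# build_path STYLE: print the value a start script would export.
build_path() {
    case "$1" in
        leading)   printf '%s\n' ":$LD_LIBRARY_PATH" ;;
        append)    printf '%s\n' "/usr/lib/xulrunner:$LD_LIBRARY_PATH" ;;
        plus)      printf '%s\n' "/usr/lib/xulrunner${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}" ;;
        colonplus) printf '%s\n' "/usr/lib/xulrunner${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ;;
    esac
}

# has_empty_entry LIST: succeed if LIST has an empty component (leading
# colon, trailing colon or "::"), which the loader reads as the cwd.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check STYLE STATE [VALUE]: print "unsafe" or "ok" for the resulting list.
# The subshell keeps the caller's own LD_LIBRARY_PATH untouched.
check() {
    (
        case "$2" in
            unset) unset LD_LIBRARY_PATH ;;
            empty) LD_LIBRARY_PATH='' ;;
            set)   LD_LIBRARY_PATH=$3 ;;
        esac
        if has_empty_entry "$(build_path "$1")"; then echo unsafe; else echo ok; fi
    )
}

# Print one row per idiom across the three variable states.
for style in leading append plus colonplus; do
    printf '%-10s unset=%-7s empty=%-7s set=%s\n' "$style" \
        "$(check "$style" unset)" "$(check "$style" empty)" \
        "$(check "$style" set /opt/lib)"
done
```

The same has_empty_entry check can be run over the start scripts of other packages to find launchers that export a list with an empty component.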