On Nov 16, 2007 8:57 PM, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> Package: liferea
> Version: 1.0.27-2
> Severity: important
> Tags: security
>
> Liferea 1.4.6-1 sets
>
> LD_LIBRARY_PATH=/usr/lib/xulrunner:$LD_LIBRARY_PATH
>
> in its start script. If LD_LIBRARY_PATH is empty, this will result in
>
> LD_LIBRARY_PATH=/usr/lib/xulrunner:
>
> which is equivalent to
>
> LD_LIBRARY_PATH=/usr/lib/xulrunner:.
>
> This means the current working directory is searched for libraries before /lib
> and /usr/lib, which is of course a security problem.
>
> Liferea 1.0.27-2 uses
>
> LD_LIBRARY_PATH=:$LD_LIBRARY_PATH
>
> which is even insecure if LD_LIBRARY_PATH was set.
>
> Instead of ":$LD_LIBRARY_PATH" use
> "${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}", which expands to nothing (not
> even a colon) if LD_LIBRARY_PATH is empty.
>
> Please mention the CVE id in the changelog.
Upstream I implemented the following solution:
Index: src/liferea.in
===================================================================
--- src/liferea.in (Revision 3546)
+++ src/liferea.in (Arbeitskopie)
@@ -14,8 +14,18 @@
params="$@"
[EMAIL PROTECTED]@:$LD_LIBRARY_PATH
-export LD_LIBRARY_PATH
+#
+# If we run with Gecko or XulRunner we need to set
+# LD_LIBRARY_PATH (WebKit and GtkHTML do not need this).
+#
+if [ "@MOZILLA_LIB_ROOT@" != "" ]; then
+ if [ "$LD_LIBRARY_PATH" = ""]; then
+ [EMAIL PROTECTED]@
+ else
+ [EMAIL PROTECTED]@:$LD_LIBRARY_PATH
+ fi
+ export LD_LIBRARY_PATH
+fi
if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
eval `dbus-launch`
Do you think this is sufficient?
Best Regards,
Lars
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
