vdrleaktest in Video Disk Recorder (VDR) 1.6.0 places a zero-length directory name in the LD_LIBRARY_PATH
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vdr (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
This bug is related to CVE-2010-3387 (which has been linked to this bug). There is another bug linked to the same CVE, but it does not deal with it (you can find it at https:/
The Maverick version of vdrleaktest contains the following line:
LANG=C LD_LIBRARY_
Just a small test, when LD_LIBRARY_PATH is not set:
$ echo "/usr/lib/
/usr/lib/debug;
According to the CVE, this is a security vulnerability. However, as ":" is the separator, this does not seem to be a security vulnerability. The discussion at http://
The patch suggested seems to be:
-LANG=C LD_LIBRARY_
+LANG=C LD_LIBRARY_
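Review bot: on the `+` line the separator is still emitted when LD_LIBRARY_PATH is unset, going by the `/usr/lib/debug:` result reported for this patch just below. That trailing `:` leaves a zero-length entry, which the dynamic loader reads as the current working directory. Suggest adding the separator only when the variable is non-empty, for example by following the directory with the shell expansion `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`.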
In such a case, however, if LD_LIBRARY_PATH were not set, you would have something like the following:
$ echo "/usr/lib/
/usr/lib/debug:
While the original issue seems to be a non-exploitable bug, I doubt that the patch might cause a security issue (if LD_LIBRARY_PATH is not set to anything).
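The empty-entry condition this report turns on, as an added shell example (not code from the report or from the vdr package): it contrasts an unconditional prepend with one that adds the separator only when something follows, and counts zero-length elements in the result. All function names are hypothetical and the inputs are constructed; splitting on both `:` and `;` follows glibc's ld.so(8).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from vdr or its packaging.
# glibc's ld.so(8) splits LD_LIBRARY_PATH on ':' and ';' and reads a
# zero-length element as the current working directory.

# Print how many zero-length elements a search-path value contains.
count_empty_entries() {
    [ -n "$1" ] || { echo 0; return; }   # empty value: no search path at all
    printf '%s\n' "$1" | tr ';' ':' |
        awk -F: '{ n = 0; for (i = 1; i <= NF; i++) if ($i == "") n++; print n }'
}

# Print the value with zero-length elements dropped, joined with ':'.
strip_empty_entries() {
    printf '%s\n' "$1" | tr ';' ':' |
        awk -F: '{ out = ""
                   for (i = 1; i <= NF; i++)
                       if ($i != "") out = out (out == "" ? "" : ":") $i
                   print out }'
}

# Naive form: always emits the separator, even when nothing follows it.
naive_prepend() {
    printf '%s:%s\n' "$1" "$2"
}

# Safe form: cleans the inherited value, adds ':' only if something remains.
safe_prepend() {
    rest=$(strip_empty_entries "$2")
    printf '%s%s\n' "$1" "${rest:+:$rest}"
}

# Constructed inputs: unset/empty, a normal value, and one with empty elements.
for inherited in "" "/opt/lib" ":/opt/lib::/srv/lib"; do
    naive=$(naive_prepend /usr/lib/debug "$inherited")
    safe=$(safe_prepend /usr/lib/debug "$inherited")
    printf 'inherited=[%s]\n  naive=%s (empty entries: %s)\n  safe=%s (empty entries: %s)\n' \
        "$inherited" "$naive" "$(count_empty_entries "$naive")" \
        "$safe" "$(count_empty_entries "$safe")"
done
```

The same count can be run over the environment of a wrapper script before it execs a binary, to flag a launcher that hands the loader an empty search-path element.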
I feel that this issue requires a CVE to be issued, please refer to a similar bug which had a CVE issued here => https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/930854