2012-02-12 07:33:25 |
Zubin Mithra |
description |
This bug is related to CVE-2010-3387(which has been linked to this bug). There is another bug linked to the same CVE but does not deal with it(you can find it at https://bugs.launchpad.net/ubuntu/+source/vdr/+bug/669105).
The Maverick version of vdrtestleak contains the following line :-
LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
Just a small test, when LD_LIBRARY_PATH is not set
$ echo "/usr/lib/debug;$LD_LIBRARY_PATH"
/usr/lib/debug;
According to the CVE, this is a security vulnerability. However, as ":" is the seperator, this does not seem to be a security vulnerability. The discussion at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598308 seems to suggest the same.
The patch suggested seems to be :-
-LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
+LANG=C LD_LIBRARY_PATH="/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
In such a case, however, if LD_LIBRARY_PATH were not set, you would have something like the following:-
$ echo "/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
/usr/lib/debug:
While the original issue seems to be a nonexploitable bug, I doubt that the patch might cause a security issue. |
This bug is related to CVE-2010-3387(which has been linked to this bug). There is another bug linked to the same CVE but does not deal with it(you can find it at https://bugs.launchpad.net/ubuntu/+source/vdr/+bug/669105).
The Maverick version of vdrtestleak contains the following line :-
LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
Just a small test, when LD_LIBRARY_PATH is not set
$ echo "/usr/lib/debug;$LD_LIBRARY_PATH"
/usr/lib/debug;
According to the CVE, this is a security vulnerability. However, as ":" is the seperator, this does not seem to be a security vulnerability. The discussion at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598308 seems to suggest the same.
The patch suggested seems to be :-
-LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
+LANG=C LD_LIBRARY_PATH="/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
In such a case, however, if LD_LIBRARY_PATH were not set, you would have something like the following:-
$ echo "/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
/usr/lib/debug:
While the original issue seems to be a nonexploitable bug, I doubt that the patch might cause a security issue(if LD_LIBRARY_PATH is not set to anything). |
|