[Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading
Jari Aalto
jari.aalto at cante.net
Tue Oct 19 10:40:38 UTC 2010
Simon Horman <horms at verge.net.au> writes:
> It's unclear to me that this patch covers all cases.
>
> e.g.
>
> $ DIR_EXECUTABLE=/abc
> $ LD_LIBRARY_PATH="::"
> $ /bin/echo "$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
> /abc:::
>
> Am I missing something?
Julien Cristau from the release team suggests that:
IRC #debian-qa
<jcristau> if the user set LD_LIBRARY_PATH="::" then they shot
themselves in the foot, and you're not
supposed to clean up after them.
So, we revert back to the simple approach:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549#40
Jari
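The two expansions under discussion, as an added example that is not code from the bug report or the cluster-agents package: `simple_ld_path` is the expansion Simon quoted, and `strict_ld_path` is a hypothetical variant that drops the empty components (which the dynamic loader treats as the current working directory). Both function names are assumptions.

```shell
# Added example, not from the bug thread or the cluster-agents package.
# DIR_EXECUTABLE and LD_LIBRARY_PATH are passed as arguments so the
# functions can be exercised without touching the real environment.

# The expansion from the patch under discussion: LD_LIBRARY_PATH is appended
# verbatim, so empty components such as "::" survive into the result.
simple_ld_path() {
    dir_executable=$1
    ld_library_path=$2
    printf '%s\n' "$dir_executable${ld_library_path:+:$ld_library_path}"
}

# Hypothetical stricter variant: split on ':' and keep only non-empty
# entries, so "::", a leading ':' or a trailing ':' cannot add an implicit
# current-directory search path.
strict_ld_path() {
    dir_executable=$1
    ld_library_path=$2
    result=$dir_executable
    old_ifs=$IFS
    IFS=:
    set -f    # no pathname expansion of entries such as '*'
    for entry in $ld_library_path; do
        if [ -n "$entry" ]; then
            result="$result:$entry"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Constructed sample values matching Simon's reproduction.
simple_ld_path /abc '::'    # prints /abc:::
strict_ld_path /abc '::'    # prints /abc
```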