treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH, round 2

Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. (See #67234, for example.) Fix this throughout the tree. Followup to #76804. Fixes #144646. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
author: Anders Kaseorg <andersk@mit.edu> 2021-11-04 16:14:48 -0700
committer: Anders Kaseorg <andersk@mit.edu> 2021-11-04 16:15:05 -0700
commit: e12f4db55640401ff06749231a4f4ffcef9a7269 (patch)
tree: 457adf28c44553cc6c401a0acf278c06b2ad333b /pkgs/applications/office/jabref/default.nix
parent: b67e752c29f18a0ca5534a07661366d6a2c2e649 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/pkgs/applications/office/jabref/default.nix b/pkgs/applications/office/jabref/default.nix
index b87e74c256f6c..0b4ce74cdfa73 100644
--- a/pkgs/applications/office/jabref/default.nix
+++ b/pkgs/applications/office/jabref/default.nix
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
 
     makeWrapper $out/lib/runtime/bin/java $out/bin/jabref \
       --add-flags '-Djava.library.path=${systemLibPaths}' --add-flags "-p $out/lib/app -m org.jabref/org.jabref.JabRefLauncher" \
-      --run 'export LD_LIBRARY_PATH=${systemLibPaths}:$LD_LIBRARY_PATH'
+      --prefix LD_LIBRARY_PATH : '${systemLibPaths}'
 
     cp -r ${desktopItem}/share/applications $out/share/
author	Anders Kaseorg <andersk@mit.edu>	2021-11-04 16:14:48 -0700
committer	Anders Kaseorg <andersk@mit.edu>	2021-11-04 16:15:05 -0700
commit	e12f4db55640401ff06749231a4f4ffcef9a7269 (patch)
tree	457adf28c44553cc6c401a0acf278c06b2ad333b /pkgs/applications/office/jabref/default.nix
parent	b67e752c29f18a0ca5534a07661366d6a2c2e649 (diff)