diff options
author | Anders Kaseorg <andersk@mit.edu> | 2020-05-31 01:40:07 -0700 |
---|---|---|
committer | Anders Kaseorg <andersk@mit.edu> | 2020-05-31 01:42:09 -0700 |
commit | 665dfc26ed8f8547ea97fad66334d6dca79e4ab6 (patch) | |
tree | 3526758d6518176a81652fd75fc550a2c7f95be8 /pkgs | |
parent | 135073a87b7e2c631739f4ffa016e1859b1a425e (diff) |
libversion: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. This particular case probably has no security relevance, but we should avoid this unsafe pattern anyway in case it gets copied. See #76804. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/development/libraries/libversion/default.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pkgs/development/libraries/libversion/default.nix b/pkgs/development/libraries/libversion/default.nix index e1dc591f8b5d7..cee04fa79e43f 100644 --- a/pkgs/development/libraries/libversion/default.nix +++ b/pkgs/development/libraries/libversion/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake ]; preCheck = '' - export LD_LIBRARY_PATH=/build/source/build/libversion/:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=/build/source/build/libversion/''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; doCheck = true; checkTarget = "test"; |