authorAnders Kaseorg <andersk@mit.edu>2020-05-31 01:40:07 -0700
committerAnders Kaseorg <andersk@mit.edu>2020-05-31 01:42:09 -0700
commit665dfc26ed8f8547ea97fad66334d6dca79e4ab6 (patch)
tree3526758d6518176a81652fd75fc550a2c7f95be8 /pkgs
parent135073a87b7e2c631739f4ffa016e1859b1a425e (diff)
libversion: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted.  This particular
case probably has no security relevance, but we should avoid this
unsafe pattern anyway in case it gets copied.  See #76804.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/development/libraries/libversion/default.nix2
1 files changed, 1 insertions, 1 deletions
diff --git a/pkgs/development/libraries/libversion/default.nix b/pkgs/development/libraries/libversion/default.nix
index e1dc591f8b5d7..cee04fa79e43f 100644
--- a/pkgs/development/libraries/libversion/default.nix
+++ b/pkgs/development/libraries/libversion/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ cmake ];
 
   preCheck = ''
-    export LD_LIBRARY_PATH=/build/source/build/libversion/:$LD_LIBRARY_PATH
+    export LD_LIBRARY_PATH=/build/source/build/libversion/''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
   '';
   doCheck = true;
   checkTarget = "test";
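Review bot: The new `LD_LIBRARY_PATH` line in `preCheck` still hard-codes `/build/source/build/libversion/`, which is the build tree only when the derivation is built in the sandbox with `/build` as the build top and `source` as the source root. With sandboxing disabled or a different build directory, the tests would search an absolute path the build does not own, and would probably not find the freshly built library. Assuming `preCheck` runs from the cmake build directory (not visible in this hunk), the entry could be derived instead: `export LD_LIBRARY_PATH=$PWD/libversion''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH`. A comment above it such as `# ''${VAR:+:} emits the colon only when VAR is non-empty, so no empty (current-directory) segment is created` would help stop the line from being simplified back to the unsafe form. The `stdenv.mkDerivation` body starts and ends outside the hunk.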