From 3cd8ce3bce1e3d89b21caa0d3ad458193f5179ba Mon Sep 17 00:00:00 2001 From: Anders Kaseorg Date: Wed, 1 Jan 2020 16:29:34 -0800 Subject: treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. (See #67234, for example.) Fix this throughout the tree. Signed-off-by: Anders Kaseorg --- pkgs/development/compilers/halide/default.nix | 2 +- pkgs/development/compilers/llvm/4/llvm.nix | 2 +- pkgs/development/compilers/llvm/5/llvm.nix | 2 +- pkgs/development/compilers/llvm/6/llvm.nix | 2 +- pkgs/development/compilers/llvm/7/llvm.nix | 2 +- pkgs/development/compilers/llvm/8/llvm.nix | 2 +- pkgs/development/compilers/llvm/9/llvm.nix | 2 +- pkgs/development/compilers/mlton/20130715.nix | 2 +- pkgs/development/compilers/solc/default.nix | 2 +- pkgs/development/guile-modules/guile-lib/default.nix | 2 +- pkgs/development/interpreters/pure/default.nix | 2 +- pkgs/development/libraries/boxfort/default.nix | 2 +- pkgs/development/libraries/caf/default.nix | 4 ++-- pkgs/development/libraries/criterion/default.nix | 2 +- pkgs/development/libraries/cutelyst/default.nix | 2 +- pkgs/development/libraries/exiv2/default.nix | 2 +- pkgs/development/libraries/glib/default.nix | 2 +- pkgs/development/libraries/grpc/default.nix | 2 +- pkgs/development/libraries/jsoncpp/default.nix | 4 ++-- pkgs/development/libraries/libtins/default.nix | 4 ++-- pkgs/development/libraries/orcania/default.nix | 2 +- pkgs/development/libraries/qt-4.x/4.8/default.nix | 2 +- pkgs/development/libraries/qt-5/modules/qtbase.nix | 2 +- pkgs/development/libraries/science/math/arpack/default.nix | 4 ++-- pkgs/development/libraries/science/math/scalapack/default.nix | 2 +- pkgs/development/libraries/yder/default.nix | 2 +- pkgs/development/pharo/vm/build-vm.nix | 2 +- pkgs/development/python-modules/pytorch/default.nix | 2 +- 28 files changed, 32 insertions(+), 32 deletions(-) (limited to 'pkgs/development') diff --git a/pkgs/development/compilers/halide/default.nix b/pkgs/development/compilers/halide/default.nix index 0b28b61a27b21..44c079af9263a 100644 --- a/pkgs/development/compilers/halide/default.nix +++ b/pkgs/development/compilers/halide/default.nix @@ -29,7 +29,7 @@ in llvmPackages.stdenv.mkDerivation { # To handle the lack of 'local' RPATH; required, as they call one of # their built binaries requiring their libs, in the build process. preBuild = '' - export LD_LIBRARY_PATH="$(pwd)/lib:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$(pwd)/lib''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ''; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix index d5f640414861b..0d3ce1614ded1 100644 --- a/pkgs/development/compilers/llvm/4/llvm.nix +++ b/pkgs/development/compilers/llvm/4/llvm.nix @@ -143,7 +143,7 @@ stdenv.mkDerivation ({ ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = stdenv.lib.optionalString enableSharedLibraries '' diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix index cd26b7d17a92d..2ce17765d633a 100644 --- a/pkgs/development/compilers/llvm/5/llvm.nix +++ b/pkgs/development/compilers/llvm/5/llvm.nix @@ -119,7 +119,7 @@ stdenv.mkDerivation ({ ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = '' diff --git a/pkgs/development/compilers/llvm/6/llvm.nix b/pkgs/development/compilers/llvm/6/llvm.nix index 8faab6b94a925..80acd3fa2fe1c 100644 --- a/pkgs/development/compilers/llvm/6/llvm.nix +++ b/pkgs/development/compilers/llvm/6/llvm.nix @@ -120,7 +120,7 @@ stdenv.mkDerivation ({ ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = '' diff --git a/pkgs/development/compilers/llvm/7/llvm.nix b/pkgs/development/compilers/llvm/7/llvm.nix index 62be8bbedabee..d7fb1fe4b93f3 100644 --- a/pkgs/development/compilers/llvm/7/llvm.nix +++ b/pkgs/development/compilers/llvm/7/llvm.nix @@ -141,7 +141,7 @@ in stdenv.mkDerivation ({ ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = '' diff --git a/pkgs/development/compilers/llvm/8/llvm.nix b/pkgs/development/compilers/llvm/8/llvm.nix index 18946f5d640bf..a9c4a6b0ba25e 100644 --- a/pkgs/development/compilers/llvm/8/llvm.nix +++ b/pkgs/development/compilers/llvm/8/llvm.nix @@ -117,7 +117,7 @@ in stdenv.mkDerivation ({ ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = '' diff --git a/pkgs/development/compilers/llvm/9/llvm.nix b/pkgs/development/compilers/llvm/9/llvm.nix index c0e750dc31c0f..2cdc5a5fd0669 100644 --- a/pkgs/development/compilers/llvm/9/llvm.nix +++ b/pkgs/development/compilers/llvm/9/llvm.nix @@ -134,7 +134,7 @@ in stdenv.mkDerivation (rec { ''; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib ''; postInstall = '' diff --git a/pkgs/development/compilers/mlton/20130715.nix b/pkgs/development/compilers/mlton/20130715.nix index 207ed8f29bc75..52bb0a0775cf1 100644 --- a/pkgs/development/compilers/mlton/20130715.nix +++ b/pkgs/development/compilers/mlton/20130715.nix @@ -77,7 +77,7 @@ stdenv.mkDerivation rec { chmod u+x $(pwd)/../${usr_prefix}/bin/mlton # So the builder runs the binary compiler with gmp. - export LD_LIBRARY_PATH=${gmp.out}/lib:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${gmp.out}/lib''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH '' + stdenv.lib.optionalString stdenv.isLinux '' # Patch ELF interpreter. diff --git a/pkgs/development/compilers/solc/default.nix b/pkgs/development/compilers/solc/default.nix index 23e6c64f3ffcb..0f71ed79e7ee3 100644 --- a/pkgs/development/compilers/solc/default.nix +++ b/pkgs/development/compilers/solc/default.nix @@ -49,7 +49,7 @@ stdenv.mkDerivation rec { checkPhase = '' while IFS= read -r -d ''' dir do - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(pwd)/$dir + LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$(pwd)/$dir export LD_LIBRARY_PATH done < <(find . -type d -print0) diff --git a/pkgs/development/guile-modules/guile-lib/default.nix b/pkgs/development/guile-modules/guile-lib/default.nix index cea464ad5d279..97f501f41db75 100644 --- a/pkgs/development/guile-modules/guile-lib/default.nix +++ b/pkgs/development/guile-modules/guile-lib/default.nix @@ -21,7 +21,7 @@ in stdenv.mkDerivation { preCheck = '' # Make `libgcc_s.so' visible for `pthread_cancel'. export LD_LIBRARY_PATH=\ - "$(dirname $(echo ${stdenv.cc.cc.lib}/lib*/libgcc_s.so)):$LD_LIBRARY_PATH" + "$(dirname $(echo ${stdenv.cc.cc.lib}/lib*/libgcc_s.so))''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ''; meta = with stdenv.lib; { diff --git a/pkgs/development/interpreters/pure/default.nix b/pkgs/development/interpreters/pure/default.nix index 9c35fc3549765..764ee241aff3a 100644 --- a/pkgs/development/interpreters/pure/default.nix +++ b/pkgs/development/interpreters/pure/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--enable-release" ]; doCheck = true; checkPhase = '' - LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${llvm}/lib make check + LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${llvm}/lib make check ''; postInstall = '' wrapProgram $out/bin/pure --prefix LD_LIBRARY_PATH : ${llvm}/lib diff --git a/pkgs/development/libraries/boxfort/default.nix b/pkgs/development/libraries/boxfort/default.nix index 95c1afd090f4a..fb6e735c46e74 100644 --- a/pkgs/development/libraries/boxfort/default.nix +++ b/pkgs/development/libraries/boxfort/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=`pwd`''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; outputs = [ "dev" "out" ]; diff --git a/pkgs/development/libraries/caf/default.nix b/pkgs/development/libraries/caf/default.nix index ecf991cb59ce6..e32ec16957924 100644 --- a/pkgs/development/libraries/caf/default.nix +++ b/pkgs/development/libraries/caf/default.nix @@ -22,8 +22,8 @@ stdenv.mkDerivation rec { doCheck = true; checkTarget = "test"; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}$PWD/lib ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/criterion/default.nix b/pkgs/development/libraries/criterion/default.nix index c2721d3839a11..3dc4b4624048f 100644 --- a/pkgs/development/libraries/criterion/default.nix +++ b/pkgs/development/libraries/criterion/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { cmakeFlags = [ "-DCTESTS=ON" ]; doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=`pwd`''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; checkTarget = "criterion_tests test"; diff --git a/pkgs/development/libraries/cutelyst/default.nix b/pkgs/development/libraries/cutelyst/default.nix index 6cd464e55390b..2cf611eed2752 100644 --- a/pkgs/development/libraries/cutelyst/default.nix +++ b/pkgs/development/libraries/cutelyst/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { ]; preBuild = '' - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:`pwd`/Cutelyst:`pwd`/EventLoopEPoll" + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/Cutelyst:`pwd`/EventLoopEPoll" ''; postBuild = '' diff --git a/pkgs/development/libraries/exiv2/default.nix b/pkgs/development/libraries/exiv2/default.nix index 21f63e07335df..425346df816ea 100644 --- a/pkgs/development/libraries/exiv2/default.nix +++ b/pkgs/development/libraries/exiv2/default.nix @@ -69,7 +69,7 @@ stdenv.mkDerivation rec { ''} ${stdenv.lib.optionalString stdenv.isDarwin '' - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:`pwd`/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}`pwd`/lib # Removing tests depending on charset conversion substituteInPlace ../test/Makefile --replace "conversions.sh" "" rm -f ../tests/bugfixes/redmine/test_issue_460.py diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix index 4a7d6cce90b07..1875621323001 100644 --- a/pkgs/development/libraries/glib/default.nix +++ b/pkgs/development/libraries/glib/default.nix @@ -160,7 +160,7 @@ stdenv.mkDerivation rec { checkInputs = [ tzdata libxml2 desktop-file-utils shared-mime-info ]; preCheck = optionalString doCheck '' - export LD_LIBRARY_PATH="$NIX_BUILD_TOP/${pname}-${version}/glib/.libs:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$NIX_BUILD_TOP/${pname}-${version}/glib/.libs''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export TZDIR="${tzdata}/share/zoneinfo" export XDG_CACHE_HOME="$TMP" export XDG_RUNTIME_HOME="$TMP" diff --git a/pkgs/development/libraries/grpc/default.nix b/pkgs/development/libraries/grpc/default.nix index abcd3abaf3097..dfec171f1dbcb 100644 --- a/pkgs/development/libraries/grpc/default.nix +++ b/pkgs/development/libraries/grpc/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { ''; preBuild = '' - export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.cc.isClang "-Wno-error=unknown-warning-option"; diff --git a/pkgs/development/libraries/jsoncpp/default.nix b/pkgs/development/libraries/jsoncpp/default.nix index 72158e186ac2a..7b06cc8ad4e64 100644 --- a/pkgs/development/libraries/jsoncpp/default.nix +++ b/pkgs/development/libraries/jsoncpp/default.nix @@ -23,9 +23,9 @@ stdenv.mkDerivation rec { # Hack to be able to run the test, broken because we use # CMAKE_SKIP_BUILD_RPATH to avoid cmake resetting rpath on install preBuild = if stdenv.isDarwin then '' - export DYLD_LIBRARY_PATH="`pwd`/src/lib_json:$DYLD_LIBRARY_PATH" + export DYLD_LIBRARY_PATH="`pwd`/src/lib_json''${DYLD_LIBRARY_PATH:+:}$DYLD_LIBRARY_PATH" '' else '' - export LD_LIBRARY_PATH="`pwd`/src/lib_json:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="`pwd`/src/lib_json''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ''; nativeBuildInputs = [ cmake python ]; diff --git a/pkgs/development/libraries/libtins/default.nix b/pkgs/development/libraries/libtins/default.nix index c90cff31677b1..60bb092c6fa4b 100644 --- a/pkgs/development/libraries/libtins/default.nix +++ b/pkgs/development/libraries/libtins/default.nix @@ -32,8 +32,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD${placeholder "out"}/lib - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$PWD${placeholder "out"}/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD${placeholder "out"}/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}$PWD${placeholder "out"}/lib ''; checkTarget = "tests test"; diff --git a/pkgs/development/libraries/orcania/default.nix b/pkgs/development/libraries/orcania/default.nix index bc27011c58875..2f8765f9a7259 100644 --- a/pkgs/development/libraries/orcania/default.nix +++ b/pkgs/development/libraries/orcania/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export DYLD_FALLBACK_LIBRARY_PATH="$(pwd):$DYLD_FALLBACK_LIBRARY_PATH" ''; diff --git a/pkgs/development/libraries/qt-4.x/4.8/default.nix b/pkgs/development/libraries/qt-4.x/4.8/default.nix index 25953949eb76a..379f5b3d80e0b 100644 --- a/pkgs/development/libraries/qt-4.x/4.8/default.nix +++ b/pkgs/development/libraries/qt-4.x/4.8/default.nix @@ -125,7 +125,7 @@ stdenv.mkDerivation rec { ]; preConfigure = '' - export LD_LIBRARY_PATH="`pwd`/lib:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="`pwd`/lib''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" configureFlags+=" -docdir $out/share/doc/${name} -plugindir $out/lib/qt4/plugins diff --git a/pkgs/development/libraries/qt-5/modules/qtbase.nix b/pkgs/development/libraries/qt-5/modules/qtbase.nix index bc23d0f9cafe1..930c59d347b14 100644 --- a/pkgs/development/libraries/qt-5/modules/qtbase.nix +++ b/pkgs/development/libraries/qt-5/modules/qtbase.nix @@ -164,7 +164,7 @@ stdenv.mkDerivation { setOutputFlags = false; preConfigure = '' - export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ${lib.optionalString (compareVersion "5.9.0" < 0) '' # We need to set LD to CXX or otherwise we get nasty compile errors export LD=$CXX diff --git a/pkgs/development/libraries/science/math/arpack/default.nix b/pkgs/development/libraries/science/math/arpack/default.nix index 36576de056317..89f3aa94247b9 100644 --- a/pkgs/development/libraries/science/math/arpack/default.nix +++ b/pkgs/development/libraries/science/math/arpack/default.nix @@ -30,9 +30,9 @@ stdenv.mkDerivation { ]; preCheck = if stdenv.isDarwin then '' - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:`pwd`/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}`pwd`/lib '' else '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/lib '' + '' # Prevent tests from using all cores export OMP_NUM_THREADS=2 diff --git a/pkgs/development/libraries/science/math/scalapack/default.nix b/pkgs/development/libraries/science/math/scalapack/default.nix index bff0d9a85fa2c..fda902f320c9b 100644 --- a/pkgs/development/libraries/science/math/scalapack/default.nix +++ b/pkgs/development/libraries/science/math/scalapack/default.nix @@ -40,7 +40,7 @@ stdenv.mkDerivation rec { # Run single threaded export OMP_NUM_THREADS=1 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/lib ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/yder/default.nix b/pkgs/development/libraries/yder/default.nix index 7025fd2eb1cc5..5ddb1d1a1313f 100644 --- a/pkgs/development/libraries/yder/default.nix +++ b/pkgs/development/libraries/yder/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export DYLD_FALLBACK_LIBRARY_PATH="$(pwd):$DYLD_FALLBACK_LIBRARY_PATH" ''; diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix index 5fc747cbc8c29..38516cc191452 100644 --- a/pkgs/development/pharo/vm/build-vm.nix +++ b/pkgs/development/pharo/vm/build-vm.nix @@ -117,7 +117,7 @@ stdenv.mkDerivation rec { cat > "$out/bin/${cmd}" <