Do not append CWD to (empty) LD_LIBRARY_PATH

Witko / nvidia-xrun

Utility to run separate X with discrete nvidia graphics with full performance

GNU General Public License v2.0

488 stars 69 forks source link

Do not append CWD to (empty) LD_LIBRARY_PATH #146

Open resilar opened 4 years ago

resilar commented 4 years ago

If LD_LIBRARY_PATH is unset, nvidia-xinitrc exports LD_LIBRARY_PATH with a trailing colon (':') which is interpreted as an empty path, i.e., the current working directory (CWD). This creates a security vulnerability known as "Uncontrolled Search Path Element" (CWE-427). The commit avoids appending a trailing colon if LD_LIBRARY_PATH is empty.

resilar commented 4 years ago

For more information, see the links below.

Stack Overflow: how to smart append LD_LIBRARY_PATH in shell when nounset
Stack Overflow: What corner cases must we consider when parsing $PATH on Linux?
How Torch broke ls and made me vulnerable (or the hidden dangers of LD_LIBRARY_PATH)