Closed (szsam closed 7 months ago)
There is nothing we can do about it. If you don't like this behaviour, remove the code or mangle getenv function calls. Actually, every dynamically linked application may use the LD_PRELOAD dynamic variable, so security is not a question for this.
The value of the first argument of dlopen() may come from getenv. Using externally controlled strings in a process operation can allow an attacker to execute malicious commands.
https://github.com/alsa-project/alsa-lib/blob/ed6b07084bfea4155bbc98bcf38508ab81bdd008/src/dlmisc.c#L155
https://github.com/alsa-project/alsa-lib/blob/ed6b07084bfea4155bbc98bcf38508ab81bdd008/src/pcm/pcm_ladspa.c#L1094
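
One way a program that takes a dlopen() path from an environment variable can bound that input, as an added example that is not alsa-lib's code: it ignores the variable in secure-execution mode (the condition under which the dynamic loader restricts LD_PRELOAD) and accepts only absolute paths to regular files owned by root or the caller and not writable by group or others. `EXAMPLE_PLUGIN_PATH` and both function names are hypothetical, and Linux `getauxval(AT_SECURE)` is assumed.

```c
/* Added example: policy check for a dlopen() path taken from the environment.
 * PLUGIN_ENV_VAR and both function names are hypothetical, not alsa-lib's. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux) */
#include <sys/stat.h>
#include <unistd.h>

#define PLUGIN_ENV_VAR "EXAMPLE_PLUGIN_PATH"   /* hypothetical variable name */

/* Return 1 if `path` may be handed to dlopen(), 0 otherwise.
 * secure_exec: nonzero when the process runs with elevated privileges. */
int plugin_path_ok(const char *path, int secure_exec)
{
    struct stat st;

    if (secure_exec)                       /* setuid/setgid/file caps: ignore env input */
        return 0;
    if (path == NULL || path[0] != '/')    /* absolute only: no library search path */
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != getuid())   /* owned by root or the caller */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))  /* not writable by group or others */
        return 0;
    return 1;
}

/* Return the vetted path from the environment, or NULL to use the built-in default. */
const char *plugin_path_from_env(void)
{
    const char *path = getenv(PLUGIN_ENV_VAR);
    int secure_exec = getauxval(AT_SECURE) != 0;

    return plugin_path_ok(path, secure_exec) ? path : NULL;
}

int main(void)
{
    const char *path = plugin_path_from_env();

    printf("%s\n", path ? path : "(environment value rejected or unset)");
    return 0;
}
```

The check and the later dlopen() call are separate steps, so the directory holding the library needs the same ownership and write restrictions as the file itself.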