perexg
commented
7 months ago This is nothing we can do about it. If you don't like this behaviour, remove the code or mangle getenv function calls. Actually, every dynamic linked application may use LD_PRELOAD dynamic variable, so the security is not a question for this.
The value of the first argument of dlopen() may come from getenv. Using externally controlled strings in a process operation can allow an attacker to execute malicious commands.
https://github.com/alsa-project/alsa-lib/blob/ed6b07084bfea4155bbc98bcf38508ab81bdd008/src/dlmisc.c#L155 https://github.com/alsa-project/alsa-lib/blob/ed6b07084bfea4155bbc98bcf38508ab81bdd008/src/pcm/pcm_ladspa.c#L1094