halfbridge1974 / arduino

Automatically exported from code.google.com/p/arduino

Potential security issue in arduino run script #15

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If $LD_LIBRARY_PATH is empty, it could allow arbitrary code to be executed
from the directory it's run.  Line 13 should read:

LD_LIBRARY_PATH=`pwd`/lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

Original issue reported on code.google.com by nixpho...@gmail.com on 18 Apr 2009 at 5:08

GoogleCodeExporter commented 9 years ago
How?

Does it matter?  

Original comment by dmel...@gmail.com on 15 Jun 2009 at 7:55

GoogleCodeExporter commented 9 years ago
See http://bugs.gentoo.org/show_bug.cgi?id=188806 for a good description.  I don't
know if it's a huge problem for arduino (I can't remember if it's linked to any
libraries and the computer it's installed on is down atm).

Original comment by nixpho...@gmail.com on 15 Jun 2009 at 9:12

GoogleCodeExporter commented 9 years ago
I'm new and need some help 
how do i link two pin # together

Original comment by alisoqua...@yahoo.com on 8 Aug 2011 at 12:54

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
Note that this change in comment #2 has already been applied to Arduino 1.0.1.

Original comment by john.ve...@gmail.com on 1 Jul 2012 at 8:00

GoogleCodeExporter commented 9 years ago
I added a print of the resulting LD_LIBRARY_PATH and I checked that with the
latest arduino:

xxx@xxx:~/git/arduino/build/linux/work$ LD_LIBRARY_PATH="" ./arduino 
/home/xxx/git/arduino/build/linux/work/lib

xxx@xxx:~/git/arduino/build/linux/work$ LD_LIBRARY_PATH="blah" ./arduino 
/home/xxx/git/arduino/build/linux/work/lib:blah

It seems that the problem is fixed.
Feel free to reopen the issue if not.

C

Original comment by c.mag...@bug.st on 27 Nov 2012 at 9:40
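
The mechanism discussed in this thread, as an added example (not code from the Arduino run script or from any commenter): the dynamic linker treats a zero-length entry in LD_LIBRARY_PATH as the current working directory, so a trailing colon puts the launch directory on the library search path. The script below compares an unguarded prepend (an assumed "before" form, since the original line 13 is not shown on this page), the `${VAR+...}` form as written in the first comment, and the `${VAR:+...}` form, which also covers a variable that is set but empty. `APPLIB` and all function names are constructed for the example.

```sh
#!/bin/sh
# Added example: how three prepend idioms behave for unset, empty and
# non-empty LD_LIBRARY_PATH. APPLIB is a constructed placeholder path.
APPLIB=/opt/app/lib

# build_path FORM STATE VALUE -> prints the path the idiom would produce.
# STATE is "unset" or "set"; VALUE is used only when STATE is "set".
build_path() {
  bp_form=$1 bp_state=$2 bp_value=$3
  (
    unset LD_LIBRARY_PATH
    if [ "$bp_state" = set ]; then LD_LIBRARY_PATH=$bp_value; fi
    case $bp_form in
      # Assumed unguarded form: always appends ":" plus the old value.
      unguarded) printf '%s\n' "$APPLIB:$LD_LIBRARY_PATH" ;;
      # "+" form: adds ":old" whenever the variable is set, even if empty.
      plus)      printf '%s\n' "$APPLIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}" ;;
      # ":+" form: adds ":old" only when the variable is set and non-empty.
      colonplus) printf '%s\n' "$APPLIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ;;
    esac
  )
}

# has_cwd_entry PATH -> exit 0 if PATH has a zero-length element
# (leading colon, trailing colon, or "::"), which ld.so reads as the cwd.
has_cwd_entry() {
  case ":$1:" in
    *::*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Print one row of the comparison table.
report() {
  r_path=$(build_path "$1" "$2" "$3")
  if has_cwd_entry "$r_path"; then r_verdict="EMPTY ENTRY (cwd searched)"
  else r_verdict=ok; fi
  printf '%-10s %-5s %-7s -> %-20s %s\n' "$1" "$2" "'$3'" "$r_path" "$r_verdict"
}

for f in unguarded plus colonplus; do
  report "$f" unset ""
  report "$f" set ""
  report "$f" set blah
done
```

The same `has_cwd_entry` check can be pointed at the value a launcher script actually exports, which is what the printed output in the last comment verifies by eye.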