gvm exports the LD_LIBRARY_PATH variable to allow vendor packaging. The current solution looks like this:
Now here comes the problem. If ${LD_LIBRARY_PATH} is not exported (or empty), the exported LD_LIBRARY_PATH will result in something like:
The double colon at the end will search for the linked library at the current path. This is not a good behaviour and could lead to a simple shared library attack [1].
To reproduce the issue on a Linux system:
# Create random folder
$ mktemp -d
$ cd <random folder>
$ ldd /usr/bin/dig|fgrep libdns|cut -f2|cut -f1 -d' '|xargs -I{} touch {}
$ ls -la
$ /usr/bin/dig
# Should print something like: dig: error while loading shared libraries: libdns.so.100: file too short
To fix this issue, only append :${LD_LIBRARY_PATH} if LD_LIBRARY_PATH is a non-empty string.
This issue may apply to DYLD_LIBRARY_PATH and PKG_CONFIG_PATH.
[1] http://www.oocities.org/margineantm/syspp/background/shared_libraries.html
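The fix proposed in the post, sketched as an added example (this is not gvm's own code): the separator and the inherited value are appended only when that value is non-empty. It goes one step further than the post by also dropping empty elements already present in the inherited value. The function names and the `/opt/example/lib` directory are hypothetical.

```sh
#!/bin/sh
# Added example: build a library search path with no empty elements.
# glibc's ld.so treats an empty LD_LIBRARY_PATH element (leading ":",
# trailing ":" or "::") as the current working directory.

# The unconditional append the post describes: leaves "dir:" when $2 is empty.
unconditional_join() {
    printf '%s\n' "$1:$2"
}

# Succeeds (returns 0) if the colon-separated list has an empty element.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the list with every empty element dropped. The body runs in a
# subshell, so the IFS and globbing changes do not leak to the caller.
strip_empty_elements() (
    out=
    IFS=:
    set -f
    for dir in $1; do
        if [ -n "$dir" ]; then
            out="${out:+$out:}$dir"
        fi
    done
    printf '%s\n' "$out"
)

# Prepends $1 to the list in $2; the ":" separator is only emitted when
# something non-empty remains after cleaning the inherited value.
prepend_path() (
    rest=$(strip_empty_elements "${2-}")
    printf '%s\n' "$1${rest:+:$rest}"
)

# Usage with a constructed sample directory (not a gvm path):
#   LD_LIBRARY_PATH=$(prepend_path /opt/example/lib "${LD_LIBRARY_PATH-}")
#   export LD_LIBRARY_PATH
```

`has_empty_element` can also be run against the current environment value in a login script or CI check to flag a search path that already includes the working directory.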