moovweb / gvm

Go Version Manager
http://github.com/moovweb/gvm
MIT License

Fix gvm path inclusion vulnerability #358

Closed ddworken closed 11 months ago

ddworken commented 3 years ago

If LD_LIBRARY_PATH (or DYLD_LIBRARY_PATH) is not set, the install/activate script will cause the environment variable to be set to something like:

LD_LIBRARY_PATH=/home/david/.gvm/pkgsets/go1.13/global/overlay/lib:

This means that the dynamic library loader will attempt to load libraries from two locations:

  1. "/home/david/.gvm/pkgsets/go1.13/global/overlay/lib"
  2. "" which is interpreted as the current working directory

This means that it becomes unsafe to run any terminal commands from an untrusted directory. I.e., running ls inside of an untrusted git repository could lead to arbitrary code execution.

In order to fix this, we simply change the shell expansion such that if LD_LIBRARY_PATH is not set it does not include a trailing : at the end.

Fixes #353, #190
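
The trailing-colon behaviour described above, as an added example that is not part of the pull request or gvm's own code. The function names are hypothetical, and the `${var:+...}` idiom is an assumed way of writing the corrected expansion; the checker flags empty or `.` entries in `LD_LIBRARY_PATH` and `DYLD_LIBRARY_PATH`.

```shell
#!/bin/sh
# Added illustration; prepend_unsafe, prepend_safe, has_cwd_entry and
# audit_env are hypothetical names, not functions from gvm.

# Unsafe pattern: always joins with ":", so an unset or empty current value
# leaves a trailing ":" (an empty entry) in the result.
prepend_unsafe() {  # $1 = directory to add, $2 = current value (may be empty)
    printf '%s' "$1:$2"
}

# Safe pattern: ${cur:+:$cur} expands to ":$cur" only when cur is non-empty.
prepend_safe() {
    cur=$2
    printf '%s' "$1${cur:+:$cur}"
}

# Return 0 if a colon-separated list contains an empty or "." entry,
# i.e. an entry that resolves to the current working directory.
has_cwd_entry() {
    case "$1" in
        '') return 1 ;;                   # empty value: no entries to check
        :*|*:|*::*) return 0 ;;           # leading, trailing or doubled colon
        .|.:*|*:.|*:.:*) return 0 ;;      # explicit "." entry
    esac
    return 1
}

# Check the loader variables named in the PR; returns 1 if either is unsafe.
audit_env() {
    bad=0
    for name in LD_LIBRARY_PATH DYLD_LIBRARY_PATH; do
        eval "val=\${$name-}"
        if has_cwd_entry "$val"; then
            echo "WARNING: $name has an empty or '.' entry: '$val'" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Demo using the directory quoted in the PR description.
sample=/home/david/.gvm/pkgsets/go1.13/global/overlay/lib
for v in "$(prepend_unsafe "$sample" "")" "$(prepend_safe "$sample" "")"; do
    if has_cwd_entry "$v"; then echo "UNSAFE: $v"; else echo "ok:     $v"; fi
done
```

Calling `audit_env` from a shell startup file after version managers have been sourced reports the condition before any command is run from an untrusted directory.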

ddworken commented 3 years ago

@BenKnigge @jbussdieker @alouche Can you please take a look?

emesterhazy commented 3 years ago

Aside from being a security issue, this breaks buildroot:

You seem to have the current working directory in your
LD_LIBRARY_PATH environment variable. This doesn't work.
make[1]: *** [support/dependencies/dependencies.mk:27: dependencies] Error 1
make: *** [Makefile:84: _all] Error 2

The sooner we can get this simple fix merged in the better.