Closed ddworken closed 11 months ago
@BenKnigge @jbussdieker @alouche Can you please take a look?
Aside from being a security issue, this breaks buildroot:
You seem to have the current working directory in your
LD_LIBRARY_PATH environment variable. This doesn't work.
make[1]: *** [support/dependencies/dependencies.mk:27: dependencies] Error 1
make: *** [Makefile:84: _all] Error 2
The sooner we can get this simple fix merged in the better.
If LD_LIBRARY_PATH (or DYLD_LIBRARY_PATH) is not set, the install/activate script will cause the environment variable to be set to something like:
This means that the dynamic library loader will attempt to load libraries from two locations:
This means that it becomes unsafe to run any terminal commands from an untrusted directory. I.e., running `ls` inside of an untrusted git repository could lead to arbitrary code execution.
In order to fix this, we simply change the shell expansion such that if LD_LIBRARY_PATH is not set it does not include a trailing `:` at the end.
Fixes #353, #190
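The trailing-colon problem described in this pull request, shown as an added example that is not the project's actual patch: an unsafe prepend beside one that uses the standard `${var:+...}` expansion, plus a check for empty or `.` entries in a search path. `LIB_DIR` and the function names are assumptions made for illustration.

```shell
# Added example, not code from this project. LIB_DIR is a constructed placeholder.
LIB_DIR="/opt/example/lib"

# Unsafe prepend: if the current value is unset or empty, the result ends
# in ':' and that empty entry is treated as the current working directory.
unsafe_prepend() {
    # $1 = directory to add, $2 = current value of the variable (may be empty)
    printf '%s' "$1:$2"
}

# Safe prepend: ${cur:+:$cur} expands to nothing when cur is unset or empty,
# so the separator is only emitted when there is something to separate.
safe_prepend() {
    cur="$2"
    printf '%s' "$1${cur:+:$cur}"
}

# Return 0 if a colon-separated search path contains an entry that resolves
# to the current directory: a leading, trailing or doubled ':' or a bare '.'.
has_cwd_entry() {
    case "$1" in
        "") return 1 ;;              # variable empty: nothing to check
        :*|*:|*::*) return 0 ;;      # empty entry somewhere in the list
    esac
    case ":$1:" in
        *:.:*) return 0 ;;           # explicit '.' entry
    esac
    return 1
}

# Compare both forms for the case where the variable was not set beforehand.
for v in "$(unsafe_prepend "$LIB_DIR" "")" "$(safe_prepend "$LIB_DIR" "")"; do
    if has_cwd_entry "$v"; then
        echo "UNSAFE: '$v' searches the current directory"
    else
        echo "ok:     '$v'"
    fi
done
```

Running `has_cwd_entry "$LD_LIBRARY_PATH"` (or the same check on `DYLD_LIBRARY_PATH`) in a freshly started shell shows whether an activation script has left such an entry behind.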