Install script causes `$LD_LIBRARY_PATH` to include `cwd`.

[wapiflapi]

The install scripts causes .bashrc to source ~/torch/install/bin/torch-activate which in turn exports some environnement variables. This is defined here https://github.com/torch/distro/blob/master/install.sh#L168

There is an issue with the way LD_LIBRARY_PATH is handled:

export LD_LIBRARY_PATH=/home/wapiflapi/torch/install/lib:$LD_LIBRARY_PATH

When $LD_LIBRARY_PATH didn't exist or was empty before, it will now end with a colon this means the last "path" after said colon is empty which causes the linker to look in the current working directory for libraries.

This is a security issue because unexpected code can get run simply by visiting "untrusted" directories (for example checking out a git repo or cd-ing into a tarball.)

Demo:

wapiflapi@box:/tmp/demo$ export LD_LIBRARY_PATH=""  # Plausible initial state.
wapiflapi@box:/tmp/demo$ head -c4k /lib/x86_64-linux-gnu/libc.so.6 > libc.so.6 # corrupted libc.
wapiflapi@box:/tmp/demo$ ls
libc.so.6
wapiflapi@box:/tmp/demo$ . ~/torch/install/bin/torch-activate
wapiflapi@box:/tmp/demo$ ls
Bus error
wapiflapi@box:/tmp/demo$ echo $LD_LIBRARY_PATH # This is why.
/home/wapiflapi/torch/install/lib:
wapiflapi@box:/tmp/demo$ 

[jainal09]

Thank me later! Use this docker file for torch installation! https://github.com/runwayml/alpha_models/blob/master/densecap/Dockerfile