Bug#451559: lintian: Check for insecure LD_LIBRARY_PATH in wrapper scripts
Package: lintian
Version: 1.23.36
Severity: wishlist
Many wrapper scripts contain things like
export LD_LIBRARY_PATH=foo:$LD_LIBRARY_PATH
This is bad because if LD_LIBRARY_PATH is unset, it will expand to
LD_LIBRARY_PATH=foo:
which is interpreted as
LD_LIBRARY_PATH=foo:.
This means that the current directory is searched for libraries before
/lib and /usr/lib, which can have security implications.
The fix is to use "${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" instead of
":$LD_LIBRARY_PATH". This will get rid of the colon if LD_LIBRARY_PATH
is unset.
I wrote this message [1], maybe there will be some useful discussion or even a
change in the dynamic linker to not treat an empty field as a dot.
Until then, it would be useful to have lintian check for this. The attached
perl regex seems to do the trick. This should be executed on all shell scripts
in binary packages (or maybe just in /bin and /usr/bin).
[1] http://lists.debian.org/debian-security/2007/11/msg00009.html
m/^\s* # optionally leading space
(?:export\s*)? # allow "export "
LD_LIBRARY_PATH=
(?:.*?:)? # optionally foo:
\$(?: # literal $ and either
\{LD_LIBRARY_PATH(?::-)?\} # {LD_LIBRARY_PATH} or {LD_LIBRARY_PATH:-}
# (the latter is common with "set -u")
| # or
LD_LIBRARY_PATH # LD_LIBRARY_PATH
)
(?::.*?)? # optionally :foo
(?:\s+|$|;) # followed by space, line end or ;
/x
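As an added example (not part of the bug report or of lintian itself), the shell below shows the two expansions side by side with LD_LIBRARY_PATH unset, and a grep -E rendering of the same check run over a constructed wrapper-script sample; the function names, the ERE translation of the Perl regex and the sample script are assumptions made here.

```shell
#!/bin/sh
# Added example: demonstrates the empty-field problem from the report and a
# grep-based check for it. Nothing here changes the caller's environment.

# Value of "foo:$LD_LIBRARY_PATH" when LD_LIBRARY_PATH is unset.
# The colon survives, so the search path ends in an empty field, which
# the dynamic linker treats as the current directory.
unsafe_value() {
    ( unset LD_LIBRARY_PATH; printf '%s' "foo:$LD_LIBRARY_PATH" )
}

# Same assignment with the ${VAR:+...} guard: the colon (and the old value)
# are only emitted when LD_LIBRARY_PATH is set and non-empty.
safe_value() {
    ( unset LD_LIBRARY_PATH; printf '%s' "foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" )
}

# The guarded form still appends an existing value correctly.
safe_value_set() {
    ( LD_LIBRARY_PATH=/opt/lib; printf '%s' "foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" )
}

# grep -E rendering (assumption, not the report's Perl regex) of the check:
# optional "export", LD_LIBRARY_PATH=, optional "prefix:", then
# $LD_LIBRARY_PATH / ${LD_LIBRARY_PATH} / ${LD_LIBRARY_PATH:-}, optional
# ":suffix", then whitespace, ";" or end of line. The ":+" guarded form does
# not match because "}" follows the variable name. Reads a script on stdin.
insecure_ld_path_lines() {
    grep -nE '^[[:space:]]*(export[[:space:]]+)?LD_LIBRARY_PATH=([^[:space:]]*:)?[$]([{]LD_LIBRARY_PATH(:-)?[}]|LD_LIBRARY_PATH)(:[^[:space:];]*)?([[:space:]]|;|$)'
}

# Constructed sample wrapper script: two insecure lines, one guarded line.
sample_script() {
    cat <<'EOF'
#!/bin/sh
export LD_LIBRARY_PATH=/usr/lib/foo:$LD_LIBRARY_PATH
LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH:-}; export LD_LIBRARY_PATH
export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
exec /usr/lib/foo/foo.bin "$@"
EOF
}

# Number of flagged lines in the sample (expected: 2).
count_insecure() {
    sample_script | insecure_ld_path_lines | wc -l | tr -d ' '
}
```

Running `sample_script | insecure_ld_path_lines` prints the two offending lines with their line numbers; the guarded third line is left alone.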