Re: run-icecat.sh possible vulnerability
From: Giuseppe Scrivano
Subject: Re: run-icecat.sh possible vulnerability
Date: Fri, 17 Jun 2011 10:00:13 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)
Thanks again for the patch! I have just committed it.
Cheers,
Giuseppe
Hayawardh V <address@hidden> writes:
> Hi,
>
> Here it is. Please edit it as you see fit.
>
> * browser/branding/unofficial/run-icecat.sh: Fix insecure
> LD_LIBRARY_PATH, patch by Hayawardh Vijayakumar <address@hidden>
>
> Thanks,
> Hayawardh
>
> On Wed, Jun 1, 2011 at 3:19 AM, Giuseppe Scrivano <address@hidden> wrote:
>
> Thanks, the patch looks fine. Can you please also provide the ChangeLog
> file entry?
>
> Cheers,
> Giuseppe
>
> Hayawardh V <address@hidden> writes:
>
> > Hi,
> >
> > I am attaching a patch for the same.
> > Please keep me updated on the course of action regarding this.
> >
> > Thanks,
> > Hayawardh
> >
> > On Mon, May 30, 2011 at 7:22 PM, Hayawardh V <address@hidden> wrote:
> >
> > Hi,
> >
> > In run-icecat.sh in the latest icecat svn are lines such as:
> >
> > LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}
> >
> > Note that this insecure LD_LIBRARY_PATH would lead icecat to
> > search in the current working directory for libraries. If
> > malicious libraries are, for example, downloaded off the Internet,
> > then those would be loaded instead.
> >
> > This can be simply fixed as follows (note the : following
> > LD_LIBRARY_PATH):
> >
> > LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}
> >
> > It seems similar to the issue that Firefox had a few months before:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=590753
> >
> > Thanks,
> > Hayawardh
> >
> > --- run-icecat.sh.orig 2011-05-30 14:16:14.000000000
> -0400
> > +++ run-icecat.sh 2011-05-30 19:39:03.000000000 -0400
> > @@ -310,36 +310,36 @@
> > }
> > if moz_should_set_ld_library_path
> > then
> > - LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:$
> {MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}
> > + LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:$
> {MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}
> > fi
> >
> > if [ -n "$LD_LIBRARYN32_PATH" ]
> > then
> > - LD_LIBRARYN32_PATH=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARYN32_PATH+":$LD_LIBRARYN32_PATH"}
> > + LD_LIBRARYN32_PATH=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARYN32_PATH:+":$LD_LIBRARYN32_PATH"}
> > fi
> > if [ -n "$LD_LIBRARYN64_PATH" ]
> > then
> > - LD_LIBRARYN64_PATH=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARYN64_PATH+":$LD_LIBRARYN64_PATH"}
> > + LD_LIBRARYN64_PATH=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARYN64_PATH:+":$LD_LIBRARYN64_PATH"}
> > fi
> > if [ -n "$LD_LIBRARY_PATH_64" ]; then
> > - LD_LIBRARY_PATH_64=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARY_PATH_64+":$LD_LIBRARY_PATH_64"}
> > + LD_LIBRARY_PATH_64=${MOZ_DIST_BIN}:$
> {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
> {LD_LIBRARY_PATH_64:+":$LD_LIBRARY_PATH_64"}
> > fi
> > #
> > #
> > ## Set SHLIB_PATH for HPUX
> > -SHLIB_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
> {SHLIB_PATH+":$SHLIB_PATH"}
> > +SHLIB_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
> {SHLIB_PATH:+":$SHLIB_PATH"}
> > #
> > ## Set LIBPATH for AIX
> > -LIBPATH=${MOZ_DIST_BIN}:${MRE_HOME}${LIBPATH+":$LIBPATH"}
> > +LIBPATH=${MOZ_DIST_BIN}:${MRE_HOME}${LIBPATH:+":$LIBPATH"}
> > #
> > ## Set DYLD_LIBRARY_PATH for Mac OS X (Darwin)
> > -DYLD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
> {DYLD_LIBRARY_PATH+":$DYLD_LIBRARY_PATH"}
> > +DYLD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
> {DYLD_LIBRARY_PATH:+":$DYLD_LIBRARY_PATH"}
> > #
> > ## Set LIBRARY_PATH for BeOS
> > -LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/components:$
> {MRE_HOME}${LIBRARY_PATH+":$LIBRARY_PATH"}
> > +LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/components:$
> {MRE_HOME}${LIBRARY_PATH:+":$LIBRARY_PATH"}
> > #
> > ## Set ADDON_PATH for BeOS
> > -ADDON_PATH=${MOZ_DIST_BIN}${ADDON_PATH+":$ADDON_PATH"}
> > +ADDON_PATH=${MOZ_DIST_BIN}${ADDON_PATH:+":$ADDON_PATH"}
> > #
> > ## Solaris Xserver(Xsun) tuning - use shared memory transport
> if available
> > if [ "$XSUNTRANSPORT" = "" ]
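Review bot: the `+` to `:+` change only closes the set-but-empty case; every branch in this hunk still appends the inherited value verbatim (`${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}`, and likewise for LD_LIBRARYN32_PATH, LD_LIBRARYN64_PATH, LD_LIBRARY_PATH_64, SHLIB_PATH, LIBPATH, DYLD_LIBRARY_PATH, LIBRARY_PATH and ADDON_PATH), so an inherited value that already carries an empty element (a leading or trailing `:`, or `::`) is passed through unchanged and the loader will still resolve that element as the current working directory. Consider filtering empty elements out of the inherited value before appending it, or at least noting in a comment next to `moz_should_set_ld_library_path` that the script assumes the inherited path is well-formed.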
> > --
> > http://gnuzilla.gnu.org
>
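The two expansions discussed in the thread, as an added example that is not code from run-icecat.sh or from either participant. LIB_PATH stands in for LD_LIBRARY_PATH so the demo does not alter the real loader path of the shell running it; /opt/icecat is a constructed placeholder for MOZ_DIST_BIN and MRE_HOME. The block composes the path the pre-patch and the post-patch way for a set-but-empty value, adds a check that flags an empty element anywhere in a colon-separated search path (which ld.so resolves as the current working directory), and, going one step beyond the patch, strips empty elements out of an inherited value before it is appended.

```shell
#!/bin/sh
# Added example, not code from run-icecat.sh or the thread. LIB_PATH stands
# in for LD_LIBRARY_PATH so the demo never touches the real loader path of
# this shell; MOZ_DIST_BIN and MRE_HOME are constructed placeholders.

MOZ_DIST_BIN=/opt/icecat
MRE_HOME=/opt/icecat

# Before the patch: ${LIB_PATH+word} expands whenever LIB_PATH is set, so a
# set-but-empty value still appends ':' and leaves an empty trailing element.
compose_before() {
    LIB_PATH=$1
    path=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LIB_PATH+":$LIB_PATH"}
    printf '%s' "$path"
}

# After the patch: ${LIB_PATH:+word} expands only when LIB_PATH is set and
# non-empty, so an empty value appends nothing.
compose_after() {
    LIB_PATH=$1
    path=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LIB_PATH:+":$LIB_PATH"}
    printf '%s' "$path"
}

# Detection check: does a colon-separated search path contain an empty
# element (leading ':', trailing ':' or '::')? The dynamic loader resolves
# each empty element as the current working directory. Returns 0 if found.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mitigation for an inherited value that already carries empty elements:
# drop them instead of passing them through verbatim. Runs in a subshell so
# the IFS and 'set -f' changes stay local.
strip_empty_elements() (
    set -f          # no pathname expansion while splitting on ':'
    IFS=:
    result=
    for elem in $1; do
        [ -n "$elem" ] || continue
        result=${result:+$result:}$elem
    done
    printf '%s' "$result"
)

# Demo on constructed input: set-but-empty, and an inherited value with
# empty elements at both ends and in the middle.
printf 'before, empty value:  %s\n' "$(compose_before "")"
printf 'after,  empty value:  %s\n' "$(compose_after "")"
printf 'after,  cleaned value: %s\n' \
    "$(compose_after "$(strip_empty_elements "::/usr/lib:/opt/lib::")")"
```

The has_empty_element check is the one to run over the final composed value before exec'ing the browser: it catches both the set-but-empty case the patch fixes and any empty element the inherited value brought with it.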