bug-gnuzilla

Re: run-icecat.sh possible vulnerability


From: Giuseppe Scrivano
Subject: Re: run-icecat.sh possible vulnerability
Date: Fri, 17 Jun 2011 10:00:13 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Thanks again for the patch!  I have just committed it.

Cheers,
Giuseppe



Hayawardh V <address@hidden> writes:

> Hi, 
>
> Here it is. Please edit it as you see fit. 
>
> * browser/branding/unofficial/run-icecat.sh: Fix insecure 
> LD_LIBRARY_PATH, patch by Hayawardh Vijayakumar <address@hidden>
>
> Thanks, 
> Hayawardh
>
> On Wed, Jun 1, 2011 at 3:19 AM, Giuseppe Scrivano <address@hidden>
> wrote:
>
>     Thanks, the patch looks fine.  Can you please also provide the
>     ChangeLog file entry?
>     
>     Cheers,
>     Giuseppe
>     
>     
>     
>     
>     
>     
>     Hayawardh V <address@hidden> writes:
>     
>     > Hi,
>     >
>     > I am attaching a patch for the same.
>     > Please keep me updated on the course of action regarding this.
>     >
>     > Thanks,
>     > Hayawardh
>     >
>     > On Mon, May 30, 2011 at 7:22 PM, Hayawardh V <address@hidden> wrote:
>     >
>     >     Hi,
>     >
>     >     In run-icecat.sh in the latest icecat svn are lines such as:
>     >     LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}
>     >
>     >     Note that this insecure LD_LIBRARY_PATH would lead icecat to
>     >     search in the current working directory for libraries. If
>     >     malicious libraries are, for example, downloaded off the
>     >     Internet, then those would be loaded instead.
>     >
>     >     This can be simply fixed as follows (note the : following
>     >     LD_LIBRARY_PATH):
>     >
>     >     LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}
>     >
>     >     It seems similar to the issue that Firefox had a few months
>     >     before:
>     >     https://bugzilla.mozilla.org/show_bug.cgi?id=590753
>     >
>     >     Thanks,
>     >     Hayawardh
>     >
>     >
>     >
>     >
>     >
>     
>     > --- run-icecat.sh.orig        2011-05-30 14:16:14.000000000
>     -0400
>     > +++ run-icecat.sh     2011-05-30 19:39:03.000000000 -0400
>     > @@ -310,36 +310,36 @@
>     >  }
>     >  if moz_should_set_ld_library_path
>     >  then
>     > -     LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:$
>     {MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}
>     > +     LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:$
>     {MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}
>     >  fi
>     >
>     >  if [ -n "$LD_LIBRARYN32_PATH" ]
>     >  then
>     > -     LD_LIBRARYN32_PATH=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARYN32_PATH+":$LD_LIBRARYN32_PATH"}
>     > +     LD_LIBRARYN32_PATH=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARYN32_PATH:+":$LD_LIBRARYN32_PATH"}
>     >  fi
>     >  if [ -n "$LD_LIBRARYN64_PATH" ]
>     >  then
>     > -     LD_LIBRARYN64_PATH=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARYN64_PATH+":$LD_LIBRARYN64_PATH"}
>     > +     LD_LIBRARYN64_PATH=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARYN64_PATH:+":$LD_LIBRARYN64_PATH"}
>     >  fi
>     >  if [ -n "$LD_LIBRARY_PATH_64" ]; then
>     > -     LD_LIBRARY_PATH_64=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARY_PATH_64+":$LD_LIBRARY_PATH_64"}
>     > +     LD_LIBRARY_PATH_64=${MOZ_DIST_BIN}:$
>     {MOZ_DIST_BIN}/plugins:${MRE_HOME}$
>     {LD_LIBRARY_PATH_64:+":$LD_LIBRARY_PATH_64"}
>     >  fi
>     >  #
>     >  #
>     >  ## Set SHLIB_PATH for HPUX
>     > -SHLIB_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
>     {SHLIB_PATH+":$SHLIB_PATH"}
>     > +SHLIB_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
>     {SHLIB_PATH:+":$SHLIB_PATH"}
>     >  #
>     >  ## Set LIBPATH for AIX
>     > -LIBPATH=${MOZ_DIST_BIN}:${MRE_HOME}${LIBPATH+":$LIBPATH"}
>     > +LIBPATH=${MOZ_DIST_BIN}:${MRE_HOME}${LIBPATH:+":$LIBPATH"}
>     >  #
>     >  ## Set DYLD_LIBRARY_PATH for Mac OS X (Darwin)
>     > -DYLD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
>     {DYLD_LIBRARY_PATH+":$DYLD_LIBRARY_PATH"}
>     > +DYLD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MRE_HOME}$
>     {DYLD_LIBRARY_PATH:+":$DYLD_LIBRARY_PATH"}
>     >  #
>     >  ## Set LIBRARY_PATH for BeOS
>     > -LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/components:$
>     {MRE_HOME}${LIBRARY_PATH+":$LIBRARY_PATH"}
>     > +LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/components:$
>     {MRE_HOME}${LIBRARY_PATH:+":$LIBRARY_PATH"}
>     >  #
>     >  ## Set ADDON_PATH for BeOS
>     > -ADDON_PATH=${MOZ_DIST_BIN}${ADDON_PATH+":$ADDON_PATH"}
>     > +ADDON_PATH=${MOZ_DIST_BIN}${ADDON_PATH:+":$ADDON_PATH"}
>     >  #
>     >  ## Solaris Xserver(Xsun) tuning - use shared memory transport
>     if available
>     >  if [ "$XSUNTRANSPORT" = "" ]
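Review bot: ${MRE_HOME} is still interpolated unconditionally after a literal colon in every assignment this hunk touches, so the ":+" change only guards the inherited value at the end. If MRE_HOME is empty or unset when these lines run, an assignment such as LIBPATH=${MOZ_DIST_BIN}:${MRE_HOME}${LIBPATH:+":$LIBPATH"} still yields an empty search-path element (a trailing colon, or "::" once the old value is appended). Consider moving the colon into the expansion, ${MRE_HOME:+":$MRE_HOME"}, for each variable. Separately, the LD_LIBRARYN32_PATH, LD_LIBRARYN64_PATH and LD_LIBRARY_PATH_64 blocks are already guarded by [ -n ... ], so there the change is for consistency only, and an inherited value that itself begins or ends with a colon is still passed through unchanged.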
>     > --
>     > http://gnuzilla.gnu.org
>     
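The difference between the two expansions discussed in the report, as an added example that is not part of the thread or of run-icecat.sh. The values of MOZ_DIST_BIN and MRE_HOME are constructed, and build_path, has_empty_entry and report are hypothetical helper names.

```sh
#!/bin/sh
# Added illustration, not taken from run-icecat.sh.
# MOZ_DIST_BIN and MRE_HOME hold constructed sample values.
MOZ_DIST_BIN=/opt/icecat
MRE_HOME=/opt/icecat/mre

# build_path OP [VALUE]  (hypothetical helper)
#   OP=plus       uses ${VAR+word}:  word is used whenever VAR is set, even to ""
#   OP=colonplus  uses ${VAR:+word}: word is used only when VAR is set and non-empty
# Without VALUE, LD_LIBRARY_PATH is unset; with VALUE (possibly "") it is set.
# The body runs in a subshell so the caller's environment is untouched.
build_path() (
    op=$1
    unset LD_LIBRARY_PATH
    if [ "$#" -ge 2 ]; then LD_LIBRARY_PATH=$2; fi
    case $op in
        plus)
            p=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"} ;;
        colonplus)
            p=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"} ;;
        *)  exit 2 ;;
    esac
    printf '%s\n' "$p"
)

# has_empty_entry PATHLIST: succeeds if the list has an empty element
# (leading colon, trailing colon, or "::"), which the dynamic loader
# resolves to the current working directory.
has_empty_entry() {
    case $1 in
        ""|:*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

report() {
    if has_empty_entry "$2"; then verdict="EMPTY ENTRY"; else verdict=ok; fi
    printf '%-26s %s  [%s]\n' "$1" "$2" "$verdict"
}

report 'unset, old form'     "$(build_path plus)"
report 'set to "", old form' "$(build_path plus "")"
report 'set to "", fixed'    "$(build_path colonplus "")"
report 'non-empty, fixed'    "$(build_path colonplus /usr/local/lib)"
```

Only the second case differs between the two forms: a variable that is exported but empty makes the old expansion append a bare colon.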


