bug-gnuzilla
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

run-icecat.sh possible vulnerability


From: Hayawardh V
Subject: run-icecat.sh possible vulnerability
Date: Mon, 30 May 2011 19:22:26 -0400

Hi,

In run-icecat.sh in the latest icecat svn are lines such as :
LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}

Note that this insecure LD_LIBRARY_PATH would lead icecat to search in the current working directory for libraries. If malicious libraries are, for example, downloaded off the Internet, then those would be loaded instead.

This can be simply fixed as follows (note the : following LD_LIBRARY_PATH):

LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}

It seems similar to the issue that Firefox had a few months before :
https://bugzilla.mozilla.org/show_bug.cgi?id=590753

Thanks,
Hayawardh



reply via email to

[Prev in Thread] Current Thread [Next in Thread]