bug-gnuzilla
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: run-icecat.sh possible vulnerability

From: Hayawardh V
Subject: Re: run-icecat.sh possible vulnerability
Date: Mon, 30 May 2011 19:40:02 -0400
Hi,

I am attaching a patch for the same.
Please keep me updated on the course of action regarding this.

Thanks,
Hayawardh

On Mon, May 30, 2011 at 7:22 PM, Hayawardh V <address@hidden> wrote:
Hi,

In run-icecat.sh in the latest icecat svn are lines such as :
LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH+":$LD_LIBRARY_PATH"}

Note that this insecure LD_LIBRARY_PATH would lead icecat to search in the current working directory for libraries. If malicious libraries are, for example, downloaded off the Internet, then those would be loaded instead.

This can be simply fixed as follows (note the : following LD_LIBRARY_PATH):

LD_LIBRARY_PATH=${MOZ_DIST_BIN}:${MOZ_DIST_BIN}/plugins:${MRE_HOME}${LD_LIBRARY_PATH:+":$LD_LIBRARY_PATH"}

It seems similar to the issue that Firefox had a few months before :
https://bugzilla.mozilla.org/show_bug.cgi?id=590753

Thanks,
Hayawardh



Attachment: run-icecat.sh.patch
Description: Text Data

reply via email to
[Prev in Thread] Current Thread [Next in Thread]