From 665dfc26ed8f8547ea97fad66334d6dca79e4ab6 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Sun, 31 May 2020 01:40:07 -0700
Subject: [PATCH] libversion: Fix unsafe concatenation of $LD_LIBRARY_PATH

Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. This particular case probably has no security relevance, but we should avoid this unsafe pattern anyway in case it gets copied. See #76804.

Signed-off-by: Anders Kaseorg
---
 pkgs/development/libraries/libversion/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/libversion/default.nix b/pkgs/development/libraries/libversion/default.nix
index e1dc591f8b5..cee04fa79e4 100644
--- a/pkgs/development/libraries/libversion/default.nix
+++ b/pkgs/development/libraries/libversion/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ cmake ];
 preCheck = ''
- export LD_LIBRARY_PATH=/build/source/build/libversion/:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=/build/source/build/libversion/''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
 '';
 doCheck = true;
 checkTarget = "test";
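Review bot: The new `export` line in `preCheck` still prepends the hard-coded absolute path `/build/source/build/libversion/`, which presumably only matches the build tree when the build runs with its top directory at `/build`. If the build directory is elsewhere (for example an unsandboxed build), the tests would search a fixed location that this derivation did not create, which is the same class of untrusted-search-path risk the commit message describes. Consider deriving the directory from the build environment, e.g. `export LD_LIBRARY_PATH="$NIX_BUILD_TOP/source/build/libversion''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`, and adding a shell comment such as `# ''${VAR:+:} avoids an empty segment, which glibc treats as the current directory` so the guard is not simplified away later. The enclosing `stdenv.mkDerivation` block starts and ends outside the hunk, so the actual source root name should be confirmed there.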