Fix gvm path inclusion vulnerability
If LD_LIBRARY_PATH (or DYLD_LIBRARY_PATH) is not set, the install/activate script will cause the environment variable to be set to something like:
LD_LIBRARY_PATH=/home/david/.gvm/pkgsets/go1.13/global/overlay/lib:
This means that the dynamic library loader will attempt to load libraries from two locations:
- "/home/david/.gvm/pkgsets/go1.13/global/overlay/lib"
- "" which is interpreted as the current working directory
This means that it becomes unsafe to run any terminal commands from an untrusted directory. I.e., running ls inside of an untrusted git repository could lead to arbitrary code execution.
In order to fix this, we simply change the shell expansion such that if LD_LIBRARY_PATH is not set it does not include a trailing : at the end.
Fixes #353, #190
@BenKnigge @jbussdieker @alouche Can you please take a look?
Aside from being a security issue, this breaks buildroot:
You seem to have the current working directory in your
LD_LIBRARY_PATH environment variable. This doesn't work.
make[1]: *** [support/dependencies/dependencies.mk:27: dependencies] Error 1
make: *** [Makefile:84: _all] Error 2
The sooner we can get this simple fix merged in the better.
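The trailing-colon problem described in the pull request, as an added example that is not the gvm patch or any code from the project. The function names are hypothetical, the overlay path is the one quoted in the description, and `${var:+...}` is assumed here as one standard way to write the conditional expansion. The check also flags `.` entries, which goes slightly beyond the empty-entry case discussed above.

```shell
#!/bin/sh
# Added example, not gvm code. Function names are hypothetical.
# Overlay path taken from the pull request description.
OVERLAY_LIB="/home/david/.gvm/pkgsets/go1.13/global/overlay/lib"

# Unsafe form: always appends ":" plus the old value, so an unset or
# empty old value leaves a trailing ":" (an empty search-path entry).
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Safe form: ${2:+:$2} expands to ":<old value>" only when the old
# value is set and non-empty, and to nothing otherwise.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Return 0 if a colon-separated search path has an entry that resolves
# to the current working directory: an empty element (leading, trailing
# or doubled colon) or a literal ".". A wholly empty value is not flagged.
has_cwd_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare both forms with the variable unset/empty and already populated.
for old in "" "/opt/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        new=$($fn "$OVERLAY_LIB" "$old")
        if has_cwd_entry "$new"; then
            verdict="UNSAFE: cwd is searched"
        else
            verdict="ok"
        fi
        printf '%-15s old=%-10s -> %s [%s]\n' "$fn" "'$old'" "$new" "$verdict"
    done
done
```

Running `has_cwd_entry "$LD_LIBRARY_PATH"` in a shell after sourcing the activate script shows whether the session is affected.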