oss-sec mailing list archives

CVE Request: sblim-sfcb: insecure LD_LIBRARY_PATH usage


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Jul 2012 15:41:21 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Originally found at:
https://bugzilla.novell.com/show_bug.cgi?id=770234

Marcus Meissner 2012-07-06 12:18:54 UTC

found by grep.

/etc/init.d/sfcb uses:

LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH

which is insecure if LD_LIBRARY_PATH is empty. It makes binaries use
libraries from the current directory, which is a problem if e.g. an
administrator starts the sfcb service from an untrusted directory.

Also it uses it to set /usr/lib, a default path.

Just get rid of the whole if ... as it is useless.

This is now filed in Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=838160



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993




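The pattern the report describes, as an added example that is not code from sfcb's init script or from the bug report: the unconditional prepend beside a form that adds the separator only when the inherited value is non-empty, a check for empty elements in a search path, and a grep-style audit of a script in the spirit of "found by grep". The function names are invented for this illustration.

```shell
#!/bin/sh
# Added example; not code from sfcb or the bug report. Function names are
# invented for this illustration.

# The construction from the report. When $1 (the inherited LD_LIBRARY_PATH)
# is empty the result is "/usr/lib:", and the empty element after the colon
# makes the dynamic linker search the current working directory.
unsafe_prepend() {
    printf '%s' "/usr/lib:$1"
}

# Safe variant: ${1:+:$1} expands to ":$1" only when $1 is non-empty, so no
# empty element is ever produced. (In sfcb's case /usr/lib is a default
# search path anyway, so the whole assignment can simply be dropped.)
safe_prepend() {
    printf '%s' "/usr/lib${1:+:$1}"
}

# Returns 0 (true) if a colon-separated search path contains an empty
# element (leading, trailing, or doubled colon). An entirely empty value is
# not flagged: the linker ignores an empty LD_LIBRARY_PATH.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Heuristic audit: print lines of a script that glue LD_LIBRARY_PATH onto
# another path with a bare colon. The ${VAR:+:$VAR} idiom is excluded
# because it cannot yield an empty element.
find_unsafe_prepends() {
    grep -En ':\$[{]?LD_LIBRARY_PATH|LD_LIBRARY_PATH[}]?:' "$1" \
        | grep -v ':+:' || true
}

# Demonstration with an unset variable, as on a freshly booted system.
unset LD_LIBRARY_PATH
if has_empty_element "$(unsafe_prepend "$LD_LIBRARY_PATH")"; then
    echo "unsafe: '$(unsafe_prepend "$LD_LIBRARY_PATH")' -> CWD is searched"
fi
echo "safe:   '$(safe_prepend "$LD_LIBRARY_PATH")'"
```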