treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH

Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted.  (See #67234, for
example.)  Fix this throughout the tree.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>

1 files changed, 1 insertions, 1 deletions

diff --git a/pkgs/development/libraries/qt-4.x/4.8/default.nix b/pkgs/development/libraries/qt-4.x/4.8/default.nix
index 25953949eb7..379f5b3d80e 100644
--- a/pkgs/development/libraries/qt-4.x/4.8/default.nix
+++ b/pkgs/development/libraries/qt-4.x/4.8/default.nix
@@ -125,7 +125,7 @@ stdenv.mkDerivation rec {
       ];
 
   preConfigure = ''
-    export LD_LIBRARY_PATH="`pwd`/lib:$LD_LIBRARY_PATH"
+    export LD_LIBRARY_PATH="`pwd`/lib''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
     configureFlags+="
       -docdir $out/share/doc/${name}
       -plugindir $out/lib/qt4/plugins