author | Anders Kaseorg <andersk@mit.edu> | 2020-01-01 16:29:34 -0800 |
---|---|---|
committer | Frederik Rietdijk <freddyrietdijk@fridh.nl> | 2020-01-15 09:47:03 +0100 |
commit | 3cd8ce3bce1e3d89b21caa0d3ad458193f5179ba (patch) | |
tree | 7a1f1889004dce271903d69dce5c1f5a2cf92b07 /pkgs/development/libraries | |
parent | 2e5051e2235f93829f0d6531ace21e87f2a486a4 (diff) | |
treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. (See #67234, for example.) Fix this throughout the tree. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Diffstat (limited to 'pkgs/development/libraries')
-rw-r--r-- | pkgs/development/libraries/boxfort/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/caf/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/criterion/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/cutelyst/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/exiv2/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/glib/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/grpc/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/jsoncpp/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/libtins/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/orcania/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/qt-4.x/4.8/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/qt-5/modules/qtbase.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/science/math/arpack/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/science/math/scalapack/default.nix | 2 | ||||
-rw-r--r-- | pkgs/development/libraries/yder/default.nix | 2 |
15 files changed, 19 insertions, 19 deletions
diff --git a/pkgs/development/libraries/boxfort/default.nix b/pkgs/development/libraries/boxfort/default.nix index 95c1afd090f..fb6e735c46e 100644 --- a/pkgs/development/libraries/boxfort/default.nix +++ b/pkgs/development/libraries/boxfort/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=`pwd`''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; outputs = [ "dev" "out" ]; diff --git a/pkgs/development/libraries/caf/default.nix b/pkgs/development/libraries/caf/default.nix index ecf991cb59c..e32ec169579 100644 --- a/pkgs/development/libraries/caf/default.nix +++ b/pkgs/development/libraries/caf/default.nix @@ -22,8 +22,8 @@ stdenv.mkDerivation rec { doCheck = true; checkTarget = "test"; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$PWD/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}$PWD/lib ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/criterion/default.nix b/pkgs/development/libraries/criterion/default.nix index c2721d3839a..3dc4b462404 100644 --- a/pkgs/development/libraries/criterion/default.nix +++ b/pkgs/development/libraries/criterion/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { cmakeFlags = [ "-DCTESTS=ON" ]; doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=`pwd`:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=`pwd`''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; checkTarget = "criterion_tests test"; diff --git a/pkgs/development/libraries/cutelyst/default.nix b/pkgs/development/libraries/cutelyst/default.nix index 6cd464e5539..2cf611eed27 100644 --- a/pkgs/development/libraries/cutelyst/default.nix +++ b/pkgs/development/libraries/cutelyst/default.nix 
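Review bot: The `''${LD_LIBRARY_PATH:+:}` guard in the boxfort `preCheck` only covers an unset or empty variable. If the inherited value already starts or ends with `:` or contains `::`, the exported path still carries an empty segment, and the current-directory lookup described in the commit message remains. The same applies to every other hunk in this commit that uses the pattern, including the `DYLD_LIBRARY_PATH` lines. Inside the Nix build environment the variable is presumably unset or written by setup hooks, so this is probably acceptable, but the assumption should be stated next to the export, for example `# assumes an inherited LD_LIBRARY_PATH has no leading, trailing or doubled ':'`. The same comment could also say that `''$` is the Nix indented-string escape that passes a literal `${` through to bash.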
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec { ]; preBuild = '' - export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:`pwd`/Cutelyst:`pwd`/EventLoopEPoll" + export LD_LIBRARY_PATH="$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/Cutelyst:`pwd`/EventLoopEPoll" ''; postBuild = '' diff --git a/pkgs/development/libraries/exiv2/default.nix b/pkgs/development/libraries/exiv2/default.nix index 21f63e07335..425346df816 100644 --- a/pkgs/development/libraries/exiv2/default.nix +++ b/pkgs/development/libraries/exiv2/default.nix @@ -69,7 +69,7 @@ stdenv.mkDerivation rec { ''} ${stdenv.lib.optionalString stdenv.isDarwin '' - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:`pwd`/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}`pwd`/lib # Removing tests depending on charset conversion substituteInPlace ../test/Makefile --replace "conversions.sh" "" rm -f ../tests/bugfixes/redmine/test_issue_460.py diff --git a/pkgs/development/libraries/glib/default.nix b/pkgs/development/libraries/glib/default.nix index 4a7d6cce90b..18756213230 100644 --- a/pkgs/development/libraries/glib/default.nix +++ b/pkgs/development/libraries/glib/default.nix @@ -160,7 +160,7 @@ stdenv.mkDerivation rec { checkInputs = [ tzdata libxml2 desktop-file-utils shared-mime-info ]; preCheck = optionalString doCheck '' - export LD_LIBRARY_PATH="$NIX_BUILD_TOP/${pname}-${version}/glib/.libs:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$NIX_BUILD_TOP/${pname}-${version}/glib/.libs''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export TZDIR="${tzdata}/share/zoneinfo" export XDG_CACHE_HOME="$TMP" export XDG_RUNTIME_HOME="$TMP" diff --git a/pkgs/development/libraries/grpc/default.nix b/pkgs/development/libraries/grpc/default.nix index abcd3abaf30..dfec171f1db 100644 --- a/pkgs/development/libraries/grpc/default.nix +++ b/pkgs/development/libraries/grpc/default.nix 
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec { ''; preBuild = '' - export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH ''; NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.cc.isClang "-Wno-error=unknown-warning-option"; diff --git a/pkgs/development/libraries/jsoncpp/default.nix b/pkgs/development/libraries/jsoncpp/default.nix index 72158e186ac..7b06cc8ad4e 100644 --- a/pkgs/development/libraries/jsoncpp/default.nix +++ b/pkgs/development/libraries/jsoncpp/default.nix @@ -23,9 +23,9 @@ stdenv.mkDerivation rec { # Hack to be able to run the test, broken because we use # CMAKE_SKIP_BUILD_RPATH to avoid cmake resetting rpath on install preBuild = if stdenv.isDarwin then '' - export DYLD_LIBRARY_PATH="`pwd`/src/lib_json:$DYLD_LIBRARY_PATH" + export DYLD_LIBRARY_PATH="`pwd`/src/lib_json''${DYLD_LIBRARY_PATH:+:}$DYLD_LIBRARY_PATH" '' else '' - export LD_LIBRARY_PATH="`pwd`/src/lib_json:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="`pwd`/src/lib_json''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ''; nativeBuildInputs = [ cmake python ]; diff --git a/pkgs/development/libraries/libtins/default.nix b/pkgs/development/libraries/libtins/default.nix index c90cff31677..60bb092c6fa 100644 --- a/pkgs/development/libraries/libtins/default.nix +++ b/pkgs/development/libraries/libtins/default.nix @@ -32,8 +32,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; doCheck = true; preCheck = '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD${placeholder "out"}/lib - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$PWD${placeholder "out"}/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD${placeholder "out"}/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}$PWD${placeholder "out"}/lib ''; checkTarget = "tests test"; diff --git a/pkgs/development/libraries/orcania/default.nix b/pkgs/development/libraries/orcania/default.nix index bc27011c588..2f8765f9a72 100644 
--- a/pkgs/development/libraries/orcania/default.nix +++ b/pkgs/development/libraries/orcania/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export DYLD_FALLBACK_LIBRARY_PATH="$(pwd):$DYLD_FALLBACK_LIBRARY_PATH" ''; diff --git a/pkgs/development/libraries/qt-4.x/4.8/default.nix b/pkgs/development/libraries/qt-4.x/4.8/default.nix index 25953949eb7..379f5b3d80e 100644 --- a/pkgs/development/libraries/qt-4.x/4.8/default.nix +++ b/pkgs/development/libraries/qt-4.x/4.8/default.nix @@ -125,7 +125,7 @@ stdenv.mkDerivation rec { ]; preConfigure = '' - export LD_LIBRARY_PATH="`pwd`/lib:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="`pwd`/lib''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" configureFlags+=" -docdir $out/share/doc/${name} -plugindir $out/lib/qt4/plugins diff --git a/pkgs/development/libraries/qt-5/modules/qtbase.nix b/pkgs/development/libraries/qt-5/modules/qtbase.nix index bc23d0f9caf..930c59d347b 100644 --- a/pkgs/development/libraries/qt-5/modules/qtbase.nix +++ b/pkgs/development/libraries/qt-5/modules/qtbase.nix @@ -164,7 +164,7 @@ stdenv.mkDerivation { setOutputFlags = false; preConfigure = '' - export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms:$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" ${lib.optionalString (compareVersion "5.9.0" < 0) '' # We need to set LD to CXX or otherwise we get nasty compile errors export LD=$CXX diff --git a/pkgs/development/libraries/science/math/arpack/default.nix b/pkgs/development/libraries/science/math/arpack/default.nix index 36576de0563..89f3aa94247 100644 --- a/pkgs/development/libraries/science/math/arpack/default.nix +++ b/pkgs/development/libraries/science/math/arpack/default.nix 
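Review bot: The orcania `preCheck` still builds `DYLD_FALLBACK_LIBRARY_PATH` with the naive form on the context line directly below the fixed `LD_LIBRARY_PATH` export, so an unset variable produces `$(pwd):` with a trailing empty segment. The yder hunk has the same leftover line. Whether dyld resolves an empty segment the way glibc does is not established on this page, but leaving one variable unguarded next to a guarded one is inconsistent with a commit described as a tree-wide fix. It would be simpler to use the same idiom: `export DYLD_FALLBACK_LIBRARY_PATH="$(pwd)''${DYLD_FALLBACK_LIBRARY_PATH:+:}$DYLD_FALLBACK_LIBRARY_PATH"`.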
@@ -30,9 +30,9 @@ stdenv.mkDerivation { ]; preCheck = if stdenv.isDarwin then '' - export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:`pwd`/lib + export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH''${DYLD_LIBRARY_PATH:+:}`pwd`/lib '' else '' - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/lib '' + '' # Prevent tests from using all cores export OMP_NUM_THREADS=2 diff --git a/pkgs/development/libraries/science/math/scalapack/default.nix b/pkgs/development/libraries/science/math/scalapack/default.nix index bff0d9a85fa..fda902f320c 100644 --- a/pkgs/development/libraries/science/math/scalapack/default.nix +++ b/pkgs/development/libraries/science/math/scalapack/default.nix @@ -40,7 +40,7 @@ stdenv.mkDerivation rec { # Run single threaded export OMP_NUM_THREADS=1 - export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:`pwd`/lib + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}`pwd`/lib ''; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/yder/default.nix b/pkgs/development/libraries/yder/default.nix index 7025fd2eb1c..5ddb1d1a131 100644 --- a/pkgs/development/libraries/yder/default.nix +++ b/pkgs/development/libraries/yder/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { doCheck = true; preCheck = '' - export LD_LIBRARY_PATH="$(pwd):$LD_LIBRARY_PATH" + export LD_LIBRARY_PATH="$(pwd)''${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" export DYLD_FALLBACK_LIBRARY_PATH="$(pwd):$DYLD_FALLBACK_LIBRARY_PATH" ''; |