Hello everyone,
Recently I was looking at CVE-2010-3387(for purposes of patching it
downstream) and I glanced upon the discussion and the patch that had been
proposed earlier - you can view them at [1].
As discussed earlier, I feel that the original issue was not a security
issue as it had a ";"(semi-colon) in the LD_LIBRARY_PATH.
$ echo "/usr/lib/debug;$LD_LIBRARY_PATH"
/usr/lib/debug;
However, if the case of the patch, if LD_LIBRARY_PATH were not defined,
you'd have :-
$ echo "/usr/lib/debug:${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
/usr/lib/debug:
and ld.so would treat the empty item as '.'
Cheers,
zm
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598308
