project_loader, formatting_utils: take empty env values into account #3345

Merged
merged 3 commits into from Dec 5, 2020


sergiusens
Collaborator

A general solution for a specific problem with LD_LIBRARY_PATH and
PATH where the env can contain two successive colons and that being
interpreted as the CWD.

Signed-off-by: Sergio Schvezov <sergio.schvezov@canonical.com>

  • Have you followed the guidelines for contributing?
  • Have you signed the CLA?
  • Have you successfully run ./runtests.sh static?
  • Have you successfully run ./runtests.sh tests/unit?

Prevent library injection vulnerability on strict mode snaps built
with Snapcraft via misconfigured LD_LIBRARY_PATH:

- project_loader: do not export empty environment
- meta: do not export empty environment. Warn on empty environment.

CVE-2020-27348
LP: #1901572

Signed-off-by: Sergio Schvezov <sergio.schvezov@canonical.com>
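
An added example, not part of this pull request and not Snapcraft's own code: a sketch of the check and the fix the description refers to, generalized from two successive colons to leading and trailing colons, which also produce a zero-length element. The function names, `SAMPLE_ENV` and the `/snap/example` paths are hypothetical and constructed for illustration.

```python
from typing import Dict, Iterable, List

# ld.so and POSIX PATH lookup both resolve a zero-length element as the CWD.
SEARCH_PATH_VARS = ("LD_LIBRARY_PATH", "PATH")


def empty_elements(value: str) -> List[int]:
    """Indexes of empty elements in a colon-separated search path."""
    return [i for i, part in enumerate(value.split(":")) if part == ""]


def join_path_elements(elements: Iterable[str]) -> str:
    """Join with ':' and drop empty elements (no '::', leading or trailing ':')."""
    return ":".join(e for e in elements if e)


def export_lines(env: Dict[str, str]) -> List[str]:
    """Render export statements, cleaning search paths and skipping empty values."""
    lines = []
    for name, value in env.items():
        if name in SEARCH_PATH_VARS:
            value = join_path_elements(value.split(":"))
        if not value:
            continue  # do not export an empty environment variable
        lines.append(f'export {name}="{value}"')
    return lines


# Constructed sample: an unset variable was expanded in the middle and at the end.
SAMPLE_ENV = {
    "LD_LIBRARY_PATH": "/snap/example/lib::/snap/example/usr/lib:",
    "PATH": "/snap/example/bin:/usr/bin",
    "EXAMPLE_OPTS": "",
}

if __name__ == "__main__":
    for name in SEARCH_PATH_VARS:
        print(name, "empty elements at", empty_elements(SAMPLE_ENV[name]))
    print("\n".join(export_lines(SAMPLE_ENV)))
```
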
Contributor

@cjp256 cjp256 left a comment

LGTM

@sergiusens sergiusens merged commit a0ceca9 into snapcore:master Dec 5, 2020
1 of 2 checks passed
@sergiusens sergiusens deleted the env branch December 5, 2020 00:30
abitrolly pushed a commit to abitrolly/snapcraft that referenced this pull request Mar 31, 2021
…napcore#3345)
