Fix insecure handling of LD_LIBRARY_PATH that could lead to the
authorStefan Fritsch <sf@apache.org>
Fri, 2 Mar 2012 20:06:34 +0000 (20:06 +0000)
committerStefan Fritsch <sf@apache.org>
Fri, 2 Mar 2012 20:06:34 +0000 (20:06 +0000)
current working directory to be searched for DSOs

CVE-2012-0883

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1296428 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
support/envvars-std.in

diff --git a/CHANGES b/CHANGES
index 5e7f017f6fb9fab84cf6fd4fc8d2c3a5c1334b27..a3b1d3a1c287e3d5a29b7c481fe9dbc1f9959633 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+     current working directory to be searched for DSOs. [Stefan Fritsch]
+
   *) Fix MPM DSO load failure on AIX.  [Jeff Trawick]
 
   *) core: Add the port number to the vhost's name in the scoreboard.
index cf50c5c75e5152dce86ef6bd361b78474fac9feb..9493bc749ca20788438360e1e5538be92a5ca360 100644 (file)
 #
 # This file is generated from envvars-std.in
 #
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+if test "x$@SHLIBPATH_VAR@" != "x" ; then
+  @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+else
+  @SHLIBPATH_VAR@="@exp_libdir@"
+fi
 export @SHLIBPATH_VAR@
 #
 @OS_SPECIFIC_VARS@
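Review bot: The new `if test "x$@SHLIBPATH_VAR@" != "x"` guard has no comment explaining why the empty case is split out, so a later cleanup could fold it back into the single assignment and bring back the trailing colon. I would add above the `if`: `# An empty element in the library path makes the loader search the current directory; append the old value only when it is non-empty.` The guard covers only an unset or empty variable: an inherited value that itself starts or ends with `:` or contains `::` is still passed through unchanged, which is worth either stating in that comment or normalising here. The file header and `@@` line for this section are not visible on the page, so this applies only to the lines shown.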