Merge r1296428 from trunk:

Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs

CVE-2012-0883

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1341651 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 53b98b851e4e24e3b72336ca4ddacb8732c06602..4da3193addca56f2bb39914e5f49fe51164f82ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.23
 
+  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+     current working directory to be searched for DSOs. [Stefan Fritsch]
+
   *) core: Fix building against PCRE 8.30 by switching from the obsolete
      pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
 

diff --git a/support/envvars-std.in b/support/envvars-std.in
index cf50c5c75e5152dce86ef6bd361b78474fac9feb..9493bc749ca20788438360e1e5538be92a5ca360 100644 (file)
--- a/support/envvars-std.in
+++ b/support/envvars-std.in
@@ -18,7 +18,11 @@
 #
 # This file is generated from envvars-std.in
 #
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+if test "x$@SHLIBPATH_VAR@" != "x" ; then
+  @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+else
+  @SHLIBPATH_VAR@="@exp_libdir@"
+fi
 export @SHLIBPATH_VAR@
 #
 @OS_SPECIFIC_VARS@