From: Stefan Fritsch Date: Fri, 2 Mar 2012 20:06:34 +0000 (+0000) Subject: Fix insecure handling of LD_LIBRARY_PATH that could lead to the X-Git-Tag: 2.5.0-alpha~7422 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d9207c78c138a941a763b8fe14eca26c43698d7;p=thirdparty%2Fapache%2Fhttpd.git Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs CVE-2012-0883 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1296428 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 5e7f017f6fb..a3b1d3a1c28 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+ envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+ current working directory to be searched for DSOs. [Stefan Fritsch]
+
 *) Fix MPM DSO load failure on AIX. [Jeff Trawick]
 *) core: Add the port number to the vhost's name in the scoreboard.
diff --git a/support/envvars-std.in b/support/envvars-std.in
index cf50c5c75e5..9493bc749ca 100644
--- a/support/envvars-std.in
+++ b/support/envvars-std.in
@@ -18,7 +18,11 @@
 #
 # This file is generated from envvars-std.in
 #
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+if test "x$@SHLIBPATH_VAR@" != "x" ; then
+ @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+else
+ @SHLIBPATH_VAR@="@exp_libdir@"
+fi
 export @SHLIBPATH_VAR@
 #
 @OS_SPECIFIC_VARS@
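Review bot: The guard added in support/envvars-std.in covers only an unset or empty @SHLIBPATH_VAR@; in the `then` branch a non-empty inherited value is still appended unchanged, so an empty element inside it (a leading or trailing colon, or `::`) or a relative entry is still resolved against the current working directory by the loader. If this file is sourced by a privileged start script, which the hunk does not show, the inherited value is effectively caller-controlled input. I would at least document the assumption above the `if`, e.g. `# An inherited @SHLIBPATH_VAR@ is appended unchanged; it must not contain empty or relative entries.`, and consider whether the inherited value should be kept at all in that context.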