Update LD_LIBRARY_PATH in snapcraft.yaml

This fixes CVE-2020-27348 where snapcraft/snapd don't set an LD_LIBRARY_PATH upon invoking a snap, so by including `:$LD_LIBRARY_PATH` at the end of our custom setting we were causing an empty entry to be appended. This causes the ability for someone to potentially load an arbitrary library into our runtime because the empty entry in the search path means the dynamic linker will search the "current working directory" of where the app was launched from outside of confinement.

We also include the SuperBuild `lib` directory in the search path.
pull/1527/head
Dani Llewellyn 2022-08-29 20:51:49 +01:00
parent 07fcf73a88
commit c6508b3f8b
No known key found for this signature in database
GPG Key ID: C75969D9238A4A8E
1 changed file with 1 addition and 1 deletion
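
The empty-entry condition described in the commit message can be checked mechanically. The following is an added example, not part of the commit or the project: a POSIX shell check that expands a snapcraft `environment` value as it would look with `LD_LIBRARY_PATH` unset and reports any empty search-path entry. The function names are hypothetical; the two sample values are copied from the diff on this page.

```shell
#!/bin/sh
# Added example (not from the commit): find empty entries in a library search
# path. The dynamic linker reads a zero-length entry as the current directory.

# Expand a snapcraft environment value as it looks when LD_LIBRARY_PATH is
# unset. Only the plain $VAR and ${VAR} forms are handled (assumption).
expand_unset() {
    printf '%s\n' "$1" |
        sed -e 's/\${LD_LIBRARY_PATH}//g' -e 's/\$LD_LIBRARY_PATH//g'
}

# Print the 1-based position of every empty entry in a colon-separated list.
# Returns 0 if at least one empty entry exists, 1 otherwise.
empty_entries() {
    rest=$1 idx=1 found=1
    [ -n "$rest" ] || return 1      # no entries at all, nothing to report
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        if [ -z "$entry" ]; then echo "$idx"; found=0; fi
        [ "$more" -eq 1 ] || break
        idx=$((idx + 1))
    done
    return "$found"
}

# Report on one value; returns 1 when the expanded path has an empty entry.
check_value() {
    expanded=$(expand_unset "$1")
    if positions=$(empty_entries "$expanded"); then
        echo "UNSAFE: empty entry at position(s):" $positions
        return 1
    fi
    echo "ok"
}

# The two LD_LIBRARY_PATH values from the diff on this page (single-quoted so
# $SNAP and $SNAPCRAFT_ARCH_TRIPLET stay literal).
OLD_VALUE='$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack:$LD_LIBRARY_PATH'
NEW_VALUE='$SNAP/odm/SuperBuild/install/lib:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack'

check_value "$OLD_VALUE" || true   # UNSAFE: empty entry at position(s): 3
check_value "$NEW_VALUE"           # ok
```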


@ -200,7 +200,7 @@ apps:
command: odm/run.sh
environment:
# Ensure libraries are found
LD_LIBRARY_PATH: $SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack:$LD_LIBRARY_PATH
LD_LIBRARY_PATH: $SNAP/odm/SuperBuild/install/lib:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack
PYTHONPATH: $SNAP/odm/SuperBuild/install:$SNAP/lib/python3.8/site-packages:$SNAP/usr/lib/python3/dist-packages/:$SNAP/usr/lib/python3.8
plugs:
- home
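
Review bot: the `# Ensure libraries are found` comment above the new `LD_LIBRARY_PATH` line does not record why `$LD_LIBRARY_PATH` is no longer appended, so a later edit could reintroduce the trailing empty entry. Extend the comment to say that the inherited value is deliberately omitted because it is unset when the snap is invoked. Separately, `$SNAP/odm/SuperBuild/install/lib` is placed first in the list, so it takes precedence over the `blas` and `lapack` directories; confirm that this ordering is intended.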