From c6508b3f8bee4e6586d6b1fe285eaad4410abb62 Mon Sep 17 00:00:00 2001 From: Dani Llewellyn Date: Mon, 29 Aug 2022 20:51:49 +0100 Subject: [PATCH] Update LD_LIBRARY_PATH in snapcraft.yaml This fixes CVE-2020-27348 where snapcraft/snapd don't set an LD_LIBRARY_PATH upon invoking a snap so including `:$LD_LIBRARY_PATH` at the end of our custom setting we were causing an empty entry to be appended. This causes the ability for someone to potentially load an arbitrary library into our runtime because the empty entry in the search path means the dynamic linker will search the "current working directory" of where the app was launched from outside of confinement. We also include the SuperBuild `lib` directory in the search path. --- snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index e17ab37d..6856a9a8 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -200,7 +200,7 @@ apps: command: odm/run.sh environment: # Ensure libraries are found - LD_LIBRARY_PATH: $SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack:$LD_LIBRARY_PATH + LD_LIBRARY_PATH: $SNAP/odm/SuperBuild/install/lib:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/blas:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/lapack PYTHONPATH: $SNAP/odm/SuperBuild/install:$SNAP/lib/python3.8/site-packages:$SNAP/usr/lib/python3/dist-packages/:$SNAP/usr/lib/python3.8 plugs: - home