The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths. Vulnerable code follows: /usr/bin/scilab-adv-cli line 280: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 459: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 518: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab-adv-cli line 534: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH /usr/bin/scilab line 283: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab line 462: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab line 521: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab line 537: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this bug.
По сравнению с debian у нас в scilab из shell-скриптов есть только /usr/bin/scilab Там есть несколько точек с небезопасным изменением LD_LIBRARY_PATH: /usr/bin/scilab line 398: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab line 442: LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} В последнем случае лучше заменить на: LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Это не ко мне уже. Заодно исправьте ошибку с арифметическим переполнением при компиляции фортрана.
$ ssh git.alt acl sisyphus scilab show scilab nbr @everybody перевесьте пакет на nobody@
В scilab-6.1.1-alt1 есть обработка пустых значений переменных в LD_LIBRARY_PATH