# HG changeset patch
# User Deepak Bhole <dbhole@redhat.com>
# Date 1297709995 18000
# Node ID af8d359d6daa19d4e3971c98c344dd2ee12192fe
# Parent  cc8c67ed615e112e1e8f1c16c61f9acf1406e769
Fixed S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries

diff -r cc8c67ed615e -r af8d359d6daa ChangeLog
--- a/ChangeLog	Thu Feb 10 11:19:53 2011 -0500
+++ b/ChangeLog	Mon Feb 14 13:59:55 2011 -0500
@@ -1,3 +1,10 @@
+2011-02-11  Deepak Bhole <dbhole@redhat.com>
+
+	Fix S6983554, CVE-2010-4450: Launcher incorrect processing of empty
+	library path entries
+	* NEWS: Updated.
+	* launcher/java_md.c: Ignore empty LD_LIBRARY_PATH.
+
 2011-02-10  Deepak Bhole <dbhole@redhat.com>
 
 	* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize):
diff -r cc8c67ed615e -r af8d359d6daa NEWS
--- a/NEWS	Thu Feb 10 11:19:53 2011 -0500
+++ b/NEWS	Mon Feb 14 13:59:55 2011 -0500
@@ -10,6 +10,9 @@
 
 New in release 1.0.1 (2011-XX-XX):
 
+* Security updates
+  - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries 
+
 New in release 1.0 (2011-02-02):
 
 * Initial release of IcedTea-Web
diff -r cc8c67ed615e -r af8d359d6daa launcher/java_md.c
--- a/launcher/java_md.c	Thu Feb 10 11:19:53 2011 -0500
+++ b/launcher/java_md.c	Mon Feb 14 13:59:55 2011 -0500
@@ -484,7 +484,7 @@
        * LD_LIBRARY_PATH.  Note that this prevents any possible infinite
        * loop of execv() because we test for the prefix, above.
        */
-      if (runpath != 0) {
+      if (runpath != 0 && (runpath[0] != '\0')) {
         strcat(new_runpath, ":");
         strcat(new_runpath, runpath);
       }