changeset 99:af8d359d6daa

Fixed S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries
author Deepak Bhole <dbhole@redhat.com>
date Mon, 14 Feb 2011 13:59:55 -0500
parents cc8c67ed615e
children 9199a6ec1f0c
files ChangeLog NEWS launcher/java_md.c
diffstat 3 files changed, 11 insertions(+), 1 deletions(-)
--- a/ChangeLog	Thu Feb 10 11:19:53 2011 -0500
+++ b/ChangeLog	Mon Feb 14 13:59:55 2011 -0500
@@ -1,3 +1,10 @@
+2011-02-11  Deepak Bhole <dbhole@redhat.com>
+
+	Fix S6983554, CVE-2010-4450: Launcher incorrect processing of empty
+	library path entries
+	* NEWS: Updated.
+	* launcher/java_md.c: Ignore empty LD_LIBRARY_PATH.
+
 2011-02-10  Deepak Bhole <dbhole@redhat.com>
 
 	* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize):
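Review bot: the `* launcher/java_md.c: Ignore empty LD_LIBRARY_PATH.` line does not name the function that was changed, while the neighbouring entry does so with `(initialize)`. Adding the function name in parentheses after the file path would keep the entry consistent with the rest of the file and make the fix easier to find later. The entry header is also dated 2011-02-11 while the changeset itself is dated 14 Feb 2011; worth aligning if the ChangeLog is meant to track commit dates.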
--- a/NEWS	Thu Feb 10 11:19:53 2011 -0500
+++ b/NEWS	Mon Feb 14 13:59:55 2011 -0500
@@ -10,6 +10,9 @@
 
 New in release 1.0.1 (2011-XX-XX):
 
+* Security updates
+  - S6983554, CVE-2010-4450: Launcher incorrect processing of empty library path entries 
+
 New in release 1.0 (2011-02-02):
 
 * Initial release of IcedTea-Web
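Review bot: the added `- S6983554, CVE-2010-4450: ...` line ends with a trailing space after "entries"; please strip it. The line is also noticeably longer than the ChangeLog version of the same text, which is wrapped after "empty", so wrapping it here the same way would keep NEWS readable in a terminal.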
--- a/launcher/java_md.c	Thu Feb 10 11:19:53 2011 -0500
+++ b/launcher/java_md.c	Mon Feb 14 13:59:55 2011 -0500
@@ -484,7 +484,7 @@
        * LD_LIBRARY_PATH.  Note that this prevents any possible infinite
        * loop of execv() because we test for the prefix, above.
        */
-      if (runpath != 0) {
+      if (runpath != 0 && (runpath[0] != '\0')) {
         strcat(new_runpath, ":");
         strcat(new_runpath, runpath);
       }
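Review bot: the new condition `runpath[0] != '\0'` only rejects an LD_LIBRARY_PATH that is empty as a whole; a value with a leading colon, a trailing colon or a doubled colon still carries empty entries, and `strcat(new_runpath, runpath)` appends it verbatim. The dynamic linker treats a zero-length entry as the current working directory, and the commit title speaks of empty entries rather than an empty variable, so consider dropping empty components from runpath before appending instead of testing only its first byte. If the narrower check is intentional, a sentence in the comment above saying why an entirely empty value is the only case to skip would help. The inner parentheses around `runpath[0] != '\0'` are redundant.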