Insecure LD_LIBRARY_PATH usage in OpenOffice.org shell scripts
- Synopsis: The OpenOffice.org start script and other shell scripts expand the LD_LIBRARY_PATH in an insecure way
- State: Resolved
The OpenOffice.org start script and other shell scripts expand the LD_LIBRARY_PATH in a way that the current directory might be searched for libraries before /lib and /usr/lib, which can have security implications.
2. Affected releases
- All versions of OpenOffice.org 3 prior to version 3.3
Note: OpenOffice.org 2 is not impacted by this issue. Earlier versions of OpenOffice.org are no longer supported and will not be evaluated regarding this issue.
There are no predictable symptoms that would indicate this issue has occurred.
To work around the described issue, make sure that LD_LIBRARY_PATH is not empty before running soffice or other OpenOffice.org shell scripts.
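The sketch below is an added example, not code from the OpenOffice.org scripts, and shows why a non-empty LD_LIBRARY_PATH avoids the problem. The dynamic loader treats an empty element in LD_LIBRARY_PATH (leading, trailing or doubled colon) as the current directory, so blindly concatenating onto an empty variable leaves a trailing empty element. The function names, the concatenation pattern and the `/opt/example/program` directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not taken from the OpenOffice.org shell scripts.
# PROG_DIR is a constructed placeholder for the program directory.
PROG_DIR="/opt/example/program"

# Assumed problematic pattern: blind concatenation with a colon.
# When the existing value is empty, the result ends in ":".
prepend_unsafe() {
    # $1 = directory to add, $2 = existing LD_LIBRARY_PATH value
    printf '%s\n' "$1:$2"
}

# Hardened form: emit the separator only when there is a value to append.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 if the search path contains an empty element
# (leading, trailing or doubled colon), 1 otherwise.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare both forms with an empty and a non-empty starting value
# (both starting values are constructed samples).
for current in "" "/usr/local/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        result=$($fn "$PROG_DIR" "$current")
        if has_empty_element "$result"; then
            verdict="empty element: current directory is searched"
        else
            verdict="ok"
        fi
        printf '%-15s start=%-17s -> %s (%s)\n' \
            "$fn" "'$current'" "$result" "$verdict"
    done
done
```

The same `has_empty_element` check can be applied to the value of LD_LIBRARY_PATH in a wrapper or audit script before launching an affected release.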
This issue is addressed in the following release: OpenOffice.org 3.3
OpenOffice.org acknowledges with thanks, Dmitri Gribenko.