From e12f4db55640401ff06749231a4f4ffcef9a7269 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Thu, 4 Nov 2021 16:14:48 -0700
Subject: [PATCH] treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH, round 2
Naive concatenation of $LD_LIBRARY_PATH can result in an empty colon-delimited segment; this tells glibc to load libraries from the current directory, which is definitely wrong, and may be a security vulnerability if the current directory is untrusted. (See #67234, for example.) Fix this throughout the tree. Followup to #76804. Fixes #144646.
Signed-off-by: Anders Kaseorg
---
doc/using/overlays.chapter.md | 2 +-
pkgs/applications/office/jabref/default.nix | 2 +-
pkgs/development/compilers/llvm/rocm/llvm/default.nix | 2 +-
pkgs/development/libraries/spdlog/default.nix | 2 +-
.../python-modules/openbabel-bindings/default.nix | 2 +-
pkgs/development/tools/poetry2nix/poetry2nix/overrides.nix | 6 +++---
pkgs/tools/games/gamemode/preload-nix-workaround.patch | 2 +-
7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/doc/using/overlays.chapter.md b/doc/using/overlays.chapter.md
index d2e3b49a6aa..df152bc14e7 100644
--- a/doc/using/overlays.chapter.md
+++ b/doc/using/overlays.chapter.md
@@ -112,7 +112,7 @@ self: super:
This overlay uses Intel's MKL library for both BLAS and LAPACK interfaces. Note that the same can be accomplished at runtime using `LD_LIBRARY_PATH` of `libblas.so.3` and `liblapack.so.3`. For instance:
```ShellSession
-$ LD_LIBRARY_PATH=$(nix-build -A mkl)/lib:$LD_LIBRARY_PATH nix-shell -p octave --run octave
+$ LD_LIBRARY_PATH=$(nix-build -A mkl)/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH nix-shell -p octave --run octave
```
Intel MKL requires an `openmp` implementation when running with multiple processors. By default, `mkl` will use Intel's `iomp` implementation if no other is specified, but this is a runtime-only dependency and binary compatible with the LLVM implementation. To use that one instead, Intel recommends users set it with `LD_PRELOAD`. Note that `mkl` is only available on `x86_64-linux` and `x86_64-darwin`. Moreover, Hydra is not building and distributing pre-compiled binaries using it.
diff --git a/pkgs/applications/office/jabref/default.nix b/pkgs/applications/office/jabref/default.nix
index b87e74c256f..0b4ce74cdfa 100644
--- a/pkgs/applications/office/jabref/default.nix
+++ b/pkgs/applications/office/jabref/default.nix
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
makeWrapper $out/lib/runtime/bin/java $out/bin/jabref \
--add-flags '-Djava.library.path=${systemLibPaths}' --add-flags "-p $out/lib/app -m org.jabref/org.jabref.JabRefLauncher" \
- --run 'export LD_LIBRARY_PATH=${systemLibPaths}:$LD_LIBRARY_PATH'
+ --prefix LD_LIBRARY_PATH : '${systemLibPaths}'
cp -r ${desktopItem}/share/applications $out/share/
diff --git a/pkgs/development/compilers/llvm/rocm/llvm/default.nix b/pkgs/development/compilers/llvm/rocm/llvm/default.nix
index 129cc69bf6d..06dfd1870b0 100644
--- a/pkgs/development/compilers/llvm/rocm/llvm/default.nix
+++ b/pkgs/development/compilers/llvm/rocm/llvm/default.nix
@@ -74,7 +74,7 @@ in stdenv.mkDerivation rec {
'';
preCheck = ''
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PWD/lib
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}$PWD/lib
'';
postInstall = ''
diff --git a/pkgs/development/libraries/spdlog/default.nix b/pkgs/development/libraries/spdlog/default.nix
index 0c75bdb9dd8..d21477d806e 100644
--- a/pkgs/development/libraries/spdlog/default.nix
+++ b/pkgs/development/libraries/spdlog/default.nix
@@ -36,7 +36,7 @@ let
'';
doCheck = true;
- preCheck = "export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH";
+ preCheck = "export LD_LIBRARY_PATH=$(pwd)\${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH";
meta = with lib; {
description = "Very fast, header only, C++ logging library";
diff --git a/pkgs/development/python-modules/openbabel-bindings/default.nix b/pkgs/development/python-modules/openbabel-bindings/default.nix
index 6488b8fad2f..fad677987bf 100644
--- a/pkgs/development/python-modules/openbabel-bindings/default.nix
+++ b/pkgs/development/python-modules/openbabel-bindings/default.nix
@@ -13,7 +13,7 @@ buildPythonPackage rec {
# some functionality to work (inparticular, pybel).
# see https://openbabel.org/docs/dev/Installation/install.html
BABEL_LIBDIR = "${openbabel}/lib/openbabel/3.1.0";
- LD_LIBRARY_PATH = "$LD_LIBRARY_PATH:${openbabel}/lib";
+ LD_LIBRARY_PATH = "${openbabel}/lib";
doCheck = false;
pythonImportsCheck = [ "openbabel" ];
diff --git a/pkgs/development/tools/poetry2nix/poetry2nix/overrides.nix b/pkgs/development/tools/poetry2nix/poetry2nix/overrides.nix
index ab1a5324c98..e464a08c849 100644
--- a/pkgs/development/tools/poetry2nix/poetry2nix/overrides.nix
+++ b/pkgs/development/tools/poetry2nix/poetry2nix/overrides.nix
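Review bot: On the added preCheck line, `''${LD_LIBRARY_PATH:+:}` is the Nix escape for a literal `${`, so the `:+` test is evaluated by the build shell, whereas `${...}` elsewhere in this file is Nix interpolation; the two read alike and the reason for the construct is not stated, so a comment above the export would help, e.g. `# shell-expanded (Nix-escaped): adds ':' only when LD_LIBRARY_PATH is non-empty, so the loader never sees an empty segment`. The two poetry2nix hunks have the same mix on a single line, with `''${LD_LIBRARY_PATH:+:}` next to Nix-interpolated `${cudatoolkit}` and `${self.torch}`, and the spdlog hunk uses the regular-string spelling `\${...}` for the same effect. Note also that the freshly built `$PWD/lib` is still appended after any pre-existing entries, so in an unsandboxed build a same-named library earlier on the path would shadow the one under test; prepending would change which library the tests exercise and is beyond this commit's scope. The enclosing derivation starts before the hunk.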
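Review bot: `LD_LIBRARY_PATH = "${openbabel}/lib";` is a derivation attribute, so it is exported into the environment of every process in the build, not only where the bindings are imported; with `doCheck = false` the only consumer visible in the hunk is `pythonImportsCheck`. If that import check is the sole reason for the variable, setting it in that phase rather than globally would keep the build's loader search path minimal, though I can't tell from this hunk whether anything else needs it. Either way the comment block above explains `BABEL_LIBDIR` only, so a one-line comment naming what needs `LD_LIBRARY_PATH` would spare the next reader the same question. The enclosing buildPythonPackage attribute set starts before the hunk.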
@@ -1700,7 +1700,7 @@ self: super:
if (!enableCuda) then ''
export USE_CUDA=0
'' else ''
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${cudatoolkit}/targets/x86_64-linux/lib"
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${cudatoolkit}/targets/x86_64-linux/lib"
'';
preFixup = lib.optionalString (!enableCuda) ''
# For some reason pytorch retains a reference to libcuda even if it
@@ -1739,9 +1739,9 @@ self: super:
];
preConfigure = if (enableCuda) then ''
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${self.torch}/${self.python.sitePackages}/torch/lib:${lib.makeLibraryPath [ cudatoolkit "${cudatoolkit}" ]}"
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${self.torch}/${self.python.sitePackages}/torch/lib:${lib.makeLibraryPath [ cudatoolkit "${cudatoolkit}" ]}"
'' else ''
- export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${self.torch}/${self.python.sitePackages}/torch/lib"
+ export LD_LIBRARY_PATH="$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${self.torch}/${self.python.sitePackages}/torch/lib"
'';
})) { };
diff --git a/pkgs/tools/games/gamemode/preload-nix-workaround.patch b/pkgs/tools/games/gamemode/preload-nix-workaround.patch
index 06989ff984a..9c8db37f5d9 100644
--- a/pkgs/tools/games/gamemode/preload-nix-workaround.patch
+++ b/pkgs/tools/games/gamemode/preload-nix-workaround.patch
@@ -6,7 +6,7 @@ index 573b3e4..6f2799e 100755
# ld will find the right path to load the library, including for 32-bit apps.
LD_PRELOAD="${GAMEMODEAUTO_NAME}${LD_PRELOAD:+:$LD_PRELOAD}"
-+LD_LIBRARY_PATH="@libraryPath@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
++LD_LIBRARY_PATH="@libraryPath@${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
-exec env LD_PRELOAD="${LD_PRELOAD}" $GAMEMODERUNEXEC "$@"
+exec env LD_PRELOAD="${LD_PRELOAD}" LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" $GAMEMODERUNEXEC "$@"
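Review bot: On the CUDA branch of the second poetry2nix hunk, the added line still passes both `cudatoolkit` and `"${cudatoolkit}"` to `lib.makeLibraryPath`; unless that derivation has a separate lib output, those appear to resolve to the same `/lib` directory twice, which is harmless for the loader but reads as a leftover. Worth checking, and if the duplicate is intentional a short comment stating which two directories it is meant to produce would stop the next reader from "fixing" it. preConfigure's `if` is entirely within the hunk; the enclosing override starts before it.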
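Review bot: The rewritten inner line `LD_LIBRARY_PATH="@libraryPath@${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"` expands to exactly the same string as the previous `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` for every value of the variable (both yield no separator when it is empty or unset), so this hunk is a spelling change rather than a fix. It also leaves the `LD_PRELOAD=` assignment just above on the other idiom, so two adjacent lines of the same script now differ in style; if tree-wide uniformity is the goal that is fine, but it is worth saying so in the commit message since the subject promises a security fix. The `-exec`/`+exec` lines here are the inner patch's own markers carried as outer context, not changes made by this commit.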