Release of LPM version 1.60 (*IMPORTANT SECURITY FIX*)

Masahiro Kasahara

Nov 21, 2014, 1:11:10 AM11/21/14
to lpm-...@googlegroups.com
Dear all,

We released LPM ver 1.60, which includes an important security fix.
All users must update to the new version immediately.

* Description of Security Issue with LPM 1.59 or Earlier
LPM set LD_LIBRARY_PATH incorrectly. On a system where
LD_LIBRARY_PATH is unset or empty, LPM inadvertently added an
empty entry to LD_LIBRARY_PATH. The dynamic linker treats an
empty entry as the current working directory, so if you ran any
program linked with dynamic libraries (in other words, almost all
programs) from an untrusted directory (i.e., a directory writable
by others, such as /tmp), you were at risk of running malicious
code placed in that directory by another user on the system.

This issue has existed since the very first version of LPM,
so all users must update to the latest version immediately.

* How to Update and Fix the Problem
Type 'lpm updateself'; the latest version will then be
downloaded and installed. After updating, you still need
to modify the shell scripts generated by previous versions of LPM.
The easiest way to do that is to type 'lpm list' right after
you log in (so that the current directory is your home
directory, which can usually be trusted). If there is any
problem, it will show you both an error message and how
to fix it. If you have not manually edited the startup shell
scripts, the single command shown to you will fix the problem.

LPM will not work if it detects the problematic setting,
so if 'lpm list' works, you do not have the problem.
If it does not work after you have modified the startup
shell scripts as suggested, it is very likely that either
you or your administrator has set an inappropriate
LD_LIBRARY_PATH, which should also be fixed. If you have
no idea how to fix it, please send an e-mail to this ML.
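As an added illustration (not LPM's own code), the following shell snippet reconstructs the class of bug described above, the correct way to prepend a directory, and the kind of empty-entry check that 'lpm list' performs on startup scripts; the function names and the /opt/lpm/lib path are assumptions.

```sh
#!/bin/sh
# Added example, not code from LPM. Shows how prepending a directory as
# "$dir:$LD_LIBRARY_PATH" produces a trailing ":" when the variable is
# unset or empty; the dynamic linker treats that empty entry as the
# current working directory.

# Buggy form (assumed reconstruction of the pre-1.60 behaviour):
# $1 = directory to add, $2 = existing LD_LIBRARY_PATH value.
buggy_prepend() {
    printf '%s:%s' "$1" "$2"
}

# Safe form: add the ":" separator only when the existing value is non-empty.
safe_prepend() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Detector: succeeds (exit 0) when a search-path value contains an empty
# element (leading ":", trailing ":", or "::"). A wholly empty value is
# fine, since the linker then searches no extra directories at all.
has_empty_element() {
    case "$1" in
        :* | *: | *::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the live environment, e.g. right after logging in from $HOME.
check_current_env() {
    if has_empty_element "${LD_LIBRARY_PATH:-}"; then
        echo "LD_LIBRARY_PATH contains an empty entry: '$LD_LIBRARY_PATH'" >&2
        return 1
    fi
    return 0
}
```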

* Other Changes
On Mac OS X, the output format of tar differs from that of GNU
tar, which led to a failure to detect the top directory
in a tarball. The problem is fixed in this release.

We thank Naohisa Goto for reporting the security issue
and contributors for reviewing the patch.

We welcome any feedback and comments.

Sincerely,
Masahiro Kasahara