Loading library with absolute path

- Loading libraries without specifying an absolute path could allow an
  attacker to load a malicious library by changing $LD_* or other aspects
  of the program's execution environment.

Change-Id: Ic51469d1ffab14008e8ef550ae604ee7f3138994
Signed-off-by: Jiwoong Im <jiwoong.im@samsung.com>

diff --git a/CMakeLists.txt b/CMakeLists.txt
index eb774bb843dc4603334f59a3c6103afad82028aa..69662f00c80b19fc06f1581ddb3db3aa26930777 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -15,6 +15,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_SOURCE_DIR}/include)
 ADD_DEFINITIONS("-DPREFIX=\"${CMAKE_INSTALL_PREFIX}\"")
 ADD_DEFINITIONS("-DDATAFS=\"${DATADIR}\"")
 ADD_DEFINITIONS("-DENABLE_UG_CREATE_CB")
+ADD_DEFINITIONS("-DUG_LIB_DIR=\"${LIB_INSTALL_DIR}\"")
 SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fvisibility=hidden -Wall")
 
 INCLUDE(FindPkgConfig)

diff --git a/src/engine.c b/src/engine.c
index bf9e32a92758bd22245a52df13fa14018781460c..a208ceb1ae1e2f42a2d04859709004aa521689d1 100644 (file)
--- a/src/engine.c
+++ b/src/engine.c
@@ -51,7 +51,7 @@ struct ug_engine *ug_engine_load()
                return NULL;
        }
 
-       handle = dlopen("libui-gadget-1-efl-engine.so", RTLD_LAZY);
+       handle = dlopen(UG_LIB_DIR"/libui-gadget-1-efl-engine.so", RTLD_LAZY);
        if (!handle) {
                _ERR("dlopen failed: %s", dlerror());
                goto engine_free;