We have a segfault when setting LD_LIBRARY_PATH to a special value $LIB $ORIGIN or $PLATFORM. Any other value is ignored. This was working fine on RHEL7 (glibc 2.17) but is starting to fail starting 2.18 or 2.19 up to current version. Issue is reproducible on all tested distribution (debian, rhel, fedora..) and can be triggered with: LD_LIBRARY_PATH='$LIB' ldconfig # Build latest version using: git clone git://sourceware.org/git/glibc.git mkdir glibc-build && cd glibc-build ../glibc/configure --disable-sanity-checks make -j LD_LIBRARY_PATH='$LIB' ./elf/ldconfig -p Stacktrace: (gdb) info stack #0 0x000000000049032b in expand_dynamic_string_token (l=0x0, input=0x7ffe35525c60 "$LIB") at dl-load.c:400 #1 0x0000000000490442 in fillin_rpath (rpath=<optimized out>, rpath@entry=0x7ffe35525c60 "$LIB", result=0x14c65e0, sep=sep@entry=0x4c5f10 ":;", what=what@entry=0x4b1ac9 "LD_LIBRARY_PATH", where=where@entry=0x0, l=l@entry=0x0) at dl-load.c:465 #2 0x000000000049094f in _dl_init_paths (llp=<optimized out>, source=0x4b1ac9 "LD_LIBRARY_PATH", glibc_hwcaps_prepend=<optimized out>, glibc_hwcaps_mask=<optimized out>) at dl-load.c:825 #3 0x00000000004648e2 in _dl_non_dynamic_init () at dl-support.c:344 #4 0x0000000000465b96 in __libc_init_first (argc=2, argv=0x7ffe35525f58, envp=0x7ffe35525f70) at init-first.c:68 #5 0x00000000004094b4 in __libc_start_main_impl (main=0x4016f0 <main>, argc=2, argv=0x7ffe35525f58, init=<optimized out>, fini=<optimized out>, rtld_fini=0x0, stack_end=0x7ffe35525f48) at ../csu/libc-start.c:362 #6 0x0000000000401cb1 in _start () at ../sysdeps/x86_64/start.S:116 Issue seems to be in elf/dl-load.c::_dl_init_paths, where 'llp="$LIB" and *l=NULL. then null pointer is propagated.
Looks like this was reported in: - Fedora 28 (https://bugzilla.redhat.com/show_bug.cgi?id=1609351) - Fedora 33 (https://bugzilla.redhat.com/show_bug.cgi?id=1715110) it was said to be reported upstream, but I can't find any related ticket here.
There's a reference to the upstream bug in the Links section of the first (glibc) bug. *** This bug has been marked as a duplicate of bug 23462 ***