This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/19749] New: Filter duplicate environment variables
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 01 Mar 2016 15:44:56 +0000
- Subject: [Bug libc/19749] New: Filter duplicate environment variables
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19749
Bug ID: 19749
Summary: Filter duplicate environment variables
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security+
The Simson & Garfinkel's âPractical UNIX & Internet Securityâ (2nd edition,
1996) mentions an attack against SUID/SGID binaries involving duplicate
environment variables. In essence, this is an interpretation conflict between
different environment variable list parsers (getenv, setenv, putenv, iterating
through environ, looking at the envp argument to main). Some implementations
will pick the first variable, some will pick the last.
We should traverse the environment very early at process startup and normalize
it, removing duplicates.
Related security advisory for CVE-2016-2381:
https://lists.debian.org/debian-security-announce/2016/msg00072.html
--
You are receiving this mail because:
You are on the CC list for the bug.