This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/19749] New: Filter duplicate environment variables


https://sourceware.org/bugzilla/show_bug.cgi?id=19749

            Bug ID: 19749
           Summary: Filter duplicate environment variables
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The Simson & Garfinkel's âPractical UNIX & Internet Securityâ (2nd edition,
1996) mentions an attack against SUID/SGID binaries involving duplicate
environment variables.  In essence, this is an interpretation conflict between
different environment variable list parsers (getenv, setenv, putenv, iterating
through environ, looking at the envp argument to main).  Some implementations
will pick the first variable, some will pick the last.

We should traverse the environment very early at process startup and normalize
it, removing duplicates.

Related security advisory for CVE-2016-2381:

https://lists.debian.org/debian-security-announce/2016/msg00072.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]