This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Tunables-related security regression
- From: Zack Weinberg <zackw at panix dot com>
- To: Siddhesh Poyarekar <siddhesh at gotplt dot org>
- Cc: Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Mon, 23 Jan 2017 09:59:05 -0500
- Subject: Re: Tunables-related security regression
- Authentication-results: sourceware.org; auth=none
- References: <e9cbe93c-e788-f67c-bfce-4c8feda220e0@redhat.com> <CAKCAbMh71Ahe9Dve1w=MqwKYUS18HCtfoBiNmoyukb-omPOJVQ@mail.gmail.com> <bf8181fd-a653-22fd-e4be-84501810536b@gotplt.org>
On Mon, Jan 23, 2017 at 8:00 AM, Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
> - all of the other MALLOC_* envvars
by which I think you mean "all of the MALLOC_* envvars except MALLOC_TRACE"?
> are ignored in AT_SECURE, but are passed on to
> non-AT_SECURE subprocesses.
MALLOC_CHECK_ is also clearly unsafe to pass on, and all of the others
look like they could at least be used for denial of service.
> I suppose if the threat perception of
> passing on envvars from AT_SECURE to non-AT_SECURE is high enough, it
> could be a case for simply dropping category (2) completely.
That's where I am right now.
zw