This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/17100] secure_getenv() does not seem to properly detect if an environment is secure


https://sourceware.org/bugzilla/show_bug.cgi?id=17100

--- Comment #4 from Brent Cook <busterb at gmail dot com> ---
Thank you for the clarification.

Though AT_SECURE is available in all kernels that glibc supports, is there
any way for an adversary to cause the fallback case to be triggered through
external means?

That there is a fallback case is a little misleading since it does not also
perform the capabilities checks that the kernel does, so I don't think one
would want it to inadvertently execute on any kernel that implements
capabilities:

http://lxr.free-electrons.com/source/security/commoncap.c#L590

-- 
You are receiving this mail because:
You are on the CC list for the bug.
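
The gap raised in comment #4, as an added example that is not part of the original message or of glibc's code: it reads the kernel's AT_SECURE verdict and compares it with an ID-only check, which cannot see capability-based elevation. The helper names `ids_differ`, `auxv_secure` and `env_is_untrusted` are hypothetical, and the example assumes the fallback is a plain real/effective ID comparison.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* ID-only comparison: the kind of check left when AT_SECURE is absent.
   It knows nothing about capabilities (assumed shape of the fallback). */
static int ids_differ(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Kernel verdict from the auxiliary vector. Returns 1 or 0, or -1 when
   there is no AT_SECURE entry: getauxval() then returns 0 and sets errno
   to ENOENT (glibc 2.19 and later). */
static int auxv_secure(void)
{
    errno = 0;
    unsigned long v = getauxval(AT_SECURE);
    if (v == 0 && errno == ENOENT)
        return -1;
    return v != 0;
}

/* Hypothetical policy: trust AT_SECURE when present; when it is missing,
   fail closed instead of silently downgrading to the ID-only check. */
static int env_is_untrusted(void)
{
    int k = auxv_secure();
    if (k < 0)
        return 1;   /* no kernel verdict: treat the environment as untrusted */
    return k;
}

int main(void)
{
    int k = auxv_secure();
    int f = ids_differ(getuid(), geteuid(), getgid(), getegid());
    printf("AT_SECURE=%d id_fallback=%d untrusted=%d\n", k, f, env_is_untrusted());
    if (k == 1 && f == 0)
        puts("kernel flags secure exec although IDs match (e.g. file capabilities)");
    return 0;
}
```

Run from a binary that carries file capabilities, the last branch is the case where the ID-only check would report the environment as safe while the kernel does not.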

