
Bug#4190: serious security hole in libc (resolver)



On Thu, 29 Aug 1996, Marek Michalkiewicz wrote:
> David Engel wrote:
> > About the best I can do, without further guidance, is make libc not
> > echo the problem lines to stderr.  Is that acceptable?
> 
> I'm not sure.  Someone could still read special files as root
> (they would not see the contents, but merely reading them might
> sometimes cause troubles too, if reading changes the state of
> the device - as is the case with tapes, for example).
> 
> My suggestion (not tested, but it is rather simple) - replace
> all occurrences of getenv() in the resolver with safe_getenv(),
> implemented like this:
> ...

OK.  Seeing that GNU libc, aka Linux libc 6.x, does not support the
environment variables, does anyone object to me just removing them
altogether?

David
---
David Engel                        Optical Data Systems, Inc.
david@ods.com                      1101 E. Arapaho Road
(214) 234-6400                     Richardson, TX  75081
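
Added example, not part of the original thread and not Marek's elided code: one way a safe_getenv() wrapper of the kind suggested above could work, assuming it ignores the environment whenever the real and effective IDs differ (a setuid or setgid process). The helper names other than safe_getenv() are hypothetical, and PATH is only a stand-in variable for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the process runs with more privilege than its invoker,
 * i.e. the real and effective user or group IDs differ. */
static int ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Hypothetical helper: the lookup with the IDs passed in explicitly,
 * so the policy can be exercised without a setuid binary. */
static char *safe_getenv_ids(const char *name, uid_t ruid, uid_t euid,
                             gid_t rgid, gid_t egid)
{
    if (name == NULL || ids_are_elevated(ruid, euid, rgid, egid))
        return NULL;            /* treat the variable as unset */
    return getenv(name);
}

/* Drop-in replacement for getenv() in privileged library code: the
 * invoker controls the environment, so it is not trusted when elevated. */
char *safe_getenv(const char *name)
{
    return safe_getenv_ids(name, getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    const char *var = "PATH";   /* stand-in variable name for the demo */
    char *plain = safe_getenv(var);
    /* Simulate a setuid-root binary run by uid 1000 (constructed IDs). */
    char *elevated = safe_getenv_ids(var, 1000, 0, 100, 100);

    printf("as invoked:   %s\n", plain ? plain : "(ignored or unset)");
    printf("setuid case:  %s\n", elevated ? elevated : "(ignored or unset)");
    return 0;
}
```

An ID comparison does not cover a process that has already set its real IDs to the privileged ones before the lookup. Current glibc provides secure_getenv() for the same purpose.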


