Bug#4190: serious security hole in libc (resolver)
On Thu, 29 Aug 1996, Marek Michalkiewicz wrote:
> David Engel wrote:
> > About the best I can do, without further guidance, is make libc not
> > echo the problem lines to stderr. Is that acceptable?
>
> I'm not sure. Someone could still read special files as root
> (they would not see the contents, but merely reading them might
> sometimes cause troubles too, if reading changes the state of
> the device - as is the case with tapes, for example).
>
> My suggestion (not tested, but it is rather simple) - replace
> all occurrences of getenv() in the resolver with safe_getenv(),
> implemented like this:
> ...
OK. Seeing that GNU libc, aka Linux libc 6.x, does not support the
environment variables, does anyone object to me just removing them
altogether?
David
---
David Engel Optical Data Systems, Inc.
david@ods.com 1101 E. Arapaho Road
(214) 234-6400 Richardson, TX 75081
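The getenv() wrapper suggested in the quoted message is elided there ("..."). The block below is an added example of one way such a wrapper can work, not the code from the message and not libc's own: it ignores the environment whenever the real and effective IDs differ. `ids_differ`, `safe_getenv_ids` and the variable name `EXAMPLE_RESOLVER_CONF` are hypothetical names chosen for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective IDs differ, i.e. the process runs set-uid
 * or set-gid and its environment was supplied by a less-privileged caller. */
static int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Core check with the IDs passed in, so both branches can be exercised
 * without installing a set-uid binary. */
static const char *safe_getenv_ids(const char *name, uid_t ruid, uid_t euid,
                                   gid_t rgid, gid_t egid)
{
    if (name == NULL || ids_differ(ruid, euid, rgid, egid))
        return NULL;              /* behave as if the variable were unset */
    return getenv(name);
}

/* Replacement for getenv() at call sites that must not trust the caller. */
static const char *safe_getenv(const char *name)
{
    return safe_getenv_ids(name, getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Constructed variable name and value, for illustration only. */
    setenv("EXAMPLE_RESOLVER_CONF", "/tmp/example.conf", 1);

    const char *v = safe_getenv("EXAMPLE_RESOLVER_CONF");
    printf("this process:           %s\n", v ? v : "(ignored)");

    /* Simulate uid 1000 running a set-uid root binary. */
    v = safe_getenv_ids("EXAMPLE_RESOLVER_CONF", 1000, 0, 100, 100);
    printf("simulated set-uid root: %s\n", v ? v : "(ignored)");
    return 0;
}
```

An ID comparison like this does not see privilege gained by other means, such as file capabilities. Current glibc provides `secure_getenv()`, which returns NULL whenever the process was started in secure-execution mode.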