
Re: 'export RESOLV_HOST_CONF= any file you want' local vulnerability



On Tue, Jan 09, 2001 at 09:29:46AM -0500, Ben Collins wrote:
> Potato is not vulnerable. This is a woody/sid only bug (i.e. glibc
> 2.1.9x and greater, such as the 2.2 in woody/sid). The bug is not that
> it prints this info, but that it uses the env variable even when
> suid/sgid. This wasn't supposed to happen, and the actual fix was a
> missing comma in the list of secure env vars that were supposed to be
> cleared when a program starts up suid/sgid (including RESOLV_HOST_CONF).

What is the purpose of $RESOLV_HOST_CONF anyway, i.e. what problem
is it intended to solve?


Hamish
-- 
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
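
The kind of slip described in the quoted explanation, shown as an added C example (not part of the original message and not glibc's source): without the comma, the compiler joins two adjacent string literals into one name, so the scrub list never matches RESOLV_HOST_CONF. The list contents other than RESOLV_HOST_CONF, the function names and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative lists only; names other than RESOLV_HOST_CONF are assumptions. */
static const char *const buggy_list[] = {
    "LD_PRELOAD",
    "RESOLV_HOST_CONF"  /* missing comma: literal merges with the next one */
    "RES_OPTIONS",
};
static const char *const fixed_list[] = {
    "LD_PRELOAD",
    "RESOLV_HOST_CONF",
    "RES_OPTIONS",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* 1 if the "NAME=value" entry names a variable in the list. */
static int listed(const char *entry, const char *const *list, size_t n) {
    size_t len = strcspn(entry, "=");
    for (size_t i = 0; i < n; i++)
        if (strlen(list[i]) == len && strncmp(entry, list[i], len) == 0)
            return 1;
    return 0;
}

/* Scrub a constructed environment with the list; 1 if RESOLV_HOST_CONF survives. */
int leaks(const char *const *list, size_t n) {
    const char *env[] = { "LD_PRELOAD=/constructed/lib.so",
                          "RESOLV_HOST_CONF=/constructed/file",
                          "RES_OPTIONS=debug", "HOME=/home/user", NULL };
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++)
        if (!listed(env[i], list, n))
            env[kept++] = env[i];
    env[kept] = NULL;
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "RESOLV_HOST_CONF=", 17) == 0)
            return 1;
    return 0;
}

int buggy_leaks(void) { return leaks(buggy_list, COUNT(buggy_list)); }
int fixed_leaks(void) { return leaks(fixed_list, COUNT(fixed_list)); }
size_t buggy_entries(void) { return COUNT(buggy_list); }

int main(void) {
    printf("buggy: %zu entries, kept=%d\n", buggy_entries(), buggy_leaks());
    printf("fixed: kept=%d\n", fixed_leaks());
    return 0;
}
```

The buggy list compiles without error and simply has one entry fewer than intended, which is why a check on the element count or a test that scrubs each expected name catches it.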


