FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Dmitry Pryanishnikov
lynx.ripe at gmail.com
Thu Dec 3 19:13:43 UTC 2009
> Just in case there is some other way of exploiting the fact that rtld.c didn't
> check whether unsetenv was successful (which I bet people are now looking for)
> I'd apply the patch to 6.3 and 6.4 also, just to be sure.
Well, they can search as long as they wish - _but_ there's just nothing to
search:
    void
    unsetenv(name)
            const char *name;
    {
            extern char **environ;
            char **p;
            int offset;

            while (__findenv(name, &offset))        /* if set multiple times */
                    for (p = &environ[offset];; ++p)
                            if (!(*p = *(p + 1)))
                                    break;
    }
So unsetenv in 6.* just won't return until __findenv(name) returns NULL - but
then __findenv() will return NULL next time in getenv(name). So we had a robust,
consistent implementation in 6.* and before; now we haven't ;(
Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
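The loop-until-gone behaviour described in the message above, as an added example that is not part of the original post or of FreeBSD's source: the same loop shape run over a private array instead of the real environ, showing that a duplicated variable is fully removed and that a later lookup then fails. The names find_entry, remove_all, count_entries, scrub_and_check and the sample entries are assumptions made for illustration.

```c
#include <string.h>

/* Constructed sample environment (assumption): EXAMPLE_VAR is set twice. */
static char *sample_env[] = {
    "PATH=/bin", "EXAMPLE_VAR=first", "HOME=/root",
    "EXAMPLE_VAR=second", NULL
};

/* Hypothetical stand-in for __findenv(): returns the value of the first
 * "name=value" entry in env and stores its index in *offset, else NULL. */
static char *find_entry(char **env, const char *name, int *offset)
{
    size_t len = strlen(name);
    for (int i = 0; env[i] != NULL; i++) {
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') {
            *offset = i;
            return env[i] + len + 1;
        }
    }
    return NULL;
}

/* Same loop shape as the quoted unsetenv(): delete until the lookup fails. */
static void remove_all(char **env, const char *name)
{
    int offset;
    char **p;
    while (find_entry(env, name, &offset))      /* if set multiple times */
        for (p = &env[offset];; ++p)            /* shift the tail down by one */
            if (!(*p = *(p + 1)))
                break;
}

static int count_entries(char **env)
{
    int n = 0;
    while (env[n] != NULL) n++;
    return n;
}

/* Returns 1 if name is gone after remove_all(), 0 if a copy survived. */
static int scrub_and_check(const char *name)
{
    int offset;
    remove_all(sample_env, name);
    return find_entry(sample_env, name, &offset) == NULL;
}

int main(void) { return scrub_and_check("EXAMPLE_VAR") ? 0 : 1; }
```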