FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
Dmitry Pryanishnikov
lynx.ripe at gmail.com
Fri Dec 4 22:30:51 UTC 2009
Hello!
> So it would be possible to set an
> environment
> variable which in this case is not UNSETABLE or SETABLE (unsetenv and
> putenv/setenv
> respectively), in my eyes this is a bad behaviour of the enviroment handling
> routines
> introduced recently in FreeBSD.
Yes, this is a very dangerous situation when environmental variable can't
be unset yet can be read. I would only understand that if we supported
readonly variables. But officially we haven't them, yet virtually they can
exist due to the corrupted environment ;(
Generally speaking, IMHO, having destroying function that can fail is the
thing which should be avoided if possible. Imagine free() which could fail...
Sounds really weird, but current unsetenv() behaviour resembles that.
Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
More information about the freebsd-security
mailing list