svn commit: r199983 - in head: lib/libc/stdlib tools/regression/environ
Sean C. Farley
scf at FreeBSD.org
Tue Dec 1 16:25:17 UTC 2009
On Tue, 1 Dec 2009, Robert Watson wrote:
> On Mon, 30 Nov 2009, Colin Percival wrote:
*snip*
>> We've already had two major security issues arising out of getenv.c
>> in the past year, and I'd like to make sure we don't have a third.
>
> I think it's fair to say that the POSIXization of the environment code
> has been an unmitigated disaster, and speaks to the necessity for
> careful review of those sorts of code changes.

As the author of the environment code, I agree that it has been a
painful process.

Interestingly, the security issue was a combination of r169661 to
rtld.c, which is a correct action, and the new environ code which was
developed, as opposed to committed, at the same time. Separately, the
security issue would not have existed.

Sean
--
scf at FreeBSD.org