Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
On 12/03/2009 08:15 PM, Andrew Thompson wrote:
> On Thu, Dec 03, 2009 at 08:06:40PM +0100, Timo Schoeler wrote:
>> On 12/03/2009 08:01 PM, Pieter de Boer wrote:
>>> Jamie Landeg Jones wrote:
>>>>
>>>> However, I'd still apply the patch in case some other way to exploit
>>>> the non-checking of the unsetenv return status crops up elsewhere.
>>>>
>>>> It can't do any harm.
>>>
>>> The problem with that is, on 6.x, unsetenv() returns 'void', so there's
>>> no return value to check on.
>>>
>>> On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other
>>> versions), the unsetenv() uses __findenv() in a while loop to remove the
>>> given setting. The getenv() function also uses __findenv() to find the
>>> given environment setting. The issue described in the advisory simply
>>> doesn't exist in 6(.4-RELEASE-p7).
>>
>> patch doesn't complain on the diff, but compiling gives me the following
>> error on 6.4-STABLE (i386):
>
> To quote the advisory
>
> "Affects: FreeBSD 7.0 and later."
i) there was not a big discussion on this list
ii) humans are impeccable
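As an added illustration (not code from this thread, the advisory, or FreeBSD's rtld), the snippet below shows what "checking the unsetenv return status" looks like in practice for a program that must scrub its environment before trusting it: every unsetenv() result is acted on, and the removal is independently confirmed with getenv(), the same lookup path the thread describes. On 6.x, where unsetenv() returns void, the return-value branch would not even compile; the getenv() confirmation still works there. The names scrub_names, scrub_env, demo_scrub, bad_names and the EXAMPLE_* variables are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>

/* Variables a privileged program wants gone before it trusts its environment.
 * Constructed list for the example; a loader would use its own LD_* names. */
static const char *const scrub_names[] = {
    "EXAMPLE_UNTRUSTED_A",
    "EXAMPLE_UNTRUSTED_B",
    NULL
};

/* A name that unsetenv() must reject: POSIX requires EINVAL for an empty
 * name or one containing '='. Constructed to show why the status matters. */
static const char *const bad_names[] = { "BAD=NAME", NULL };

/* Remove each variable in `names`. A non-zero unsetenv() return, or a
 * variable that getenv() can still see afterwards, both count as failure.
 * Returns the number of variables that could not be removed (0 on success). */
int scrub_env(const char *const *names)
{
    int failures = 0;

    for (; *names != NULL; names++) {
        /* This is the check the thread discusses: do not assume removal
         * succeeded just because the call returned. */
        if (unsetenv(*names) != 0) {
            failures++;
            continue;
        }
        /* Confirm via the lookup path rather than trusting the status alone. */
        if (getenv(*names) != NULL)
            failures++;
    }
    return failures;
}

/* Populate constructed values, scrub them, and report the failure count. */
int demo_scrub(void)
{
    setenv("EXAMPLE_UNTRUSTED_A", "constructed-value-a", 1);
    setenv("EXAMPLE_UNTRUSTED_B", "constructed-value-b", 1);
    return scrub_env(scrub_names);
}

/* Returns 1 if EXAMPLE_UNTRUSTED_A is no longer visible, 0 otherwise. */
int example_a_is_gone(void)
{
    return getenv("EXAMPLE_UNTRUSTED_A") == NULL;
}

int main(void)
{
    int rc = demo_scrub();
    printf("scrub of constructed names: %d failure(s)\n", rc);
    printf("scrub of invalid name: %d failure(s)\n", scrub_env(bad_names));
    return rc == 0 ? 0 : 1;
}
```

The invalid-name case is the point: a caller that ignores the status would believe "BAD=NAME" had been removed, while one that checks it learns the call did nothing. A privileged program that cannot confirm the scrub should treat that as a hard error rather than continue.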
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"