[11947] in bugtraq
Re: A few bugs...
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Tue Sep 21 13:08:33 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990920111441.A11022@monad.swb.de>
Date: Mon, 20 Sep 1999 11:14:41 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: Tymm Twillman <tymm@COE.MISSOURI.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.SGI.4.05.9909171301070.1395986-100000@tiger.coe.missouri.edu>; from Tymm Twillman on Fri, Sep 17,
1999 at 02:23:48PM -0500
On Fri, Sep 17, 1999 at 02:23:48PM -0500, Tymm Twillman wrote:
> - Glibc 2.1.1:
>
> o unsetenv() off-by-one error:
> The unsetenv function in glibc 2.1.1 suffers from a problem whereby
> when running through the environment variables, if the name of the
> variable being unset is present twice consecutively, the second is
> not destroyed.
>
> unsetenv is sometimes used by programs that depend on it clearing out
> variables for protection against evil environment variables.
In particular, by ld.so. While this hole doesn't affect setuid programs
themselves, it means that programs run by the setuid application can be
fooled into using the LD_* variables.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
