Bug 1032684

Summary: Use secure_getenv() in proxymech.so
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: gssproxyAssignee: Guenther Deschner <gdeschner>
Status: CLOSED CURRENTRELEASE QA Contact: JianHong Yin <jiyin>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: eguan, fweimer, gdeschner, qcai, ssorce
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gssproxy-0.3.0-4.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-16 08:18:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1032680    

Description Dmitri Pal 2013-11-20 15:09:41 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/110

It would be safer to avoid reading environment variables if proxymech.so is ever used in a setuid program.

Change the code to use secure_getenv() to accomplish that.
Comment 1 Guenther Deschner 2013-11-27 17:38:02 UTC 
Fix pushed, package built.
Comment 3 JianHong Yin 2013-12-19 02:40:59 UTC 
review the code, and SanityOnly

[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r  ../../SOURCES/
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Subject: [PATCH 3/3] Use secure_getenv in client and mechglue module
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:practices and use secure_getenv() if available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Fallback to poorman emulation when secure_getenv() is not available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+AC_CHECK_FUNCS([__secure_getenv secure_getenv])
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return __secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+#warning secure_getenv not available, falling back to poorman emulation
[root@dhcp12-241 gssproxy-0.3.0]# vim ../../SOURCES/gssproxy-0.3.1-secure_getenv.patch
[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r .
./configure.ac:AC_CHECK_FUNCS([__secure_getenv secure_getenv])
./src/gp_util.c.strerror_r:    return secure_getenv(name);
./src/gp_util.c.strerror_r:    return __secure_getenv(name);
./src/gp_util.c.strerror_r:#warning secure_getenv not available, falling back to poorman emulation
./src/gp_util.c:    return secure_getenv(name);
./src/gp_util.c:    return __secure_getenv(name);
./src/gp_util.c:#warning secure_getenv not available, falling back to poorman emulation

https://beaker.engineering.redhat.com/jobs/563445
https://beaker.engineering.redhat.com/jobs/563446
Comment 4 Ludek Smid 2014-06-16 08:18:55 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.