Bug 1344591

Summary: gnutls as a library shouldn't use getenv() to obtain any environment variable
Product: Red Hat Enterprise Linux 7 Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA QA Contact: Stanislav Zidek <szidek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: szidek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.3.23-4.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 00:58:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nikos Mavrogiannopoulos 2016-06-10 06:50:48 UTC 
Description of problem:
 Currently gnutls uses getenv() to obtain some environment variables. These variables seem harmless (c.f. the fedora bug [0]), but there is not clear threat model for an attack on a set-uid binary, and any deviation from standard execution could be significant for an attack. For that, it may be better to be on the safe side rather than being sorry. For that secure_getenv() should be used in all instances where getenv() is being called.

I've included this change already in upstream code:
https://gitlab.com/gnutls/gnutls/commit/b0a3048e56611a2deee4976aeba3b8c0740655a6

[0]. https://bugzilla.redhat.com/show_bug.cgi?id=1343505
Comment 8 errata-xmlrpc 2016-11-04 00:58:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2218.html