Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 41290

Summary: at crashes when invoked with invalid environment variables
Product: [Retired] Red Hat Linux Reporter: Need Real Name <wp>
Component: atAssignee: Crutcher Dunnavant <crutcher>
Status: CLOSED RAWHIDE QA Contact: Aaron Brown <abrown>
Severity: low Docs Contact:
Priority: low    
Version: 7.1   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://cliph.linux.pl/at-3.1.8-nullenv.patch
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-05-18 11:00:42 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Simple fix. none

Description Need Real Name 2001-05-18 10:54:46 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19 i686)

Description of problem:
If you execute at with invalid environment array it crashes with SIGSEGV.
The problem occur only if environment array contains string without ,,=''
character (without value to the variable.

How reproducible:
Always

Steps to Reproduce:
1. Compile following program: 
int main() 
{
	char * envp[]={ "blah", NULL };
	execle("/usr/bin/at", "at", "now", NULL, envp); 
}
2. Execute it and look how /usr/bin/at crashes.


Actual Results:  at receives SIGSEGV and crashes because of improper
pointer setting


Expected Results:  It should not crash ;)

Additional info:

Tested on at-3.1.8-12 and at-3.1.8-16 (from rawhide) on RH 7.0.
Patch available at: http://cliph.linux.pl/at-3.1.8-nullenv.patch
It doesn't seem to be exploitable.
Comment 1 Need Real Name 2001-05-18 11:00:38 EDT
Created attachment 18930 [details]
Simple fix.
Comment 2 Crutcher Dunnavant 2001-06-25 21:44:55 EDT
ok