Bug 1032684 - Use secure_getenv() in proxymech.so
Summary: Use secure_getenv() in proxymech.so
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gssproxy
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Guenther Deschner
QA Contact: JianHong Yin
URL:
Whiteboard:
Depends On:
Blocks: 1032680
Reported: 2013-11-20 15:09 UTC by Dmitri Pal
Modified: 2014-06-18 05:23 UTC

Fixed In Version: gssproxy-0.3.0-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-16 08:18:55 UTC
Target Upstream Version:

Description Dmitri Pal 2013-11-20 15:09:41 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/110

It would be safer to avoid reading environment variables if proxymech.so is ever used in a setuid program.

Change the code to use secure_getenv() to accomplish that.

Comment 1 Guenther Deschner 2013-11-27 17:38:02 UTC
Fix pushed, package built.

Comment 3 JianHong Yin 2013-12-19 02:40:59 UTC
Reviewed the code, and SanityOnly

[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r  ../../SOURCES/
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Subject: [PATCH 3/3] Use secure_getenv in client and mechglue module
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:practices and use secure_getenv() if available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Fallback to poorman emulation when secure_getenv() is not available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+AC_CHECK_FUNCS([__secure_getenv secure_getenv])
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return __secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+#warning secure_getenv not available, falling back to poorman emulation
[root@dhcp12-241 gssproxy-0.3.0]# vim ../../SOURCES/gssproxy-0.3.1-secure_getenv.patch
[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r .
./configure.ac:AC_CHECK_FUNCS([__secure_getenv secure_getenv])
./src/gp_util.c.strerror_r:    return secure_getenv(name);
./src/gp_util.c.strerror_r:    return __secure_getenv(name);
./src/gp_util.c.strerror_r:#warning secure_getenv not available, falling back to poorman emulation
./src/gp_util.c:    return secure_getenv(name);
./src/gp_util.c:    return __secure_getenv(name);
./src/gp_util.c:#warning secure_getenv not available, falling back to poorman emulation

https://beaker.engineering.redhat.com/jobs/563445
https://beaker.engineering.redhat.com/jobs/563446
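
Added example, not part of the bug report and not the gssproxy code: the fallback pattern that the grep output in Comment 3 points to, written out in C. The names example_getenv, getenv_for_ids, ids_elevated and EXAMPLE_SOCKET are hypothetical, the real/effective ID comparison is an assumed form of the "poorman emulation", and the HAVE_* macros are the ones AC_CHECK_FUNCS would define.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes secure_getenv() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Fallback check: the process runs with elevated IDs when the real and
 * effective IDs differ. This is weaker than glibc's secure-execution test
 * (AT_SECURE), which also covers file capabilities and LSM transitions. */
static int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* IDs are parameters so the decision can be exercised without a setuid binary. */
static char *getenv_for_ids(const char *name, uid_t ruid, uid_t euid,
                            gid_t rgid, gid_t egid)
{
    if (ids_elevated(ruid, euid, rgid, egid))
        return NULL;           /* treat every variable as unset */
    return getenv(name);
}

/* example_getenv() is a hypothetical name, not the gssproxy function. */
char *example_getenv(const char *name)
{
#if defined(HAVE_SECURE_GETENV)
    return secure_getenv(name);
#elif defined(HAVE___SECURE_GETENV)
    return __secure_getenv(name);
#else
    return getenv_for_ids(name, getuid(), geteuid(), getgid(), getegid());
#endif
}

int main(void)
{
    /* EXAMPLE_SOCKET is a constructed variable name. */
    const char *v = example_getenv("EXAMPLE_SOCKET");
    printf("EXAMPLE_SOCKET=%s\n", v ? v : "(unset or ignored)");
    return 0;
}
```

Callers must treat a NULL return as "use the built-in default", since in a setuid context the variable is ignored even when it is set.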

Comment 4 Ludek Smid 2014-06-16 08:18:55 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
