Bug 1032684 - Use secure_getenv() in proxymech.so
Use secure_getenv() in proxymech.so
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gssproxy (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Guenther Deschner
Yin.JianHong
:
Depends On:
Blocks: 1032680
  Show dependency treegraph
 
Reported: 2013-11-20 10:09 EST by Dmitri Pal
Modified: 2014-06-18 01:23 EDT (History)
5 users (show)

See Also:
Fixed In Version: gssproxy-0.3.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-16 04:18:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2013-11-20 10:09:41 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/110

It would be safer to avoid reading environment variables if proxymech.so is ever used in a setuid program.

Change the code to use secure_getenv() to accomplish that.
Comment 1 Guenther Deschner 2013-11-27 12:38:02 EST
Fix pushed, package built.
Comment 3 Yin.JianHong 2013-12-18 21:40:59 EST
review the code, and SanityOnly

[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r  ../../SOURCES/
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Subject: [PATCH 3/3] Use secure_getenv in client and mechglue module
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:practices and use secure_getenv() if available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:Fallback to poorman emulation when secure_getenv() is not available.
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+AC_CHECK_FUNCS([__secure_getenv secure_getenv])
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+    return __secure_getenv(name);
../../SOURCES/gssproxy-0.3.1-secure_getenv.patch:+#warning secure_getenv not available, falling back to poorman emulation
[root@dhcp12-241 gssproxy-0.3.0]# vim ../../SOURCES/gssproxy-0.3.1-secure_getenv.patch
[root@dhcp12-241 gssproxy-0.3.0]# grep secure_getenv -r .
./configure.ac:AC_CHECK_FUNCS([__secure_getenv secure_getenv])
./src/gp_util.c.strerror_r:    return secure_getenv(name);
./src/gp_util.c.strerror_r:    return __secure_getenv(name);
./src/gp_util.c.strerror_r:#warning secure_getenv not available, falling back to poorman emulation
./src/gp_util.c:    return secure_getenv(name);
./src/gp_util.c:    return __secure_getenv(name);
./src/gp_util.c:#warning secure_getenv not available, falling back to poorman emulation

https://beaker.engineering.redhat.com/jobs/563445
https://beaker.engineering.redhat.com/jobs/563446
Comment 4 Ludek Smid 2014-06-16 04:18:55 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.