From: Pieter de Boer
Date: Thu, 03 Dec 2009 20:01:23 +0100
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

Jamie Landeg Jones wrote:
>
> However, I'd still apply the patch in case some other way to exploit
> the non-checking of the unsetenv return status crops up elsewhere.
>
> It can't do any harm.

The problem with that is, on 6.x, unsetenv() returns 'void', so there's
no return value to check on.

On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other
versions), unsetenv() uses __findenv() in a while loop to remove the
given setting. The getenv() function also uses __findenv() to find the
given environment setting. The issue described in the advisory simply
doesn't exist in 6(.4-RELEASE-p7).

-- 
Pieter
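An added example, not part of the original message and not the FreeBSD patch: a scrub routine that checks the unsetenv() return status and also confirms the result through getenv(), so removal and lookup are verified against each other. It assumes the POSIX `int unsetenv()` (not the 6.x `void` form); the variable list, function names and sample environment are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical list for this example, not rtld's actual list. */
static const char *const unsafe_vars[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };

/* Remove name until getenv() no longer finds it.
 * Returns 0 on success, -1 if unsetenv() reports failure or the
 * variable is still visible after a bounded number of attempts. */
static int scrub_one(const char *name)
{
    for (int tries = 0; getenv(name) != NULL; tries++) {
        if (unsetenv(name) != 0 || tries > 64)
            return -1;          /* fail closed: caller must not continue */
    }
    return 0;
}

/* Scrub every listed variable; any single failure fails the whole call. */
int scrub_env(void)
{
    for (size_t i = 0; unsafe_vars[i] != NULL; i++)
        if (scrub_one(unsafe_vars[i]) != 0)
            return -1;
    return 0;
}

/* Constructed sample environment with a duplicated entry, so a
 * single-removal implementation would leave one copy behind. */
static char e0[] = "PATH=/bin";
static char e1[] = "LD_PRELOAD=/tmp/a.so";
static char e2[] = "HOME=/root";
static char e3[] = "LD_PRELOAD=/tmp/b.so";
static char *sample_env[] = { e0, e1, e2, e3, NULL };

/* Returns 0 when the scrub succeeded and unrelated entries survived. */
int demo(void)
{
    environ = sample_env;
    if (scrub_env() != 0)
        return -1;
    return (getenv("LD_PRELOAD") == NULL && getenv("HOME") != NULL) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```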