From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:06:45 2009
Delivered-To: freebsd-security@freebsd.org
Message-ID: <4B180C40.3040001@riscworks.net>
Date: Thu, 03 Dec 2009 20:06:40 +0100
From: Timo Schoeler
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Thunderbird/3.0b4
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <200912030930.nB39UhW9038238@freefall.freebsd.org> <4B179B90.10307@netfence.it> <8ABB1EE2-4521-40EC-9E85-4A0E771D6B7F@mac.com> <200912031837.nB3IbEKB036114@catflap.bishopston.net> <4B180B03.1040405@thedarkside.nl>
In-Reply-To: <4B180B03.1040405@thedarkside.nl>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
List-Id: "Security issues [members-only posting]"
On 12/03/2009 08:01 PM, Pieter de Boer wrote:
> Jamie Landeg Jones wrote:
>>
>> However, I'd still apply the patch in case some other way to exploit
>> the non-checking of the unsetenv return status crops up elsewhere.
>>
>> It can't do any harm.
>
> The problem with that is, on 6.x, unsetenv() returns 'void', so there's
> no return value to check on.
>
> On 6.x (I've looked at 6.4-RELEASE-p7, it may be different in other
> versions), unsetenv() uses __findenv() in a while loop to remove the
> given setting. The getenv() function also uses __findenv() to find the
> given environment setting. The issue described in the advisory simply
> doesn't exist in 6(.4-RELEASE-p7).

patch doesn't complain about the diff, but compiling gives me the
following error on 6.4-STABLE (i386):

# make depend
rm -f .depend
mkdep -f .depend -a -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -DPIC /usr/src/libexec/rtld-elf/i386/rtld_start.S /usr/src/libexec/rtld-elf/i386/reloc.c /usr/src/libexec/rtld-elf/rtld.c /usr/src/libexec/rtld-elf/rtld_lock.c /usr/src/libexec/rtld-elf/map_object.c /usr/src/libexec/rtld-elf/malloc.c /usr/src/libexec/rtld-elf/xmalloc.c /usr/src/libexec/rtld-elf/debug.c /usr/src/libexec/rtld-elf/libmap.c
echo ld-elf.so.1: /usr/lib/libc_pic.a >> .depend
test# make
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/i386/rtld_start.S
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/i386/reloc.c
cc -O2 -fno-strict-aliasing -pipe -Wall -DFREEBSD_ELF -DIN_RTLD -I/usr/src/libexec/rtld-elf/i386 -I/usr/src/libexec/rtld-elf -elf -fpic -DPIC -std=gnu99 -Wformat=2 -Wno-format-extra-args -Werror -c /usr/src/libexec/rtld-elf/rtld.c
/usr/src/libexec/rtld-elf/rtld.c: In function `_rtld':
/usr/src/libexec/rtld-elf/rtld.c:352: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:352: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:353: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:353: error: void value not ignored as it ought to be
/usr/src/libexec/rtld-elf/rtld.c:354: error: void value not ignored as it ought to be
*** Error code 1

Stop in /usr/src/libexec/rtld-elf.
#

Best,
Timo
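The build failure above is exactly the mismatch Pieter describes: the advisory's patch tests the int that unsetenv() returns on newer branches, and on 6.x there is nothing to test. The following is an added example, written for this thread rather than taken from the advisory, the patch or rtld itself, of how a privileged program can make the "did the variable really go away" check independent of the libc's unsetenv() signature: call unsetenv(), ignore whatever it returns, and confirm removal with getenv(), which on 6.x walks the same __findenv() path. scrub_env() and demo_scrub() are hypothetical names, the environment entries are constructed for the demo, and LD_PRELOAD is used only as a representative loader variable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical hardening wrapper (not rtld's code): remove every copy of
 * `name` from the environment and prove removal with getenv(), so the
 * check compiles and works whether unsetenv() returns int (7.x and later)
 * or void (6.x, where the advisory's patch fails to build).
 * Returns 0 when the variable is gone, -1 when it could not be removed. */
static int scrub_env(const char *name)
{
    /* Bounded loop: a libc that drops all copies in one call (as the thread
     * says 6.x does) exits on the first pass; one that drops only the first
     * copy still converges; a libc that refuses to remove it makes us fail
     * closed instead of silently running with the variable still set. */
    for (int attempt = 0; attempt < 64; attempt++) {
        if (getenv(name) == NULL)
            return 0;
        (void)unsetenv(name);   /* return type varies by branch; do not rely on it */
    }
    return -1;
}

/* Constructed environment for the demo: two copies of LD_PRELOAD around a
 * variable that must survive. Returns 0 on success, a negative code on the
 * specific failure (constructed demo, not a real setuid program). */
static int demo_scrub(void)
{
    static char e0[] = "LD_PRELOAD=/tmp/demo-a.so";      /* constructed */
    static char e1[] = "PATH=/bin:/usr/bin";             /* constructed */
    static char e2[] = "LD_PRELOAD=/tmp/demo-b.so";      /* constructed */
    static char *env[] = { e0, e1, e2, NULL };

    environ = env;   /* point libc at the constructed environment */

    if (scrub_env("LD_PRELOAD") != 0)
        return -1;   /* removal could not be confirmed */
    if (getenv("LD_PRELOAD") != NULL)
        return -2;   /* a copy survived */
    if (getenv("PATH") == NULL || strcmp(getenv("PATH"), "/bin:/usr/bin") != 0)
        return -3;   /* unrelated variable was damaged */
    return 0;
}

int main(void)
{
    int rc = demo_scrub();
    printf("demo_scrub: %s (%d)\n", rc == 0 ? "clean" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

In a setuid context the caller should treat a non-zero result from scrub_env() as fatal: the point of the advisory's patch is that unsetenv() can fail, and a loader that keeps going with LD_PRELOAD or LD_LIBRARY_PATH still present in a privileged process is the condition to avoid.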