From owner-freebsd-security@FreeBSD.ORG Thu Dec 3 19:13:43 2009
Message-ID: <4B180DE3.9010304@gmail.com>
Date: Thu, 03 Dec 2009 21:13:39 +0200
From: Dmitry Pryanishnikov
To: Jamie Landeg Jones
Cc: freebsd-security@freebsd.org, timo.schoeler@riscworks.net
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:16.rtld

> Just in case there is some other way of exploiting the fact that rtld.c didn't
> check whether unsetenv was successful (which I bet people are now looking for)
> I'd apply the patch to 6.3 and 6.4 also, just to be sure.

Well, they can search as long as they wish - _but_ there's just nothing to search:

    void
    unsetenv(name)
            const char *name;
    {
            extern char **environ;
            char **p;
            int offset;

            while (__findenv(name, &offset))        /* if set multiple times */
                    for (p = &environ[offset];; ++p)
                            if (!(*p = *(p + 1)))
                                    break;
    }

So unsetenv in 6.* just won't return until __findenv(name) returns NULL - but
then __findenv() will return NULL next time in getenv(name). So we had a robust,
consistent implementation in 6.* and before; now we haven't ;(

Sincerely, Dmitry
--
nic-hdl: LYNX-RIPE
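The 6.x unsetenv() loop quoted in the message, run stand-alone as an added example (editor's code, not part of the original mail and not FreeBSD's libc). The page's point is that this loop keeps removing entries until the lookup fails, so a later getenv() of the same name is guaranteed to find nothing, and that a caller such as rtld should not assume removal succeeded. The example applies the quoted algorithm to a constructed array holding the same name twice and checks that nothing is left, then shows a hypothetical defensive wrapper that checks the real unsetenv(3) return value and re-verifies with getenv(). Assumptions: find_env() is a constructed stand-in for libc's __findenv() (same name/offset contract, private array instead of environ); the EXAMPLE_VAR/OTHER entries and the unsetenv_checked() helper are constructed for illustration and appear nowhere in the advisory or the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * find_env(): constructed stand-in for libc's __findenv(). Scans a
 * NULL-terminated "NAME=value" array for NAME and reports its index in
 * *offset. It exists only so the quoted algorithm can run on a private array.
 */
static char *find_env(char **env, const char *name, int *offset)
{
    size_t len = strlen(name);

    for (int i = 0; env[i] != NULL; i++) {
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') {
            *offset = i;
            return env[i] + len + 1;
        }
    }
    return NULL;
}

/*
 * The 6.x algorithm from the mail, applied to an explicit array: keep
 * looking the name up and shifting the tail of the array down over the hit
 * until the lookup fails, so every duplicate goes, not just the first one.
 */
static void unsetenv_6x(char **env, const char *name)
{
    int offset;

    while (find_env(env, name, &offset) != NULL)        /* if set multiple times */
        for (char **p = &env[offset];; ++p)
            if (!(*p = *(p + 1)))
                break;
}

/* Number of entries whose name is exactly NAME. */
static int count_name(char **env, const char *name)
{
    size_t len = strlen(name);
    int n = 0;

    for (int i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            n++;
    return n;
}

/*
 * Constructed scenario: the variable appears twice with an unrelated entry
 * between them. Returns 1 when, after unsetenv_6x(), the lookup that a
 * getenv() would perform fails and the unrelated entry is the only survivor.
 */
int demo_removes_all_duplicates(void)
{
    char e0[] = "EXAMPLE_VAR=first";
    char e1[] = "OTHER=keep";
    char e2[] = "EXAMPLE_VAR=second";
    char *env[] = { e0, e1, e2, NULL };
    int offset;

    if (count_name(env, "EXAMPLE_VAR") != 2)
        return 0;
    unsetenv_6x(env, "EXAMPLE_VAR");
    return find_env(env, "EXAMPLE_VAR", &offset) == NULL
        && count_name(env, "EXAMPLE_VAR") == 0
        && strcmp(env[0], "OTHER=keep") == 0
        && env[1] == NULL;
}

/*
 * Hypothetical defensive wrapper around the real unsetenv(3) on the process
 * environment: a caller must not assume removal succeeded. Check the return
 * value, then re-verify with getenv(), and report failure so the caller can
 * refuse to continue instead of running with the variable still present.
 */
int unsetenv_checked(const char *name)
{
    if (unsetenv(name) != 0)
        return -1;                  /* unsetenv reported failure */
    if (getenv(name) != NULL)
        return -1;                  /* still present: not safe to proceed */
    return 0;
}

int main(void)
{
    printf("duplicates removed: %s\n",
           demo_removes_all_duplicates() ? "yes" : "no");
    setenv("EXAMPLE_CHECK", "x", 1);
    printf("checked unsetenv: %s\n",
           unsetenv_checked("EXAMPLE_CHECK") == 0 ? "ok" : "FAILED");
    return 0;
}
```

Build with any C99 compiler (`cc -Wall -o unsetenv_demo unsetenv_demo.c`). The first function reproduces the property the message relies on: once the 6.x loop returns, a lookup by the same name cannot succeed, whatever the array looked like before. The wrapper shows the other half of the thread's point, that a caller which must see a name gone should check both the return value and the post-condition rather than trust either alone.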