Date: Tue, 1 Dec 2009 10:25:16 -0600 (CST) From: "Sean C. Farley" <scf@FreeBSD.org> To: Robert Watson <rwatson@FreeBSD.org> Cc: svn-src-head@FreeBSD.org, Brian Feldman <green@FreeBSD.org>, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, Colin Percival <cperciva@FreeBSD.org> Subject: Re: svn commit: r199983 - in head: lib/libc/stdlib tools/regression/environ Message-ID: <alpine.BSF.2.00.0912011002210.68765@thor.farley.org> In-Reply-To: <alpine.BSF.2.00.0912011514510.84941@fledge.watson.org> References: <200912010504.nB154VnS053167@svn.freebsd.org> <4B14B32C.3060409@freebsd.org> <alpine.BSF.2.00.0912011514510.84941@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 1 Dec 2009, Robert Watson wrote: > On Mon, 30 Nov 2009, Colin Percival wrote: *snip* >> We've already had two major security issues arising out of getenv.c >> in the past year, and I'd like to make sure we don't have a third. > > I think it's fair to say that the POSIXization of the environment code > has been an unmitigated disaster, and speaks to the necessity for > careful review of those sorts of code changes. As the author of the environment code, I agree that it has been a painful process. Interestingly, the security issue was a combination of r169661 to rtld.c, which is a correct action, and the new environ code which was developed, as opposed to committed, at the same time. Separately, the security issue would not have existed. Sean -- scf@FreeBSD.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.0912011002210.68765>