ports/94170: Port security/chroot_safe unintended environment leak (minor security flaw)
Kenneth Vestergaard Schmidt
kvs at binarysolutions.dk
Tue Mar 7 14:20:29 UTC 2006
>Number: 94170
>Category: ports
>Synopsis: Port security/chroot_safe unintended environment leak (minor security flaw)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 07 14:20:05 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Kenneth Vestergaard Schmidt
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD donkey.binarysolutions.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Fri Feb 3 01:17:43 CET 2006 root at donkey.binarysolutions.dk:/usr/obj/usr/src/sys/X30 i386
>Description:
The putenv(3) library call doesn't unset environment variables on
FreeBSD as it apparently does on Linux. The correct usage is unsetenv(3).
This has the effect that CHROOT_USER, CHROOT_ROOT and LD_PRELOAD are leaked
into the chroot'ed programs environment.
>How-To-Repeat:
Dump the environment after invoking something with chroot_safe.so preloaded.
>Fix:
Apply the following diff to the port's Makefile. It will replace the usage of
putenv(3) with unsetenv(3).
--- Makefile.orig Thu Mar 2 23:42:49 2006
+++ Makefile Thu Mar 2 23:42:10 2006
@@ -25,5 +25,6 @@
-e 's|-o chroot_safe.so|chroot_safe.cpp -o chroot_safe.so|' \
${WRKSRC}/Makefile.in
${REINPLACE_CMD} 's|chroot(1)|chroot(8)|' ${WRKSRC}/chroot_safe.1.in
+ ${REINPLACE_CMD} 's|putenv|unsetenv|' ${WRKSRC}/chroot_safe.cpp
.include <bsd.port.mk>
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list