ports/94170: Port security/chroot_safe unintended environment leak (minor security flaw)

Kenneth Vestergaard Schmidt kvs at binarysolutions.dk
Tue Mar 7 14:20:29 UTC 2006


>Number:         94170
>Category:       ports
>Synopsis:       Port security/chroot_safe unintended environment leak (minor security flaw)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 07 14:20:05 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Kenneth Vestergaard Schmidt
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD donkey.binarysolutions.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #6: Fri Feb 3 01:17:43 CET 2006 root at donkey.binarysolutions.dk:/usr/obj/usr/src/sys/X30 i386

>Description:
        The putenv(3) library call doesn't unset environment variables on
        FreeBSD as it apparently does on Linux. The correct usage is unsetenv(3).
        This has the effect that CHROOT_USER, CHROOT_ROOT and LD_PRELOAD are leaked
        into the chroot'ed programs environment.
>How-To-Repeat:
        Dump the environment after invoking something with chroot_safe.so preloaded.
>Fix:
        Apply the following diff to the port's Makefile. It will replace the usage of
        putenv(3) with unsetenv(3).

--- Makefile.orig       Thu Mar  2 23:42:49 2006
+++ Makefile    Thu Mar  2 23:42:10 2006
@@ -25,5 +25,6 @@
                -e 's|-o chroot_safe.so|chroot_safe.cpp -o chroot_safe.so|' \
                ${WRKSRC}/Makefile.in
        ${REINPLACE_CMD} 's|chroot(1)|chroot(8)|' ${WRKSRC}/chroot_safe.1.in
+       ${REINPLACE_CMD} 's|putenv|unsetenv|' ${WRKSRC}/chroot_safe.cpp
 
 .include <bsd.port.mk>

>Release-Note:
>Audit-Trail:
>Unformatted:



More information about the freebsd-ports-bugs mailing list