| Use secure_getenv instead of getenv for setuid programs |
| |
| (bnc#694598 CVE-2011-2709 bnc#831805) |
| |
| import from: |
| https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch |
| |
| Upstream-Status: Pending |
| |
| Signed-off-by: Jackie Huang <jackie.huang@windriver.com> |
| |
| diff --git a/src/g_initialize.c b/src/g_initialize.c |
| index 200f173..935a9fa 100644 |
| --- a/src/g_initialize.c |
| +++ b/src/g_initialize.c |
| @@ -26,6 +26,7 @@ |
| * This function will initialize the gssapi mechglue library |
| */ |
| |
| +#define _GNU_SOURCE |
| #include "mglueP.h" |
| #include <stdlib.h> |
| |
| @@ -197,8 +198,7 @@ static void solaris_initialize () |
| void *dl; |
| gss_mechanism (*sym)(void), mech; |
| |
| - if ((getuid() != geteuid()) || |
| - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) |
| + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) |
| filename = MECH_CONF; |
| |
| if ((conffile = fopen(filename, "r")) == NULL) { |
| @@ -274,8 +274,7 @@ static void linux_initialize () |
| void *dl; |
| gss_mechanism (*sym)(void), mech; |
| |
| - if ((getuid() != geteuid()) || |
| - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) |
| + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) |
| filename = MECH_CONF; |
| |
| if ((conffile = fopen(filename, "r")) == NULL) { |