| Richard Marian Thomaiyar | 14fddef | 2018-07-13 23:55:56 +0530 | [diff] [blame] | 1 | Use secure_getenv instead of getenv for setuid programs |
| 2 | |
| 3 | (bnc#694598 CVE-2011-2709 bnc#831805) |
| 4 | |
| 5 | import from: |
| 6 | https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch |
| 7 | |
| 8 | Upstream-Status: Pending |
| 9 | |
| 10 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> |
| 11 | |
| 12 | diff --git a/src/g_initialize.c b/src/g_initialize.c |
| 13 | index 200f173..935a9fa 100644 |
| 14 | --- a/src/g_initialize.c |
| 15 | +++ b/src/g_initialize.c |
| 16 | @@ -26,6 +26,7 @@ |
| 17 | * This function will initialize the gssapi mechglue library |
| 18 | */ |
| 19 | |
| 20 | +#define _GNU_SOURCE |
| 21 | #include "mglueP.h" |
| 22 | #include <stdlib.h> |
| 23 | |
| 24 | @@ -197,8 +198,7 @@ static void solaris_initialize () |
| 25 | void *dl; |
| 26 | gss_mechanism (*sym)(void), mech; |
| 27 | |
| 28 | - if ((getuid() != geteuid()) || |
| 29 | - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) |
| 30 | + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) |
| 31 | filename = MECH_CONF; |
| 32 | |
| 33 | if ((conffile = fopen(filename, "r")) == NULL) { |
| 34 | @@ -274,8 +274,7 @@ static void linux_initialize () |
| 35 | void *dl; |
| 36 | gss_mechanism (*sym)(void), mech; |
| 37 | |
| 38 | - if ((getuid() != geteuid()) || |
| 39 | - ((filename = getenv("GSSAPI_MECH_CONF")) == NULL)) |
| 40 | + if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL) |
| 41 | filename = MECH_CONF; |
| 42 | |
| 43 | if ((conffile = fopen(filename, "r")) == NULL) { |