Bug #877: Use secure_getenv (or equivalent) when getting env. vars. involving paths - LTTng-UST - LTTng bugs repository

Actions

Copy link

Bug #877

closed

Use secure_getenv (or equivalent) when getting env. vars. involving paths

Added by Mathieu Desnoyers almost 10 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Mathieu Desnoyers

Target version:

LTTng - 2.5

Start date:

01/23/2015

Due date:

% Done:

Estimated time:

Actions

Copy link

Updated by Mathieu Desnoyers over 9 years ago

Status changed from New to Resolved
Assignee set to Mathieu Desnoyers
Target version changed from 2.7 to 2.5

Fixed in stable-2.5, stable-2.6, master.

Master commit:

commit 13efba44993b2b2679677edb5cf75ef17849d621
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Thu Apr 23 18:45:05 2015 -0400

    Fix: use lttng_secure_getenv to handle env. vars. involving paths

    This is a security fix for applications linked against liblttng-ust
    which are exposed as setuid binaries.

    A malicious user which can run those applications could target those
    environment variable paths to locations that would allow it to create
    files in various areas of the filesystem.

    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

LTTng » LTTng-UST

Bug #877

Use secure_getenv (or equivalent) when getting env. vars. involving paths

Updated by Mathieu Desnoyers over 9 years ago