Hi, is there any way to change the subject line of an already existing bug report? This hole is a really *serious* (not moderate) one - it lets any local and remote users read any file on the system.
I think there are two possible ways to fix it: (1) ignore the dangerous environment variables completely (is anyone actually using them? I heard about them for the first time from the security alert...). If anyone needs these features - create a separate full-featured resolver library people can use (for non-setuid programs only) by setting LD_PRELOAD. (2) ignore them if (geteuid() != getuid() || getegid() != getgid()). Problem: you can pass them to login via telnetd, so telnetd needs to be fixed too. Anyway, I think telnetd should do what the one in NetKit-0.08 does: allow only a few (known to be safe) environment variables, and don't allow the rest. Right now, we check for a few variables known to be dangerous - and we can't be sure that there are no more. The bash man page mentions BASH_ENV in one place, and it's not checked by telnetd. Marek