Hi,

is there any way to change the subject line of an already existing
bug report?  This hole is a really *serious* (not moderate) one -
it lets any local and remote users read any file on the system.

I think there are two possible ways to fix it:
(1) ignore the dangerous environment variables completely (is anyone
    actually using them?  I heard about them for the first time from
    the security alert...).  If anyone needs these features - create
    a separate full-featured resolver library people can use (for
    non-setuid programs only) by setting LD_PRELOAD.

(2) ignore them if (geteuid() != getuid() || getegid() != getgid()).
    Problem: you can pass them to login via telnetd, so telnetd
    needs to be fixed too.  Anyway, I think telnetd should do what
    the one in NetKit-0.08 does: allow only a few (known to be safe)
    environment variables, and don't allow the rest.  Right now, we
    check for a few variables known to be dangerous - and we can't
    be sure that there are no more.  The bash man page mentions
    BASH_ENV in one place, and it's not checked by telnetd.

Marek
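
The two checks discussed in the message above, as an added example that is not part of the original e-mail and is not code from telnetd, NetKit or libc: a library-side lookup that ignores the environment when real and effective ids differ, and a telnetd-side allowlist filter. The allowlist contents and all function names here are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed allowlist, for illustration only; not the list NetKit ships. */
static const char *const allowed_env[] = { "TERM", "DISPLAY", "USER", "LOGNAME", NULL };

/* Option (2): real and effective ids differ, so the caller is not trusted. */
int running_privileged(void) {
    return geteuid() != getuid() || getegid() != getgid();
}

/* Library side: a privileged process never sees the variable at all. */
const char *safe_getenv(const char *name) {
    return running_privileged() ? NULL : getenv(name);
}

/* telnetd side: accept only a well-formed NAME=value with NAME on the list.
 * The whole name is compared, so TERMINFO does not pass as TERM. */
int env_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; allowed_env[i] != NULL; i++)
        if (strlen(allowed_env[i]) == n && memcmp(allowed_env[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, keeping allowed entries; returns the number kept. */
size_t filter_env(char **envp) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (env_allowed(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void) {
    /* Constructed sample of variables a client might send. */
    char *env[] = { "TERM=vt100", "BASH_ENV=/tmp/x", "TERMINFO=/tmp/t", "DISPLAY=:0", NULL };
    for (size_t i = 0, n = filter_env(env); i < n; i++)
        puts(env[i]);
}
```

Because unknown names are dropped by default, a variable such as BASH_ENV is rejected without anyone having to list it as dangerous.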

