tag 435841 security
thanks

Looking at bug #435841, I came across the following code, which is the direct source of the problem:

----------------------------------------------------------------------
void SwitchUser::SetEnvironment() {
    char *term = getenv("TERM");
*   char** environ;
*   environ = (char **) new char*[2];
*   environ[0] = 0;
    if(term)
        putenv(StrConcat("TERM=", term));
    putenv(StrConcat("HOME=", Pw->pw_dir));
    ... [ several more calls to putenv, no further use of environ ] ...
    chdir(...)
}
----------------------------------------------------------------------

Changing the starred lines to a call to clearenv() ought to solve this particular bug. However, those lines are such a silly mistake that it makes me think the author was either asleep or very inexperienced. This app being a login manager, it really needs careful coding to make sure there are as few security issues as possible. Thus, I *do not* recommend this fix be applied as is, but to have someone with security experience have a *good* look at the code.
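Added illustration of the defect described in the report above; this is not code from the report or from the project, and the helper names (str_concat as a stand-in for StrConcat, set_environment_buggy, set_environment_fixed, the INHERITED_VAR variable and the /home/example path) are constructed for the demo. The local `char** environ` shadows the global `environ`, so the freshly allocated two-element array is never installed as the process environment and every putenv() keeps editing whatever the parent process passed in. Replacing the starred lines with clearenv() empties the real environment, so only the variables the login manager sets explicitly survive.

```cpp
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1      // clearenv() and environ are glibc extensions
#endif
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <unistd.h>

extern char **environ;     // the real process environment

// Stand-in for the report's StrConcat(). putenv() keeps the pointer it is
// given, so the buffer must outlive the call; it is intentionally never freed.
static char *str_concat(const char *prefix, const char *value) {
    std::string s = std::string(prefix) + value;
    return strdup(s.c_str());
}

// Number of "NAME=value" entries in the real process environment.
static int env_count() {
    int n = 0;
    for (char **e = environ; e != NULL && *e != NULL; ++e) ++n;
    return n;
}

// 'Before': the mistake from the report. The local `environ` shadows the
// global one, so this array is set up, never used, and the putenv() below
// still modifies the environment inherited from the parent process.
static void set_environment_buggy(const char *home) {
    char **environ;                       // shadows ::environ, not the same variable
    environ = (char **) new char *[2];
    environ[0] = 0;
    putenv(str_concat("HOME=", home));
    delete[] environ;                     // only here so the demo does not leak
}

// 'After': clearenv() empties the real environment, so only the variables
// set explicitly afterwards are visible to the user's session.
static void set_environment_fixed(const char *home) {
    clearenv();
    putenv(str_concat("HOME=", home));
}

// Plants a variable as if it had been inherited from the parent process,
// runs one of the two versions, and reports whether it is still visible.
static bool inherited_survives(void (*set_env)(const char *)) {
    setenv("INHERITED_VAR", "leftover", 1);   // constructed sample variable
    set_env("/home/example");                 // constructed sample path
    return getenv("INHERITED_VAR") != NULL;
}

int main() {
    std::printf("buggy: inherited var survives = %d, env entries = %d\n",
                (int) inherited_survives(set_environment_buggy), env_count());
    std::printf("fixed: inherited var survives = %d, env entries = %d\n",
                (int) inherited_survives(set_environment_fixed), env_count());
    return 0;
}
```

Compile with g++ on a glibc system; the buggy version reports the planted variable as still present and an environment as large as the parent's, while the fixed version leaves exactly one entry, HOME.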