tag 435841 security
thanks 

Looking at bug #435841, I came across the following code, which is the
direct source of the problem:

----------------------------------------------------------------------
 void SwitchUser::SetEnvironment() {
     char *term = getenv("TERM");
*    char** environ;
*    environ = (char **) new char*[2];
*    environ[0] = 0;
     if(term)
         putenv(StrConcat("TERM=", term));
     putenv(StrConcat("HOME=", Pw->pw_dir));
 ... [ several more calls to putenv, no further use of environ ] ...
     chdir(...)
 }
----------------------------------------------------------------------

Changing the starred lines to a call to clearenv() ought to solve this
particular bug.

However, those lines are such a silly mistake that it makes me
think the author was either asleep or very inexperienced. This app
being a login manager, it really needs careful coding to make sure
there are as few security issues as possible.

Thus, I *do not* recommend this fix be applied as is, but to have
someone with security experience have a *good* look at the code.

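An added example (not the bug report's code, nor the login manager's own) that contrasts the shadowed local `environ` with the suggested clearenv() fix; it assumes glibc, and the variable names and values are constructed:

```c
/* Added example: the shadowed-environ mistake next to the clearenv() fix.
 * Assumes glibc (clearenv() is a GNU extension); INHERITED_VAR and the
 * HOME value are constructed for the demonstration. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;    /* the real process environment */
int clearenv(void);       /* prototype in case _GNU_SOURCE is not in effect */

/* Number of entries currently in the process environment
 * (glibc sets environ to NULL after clearenv()). */
size_t env_count(void) {
    size_t n = 0;
    if (environ)
        while (environ[n]) n++;
    return n;
}

/* Simulate what a login manager inherits from whoever started it. */
static void simulate_inherited_env(void) {
    setenv("INHERITED_VAR", "set-by-caller", 1);
}

/* The reported bug: a local named environ hides the global, so nothing
 * is cleared and INHERITED_VAR survives into the user session.
 * Returns 1 if the inherited variable is still visible, 0 otherwise. */
int buggy_set_environment(void) {
    simulate_inherited_env();
    char **environ = malloc(2 * sizeof(char *));   /* shadows the global */
    environ[0] = NULL;                             /* has no effect on the process */
    putenv("HOME=/home/example");
    free(environ);
    return getenv("INHERITED_VAR") != NULL;
}

/* The suggested fix: clearenv() empties the real environment, then only
 * the variables the manager chooses are put back.
 * Returns 1 if the inherited variable is still visible, 0 otherwise. */
int fixed_set_environment(void) {
    simulate_inherited_env();
    clearenv();
    putenv("HOME=/home/example");
    return getenv("INHERITED_VAR") != NULL;
}
```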