Change file layout of the makefiles.
1 From: http://sisyphus.ru/srpm/Sisyphus/glibc/patches/10
2
3 I added MUDFLAP_OPTIONS to sysdeps/generic/unsecvars.h.
4
5 diff -Naur glibc-2.8-20080929.orig/argp/argp-help.c glibc-2.8-20080929/argp/argp-help.c
6 --- glibc-2.8-20080929.orig/argp/argp-help.c 2007-03-15 20:08:18.000000000 +0000
7 +++ glibc-2.8-20080929/argp/argp-help.c 2008-10-15 00:30:49.000000000 +0000
8 @@ -165,7 +165,7 @@
9 static void
10 fill_in_uparams (const struct argp_state *state)
11 {
12 - const char *var = getenv ("ARGP_HELP_FMT");
13 + const char *var = __secure_getenv ("ARGP_HELP_FMT");
14
15 #define SKIPWS(p) do { while (isspace (*p)) p++; } while (0);
16
17 diff -Naur glibc-2.8-20080929.orig/catgets/catgets.c glibc-2.8-20080929/catgets/catgets.c
18 --- glibc-2.8-20080929.orig/catgets/catgets.c 2002-05-15 03:46:42.000000000 +0000
19 +++ glibc-2.8-20080929/catgets/catgets.c 2008-10-15 00:30:49.000000000 +0000
20 @@ -50,7 +50,7 @@
21 || (__libc_enable_secure && strchr (env_var, '/') != NULL))
22 env_var = "C";
23
24 - nlspath = getenv ("NLSPATH");
25 + nlspath = __secure_getenv ("NLSPATH");
26 if (nlspath != NULL && *nlspath != '\0')
27 {
28 /* Append the system dependent directory. */
29 diff -Naur glibc-2.8-20080929.orig/debug/pcprofile.c glibc-2.8-20080929/debug/pcprofile.c
30 --- glibc-2.8-20080929.orig/debug/pcprofile.c 2001-07-06 04:54:45.000000000 +0000
31 +++ glibc-2.8-20080929/debug/pcprofile.c 2008-10-15 00:30:49.000000000 +0000
32 @@ -38,7 +38,7 @@
33 {
34 /* See whether the environment variable `PCPROFILE_OUTPUT' is defined.
35 If yes, it should name a FIFO. We open it and mark ourself as active. */
36 - const char *outfile = getenv ("PCPROFILE_OUTPUT");
37 + const char *outfile = __secure_getenv ("PCPROFILE_OUTPUT");
38
39 if (outfile != NULL && *outfile != '\0')
40 {
41 diff -Naur glibc-2.8-20080929.orig/debug/segfault.c glibc-2.8-20080929/debug/segfault.c
42 --- glibc-2.8-20080929.orig/debug/segfault.c 2007-08-22 06:52:12.000000000 +0000
43 +++ glibc-2.8-20080929/debug/segfault.c 2008-10-15 00:30:49.000000000 +0000
44 @@ -149,7 +149,7 @@
45 install_handler (void)
46 {
47 struct sigaction sa;
48 - const char *sigs = getenv ("SEGFAULT_SIGNALS");
49 + const char *sigs = __secure_getenv ("SEGFAULT_SIGNALS");
50 const char *name;
51
52 sa.sa_handler = (void *) catch_segfault;
53 @@ -157,7 +157,7 @@
54 sa.sa_flags = SA_RESTART;
55
56 /* Maybe we are expected to use an alternative stack. */
57 - if (getenv ("SEGFAULT_USE_ALTSTACK") != 0)
58 + if (__secure_getenv ("SEGFAULT_USE_ALTSTACK") != 0)
59 {
60 void *stack_mem = malloc (2 * SIGSTKSZ);
61 struct sigaltstack ss;
62 @@ -203,7 +203,7 @@
63 }
64
65 /* Preserve the output file name if there is any given. */
66 - name = getenv ("SEGFAULT_OUTPUT_NAME");
67 + name = __secure_getenv ("SEGFAULT_OUTPUT_NAME");
68 if (name != NULL && name[0] != '\0')
69 {
70 int ret = access (name, R_OK | W_OK);
71 diff -Naur glibc-2.8-20080929.orig/elf/Versions glibc-2.8-20080929/elf/Versions
72 --- glibc-2.8-20080929.orig/elf/Versions 2008-03-08 05:42:26.000000000 +0000
73 +++ glibc-2.8-20080929/elf/Versions 2008-10-15 00:30:49.000000000 +0000
74 @@ -60,6 +60,8 @@
75 _dl_make_stack_executable;
76 # Only here for gdb while a better method is developed.
77 _dl_debug_state;
78 + # For sanitizing environment.
79 + __libc_security_mask;
80 # Pointer protection.
81 __pointer_chk_guard;
82 }
83 diff -Naur glibc-2.8-20080929.orig/elf/dl-support.c glibc-2.8-20080929/elf/dl-support.c
84 --- glibc-2.8-20080929.orig/elf/dl-support.c 2007-06-20 03:18:16.000000000 +0000
85 +++ glibc-2.8-20080929/elf/dl-support.c 2008-10-15 00:30:49.000000000 +0000
86 @@ -163,6 +163,7 @@
87 internal_function
88 _dl_aux_init (ElfW(auxv_t) *av)
89 {
90 + int security_mask = 0;
91 int seen = 0;
92 uid_t uid = 0;
93 gid_t gid = 0;
94 @@ -196,25 +197,27 @@
95 break;
96 #endif
97 case AT_UID:
98 + if (seen & 1) break;
99 uid ^= av->a_un.a_val;
100 seen |= 1;
101 break;
102 case AT_EUID:
103 + if (seen & 2) break;
104 uid ^= av->a_un.a_val;
105 seen |= 2;
106 break;
107 case AT_GID:
108 + if (seen & 4) break;
109 gid ^= av->a_un.a_val;
110 seen |= 4;
111 break;
112 case AT_EGID:
113 + if (seen & 8) break;
114 gid ^= av->a_un.a_val;
115 seen |= 8;
116 break;
117 case AT_SECURE:
118 - seen = -1;
119 - __libc_enable_secure = av->a_un.a_val;
120 - __libc_enable_secure_decided = 1;
121 + security_mask |= av->a_un.a_val != 0;
122 break;
123 # ifdef DL_PLATFORM_AUXV
124 DL_PLATFORM_AUXV
125 @@ -222,7 +225,9 @@
126 }
127 if (seen == 0xf)
128 {
129 - __libc_enable_secure = uid != 0 || gid != 0;
130 + security_mask |= ((uid != 0) << 1) | ((gid != 0) << 2);
131 + __libc_security_mask = security_mask;
132 + __libc_enable_secure = __libc_security_mask != 0;
133 __libc_enable_secure_decided = 1;
134 }
135 }
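Review bot: The AT_SECURE value collected in `security_mask` is only published inside `if (seen == 0xf)`, so it is silently dropped whenever the auxiliary vector lacks one of AT_UID/AT_EUID/AT_GID/AT_EGID; the removed lines stored it and set `__libc_enable_secure_decided` unconditionally. In that case `__libc_init_secure` (patched in elf/enbl-secure.c) decides from the uid/gid comparisons alone, which would presumably miss an exec that the kernel marked secure for some other reason. Consider `if (seen == 0xf || security_mask != 0)` here, which errs on the strict side, or publish the AT_SECURE bit separately after the loop. The switch that fills `seen` and `security_mask` is in the previous hunk, and `_dl_aux_init` starts before it.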
136 @@ -239,19 +244,19 @@
137 if (!_dl_pagesize)
138 _dl_pagesize = __getpagesize ();
139
140 - _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
141 + _dl_verbose = *(__secure_getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
142
143 /* Initialize the data structures for the search paths for shared
144 objects. */
145 - _dl_init_paths (getenv ("LD_LIBRARY_PATH"));
146 + _dl_init_paths (__secure_getenv ("LD_LIBRARY_PATH"));
147
148 - _dl_lazy = *(getenv ("LD_BIND_NOW") ?: "") == '\0';
149 + _dl_lazy = *(__secure_getenv ("LD_BIND_NOW") ?: "") == '\0';
150
151 - _dl_bind_not = *(getenv ("LD_BIND_NOT") ?: "") != '\0';
152 + _dl_bind_not = *(__secure_getenv ("LD_BIND_NOT") ?: "") != '\0';
153
154 - _dl_dynamic_weak = *(getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
155 + _dl_dynamic_weak = *(__secure_getenv ("LD_DYNAMIC_WEAK") ?: "") == '\0';
156
157 - _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
158 + _dl_profile_output = __secure_getenv ("LD_PROFILE_OUTPUT");
159 if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
160 _dl_profile_output
161 = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
162 @@ -264,6 +269,8 @@
163 EXTRA_UNSECURE_ENVVARS
164 #endif
165 ;
166 + static const char restricted_envvars[] =
167 + RESTRICTED_ENVVARS;
168 const char *cp = unsecure_envvars;
169
170 while (cp < unsecure_envvars + sizeof (unsecure_envvars))
171 @@ -272,8 +279,31 @@
172 cp = (const char *) __rawmemchr (cp, '\0') + 1;
173 }
174
175 - if (__access ("/etc/suid-debug", F_OK) != 0)
176 - __unsetenv ("MALLOC_CHECK_");
177 + if (__libc_security_mask & 2)
178 + {
179 + static const char unsecure_uid_envvars[] =
180 + UNSECURE_UID_ENVVARS;
181 +
182 + cp = unsecure_uid_envvars;
183 + while (cp < unsecure_uid_envvars + sizeof (unsecure_uid_envvars))
184 + {
185 + __unsetenv (cp);
186 + cp = (const char *) __rawmemchr (cp, '\0') + 1;
187 + }
188 + }
189 +
190 + /* This loop is buggy: it will only check the first occurrence of each
191 + variable (but will correctly remove all in case of a match). This
192 + may be a problem if the list is later re-ordered or accessed by an
193 + application with something other than the glibc getenv(). */
194 + cp = restricted_envvars;
195 + while (cp < restricted_envvars + sizeof (restricted_envvars))
196 + {
197 + const char *value = getenv (cp);
198 + if (value && (value[0] == '.' || strchr(value, '/')))
199 + __unsetenv (cp);
200 + cp = (const char *) __rawmemchr (cp, '\0') + 1;
201 + }
202 }
203
204 #ifdef DL_PLATFORM_INIT
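Review bot: The restricted-variable loop tests only the value that `getenv (cp)` returns, which is the first matching entry, so a later duplicate of the same name with a value starting with `.` or containing `/` is left in the environment; the added comment admits this but ships the gap. Since this filter exists to protect privileged processes, it should examine every entry with that name and unset the variable if any of them fails the check. The same loop is added to elf/rtld.c further down and needs the same change. The sketch below also stops at the empty terminating name, as the rtld.c variant does, instead of running one extra iteration on `""`.

```c
  /* ... unchanged: unsecure_envvars and unsecure_uid_envvars loops ... */

  /* Inspect every occurrence of each restricted name, not only the
     first one that getenv () would return.  */
  for (cp = restricted_envvars; *cp != '\0';
       cp = (const char *) __rawmemchr (cp, '\0') + 1)
    {
      size_t len = strlen (cp);
      char **ep;
      int bad = 0;

      for (ep = __environ; ep != NULL && *ep != NULL; ++ep)
        if (strncmp (*ep, cp, len) == 0 && (*ep)[len] == '='
            && ((*ep)[len + 1] == '.' || strchr (*ep + len + 1, '/')))
          bad = 1;

      if (bad)
        __unsetenv (cp);
    }
```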
205 diff -Naur glibc-2.8-20080929.orig/elf/dl-sysdep.c glibc-2.8-20080929/elf/dl-sysdep.c
206 --- glibc-2.8-20080929.orig/elf/dl-sysdep.c 2008-03-08 07:28:36.000000000 +0000
207 +++ glibc-2.8-20080929/elf/dl-sysdep.c 2008-10-15 00:30:49.000000000 +0000
208 @@ -54,8 +54,10 @@
209 #ifdef NEED_DL_BASE_ADDR
210 ElfW(Addr) _dl_base_addr;
211 #endif
212 -int __libc_enable_secure attribute_relro = 0;
213 +int __libc_enable_secure attribute_relro = 1;
214 INTVARDEF(__libc_enable_secure)
215 +int __libc_security_mask attribute_relro = 0x7fffffff;
216 +INTVARDEF(__libc_security_mask)
217 int __libc_multiple_libcs = 0; /* Defining this here avoids the inclusion
218 of init-first. */
219 /* This variable contains the lowest stack address ever used. */
220 @@ -80,6 +82,10 @@
221 # define DL_STACK_END(cookie) ((void *) (cookie))
222 #endif
223
224 +#ifdef HAVE_AUX_XID
225 +#undef HAVE_AUX_XID
226 +#endif
227 +
228 ElfW(Addr)
229 _dl_sysdep_start (void **start_argptr,
230 void (*dl_main) (const ElfW(Phdr) *phdr, ElfW(Word) phnum,
231 @@ -89,19 +95,19 @@
232 ElfW(Word) phnum = 0;
233 ElfW(Addr) user_entry;
234 ElfW(auxv_t) *av;
235 -#ifdef HAVE_AUX_SECURE
236 + int security_mask = 0;
237 +#if 0
238 # define set_seen(tag) (tag) /* Evaluate for the side effects. */
239 -# define set_seen_secure() ((void) 0)
240 #else
241 uid_t uid = 0;
242 gid_t gid = 0;
243 unsigned int seen = 0;
244 -# define set_seen_secure() (seen = -1)
245 # ifdef HAVE_AUX_XID
246 # define set_seen(tag) (tag) /* Evaluate for the side effects. */
247 # else
248 # define M(type) (1 << (type))
249 # define set_seen(tag) seen |= M ((tag)->a_type)
250 +# define is_seen(tag) seen & M ((tag)->a_type)
251 # endif
252 #endif
253 #ifdef NEED_DL_SYSINFO
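Review bot: `is_seen` expands to the bare expression `seen & M ((tag)->a_type)`, which is only safe because both uses in the next hunk are a complete `if` condition; any use next to `!`, `==` or `&&` would bind wrongly. Write it as `# define is_seen(tag) (seen & M ((tag)->a_type))`. The macro is also defined only in the non-`HAVE_AUX_XID` branch, so the build depends on the `#undef HAVE_AUX_XID` added in the previous hunk, and that deserves a one-line comment there. Replacing `#ifdef HAVE_AUX_SECURE` with `#if 0` leaves a dead `set_seen` definition behind, and deleting that branch would read better than disabling it. `_dl_sysdep_start` continues outside this hunk.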
254 @@ -135,21 +141,18 @@
255 _dl_base_addr = av->a_un.a_val;
256 break;
257 #endif
258 -#ifndef HAVE_AUX_SECURE
259 case AT_UID:
260 case AT_EUID:
261 + if (is_seen (av)) break;
262 uid ^= av->a_un.a_val;
263 break;
264 case AT_GID:
265 case AT_EGID:
266 + if (is_seen (av)) break;
267 gid ^= av->a_un.a_val;
268 break;
269 -#endif
270 case AT_SECURE:
271 -#ifndef HAVE_AUX_SECURE
272 - seen = -1;
273 -#endif
274 - INTUSE(__libc_enable_secure) = av->a_un.a_val;
275 + security_mask |= av->a_un.a_val != 0;
276 break;
277 case AT_PLATFORM:
278 GLRO(dl_platform) = (void *) av->a_un.a_val;
279 @@ -178,8 +181,6 @@
280 #endif
281 }
282
283 -#ifndef HAVE_AUX_SECURE
284 - if (seen != -1)
285 {
286 /* Fill in the values we have not gotten from the kernel through the
287 auxiliary vector. */
288 @@ -191,12 +192,12 @@
289 SEE (GID, gid, gid);
290 SEE (EGID, gid, egid);
291 # endif
292 -
293 - /* If one of the two pairs of IDs does not match this is a setuid
294 - or setgid run. */
295 - INTUSE(__libc_enable_secure) = uid | gid;
296 }
297 -#endif
298 + /* If one of the two pairs of IDs does not match
299 + this is a setuid or setgid run. */
300 + security_mask |= ((uid != 0) << 1) | ((gid != 0) << 2);
301 + INTUSE(__libc_security_mask) = security_mask;
302 + INTUSE(__libc_enable_secure) = security_mask != 0;
303
304 #ifndef HAVE_AUX_PAGESIZE
305 if (GLRO(dl_pagesize) == 0)
306 diff -Naur glibc-2.8-20080929.orig/elf/enbl-secure.c glibc-2.8-20080929/elf/enbl-secure.c
307 --- glibc-2.8-20080929.orig/elf/enbl-secure.c 2005-12-14 08:46:07.000000000 +0000
308 +++ glibc-2.8-20080929/elf/enbl-secure.c 2008-10-15 00:30:49.000000000 +0000
309 @@ -27,11 +27,17 @@
310 int __libc_enable_secure_decided;
311 /* Safest assumption, if somehow the initializer isn't run. */
312 int __libc_enable_secure = 1;
313 +int __libc_security_mask = 0x7fffffff;
314
315 void
316 __libc_init_secure (void)
317 {
318 if (__libc_enable_secure_decided == 0)
319 - __libc_enable_secure = (__geteuid () != __getuid ()
320 - || __getegid () != __getgid ());
321 + {
322 + __libc_security_mask =
323 + ((__geteuid () != __getuid ()) << 1) |
324 + ((__getegid () != __getgid ()) << 2);
325 + __libc_enable_secure = __libc_security_mask != 0;
326 + __libc_security_mask |= __libc_enable_secure;
327 + }
328 }
329 diff -Naur glibc-2.8-20080929.orig/elf/rtld.c glibc-2.8-20080929/elf/rtld.c
330 --- glibc-2.8-20080929.orig/elf/rtld.c 2008-03-08 07:29:40.000000000 +0000
331 +++ glibc-2.8-20080929/elf/rtld.c 2008-10-15 00:30:49.000000000 +0000
332 @@ -2500,6 +2500,7 @@
333 GLRO(dl_profile_output)
334 = &"/var/tmp\0/var/profile"[INTUSE(__libc_enable_secure) ? 9 : 0];
335
336 + if (__builtin_expect (!INTUSE(__libc_enable_secure), 1))
337 while ((envline = _dl_next_ld_env_entry (&runp)) != NULL)
338 {
339 size_t len = 0;
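Review bot: The new `if (__builtin_expect (!INTUSE(__libc_enable_secure), 1))` has no braces, so the whole `while` loop that follows becomes its body; that loop runs far past this hunk and, as far as this rendering shows, is not re-indented. Wrap the loop in `{ ... }` so a later edit cannot separate the guard from the loop and re-enable LD_* parsing for privileged processes. A short comment such as `/* Secure processes ignore every LD_* variable, so the per-variable checks below were dropped. */` would also explain why the later hunks remove the individual `__libc_enable_secure` tests.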
340 @@ -2566,8 +2567,7 @@
341 case 9:
342 /* Test whether we want to see the content of the auxiliary
343 array passed up from the kernel. */
344 - if (!INTUSE(__libc_enable_secure)
345 - && memcmp (envline, "SHOW_AUXV", 9) == 0)
346 + if (memcmp (envline, "SHOW_AUXV", 9) == 0)
347 _dl_show_auxv ();
348 break;
349
350 @@ -2580,8 +2580,7 @@
351
352 case 11:
353 /* Path where the binary is found. */
354 - if (!INTUSE(__libc_enable_secure)
355 - && memcmp (envline, "ORIGIN_PATH", 11) == 0)
356 + if (memcmp (envline, "ORIGIN_PATH", 11) == 0)
357 GLRO(dl_origin_path) = &envline[12];
358 break;
359
360 @@ -2600,8 +2599,7 @@
361 break;
362 }
363
364 - if (!INTUSE(__libc_enable_secure)
365 - && memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
366 + if (memcmp (envline, "DYNAMIC_WEAK", 12) == 0)
367 GLRO(dl_dynamic_weak) = 1;
368 break;
369
370 @@ -2611,8 +2609,7 @@
371 #ifdef EXTRA_LD_ENVVARS_13
372 EXTRA_LD_ENVVARS_13
373 #endif
374 - if (!INTUSE(__libc_enable_secure)
375 - && memcmp (envline, "USE_LOAD_BIAS", 13) == 0)
376 + if (memcmp (envline, "USE_LOAD_BIAS", 13) == 0)
377 {
378 GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
379 break;
380 @@ -2624,8 +2621,7 @@
381
382 case 14:
383 /* Where to place the profiling data file. */
384 - if (!INTUSE(__libc_enable_secure)
385 - && memcmp (envline, "PROFILE_OUTPUT", 14) == 0
386 + if (memcmp (envline, "PROFILE_OUTPUT", 14) == 0
387 && envline[15] != '\0')
388 GLRO(dl_profile_output) = &envline[15];
389 break;
390 @@ -2669,16 +2665,39 @@
391 EXTRA_UNSECURE_ENVVARS
392 #endif
393 UNSECURE_ENVVARS;
394 + static const char restricted_envvars[] =
395 + RESTRICTED_ENVVARS;
396 const char *nextp;
397
398 - nextp = unsecure_envvars;
399 - do
400 + for (nextp = unsecure_envvars; *nextp != '\0';
401 + nextp = (char *) rawmemchr (nextp, '\0') + 1)
402 {
403 unsetenv (nextp);
404 - /* We could use rawmemchr but this need not be fast. */
405 - nextp = (char *) (strchr) (nextp, '\0') + 1;
406 }
407 - while (*nextp != '\0');
408 +
409 + if (__builtin_expect (INTUSE(__libc_security_mask) & 2, 0))
410 + {
411 + static const char unsecure_uid_envvars[] =
412 + UNSECURE_UID_ENVVARS;
413 +
414 + for (nextp = unsecure_uid_envvars; *nextp != '\0';
415 + nextp = (char *) rawmemchr (nextp, '\0') + 1)
416 + {
417 + unsetenv (nextp);
418 + }
419 + }
420 +
421 + /* This loop is buggy: it will only check the first occurrence of each
422 + variable (but will correctly remove all in case of a match). This
423 + may be a problem if the list is later re-ordered or accessed by an
424 + application with something other than the glibc getenv(). */
425 + for (nextp = restricted_envvars; *nextp != '\0';
426 + nextp = (char *) rawmemchr (nextp, '\0') + 1)
427 + {
428 + const char *value = getenv (nextp);
429 + if (value && (value[0] == '.' || strchr(value, '/')))
430 + unsetenv (nextp);
431 + }
432
433 if (__access ("/etc/suid-debug", F_OK) != 0)
434 {
435 diff -Naur glibc-2.8-20080929.orig/gmon/gmon.c glibc-2.8-20080929/gmon/gmon.c
436 --- glibc-2.8-20080929.orig/gmon/gmon.c 2008-03-19 06:43:31.000000000 +0000
437 +++ glibc-2.8-20080929/gmon/gmon.c 2008-10-15 00:30:49.000000000 +0000
438 @@ -326,8 +326,8 @@
439 # define O_NOFOLLOW 0
440 #endif
441
442 - env = getenv ("GMON_OUT_PREFIX");
443 - if (env != NULL && !__libc_enable_secure)
444 + env = __secure_getenv ("GMON_OUT_PREFIX");
445 + if (env != NULL)
446 {
447 size_t len = strlen (env);
448 char buf[len + 20];
449 diff -Naur glibc-2.8-20080929.orig/iconv/gconv_cache.c glibc-2.8-20080929/iconv/gconv_cache.c
450 --- glibc-2.8-20080929.orig/iconv/gconv_cache.c 2007-07-28 19:00:25.000000000 +0000
451 +++ glibc-2.8-20080929/iconv/gconv_cache.c 2008-10-15 00:30:49.000000000 +0000
452 @@ -55,7 +55,7 @@
453
454 /* We cannot use the cache if the GCONV_PATH environment variable is
455 set. */
456 - __gconv_path_envvar = getenv ("GCONV_PATH");
457 + __gconv_path_envvar = __secure_getenv ("GCONV_PATH");
458 if (__gconv_path_envvar != NULL)
459 return -1;
460
461 diff -Naur glibc-2.8-20080929.orig/include/unistd.h glibc-2.8-20080929/include/unistd.h
462 --- glibc-2.8-20080929.orig/include/unistd.h 2006-07-31 05:57:52.000000000 +0000
463 +++ glibc-2.8-20080929/include/unistd.h 2008-10-15 00:30:49.000000000 +0000
464 @@ -142,10 +142,12 @@
465 and some functions contained in the C library ignore various
466 environment variables that normally affect them. */
467 extern int __libc_enable_secure attribute_relro;
468 +extern int __libc_security_mask attribute_relro;
469 extern int __libc_enable_secure_decided;
470 #ifdef IS_IN_rtld
471 /* XXX The #ifdef should go. */
472 extern int __libc_enable_secure_internal attribute_relro attribute_hidden;
473 +extern int __libc_security_mask_internal attribute_relro attribute_hidden;
474 #endif
475
476
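Review bot: `__libc_security_mask` is declared without any description of its bits, yet elf/dl-support.c and elf/rtld.c test it with the bare constant `& 2`. From the assignments in this patch the layout appears to be bit 0 for AT_SECURE (also set by `__libc_init_secure` on any id mismatch), bit 1 for a uid/euid mismatch and bit 2 for a gid/egid mismatch, with `0x7fffffff` as the "not yet decided, assume everything" default. Put that above the declaration, e.g. `/* Bit 0: AT_SECURE; bit 1: uid != euid; bit 2: gid != egid. Defaults to all bits set until decided. */`, and consider named constants in place of the literal `2`.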
477 diff -Naur glibc-2.8-20080929.orig/intl/dcigettext.c glibc-2.8-20080929/intl/dcigettext.c
478 --- glibc-2.8-20080929.orig/intl/dcigettext.c 2008-03-31 00:37:17.000000000 +0000
479 +++ glibc-2.8-20080929/intl/dcigettext.c 2008-10-15 00:30:49.000000000 +0000
480 @@ -1391,7 +1391,7 @@
481
482 if (!output_charset_cached)
483 {
484 - const char *value = getenv ("OUTPUT_CHARSET");
485 + const char *value = __secure_getenv ("OUTPUT_CHARSET");
486
487 if (value != NULL && value[0] != '\0')
488 {
489 diff -Naur glibc-2.8-20080929.orig/io/getdirname.c glibc-2.8-20080929/io/getdirname.c
490 --- glibc-2.8-20080929.orig/io/getdirname.c 2001-07-06 04:54:53.000000000 +0000
491 +++ glibc-2.8-20080929/io/getdirname.c 2008-10-15 00:30:49.000000000 +0000
492 @@ -31,7 +31,7 @@
493 char *pwd;
494 struct stat64 dotstat, pwdstat;
495
496 - pwd = getenv ("PWD");
497 + pwd = __secure_getenv ("PWD");
498 if (pwd != NULL
499 && stat64 (".", &dotstat) == 0
500 && stat64 (pwd, &pwdstat) == 0
501 diff -Naur glibc-2.8-20080929.orig/libidn/toutf8.c glibc-2.8-20080929/libidn/toutf8.c
502 --- glibc-2.8-20080929.orig/libidn/toutf8.c 2005-02-22 01:25:30.000000000 +0000
503 +++ glibc-2.8-20080929/libidn/toutf8.c 2008-10-15 00:30:49.000000000 +0000
504 @@ -74,7 +74,7 @@
505 const char *
506 stringprep_locale_charset (void)
507 {
508 - const char *charset = getenv ("CHARSET"); /* flawfinder: ignore */
509 + const char *charset = __secure_getenv ("CHARSET");
510
511 if (charset && *charset)
512 return charset;
513 diff -Naur glibc-2.8-20080929.orig/locale/newlocale.c glibc-2.8-20080929/locale/newlocale.c
514 --- glibc-2.8-20080929.orig/locale/newlocale.c 2008-03-31 00:37:03.000000000 +0000
515 +++ glibc-2.8-20080929/locale/newlocale.c 2008-10-15 00:30:49.000000000 +0000
516 @@ -104,7 +104,7 @@
517 locale_path = NULL;
518 locale_path_len = 0;
519
520 - locpath_var = getenv ("LOCPATH");
521 + locpath_var = __secure_getenv ("LOCPATH");
522 if (locpath_var != NULL && locpath_var[0] != '\0')
523 {
524 if (__argz_create_sep (locpath_var, ':',
525 diff -Naur glibc-2.8-20080929.orig/locale/setlocale.c glibc-2.8-20080929/locale/setlocale.c
526 --- glibc-2.8-20080929.orig/locale/setlocale.c 2008-03-31 00:37:03.000000000 +0000
527 +++ glibc-2.8-20080929/locale/setlocale.c 2008-10-15 00:30:49.000000000 +0000
528 @@ -246,7 +246,7 @@
529 locale_path = NULL;
530 locale_path_len = 0;
531
532 - locpath_var = getenv ("LOCPATH");
533 + locpath_var = __secure_getenv ("LOCPATH");
534 if (locpath_var != NULL && locpath_var[0] != '\0')
535 {
536 if (__argz_create_sep (locpath_var, ':',
537 diff -Naur glibc-2.8-20080929.orig/malloc/arena.c glibc-2.8-20080929/malloc/arena.c
538 --- glibc-2.8-20080929.orig/malloc/arena.c 2007-12-12 00:11:27.000000000 +0000
539 +++ glibc-2.8-20080929/malloc/arena.c 2008-10-15 00:30:49.000000000 +0000
540 @@ -494,10 +494,10 @@
541 # undef NO_STARTER
542 # endif
543 #endif
544 + s = NULL;
545 #ifdef _LIBC
546 secure = __libc_enable_secure;
547 - s = NULL;
548 - if (__builtin_expect (_environ != NULL, 1))
549 + if (! secure && __builtin_expect (_environ != NULL, 1))
550 {
551 char **runp = _environ;
552 char *envline;
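Review bot: With `! secure` moved onto the outer condition, the environment scan is skipped entirely for secure processes, so the `CHECK_` case (its `s = &envline[7];` line is visible as context in the next hunk) is no longer reached there either. Together with `MALLOC_CHECK_` now being listed unconditionally in `UNSECURE_ENVVARS`, the `/etc/suid-debug` opt-in that elf/rtld.c still tests in this patch no longer appears to enable anything for malloc. If that is intended, say so in a comment here, for instance `/* All MALLOC_* tunables, including MALLOC_CHECK_, are ignored in secure mode. */`, and drop or update the now stale `/etc/suid-debug` check. The enclosing function starts and ends outside this hunk.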
553 @@ -520,26 +520,20 @@
554 s = &envline[7];
555 break;
556 case 8:
557 - if (! secure)
558 - {
559 if (memcmp (envline, "TOP_PAD_", 8) == 0)
560 mALLOPt(M_TOP_PAD, atoi(&envline[9]));
561 else if (memcmp (envline, "PERTURB_", 8) == 0)
562 mALLOPt(M_PERTURB, atoi(&envline[9]));
563 - }
564 break;
565 case 9:
566 - if (! secure && memcmp (envline, "MMAP_MAX_", 9) == 0)
567 + if (memcmp (envline, "MMAP_MAX_", 9) == 0)
568 mALLOPt(M_MMAP_MAX, atoi(&envline[10]));
569 break;
570 case 15:
571 - if (! secure)
572 - {
573 if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
574 mALLOPt(M_TRIM_THRESHOLD, atoi(&envline[16]));
575 else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
576 mALLOPt(M_MMAP_THRESHOLD, atoi(&envline[16]));
577 - }
578 break;
579 default:
580 break;
581 diff -Naur glibc-2.8-20080929.orig/malloc/memusage.c glibc-2.8-20080929/malloc/memusage.c
582 --- glibc-2.8-20080929.orig/malloc/memusage.c 2006-12-08 17:13:24.000000000 +0000
583 +++ glibc-2.8-20080929/malloc/memusage.c 2008-10-15 00:30:49.000000000 +0000
584 @@ -214,7 +214,7 @@
585 static void
586 me (void)
587 {
588 - const char *env = getenv ("MEMUSAGE_PROG_NAME");
589 + const char *env = __secure_getenv ("MEMUSAGE_PROG_NAME");
590 size_t prog_len = strlen (__progname);
591
592 initialized = -1;
593 @@ -250,7 +250,7 @@
594 if (!start_sp)
595 start_sp = GETSP ();
596
597 - outname = getenv ("MEMUSAGE_OUTPUT");
598 + outname = __secure_getenv ("MEMUSAGE_OUTPUT");
599 if (outname != NULL && outname[0] != '\0'
600 && (access (outname, R_OK | W_OK) == 0 || errno == ENOENT))
601 {
602 @@ -273,7 +273,7 @@
603 /* Determine the buffer size. We use the default if the
604 environment variable is not present. */
605 buffer_size = DEFAULT_BUFFER_SIZE;
606 - if (getenv ("MEMUSAGE_BUFFER_SIZE") != NULL)
607 + if (__secure_getenv ("MEMUSAGE_BUFFER_SIZE") != NULL)
608 {
609 buffer_size = atoi (getenv ("MEMUSAGE_BUFFER_SIZE"));
610 if (buffer_size == 0 || buffer_size > DEFAULT_BUFFER_SIZE)
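Review bot: Only the existence test was switched to `__secure_getenv`; the value is still fetched with plain `getenv ("MEMUSAGE_BUFFER_SIZE")` on the next line. The guard makes this safe today, but the pattern invites a later copy without the guard and looks the variable up twice. Read it once and reuse the pointer: `const char *bs = __secure_getenv ("MEMUSAGE_BUFFER_SIZE");` then `if (bs != NULL)` and `buffer_size = atoi (bs);`. The enclosing function starts and ends outside this hunk.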
611 @@ -281,7 +281,7 @@
612 }
613
614 /* Possibly enable timer-based stack pointer retrieval. */
615 - if (getenv ("MEMUSAGE_NO_TIMER") == NULL)
616 + if (__secure_getenv ("MEMUSAGE_NO_TIMER") == NULL)
617 {
618 struct sigaction act;
619
620 @@ -302,7 +302,7 @@
621 }
622 }
623
624 - if (!not_me && getenv ("MEMUSAGE_TRACE_MMAP") != NULL)
625 + if (!not_me && __secure_getenv ("MEMUSAGE_TRACE_MMAP") != NULL)
626 trace_mmap = true;
627 }
628 }
629 diff -Naur glibc-2.8-20080929.orig/nis/nis_defaults.c glibc-2.8-20080929/nis/nis_defaults.c
630 --- glibc-2.8-20080929.orig/nis/nis_defaults.c 2006-10-11 16:22:34.000000000 +0000
631 +++ glibc-2.8-20080929/nis/nis_defaults.c 2008-10-15 00:30:49.000000000 +0000
632 @@ -358,7 +358,7 @@
633
634 char *cptr = defaults;
635 if (cptr == NULL)
636 - cptr = getenv ("NIS_DEFAULTS");
637 + cptr = __secure_getenv ("NIS_DEFAULTS");
638
639 if (cptr != NULL)
640 {
641 @@ -385,7 +385,7 @@
642
643 char *cptr = defaults;
644 if (cptr == NULL)
645 - cptr = getenv ("NIS_DEFAULTS");
646 + cptr = __secure_getenv ("NIS_DEFAULTS");
647
648 if (cptr != NULL)
649 {
650 @@ -417,7 +417,7 @@
651 return searchttl (defaults);
652 }
653
654 - cptr = getenv ("NIS_DEFAULTS");
655 + cptr = __secure_getenv ("NIS_DEFAULTS");
656 if (cptr == NULL)
657 return DEFAULT_TTL;
658
659 @@ -445,7 +445,7 @@
660 result = searchaccess (param, result);
661 else
662 {
663 - cptr = getenv ("NIS_DEFAULTS");
664 + cptr = __secure_getenv ("NIS_DEFAULTS");
665 if (cptr != NULL && strstr (cptr, "access=") != NULL)
666 result = searchaccess (cptr, result);
667 }
668 diff -Naur glibc-2.8-20080929.orig/nis/nis_local_names.c glibc-2.8-20080929/nis/nis_local_names.c
669 --- glibc-2.8-20080929.orig/nis/nis_local_names.c 2006-04-07 06:52:01.000000000 +0000
670 +++ glibc-2.8-20080929/nis/nis_local_names.c 2008-10-15 00:30:49.000000000 +0000
671 @@ -30,7 +30,7 @@
672
673 char *cptr;
674 if (__nisgroup[0] == '\0'
675 - && (cptr = getenv ("NIS_GROUP")) != NULL
676 + && (cptr = __secure_getenv ("NIS_GROUP")) != NULL
677 && strlen (cptr) < NIS_MAXNAMELEN)
678 {
679 char *cp = stpcpy (__nisgroup, cptr);
680 diff -Naur glibc-2.8-20080929.orig/nis/nis_subr.c glibc-2.8-20080929/nis/nis_subr.c
681 --- glibc-2.8-20080929.orig/nis/nis_subr.c 2007-07-28 20:43:36.000000000 +0000
682 +++ glibc-2.8-20080929/nis/nis_subr.c 2008-10-15 00:30:49.000000000 +0000
683 @@ -178,7 +178,7 @@
684 }
685
686 /* Get the search path, where we have to search "name" */
687 - path = getenv ("NIS_PATH");
688 + path = __secure_getenv ("NIS_PATH");
689 if (path == NULL)
690 path = strdupa ("$");
691 else
692 diff -Naur glibc-2.8-20080929.orig/posix/execvp.c glibc-2.8-20080929/posix/execvp.c
693 --- glibc-2.8-20080929.orig/posix/execvp.c 2007-01-03 23:01:15.000000000 +0000
694 +++ glibc-2.8-20080929/posix/execvp.c 2008-10-15 00:30:49.000000000 +0000
695 @@ -90,7 +90,7 @@
696 {
697 size_t pathlen;
698 size_t alloclen = 0;
699 - char *path = getenv ("PATH");
700 + char *path = __secure_getenv ("PATH");
701 if (path == NULL)
702 {
703 pathlen = confstr (_CS_PATH, (char *) NULL, 0);
704 @@ -116,11 +116,11 @@
705 if (path == NULL)
706 {
707 /* There is no `PATH' in the environment.
708 - The default search path is the current directory
709 - followed by the path `confstr' returns for `_CS_PATH'. */
710 + The default search path is what `confstr' returns
711 + for `_CS_PATH'. */
712 path = name + pathlen + len + 1;
713 - path[0] = ':';
714 - (void) confstr (_CS_PATH, path + 1, pathlen);
715 + path[0] = '\0';
716 + (void) confstr (_CS_PATH, path, pathlen);
717 }
718
719 /* Copy the file name at the top. */
720 diff -Naur glibc-2.8-20080929.orig/posix/glob.c glibc-2.8-20080929/posix/glob.c
721 --- glibc-2.8-20080929.orig/posix/glob.c 2007-10-15 04:59:03.000000000 +0000
722 +++ glibc-2.8-20080929/posix/glob.c 2008-10-15 00:30:49.000000000 +0000
723 @@ -557,7 +557,7 @@
724 && (dirname[2] == '\0' || dirname[2] == '/')))
725 {
726 /* Look up home directory. */
727 - const char *home_dir = getenv ("HOME");
728 + const char *home_dir = __secure_getenv ("HOME");
729 # ifdef _AMIGA
730 if (home_dir == NULL || home_dir[0] == '\0')
731 home_dir = "SYS:";
732 diff -Naur glibc-2.8-20080929.orig/posix/wordexp.c glibc-2.8-20080929/posix/wordexp.c
733 --- glibc-2.8-20080929.orig/posix/wordexp.c 2007-01-25 00:43:39.000000000 +0000
734 +++ glibc-2.8-20080929/posix/wordexp.c 2008-10-15 00:30:49.000000000 +0000
735 @@ -320,7 +320,7 @@
736 results are unspecified. We do a lookup on the uid if
737 HOME is unset. */
738
739 - home = getenv ("HOME");
740 + home = __secure_getenv ("HOME");
741 if (home != NULL)
742 {
743 *word = w_addstr (*word, word_length, max_length, home);
744 @@ -1493,7 +1493,7 @@
745 }
746 }
747 else
748 - value = getenv (env);
749 + value = __secure_getenv (env);
750
751 if (value == NULL && (flags & WRDE_UNDEF))
752 {
753 @@ -2262,7 +2262,7 @@
754 /* Find out what the field separators are.
755 * There are two types: whitespace and non-whitespace.
756 */
757 - ifs = getenv ("IFS");
758 + ifs = __secure_getenv ("IFS");
759
760 if (ifs == NULL)
761 /* IFS unset - use <space><tab><newline>. */
762 diff -Naur glibc-2.8-20080929.orig/resolv/res_hconf.c glibc-2.8-20080929/resolv/res_hconf.c
763 --- glibc-2.8-20080929.orig/resolv/res_hconf.c 2007-11-23 03:03:31.000000000 +0000
764 +++ glibc-2.8-20080929/resolv/res_hconf.c 2008-10-15 00:30:49.000000000 +0000
765 @@ -304,7 +304,7 @@
766
767 memset (&_res_hconf, '\0', sizeof (_res_hconf));
768
769 - hconf_name = getenv (ENV_HOSTCONF);
770 + hconf_name = __secure_getenv (ENV_HOSTCONF);
771 if (hconf_name == NULL)
772 hconf_name = _PATH_HOSTCONF;
773
774 @@ -323,23 +323,23 @@
775 fclose (fp);
776 }
777
778 - envval = getenv (ENV_SPOOF);
779 + envval = __secure_getenv (ENV_SPOOF);
780 if (envval)
781 arg_spoof (ENV_SPOOF, 1, envval);
782
783 - envval = getenv (ENV_MULTI);
784 + envval = __secure_getenv (ENV_MULTI);
785 if (envval)
786 arg_bool (ENV_MULTI, 1, envval, HCONF_FLAG_MULTI);
787
788 - envval = getenv (ENV_REORDER);
789 + envval = __secure_getenv (ENV_REORDER);
790 if (envval)
791 arg_bool (ENV_REORDER, 1, envval, HCONF_FLAG_REORDER);
792
793 - envval = getenv (ENV_TRIM_ADD);
794 + envval = __secure_getenv (ENV_TRIM_ADD);
795 if (envval)
796 arg_trimdomain_list (ENV_TRIM_ADD, 1, envval);
797
798 - envval = getenv (ENV_TRIM_OVERR);
799 + envval = __secure_getenv (ENV_TRIM_OVERR);
800 if (envval)
801 {
802 _res_hconf.num_trimdomains = 0;
803 diff -Naur glibc-2.8-20080929.orig/resolv/res_init.c glibc-2.8-20080929/resolv/res_init.c
804 --- glibc-2.8-20080929.orig/resolv/res_init.c 2008-04-07 17:20:25.000000000 +0000
805 +++ glibc-2.8-20080929/resolv/res_init.c 2008-10-15 00:30:49.000000000 +0000
806 @@ -201,7 +201,7 @@
807 #endif
808
809 /* Allow user to override the local domain definition */
810 - if ((cp = getenv("LOCALDOMAIN")) != NULL) {
811 + if ((cp = __secure_getenv("LOCALDOMAIN")) != NULL) {
812 (void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
813 statp->defdname[sizeof(statp->defdname) - 1] = '\0';
814 haveenv++;
815 @@ -470,7 +470,7 @@
816 #endif /* !RFC1535 */
817 }
818
819 - if ((cp = getenv("RES_OPTIONS")) != NULL)
820 + if ((cp = __secure_getenv("RES_OPTIONS")) != NULL)
821 res_setoptions(statp, cp, "env");
822 statp->options |= RES_INIT;
823 return (0);
824 diff -Naur glibc-2.8-20080929.orig/resolv/res_query.c glibc-2.8-20080929/resolv/res_query.c
825 --- glibc-2.8-20080929.orig/resolv/res_query.c 2007-02-09 23:43:25.000000000 +0000
826 +++ glibc-2.8-20080929/resolv/res_query.c 2008-10-15 00:30:49.000000000 +0000
827 @@ -474,7 +474,7 @@
828
829 if (statp->options & RES_NOALIASES)
830 return (NULL);
831 - file = getenv("HOSTALIASES");
832 + file = __secure_getenv("HOSTALIASES");
833 if (file == NULL || (fp = fopen(file, "r")) == NULL)
834 return (NULL);
835 setbuf(fp, NULL);
836 diff -Naur glibc-2.8-20080929.orig/stdlib/fmtmsg.c glibc-2.8-20080929/stdlib/fmtmsg.c
837 --- glibc-2.8-20080929.orig/stdlib/fmtmsg.c 2006-05-15 18:41:18.000000000 +0000
838 +++ glibc-2.8-20080929/stdlib/fmtmsg.c 2008-10-15 00:30:49.000000000 +0000
839 @@ -205,8 +205,8 @@
840 static void
841 init (void)
842 {
843 - const char *msgverb_var = getenv ("MSGVERB");
844 - const char *sevlevel_var = getenv ("SEV_LEVEL");
845 + const char *msgverb_var = __secure_getenv ("MSGVERB");
846 + const char *sevlevel_var = __secure_getenv ("SEV_LEVEL");
847
848 if (msgverb_var != NULL && msgverb_var[0] != '\0')
849 {
850 diff -Naur glibc-2.8-20080929.orig/sunrpc/rpc_svcout.c glibc-2.8-20080929/sunrpc/rpc_svcout.c
851 --- glibc-2.8-20080929.orig/sunrpc/rpc_svcout.c 2005-11-21 15:43:03.000000000 +0000
852 +++ glibc-2.8-20080929/sunrpc/rpc_svcout.c 2008-10-15 00:30:49.000000000 +0000
853 @@ -897,7 +897,7 @@
854 f_print (fout, "\t\t_rpcpmstart = 1;\n");
855 if (logflag)
856 open_log_file (infile, "\t\t");
857 - f_print (fout, "\t\tif ((netid = getenv(\"NLSPROVIDER\")) == NULL) {\n");
858 + f_print (fout, "\t\tif ((netid = __secure_getenv(\"NLSPROVIDER\")) == NULL) {\n");
859 sprintf (_errbuf, "cannot get transport name");
860 print_err_message ("\t\t\t");
861 f_print (fout, "\t\t} else if ((nconf = getnetconfigent(netid)) == NULL) {\n");
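Review bot: This string is written into rpcgen's output, so it is the generated server program, not glibc itself, that will call `__secure_getenv`. As far as I know that name has no prototype in the installed public headers, so unless the generated preamble declares it the call would be implicitly typed as returning `int`, which can truncate the pointer on 64-bit targets, and it ties user programs to an internal symbol. Either emit a declaration such as `extern char *__secure_getenv (const char *);` in the generated file, or leave plain `getenv` in generated code and rely on the environment scrubbing this patch already does at startup.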
862 diff -Naur glibc-2.8-20080929.orig/sysdeps/generic/unsecvars.h glibc-2.8-20080929/sysdeps/generic/unsecvars.h
863 --- glibc-2.8-20080929.orig/sysdeps/generic/unsecvars.h 2006-10-11 16:24:05.000000000 +0000
864 +++ glibc-2.8-20080929/sysdeps/generic/unsecvars.h 2008-10-15 00:32:09.000000000 +0000
865 @@ -2,25 +2,87 @@
866 all stuffed in a single string which means they have to be terminated
867 with a '\0' explicitly. */
868 #define UNSECURE_ENVVARS \
869 - "GCONV_PATH\0" \
870 - "GETCONF_DIR\0" \
871 - "HOSTALIASES\0" \
872 - "LD_AUDIT\0" \
873 - "LD_DEBUG\0" \
874 - "LD_DEBUG_OUTPUT\0" \
875 - "LD_DYNAMIC_WEAK\0" \
876 - "LD_LIBRARY_PATH\0" \
877 - "LD_ORIGIN_PATH\0" \
878 - "LD_PRELOAD\0" \
879 - "LD_PROFILE\0" \
880 - "LD_SHOW_AUXV\0" \
881 - "LD_USE_LOAD_BIAS\0" \
882 - "LOCALDOMAIN\0" \
883 - "LOCPATH\0" \
884 - "MALLOC_TRACE\0" \
885 - "NIS_PATH\0" \
886 - "NLSPATH\0" \
887 - "RESOLV_HOST_CONF\0" \
888 - "RES_OPTIONS\0" \
889 - "TMPDIR\0" \
890 + "ARGP_HELP_FMT\0" \
891 + "DATEMSK\0" \
892 + "GCONV_PATH\0" \
893 + "GETCONF_DIR\0" \
894 + "GMON_OUT_PREFIX\0" \
895 + "HESIOD_CONFIG\0" \
896 + "HES_DOMAIN\0" \
897 + "HOSTALIASES\0" \
898 + "LD_AUDIT\0" \
899 + "LD_BIND_NOT\0" \
900 + "LD_BIND_NOW\0" \
901 + "LD_DEBUG\0" \
902 + "LD_DEBUG_OUTPUT\0" \
903 + "LD_DYNAMIC_WEAK\0" \
904 + "LD_HWCAP_MASK\0" \
905 + "LD_LIBRARY_PATH\0" \
906 + "LD_ORIGIN_PATH\0" \
907 + "LD_POINTER_GUARD\0" \
908 + "LD_PRELOAD\0" \
909 + "LD_PROFILE\0" \
910 + "LD_PROFILE_OUTPUT\0" \
911 + "LD_SHOW_AUXV\0" \
912 + "LD_TRACE_LOADED_OBJECTS\0" \
913 + "LD_TRACE_PRELINKING\0" \
914 + "LD_USE_LOAD_BIAS\0" \
915 + "LD_VERBOSE\0" \
916 + "LD_WARN\0" \
917 + "LOCALDOMAIN\0" \
918 + "LOCPATH\0" \
919 + "MALLOC_CHECK_\0" \
920 + "MALLOC_MMAP_MAX_\0" \
921 + "MALLOC_MMAP_THRESHOLD_\0" \
922 + "MALLOC_PERTURB_\0" \
923 + "MALLOC_TOP_PAD_\0" \
924 + "MALLOC_TRACE\0" \
925 + "MALLOC_TRIM_THRESHOLD_\0" \
926 + "MEMUSAGE_BUFFER_SIZE\0" \
927 + "MEMUSAGE_NO_TIMER\0" \
928 + "MEMUSAGE_OUTPUT\0" \
929 + "MEMUSAGE_PROG_NAME\0" \
930 + "MEMUSAGE_TRACE_MMAP\0" \
931 + "MSGVERB\0" \
932 + "MUDFLAP_OPTIONS\0" \
933 + "NIS_DEFAULTS\0" \
934 + "NIS_GROUP\0" \
935 + "NIS_PATH\0" \
936 + "NLSPATH\0" \
937 + "PCPROFILE_OUTPUT\0" \
938 + "POSIXLY_CORRECT\0" \
939 + "PWD\0" \
940 + "RESOLV_ADD_TRIM_DOMAINS\0" \
941 + "RESOLV_HOST_CONF\0" \
942 + "RESOLV_MULTI\0" \
943 + "RESOLV_OVERRIDE_TRIM_DOMAINS\0" \
944 + "RESOLV_REORDER\0" \
945 + "RESOLV_SPOOF_CHECK\0" \
946 + "RES_OPTIONS\0" \
947 + "SEGFAULT_OUTPUT_NAME\0" \
948 + "SEGFAULT_SIGNALS\0" \
949 + "SEGFAULT_USE_ALTSTACK\0" \
950 + "SEV_LEVEL\0" \
951 + "TZ\0" \
952 "TZDIR\0"
953 +
954 +#define UNSECURE_UID_ENVVARS \
955 + "TMPDIR\0"
956 +
957 +#define RESTRICTED_ENVVARS \
958 + "LANG\0" \
959 + "LANGUAGE\0" \
960 + "LC_ADDRESS\0" \
961 + "LC_ALL\0" \
962 + "LC_COLLATE\0" \
963 + "LC_CTYPE\0" \
964 + "LC_IDENTIFICATION\0" \
965 + "LC_MEASUREMENT\0" \
966 + "LC_MESSAGES\0" \
967 + "LC_MONETARY\0" \
968 + "LC_NAME\0" \
969 + "LC_NUMERIC\0" \
970 + "LC_PAPER\0" \
971 + "LC_TELEPHONE\0" \
972 + "LC_TIME\0" \
973 + "LC_XXX\0"
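Review bot: `TMPDIR` is dropped from `UNSECURE_ENVVARS` and reappears only in the new `UNSECURE_UID_ENVVARS`, so any consumer that still walks just `UNSECURE_ENVVARS` stops scrubbing it. The code that reads the two new macros is not in this hunk and should be checked against that. The existing comment above the first macro does not cover `UNSECURE_UID_ENVVARS` or `RESTRICTED_ENVVARS`; each needs its own comment saying when it applies and whether the listed names are removed or only have their values checked, for example `/* Unset only when the real and effective user IDs differ. */` if that is the intent of the UID list. The trailing `"LC_XXX\0"` entry in `RESTRICTED_ENVVARS` reads like a placeholder and should be explained in a comment or removed.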
974 diff -Naur glibc-2.8-20080929.orig/sysdeps/posix/spawni.c glibc-2.8-20080929/sysdeps/posix/spawni.c
975 --- glibc-2.8-20080929.orig/sysdeps/posix/spawni.c 2006-06-04 22:16:05.000000000 +0000
976 +++ glibc-2.8-20080929/sysdeps/posix/spawni.c 2008-10-15 00:30:49.000000000 +0000
977 @@ -227,16 +227,15 @@
978 }
979
980 /* We have to search for FILE on the path. */
981 - path = getenv ("PATH");
982 + path = __secure_getenv ("PATH");
983 if (path == NULL)
984 {
985 /* There is no `PATH' in the environment.
986 - The default search path is the current directory
987 - followed by the path `confstr' returns for `_CS_PATH'. */
988 + The default search path is ehat `confstr' returns
989 + for `_CS_PATH'. */
990 len = confstr (_CS_PATH, (char *) NULL, 0);
991 - path = (char *) __alloca (1 + len);
992 - path[0] = ':';
993 - (void) confstr (_CS_PATH, path + 1, len);
994 + path = (char *) __alloca (len);
995 + (void) confstr (_CS_PATH, path, len);
996 }
997
998 len = strlen (file) + 1;
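Review bot: The rewritten comment in the `path == NULL` branch misspells "what" as "ehat". It also still says there is no `PATH` in the environment, although with `__secure_getenv` the branch is taken as well when `PATH` is set but the process runs in secure mode. Suggested wording: `/* PATH is unset, or ignored in secure mode. The default search path is what confstr returns for _CS_PATH; the current directory is not searched. */`. Separately, the result of the second `confstr` call is still discarded with `(void)`; if the first call ever returned 0, `path` would presumably be used further down without a terminator, so a `len == 0` check would be a cheap guard. The function continues outside the hunk.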
999 diff -Naur glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/dl-librecon.h glibc-2.8-20080929/sysdeps/unix/sysv/linux/dl-librecon.h
1000 --- glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/dl-librecon.h 2004-03-05 10:14:48.000000000 +0000
1001 +++ glibc-2.8-20080929/sysdeps/unix/sysv/linux/dl-librecon.h 2008-10-15 00:30:49.000000000 +0000
1002 @@ -53,7 +53,7 @@
1003
1004 #define DL_OSVERSION_INIT \
1005 do { \
1006 - char *assume_kernel = getenv ("LD_ASSUME_KERNEL"); \
1007 + char *assume_kernel = __secure_getenv ("LD_ASSUME_KERNEL"); \
1008 if (assume_kernel) \
1009 _dl_osversion_init (assume_kernel); \
1010 } while (0)
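Review bot: `LD_ASSUME_KERNEL` is now ignored in secure mode by `DL_OSVERSION_INIT`, but it is not added to the scrub lists the way the other converted variables are (`MSGVERB`, `SEV_LEVEL`, `DATEMSK`, `TZ`, `TZDIR`). It is missing from the rewritten `UNSECURE_ENVVARS` in sysdeps/generic/unsecvars.h and from the i386 `EXTRA_UNSECURE_ENVVARS`. Unless it is listed somewhere outside the visible hunks, a privileged process would skip the variable itself yet still pass it on to programs it executes. Adding `"LD_ASSUME_KERNEL\0" \` ahead of `"LD_AUDIT\0" \` in `UNSECURE_ENVVARS` would make the treatment consistent.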
1011 diff -Naur glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/i386/dl-librecon.h glibc-2.8-20080929/sysdeps/unix/sysv/linux/i386/dl-librecon.h
1012 --- glibc-2.8-20080929.orig/sysdeps/unix/sysv/linux/i386/dl-librecon.h 2004-10-14 01:53:55.000000000 +0000
1013 +++ glibc-2.8-20080929/sysdeps/unix/sysv/linux/i386/dl-librecon.h 2008-10-15 00:30:49.000000000 +0000
1014 @@ -57,6 +57,7 @@
1015 /* Extra unsecure variables. The names are all stuffed in a single
1016 string which means they have to be terminated with a '\0' explicitly. */
1017 #define EXTRA_UNSECURE_ENVVARS \
1018 + "LD_LIBRARY_VERSION\0" \
1019 "LD_AOUT_LIBRARY_PATH\0" \
1020 "LD_AOUT_PRELOAD\0"
1021
1022 diff -Naur glibc-2.8-20080929.orig/time/getdate.c glibc-2.8-20080929/time/getdate.c
1023 --- glibc-2.8-20080929.orig/time/getdate.c 2007-12-10 01:40:43.000000000 +0000
1024 +++ glibc-2.8-20080929/time/getdate.c 2008-10-15 00:30:49.000000000 +0000
1025 @@ -115,7 +115,7 @@
1026 struct stat64 st;
1027 int mday_ok = 0;
1028
1029 - datemsk = getenv ("DATEMSK");
1030 + datemsk = __secure_getenv ("DATEMSK");
1031 if (datemsk == NULL || *datemsk == '\0')
1032 return 1;
1033
1034 diff -Naur glibc-2.8-20080929.orig/time/tzfile.c glibc-2.8-20080929/time/tzfile.c
1035 --- glibc-2.8-20080929.orig/time/tzfile.c 2007-11-06 01:03:43.000000000 +0000
1036 +++ glibc-2.8-20080929/time/tzfile.c 2008-10-15 00:30:49.000000000 +0000
1037 @@ -149,7 +149,7 @@
1038 unsigned int len, tzdir_len;
1039 char *new, *tmp;
1040
1041 - tzdir = getenv ("TZDIR");
1042 + tzdir = __secure_getenv ("TZDIR");
1043 if (tzdir == NULL || *tzdir == '\0')
1044 {
1045 tzdir = default_tzdir;
1046 diff -Naur glibc-2.8-20080929.orig/time/tzset.c glibc-2.8-20080929/time/tzset.c
1047 --- glibc-2.8-20080929.orig/time/tzset.c 2008-03-19 06:43:34.000000000 +0000
1048 +++ glibc-2.8-20080929/time/tzset.c 2008-10-15 00:30:49.000000000 +0000
1049 @@ -383,8 +383,11 @@
1050 return;
1051 is_initialized = 1;
1052
1053 - /* Examine the TZ environment variable. */
1054 - tz = getenv ("TZ");
1055 + /* Examine the TZ environment variable. This doesn't really have to be
1056 + a __secure_getenv() call as __tzfile_read() tries to only read files
1057 + found under a trusted directory, but this helps reduce the amount of
1058 + security-critical code. */
1059 + tz = __secure_getenv ("TZ");
1060 if (tz == NULL && !explicit)
1061 /* Use the site-wide default. This is a file name which means we
1062 would not see changes to the file if we compare only the file