Date:      Tue, 11 Apr 2017 23:25:04 +0800
From:      Ben Woods <woodsb02@gmail.com>
To:        Jan Beich <jbeich@freebsd.org>
Cc:        Ben Woods <woodsb02@freebsd.org>,  "ports-committers@FreeBSD.org" <ports-committers@freebsd.org>, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   Re: svn commit: r429481 - in head: . x11 x11/lightdm x11/lightdm-gtk-greeter x11/lightdm/files
Message-ID:  <CAOc73CB_0Ah1ZwVmWJpi54aN9Cnu%2BkqkwGJpZ35pEvPeNRYZgQ@mail.gmail.com>
In-Reply-To: <h91y-joxl-wny@FreeBSD.org>
References:  <201612260653.uBQ6rbp5054319@repo.freebsd.org> <20161226072913.0371FFAE@freefall.freebsd.org> <h91y-joxl-wny@FreeBSD.org>

Hi Jan,

Apologies, I think I do remember seeing this, but the solution was not
immediately obvious to me and I seem to have forgotten it.

I have raised a PR to continue discussion and to ensure it doesn't get lost:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218564

I would be grateful if you could add text to that bug explaining the
potential security implications, and elaborate on your proposed fix.

Regards,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com

On 9 April 2017 at 10:27, Jan Beich <jbeich@freebsd.org> wrote:

> jbeich@freebsd.org (Jan Beich) writes:
>
> >> --- /dev/null        00:00:00 1970   (empty, because file is newly
> added)
> >> +++ head/x11/lightdm/files/patch-src_process.c       Mon Dec 26
> 06:53:37 2016        (r429481)
> >> @@ -0,0 +1,11 @@
> >> +--- src/process.c.orig      2016-12-08 21:38:14 UTC
> >> ++++ src/process.c
> >> +@@ -231,7 +231,7 @@ process_start (Process *process, gboolea
> >> + #ifdef HAVE_CLEARENV
> >> +             clearenv ();
> >> + #else
> >> +-            environ = NULL;
> >> ++            putenv ("environ=NULL");
> >> + #endif
> >> +         for (i = 0; i < env_length; i++)
> >> +             setenv (env_keys[i], env_values[i], TRUE);
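Review bot: In the `#else` branch, the added `putenv ("environ=NULL");` does not clear anything: it defines a variable named `environ` whose value is the string `NULL`, so on builds without HAVE_CLEARENV the inherited environment is still in place when the `setenv` loop below runs, plus one stray entry. Suggest pointing `environ` at an empty NULL-terminated vector instead, and adding a comment on why plain `environ = NULL;` was not usable on this platform so the next reader does not reintroduce either form.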
> >
> > Looks bogus, see environ(7). Maybe use "env -i" version:
> >
> >   extern char **environ;
> >   char *cleanenv[1];
> >   environ = cleanenv;
> >   cleanenv[0] = NULL;
>
> Did you ignore this despite possible security implications? I'm not a user,
> so just guessing.
>
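The difference between the two forms discussed in the quoted review, as an added example that is not part of the original thread or of the lightdm port. The variable name `DEMO_INHERITED` and the helper function names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>

extern char **environ;

/* Count the entries currently reachable through environ. */
static int env_count(void)
{
    int n = 0;
    if (environ != NULL)
        while (environ[n] != NULL)
            n++;
    return n;
}

/* The form in the committed patch: this only defines a variable
 * called "environ" with the value "NULL"; nothing is removed. */
static int clear_with_putenv(void)
{
    static char entry[] = "environ=NULL"; /* putenv() keeps this pointer */
    putenv(entry);
    return env_count();
}

/* The "env -i" form suggested in the reply: point environ at an
 * empty, NULL-terminated vector so every inherited entry is dropped. */
static int clear_with_empty_vector(void)
{
    static char *cleanenv[1];
    cleanenv[0] = NULL;
    environ = cleanenv;
    return env_count();
}

int main(void)
{
    /* Constructed stand-in for a variable inherited from the parent. */
    setenv("DEMO_INHERITED", "constructed-value", 1);

    int left = clear_with_putenv();
    printf("putenv form:  %d entries left, DEMO_INHERITED %s\n",
           left, getenv("DEMO_INHERITED") ? "survives" : "is gone");

    left = clear_with_empty_vector();
    printf("empty vector: %d entries left, DEMO_INHERITED %s\n",
           left, getenv("DEMO_INHERITED") ? "survives" : "is gone");
    return 0;
}
```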


