diff mbox series

[committed,1/2] Propagate GLIBC_TUNABLES in setxid binaries

Message ID	20231003170811.64957-2-siddhesh@sourceware.org
State	Committed
Commit	0d5f9ea97f1b39f2a855756078771673a68497e1
Headers	DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 7CDB43858D28 sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 290146C1C80; Tue, 3 Oct 2023 17:08:18 +0000 (UTC) sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a208.dreamhost.com (Postfix) with ESMTPSA id 4S0PR55hzKzn8; Tue, 3 Oct 2023 10:08:17 -0700 (PDT) From: Siddhesh Poyarekar <siddhesh@sourceware.org> To: libc-alpha@sourceware.org Cc: Carlos O'Donell <carlos@redhat.com> Subject: [committed 1/2] Propagate GLIBC_TUNABLES in setxid binaries Date: Tue, 3 Oct 2023 13:08:10 -0400 Message-ID: <20231003170811.64957-2-siddhesh@sourceware.org> In-Reply-To: <20231003170811.64957-1-siddhesh@sourceware.org> References: <20231003170811.64957-1-siddhesh@sourceware.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org
Series	[committed,1/2] Propagate GLIBC_TUNABLES in setxid binaries \| [committed,1/2] Propagate GLIBC_TUNABLES in setxid binaries [committed,2/2] tunables: Terminate if end of input is reached (CVE-2023-4911)

Checks

Context	Check	Description
linaro-tcwg-bot/tcwg_glibc_build--master-arm	warning	Patch is already merged
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64	warning	Patch is already merged
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64	warning	Patch is already merged
linaro-tcwg-bot/tcwg_glibc_check--master-arm	warning	Patch is already merged

Commit Message

Siddhesh Poyarekar Oct. 3, 2023, 5:08 p.m. UTC

  GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some
tunables are required to propagate past setxid boundary, like their
env_alias.  Rely on tunable scrubbing to clean out GLIBC_TUNABLES like
before, restoring behaviour in glibc 2.37 and earlier.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
---
 sysdeps/generic/unsecvars.h | 1 -
 1 file changed, 1 deletion(-)

diff mbox series

Patch

diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
index 81397fb90b..8278c50a84 100644
--- a/sysdeps/generic/unsecvars.h
+++ b/sysdeps/generic/unsecvars.h
@@ -4,7 +4,6 @@ 
 #define UNSECURE_ENVVARS \
   "GCONV_PATH\0"							      \
   "GETCONF_DIR\0"							      \
-  "GLIBC_TUNABLES\0"							      \
   "HOSTALIASES\0"							      \
   "LD_AUDIT\0"								      \
   "LD_DEBUG\0"								      \