www-apache-bugdb mailing list archives

From Enrik Berkhan <en...@inka.de>
Subject mod_cgi/179: suEXEC wrapper allocates PATH on the stack
Date Tue, 18 Feb 1997 22:50:01 GMT

>Number:         179
>Category:       mod_cgi
>Synopsis:       suEXEC wrapper allocates PATH on the stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Feb 18 14:50:00 1997
>Originator:     enrik@inka.de
>Release:        1.2b6
Debian/GNU Linux 1.2
Linux quechua 2.0.27 #4 Thu Dec 5 22:57:45 MET 1996 i586
gcc version
Within the clean_env function, the buffer for the newly set PATH environment
variable is allocated on the stack. If the buffer would be used up to its end,
even the subsequent call to exec could overwrite parts of the buffer before
the exec can copy the environment. The situation gets even worse if somebody
decides to extend suexec.c and to call other functions between clean_env() and
try a (pathologic ;-) SAFE_PATH in suexec.h of nearly 512 characters
change the variable to stati
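An added example, not part of the original report and not Apache's suexec.c: it contrasts the stack-allocated PATH pattern the report describes with a variant that keeps the string in static storage and refuses a SAFE_PATH that would not fit. The names `clean_env_stack`, `clean_env_static`, `scribble_stack`, `path_survives`, `clean_envp` and `PATHBUF_LEN` are hypothetical, and the 512-byte buffer size is an assumption taken from the length the report mentions.

```c
#include <stdio.h>
#include <string.h>

#define PATHBUF_LEN 512                 /* assumed from the report's "nearly 512" */
static char *clean_envp[2];             /* minimal replacement environment */

#ifdef SHOW_STACK_PATTERN               /* pattern the report describes; not compiled */
char **clean_env_stack(const char *safe_path)
{
    char pathbuf[PATHBUF_LEN];          /* automatic storage */
    snprintf(pathbuf, sizeof pathbuf, "PATH=%s", safe_path);
    clean_envp[0] = pathbuf;            /* dangles as soon as we return */
    clean_envp[1] = NULL;
    return clean_envp;
}
#endif

/* Same job, but the string outlives the call and overlong input is refused. */
char **clean_env_static(const char *safe_path)
{
    static char pathbuf[PATHBUF_LEN];
    int n = snprintf(pathbuf, sizeof pathbuf, "PATH=%s", safe_path);
    if (n < 0 || (size_t)n >= sizeof pathbuf)
        return NULL;                    /* would not fit: fail closed */
    clean_envp[0] = pathbuf;
    clean_envp[1] = NULL;
    return clean_envp;
}

/* Stands in for any call made between clean_env() and exec. */
unsigned scribble_stack(void)
{
    volatile unsigned char junk[2 * PATHBUF_LEN];
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof junk; i++) { junk[i] = 0xAA; sum += junk[i]; }
    return sum;
}

/* 1 if PATH is intact after later stack use, 0 if corrupted, -1 if refused. */
int path_survives(const char *safe_path)
{
    char **env = clean_env_static(safe_path);
    if (env == NULL) return -1;
    scribble_stack();
    return strncmp(env[0], "PATH=", 5) == 0 && strcmp(env[0] + 5, safe_path) == 0;
}

int main(void)
{
    printf("%d\n", path_survives("/usr/local/bin:/usr/bin:/bin")); /* constructed sample */
    return 0;
}
```

The stack variant is kept behind `SHOW_STACK_PATTERN` because reading the environment after it returns is undefined behaviour; the array returned by `clean_env_static` is what would be handed to `execve` as its environment argument.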
