www-apache-bugdb mailing list archives

From Enrik Berkhan <en...@inka.de>
Subject mod_cgi/179: suEXEC wrapper allocates PATH on the stack
Date Tue, 18 Feb 1997 22:50:01 GMT

>Number:         179
>Category:       mod_cgi
>Synopsis:       suEXEC wrapper allocates PATH on the stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Feb 18 14:50:00 1997
>Originator:     enrik@inka.de
>Organization:
apache
>Release:        1.2b6
>Environment:
Debian/GNU Linux 1.2
Linux quechua 2.0.27 #4 Thu Dec 5 22:57:45 MET 1996 i586
gcc version 2.7.2.1
libc.so.5.4.13
>Description:
Within the clean_env function, the buffer for the newly set PATH environment
variable is allocated on the stack. If the buffer would be used up to its end,
even the subsequent call to exec could overwrite parts of the buffer before
the exec can copy the environment. The situation gets even worse if somebody
decides to extend suexec.c and to call other functions between clean_env() and
execv().
>How-To-Repeat:
try a (pathologic ;-) SAFE_PATH in suexec.h of nearly 512 characters
>Fix:
change the variable to stati
>Audit-Trail:
>Unformatted:
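
The lifetime problem described in the report, as an added example that is not part of the original message or of Apache's suexec.c: `clean_env_stack` reproduces the reported pattern, and `clean_env_static` gives the buffer static storage and rejects an over-long path. All function names, the 512-byte buffer size and the truncation check are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PATH_BUF 512   /* assumed size, from the report's "nearly 512" */

/* Reported pattern: env[0] points into this frame and dangles on return.
 * Kept for comparison only; its result must never be dereferenced. */
char **clean_env_stack(const char *safe_path)
{
    char pathbuf[PATH_BUF];
    char **env = calloc(2, sizeof *env);
    if (env == NULL) return NULL;
    snprintf(pathbuf, sizeof pathbuf, "PATH=%s", safe_path);
    env[0] = pathbuf;
    return env;
}

/* Same logic, but the buffer has static storage duration, and an
 * over-long path is rejected instead of being silently truncated. */
char **clean_env_static(const char *safe_path)
{
    static char pathbuf[PATH_BUF];
    char **env = calloc(2, sizeof *env);   /* PATH entry + NULL terminator */
    if (env == NULL) return NULL;
    int n = snprintf(pathbuf, sizeof pathbuf, "PATH=%s", safe_path);
    if (n < 0 || (size_t)n >= sizeof pathbuf) { free(env); return NULL; }
    env[0] = pathbuf;
    return env;
}

/* Stand-in for any call made between clean_env() and execv(). */
int scribble_stack(void)
{
    volatile unsigned char junk[4096];
    int sum = 0;
    for (size_t i = 0; i < sizeof junk; i++) { junk[i] = 0xAA; sum += junk[i]; }
    return sum;
}

/* Returns the PATH entry as seen after the stack has been reused. */
const char *path_after_reuse(const char *safe_path)
{
    char **env = clean_env_static(safe_path);
    if (env == NULL) return NULL;
    scribble_stack();
    const char *entry = env[0];            /* points at the static buffer */
    free(env);
    return entry;
}
```

With "PATH=" prepended, a 506-character path is the longest that fits in the 512-byte buffer; anything longer makes `clean_env_static` return NULL.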


