This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
- From: Florian Weimer <fweimer at redhat dot com>
- To: Allan McRae <allan at archlinux dot org>, Roland McGrath <roland at hack dot frob dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>
- Date: Mon, 16 Jun 2014 11:11:02 +0200
- Subject: Re: [PATCH] posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
- Authentication-results: sourceware.org; auth=none
- References: <5398C182 dot 4040906 at redhat dot com> <20140611210111 dot 92DF92C39A5 at topped-with-meat dot com> <5398C7BD dot 5000304 at redhat dot com> <539CF22A dot 8090204 at archlinux dot org>
On 06/15/2014 03:08 AM, Allan McRae wrote:
On 12/06/14 07:18, Florian Weimer wrote:
On 06/11/2014 11:01 PM, Roland McGrath wrote:
This looks fine to me except for some trivia.
Thanks, committed with the suggested changes.
We normally add a news item for fixed CVEs. How does this sound?
We didn't know if this would qualify for a CVE at the time of commit.
* CVE-2014-4043 The posix_spawn_file_actions_addopen implementation did not
copy the path argument. This allowed programs to trigger use-after-free
bugs or other situations where the path is mutated. (Bugzilla #17048).
The second sentence seems a bit rough. Perhaps:
"This allowed programs to cause posix_spawn to deference a dangling
pointer, or use an unexpected pathname argument if the string was
modified after the posix_spawn_file_actions_addopen invocation."
Florian Weimer / Red Hat Product Security Team