This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] Harden put*ent functions against data injection [BZ #18724]

From: Florian Weimer <fweimer at redhat dot com>
To: "Carlos O'Donell" <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
Date: Fri, 2 Oct 2015 11:38:30 +0200
Subject: Re: [PATCH] Harden put*ent functions against data injection [BZ #18724]
Authentication-results: sourceware.org; auth=none
References: <55B64BE2 dot 9060905 at redhat dot com> <55B68DBE dot 2050009 at redhat dot com>

On 07/27/2015 09:59 PM, Carlos O'Donell wrote:
> On 07/27/2015 11:18 AM, Florian Weimer wrote:
>> This patch addresses a âBobby Tablesâ issue in the put*ent functions and
>> the getent program, similar to one of the recent libuser issues.
>>
>> I believe this is just hardening because users of the put*ent functions
>> already have appropriate checks before they call these functions, so
>> this is definitely post-freeze material.
>>
>> Tested on x86_64-redhat-linux-gnu.  Okay to commit after master reopens?
> 
> Looks good to me for 2.23 with testsuite comment nits fixed.

Thanks, I committed this with the changes suggested in this thread.

Florian

Follow-Ups:
- Re: [PATCH] Harden put*ent functions against data injection [BZ #18724]
  - From: Joseph Myers

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]