This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Harden put*ent functions against data injection [BZ #18724]
- From: Florian Weimer <fweimer at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 2 Oct 2015 11:38:30 +0200
- Subject: Re: [PATCH] Harden put*ent functions against data injection [BZ #18724]
- Authentication-results: sourceware.org; auth=none
- References: <55B64BE2 dot 9060905 at redhat dot com> <55B68DBE dot 2050009 at redhat dot com>
On 07/27/2015 09:59 PM, Carlos O'Donell wrote:
> On 07/27/2015 11:18 AM, Florian Weimer wrote:
>> This patch addresses a “Bobby Tables” issue in the put*ent functions and
>> the getent program, similar to one of the recent libuser issues.
>>
>> I believe this is just hardening because users of the put*ent functions
>> already have appropriate checks before they call these functions, so
>> this is definitely post-freeze material.
>>
>> Tested on x86_64-redhat-linux-gnu. Okay to commit after master reopens?
>
> Looks good to me for 2.23 with testsuite comment nits fixed.
Thanks, I committed this with the changes suggested in this thread.
Florian