Glibc 2.1.1 contains a vulnerability in the unsetenv() function
24 Sep. 1999
Summary
The unsetenv() function in glibc 2.1.1 suffers from a problem where, while running through the environment variables, if the name of the variable being unset is present twice consecutively, the second copy is not destroyed. This poses a danger because unsetenv() is commonly used by programmers to remove unwanted and possibly dangerous environment variables (containing arbitrary code, a very large buffer, etc.).
unsetenv() is sometimes used by programs that depend on it clearing out variables for protection against hostile environment variables.
glibc 2.1.2 is not vulnerable; older versions should be upgraded.
To test your glibc for this problem, compile and run the following program:
#include <stdlib.h>
#include <stdio.h>

extern char **environ;

int main(void)
{
    /* Two consecutive entries with the same name. */
    char *env[] = {
        "bob=trash",
        "bob=uh-oh",
        NULL};

    environ = env;
    printf("bob = %s\n", env[0]);
    unsetenv("bob");
    /* On an affected glibc the second "bob" survives and is printed here;
       on a fixed glibc getenv() returns NULL (which glibc prints as "(null)"). */
    printf("bob = %s\n", getenv("bob"));
    return 0;
}
If the output isn't "bob = (null)", unsetenv() isn't doing its job. (Also note that not all libcs support unsetenv(), or even the environ variable, so this may not compile or link on many non-glibc systems.)
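To make the iteration mistake visible without depending on the installed libc, here is an added example (not glibc's own code and not part of the original advisory) that models an unsetenv()-style loop over a private, constructed environment array. The skip_after_match flag selects the flawed behaviour: after an entry is deleted and the tail is shifted down, the scan still advances, so the copy that slid into the freed slot is never examined.

```c
#include <stddef.h>
#include <string.h>

/* Remove every "NAME=..." entry from envp, shifting later entries down.
   With skip_after_match set, the scan behaves like the flawed glibc 2.1.1
   loop: after an entry is deleted the index still advances, so the entry
   that slid into the freed slot is never examined.  Two consecutive copies
   therefore leave the second one intact. */
static size_t remove_var(char **envp, const char *name, int skip_after_match)
{
    size_t len = strlen(name);
    size_t removed = 0;
    char **ep = envp;

    while (*ep != NULL) {
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=') {
            char **dp = ep;
            do
                dp[0] = dp[1];          /* shift the tail down by one slot */
            while (*dp++ != NULL);
            removed++;
            if (!skip_after_match)
                continue;               /* re-examine what now sits at *ep */
        }
        ep++;
    }
    return removed;
}

/* Count how many "NAME=..." entries remain. */
static size_t count_var(char **envp, const char *name)
{
    size_t len = strlen(name), n = 0;
    for (char **ep = envp; *ep != NULL; ep++)
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=')
            n++;
    return n;
}

/* Constructed environment: "bob" appears twice in a row.  Returns how many
   copies survive: 1 with the flawed loop, 0 with the corrected one. */
int leftover_after_unset(int flawed_loop)
{
    char *env[] = {"PATH=/usr/bin", "bob=trash", "bob=uh-oh", "HOME=/tmp", NULL};
    remove_var(env, "bob", flawed_loop);
    return (int)count_var(env, "bob");
}
```

A program that must still run on an unpatched libc can call unsetenv() repeatedly until getenv() returns NULL, since each call removes at least the first matching entry.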