On 08/17/2013 12:29 AM, Caroline Tice wrote:
OK, I *think* I have done as you requested.  I have to try the
environment variable before falling back on stderr (there's a program
we want to use this on that disables the ability to write to stderr).
I have added the secure_getenv stuff as you requested. The fixed patch
is attached.

Please review the patch and let me know if this is OK to commit.  Thanks!

I found a packaged version of autoconf 2.64 and bootstrapped with --enable-vtable-verify. It's a bit confusing that libvtv is always built, but ends up being empty.

It seems that HAVE_*SECURE_GETENV is not properly passed down to the compiler invocation:

/bin/bash ./libtool --tag=CXX --mode=compile /home/fw/src/gnu/gcc/build/./gcc/xgcc -B/home/fw/src/gnu/gcc/build/./gcc/ -I. -I../../../git/libvtv -I../../../git/libvtv/../include -D_GNU_SOURCE -Wall -Wextra -fno-exceptions -I./../libstdc++-v3/include -I./../libstdc++-v3/include/x86_64-unknown-linux-gnu -I../../../git/libvtv/../libstdc++-v3/libsupc++ -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE -MT vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c -o vtv_utils.lo ../../../git/libvtv/vtv_utils.cc
libtool: compile: /home/fw/src/gnu/gcc/build/./gcc/xgcc -B/home/fw/src/gnu/gcc/build/./gcc/ -I. -I../../../git/libvtv -I../../../git/libvtv/../include -D_GNU_SOURCE -Wall -Wextra -fno-exceptions -I./../libstdc++-v3/include -I./../libstdc++-v3/include/x86_64-unknown-linux-gnu -I../../../git/libvtv/../libstdc++-v3/libsupc++ -Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE -MT vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c ../../../git/libvtv/vtv_utils.cc -fPIC -DPIC -o .libs/vtv_utils.o

As a result, the DSO ends up referencing getenv, even though secure_getenv is available (and has been detected by the autoconf check).

Sorry, I don't know what's wrong here. I'm not familiar with the GCC autoconf machinery. Perhaps you need a config.h.in file?

You can check this yourself with "readelf -s libvtv.so | grep getenv". It should print a line containing "secure_getenv" or "__secure_getenv", but not plain "getenv".

--
Florian Weimer / Red Hat Product Security Team
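The "readelf -s libvtv.so | grep getenv" check above can be turned into a build gate that fails when the DSO imports plain getenv instead of only secure_getenv/__secure_getenv. The following is an added example, not code from the libvtv patch or from GCC; the readelf excerpts it scans are constructed, and the GETENV_* flag names and audit_getenv_refs function are this example's own.

```c
#include <stdio.h>
#include <string.h>
enum { GETENV_NONE = 0, GETENV_PLAIN = 1, GETENV_SECURE = 2 };

/* Constructed "readelf -s" excerpts (not captured from a real libvtv.so). SAMPLE_BAD
   mirrors the failure in the mail: plain getenv imported although secure_getenv is too. */
static const char SAMPLE_BAD[] =
    "Symbol table '.dynsym' contains 40 entries:\n"
    "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
    "    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.2.5 (2)\n"
    "    27: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND secure_getenv@GLIBC_2.17 (3)\n"
    "    31: 0000000000003a40    73 FUNC    GLOBAL DEFAULT   12 _vtable_map_vars_start\n";
static const char SAMPLE_GOOD[] =
    "    27: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND secure_getenv@GLIBC_2.17 (3)\n";

/* Parse one row (Num: Value Size Type Bind Vis Ndx Name); return the versionless
   name of an undefined (imported) symbol, or NULL for headers/defined symbols. */
static const char *imported_symbol(const char *row, char *out, size_t outsz)
{
    char type[16], bind[16], vis[16], ndx[16], name[256];
    unsigned num, size; unsigned long value;
    if (sscanf(row, " %u: %lx %u %15s %15s %15s %15s %255s",
               &num, &value, &size, type, bind, vis, ndx, name) != 8)
        return NULL;                         /* header, blank or malformed line */
    if (strcmp(ndx, "UND") != 0)
        return NULL;                         /* defined in the DSO, not an import */
    char *at = strchr(name, '@');            /* drop the "@GLIBC_x.y" version tag */
    if (at) *at = '\0';
    snprintf(out, outsz, "%s", name);
    return out;
}

/* Scan newline-separated readelf output and return a bitmask of GETENV_* flags;
   a release gate would fail the build whenever GETENV_PLAIN is set. */
int audit_getenv_refs(const char *readelf_output)
{
    int flags = GETENV_NONE;
    for (const char *p = readelf_output; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char row[512], name[256];
        if (len >= sizeof row) len = sizeof row - 1;
        memcpy(row, p, len); row[len] = '\0';
        if (imported_symbol(row, name, sizeof name)) {
            if (strcmp(name, "getenv") == 0) flags |= GETENV_PLAIN;
            else if (strcmp(name, "secure_getenv") == 0 ||
                     strcmp(name, "__secure_getenv") == 0) flags |= GETENV_SECURE;
        }
        p = nl ? nl + 1 : p + len;
    }
    return flags;
}
```

In a real build, feed it the output of `readelf -s .libs/libvtv.so` and treat a GETENV_PLAIN result as a configuration error, which is exactly the symptom of HAVE_*SECURE_GETENV not reaching the compiler.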
