On 08/17/2013 12:29 AM, Caroline Tice wrote:
> OK, I *think* I have done as you requested. I have to try the
> environment variable before falling back on stderr (there's a program
> we want to use this on that disables the ability to write to stderr).
> I have added the secure_getenv stuff as you requested. The fixed patch
> is attached.
> Please review the patch and let me know if this is OK to commit. Thanks!
I found a packaged version of autoconf 2.64 and bootstrapped with
--enable-vtable-verify. It's a bit confusing that libvtv is always
built, but ends up being empty.
It seems that HAVE_*SECURE_GETENV is not properly passed down to the
compiler invocation:
/bin/bash ./libtool --tag=CXX --mode=compile
/home/fw/src/gnu/gcc/build/./gcc/xgcc
-B/home/fw/src/gnu/gcc/build/./gcc/ -I. -I../../../git/libvtv
-I../../../git/libvtv/../include -D_GNU_SOURCE -Wall -Wextra
-fno-exceptions -I./../libstdc++-v3/include
-I./../libstdc++-v3/include/x86_64-unknown-linux-gnu
-I../../../git/libvtv/../libstdc++-v3/libsupc++
-Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE
-MT vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c -o vtv_utils.lo
../../../git/libvtv/vtv_utils.cc
libtool: compile: /home/fw/src/gnu/gcc/build/./gcc/xgcc
-B/home/fw/src/gnu/gcc/build/./gcc/ -I. -I../../../git/libvtv
-I../../../git/libvtv/../include -D_GNU_SOURCE -Wall -Wextra
-fno-exceptions -I./../libstdc++-v3/include
-I./../libstdc++-v3/include/x86_64-unknown-linux-gnu
-I../../../git/libvtv/../libstdc++-v3/libsupc++
-Wl,-u_vtable_map_vars_start,-u_vtable_map_vars_end -g -O2 -D_GNU_SOURCE
-MT vtv_utils.lo -MD -MP -MF .deps/vtv_utils.Tpo -c
../../../git/libvtv/vtv_utils.cc -fPIC -DPIC -o .libs/vtv_utils.o
As a result, the DSO ends up referencing getenv, even though
secure_getenv is available (and has been detected by the autoconf check).
Sorry, I don't know what's wrong here. I'm not familiar with the GCC
autoconf machinery. Perhaps you need a config.h.in file?
You can check this yourself with "readelf -s libvtv.so | grep getenv".
It should print a line containing "secure_getenv" or "__secure_getenv",
but not plain "getenv".
--
Florian Weimer / Red Hat Product Security Team
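As an added illustration of the pattern under discussion (environment variable first, stderr as the fallback, read through secure_getenv rather than getenv), not code from the libvtv patch: the variable name EXAMPLE_LOG_DIR is a constructed placeholder, and the secure_getenv detection is done with a glibc version check instead of the autoconf HAVE_*SECURE_GETENV defines.

```c
/* Added example, not part of the libvtv patch: pick a log destination from
 * an environment variable via secure_getenv, falling back to stderr.
 * EXAMPLE_LOG_DIR is a constructed placeholder name. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* secure_getenv appeared in glibc 2.17; detect it here directly instead of
 * relying on an autoconf HAVE_SECURE_GETENV define, which is the mechanism
 * that was not reaching the compiler in the build log above. */
#if defined(__GLIBC__) && \
    (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 17))
#define HAVE_SECURE_GETENV 1
extern char *secure_getenv(const char *name);
#endif

/* Read an environment variable only when it is safe to trust it. */
static const char *trusted_getenv(const char *name)
{
#if defined(HAVE_SECURE_GETENV)
  /* Returns NULL in an AT_SECURE process (setuid/setgid, file capabilities),
   * so a privileged program never honours an attacker-chosen log path. */
  return secure_getenv(name);
#else
  /* Portable approximation: refuse the environment entirely if the
   * process holds privileges its invoker did not have. */
  if (getuid() != geteuid() || getgid() != getegid())
    return NULL;
  return getenv(name);
#endif
}

/* Returns the directory named by var_name, or NULL meaning "log to stderr"
 * (unset, empty, or untrusted environment). */
const char *choose_log_dir(const char *var_name)
{
  const char *dir = trusted_getenv(var_name);
  if (dir == NULL || dir[0] == '\0')
    return NULL;
  return dir;
}

int main(void)
{
  const char *dir = choose_log_dir("EXAMPLE_LOG_DIR");
  printf("logging to %s\n", dir ? dir : "stderr");
  return 0;
}
```

Built on glibc 2.17 or later, `readelf -s` on the resulting binary shows a `secure_getenv` symbol and no plain `getenv`, which is exactly the check Florian describes for libvtv.so.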