Posted to apache-bugdb@apache.org by Enrik Berkhan <en...@inka.de> on 1997/02/18 23:50:01 UTC

mod_cgi/179: suEXEC wrapper allocates PATH on the stack

>Number:         179
>Category:       mod_cgi
>Synopsis:       suEXEC wrapper allocates PATH on the stack
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Feb 18 14:50:00 1997
>Originator:     enrik@inka.de
>Organization:
apache
>Release:        1.2b6
>Environment:
Debian/GNU Linux 1.2
Linux quechua 2.0.27 #4 Thu Dec 5 22:57:45 MET 1996 i586
gcc version 2.7.2.1
libc.so.5.4.13
>Description:
Within the clean_env function, the buffer for the newly set PATH environment
variable is allocated on the stack. If the buffer were used up to its end,
even the subsequent call to exec could overwrite parts of the buffer before
the exec can copy the environment. The situation gets even worse if somebody
decides to extend suexec.c and to call other functions between clean_env() and
execv().
>How-To-Repeat:
try a (pathologic ;-) SAFE_PATH in suexec.h of nearly 512 characters
>Fix:
change the variable to stati
>Audit-Trail:
>Unformatted:
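
Added example, not part of the original report and not the Apache suexec.c source: a C illustration of the lifetime problem described above, with the stack-buffer pattern (compiled only under the hypothetical SHOW_UNSAFE macro) beside a variant whose buffer outlives the call and which rejects a PATH value that does not fit. The two-slot cleanenv array, PATHBUF_LEN, scribble_stack() and path_survives() are assumptions made for this example; static storage is this example's choice of lifetime.

```c
#include <stdio.h>
#include <string.h>

#define PATHBUF_LEN 512          /* assumed size, from the report's "nearly 512" */
static char *cleanenv[2];        /* hypothetical minimal env: PATH entry + NULL */

#ifdef SHOW_UNSAFE
/* Pattern the report describes: pathbuf's lifetime ends at return, so
 * cleanenv[0] dangles and any later stack use may overwrite the string. */
static void clean_env_unsafe(const char *safe_path)
{
    char pathbuf[PATHBUF_LEN];
    sprintf(pathbuf, "PATH=%s", safe_path);
    cleanenv[0] = pathbuf; cleanenv[1] = NULL;
}
#endif

/* Static storage outlives the call; snprintf detects an oversized value. */
static int clean_env_safe(const char *safe_path)
{
    static char pathbuf[PATHBUF_LEN];
    int n = snprintf(pathbuf, sizeof pathbuf, "PATH=%s", safe_path);
    cleanenv[0] = cleanenv[1] = NULL;
    if (n < 0 || (size_t)n >= sizeof pathbuf)
        return -1;               /* would not fit: refuse rather than truncate */
    cleanenv[0] = pathbuf;
    return 0;
}

/* Stand-in for calls made between clean_env() and execv(): dirties the stack. */
static unsigned scribble_stack(void)
{
    volatile unsigned char junk[2048];
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof junk; i++) { junk[i] = 0xAA; sum += junk[i]; }
    return sum;
}

/* 1 if a constructed path of `len` chars is accepted and still intact later. */
static int path_survives(size_t len)
{
    static char path[1024];      /* constructed sample input: len copies of 'a' */
    if (len >= sizeof path) return 0;
    memset(path, 'a', len); path[len] = '\0';
    if (clean_env_safe(path) != 0) return 0;
    scribble_stack();
    return strncmp(cleanenv[0], "PATH=", 5) == 0 && strcmp(cleanenv[0] + 5, path) == 0;
}

int main(void) { printf("506: %d, 507: %d\n", path_survives(506), path_survives(507)); return 0; }
```

With a 512-byte buffer, "PATH=" plus the terminating NUL leaves room for 506 characters of path, so 506 is accepted and 507 is refused.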