Describe the bug
_gsskrb5_store_cred_into2 sometimes allocates an environment variable assignment with malloc:
heimdal/lib/gssapi/krb5/store_cred.c, line 335 in 1b954fa
heimdal/lib/gssapi/krb5/store_cred.c, line 71 in 1b954fa
heimdal/lib/gssapi/mech/gss_buffer_set.c, line 85 in 1b954fa
Then it passes this assignment to putenv:
heimdal/lib/gssapi/krb5/store_cred.c, line 345 in 1b954fa
heimdal/lib/gssapi/krb5/store_cred.c, line 87 in 1b954fa
Then it frees the assignment:
heimdal/lib/gssapi/krb5/store_cred.c, line 347 in 1b954fa
heimdal/lib/gssapi/mech/gss_buffer_set.c, line 112 in 1b954fa
heimdal/lib/gssapi/mech/gss_release_buffer.c, line 38 in 1b954fa
At this point, there is still a pointer to the freed environment variable assignment string in environ.
Subsequent calls by the same process to exec or posix_spawn will pass this pointer along. If the memory has been recycled, this may leak secrets into other processes.
To Reproduce
code inspection
Expected behavior
no putenv abuse
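The ownership rule behind this report, as an added example that is not Heimdal code and not part of the original issue: putenv() stores the caller's pointer in environ, while setenv() stores its own copy. The variable name DEMO_CCNAME, its value and the function names are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares putenv, setenv, unsetenv */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Return 1 if some environ slot holds exactly this pointer. */
static int environ_aliases(const char *buf)
{
    for (char **e = environ; e && *e; e++)
        if (*e == buf)
            return 1;
    return 0;
}

/* putenv() case: environ ends up pointing at the caller's heap buffer.
 * The slot is withdrawn before free(), so nothing is left dangling here. */
int putenv_aliases_caller_buffer(void)
{
    char *assign = strdup("DEMO_CCNAME=FILE:/tmp/demo_cc");  /* constructed */
    if (assign == NULL || putenv(assign) != 0) { free(assign); return -1; }
    int aliased = environ_aliases(assign);   /* 1: same pointer in environ */
    unsetenv("DEMO_CCNAME");                 /* remove the slot first */
    free(assign);                            /* only now is free() safe */
    return aliased;
}

/* setenv() case: the library copies the value, so the caller may free its
 * buffer immediately and the environment entry stays valid. */
int setenv_copy_survives_free(void)
{
    char *value = strdup("FILE:/tmp/demo_cc");               /* constructed */
    if (value == NULL || setenv("DEMO_CCNAME", value, 1) != 0) { free(value); return -1; }
    int copied = getenv("DEMO_CCNAME") != value;   /* environ has its own copy */
    free(value);
    const char *now = getenv("DEMO_CCNAME");
    int intact = now != NULL && strcmp(now, "FILE:/tmp/demo_cc") == 0;
    unsetenv("DEMO_CCNAME");
    return copied && intact;
}

int main(void)
{
    printf("putenv aliases caller buffer: %d\n", putenv_aliases_caller_buffer());
    printf("setenv copy survives free:    %d\n", setenv_copy_survives_free());
    return 0;
}
```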