From d9e43ae9a2b61c41c3143db8187b050d0c2e3725 Mon Sep 17 00:00:00 2001
From: Seyeong Kim
Date: Sun, 8 Mar 2026 04:49:56 +0000
Subject: [PATCH] Fix dangling pointer from putenv() with stack buffer
putenv() does not copy the string; it inserts the pointer directly into the environment array (POSIX, glibc >= 2.1.2). Passing a local char[] to putenv() causes a dangling pointer when the function returns and the stack frame is reclaimed (SEI CERT C POS34-C violation). Replace putenv() with setenv(), which copies the value internally.
Signed-off-by: Seyeong Kim
---
 src/dwarf_parser.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/dwarf_parser.cc b/src/dwarf_parser.cc
index 7a2722e..9daf3bb 100644
--- a/src/dwarf_parser.cc
+++ b/src/dwarf_parser.cc
@@ -766,8 +766,7 @@ static int handle_module(Dwfl_Module *dwflmod, void **userdata,
 int DwarfParser::parse() {
 if(getenv("DEBUGINFOD_URLS") == NULL) {
 //If the DEBUGINFOD_URLS is not set, set it to https://debuginfod.ubuntu.com as default
- char envs[] = "DEBUGINFOD_URLS=https://debuginfod.ubuntu.com";
- putenv(envs);
+ setenv("DEBUGINFOD_URLS", "https://debuginfod.ubuntu.com", 0);
 }
 for (auto dwfl: dwfls) {
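Review bot: The return value of `setenv()` on the added line is discarded, so a failure (it returns -1 with errno set, e.g. on allocation failure) silently leaves DEBUGINFOD_URLS unset; consider `if (setenv("DEBUGINFOD_URLS", "https://debuginfod.ubuntu.com", 0) != 0) perror("setenv");` or whatever error reporting this file already uses. With the overwrite argument 0, the surrounding `getenv("DEBUGINFOD_URLS") == NULL` guard is redundant, because setenv() already leaves an existing value (including an empty one) untouched. setenv() also changes the process-wide environment and is not safe against concurrent getenv()/setenv() calls, so if parse() can run after other threads have started this default belongs in start-up code; that cannot be judged from the hunk, since DwarfParser::parse() continues past it. The comment would be more useful if it also said that this default makes the parser contact a remote debuginfod server, and that exporting an empty DEBUGINFOD_URLS keeps it offline.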