Merge pull request #202 from seetharaman-rajagopal/filter-rsh-env-set…

…tings-in-rundump CVE-2022-37704 - privilege escalation from root to amandbackup using R…
zmanda · Feb 21, 2023 · e06005c · e06005c
2 parents ee766ef + ecf1d6e
commit e06005c
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/client-src/rundump.c b/client-src/rundump.c
@@ -197,6 +197,24 @@ main(
     amfree(cmdline);
 
     env = safe_env();
+    //Filter or Discard RSH Environmental variable
+    int env_count = 0;
+    for (int i = 0; env[i] != NULL; i++){
+        env_count++;
+    }
+    for (int i = 0; i < env_count; i++){
+        if (strncmp(env[i], "RSH=", 4) == 0){
+            // Remove RSH
+            g_free(env[i]);
+            // move array elements one step left - which are after "RSH"
+            for (int j = i; j < env_count; j++){
+                env[j] = env[j + 1];
+            }
+            //decrease the variable count
+            env[env_count-1] = NULL;
+            break;
+        }
+    }
     execve(dump_program, argv, env);
     free_env(env);