Subject: Re: [boost] [stacktrace] Partial review
From: Antony Polukhin (antoshkka_at_[hidden])
Date: 2017-04-22 09:42:37

2017-03-27 14:19 GMT+03:00 Florian Weimer <fw_at_[hidden]>:
> * Antony Polukhin:
>>> addr2line_pipe uses execvp, which could lead to evaluation of the PATH
>>> variable from programs which underwent an AT_SECURE transition (e.g.,
>>> SUID programs), which could lead to privilege escalation issues.
>> I'm providing an absolute path to the executable, so there must be no
>> PATH evaluation. Am I missing something?
> I'm talking about this:
> char prog_name[] = "addr2line";
> As far as I can see, this is not just used as the argv[0] argument,
> but also as the program to execute.

Fixed. The docs will be updated soon.

Best regards,
Antony Polukhin
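
The distinction raised in this thread, as an added example (not code from Boost.Stacktrace or from either poster): `execvp` searches `PATH` whenever the program name contains no `/`, while `execv` never does. The helper names `triggers_path_search` and `run_absolute` are hypothetical, and `/bin/sh` stands in for the real tool.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* execvp() consults PATH only when the name has no '/' in it,
 * which is the case for a bare name such as "addr2line". */
static int triggers_path_search(const char *prog)
{
    return strchr(prog, '/') == NULL;
}

/* Hypothetical hardened launcher: accepts only an absolute path and
 * uses execv(), so neither PATH nor the current directory decides
 * which binary runs. Returns the child's exit status, or -1 if the
 * path is rejected or the child could not be started or reaped. */
static int run_absolute(const char *prog, char *const argv[])
{
    int status;
    pid_t pid;

    if (prog == NULL || prog[0] != '/')
        return -1;              /* bare or relative name: refuse */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(prog, argv);      /* no PATH lookup, unlike execvp() */
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample arguments; argv[0] may stay a short name. */
    char *const args[] = { "sh", "-c", "exit 0", NULL };

    printf("bare name searched via PATH: %d\n",
           triggers_path_search("addr2line"));
    printf("absolute launch status: %d\n", run_absolute("/bin/sh", args));
    return 0;
}
```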
