Subject: Re: [boost] [stacktrace] Partial review
From: Antony Polukhin (antoshkka_at_[hidden])
Date: 2017-04-22 09:42:37
2017-03-27 14:19 GMT+03:00 Florian Weimer <fw_at_[hidden]>:
> * Antony Polukhin:
>>> addr2line_pipe uses execvp, which could lead to evaluation of the PATH
>>> variable from programs which underwent an AT_SECURE transition (e.g.,
>>> SUID programs), which could lead to privilege escalation issues.
>> I'm providing an absolute path to the executable, so there must be no
>> PATH evaluation. Am I missing something?
> I'm talking about this:
> char prog_name = "addr2line";
> As far as I can see, this is not just used as the argv argument,
> but also as the program to execute.
Fixed. The docs will be updated soon.
-- Best regards, Antony Polukhin
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk