Subject: Re: [boost] [stacktrace] Partial review
From: Antony Polukhin (antoshkka_at_[hidden])
Date: 2017-04-22 09:42:37


2017-03-27 14:19 GMT+03:00 Florian Weimer <fw_at_[hidden]>:
> * Antony Polukhin:
>
>>> addr2line_pipe uses execvp, which could lead to evaluation of the PATH
>>> variable from programs which underwent an AT_SECURE transition (e.g.,
>>> SUID programs), which could lead to privilege escalation issues.
>>
>> I'm providing an absolute path to the executable, so there must be no
>> PATH evaluation. Am I missing something?
>
> I'm talking about this:
>
> char prog_name[] = "addr2line";
>
> As far as I can see, this is not just used as the argv[0] argument,
> but also as the program to execute.

Fixed. The docs will be updated soon.

-- 
Best regards,
Antony Polukhin
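
The distinction discussed in this thread, as an added example that is not part of the original messages or of Boost.Stacktrace: a hypothetical helper `run_absolute` that refuses any program name that is not an absolute path and launches it with `execv`, which never searches PATH. The sample run assumes `/bin/sh` exists; its arguments are constructed for illustration.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not Boost.Stacktrace code: run the program at an
 * absolute path, capture its stdout in out; returns bytes read or -1. */
ssize_t run_absolute(const char *path, char *const argv[],
                     char *out, size_t out_size)
{
    int fds[2], status;
    ssize_t total = 0, n;
    pid_t pid;
    /* Refuse bare names such as "addr2line": only the PATH-searching
     * exec variants (execvp, execlp) would resolve them. */
    if (!path || path[0] != '/' || out_size == 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                 /* child: stdout -> pipe */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execv(path, argv);          /* execv never consults PATH */
        _exit(127);                 /* exec failed */
    }
    close(fds[1]);
    while ((size_t)total < out_size - 1 &&
           (n = read(fds[0], out + total, out_size - 1 - (size_t)total)) > 0)
        total += n;
    out[total] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return -1;
    return total;
}

int main(void)
{
    char buf[64];
    char *args[] = { "sh", "-c", "echo ok", NULL };   /* constructed input */
    printf("%zd %zd\n", run_absolute("addr2line", args, buf, sizeof buf),
           run_absolute("/bin/sh", args, buf, sizeof buf));
    return 0;
}
```

The `argv[0]` string stays free-form (here `"sh"`); only the first argument to `execv` decides which file is executed.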
