COMMAND

    glibc

SYSTEMS AFFECTED

    glibc 2.1.1

PROBLEM

    Tymm Twillman found the following. The unsetenv function in glibc
    2.1.1 has a flaw in how it walks the environment: if the name of
    the variable being unset is present twice consecutively, the second
    entry is not removed.

    unsetenv is sometimes used by programs that depend on it to clear
    out variables as protection against evil environment variables;
    ld.so, in particular, does this. While this hole doesn't affect
    setuid programs themselves, it means that programs run by the
    setuid application can be fooled into using the LD_* variables.

    To see if your libc has the problem, compile and run the following
    program:

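    #include <stdlib.h>
    #include <stdio.h>

    extern char **environ;

    int main(void)
    {
        /* Same name twice in a row: the case unsetenv() mishandles. */
        char *env[] = {
            "bob=trash",
            "bob=uh-oh",
            NULL
        };
        const char *val;

        environ = env;

        printf("bob = %s\n", env[0]);

        unsetenv("bob");

        /* Passing NULL to %s is undefined, so print "(null)" explicitly. */
        val = getenv("bob");
        printf("bob = %s\n", val ? val : "(null)");

        return 0;
    }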

    If the second line of output isn't "bob = (null)", unsetenv() isn't
    doing its job. (Also note that not all libcs support unsetenv, or
    even the environ variable, so this may not compile/link on many
    non-glibc systems.)
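
    The skip described above can be reproduced on a private array
    instead of the real environ. This is an added example, not glibc's
    source and not part of the original advisory: unset_skipping,
    unset_all, count_name and the sample entries are hypothetical, and
    the flawed loop is an assumed shape that yields the reported
    behaviour, shown beside a corrected loop.

```c
#include <stdio.h>
#include <string.h>
/* True if entry has the form "NAME=..." for the given name. */
static int names_match(const char *entry, const char *name)
{
    size_t len = strlen(name);
    return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Remove slot ep by moving every later pointer (and the NULL) back one. */
static void shift_down(char **ep)
{
    do { ep[0] = ep[1]; } while (*ep++ != NULL);
}

/* Flawed model: ++ep also runs after a removal, skipping the entry that slid in. */
void unset_skipping(char **envp, const char *name)
{
    for (char **ep = envp; *ep != NULL; ++ep)
        if (names_match(*ep, name))
            shift_down(ep);
}

/* Corrected model: advance only when nothing was removed. */
void unset_all(char **envp, const char *name)
{
    for (char **ep = envp; *ep != NULL; )
        if (names_match(*ep, name))
            shift_down(ep);
        else
            ++ep;
}

/* Number of entries still carrying name; 0 means the scrub worked. */
int count_name(char **envp, const char *name)
{
    int n = 0;
    for (; *envp != NULL; ++envp)
        n += names_match(*envp, name);
    return n;
}

int main(void)
{
    char *a[] = { "bob=trash", "bob=uh-oh", "PATH=/bin", NULL }; /* constructed */
    char *b[] = { "bob=trash", "bob=uh-oh", "PATH=/bin", NULL }; /* constructed */
    unset_skipping(a, "bob");
    unset_all(b, "bob");
    printf("skipping: %d left, corrected: %d left\n", count_name(a, "bob"), count_name(b, "bob"));
}
```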

SOLUTION

    It appears as though this was found by someone else before Tymm
    stumbled across it; glibc 2.1.2 should not be vulnerable.