path: root/lib/libcrypto/objects/obj_dat.c
author: deraadt <deraadt@openbsd.org> 2015-10-14 20:57:28 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-14 20:57:28 +0000
commit: 2a567ea3f66b963ebeeaa70d31c98b018428ca26 (patch)
tree: 4c7765862389bcc23b629c7692660393d2004711 /lib/libcrypto/objects/obj_dat.c
parent: we dump esc_code if we have an esc_class, code may be (and actually was) (diff)
download: wireguard-openbsd-2a567ea3f66b963ebeeaa70d31c98b018428ca26.tar.xz
wireguard-openbsd-2a567ea3f66b963ebeeaa70d31c98b018428ca26.zip
Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors (gzip, compress, bzip2) rather than following the user's path. This seems easier than hardcoding the paths elsewhere and using basename().

pax/tar is pledged itself, but it can spawn one of these programs if asked. The three found at the strict path use pledge "stdio" very early during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge interlock. For bzip2, this assumes use of the ports/packages version installed to /usr/local/bin, which has been pledged by sthen@.

Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker finding a buffer overflow or use after free has significantly fewer system calls available (only pledge "stdio" in the decompressor).

ok millert sthen
Diffstat (limited to 'lib/libcrypto/objects/obj_dat.c')
0 files changed, 0 insertions, 0 deletions
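
The strict-$PATH spawn described in the commit message, as an added C example that is not the pax/tar code from this commit: `run_strict` is a hypothetical helper, and only the path string comes from the page. It covers the path restriction alone, not pledge, and also rejects names containing a slash, since those bypass the search entirely.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict search path quoted in the commit message. */
#define STRICT_PATH "/usr/bin:/usr/local/bin"

/*
 * Hypothetical helper: run argv[0] resolved only against strict_path,
 * ignoring whatever PATH the caller inherited from the user.
 * Returns the child's exit status, 127 if nothing on the strict path
 * could be executed, or -1 on error or a rejected program name.
 */
int
run_strict(const char *strict_path, char *const argv[])
{
	pid_t pid;
	int status;

	/* execvp() skips the PATH search for names containing '/'. */
	if (argv == NULL || argv[0] == NULL || argv[0][0] == '\0' ||
	    strchr(argv[0], '/') != NULL)
		return -1;
	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		/* Child only: the parent's environment stays untouched. */
		if (setenv("PATH", strict_path, 1) == -1)
			_exit(126);
		execvp(argv[0], argv);
		_exit(127);	/* not found or not executable */
	}
	while (waitpid(pid, &status, 0) == -1)
		if (errno != EINTR)
			return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int
main(void)
{
	char *argv[] = { "gzip", "-dc", NULL };	/* decompress stdin */
	return run_strict(STRICT_PATH, argv);
}
```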