mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-18 11:40:45 +00:00
Code Issues Wiki Activity

Merge pull request #285587 from edef1c/wrapper-cve-2023-6246

Browse source 
nixos/modules/security/wrappers: limit argv0 to 512 bytes
This commit is contained in:
Pierre Bourdon 2024-02-01 19:18:45 +01:00 committed by GitHub
parent 9312d7840b b4c9840652
commit 3484985991
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
nixos/modules/security/wrappers/wrapper.c
View file

@ -172,6 +172,13 @@ static int make_caps_ambient(const char *self_path) {
int main(int argc, char **argv) {
ASSERT(argc >= 1);
// argv[0] goes into a lot of places, to a far greater degree than other elements
// of argv. glibc has had buffer overflows relating to argv[0], eg CVE-2023-6246.
// Since we expect the wrappers to be invoked from either $PATH or /run/wrappers/bin,
// there should be no reason to pass any particularly large values here, so we can
// be strict for strictness' sake.
ASSERT(strlen(argv[0]) < 512);
int debug = getenv(wrapper_debug) != NULL;
// Drop insecure environment variables explicitly