1. 08 Sep, 2015 1 commit
  2. 31 Aug, 2015 1 commit
    • Use secure_getenv(3) to improve security · d1f9c16b
      José Hiram Soltren authored

      This patch is in response to the following security vulnerabilities
      (CVEs) reported to NVIDIA against libvdpau:
      
      CVE-2015-5198
      CVE-2015-5199
      CVE-2015-5200
      
      To address these CVEs, this patch:
      
      - replaces all uses of getenv(3) with secure_getenv(3);
      - uses secure_getenv(3) when available, with a fallback option;
      - protects VDPAU_DRIVER against directory traversal by checking for '/'
      
      On platforms where secure_getenv(3) is not available, the C preprocessor
      will print a warning at compile time. Then, a preprocessor macro will
      replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
      
        getuid() == geteuid() && getgid() == getegid()
      
      See getuid(2) and getgid(2) for further details.

      Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
      Reviewed-by: Florian Weimer <fweimer@redhat.com>
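
The fallback and the VDPAU_DRIVER check that the commit message describes, written out as an added C example; this is not the code from the libvdpau patch. `HAVE_SECURE_GETENV`, `driver_name_is_safe()` and `select_driver()` are assumed names, and rejecting an empty driver name is an added assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fallback from the commit message: honour the environment only when real
 * and effective IDs match, i.e. the process is not set-user-ID/set-group-ID. */
static char *getenv_wrapper(const char *name)
{
    if (getuid() == geteuid() && getgid() == getegid())
        return getenv(name);
    return NULL;
}

/* HAVE_SECURE_GETENV is an assumed configure-style macro (not from the page).
 * Without it, every secure_getenv() call below resolves to the wrapper. */
#ifndef HAVE_SECURE_GETENV
#define secure_getenv getenv_wrapper
#endif

/* Hypothetical helper: the value is used to locate the driver library, so a
 * '/' could steer the lookup to another directory (the directory traversal
 * named in the commit message). Rejecting "" is an added assumption. */
static int driver_name_is_safe(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '/') == NULL;
}

/* Hypothetical helper: VDPAU_DRIVER if usable, else the caller's default. */
static const char *select_driver(const char *fallback)
{
    const char *name = secure_getenv("VDPAU_DRIVER");
    return driver_name_is_safe(name) ? name : fallback;
}

int main(void)
{
    /* "nvidia" is a constructed default for the demonstration. */
    printf("driver: %s\n", select_driver("nvidia"));
    return 0;
}
```

glibc's secure_getenv(3) keys off the loader's secure-execution state, which also covers cases such as file capabilities on the executable; the ID comparison in the fallback does not see those.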