Debian Bug report logs - #679323
clearenv(3): implies that it's a security tool
Reported by: Matt Zimmerman <mdz@debian.org>
Date: Wed, 27 Jun 2012 21:09:03 UTC
Severity: minor
Tags: fixed-upstream, upstream
Fixed in version manpages/4.05-1
Done: toddy@debian.org (Dr. Tobias Quathamer)
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Wed, 27 Jun 2012 21:09:09 GMT)
Acknowledgement sent
to Matt Zimmerman <mdz@debian.org>:
New Bug report received and forwarded. Copy sent to Martin Schulze <joey@debian.org>.
(Wed, 27 Jun 2012 21:09:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: manpages-dev
Severity: normal
I was researching ways to securely purge environment variables, e.g.
where they're used to pass credentials. clearenv(3) says in the NOTES
section:
    Used in security-conscious applications. If it is unavailable the
    assignment
        environ = NULL;
    will probably do.
The implementation in glibc just frees the memory and sets the environ
pointer to NULL. Neither this, nor environ = NULL will actually
overwrite the memory used for the environment, so it's misleading to say
that it's used in security-conscious applications. The environment
needs to be zeroed out in order to be securely cleared.
--
- mdz
Added tag(s) upstream.
Request was from Simon Paillard <spaillard@debian.org>
to control@bugs.debian.org.
(Thu, 12 Dec 2013 18:54:04 GMT)
Changed Bug title to 'clearenv(3): implies that it's a security tool' from 'manpages-dev: clearenv(3) implies that it's a security tool'
Request was from Stéphane Aulery <saulery@free.fr>
to control@bugs.debian.org.
(Sun, 08 Mar 2015 19:45:16 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Thu, 18 Feb 2016 17:33:04 GMT)
Acknowledgement sent
to Stéphane Aulery <saulery@free.fr>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Thu, 18 Feb 2016 17:33:04 GMT)
Message #14 received at 679323@bugs.debian.org:
severity 679323 minor
stop
-----
Hello Matt,
I dig your bug reports about the clearenv() function.
Would the sentence below do, please?
Used by security-conscious application, with the reservation
that the memory is not zeroed by the glibc implementation
before release.
Regards,
--
Stéphane Aulery
Severity set to 'minor' from 'normal'
Request was from Stéphane Aulery <saulery@free.fr>
to control@bugs.debian.org.
(Thu, 18 Feb 2016 17:51:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Thu, 18 Feb 2016 20:39:03 GMT)
Acknowledgement sent
to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Thu, 18 Feb 2016 20:39:03 GMT)
Message #21 received at 679323@bugs.debian.org:
Thanks for following up. My recommendation is to say something like:
This function DOES NOT securely erase the contents of the environment.
Security-conscious applications which need to do this should use ....
instead.
On Thu, Feb 18, 2016 at 06:28:19PM +0100, Stéphane Aulery wrote:
> severity 679323 minor
> stop
> -----
>
> Hello Matt,
>
> I dig your bug reports about the clearenv() function.
>
> Would the sentence below do, please?
>
>
> Used by security-conscious application, with the reservation
> that the memory is not zeroed by the glibc implementation
> before release.
>
>
> Regards,
>
> --
> Stéphane Aulery
--
- mdz
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Thu, 18 Feb 2016 21:48:03 GMT)
Acknowledgement sent
to Stéphane AULERY PERSO 2 <saulery@free.fr>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Thu, 18 Feb 2016 21:48:04 GMT)
Message #26 received at 679323@bugs.debian.org:
Hello Matt,
On 18/02/2016 21:34, Matt Zimmerman wrote:
> Thanks for following up. My recommendation is to say something like:
>
> This function DOES NOT securely erase the contents of the environment.
> Security-conscious applications which need to do this should use ....
> instead.
Thanks for your reply. To match the note recommending a solution of
withdrawal, then I suggest:
-----
If it is unavailable the assignment
environ = NULL;
will probably do.
But these solutions DO NOT securely erase the contents of the
environment. Security-conscious applications which need to do this should
use [...] instead.
----
Problem, I have no idea of good security practice. A helping hand, please?
Regards,
--
Stéphane Aulery
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Fri, 19 Feb 2016 12:03:09 GMT)
Acknowledgement sent
to mtk.manpages@gmail.com:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Fri, 19 Feb 2016 12:03:09 GMT)
Message #31 received at 679323@bugs.debian.org:
On 18 February 2016 at 21:34, Matt Zimmerman <mdz@debian.org> wrote:
> Thanks for following up. My recommendation is to say something like:
>
> This function DOES NOT securely erase the contents of the environment.
> Security-conscious applications which need to do this should use ....
> instead.
So, I think this report is a little confused, but mainly because of
the poor description in the man page.
The security-conscious applications in this context are those that
want to precisely control the environment passed to an exec()ed
program. clearenv() cannot, indeed must not, try to erase the buffers
containing the environment definitions. (See putenv(3) to understand
why.) I've adjusted the man page in a way that I hope explains things
better:
    The clearenv() function may be useful in security-conscious
    applications that want to precisely control the environment that
    is passed to programs executed using exec(3). The application
    would do this by first clearing the environment and then adding
    select environment variables.

    Note that the main effect of clearenv() is to adjust the value of
    the pointer environ(7); this function does not erase the contents
    of the buffers containing the environment definitions.
Cheers,
Michael
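The behaviour described in Message #31, as an added example that is not part of the bug log or of the man-pages project: putenv(3) places the caller's own buffer into the environment, so clearenv() only drops the pointers and leaves the bytes alone, and the intended use is clearing followed by re-adding selected variables before exec(3). The names token_def, API_TOKEN, buffer_survives_clearenv and exec_with_allowlist are constructed for illustration, and the code assumes glibc on Linux with env(1) reachable on /usr/bin:/bin.

```c
#define _DEFAULT_SOURCE /* exposes clearenv(3) on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample; putenv(3) places this very buffer into environ. */
static char token_def[] = "API_TOKEN=constructed-sample-value";

/* Returns 1 when clearenv() dropped the name but left the bytes intact. */
int buffer_survives_clearenv(void)
{
    if (putenv(token_def) != 0)
        return -1;
    /* The environment aliases caller-owned memory, not a private copy. */
    int aliased = getenv("API_TOKEN") == token_def + strlen("API_TOKEN=");
    if (clearenv() != 0)
        return -1;
    return aliased && getenv("API_TOKEN") == NULL &&
           strcmp(token_def, "API_TOKEN=constructed-sample-value") == 0;
}

/* Clear, re-add an allowlist, exec env(1); returns variables seen or -1. */
int exec_with_allowlist(void)
{
    int fds[2], status, lines = 0;
    char ch;
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO); /* child: stdout -> pipe */
        close(fds[0]);
        close(fds[1]);
        if (clearenv() != 0 || setenv("PATH", "/usr/bin:/bin", 1) != 0 ||
            setenv("LANG", "C", 1) != 0)
            _exit(126);
        execlp("env", "env", (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    while (read(fds[0], &ch, 1) == 1) /* one line per variable */
        lines += (ch == '\n');
    close(fds[0]);
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0) ? lines : -1;
}

int main(void)
{
    printf("buffer intact after clearenv(): %d\n", buffer_survives_clearenv());
    printf("variables the child saw: %d\n", exec_with_allowlist());
    return 0;
}
```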
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Fri, 19 Feb 2016 12:27:04 GMT)
Acknowledgement sent
to Stéphane Aulery <saulery@free.fr>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Fri, 19 Feb 2016 12:27:04 GMT)
Message #36 received at 679323@bugs.debian.org:
Hello Michael and Matt,
----- Michael Kerrisk (man-pages) <mtk.manpages@gmail.com> wrote:
> On 18 February 2016 at 21:34, Matt Zimmerman <mdz@debian.org> wrote:
> > Thanks for following up. My recommendation is to say something like:
> >
> > This function DOES NOT securely erase the contents of the environment.
> > Security-conscious applications which need to do this should use ....
> > instead.
>
> So, I think this report is a little confused, but mainly because of
> the poor description in the man page.
>
> The security-conscious applications in this context are those that
> want to precisely control the environment passed to an exec()ed
> program. clearenv() cannot, indeed must not, try to erase the buffers
> containing the environment definitions. (See putenv(3) to understand
> why.) I've adjusted the man page in a way that I hope explains things
> better:
>
> The clearenv() function may be useful in security-conscious
> applications that want to precisely control the environment that
> is passed to programs executed using exec(3). The application
> would do this by first clearing the environment and then adding
> select environment variables.
>
> Note that the main effect of clearenv() is to adjust the value of
> the pointer environ(7); this function does not erase the contents
> of the buffers containing the environment definitions.
It's much better than I can do.
If no objection Matt,
I pass the bug report in fixed-upstream.
Regards,
--
Stéphane Aulery
Added tag(s) pending.
Request was from Stéphane Aulery <saulery@free.fr>
to control@bugs.debian.org.
(Fri, 19 Feb 2016 12:57:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Fri, 19 Feb 2016 16:24:04 GMT)
Acknowledgement sent
to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Fri, 19 Feb 2016 16:24:04 GMT)
Message #43 received at 679323@bugs.debian.org:
On Fri, Feb 19, 2016 at 12:59:05PM +0100, Michael Kerrisk (man-pages) wrote:
> On 18 February 2016 at 21:34, Matt Zimmerman <mdz@debian.org> wrote:
> > Thanks for following up. My recommendation is to say something like:
> >
> > This function DOES NOT securely erase the contents of the environment.
> > Security-conscious applications which need to do this should use ....
> > instead.
>
> So, I think this report is a little confused, but mainly because of
> the poor description in the man page.
>
> The security-conscious applications in this context are those that
> want to precisely control the environment passed to an exec()ed
> program. clearenv() cannot, indeed must not, try to erase the buffers
> containing the environment definitions. (See putenv(3) to understand
> why.) I've adjusted the man page in a way that I hope explains things
> better:
>
> The clearenv() function may be useful in security-conscious
> applications that want to precisely control the environment that
> is passed to programs executed using exec(3). The application
> would do this by first clearing the environment and then adding
> select environment variables.
>
> Note that the main effect of clearenv() is to adjust the value of
> the pointer environ(7); this function does not erase the contents
> of the buffers containing the environment definitions.
Yes, that's much clearer, thank you!
--
- mdz
Information forwarded
to debian-bugs-dist@lists.debian.org, Martin Schulze <joey@debian.org>:
Bug#679323; Package manpages-dev.
(Fri, 19 Feb 2016 16:45:04 GMT)
Acknowledgement sent
to Stéphane Aulery <saulery@free.fr>:
Extra info received and forwarded to list. Copy sent to Martin Schulze <joey@debian.org>.
(Fri, 19 Feb 2016 16:45:04 GMT)
Message #48 received at 679323@bugs.debian.org:
tags 679323 + fixed-upstream
stop
-----
Will be fixed in man-pages-4.04.
See commit c66649c83598652222ff2a464e5b82284e6b1acf
by Michael Kerrisk <mtk.manpages@gmail.com>, 2016-02-19 12:04:51 (GMT)
https://git.kernel.org/cgit/docs/man-pages/man-pages.git/commit/man3/clearenv.3?id=c66649c83598652222ff2a464e5b82284e6b1acf
----- Matt Zimmerman <mdz@debian.org> wrote:
> On Fri, Feb 19, 2016 at 12:59:05PM +0100, Michael Kerrisk (man-pages) wrote:
> > On 18 February 2016 at 21:34, Matt Zimmerman <mdz@debian.org> wrote:
> > > Thanks for following up. My recommendation is to say something like:
> > >
> > > This function DOES NOT securely erase the contents of the environment.
> > > Security-conscious applications which need to do this should use ....
> > > instead.
> >
> > So, I think this report is a little confused, but mainly because of
> > the poor description in the man page.
> >
> > The security-conscious applications in this context are those that
> > want to precisely control the environment passed to an exec()ed
> > program. clearenv() cannot, indeed must not, try to erase the buffers
> > containing the environment definitions. (See putenv(3) to understand
> > why.) I've adjusted the man page in a way that I hope explains things
> > better:
> >
> > The clearenv() function may be useful in security-conscious
> > applications that want to precisely control the environment that
> > is passed to programs executed using exec(3). The application
> > would do this by first clearing the environment and then adding
> > select environment variables.
> >
> > Note that the main effect of clearenv() is to adjust the value of
> > the pointer environ(7); this function does not erase the contents
> > of the buffers containing the environment definitions.
>
> Yes, that's much clearer, thank you!
Case classified, thank you for your help Matt and Michael!
Regards,
--
Stéphane Aulery
Added tag(s) fixed-upstream.
Request was from Stéphane Aulery <saulery@free.fr>
to control@bugs.debian.org.
(Fri, 19 Feb 2016 16:45:10 GMT)
Reply sent
to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility.
(Wed, 16 Mar 2016 16:51:19 GMT)
Notification sent
to Matt Zimmerman <mdz@debian.org>:
Bug acknowledged by developer.
(Wed, 16 Mar 2016 16:51:19 GMT)
Message #55 received at 679323-close@bugs.debian.org:
Source: manpages
Source-Version: 4.05-1
We believe that the bug you reported is fixed in the latest version of
manpages, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 679323@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated manpages package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 16 Mar 2016 17:23:06 +0100
Source: manpages
Binary: manpages manpages-dev
Architecture: source all
Version: 4.05-1
Distribution: unstable
Urgency: medium
Maintainer: Martin Schulze <joey@debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Description:
manpages - Manual pages about using a GNU/Linux system
manpages-dev - Manual pages about using GNU/Linux for development
Closes: 285444 679323 756599 780544 794876 797479
Changes:
manpages (4.05-1) unstable; urgency=medium
.
* Imported Upstream version 4.05
- write.2: Document behaviour on tty devices. (Closes: #797479)
- clearenv.3: Clarify the use and effect of clearenv(). (Closes: #679323)
- perror.3: Suggest use of strerror(3) in place of deprecated
'sys_errlist'. (Closes: #794876)
- printf.3: Remove stray asterisk in "NAN*". (Closes: #756599)
- unicode.7: Document "Private Use Areas". (Closes: #285444)
* Do not install sk98lin.4 (Closes: #780544)
* Refresh patches
* Remove obsolete installation script
* Update d/copyright and d/watch
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 21 Apr 2016 07:29:37 GMT)
Last modified:
Thu Mar 9 09:56:08 2023;