Re: SECURITY PROBLEM: autofs [all versions]
Lars Wirzenius wrote:
>
> [ I removed a number of people from the To and Cc lines. ]
>
> "Christopher W. Curtis" <ccurtis@aet-usa.com>:
> > #include <stdio.h>
> > int main()
> > { FILE *foo = popen( "non-executable.file", "r+" );
> > fprintf( foo, "hmm" );
> > }
>
> This crashes because popen returns NULL, and you use that value without
> checking for NULL. This is quite regardless of whether the program
> can be executed or not - popen has a large number of reasons why it can
> return NULL and anyone not checking the return value deserves to be
> eaten alive by bulimic carrier pigeons.
And the same should apply to init scripts that try to run a program
without first checking to see if it is executable. As I said, "the lack
of a core dump does not mean it's correct".
Christopher
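
Added example, not part of the original thread: a C sketch of both checks discussed above, the NULL check on popen() and the init-script style executability test. Because popen() runs the command through `sh -c`, a file that cannot be executed usually still yields a valid FILE*, and the failure only shows up as exit status 126 or 127 from pclose(). The function names `run_checked` and `run_if_executable` and the sample path are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd through popen(), discard its output and return its exit code.
 * Returns -1 if the pipe/shell could not be started or the child did not
 * exit normally. */
int run_checked(const char *cmd)
{
    FILE *p = popen(cmd, "r");
    if (p == NULL) {                 /* bad mode, fork/pipe failure, ... */
        perror("popen");
        return -1;
    }

    char buf[256];
    while (fgets(buf, sizeof buf, p) != NULL)
        ;                            /* drain so the child never blocks */

    /* popen() runs "sh -c cmd", so a command that cannot be executed still
     * yields a valid FILE*; the shell reports it here as 126 or 127. */
    int status = pclose(p);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The init-script style guard: refuse up front if path is not executable.
 * Advisory only, the file can change between access() and the exec. */
int run_if_executable(const char *path)
{
    if (access(path, X_OK) != 0) {
        perror(path);
        return -1;
    }
    return run_checked(path);
}

int main(void)
{
    /* Constructed inputs: a shell builtin and a path assumed not to exist. */
    printf("exit 3       -> %d\n", run_checked("exit 3"));
    printf("missing file -> %d\n", run_checked("/nonexistent-example/prog"));
    printf("guarded      -> %d\n", run_if_executable("/nonexistent-example/prog"));
    return 0;
}
```

Exit status 127 means the shell could not find the command and 126 means it was found but could not be executed, so a caller that only tests for NULL still misses both cases.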