jnr / jnr-posix

Java Posix layer

Dup and free filename strings passed to posix_spawn_file_actions_addopen #170

Closed headius closed 3 years ago

headius commented 3 years ago

In CVE-2014-4043 it was reported that glibc prior to 2.2 does not perform a preemptive copy of the filename string that can be passed to posix_spawn via the posix_spawn_file_actions_addopen function. As a result, the string can get freed before posix_spawn reads it.

Apparently RHEL did not patch this and so there are platforms out there where this use-after-free can still happen. We should take the safe route and make sure we dup these strings before the call to posix_spawn_file_actions_addopen and free them after the call to posix_spawn.

https://access.redhat.com/security/cve/CVE-2014-4043
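The ownership pattern proposed in this issue (duplicate the path before posix_spawn_file_actions_addopen, release the copy only after posix_spawn has returned), written out as an added C example; this is not jnr-posix's own code, and the helper names and the /tmp output path are assumptions:

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Spawn child_args[0] with stdout redirected to out_path.
 * An unpatched glibc may store only the pointer passed to
 * posix_spawn_file_actions_addopen and read it lazily inside posix_spawn, so
 * the string must outlive that call. We strdup it here and free it only after
 * posix_spawn returns. Returns the child's exit status, or -1 on error. */
int spawn_with_stdout_redirect(char *const child_args[], const char *out_path) {
    char *path_copy = strdup(out_path);   /* ours until posix_spawn has returned */
    if (path_copy == NULL) return -1;

    posix_spawn_file_actions_t actions;
    if (posix_spawn_file_actions_init(&actions) != 0) { free(path_copy); return -1; }

    pid_t pid = -1;
    int rc = posix_spawn_file_actions_addopen(&actions, STDOUT_FILENO, path_copy,
                                              O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (rc == 0)
        rc = posix_spawn(&pid, child_args[0], &actions, NULL, child_args, environ);

    posix_spawn_file_actions_destroy(&actions);
    free(path_copy);   /* safe now: posix_spawn no longer needs the string */
    if (rc != 0) return -1;

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read the redirected output back: 1 if the file at path begins with expected. */
int file_starts_with(const char *path, const char *expected) {
    char buf[128] = {0};
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n >= strlen(expected) && strncmp(buf, expected, strlen(expected)) == 0;
}
```

The caller's own out_path buffer may be freed or reused as soon as spawn_with_stdout_redirect returns, because the function never hands the caller's pointer to the file-actions object.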

headius commented 3 years ago

Never closed and marked this when it was released, but it was fixed in 3.1.8.