This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Other format: | [Raw text] |
Now that 1.5.7 is out I am continuing to look at security issues in the Cygwin core. I can refresh the tty patch of mid December on demand. Meanwhile here is a very straightforward patch involving only deletions. ciresrv.parent is a handle to the parent process for fork and spawn fixups. It has the DUPLICATE_HANDLE security risk. Fortunately it is never used in the case of spawn: all handles are inherited, or the parent does the work (sockets). In the case of fork there is no security issue. This initial patch simply removes the creation and closing of the handle. If no trouble develop (I have been running for several weeks), a second patch will remove the unused parent argument in the numerous fixup_after_exec calls. Pierre 2004-01-31 Pierre Humblet <pierre.humblet@ieee.org> * spawn.cc (spawn_guts): Do not set ciresrv.parent. * child_info.h (~child_info_spawn): Do not close parent. Update CURR_CHILD_INFO_MAGIC. * dcrt0.cc (dll_crt0_0): Do not close spawn_info->parent. Pass NULL to cygheap->fdtab.fixup_after_exec().
Attachment:
parent.diff
Description: Text document
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |