jhalfs paco patch HLFS-uClibc bug tracing: Help needed
david.rosal at upf.edu
Sun Apr 2 08:34:53 PDT 2006
Tor Olav Stava wrote:
> David Rosal wrote:
>> Paco-1.10.4 uses the function wordexp() to parse the configuration
>> file. This allows for expanding any environment variable (and not
>> only HOME).
>> Summarizing: for paco >= 1.10.5, passing WORDEXP=y in uClibc won't be
>> required, but if WORDEXP is enabled then paco will be able to expand
>> any environment variable in pacorc.
> Thanks for clearing that up.
> However, the wordexp() issue with uClibc is actually quite minor
> considering that I can't log the uClibc install. :(
> Everything else seems fine, it's only the uClibc install I'm having
> trouble with so far.
> Enabling wordexp() in uClibc is no problem, unless it poses some
> security threat (..?), I'll just put a note about it in the patch readme.
The use of wordexp() may be very dangerous since it performs command
substitution, either with backticks (`command`) or in a bash fashion (
Though in paco the command substitution is disabled, in other programs
where it is enabled it can be a big security hole.
Regarding paco-1.10.5, I'm thinking that it would be better to let this
be set at configure time, for instance with an option --enable-wordexp.
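As an added illustration of the point above (example code, not from paco or from this thread): a caller of wordexp() can expand environment variables in a configuration value while refusing command substitution by passing WRDE_NOCMD, so that a value containing `cmd` or $(cmd) is rejected instead of executed. The config values and the PACO_TEST_DIR variable are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Expand one pacorc-style value into `out` (size `outsz`) with command
 * substitution disabled. Returns 1 on success, 0 if wordexp() rejected the
 * input (e.g. it contained `cmd` or $(cmd)), and -1 if the expansion did
 * not produce exactly one word. */
int expand_config_value(const char *value, char *out, size_t outsz)
{
    wordexp_t we;
    /* WRDE_NOCMD: return WRDE_CMDSUB instead of running a shell command.
     * WRDE_UNDEF: fail instead of silently expanding an unset variable. */
    int rc = wordexp(value, &we, WRDE_NOCMD | WRDE_UNDEF);
    if (rc != 0)
        return 0;   /* WRDE_CMDSUB, WRDE_BADVAL, WRDE_SYNTAX, ... */
    int ok = -1;
    if (we.we_wordc == 1) {
        snprintf(out, outsz, "%s", we.we_wordv[0]);
        ok = 1;
    }
    wordfree(&we);
    return ok;
}

/* Returns 1 when values carrying command substitution are rejected. */
int rejects_command_substitution(void)
{
    char buf[256];
    return expand_config_value("$(id)/paco", buf, sizeof buf) == 0
        && expand_config_value("`id`/paco", buf, sizeof buf) == 0;
}

/* Returns 1 when an ordinary variable reference still expands. */
int expands_environment_variable(void)
{
    char buf[256];
    setenv("PACO_TEST_DIR", "/var/log/paco", 1);   /* constructed value */
    return expand_config_value("$PACO_TEST_DIR/logs", buf, sizeof buf) == 1
        && strcmp(buf, "/var/log/paco/logs") == 0;
}

int main(void)
{
    printf("command substitution rejected: %d\n", rejects_command_substitution());
    printf("variable expanded: %d\n", expands_environment_variable());
    return 0;
}
```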