jhalfs paco patch HLFS-uClibc bug tracing: Help needed

David Rosal david.rosal at upf.edu
Sun Apr 2 08:34:53 PDT 2006


Tor Olav Stava wrote:

> David Rosal wrote:
>
>> Paco-1.10.4 uses the function wordexp() to parse the configuration 
>> file. This allows for expanding any environment variable (and not 
>> only HOME).
>> (...)
>> Summarizing: for paco >= 1.10.5, passing WORDEXP=y in uClibc won't be 
>> required, but if WORDEXP is enabled then paco will be able to expand 
>> any environment variable in pacorc.
>
>
> Thanks for clearing that up.
>
> However, the wordexp() issue with uClibc is actually quite minor 
> considering that I can't log the uClibc install. :(
> Everything else seems fine, it's only the uClibc install I'm having 
> trouble with so far.
> Enabling wordexp() in uClibc is no problem, unless it poses some 
> security threat (..?), I'll just put a note about it in the patch readme.


The use of wordexp() may be very dangerous since it performs command 
substitution, either with backticks (`command`) or in a bash fashion 
($(command)).
Though in paco the command substitution is disabled, in other programs 
where it is enabled it can be a big security hole.

Regarding paco-1.10.5, I'm thinking that it would be better to let this 
be set in configure time, for instance with an option --enable-wordexp.


*david
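As an added illustration of the point David makes above (example code written for this page, not paco's own parser), here is how a program can call wordexp() with WRDE_NOCMD, the flag that disables command substitution, so that a pacorc-style value containing `$(...)` or backticks is refused with WRDE_CMDSUB instead of being executed. The function names, the sample values and the HOME setting are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Expand one configuration value with wordexp().
 * With allow_cmd == 0 the WRDE_NOCMD flag is set, so any `cmd` or $(cmd)
 * in the value makes wordexp() return WRDE_CMDSUB without running anything.
 * Returns the wordexp() status; on success the first expanded word is
 * copied into out (variable expansion such as $HOME still works). */
int expand_config_value(const char *value, int allow_cmd,
                        char *out, size_t outlen)
{
    wordexp_t we;
    int flags = allow_cmd ? 0 : WRDE_NOCMD;
    int rc = wordexp(value, &we, flags);
    if (rc != 0)
        return rc;              /* WRDE_CMDSUB, WRDE_BADCHAR, ... */
    if (we.we_wordc > 0)
        snprintf(out, outlen, "%s", we.we_wordv[0]);
    else
        out[0] = '\0';
    wordfree(&we);
    return 0;
}

/* Status of the hardened (no command substitution) expansion of a value. */
int hardened_status(const char *value)
{
    char buf[256];
    return expand_config_value(value, 0, buf, sizeof buf);
}

int main(void)
{
    char buf[256];
    setenv("HOME", "/home/paco", 1);   /* constructed sample environment */

    /* A legitimate pacorc value: $HOME is expanded as expected. */
    if (expand_config_value("$HOME/.paco", 0, buf, sizeof buf) == 0)
        printf("expanded: %s\n", buf);

    /* A value carrying command substitution is rejected, not executed. */
    int rc = hardened_status("$(id)");
    printf("command substitution rejected: %s\n",
           rc == WRDE_CMDSUB ? "yes" : "no");
    return 0;
}
```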


