Date: Fri, 13 Jul 2007 13:25:42 GMT From: "William D. Colburn" <schlake+freebsd@nmt.edu> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/114552: pengo (and possibly others) trust/use the users path in /usr/ports Message-ID: <200707131325.l6DDPg5E005219@www.freebsd.org> Resent-Message-ID: <200707131330.l6DDU2Wq059015@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 114552 >Category: misc >Synopsis: pengo (and possibly others) trust/use the users path in /usr/ports >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jul 13 13:30:01 GMT 2007 >Closed-Date: >Last-Modified: >Originator: William D. Colburn >Release: 6.2 >Organization: >Environment: FreeBSD eeep 6.2-STABLE FreeBSD 6.2-STABLE #7: Fri Jan 26 14:17:55 MST 2007 >Description: I'm not at the most current update, but I doubt it matters. I attempted to make /usr/ports/graphics/pengo but it failed. Looking through the output I saw that it had used my version of "strings" from my path instead of the system version of strings. The port system probably should not trust the users path, as users are quite malicious and will put all kinds of foolish things into it. >How-To-Repeat: Replace "common" system tools, such as strings, with alternates in ~/bin and put ~/bin ahead of the system libraries then attempt to make a package that uses that system tool. >Fix: Don't trust the user! >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707131325.l6DDPg5E005219>