From owner-freebsd-bugs@FreeBSD.ORG Fri Jul 13 13:30:02 2007
Message-Id: <200707131325.l6DDPg5E005219@www.freebsd.org>
Date: Fri, 13 Jul 2007 13:25:42 GMT
From: "William D. Colburn"
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/114552: pengo (and possibly others) trust/use the users path in /usr/ports
List-Id: Bug reports

>Number: 114552
>Category: misc
>Synopsis: pengo (and possibly others) trust/use the users path in /usr/ports
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 13 13:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: William D. Colburn
>Release: 6.2
>Organization:
>Environment:
FreeBSD eeep 6.2-STABLE FreeBSD 6.2-STABLE #7: Fri Jan 26 14:17:55 MST 2007
>Description:
I'm not at the most current update, but I doubt it matters. I attempted to make /usr/ports/graphics/pengo but it failed. Looking through the output I saw that it had used my version of "strings" from my path instead of the system version of strings. The port system probably should not trust the user's path, as users are quite malicious and will put all kinds of foolish things into it.
>How-To-Repeat:
Replace "common" system tools, such as strings, with alternates in ~/bin and put ~/bin ahead of the system libraries, then attempt to make a package that uses that system tool.
>Fix:
Don't trust the user!
>Release-Note:
>Audit-Trail:
>Unformatted:
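
The condition described in the report can be checked before a build. The script below is an added example, not part of the original report or of the ports tree: it lists tools whose first match in a search path lies outside an allow-list of system directories, and prints a path with the untrusted entries dropped. The `TRUSTED_DIRS` list, the function names and the tool list on the last line are assumptions; only `strings` comes from the report.

```shell
#!/bin/sh
# Added example, not from the original report. TRUSTED_DIRS is an assumed
# allow-list of system directories; adjust it for the host being checked.
TRUSTED_DIRS="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"

# is_trusted DIR: succeed if DIR is listed in TRUSTED_DIRS.
is_trusted() {
    case ":$TRUSTED_DIRS:" in *":$1:"*) return 0 ;; esac
    return 1
}

# resolve_in_path TOOL SEARCH_PATH: print the first executable match in
# SEARCH_PATH order. An empty PATH entry means the current directory.
resolve_in_path() {
    _old_ifs=$IFS; IFS=:
    for _dir in $2; do
        [ -n "$_dir" ] || _dir=.
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_dir/$1"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# shadowed_tools SEARCH_PATH TOOL...: print "tool -> path" for every tool
# whose first match lies outside TRUSTED_DIRS; return 1 if any was found.
shadowed_tools() {
    _path=$1; shift; _rc=0
    for _t in "$@"; do
        _hit=$(resolve_in_path "$_t" "$_path") || continue
        is_trusted "${_hit%/*}" || { printf '%s -> %s\n' "$_t" "$_hit"; _rc=1; }
    done
    return $_rc
}

# sanitized_path SEARCH_PATH: print SEARCH_PATH with untrusted entries dropped.
sanitized_path() {
    _out=; _old_ifs=$IFS; IFS=:
    for _dir in $1; do
        if is_trusted "$_dir"; then _out="${_out:+$_out:}$_dir"; fi
    done
    IFS=$_old_ifs; printf '%s\n' "$_out"
}

# Check the caller's PATH for a constructed list of common build tools.
shadowed_tools "$PATH" strings cc ld ar make || true
```

Directory names are compared as exact strings, so an entry written with a trailing slash is treated as untrusted.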