misc/114552: pengo (and possibly others) trust/use the users path in /usr/ports

William D. Colburn schlake+freebsd at nmt.edu
Fri Jul 13 13:30:02 UTC 2007


>Number:         114552
>Category:       misc
>Synopsis:       pengo (and possibly others) trust/use the users path in /usr/ports
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 13 13:30:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     William D. Colburn
>Release:        6.2
>Organization:
>Environment:
FreeBSD eeep 6.2-STABLE FreeBSD 6.2-STABLE #7: Fri Jan 26 14:17:55 MST 2007
>Description:
I'm not at the most current update, but I doubt it matters.

I attempted to make /usr/ports/graphics/pengo but it failed.  Looking through the output I saw that it had used my version of "strings" from my path instead of the system version of strings.

The port system probably should not trust the user's path, as users are quite malicious and will put all kinds of foolish things into it.
>How-To-Repeat:
Replace "common" system tools, such as strings, with alternates in ~/bin and put ~/bin ahead of the system libraries, then attempt to make a package that uses that system tool.
>Fix:
Don't trust the user!

>Release-Note:
>Audit-Trail:
>Unformatted:
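
Added example, not part of the original report or of the ports framework: a POSIX sh check for the condition described under How-To-Repeat, reporting when a tool such as strings resolves to a directory outside the system directories and producing a PATH restricted to them. The TRUSTED_DIRS list and all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. TRUSTED_DIRS is an assumed list of system directories.
TRUSTED_DIRS=${TRUSTED_DIRS-/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin}

# is_trusted DIR: status 0 if DIR is listed in TRUSTED_DIRS
is_trusted() {
    case ":$TRUSTED_DIRS:" in *":$1:"*) return 0 ;; esac
    return 1
}

# first_hit TOOL [PATHSTRING]: print the first PATH directory holding an
# executable TOOL (the copy a build would run); status 1 if none does
first_hit() {
    _rest="${2-$PATH}:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}; _rest=${_rest#*:}
        [ -n "$_dir" ] || _dir=.        # an empty PATH entry means "."
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir"; return 0
        fi
    done
    return 1
}

# shadowed TOOL [PATHSTRING]: status 0 plus a warning when the winning copy
# is outside TRUSTED_DIRS; status 1 when resolution is clean or TOOL is absent
shadowed() {
    _hit=$(first_hit "$1" "${2-$PATH}") || return 1
    if is_trusted "$_hit"; then return 1; fi
    printf 'WARNING: %s resolves to %s/%s\n' "$1" "$_hit" "$1" >&2
}

# system_only_path [PATHSTRING]: PATHSTRING with untrusted entries dropped
system_only_path() {
    _rest="${1-$PATH}:"; _out=
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}; _rest=${_rest#*:}
        if is_trusted "$_dir"; then _out=${_out:+$_out:}$_dir; fi
    done
    printf '%s\n' "$_out"
}

# Stand-alone use: sh pathaudit.sh strings ar ld
if [ $# -gt 0 ]; then
    for _t in "$@"; do shadowed "$_t" || printf 'ok: %s\n' "$_t"; done
fi
```

Running a build with `PATH=$(system_only_path)` keeps a personal ~/bin out of tool resolution for that one command without changing the login environment.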

