From: Zack Weinberg
Subject: [sr #110961] 3 Vulnerabilities Result in Code Execution upon running `autoconf` with crafted `configure.ac` file
Date: Mon, 27 Nov 2023 08:58:07 -0500 (EST)
Follow-up Comment #2, sr #110961 (project autoconf):
I want to emphasize that you did _not_ find any security vulnerabilities
here.
Rather, _by design_ we honor the user's PATH setting when running programs
from inside both `autoconf` itself and the generated configure script, and _by
design_ `configure.ac` is allowed to use `m4_syscmd` to invoke external
programs. Both of these are relied on by real users of Autoconf. For example,
your suggested change to hardcode `/usr/bin/cat` instead of `cat` would break
Nix, Guix, etc where there _is_ no `/usr/bin/cat`, and `m4_syscmd` is commonly
used to invoke `git describe` and similar commands that extract the software's
version number from its revision control system.
Reply to this item at: <https://savannah.gnu.org/support/?110961>
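The version-extraction idiom the comment refers to, as an added illustration that is not part of the original message or of the autoconf project's own code. The package name, bug address and `.tarball-version` fallback are constructed for the example; the point is that the shell command inside `m4_esyscmd_s` runs at the time `autoconf` is invoked, with the invoking user's PATH, which is why a `configure.ac` from an untrusted source has to be treated as code rather than as data:

```m4
dnl configure.ac (constructed example, not from the autoconf project)
dnl m4_esyscmd_s runs the shell command when autoconf expands this file,
dnl trims trailing newlines, and substitutes the output as the version.
dnl `git describe` is found via PATH; a release tarball without .git
dnl falls back to a pre-generated .tarball-version file instead.
AC_INIT([example-tool],
        m4_esyscmd_s([git describe --tags --always 2>/dev/null || cat .tarball-version]),
        [bugs@example.invalid])
AC_CONFIG_SRCDIR([src/main.c])
AC_OUTPUT
```

Running `autoconf` on this file executes the command substitution immediately, before any generated `configure` script exists; reviewing `configure.ac` (and any `m4/*.m4` it pulls in) before running `autoconf` or `autoreconf` on a third-party tree is the appropriate control, not removing the capability.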