NetBSD Problem Report #50752

From www@NetBSD.org  Tue Feb  2 20:50:32 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 4C25B7ABFD
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  2 Feb 2016 20:50:32 +0000 (UTC)
Message-Id: <20160202205031.5C8287ACB3@mollari.NetBSD.org>
Date: Tue,  2 Feb 2016 20:50:31 +0000 (UTC)
From: jmmv@meroh.net
Reply-To: jmmv@meroh.net
To: gnats-bugs@NetBSD.org
Subject: Sanitize ENV
X-Send-Pr-Version: www-1.0

>Number:         50752
>Category:       pkg
>Synopsis:       Sanitize ENV
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jperkin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 02 20:55:00 +0000 2016
>Closed-Date:    
>Last-Modified:  Fri Mar 01 19:24:36 +0000 2024
>Originator:     Julio Merino
>Release:        pkgsrc as of today
>Organization:
>Environment:
N/A
>Description:
pkgsrc currently does not sanitize the ENV environment variable. As a result, compilations can break at random when ENV is defined by the user and points at a file that won't work within pkgsrc.

Consider, for example:

ENV="${HOME}/.shrc"

where "${HOME}/.shrc" sources another file "${HOME}/foo". When .shrc is read within a pkgsrc build, the script fails because ${HOME}/foo is not valid (because HOME has been reset to point within the package's work directory and thus /foo is missing).

Regardless of this particular example, reading any of the ENV contents within pkgsrc is semantically wrong because arbitrary user settings can affect the build results in unexpected ways, so this should be disallowed.
>How-To-Repeat:

>Fix:
The fix is trivial: add ALL_ENV+=ENV= to bsd.pkg.mk so that ENV is cleared during the build. However, I haven't touched pkgsrc internals for a long time so I'm wary of doing this change myself. Filing this PR so this can be tracked and assessed.

>Release-Note:

>Audit-Trail:
From: David Holland <dholland-gnats@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/50752: Sanitize ENV
Date: Tue, 15 Mar 2016 06:07:04 +0000

 (sent to gnats-admin instead of gnats-bugs)

    ------

 From: Jonathan Perkin <jperkin@joyent.com>
 To: gnats-admin@netbsd.org
 Subject: Re: pkg/50752: Sanitize ENV
 Date: Wed, 3 Feb 2016 14:57:41 +0000

 FWIW I'm pushing this change through a bulk build to check there's no
 obvious fallout.  Results to come later.

 -- 
 Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 06 Jun 2022 06:11:58 +0000
State-Changed-Why:
What became of this? grep -w ENV mk/** shows nothing (except some cmake
goop) but this seems like something that should be done and the last
comment was six years ago...


Responsible-Changed-From-To: pkg-manager->jperkin
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Fri, 01 Mar 2024 19:24:36 +0000
Responsible-Changed-Why:
Jonathan, you wanted to look into this, eight years ago.


State-Changed-From-To: feedback->open
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Fri, 01 Mar 2024 19:24:36 +0000
State-Changed-Why:
owner should take action


>Unformatted:
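
A reproduction of the failure described under >Description:, and of the effect of passing ENV= as proposed under >Fix:. This is an added example, not part of the original report and not pkgsrc code. The directory layout and the function names are constructed, and the child shell's startup read of ENV is written out explicitly, because shells differ on when they read ENV themselves.

```shell
#!/bin/sh
# Added example, not pkgsrc code. Paths and function names are constructed.

# Create a throwaway user home whose .shrc sources "${HOME}/foo", as in the
# report, plus a work area containing the HOME that the build will use.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home" "$root/work/.home"
    echo 'FOO_LOADED=1' > "$root/home/foo"
    echo '. "${HOME}/foo"' > "$root/home/.shrc"
    echo "$root"
}

# Run one stand-in build step. $1 = fixture root; $2 = "keep" to pass the
# user's ENV through, "clear" to pass ENV= as the proposed fix does.
# Assumption: the child reads the file named by ENV at startup, as the report
# describes; that read is written out explicitly because shells differ on
# when they do it themselves.
build_step() {
    if [ "$2" = clear ]; then user_env=""; else user_env="$1/home/.shrc"; fi
    # HOME is reset to a directory inside the work area, so .shrc resolves
    # "${HOME}/foo" to a file that does not exist.
    env HOME="$1/work/.home" ENV="$user_env" sh -c '
        if [ -n "$ENV" ]; then . "$ENV" || exit 1; fi
        echo built' 2>/dev/null
}

demo() {
    root=$(make_fixture) || return 1
    if build_step "$root" keep; then echo "ENV kept: ok"; else echo "ENV kept: step failed"; fi
    if build_step "$root" clear; then echo "ENV cleared: ok"; fi
    rm -rf "$root"
}

demo
```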
