NetBSD Problem Report #50752

From www@NetBSD.org  Tue Feb  2 20:50:32 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 4C25B7ABFD
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  2 Feb 2016 20:50:32 +0000 (UTC)
Message-Id: <20160202205031.5C8287ACB3@mollari.NetBSD.org>
Date: Tue,  2 Feb 2016 20:50:31 +0000 (UTC)
From: jmmv@meroh.net
Reply-To: jmmv@meroh.net
To: gnats-bugs@NetBSD.org
Subject: Sanitize ENV
X-Send-Pr-Version: www-1.0

>Number:         50752
>Category:       pkg
>Synopsis:       Sanitize ENV
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 02 20:55:00 +0000 2016
>Last-Modified:  Tue Mar 15 06:10:00 +0000 2016
>Originator:     Julio Merino
>Release:        pkgsrc as of today
>Organization:
>Environment:
N/A
>Description:
pkgsrc currently does not sanitize the ENV environment variable. As a result, compilations can break at random when ENV is defined by the user and points at a file that won't work within pkgsrc.

Consider, for example:

ENV="${HOME}/.shrc"

where "${HOME}/.shrc" sources another file "${HOME}/foo". When .shrc is read within a pkgsrc build, the script fails because ${HOME}/foo is not valid (because HOME has been reset to point within the package's work directory and thus /foo is missing).

Regardless of this particular example, reading any of the ENV contents within pkgsrc is semantically wrong because arbitrary user settings can affect the build results in unexpected manners, so this should be disallowed.
>How-To-Repeat:

>Fix:
The fix is trivial: add ALL_ENV+=ENV= to bsd.pkg.mk so that ENV is cleared during the build. However, I haven't touched pkgsrc internals for a long time so I'm wary of doing this change myself. Filing this PR so this can be tracked and assessed.

>Audit-Trail:
From: David Holland <dholland-gnats@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/50752: Sanitize ENV
Date: Tue, 15 Mar 2016 06:07:04 +0000

 (sent to gnats-admin instead of gnats-bugs)

    ------

 From: Jonathan Perkin <jperkin@joyent.com>
 To: gnats-admin@netbsd.org
 Subject: Re: pkg/50752: Sanitize ENV
 Date: Wed, 3 Feb 2016 14:57:41 +0000

 FWIW I'm pushing this change through a bulk build to check there's no
 obvious fallout.  Results to come later.

 -- 
 Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
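
The failure mode from the Description and the effect of clearing ENV, as an added example that is not part of the PR or of pkgsrc. All paths are constructed stand-ins, and the explicit `.` emulates the shell's read of the ENV file so the result is the same under any POSIX sh.

```shell
#!/bin/sh
# Added illustration; directories and file contents are constructed.

# Create a stand-in user HOME whose .shrc sources "${HOME}/foo", and a
# stand-in for the HOME that the build points into the work directory.
setup_demo() {
    DEMO_ROOT=$(mktemp -d) || return 1
    USER_HOME="$DEMO_ROOT/home/user"
    BUILD_HOME="$DEMO_ROOT/work/.home"
    mkdir -p "$USER_HOME" "$BUILD_HOME" || return 1
    echo 'DEMO_SETTING=1' > "$USER_HOME/foo"
    echo '. "${HOME}/foo"' > "$USER_HOME/.shrc"
}

# run_step HOME_VALUE ENV_VALUE
# Run one stand-in build step in a child sh. The child sources the file
# named by ENV before the step; this emulates the shell's own read of ENV
# (assumption: done explicitly so the demo does not depend on the local sh).
run_step() {
    env HOME="$1" ENV="$2" sh -c '
        if [ -n "$ENV" ]; then . "$ENV" || exit 1; fi
        echo "build step ok"
    '
}

# The user's ENV leaks into the build while HOME is reset.
build_with_inherited_env() { run_step "$BUILD_HOME" "$USER_HOME/.shrc"; }

# ENV cleared for the build, the effect of the ALL_ENV+=ENV= setting.
build_with_sanitized_env() { run_step "$BUILD_HOME" ""; }

demo() {
    setup_demo || return 1
    if build_with_inherited_env; then
        echo "inherited ENV: step ran"
    else
        echo "inherited ENV: step failed (${BUILD_HOME}/foo is missing)"
    fi
    build_with_sanitized_env
    rm -rf "$DEMO_ROOT"
}

demo
```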
