NetBSD Problem Report #50752

From  Tue Feb  2 20:50:32 2016
Date: Tue,  2 Feb 2016 20:50:31 +0000 (UTC)
Subject: Sanitize ENV
X-Send-Pr-Version: www-1.0

>Number:         50752
>Category:       pkg
>Synopsis:       Sanitize ENV
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          feedback
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 02 20:55:00 +0000 2016
>Last-Modified:  Mon Jun 06 06:12:14 +0000 2022
>Originator:     Julio Merino
>Release:        pkgsrc as of today
pkgsrc currently does not sanitize the ENV environment variable. As a result, compilations can break at random when ENV is defined by the user and points at a file that won't work within pkgsrc.

Consider, for example:


where "${HOME}/.shrc" sources another file "${HOME}/foo". When .shrc is read within a pkgsrc build, the script fails because ${HOME}/foo is not valid (because HOME has been reset to point within the package's work directory and thus /foo is missing).

Regardless of this particular example, reading any of the ENV contents within pkgsrc is semantically wrong because arbitrary user settings can affect the build results in unexpected manners, so this should be disallowed.

The fix is trivial: add ALL_ENV+=ENV= to so that ENV is cleared during the build. However, I haven't touched pkgsrc internals for a long time so I'm wary of doing this change myself. Filing this PR so this can be tracked and assessed.


From: David Holland <>
Subject: Re: pkg/50752: Sanitize ENV
Date: Tue, 15 Mar 2016 06:07:04 +0000

 (sent to gnats-admin instead of gnats-bugs)


 From: Jonathan Perkin <>
 Subject: Re: pkg/50752: Sanitize ENV
 Date: Wed, 3 Feb 2016 14:57:41 +0000

 FWIW I'm pushing this change through a bulk build to check there's no
 obvious fallout.  Results to come later.

 Jonathan Perkin  -  Joyent, Inc.  -

State-Changed-From-To: open->feedback
State-Changed-When: Mon, 06 Jun 2022 06:11:58 +0000
What became of this? grep -w ENV mk/** shows nothing (except some cmake
goop) but this seems like something that should be done and the last
comment was six years ago...

