|Here's a patch that I wrote to address that security "hole" in
|config.guess. I sent it to [EMAIL PROTECTED] on June 4, 2002 but
|have not heard from them since. The patch works with GNU config.guess
|2002-05-29, available at ftp://ftp.gnu.org/pub/gnu/config/config.guess
|
|
|The patch tries to ensure that config.guess will only produce
|non-existent dummy filenames. It generates dummy filenames by checking
|the existence of dummy-$$-n and dummy-$$-n.{c,o,rel,s}, where n=1 and
|keeps incrementing, until no such files exist.
|
|
|This doesn't necessarily prevent the symlink attack, but I believe
|it'll harden config.guess significantly. Also, I used this method
|instead of generating a random hash value because I think we can't
|assume that config.guess will always run on hosts with md5sum or cksum
|available.
|
|
|I'm not an expert at portable Bourne shell scripting, and there may be
|other issues with the patch, so if possible, please let me know what
|you think. Thank you.
|
|
|Lawrence

All this discussion ought to be where the config.* claim it should be,
i.e., not here.

~/src/bison-exp % config/config.guess --help                     nostromo Err 2
Usage: config/config.guess [OPTION]

Output the configuration name of the system `config.guess' is run on.

Operation modes:
  -h, --help         print this help, then exit
  -t, --time-stamp   print date of last modification, then exit
  -v, --version      print version number, then exit

Report bugs and patches to <[EMAIL PROTECTED]>.


Please resend your patch there.
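
The filename-probing scheme described in the quoted message, sketched as an added example next to an atomic `mkdir`-based alternative; this is not code from the patch or from config.guess. The function names, the `cg-` prefix, the extra `-L` test and the `mkdir` variant are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from config.guess.

# Probing as described in the quoted message: first n for which none of
# dummy-$$-n and dummy-$$-n.{c,o,rel,s} exists in directory $1.
pick_dummy_by_probe() {
    dir=$1
    n=1
    while :; do
        base="$dir/dummy-$$-$n"
        taken=no
        for f in "$base" "$base.c" "$base.o" "$base.rel" "$base.s"; do
            # Assumption beyond the message: also test -L, because -e
            # follows symlinks and reports a dangling link as absent.
            if [ -e "$f" ] || [ -L "$f" ]; then
                taken=yes
                break
            fi
        done
        [ "$taken" = no ] && break
        n=$((n + 1))
    done
    # The name was free when checked; nothing reserves it afterwards.
    printf '%s\n' "$base"
}

# Atomic alternative: mkdir fails if the name exists in any form (file,
# directory, symlink), so the check and the creation are a single step.
make_private_dir() {
    parent=$1
    n=1
    while [ "$n" -le 100 ]; do
        d="$parent/cg-$$-$n"
        if (umask 077 && mkdir "$d") 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}
```

Files created inside the directory returned by `make_private_dir` are not exposed to the window between check and use that the probing loop leaves open.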
