Update of sr #110961 (project autoconf):

                Severity:            6 - Security => 2 - Minor              
                  Status:                    Done => Invalid                
                 Privacy:                 Private => Public                 
                 Summary: 3 Vulnerabilities Result in Code Execution upon
running `autoconf` with crafted `configure.ac` file => Arbitrary Code
Execution upon running `autoconf` with crafted `configure.ac` file

    _______________________________________________________

Follow-up Comment #3:

Recategorizing as non-security and changing resolution to "invalid" since the
bulk of the report is, in fact, invalid.  We do still appreciate your report,
since it brought to our attention that `m4_file_append` was unused and could
be removed.

For the record, the proper way (given the facilities available in Unix) to
deal with the possibility that a build-time operation could execute malicious
code, is to run that build in a "sandbox" environment -- a dedicated, non-root
user account with known-good PATH, etc., and that does not have write access
to anything else on the system.  See for example
https://guix.gnu.org/en/manual/en/html_node/Build-Environment-Setup.html for a
high level description of how to put together such an environment.

(Also, realize that even if you sandbox the build, you're still probably going
to _run the program_ with the privileges of a normal user, or maybe even root.
No presently common desktop OS is designed to protect a user from the
programs they run; academic designs capable of this do exist, but they're very
different from Unix.)


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?110961>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
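An added illustration, not code from the ticket or from the autoconf project, of the sandboxed-build approach Comment #3 describes: a POSIX shell wrapper that refuses to run as root, insists that the build directory belongs to the caller and is not writable by other users, and launches the build with an empty environment and a fixed known-good PATH. Creating the dedicated non-root account and denying it write access to the rest of the system is an administrator step assumed to have been done beforehand; the PATH value and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Savannah ticket: run a build step the way
# Comment #3 recommends -- as an ordinary user, inside one working directory,
# with a fixed PATH and nothing else inherited from the caller's environment.
# Assumes a dedicated non-root build account (e.g. "builder") already exists
# and owns nothing outside its build tree.

# Known-good PATH: system directories the build account cannot write to.
SANDBOX_PATH="/usr/bin:/bin"

# check_not_root UID -> succeeds only for a non-root uid.
check_not_root() {
    [ "$1" -ne 0 ]
}

# check_workdir DIR -> succeeds if DIR exists, is owned by the caller, and is
# neither group- nor world-writable, so no other account can plant files in it.
check_workdir() {
    [ -d "$1" ] && [ -O "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -002 -o -perm -020 \) -print)" ]
}

# run_sandboxed DIR CMD [ARGS...] -> runs CMD inside DIR with a scrubbed
# environment.  Variables from the caller (credentials, LD_PRELOAD, a
# user-controlled PATH, ...) never reach the build; HOME and TMPDIR point
# into the build tree so stray output stays there.
run_sandboxed() {
    work=$1
    shift
    check_not_root "$(id -u)" || { echo "refusing to run as root" >&2; return 1; }
    check_workdir "$work" || { echo "unsafe work dir: $work" >&2; return 1; }
    mkdir -p "$work/tmp" || return 1
    (
        cd "$work" || exit 1
        umask 077
        exec env -i PATH="$SANDBOX_PATH" HOME="$work" TMPDIR="$work/tmp" "$@"
    )
}
```

Invoked as the dedicated account, for example `run_sandboxed /home/builder/src autoreconf -fi` regenerates `configure` in that tree; a crafted `configure.ac` can then only affect files the build account owns. The wrapper does not replace the account-level confinement the comment describes, it only makes sure the build is launched under it with a predictable environment.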
