Update of sr #110961 (project autoconf):
Status: None => Done
Open/Closed: Open => Closed
_______________________________________________________
Follow-up Comment #1:
Thanks for the bug report. I installed
[https://git.savannah.gnu.org/cgit/autoconf.git/commit/?id=11d8824daada20055c855f46ad7c45237c1ff455
a patch on Savannah] that should fix things by simply removing m4_file_append,
which hasn't been needed since the year 2000 but which we forgot to remove two
decades ago.
There are still many opportunities for arbitrary code execution in Autoconf.
For example, 'autoconf' itself is a shell script that respects PATH. That's OK,
though, as 'autoconf' is expected to be run in an environment with a benign
PATH, and with benign inputs (since inputs expand into shell scripts that can
do arbitrary things anyway).
Although it wasn't urgent to fix this bug, I installed the fix now as it's
trivial.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/support/?110961>