Follow-up Comment #2, sr #110961 (project autoconf): I want to emphasize that you did _not_ find any security vulnerabilities here.
Rather, _by design_ we honor the user's PATH setting when running programs from inside both `autoconf` itself and the generated configure script, and _by design_ `configure.ac` is allowed to use `m4_syscmd` to invoke external programs. Both of these are relied on by real users of Autoconf. For example, your suggested change to hardcode `/usr/bin/cat` instead of `cat` would break Nix, Guix, etc. where there _is_ no `/usr/bin/cat`, and `m4_syscmd` is commonly used to invoke `git describe` and similar commands that extract the software's version number from its revision control system.

_______________________________________________________

Reply to this item at: <https://savannah.gnu.org/support/?110961>

_______________________________________________

Message sent via Savannah https://savannah.gnu.org/
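Since `m4_syscmd`/`m4_esyscmd` calls in `configure.ac` run external programs found via the user's PATH, a reviewer auditing a build may want to list them. The following is an added example, not code from Autoconf or from this tracker thread; the `configure.ac` content is constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example): list the commands a configure.ac hands to
# m4_syscmd / m4_esyscmd / m4_esyscmd_s, which autoconf runs with the
# caller's PATH when the configure script is generated.

# Constructed sample configure.ac, embedded so the script runs offline.
SAMPLE_CONFIGURE_AC='AC_INIT([demo], [m4_esyscmd_s([git describe --tags])])
AM_INIT_AUTOMAKE
m4_syscmd([cat VERSION])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT'

# list_syscmds FILE: print "<macro>: <command>" for every single-level
# m4_syscmd-family call (nested [ ] quoting is not handled).
list_syscmds() {
    grep -o 'm4_e\{0,1\}syscmd\(_s\)\{0,1\}(\[[^]]*\])' "$1" \
        | sed 's/^\(m4_e\{0,1\}syscmd\(_s\)\{0,1\}\)(\[\(.*\)\])$/\1: \3/'
}

# count_syscmds FILE: number of such calls, with whitespace stripped
# because some wc implementations pad the count.
count_syscmds() {
    n=$(list_syscmds "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# demo: write the sample to a temp file and report what it would execute.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIGURE_AC" > "$tmp"
    echo "external commands invoked via PATH during autoconf:"
    list_syscmds "$tmp"
    rm -f "$tmp"
}
```

Run `demo` against the sample, or point `list_syscmds` at a real `configure.ac` to see which commands a build picks up from the environment.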