Follow-up Comment #2, sr #110961 (project autoconf):

I want to emphasize that you did _not_ find any security vulnerabilities
here.

Rather, _by design_ we honor the user's PATH setting when running programs
from inside both `autoconf` itself and the generated configure script, and _by
design_ `configure.ac` is allowed to use `m4_syscmd` to invoke external
programs.  Both of these are relied on by real users of Autoconf. For example,
your suggested change to hardcode `/usr/bin/cat` instead of `cat` would break
Nix, Guix, etc., where there _is_ no `/usr/bin/cat`, and `m4_syscmd` is commonly
used to invoke `git describe` and similar commands that extract the software's
version number from its revision control system.
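As an added illustration (not from this thread and not from Autoconf's own sources), here is a hypothetical `configure.ac` showing both mechanisms the comment describes: the version string is pulled from `git describe` with `m4_esyscmd_s` when `autoconf` runs, and `cat` is located through the user's `PATH` with `AC_PATH_PROG` instead of being hardcoded as `/usr/bin/cat`, so the script still works on Nix, Guix and other non-FHS layouts. The package name, bug address and fallback version string are made up.

```m4
dnl Hypothetical configure.ac (added example, not from the thread or Autoconf).
dnl The version is computed at `autoconf` time: m4_esyscmd_s runs the shell
dnl command through the invoking user's PATH and strips the trailing newline.
dnl The `|| echo` fallback covers release tarballs that carry no .git directory.
AC_INIT([example],
        [m4_esyscmd_s([git describe --tags --always 2>/dev/null || echo 0.0-unknown])],
        [bugs@example.invalid])

dnl Find `cat` on PATH at configure time rather than hardcoding /usr/bin/cat,
dnl which does not exist on Nix, Guix and similar systems. AC_PATH_PROG stores
dnl the absolute path in $CAT and AC_SUBSTs it for Makefile.in.
AC_PATH_PROG([CAT], [cat])
AS_IF([test -z "$CAT"],
      [AC_MSG_ERROR([cat not found in PATH])])

AC_PROG_CC
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
```

Because both lookups honor `PATH`, whoever runs `autoconf` or `./configure` controls which `git` and `cat` are executed; that is the intended behavior the comment refers to, and a build environment that wants a fixed toolchain pins `PATH` itself rather than expecting Autoconf to hardcode paths.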


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/support/?110961>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/