Package: dpkg
Version: 1.12.2
Tags: patch

dpkg `configure` allows configuration of run-time tools via
environment variables (`PATCH`, `TAR`, etc.). These variables are
apparently expected to be populated by bare program names, though this
requirement is not documented anywhere, and I only discovered it by
reading the source. Configuring these variables with fully-qualified
pathnames causes run-time errors like:

$ sudo dpkg -i
Password:
dpkg: warning: '/usr/local/opt/gnu-tar/bin/gtar' not found in PATH or
not executable
dpkg: error: 1 expected program not found in PATH or not executable
Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin

There are deployment environments in which fixed paths would be more
appropriate, rather than relying on runtime `PATH` settings. If I
understand correctly, the tools are launched via `execvp()`, which
handles full pathnames just fine.

Therefore, I propose the attached patch, which fixes `find_command()`
to only build candidate paths for unqualified names, and test
fully-qualified paths as-is.

diff --git a/src/main/help.c b/src/main/help.c
index 7762aca..f7d9d16 100644
--- a/src/main/help.c
+++ b/src/main/help.c
@@ -83,6 +83,10 @@ find_command(const char *prog)
   const char *path, *path_end;
   size_t path_len;
 
+  if (*prog == '/') {
+    return stat(prog, &stab) == 0 && (stab.st_mode & 0111);
+  }
+
   path_list = getenv("PATH");
   if (!path_list)
     ohshit(_("PATH is not set"));
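
Review bot: The new `*prog == '/'` test at the top of find_command() only short-circuits absolute paths, so a name such as ./gtar or bin/gtar still goes through the PATH loop, whereas execvp() skips the PATH search for any name that contains a slash; testing `strchr(prog, '/')` instead would keep this check in line with what is actually executed. The `stab.st_mode & 0111` test also passes for a directory, and for a file whose only execute bit belongs to a class the calling user is not in; adding `S_ISREG(stab.st_mode)` would close the first gap. On style, the braces around the single return differ from the unbraced `if (!path_list)` just below. Since the report says the expected form of these variables is undocumented, a sentence in the configure help stating that both bare names and full paths are accepted would be worth adding with this change.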
