Arnaud Giersch <[EMAIL PROTECTED]> writes:

> I don't believe that this patch really solves the security issue. A
> user may still be vulnerable if he wants to run his freshly compiled
> (but not installed now) elinks. This user would typically run it as
> /path/to/elinks/src/elinks. If his cwd is not in the elinks sources,
> a wrong gettext catalog may be opened.
Thank you for your concern. The patched ELinks 0.12.GIT (d1fa336f7f390d9b51456498fac5dda8f54c18a4) appears to open the correct gettext catalog in this case, regardless of what the current working directory is. Please see the GDB session below.

$ gdb --args ~/build/i686-pc-linux-gnu/elinks-0.12/src/elinks -no-connect
GNU gdb 6.5-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) list /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c:207,229
207     /* This is hacked for ELinks - we want to look up for the translations at the
208      * correct place even if we are being ran from the source/build tree. */
209     static struct string *
210     add_filename_to_string(struct string *str, struct loaded_l10nfile *domain_file)
211     {
212             unsigned char *slash = strrchr(program.path, '/');
213             size_t dirnamelen = (slash ? slash - program.path + 1 : 0);
214
215             /* Check if elinks is being run from the source tree. */
216             if (dirnamelen < 4
217                 || strncmp(program.path + dirnamelen - 4, "src", 3))
218                     return NULL;
219
220             if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
221                 || !add_to_string(str, "../po/")
222                 || !add_bytes_to_string(str,
223                                         (unsigned char *) domain_file->langdirname,
224                                         domain_file->langdirnamelen)
225                 || !add_to_string(str, ".gmo"))
226                     return NULL;
227
228             return str;
229     }
(gdb) break add_filename_to_string
Breakpoint 1 at 0x80c5453: file /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c, line 212.
(gdb) run
Starting program: /home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks -no-connect
[Thread debugging using libthread_db enabled]
[New Thread -1216120064 (LWP 8749)]
[Switching to Thread -1216120064 (LWP 8749)]

Breakpoint 1, add_filename_to_string (str=0xbfbc844c, domain_file=0x819b820)
    at /home/Kalle/src/elinks-0.12/src/intl/gettext/loadmsgcat.c:212
212             unsigned char *slash = strrchr(program.path, '/');
(gdb) print program.path
$1 = (unsigned char *) 0xbfbc942e "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks"
(gdb) next
213             size_t dirnamelen = (slash ? slash - program.path + 1 : 0);
(gdb) print slash
$2 = (unsigned char *) 0xbfbc9461 "/elinks"
(gdb) next
216             if (dirnamelen < 4
(gdb) print dirnamelen
$3 = 52
(gdb) print program.path + dirnamelen - 4
$4 = (unsigned char *) 0xbfbc945e "src/elinks"
(gdb) next
220             if ((dirnamelen && !add_bytes_to_string(str, program.path, dirnamelen))
(gdb) print *str
$5 = {magic = 777777777, source = 0x81c3550 "", length = 0}
(gdb) print domain_file->langdirname@domain_file->langdirnamelen
$6 = "fi_FI.UTF-8"
(gdb) next
228             return str;
(gdb) print *str
$7 = {magic = 777777777, source = 0x81c3550 "/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/../po/fi_FI.UTF-8.gmo", length = 73}
(gdb)
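As an added illustration (not code from this thread or from ELinks itself), here is a stand-alone C re-implementation of the lookup the GDB session steps through: catalog_path() is a hypothetical name standing in for add_filename_to_string(), with plain libc in place of ELinks's string helpers. It reproduces the 73-byte path from the session, returns NULL for an installed binary so the normal catalogs are used, and also shows that the "src" test only inspects the last four bytes of the directory, so a directory such as mysrc/ is accepted as a source tree too.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical name): mirrors add_filename_to_string() from
 * loadmsgcat.c with plain libc. Builds "<dir of exe>../po/<lang>.gmo" when
 * the executable's directory ends in "src/", otherwise returns NULL so the
 * caller falls back to the installed catalogs. Only exe_path is consulted;
 * the current working directory plays no part. Caller frees the result. */
static char *catalog_path(const char *exe_path, const char *lang)
{
	const char *slash = strrchr(exe_path, '/');
	size_t dirnamelen = slash ? (size_t)(slash - exe_path + 1) : 0;
	size_t len;
	char *out;

	/* Same test as the page's code: compares the 3 bytes before the
	 * trailing '/', so ".../src/" and also ".../mysrc/" pass. */
	if (dirnamelen < 4 || strncmp(exe_path + dirnamelen - 4, "src", 3) != 0)
		return NULL;

	len = dirnamelen + strlen("../po/") + strlen(lang) + strlen(".gmo");
	out = malloc(len + 1);
	if (!out)
		return NULL;

	memcpy(out, exe_path, dirnamelen);
	out[dirnamelen] = '\0';
	strcat(out, "../po/");
	strcat(out, lang);
	strcat(out, ".gmo");
	return out;
}

int main(void)
{
	/* Executable path and language directory taken from the GDB session. */
	const char *cases[] = {
		"/home/Kalle/build/i686-pc-linux-gnu/elinks-0.12/src/elinks",
		"/usr/bin/elinks",      /* installed: no ../po/ lookup */
		"/opt/mysrc/elinks",    /* constructed: shows the loose "src" match */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		char *p = catalog_path(cases[i], "fi_FI.UTF-8");
		printf("%s -> %s\n", cases[i], p ? p : "(NULL)");
		free(p);
	}
	return 0;
}
```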