On 12/10/19 1:45 pm, Andrew Gregory wrote:
> system() runs the provided command via a shell, which is subject to
> command injection.  Even though pacman already provides a mechanism to
> sign and verify the databases containing the urls, certain distributions
> have yet to get their act together and start signing databases, leaving
> them vulnerable to MITM attacks.  Replacing the system call with an
> almost equivalent exec call removes the possibility of a shell-injection
> attack for those users.
> 
> Signed-off-by: Andrew Gregory <andrew.gregor...@gmail.com>
> ---
> v2:
>     * properly deal with signals
>     * pass errno via pipe instead of mmap
>     * fix debug logging
> 
>  src/pacman/conf.c                   | 129 ++++++++++++++++++++++++----
>  src/pacman/conf.h                   |   2 +
>  test/pacman/tests/sync200.py        |   2 +-
>  test/pacman/tests/xfercommand001.py |   2 +-
>  4 files changed, 116 insertions(+), 19 deletions(-)
> 
> diff --git a/src/pacman/conf.c b/src/pacman/conf.c
> index 2d8518c4..9a39bba9 100644
> --- a/src/pacman/conf.c
> +++ b/src/pacman/conf.c
> @@ -29,6 +29,7 @@
>  #include <sys/stat.h>
>  #include <sys/types.h>
>  #include <sys/utsname.h> /* uname */
> +#include <sys/wait.h>
>  #include <unistd.h>
>  
>  /* pacman */
> @@ -153,6 +154,7 @@ int config_free(config_t *oldconfig)
>       free(oldconfig->print_format);
>       free(oldconfig->arch);
>       free(oldconfig);
> +     wordsplit_free(oldconfig->xfercommand_argv);

This line needs to be one higher.

A

Reply via email to