[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FYI] Re: Vulnerability in libtool 1.5

From: Gary V. Vaughan
Subject: Re: [FYI] Re: Vulnerability in libtool 1.5
Date: Mon, 05 Jan 2004 14:45:32 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030925 Thunderbird/0.3

Hash: SHA1

Scott James Remnant wrote:
| On Sun, 2004-01-04 at 20:06, Gary V.Vaughan wrote:
|>I have no problem with starting to use shell functions to libtool now,
|>and infact I think that it is the best way to bring some sanity to the
|>code spaghetti we are trying to maintain.  For now, I don't think it is
|>safe to rely on any more advanced shell function features than
|>enumerated parameter passing.
| Here's what Blinn has to say:
| /bin/sh on older shells, including (at least) ULTRIX don't support them,
| do we drop support for those platforms?
| Some shells also would overwrite libtool's own $1...$# once the first
| function is called, so we should be sure to capture all shell script
| arguments before calling any function lest they be lost.
| On ULTRIX and HP-UX there's a /bin/sh5 which supports functions and
| positional parameter stacking.

I certainly don't propose that we drop support for HP-UX.  I suspect that
no-one would notice if we dropped support for ULTRIX these days:  I last used
one about 10 years ago, and it was considered to be legacy even then.

Autoconf is starting the process of adding code to configure to search for a
CONFIG_SHELL that has function support.  Libtool already has a function (only
called on cygwin, but still parsed elsewhere) that has been around for some
time without causing complaint.

At worst, for those few platforms with a default shell that doesn't support
functions, and until autoconf adds re-execing with a shell that does, the user
might need to 'export CONFIG_SHELL=/bin/sh5'.  There was a thread on the
autoconf list recently that concluded there were no longer any platforms
(which would need a modern autoconf) that had no shell supporting shell 

We could even add an interrim hack that re-execs libtool with a known good
shell for major platforms.  Are there more than just Ultrix?

IIRC, the positional parameter overwriting is a shell archaeology discovery
(i.e. a curiosity of shells that are no longer in use on machines that want to
run a modern libtool/autoconf).

- --
Gary V. Vaughan      ())_.  address@hidden,}
Research Scientist   ( '/
GNU Hacker           / )=
Technical Author   `(_~)_
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


reply via email to

[Prev in Thread] Current Thread [Next in Thread]