libtool-patches

Re: [FYI] Re: Vulnerability in libtool 1.5


From: Gary V. Vaughan
Subject: Re: [FYI] Re: Vulnerability in libtool 1.5
Date: Mon, 05 Jan 2004 14:45:32 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030925 Thunderbird/0.3

Scott James Remnant wrote:
| On Sun, 2004-01-04 at 20:06, Gary V.Vaughan wrote:
|
|
|>I have no problem with starting to use shell functions to libtool now,
|>and in fact I think that it is the best way to bring some sanity to the
|>code spaghetti we are trying to maintain.  For now, I don't think it is
|>safe to rely on any more advanced shell function features than
|>enumerated parameter passing.
|>
|
| Here's what Blinn has to say:
|
| /bin/sh on older shells, including (at least) ULTRIX don't support them,
| do we drop support for those platforms?
|
| Some shells also would overwrite libtool's own $1...$# once the first
| function is called, so we should be sure to capture all shell script
| arguments before calling any function lest they be lost.
|
| On ULTRIX and HP-UX there's a /bin/sh5 which supports functions and
| positional parameter stacking.

I certainly don't propose that we drop support for HP-UX.  I suspect that
no-one would notice if we dropped support for ULTRIX these days:  I last used
one about 10 years ago, and it was considered to be legacy even then.

Autoconf is starting the process of adding code to configure to search for a
CONFIG_SHELL that has function support.  Libtool already has a function (only
called on cygwin, but still parsed elsewhere) that has been around for some
time without causing complaint.

At worst, for those few platforms with a default shell that doesn't support
functions, and until autoconf adds re-execing with a shell that does, the user
might need to 'export CONFIG_SHELL=/bin/sh5'.  There was a thread on the
autoconf list recently that concluded there were no longer any platforms
(which would need a modern autoconf) that had no shell supporting shell 
functions.

We could even add an interim hack that re-execs libtool with a known good
shell for major platforms.  Are there more than just Ultrix?

IIRC, the positional parameter overwriting is a shell archaeology discovery
(i.e. a curiosity of shells that are no longer in use on machines that want to
run a modern libtool/autoconf).

Cheers,
        Gary.
--
Gary V. Vaughan      ())_.  address@hidden,gnu.org}
Research Scientist   ( '/   http://www.oranda.demon.co.uk
GNU Hacker           / )=   http://www.gnu.org/software/libtool
Technical Author   `(_~)_   http://sources.redhat.com/autobook
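
The two shell properties discussed in this thread (function support, and the script's own $1...$# surviving a function call) can be probed per candidate shell. This is an added example, not part of the original message or of libtool; the function names and candidate list are assumptions, and because the probes are wrapped in functions the script itself must run under a shell that already has them.

```shell
#!/bin/sh
# Added example: choose a CONFIG_SHELL candidate that supports shell
# functions and keeps the caller's positional parameters across a call.
# Function names below are hypothetical, not libtool or autoconf code.

# Succeeds if the shell named in $1 can define and call a function.
shell_has_functions () {
  "$1" -c 'probe () { return 0; }; probe' >/dev/null 2>&1
}

# Succeeds if the shell named in $1 still sees its own arguments
# (count and values) after calling a function with different ones.
shell_keeps_args () {
  out=$("$1" -c 'probe () { :; }; probe x y z; echo "$#:$1:$2"' \
        probe-sh one two 2>/dev/null) || return 1
  test "$out" = "2:one:two"
}

# Prints the first candidate passing both probes; fails if none does.
pick_config_shell () {
  for candidate
  do
    if shell_has_functions "$candidate" && shell_keeps_args "$candidate"
    then
      echo "$candidate"
      return 0
    fi
  done
  return 1
}

# Stand-alone use: pass candidate shells as arguments, for example
#   sh pick-shell.sh /bin/sh /bin/sh5
if test "$#" -gt 0
then
  pick_config_shell "$@" || echo "no usable shell found" >&2
fi
```

A bootstrap that has to start under a shell without function support would inline the first probe and save its own arguments before defining anything.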




