On 12/10/19 1:45 pm, Andrew Gregory wrote:
system() runs the provided command via a shell, which is subject to command injection. Even though pacman already provides a mechanism to sign and verify the databases containing the urls, certain distributions have yet to get their act together and start signing databases, leaving them vulnerable to MITM attacks. Replacing the system call with an almost equivalent exec call removes the possibility of a shell-injection attack for those users.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
---
v2:
* properly deal with signals
* pass errno via pipe instead of mmap
* fix debug logging

 src/pacman/conf.c                   | 129 ++++++++++++++++++++++++----
 src/pacman/conf.h                   |   2 +
 test/pacman/tests/sync200.py        |   2 +-
 test/pacman/tests/xfercommand001.py |   2 +-
 4 files changed, 116 insertions(+), 19 deletions(-)
diff --git a/src/pacman/conf.c b/src/pacman/conf.c index 2d8518c4..9a39bba9 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -29,6 +29,7 @@ #include <sys/stat.h> #include <sys/types.h> #include <sys/utsname.h> /* uname */ +#include <sys/wait.h> #include <unistd.h>
/* pacman */ @@ -153,6 +154,7 @@ int config_free(config_t *oldconfig) free(oldconfig->print_format); free(oldconfig->arch); free(oldconfig); + wordsplit_free(oldconfig->xfercommand_argv);
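Review bot: in the config_free() hunk, wordsplit_free(oldconfig->xfercommand_argv) is added after free(oldconfig), so it reads a member of memory that has already been freed. Move the call above free(oldconfig), alongside the other per-member frees, so xfercommand_argv is released while oldconfig is still valid.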
This line needs to be one higher. A
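
The approach the commit message describes (exec of a pre-split argv instead of system(), with the exec errno passed back through a pipe), as an added example that is not the patch's code or pacman's. The names fill_url and run_argv, the whole-argument "%u" substitution and the sample URL are assumptions made for illustration; the signal handling mentioned in the v2 notes is left out.

```c
/* Added example, not pacman's code: run a pre-split argv with no shell. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Swap arguments equal to "%u" for url (whole-argument match is a simplification). */
void fill_url(char *const tmpl[], size_t n, char *url, char *out[])
{
	for(size_t i = 0; i < n; i++) {
		out[i] = strcmp(tmpl[i], "%u") == 0 ? url : tmpl[i];
	}
	out[n] = NULL;
}

/* Returns the child's exit status, or -1 with errno set if fork/exec failed. */
int run_argv(char *const argv[])
{
	int fds[2], status, child_errno = 0;
	ssize_t n;
	pid_t pid, w;
	if(pipe(fds) != 0) { return -1; }
	if(fcntl(fds[1], F_SETFD, FD_CLOEXEC) != 0 || (pid = fork()) == -1) {
		int e = errno; close(fds[0]); close(fds[1]); errno = e;
		return -1;
	}
	if(pid == 0) { /* child: the write end closes by itself if exec succeeds */
		close(fds[0]);
		execvp(argv[0], argv);
		child_errno = errno; /* only reached when exec failed */
		while(write(fds[1], &child_errno, sizeof(child_errno)) == -1 && errno == EINTR) {}
		_exit(127);
	}
	close(fds[1]);
	while((n = read(fds[0], &child_errno, sizeof(child_errno))) == -1 && errno == EINTR) {}
	close(fds[0]);
	do { w = waitpid(pid, &status, 0); } while(w == -1 && errno == EINTR);
	if(n == (ssize_t)sizeof(child_errno)) { errno = child_errno; return -1; }
	if(w == -1 || !WIFEXITED(status)) { return -1; }
	return WEXITSTATUS(status);
}

int main(void)
{
	char url[] = "http://mirror.invalid/core.db; echo injected"; /* constructed */
	char *tmpl[] = {"test", "%u", "=", url}, *argv[5];
	fill_url(tmpl, 4, url, argv);
	return run_argv(argv); /* 0: the URL reached test(1) as one argument */
}
```

Because the substitution happens after the command has been split into arguments, the `;` and the space in the URL are never parsed by a shell.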