[pacman-dev] [PATCH 2/2] [WIP] run XferCommand via exec

Eli Schwartz eschwartz at archlinux.org
Thu Oct 17 15:47:58 UTC 2019

On 10/17/19 11:04 AM, Morten Linderud wrote:
> On Thu, Oct 17, 2019 at 05:01:46PM +0200, Morten Linderud wrote:
>> On Sun, Jun 09, 2019 at 10:13:55AM -0700, Andrew Gregory wrote:
>>> ---
>>> systemvp should pretty much be a drop-in replacement for system with
>>> the exception that it takes an argv array and uses exec.  If anybody
>>> wants to play with it to stress test it a little, I have
>>> a self-contained copy and test program at:
>>> https://github.com/andrewgregory/snippets/blob/systemv/c/systemv.c
>>> TODO:
>>>     * update docs
>>>     * fix debug logging
>>>     * should the command be run with PATH lookup (execv vs execvp)?
>>>     * Is the use of mmap with MAP_ANONYMOUS okay?  MAP_ANONYMOUS is
>>>       not POSIX but "most systems also support MAP_ANONYMOUS (or its
>>>       synonym MAP_ANON)" (mmap(2)).
>>>     * should we reset signals prior to exec'ing like we do with
>>>       hooks/scripts?
>> This issue was assigned CVE-2019-18182.
>> https://security.archlinux.org/CVE-2019-18182
>> I'm fixing the AVG whenever pacman 5.2 is released if Xfer isn't included.
> Uh. I might not have paid attention. Eli mentioned on -security Xfer might not
> be included in the upcomming release, but then anthraxx pointed out it's in
> master :o Whats the status?

Just to clarify, "might not be included in the upcoming release" was
before the v2 patch series posted on Friday. Before then, it was unclear
if the v1 patch series (which was marked as WIP with some TODO items)
would be finished before the upcoming release.

This has landed in master as the following commit:


And is mentioned in the NEWS file which is prepared here:

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20191017/c94391d6/attachment.sig>

More information about the pacman-dev mailing list