[pacman-dev] [PATCH 2/2] [WIP] run XferCommand via exec
foxboron at archlinux.org
Thu Oct 17 15:50:35 UTC 2019
On Thu, Oct 17, 2019 at 11:47:58AM -0400, Eli Schwartz wrote:
> On 10/17/19 11:04 AM, Morten Linderud wrote:
> > On Thu, Oct 17, 2019 at 05:01:46PM +0200, Morten Linderud wrote:
> >> On Sun, Jun 09, 2019 at 10:13:55AM -0700, Andrew Gregory wrote:
> >>> ---
> >>> systemvp should pretty much be a drop-in replacement for system with
> >>> the exception that it takes an argv array and uses exec. If anybody
> >>> wants to play with it to stress test it a little, I have
> >>> a self-contained copy and test program at:
> >>> https://github.com/andrewgregory/snippets/blob/systemv/c/systemv.c
> >>> TODO:
> >>> * update docs
> >>> * fix debug logging
> >>> * should the command be run with PATH lookup (execv vs execvp)?
> >>> * Is the use of mmap with MAP_ANONYMOUS okay? MAP_ANONYMOUS is
> >>> not POSIX but "most systems also support MAP_ANONYMOUS (or its
> >>> synonym MAP_ANON)" (mmap(2)).
> >>> * should we reset signals prior to exec'ing like we do with
> >>> hooks/scripts?
> >> This issue was assigned CVE-2019-18182.
> >> https://security.archlinux.org/CVE-2019-18182
> >> I'm fixing the AVG whenever pacman 5.2 is released if Xfer isn't included.
> > Uh. I might not have paid attention. Eli mentioned on -security Xfer might not
> > be included in the upcomming release, but then anthraxx pointed out it's in
> > master :o Whats the status?
> Just to clarify, "might not be included in the upcoming release" was
> before the v2 patch series posted on Friday. Before then, it was unclear
> if the v1 patch series (which was marked as WIP with some TODO items)
> would be finished before the upcoming release.
> This has landed in master as the following commit:
> And is mentioned in the NEWS file which is prepared here:
Ack thanks. That was what anthraxx also wrote to me but the previous mail was
sent a bit too quickly.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the pacman-dev