[pacman-dev] [PATCH 2/2] [WIP] run XferCommand via exec

Morten Linderud foxboron at archlinux.org
Thu Oct 17 15:50:35 UTC 2019 

On Thu, Oct 17, 2019 at 11:47:58AM -0400, Eli Schwartz wrote:
> On 10/17/19 11:04 AM, Morten Linderud wrote:
> > On Thu, Oct 17, 2019 at 05:01:46PM +0200, Morten Linderud wrote:
> >> On Sun, Jun 09, 2019 at 10:13:55AM -0700, Andrew Gregory wrote:
> >>> ---
> >>>
> >>> systemvp should pretty much be a drop-in replacement for system with
> >>> the exception that it takes an argv array and uses exec.  If anybody
> >>> wants to play with it to stress test it a little, I have
> >>> a self-contained copy and test program at:
> >>> https://github.com/andrewgregory/snippets/blob/systemv/c/systemv.c
> >>>
> >>> TODO:
> >>>     * update docs
> >>>     * fix debug logging
> >>>     * should the command be run with PATH lookup (execv vs execvp)?
> >>>     * Is the use of mmap with MAP_ANONYMOUS okay?  MAP_ANONYMOUS is
> >>>       not POSIX but "most systems also support MAP_ANONYMOUS (or its
> >>>       synonym MAP_ANON)" (mmap(2)).
> >>>     * should we reset signals prior to exec'ing like we do with
> >>>       hooks/scripts?
> >>
> >> This issue was assigned CVE-2019-18182.
> >>
> >> https://security.archlinux.org/CVE-2019-18182
> >>
> >> I'm fixing the AVG whenever pacman 5.2 is released if Xfer isn't included.
> >>
> > 
> > Uh. I might not have paid attention. Eli mentioned on -security Xfer might not
> > be included in the upcomming release, but then anthraxx pointed out it's in
> > master :o Whats the status?
> 
> Just to clarify, "might not be included in the upcoming release" was
> before the v2 patch series posted on Friday. Before then, it was unclear
> if the v1 patch series (which was marked as WIP with some TODO items)
> would be finished before the upcoming release.
> 
> This has landed in master as the following commit:
> 
> https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee
> 
> And is mentioned in the NEWS file which is prepared here:
> https://patchwork.archlinux.org/patch/1280/
> 

Ack thanks. That was what anthraxx also wrote to me but the previous mail was
sent a bit too quickly.




-- 
Morten Linderud
PGP: 9C02FF419FECBE16
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20191017/27497a00/attachment.sig>

More information about the pacman-dev mailing list