On Fri, Nov 03, 2006 at 10:18:59PM +0100, Stephan A Suerken wrote:
> > pwd_optionsfile is declared as char*, then used via strcpy() without
> > initialization. And conveniently, this is in the code related to retrieving
> > $HOME from the environment. Looks like a broken Debian patch to me.
>
> Argl, what a bummer ;(. For simplicity, -4 will have this patch
> disabled, and will close the bug.
>
> Re-open if that does not fix the problem, but it smells just like it.

Ok. FWIW, the original upstream code also appears to contain a security
hole, because reading configuration data from the current directory means
other users may have control over your configuration -- in the case of an
emulator like uae, I would imagine this could amount to an arbitrary code
execution bug.

Would you accept a patch that completely drops reading the config from $PWD?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
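
An added example, not code from uae or from the Debian patch discussed above: one way to resolve a config file from $HOME only, writing the path into real storage instead of through an uninitialized `char*`, and never consulting the current directory. `RC_NAME`, `home_config_path()` and `open_trusted_config()` are hypothetical names chosen for this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define RC_NAME ".examplerc"  /* hypothetical name, not taken from the thread */

/* Build "$HOME/RC_NAME" in caller-owned storage. Returns 0 on success,
 * -1 if HOME is unset, not absolute, or the result would be truncated. */
int home_config_path(char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/')
        return -1;                    /* no fallback to "." or $PWD */
    int n = snprintf(out, outlen, "%s/%s", home, RC_NAME);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Open path only if it is a regular file (no symlink), owned by uid and
 * not writable by group or others. Checks run on the open descriptor. */
int open_trusted_config(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[PATH_MAX];
    int fd = -1;
    if (home_config_path(path, sizeof path) == 0)
        fd = open_trusted_config(path, getuid());
    puts(fd >= 0 ? "loading config from $HOME" : "using built-in defaults");
    if (fd >= 0)
        close(fd);
    return 0;
}
```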