[18952] in bugtraq


Re: String vun. in m4 macro processor (same as in man)

daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Fri Feb 2 05:44:38 2001

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010201153528.A10913@drow.them.org>
Date:         Thu, 1 Feb 2001 15:35:28 -0500
Reply-To: Daniel Jacobowitz <dmj+@ANDREW.CMU.EDU>
From: Daniel Jacobowitz <dmj+@ANDREW.CMU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010201142020.A2205@ania.profnet.pl>; from mezon@PROFNET.PL on
              Thu, Feb 01, 2001 at 02:20:20PM +0100

On Thu, Feb 01, 2001 at 02:20:20PM +0100, Tomasz Kuzniar wrote:
> Hi,
> bug same as previous in man on debian (suse also?).
> Just look:
> mezon@beata$ m4 -G %x%x%x%x
> m4: 40012a48380491e00: No such file or directory
> mezon@beata$
>
> or
>
> mezon@beata$ m4 -G %p
> m4: 0x40012a48: No such file or directory

Well, this is certainly a bug, but:

If anyone is allowing arbitrary options to be passed to m4 in a
privileged context, they deserve what they get!  Read the m4 info
page:

	`m4' also has builtin functions for including files, running
	shell commands, doing arithmetic, etc.

m4 isn't setuid, and anyone who allows arbitrary filenames to be passed
to it has other problems.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/
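
Added example, not part of the original message and not m4's source: the output quoted above is what appears when a user-supplied file name is used as the format argument of a printf-style error reporter. The `report`, `open_failed_unsafe` and `open_failed_safe` names and the `prog:` prefix are hypothetical; the sketch shows the flawed call beside the corrected one, using `%%` as an input that reveals format interpretation without undefined behaviour.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reporter (not m4's code). It formats
 * "prog: <message>: <strerror>" into buf so the result can be checked.
 * Declaring it with __attribute__((format(printf, 4, 5))) would let
 * gcc's -Wformat-security flag the unsafe caller below. */
static int report(char *buf, size_t n, int errnum, const char *fmt, ...)
{
    va_list ap;
    int head, msg, tail;
    head = snprintf(buf, n, "prog: ");
    if (head < 0 || (size_t)head >= n)
        return -1;
    va_start(ap, fmt);
    msg = vsnprintf(buf + head, n - head, fmt, ap);
    va_end(ap);
    if (msg < 0 || (size_t)msg >= n - head)
        return -1;
    tail = snprintf(buf + head + msg, n - head - msg, ": %s", strerror(errnum));
    if (tail < 0 || (size_t)tail >= n - head - msg)
        return -1;
    return head + msg + tail;
}

/* BEFORE: the user-supplied name is the format string, so any
 * conversion specifier in it is interpreted. */
int open_failed_unsafe(char *buf, size_t n, const char *name)
{
    return report(buf, n, ENOENT, name);
}

/* AFTER: constant format; the name is only ever data. */
int open_failed_safe(char *buf, size_t n, const char *name)
{
    return report(buf, n, ENOENT, "%s", name);
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: "%%" is harmless but shows interpretation. */
    open_failed_unsafe(buf, sizeof buf, "a%%b");   puts(buf); /* name altered */
    open_failed_safe(buf, sizeof buf, "a%%b");     puts(buf); /* name verbatim */
    open_failed_safe(buf, sizeof buf, "%x%x%x%x"); puts(buf); /* name verbatim */
    return 0;
}
```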
