[Pkg-openldap-devel] Bug#637166: openldap: Potentially unsafe cp command in debian/rules

Lesley Longhurst developer at opus.co.nz
Tue Aug 9 02:05:14 UTC 2011


Package: openldap
Severity: minor
Tags: squeeze lenny patch

I have made this patch to debian/rules for my local build of openldap, and am
submitting it so that maintainers can adopt it if desired. It can be applied
in both openldap-2.4.23 and openldap-2.4.25.

Instead of copying config.* from /usr/share/misc, explicitly copy the files
that are needed.  Anyone can download the source package and build it on any
host, so there is no way to know what else might be in that directory.
Admittedly, the chances of any extra files actually having any effect on the
code are slim, but I feel this is a tidier way of doing it.

Also, and possibly more useful, I have added comments explaining why this copy
is done.


-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
Don't assume that there are no other config.* files in /usr/share/misc/
besides config.{sub,guess}. It would probably do no harm to copy any
such files, but we don't know for sure what might be found on some
random build server.

Also added a comment explaining why we copy them.
--- a/debian/rules
+++ b/debian/rules
@@ -86,8 +86,16 @@
 	    done; \
 	fi
 
-	cp -f /usr/share/misc/config.* build/
-	cp -f /usr/share/misc/config.* contrib/ldapc++/
+	# Assume that config.{sub,guess} provided by autotools-dev
+	# are more recent than those provided in the source.
+	# It will almost certainly (~99.9%) be correct.
+	# This is important for building on hardware that may not
+	# be covered by older versions.
+	for ending in sub guess; do \
+		cp -f /usr/share/misc/config.$$ending build/config.$$ending; \
+		cp -f /usr/share/misc/config.$$ending contrib/ldapc++/config.$$ending; \
+	done
+
 	mkdir -p $(builddir)
 	chmod 755 $(CURDIR)/autogen.sh
 	./autogen.sh
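
Review bot: In the added `for ending in sub guess` loop, the two `cp -f` commands are separated by `;`, so a failed copy can go unnoticed: the shell only reports the status of the last `cp` it ran, and a missing /usr/share/misc/config.sub would no longer stop the build the way the two removed standalone `cp` lines did. Put `set -e;` in front of the `for`, or append `|| exit 1` to each `cp`, so that a missing or unreadable file still fails the target. The "~99.9%" in the new comment is not backed by anything in the patch; stating the assumption without a figure would read better.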

