On Friday, 04 May 2007, at about 09:57:07 (+0200), Kalle Olavi Niemitalo
wrote:

>>    * Don't look for gettext message catalogs in ../po/ (closes: #417789).
>>      Thanks, Arnaud Giersch! Reference: CVE-2007-2027.
>
> A less paranoid fix has been checked in to elinks-0.11 and
> elinks-0.12 in Git.  If you want to review it, now is the time.
>
> http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=928f364ba2803f98d71775dc03b694d6403c0754
> http://pasky.or.cz/gitweb.cgi?p=elinks.git;a=commit;h=110c564af3c12f40743b7e1adcfd3a034d73b601

Hi,

I don't believe that this patch really solves the security issue.  A
user may still be vulnerable if he wants to run his freshly compiled
(but not installed now) elinks.  This user would typically run it as
/path/to/elinks/src/elinks.  If his cwd is not in the elinks sources,
a wrong gettext catalog may be opened.

I however agree that the risk is pretty low.  I was personally more
concerned by autofs failing to mount /home/po/ each time I ran elinks
from my home directory.

I understand that it is an important feature for translators.  IMHO, a
suitable solution can be:

* enabling this code with --enable-debug like you apparently thought
  about;

* removing the hard-coded "../po/" path, and letting the user specify
  his preferred path, either with a command line option, or with some
  environment variable.

Regards,
        Arnaud Giersch
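
An added example, not part of the original message and not ELinks code: it shows lexically why a hard-coded "../po" lookup depends on the caller's cwd (including the /home/po case mentioned above), next to a selection rule that only honours an absolute, user-supplied path. The environment variable name `ELINKS_PO_DIR`, the default `/usr/share/locale`, the function names and the sample cwds are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lexically resolve "../po" against an absolute cwd: drop the last
 * component of cwd and append "po" (symlinks are ignored here).
 * Returns 0 on success, -1 if cwd is not absolute or out is too small. */
int resolve_parent_po(const char *cwd, char *out, size_t outlen)
{
    if (cwd == NULL || cwd[0] != '/')
        return -1;
    size_t len = strlen(cwd);
    while (len > 1 && cwd[len - 1] == '/')   /* strip trailing slashes */
        len--;
    while (len > 1 && cwd[len - 1] != '/')   /* drop the last component */
        len--;
    while (len > 1 && cwd[len - 1] == '/')   /* strip the separator */
        len--;
    int n = snprintf(out, outlen, "%.*s%spo", (int)len, cwd, len > 1 ? "/" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened choice: an override is honoured only when it is an absolute
 * path, so the result never depends on cwd; otherwise use the default. */
const char *choose_catalog_dir(const char *override, const char *compiled_default)
{
    if (override != NULL && override[0] == '/')
        return override;
    return compiled_default;
}

int main(void)
{
    const char *cwds[] = { "/home/arnaud", "/tmp/unpacked/archive", "/" }; /* constructed */
    char buf[256];
    for (size_t i = 0; i < sizeof cwds / sizeof cwds[0]; i++)
        if (resolve_parent_po(cwds[i], buf, sizeof buf) == 0)
            printf("cwd %-24s -> ../po is %s\n", cwds[i], buf);
    /* ELINKS_PO_DIR is a hypothetical variable name, not an ELinks option. */
    printf("catalog dir: %s\n",
           choose_catalog_dir(getenv("ELINKS_PO_DIR"), "/usr/share/locale"));
    return 0;
}
```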
