Bug 560362
Field | Value
---|---
Summary | Dangerous "rm -fr" and poorly tested makewhatis
Product | [Fedora] Fedora
Component | man
Version | 12
Hardware | All
OS | Linux
Status | CLOSED ERRATA
Severity | medium
Priority | low
Reporter | JW <ohtmvyyn>
Assignee | Ivana Varekova <varekova>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | varekova
Fixed In Version | 1.6f-25.fc12
Doc Type | Bug Fix
Last Closed | 2010-02-02 20:42:21 UTC
man-1.6f-25.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/man-1.6f-25.fc12

Thanks for the report. The makewhatis script really deserves rewriting so it will be done soon. Your version is welcomed.

man-1.6f-25.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update man'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1329

man-1.6f-25.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
makewhatis contains this gem:

> trap "rm -rf $TMPFILEDIR; exit 255" 1 2 3 15

But nowhere is the variable TMPFILEDIR defined. That means that should somebody for some reason have a TMPFILEDIR=/ defined in their environment then they might lose their entire filesystem! Or if for some unrelated purpose they have a TMPFILEDIR=/tmp in their environment then they might lose all of /tmp! And makewhatis runs as root! How does this sort of sloppy coding make its way into "production" code?

Version-Release number of selected component (if applicable):
man-1.6f-22

How reproducible:
Always

Steps to Reproduce:
1. vi /usr/sbin/makewhatis
2. 82G

Actual results:
See above

Expected results:
That line should be deleted.

Additional info:
But wait ... there is more. It is pointless doing a "rm -fr" on $TMPFILE because it is a file not a directory. It isn't safe practice to go around using "rm -fr" everywhere when a simple "rm -f" is correct. Also, makewhatis should be re-written in perl because of that horrible, and not very accurate, awk coding (I have already re-written it if you want a copy).
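
The failure mode in the report, as an added example that is not part of the bug report, the makewhatis source or the Fedora update: the first function lists (without triggering) the handler that the quoted trap line installs for an inherited TMPFILEDIR, and the second shows one hardened pattern where the script owns its temp file and cleans it up with plain "rm -f". The function names, the `tmpfile` variable and the `whatis.XXXXXX` template are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; not the makewhatis source or the Fedora patch.
# reported_trap_command, hardened_run, cleanup and tmpfile are hypothetical names.

# Show the handler the reported line installs when TMPFILEDIR is inherited.
# Double quotes expand $TMPFILEDIR when the trap is set, so the caller's
# value is baked into the command. Handlers are listed, never triggered.
reported_trap_command() {
    (
        TMPFILEDIR=$1    # stands in for a value exported by the caller
        trap "rm -rf $TMPFILEDIR; exit 255" 1 2 3 15
        trap             # print the installed handlers
    )
}

# Hardened pattern: the script creates its own temp file, the handler is
# single-quoted, and cleanup uses plain "rm -f" on that one file.
hardened_run() {
    (
        TMPFILEDIR=$1; export TMPFILEDIR    # inherited value, never used
        tmpfile=$(mktemp "${TMPDIR:-/tmp}/whatis.XXXXXX") || exit 1
        cleanup() { rm -f -- "$tmpfile"; }
        trap cleanup 0
        trap 'cleanup; exit 255' 1 2 3 15
        printf '%s\n' "$tmpfile"
        sh -c 'kill -TERM "$PPID"'          # simulate signal 15 mid-run
        exit 0                              # reached only if no signal arrived
    )
}

# Constructed path for display only; nothing is removed.
reported_trap_command /tmp/constructed-example
```

`hardened_run` prints the path of its temp file and exits with status 255 after the simulated signal, leaving whatever TMPFILEDIR points at untouched.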