kdesvn-build security update

Michael Pyne michael.pyne at kdemail.net
Tue Mar 28 03:25:55 BST 2006


Hi all,

I noticed last night that there was a commit made to kdesvn-build with the 
commit message of security fix.

This piqued my interest so I checked out the diff and this was the result:

------------------

Index: kdesvn-build
===================================================================
--- kdesvn-build        (working copy)
+++ kdesvn-build        (revision 523403)
@@ -3438,9 +3438,9 @@
     # Also remove more than one colon.
     for ($path, $libdir)
     {
+        s/:+/:/;
         s/^:*//;
         s/:*$//;
-        s/:+/:/;
     }

     # Everyone loves unsermake.  It's a pity that not every module will 
compile with it.
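
Review bot: the added s/:+/:/; has no /g modifier, so it rewrites only the first run of colons in each string. Now that it runs ahead of the s/^:*//; trim, that first run is the leading one whenever the value starts with a colon, and a later "::" or ":::" inside the value is left untouched. Suggest s/:+/:/g; so every run is compacted wherever it sits relative to the two trims. The comment "Also remove more than one colon." should also say why: each empty entry in a search path is read as the current directory.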

------------------

The code in question applies 3 filters to $PATH and $LD_LIBRARY_PATH, in this 
order:

1. Remove all consecutive colons from the beginning of the path.
2. Remove all consecutive colons from the end of the path.
3. Compact all sequences of more than one consecutive colon to 1 colon.

i.e. It would transform something like PATH = "::/usr/bin:::/bin:" 
=> "/usr/bin:/bin"

What the patch does is move step 3 to become step 1, i.e. remove duplicate 
colons first.

After looking at the patch I'll admit that I'm not sure what it actually 
fixes, and if it is security related I'd like to know about it so that it 
doesn't happen again, so if anyone could clue me in I'd appreciate it. :)

Regards,
 - Michael Pyne
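
The following is an added example, not part of the original message and not kdesvn-build's own code. It runs the three substitutions from the diff in both orders over constructed PATH values and counts the empty entries left behind; the function names and the /g variant are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: compares the colon clean-up orderings on constructed values.
use strict;
use warnings;

# Order before the change: trim leading, trim trailing, then compact once.
sub clean_old {
    my ($p) = @_;
    for ($p) { s/^:*//; s/:*$//; s/:+/:/; }
    return $p;
}

# Order after the change: compact once, then trim leading and trailing.
sub clean_new {
    my ($p) = @_;
    for ($p) { s/:+/:/; s/^:*//; s/:*$//; }
    return $p;
}

# Hypothetical variant: /g compacts every run, so the order stops mattering.
sub clean_global {
    my ($p) = @_;
    for ($p) { s/:+/:/g; s/^://; s/:$//; }
    return $p;
}

# Count empty entries; a search path lookup reads each one as the
# current directory. The -1 limit keeps trailing empty fields.
sub empty_entries {
    my ($p) = @_;
    return scalar grep { $_ eq '' } split /:/, $p, -1;
}

# Constructed inputs; the first is the value quoted in the message.
my @samples = ('::/usr/bin:::/bin:', '/usr/bin::/bin:::/opt/kde/bin');
my @variants = (
    [ old    => \&clean_old ],
    [ new    => \&clean_new ],
    [ global => \&clean_global ],
);

for my $in (@samples) {
    print "input:  $in\n";
    for my $v (@variants) {
        my ($name, $fn) = @$v;
        my $out = $fn->($in);
        printf "  %-6s %-32s empty entries: %d\n",
            $name, $out, empty_entries($out);
    }
}
```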

More information about the kde-core-devel mailing list