NEWS: Note security (non-)implications of substvars bug

author: Patrick McDermott <patrick.mcdermott@libiquity.com> 2019-04-02 12:59:51 (EDT)
committer: Patrick McDermott <patrick.mcdermott@libiquity.com> 2019-04-02 12:59:51 (EDT)
commit: 5470ff699fbf1394cc165c984511d618ea5d7fd1 (patch)
tree: f2ab1ce9c50054cb1fa2e4d9f0e6fb394d837c7e /NEWS
parent: c63ca5bd8fd02c09b94bcf22e24fbcd3b18028f1 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 276cce0..d438541 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,11 @@ Bug fixes and minor changes:
   * configure no longer checks for make.  This was needed for mksysconf,
     which was removed in version 4.0.0.
   * Substitution variables are now correctly set for binary packages
-    with non-alphanumeric characters in their names.
+    with non-alphanumeric characters in their names.  Unsanitized data
+    was passed to eval, however it was first validated to not contain
+    characters such as whitespace and it was interpolated into a string
+    that couldn't yield a command name that would normally exist on any
+    system.
 
 opkbuild version 4.0.0
 ----------------------
author	Patrick McDermott <patrick.mcdermott@libiquity.com>	2019-04-02 12:59:51 (EDT)
committer	Patrick McDermott <patrick.mcdermott@libiquity.com>	2019-04-02 12:59:51 (EDT)
commit	5470ff699fbf1394cc165c984511d618ea5d7fd1 (patch)
tree	f2ab1ce9c50054cb1fa2e4d9f0e6fb394d837c7e /NEWS
parent	c63ca5bd8fd02c09b94bcf22e24fbcd3b18028f1 (diff)