security of package environment files
ghc will read package environment files owned by other users than the current user, in directories below the current directory. So using ghc in shared directories like /tmp is now a security concern.
joey@darkstar:/tmp/test/sub>ls -l ../../.ghc.environment.x86_64-linux-8.2.2
-rw-r--r-- 1 mail mail 9 Aug 25 15:03 ../../.ghc.environment.x86_64-linux-8.2.2
joey@darkstar:/tmp/test/sub>cat ../../.ghc.environment.x86_64-linux-8.2.2
outdated
joey@darkstar:/tmp/test/sub>ghc --make foo
<command line>: cannot satisfy -package-id outdated
(use -v for more information)
I suppose this could at least be used to trick ghc into building against an older version of some package that was updated with a security fix. It might be possible to exploit in other ways, perhaps by pointing to a backdoored build of a package?