At the moment, when invoking chrpath or strip, the tool seems to be using popen, which underneath just calls system with a command as a string.

chrpath_cmd << chrpath_path << " -c -r \"" << rpath << "\" " << deploy_path;

Unfortunately that command is not properly escapend, since if a library happens to include a quote, it basically allows "shell injection".

Moreover the deploy_path doesn't seem to be quoted at all.

(Granted, it is very unlikely that a library contains "strange" characters, like say libunsafe"; rm -Rf .;.so, however a tool should be safe regardless.)

Yeah, this is how it's supposed to go. If someone doesn't already pick this up, I'll try to get to it soon.