From: Brian Dolbec <dolsen@gentoo.org>
To: gentoo-portage-dev@lists.gentoo.org
Subject: Re: [gentoo-portage-dev] [PATCH v3] ebuild-helpers: avoid exec loops or fork bombs in wrappers (bug 547086)
Date: Tue, 28 Apr 2015 07:46:11 -0700 [thread overview]
Message-ID: <20150428074611.7b0eb153.dolsen@gentoo.org> (raw)
In-Reply-To: <1430185982-29249-1-git-send-email-zmedico@gentoo.org>
On Mon, 27 Apr 2015 18:53:02 -0700
Zac Medico <zmedico@gentoo.org> wrote:
> Since commit 130c01b9e561dd6ff7733a4905b21a0a921e9a22, extra portage
> paths in PATH could trigger exec loops or fork bombs in wrappers.
>
> Fixes: 130c01b9e561 ("_doebuild_path: add fallback for temp
> PORTAGE_BIN_PATH (bug 547086)") X-Gentoo-Bug: 547086
> X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=547086
> ---
> [PATCH v3] fixes broken ${X} references
>
> bin/ebuild-helpers/bsd/sed | 4 +++-
> bin/ebuild-helpers/portageq | 4 +++-
> bin/ebuild-helpers/unprivileged/chown | 4 +++-
> bin/ebuild-helpers/xattr/install | 14 +++++++++++++-
> 4 files changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/bin/ebuild-helpers/bsd/sed b/bin/ebuild-helpers/bsd/sed
> index 01b8847..9a7f2d4 100755
> --- a/bin/ebuild-helpers/bsd/sed
> +++ b/bin/ebuild-helpers/bsd/sed
> @@ -1,5 +1,5 @@
> #!/bin/bash
> -# Copyright 2007-2012 Gentoo Foundation
> +# Copyright 2007-2015 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
>
> scriptpath=${BASH_SOURCE[0]}
> @@ -15,6 +15,8 @@ else
>
> for path in $PATH; do
> if [[ -x ${path}/${scriptname} ]]; then
> + [[ ${path} ==
> ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && continue
> + [[ ${path} == */._portage_reinstall_.* ]] &&
> continue [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue
> exec "${path}/${scriptname}" "$@"
> exit 0
> diff --git a/bin/ebuild-helpers/portageq b/bin/ebuild-helpers/portageq
> index 4151bac..ba889eb 100755
> --- a/bin/ebuild-helpers/portageq
> +++ b/bin/ebuild-helpers/portageq
> @@ -1,5 +1,5 @@
> #!/bin/bash
> -# Copyright 2009-2013 Gentoo Foundation
> +# Copyright 2009-2015 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
>
> scriptpath=${BASH_SOURCE[0]}
> @@ -15,6 +15,8 @@ set -f # in case ${PATH} contains any shell glob
> characters
> for path in ${PATH}; do
> [[ -x ${path}/${scriptname} ]] || continue
> + [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/*
> ]] && continue
> + [[ ${path} == */._portage_reinstall_.* ]] && continue
> [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue
> PYTHONPATH=${PORTAGE_PYTHONPATH:-${PORTAGE_PYM_PATH}} \
> exec "${PORTAGE_PYTHON:-/usr/bin/python}" \
> diff --git a/bin/ebuild-helpers/unprivileged/chown
> b/bin/ebuild-helpers/unprivileged/chown index 08fa650..2f1f161 100755
> --- a/bin/ebuild-helpers/unprivileged/chown
> +++ b/bin/ebuild-helpers/unprivileged/chown
> @@ -1,5 +1,5 @@
> #!/bin/bash
> -# Copyright 2012-2013 Gentoo Foundation
> +# Copyright 2012-2015 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
>
> scriptpath=${BASH_SOURCE[0]}
> @@ -9,6 +9,8 @@ IFS=':'
>
> for path in ${PATH}; do
> [[ -x ${path}/${scriptname} ]] || continue
> + [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/*
> ]] && continue
> + [[ ${path} == */._portage_reinstall_.* ]] && continue
> [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue
> IFS=$' \t\n'
> output=$("${path}/${scriptname}" "$@" 2>&1)
> diff --git a/bin/ebuild-helpers/xattr/install
> b/bin/ebuild-helpers/xattr/install index d572fe6..2d2a693 100755
> --- a/bin/ebuild-helpers/xattr/install
> +++ b/bin/ebuild-helpers/xattr/install
> @@ -1,5 +1,5 @@
> #!/bin/bash
> -# Copyright 2013 Gentoo Foundation
> +# Copyright 2013-2015 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
>
> PORTAGE_BIN_PATH=${PORTAGE_BIN_PATH:-/usr/lib/portage/bin}
> @@ -24,6 +24,18 @@ else
> fi
> fi
>
> +# Filter internal portage paths from PATH, in order to avoid
> +# a possible exec loop or fork bomb (see bug 547086).
> +IFS=':'
> +set -f
> +path=
> +for x in ${PATH}; do
> + [[ ${x} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]]
> && continue
> + [[ ${x} == */._portage_reinstall_.* ]] && continue
> + path+=":${x}"
> +done
> +PATH=${path#:}
> +
> if [[ "${implementation}" == "c" ]]; then
> exec "${INSTALL_XATTR}" "$@"
> elif [[ "${implementation}" == "python" ]]; then
looks good
--
Brian Dolbec <dolsen>
prev parent reply other threads:[~2015-04-28 14:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-27 20:29 [gentoo-portage-dev] [PATCH] ebuild-helpers: avoid exec loops or fork bombs in wrappers (bug 547086) Zac Medico
2015-04-28 1:27 ` [gentoo-portage-dev] [PATCH v2] " Zac Medico
2015-04-28 1:53 ` [gentoo-portage-dev] [PATCH v3] " Zac Medico
2015-04-28 14:46 ` Brian Dolbec [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150428074611.7b0eb153.dolsen@gentoo.org \
--to=dolsen@gentoo.org \
--cc=gentoo-portage-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox