From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 654FE138C9D for ; Tue, 28 Apr 2015 14:49:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0446AE09EB; Tue, 28 Apr 2015 14:46:21 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 69E3DE09EA for ; Tue, 28 Apr 2015 14:46:15 +0000 (UTC) Received: from big_daddy.dol-sen.ca (S010634bdfa9ecf80.vc.shawcable.net [96.49.31.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: dolsen) by smtp.gentoo.org (Postfix) with ESMTPSA id 6A31A340C09 for ; Tue, 28 Apr 2015 14:46:14 +0000 (UTC) Date: Tue, 28 Apr 2015 07:46:11 -0700 From: Brian Dolbec To: gentoo-portage-dev@lists.gentoo.org Subject: Re: [gentoo-portage-dev] [PATCH v3] ebuild-helpers: avoid exec loops or fork bombs in wrappers (bug 547086) Message-ID: <20150428074611.7b0eb153.dolsen@gentoo.org> In-Reply-To: <1430185982-29249-1-git-send-email-zmedico@gentoo.org> References: <1430166552-21981-1-git-send-email-zmedico@gentoo.org> <1430185982-29249-1-git-send-email-zmedico@gentoo.org> Organization: Gentoo Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-portage-dev@lists.gentoo.org Reply-to: gentoo-portage-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Archives-Salt: 9ac45194-2e0d-4c0c-99b9-a4c09f829dd8 X-Archives-Hash: 019a179a4640ec0ea4fa95e7af5f18fa On Mon, 27 Apr 2015 18:53:02 -0700 Zac Medico wrote: > Since commit 130c01b9e561dd6ff7733a4905b21a0a921e9a22, extra portage > paths in PATH could trigger exec loops or fork bombs in wrappers. > > Fixes: 130c01b9e561 ("_doebuild_path: add fallback for temp > PORTAGE_BIN_PATH (bug 547086)") X-Gentoo-Bug: 547086 > X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=547086 > --- > [PATCH v3] fixes broken ${X} references > > bin/ebuild-helpers/bsd/sed | 4 +++- > bin/ebuild-helpers/portageq | 4 +++- > bin/ebuild-helpers/unprivileged/chown | 4 +++- > bin/ebuild-helpers/xattr/install | 14 +++++++++++++- > 4 files changed, 22 insertions(+), 4 deletions(-) > > diff --git a/bin/ebuild-helpers/bsd/sed b/bin/ebuild-helpers/bsd/sed > index 01b8847..9a7f2d4 100755 > --- a/bin/ebuild-helpers/bsd/sed > +++ b/bin/ebuild-helpers/bsd/sed > @@ -1,5 +1,5 @@ > #!/bin/bash > -# Copyright 2007-2012 Gentoo Foundation > +# Copyright 2007-2015 Gentoo Foundation > # Distributed under the terms of the GNU General Public License v2 > > scriptpath=${BASH_SOURCE[0]} > @@ -15,6 +15,8 @@ else > > for path in $PATH; do > if [[ -x ${path}/${scriptname} ]]; then > + [[ ${path} == > ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && continue > + [[ ${path} == */._portage_reinstall_.* ]] && > continue [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue > exec "${path}/${scriptname}" "$@" > exit 0 > diff --git a/bin/ebuild-helpers/portageq b/bin/ebuild-helpers/portageq > index 4151bac..ba889eb 100755 > --- a/bin/ebuild-helpers/portageq > +++ b/bin/ebuild-helpers/portageq > @@ -1,5 +1,5 @@ > #!/bin/bash > -# Copyright 2009-2013 Gentoo Foundation > +# Copyright 2009-2015 Gentoo Foundation > # Distributed under the terms of the GNU General Public License v2 > > scriptpath=${BASH_SOURCE[0]} > @@ -15,6 +15,8 @@ set -f # in case ${PATH} contains any shell glob > characters > for path in ${PATH}; do > [[ -x ${path}/${scriptname} ]] || continue > + [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* > ]] && continue > + [[ ${path} == */._portage_reinstall_.* ]] && continue > [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue > PYTHONPATH=${PORTAGE_PYTHONPATH:-${PORTAGE_PYM_PATH}} \ > exec "${PORTAGE_PYTHON:-/usr/bin/python}" \ > diff --git a/bin/ebuild-helpers/unprivileged/chown > b/bin/ebuild-helpers/unprivileged/chown index 08fa650..2f1f161 100755 > --- a/bin/ebuild-helpers/unprivileged/chown > +++ b/bin/ebuild-helpers/unprivileged/chown > @@ -1,5 +1,5 @@ > #!/bin/bash > -# Copyright 2012-2013 Gentoo Foundation > +# Copyright 2012-2015 Gentoo Foundation > # Distributed under the terms of the GNU General Public License v2 > > scriptpath=${BASH_SOURCE[0]} > @@ -9,6 +9,8 @@ IFS=':' > > for path in ${PATH}; do > [[ -x ${path}/${scriptname} ]] || continue > + [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* > ]] && continue > + [[ ${path} == */._portage_reinstall_.* ]] && continue > [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue > IFS=$' \t\n' > output=$("${path}/${scriptname}" "$@" 2>&1) > diff --git a/bin/ebuild-helpers/xattr/install > b/bin/ebuild-helpers/xattr/install index d572fe6..2d2a693 100755 > --- a/bin/ebuild-helpers/xattr/install > +++ b/bin/ebuild-helpers/xattr/install > @@ -1,5 +1,5 @@ > #!/bin/bash > -# Copyright 2013 Gentoo Foundation > +# Copyright 2013-2015 Gentoo Foundation > # Distributed under the terms of the GNU General Public License v2 > > PORTAGE_BIN_PATH=${PORTAGE_BIN_PATH:-/usr/lib/portage/bin} > @@ -24,6 +24,18 @@ else > fi > fi > > +# Filter internal portage paths from PATH, in order to avoid > +# a possible exec loop or fork bomb (see bug 547086). > +IFS=':' > +set -f > +path= > +for x in ${PATH}; do > + [[ ${x} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] > && continue > + [[ ${x} == */._portage_reinstall_.* ]] && continue > + path+=":${x}" > +done > +PATH=${path#:} > + > if [[ "${implementation}" == "c" ]]; then > exec "${INSTALL_XATTR}" "$@" > elif [[ "${implementation}" == "python" ]]; then looks good -- Brian Dolbec