Gentoo Archives: gentoo-commits

From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/portage:master commit in: /, bin/, bin/install-qa-check.d/
Date: Sat, 31 Dec 2022 14:48:17
Message-Id: 1672497935.0f4f85ee3c19ff3acbcf724bf49a52db0766c7a5.sam@gentoo
1 commit: 0f4f85ee3c19ff3acbcf724bf49a52db0766c7a5
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Sat Dec 31 14:40:47 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Sat Dec 31 14:45:35 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=0f4f85ee
7
8 bin: pass -S to file to disable seccomp
9
10 Files being installed by Portage are generally trusted but also the
11 syscalls allowed by file are quite broad anyway.
12
13 Things can go catastrophically wrong if file misses valid input,
14 as we may have invalid VDB metadata.
15
16 Bug: https://bugs.gentoo.org/811462
17 Bug: https://bugs.gentoo.org/815877
18 Bug: https://bugs.gentoo.org/889046
19 Signed-off-by: Sam James <sam <AT> gentoo.org>
20
21 NEWS | 16 +++++++++++++---
22 bin/estrip | 2 +-
23 bin/install-qa-check.d/10ignored-flags | 2 +-
24 bin/misc-functions.sh | 2 +-
25 4 files changed, 16 insertions(+), 6 deletions(-)
26
27 diff --git a/NEWS b/NEWS
28 index 77fd317b7..773df02b0 100644
29 --- a/NEWS
30 +++ b/NEWS
31 @@ -6,15 +6,25 @@ Features:
32
33 Bug fixes:
34 * checksum: Rewrite Whirlpool implementation as a C extension to substantially improve
35 - performance. This only takes effect with OpenSSL 3 and newer. See bug #885909.
36 + performance (bug #885909).
37 +
38 + This only takes effect with OpenSSL 3 and newer (unnecessary otherwise).
39
40 Whirlpool is considered deprecated within Portage and we recommend that
41 repository maintainers remove it from `metadata/layout.conf`!
42
43 * sync: git: Fix "is shallow git repository" check.
44
45 -* bin/*: Rewrite signal handling which will now correctly rethrow SIGINT
46 - and not confuse shells. See bug #887817.
47 +* bin: Rewrite signal handling which will now correctly rethrow SIGINT
48 + and not confuse shells (bug #887817).
49 +
50 +* bin: Pass -S to file(1) to avoid seccomp sandbox issues (bug #811462, bug #889046).
51 +
52 + Files being installed by Portage are generally trusted but also the
53 + syscalls allowed by file are quite broad anyway.
54 +
55 + Things can go catastrophically wrong if file misses valid input,
56 + as we may have invalid VDB metadata.
57
58 portage-3.0.42 (2022-12-26)
59 --------------
60
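Review bot: the NEWS bullet cites bug #811462 and bug #889046, but the commit message also lists bug #815877; add it so the changelog matches the commit trailers. It would also help to state what -S does (it is file's `--no-sandbox` switch, which turns off file's own seccomp filter), since "avoid seccomp sandbox issues" does not tell a reader that the change widens what file(1) is allowed to do while inspecting installed files.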
61 diff --git a/bin/estrip b/bin/estrip
62 index 6738fb4d3..cb4caca3e 100755
63 --- a/bin/estrip
64 +++ b/bin/estrip
65 @@ -489,7 +489,7 @@ do
66
67 (
68 __multijob_child_init
69 - f=$(file "${x}") || exit 0
70 + f=$(file -S "${x}") || exit 0
71 [[ -z ${f} ]] && exit 0
72
73 if ${SKIP_STRIP} ; then
74
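Review bot: `f=$(file -S "${x}") || exit 0` swallows every failure of file(1), including an unknown-option error from a file build that predates -S, so on such a system every object would be silently skipped by estrip instead of stripped. Consider probing once for -S support at script start (for example `file -S /dev/null >/dev/null 2>&1`) and falling back to plain `file`, or at least emitting a warning when the command fails, so a missed strip does not go unnoticed.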
75 diff --git a/bin/install-qa-check.d/10ignored-flags b/bin/install-qa-check.d/10ignored-flags
76 index 0bda8eced..b55b074e1 100644
77 --- a/bin/install-qa-check.d/10ignored-flags
78 +++ b/bin/install-qa-check.d/10ignored-flags
79 @@ -31,7 +31,7 @@ ignored_flag_check() {
80 # Separate out file types that are known to support
81 # .GCC.command.line sections, using the `file` command
82 # similar to how prepstrip uses it.
83 - f=$(file "${x}") || continue
84 + f=$(file -S "${x}") || continue
85 [[ -z ${f} ]] && continue
86 if [[ ${f} == *"SB executable"* || ${f} == *"SB pie executable"* ||
87 ${f} == *"SB shared object"* ]] ; then
88
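Review bot: same pattern as in estrip: `|| continue` discards the error if file(1) rejects -S, which turns the ignored-flags QA check into a silent no-op. A shared helper (or one capability check) would keep the three call sites consistent instead of repeating `file -S` in each script, and the comment above could mention the -S/--no-sandbox rationale, since it currently only says the call mirrors prepstrip.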
89 diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh
90 index fc2a36fb3..55c4afe73 100755
91 --- a/bin/misc-functions.sh
92 +++ b/bin/misc-functions.sh
93 @@ -212,7 +212,7 @@ install_qa_check() {
94 needed=${l%%;*}; l=${l#*;}
95
96 # Infer implicit soname from basename (bug 715162).
97 - if [[ -z ${soname} && $(file "${D%/}${obj}") == *"SB shared object"* ]]; then
98 + if [[ -z ${soname} && $(file -S "${D%/}${obj}") == *"SB shared object"* ]]; then
99 soname=${obj##*/}
100 fi
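Review bot: unlike the other two call sites this one has no error handling at all: if `file -S` fails, the command substitution is empty, the `*"SB shared object"*` match is false and the implicit soname is silently not inferred, which is exactly the invalid VDB metadata the commit message warns about. Check file's exit status here too, or route all three sites through one helper that fails loudly.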