| 1 |
Files being installed by Portage are generally trusted but also the |
| 2 |
syscalls allowed by file are quite broad anyway. |
| 3 |
|
| 4 |
With e.g. new libc or sandbox version (or any number of things...), the |
| 5 |
syscalls used by file can change which leads to its seccomp filter killing |
| 6 |
the process. This is an acceptable tradeoff when users are calling file(1), |
| 7 |
but it makes less sense with trusted input within Portage, especially |
| 8 |
where it may lead to confusing errors (swallowed within pipes, subshells, |
| 9 |
etc). |
| 10 |
|
| 11 |
Indeed, it might even be the case that file(1) is broken, but the user |
| 12 |
needs to complete a world upgrade to get a newer file/portage/???, but |
| 13 |
can't because of various ebuilds (like ones using this eclass) failing. |
| 14 |
|
| 15 |
Disable seccomp for these calls to keep working. |
| 16 |
|
| 17 |
Bug: https://bugs.gentoo.org/811462 |
| 18 |
Bug: https://bugs.gentoo.org/815877 |
| 19 |
Bug: https://bugs.gentoo.org/889046 |
| 20 |
Signed-off-by: Sam James <sam@g.o> |
| 21 |
--- |
| 22 |
eclass/unpacker.eclass | 8 ++++---- |
| 23 |
1 file changed, 4 insertions(+), 4 deletions(-) |
| 24 |
|
| 25 |
diff --git a/eclass/unpacker.eclass b/eclass/unpacker.eclass |
| 26 |
index 5ce681ebaa0d4..326b2fa675249 100644 |
| 27 |
--- a/eclass/unpacker.eclass |
| 28 |
+++ b/eclass/unpacker.eclass |
| 29 |
@@ -1,4 +1,4 @@ |
| 30 |
-# Copyright 1999-2022 Gentoo Authors |
| 31 |
+# Copyright 1999-2023 Gentoo Authors |
| 32 |
# Distributed under the terms of the GNU General Public License v2 |
| 33 |
|
| 34 |
# @ECLASS: unpacker.eclass |
| 35 |
@@ -122,7 +122,7 @@ unpack_pdv() { |
| 36 |
local tmpfile="${T}/${FUNCNAME}" |
| 37 |
tail -c +$((${tailskip}+1)) ${src} 2>/dev/null | head -c 512 > "${tmpfile}" |
| 38 |
|
| 39 |
- local iscompressed=$(file -b "${tmpfile}") |
| 40 |
+ local iscompressed=$(file -S -b "${tmpfile}") |
| 41 |
if [[ ${iscompressed:0:8} == "compress" ]] ; then |
| 42 |
iscompressed=1 |
| 43 |
mv "${tmpfile}"{,.Z} |
| 44 |
@@ -130,7 +130,7 @@ unpack_pdv() { |
| 45 |
else |
| 46 |
iscompressed=0 |
| 47 |
fi |
| 48 |
- local istar=$(file -b "${tmpfile}") |
| 49 |
+ local istar=$(file -S -b "${tmpfile}") |
| 50 |
if [[ ${istar:0:9} == "POSIX tar" ]] ; then |
| 51 |
istar=1 |
| 52 |
else |
| 53 |
@@ -244,7 +244,7 @@ unpack_makeself() { |
| 54 |
|
| 55 |
# lets grab the first few bytes of the file to figure out what kind of archive it is |
| 56 |
local decomp= filetype suffix |
| 57 |
- filetype=$("${exe[@]}" 2>/dev/null | head -c 512 | file -b -) || die |
| 58 |
+ filetype=$("${exe[@]}" 2>/dev/null | head -c 512 | file -S -b -) || die |
| 59 |
case ${filetype} in |
| 60 |
*tar\ archive*) |
| 61 |
decomp=cat |
| 62 |
-- |
| 63 |
2.39.0 |
Archives