Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022)

This commit is contained in:
Mark Wielaard 2017-04-25 17:45:30 +02:00
parent 9eaad7b89c
commit 968a569040
2 changed files with 114 additions and 1 deletions

View File

@ -0,0 +1,107 @@
commit c707ab26362e795d3f9dba4eb87dc7ed99a28bcb
Author: Robin Lee <cheeselee@fedoraproject.org>
Date: Sat Apr 8 21:21:39 2017 +0800
Fix non-standard inherented modes of directories in debuginfo
In case that binary compiled from source generated in /tmp, a
/usr/src/debug/tmp directory will be created with the same mode as
/tmp, a.k.a 777, which should be avoided.
Fixes: rhbz#641022
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
old mode 100644
new mode 100755
index 547dbd9..6f38e19
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -490,9 +490,10 @@ if [ -s "$SOURCEFILE" ]; then
mkdir -p "${RPM_BUILD_ROOT}${debug_dest_name}"
LC_ALL=C sort -z -u "$SOURCEFILE" | grep -E -v -z '(<internal>|<built-in>)$' |
(cd "${debug_base_name}"; cpio -pd0mL "${RPM_BUILD_ROOT}${debug_dest_name}")
- # stupid cpio creates new directories in mode 0700, fixup
+ # stupid cpio creates new directories in mode 0700,
+ # and non-standard modes may be inherented from original directories, fixup
find "${RPM_BUILD_ROOT}${debug_dest_name}" -type d -print0 |
- xargs --no-run-if-empty -0 chmod a+rx
+ xargs --no-run-if-empty -0 chmod 0755
fi
if [ -d "${RPM_BUILD_ROOT}/usr/lib" -o -d "${RPM_BUILD_ROOT}/usr/src" ]; then
commit e795899780337dea751d85db8f381eff3fe75275
Author: Mark Wielaard <mark@klomp.org>
Date: Fri Apr 21 17:33:26 2017 +0200
debugedit: Only output comp_dir under build dir (once).
The fix for rhbz#444310 (commit c1a5eb - Include empty CU current dirs)
was a little greedy. It would also include comp_dirs outside the build
root. Those are unnecessary and we don't have a good way to store them.
Such dirs (e.g. /tmp) would then show up at the root of /usr/src/debug.
Fix this by including only comp_dirs under base_dir. Also only output
all dirs once (during phase zero) and don't output empty dirs (which
was harmless but would produce a warning from cpio).
This still includes all empty dirs from the original rhbz#444310
nodir testcase and it is an alternative fix for rhbz#641022
(commit c707ab).
Both fixes are necessary in case of an unexpected mode for a directory
actually in the build root that we want to include in the source list.
Signed-off-by: Mark Wielaard <mark@klomp.org>
diff --git a/tools/debugedit.c b/tools/debugedit.c
index 8444e03..bf11513 100644
--- a/tools/debugedit.c
+++ b/tools/debugedit.c
@@ -1680,30 +1680,23 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase)
/* Ensure the CU current directory will exist even if only empty. Source
filenames possibly located in its parent directories refer relatively to
it and the debugger (GDB) cannot safely optimize out the missing
- CU current dir subdirectories. */
- if (comp_dir && list_file_fd != -1)
+ CU current dir subdirectories. Only do this once in phase one. And
+ only do this for dirs under our build/base_dir. Don't output the
+ empty string (in case the comp_dir == base_dir). */
+ if (phase == 0 && base_dir && comp_dir && list_file_fd != -1)
{
- const char *p = NULL;
- size_t size;
-
- if (base_dir)
- {
- p = skip_dir_prefix (comp_dir, base_dir);
- if (p == NULL && dest_dir != NULL)
- p = skip_dir_prefix (comp_dir, dest_dir);
- }
-
- if (p == NULL)
- p = comp_dir;
-
- size = strlen (p) + 1;
- while (size > 0)
- {
- ssize_t ret = write (list_file_fd, p, size);
- if (ret == -1)
- break;
- size -= ret;
- p += ret;
+ const char *p = skip_dir_prefix (comp_dir, base_dir);
+ if (p != NULL && p[0] != '\0')
+ {
+ size_t size = strlen (p) + 1;
+ while (size > 0)
+ {
+ ssize_t ret = write (list_file_fd, p, size);
+ if (ret == -1)
+ break;
+ size -= ret;
+ p += ret;
+ }
}
}

View File

@ -33,7 +33,7 @@
Summary: The RPM package management system Summary: The RPM package management system
Name: rpm Name: rpm
Version: %{rpmver} Version: %{rpmver}
Release: %{?snapver:0.%{snapver}.}19%{?dist} Release: %{?snapver:0.%{snapver}.}20%{?dist}
Group: System Environment/Base Group: System Environment/Base
Url: http://www.rpm.org/ Url: http://www.rpm.org/
Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2 Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2
@ -101,6 +101,9 @@ Patch271: 0022-unbreak-short-circuit.patch
Patch272: 0023-minisymtab-exe-sh.patch Patch272: 0023-minisymtab-exe-sh.patch
Patch273: 0024-no-recompute-build-id.patch Patch273: 0024-no-recompute-build-id.patch
# World writable empty (tmp) dirs in debuginfo packages (#641022)
Patch280: rpm-4.13.x-writable-tmp-dir.patch
# OpenSSL backend # OpenSSL backend
Patch300: 0001-Add-OpenSSL-support-for-digest-and-signatures.patch Patch300: 0001-Add-OpenSSL-support-for-digest-and-signatures.patch
@ -606,6 +609,9 @@ exit 0
%doc doc/librpm/html/* %doc doc/librpm/html/*
%changelog %changelog
* Tue Apr 25 2017 Mark Wielaard <mjw@fedoraproject.org> - 4.13.0.1-20
- Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022)
* Sat Apr 15 2017 Mark Wielaard <mjw@fedoraproject.org> - 4.13.0.1-19 * Sat Apr 15 2017 Mark Wielaard <mjw@fedoraproject.org> - 4.13.0.1-19
- Minisymtab should only be added for executables or shared libraries. - Minisymtab should only be added for executables or shared libraries.
- Add find-debuginfo.sh -n (debugedit --no-recompute-build-id) option. - Add find-debuginfo.sh -n (debugedit --no-recompute-build-id) option.