Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022)

2017-04-25 17:45:30 +02:00 · 2017-04-25 17:45:30 +02:00 · 968a569040
commit 968a569040
parent 9eaad7b89c
2 changed files with 114 additions and 1 deletions
--- a/rpm-4.13.x-writable-tmp-dir.patch
+++ b/rpm-4.13.x-writable-tmp-dir.patch
@ -0,0 +1,107 @@
+commit c707ab26362e795d3f9dba4eb87dc7ed99a28bcb
+Author: Robin Lee <cheeselee@fedoraproject.org>
+Date:   Sat Apr 8 21:21:39 2017 +0800
+
+    Fix non-standard inherented modes of directories in debuginfo
+    
+    In case that binary compiled from source generated in /tmp, a
+    /usr/src/debug/tmp directory will be created with the same mode as
+    /tmp, a.k.a 777, which should be avoided.
+    
+    Fixes: rhbz#641022
+
+diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
+old mode 100644
+new mode 100755
+index 547dbd9..6f38e19
+--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
+@@ -490,9 +490,10 @@ if [ -s "$SOURCEFILE" ]; then
+   mkdir -p "${RPM_BUILD_ROOT}${debug_dest_name}"
+   LC_ALL=C sort -z -u "$SOURCEFILE" | grep -E -v -z '(<internal>|<built-in>)$' |
+   (cd "${debug_base_name}"; cpio -pd0mL "${RPM_BUILD_ROOT}${debug_dest_name}")
+-  # stupid cpio creates new directories in mode 0700, fixup
+  # stupid cpio creates new directories in mode 0700,
+  # and non-standard modes may be inherented from original directories, fixup
+   find "${RPM_BUILD_ROOT}${debug_dest_name}" -type d -print0 |
+-  xargs --no-run-if-empty -0 chmod a+rx
+  xargs --no-run-if-empty -0 chmod 0755
+ fi
+ 
+ if [ -d "${RPM_BUILD_ROOT}/usr/lib" -o -d "${RPM_BUILD_ROOT}/usr/src" ]; then
+
+commit e795899780337dea751d85db8f381eff3fe75275
+Author: Mark Wielaard <mark@klomp.org>
+Date:   Fri Apr 21 17:33:26 2017 +0200
+
+    debugedit: Only output comp_dir under build dir (once).
+    
+    The fix for rhbz#444310 (commit c1a5eb - Include empty CU current dirs)
+    was a little greedy. It would also include comp_dirs outside the build
+    root. Those are unnecessary and we don't have a good way to store them.
+    Such dirs (e.g. /tmp) would then show up at the root of /usr/src/debug.
+    
+    Fix this by including only comp_dirs under base_dir. Also only output
+    all dirs once (during phase zero) and don't output empty dirs (which
+    was harmless but would produce a warning from cpio).
+    
+    This still includes all empty dirs from the original rhbz#444310
+    nodir testcase and it is an alternative fix for rhbz#641022
+    (commit c707ab).
+    
+    Both fixes are necessary in case of an unexpected mode for a directory
+    actually in the build root that we want to include in the source list.
+    
+    Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+diff --git a/tools/debugedit.c b/tools/debugedit.c
+index 8444e03..bf11513 100644
+--- a/tools/debugedit.c
+++ b/tools/debugedit.c
+@@ -1680,30 +1680,23 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase)
+   /* Ensure the CU current directory will exist even if only empty.  Source
+      filenames possibly located in its parent directories refer relatively to
+      it and the debugger (GDB) cannot safely optimize out the missing
+-     CU current dir subdirectories.  */
+-  if (comp_dir && list_file_fd != -1)
+     CU current dir subdirectories.  Only do this once in phase one. And
+     only do this for dirs under our build/base_dir.  Don't output the
+     empty string (in case the comp_dir == base_dir).  */
+  if (phase == 0 && base_dir && comp_dir && list_file_fd != -1)
+     {
+-      const char *p = NULL;
+-      size_t size;
+-
+-      if (base_dir)
+-	{
+-	  p = skip_dir_prefix (comp_dir, base_dir);
+-	  if (p == NULL && dest_dir != NULL)
+-	    p = skip_dir_prefix (comp_dir, dest_dir);
+-	}
+-
+-      if (p == NULL)
+-	p = comp_dir;
+-
+-      size = strlen (p) + 1;
+-      while (size > 0)
+-	{
+-	  ssize_t ret = write (list_file_fd, p, size);
+-	  if (ret == -1)
+-	    break;
+-	  size -= ret;
+-	  p += ret;
+      const char *p = skip_dir_prefix (comp_dir, base_dir);
+      if (p != NULL && p[0] != '\0')
+        {
+	  size_t size = strlen (p) + 1;
+	  while (size > 0)
+	    {
+	      ssize_t ret = write (list_file_fd, p, size);
+	      if (ret == -1)
+		break;
+	      size -= ret;
+	      p += ret;
+	    }
+ 	}
+     }
+ 
--- a/rpm.spec
+++ b/rpm.spec
@ -33,7 +33,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}19%{?dist}
+Release: %{?snapver:0.%{snapver}.}20%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2
@ -101,6 +101,9 @@ Patch271: 0022-unbreak-short-circuit.patch
 Patch272: 0023-minisymtab-exe-sh.patch
 Patch273: 0024-no-recompute-build-id.patch

+# World writable empty (tmp) dirs in debuginfo packages (#641022)
+Patch280: rpm-4.13.x-writable-tmp-dir.patch
+
 # OpenSSL backend
 Patch300: 0001-Add-OpenSSL-support-for-digest-and-signatures.patch

@ -606,6 +609,9 @@ exit 0
 %doc doc/librpm/html/*

 %changelog
+* Tue Apr 25 2017 Mark Wielaard <mjw@fedoraproject.org> - 4.13.0.1-20
+- Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022)
+
 * Sat Apr 15 2017 Mark Wielaard <mjw@fedoraproject.org> - 4.13.0.1-19
 - Minisymtab should only be added for executables or shared libraries.
 - Add find-debuginfo.sh -n (debugedit --no-recompute-build-id) option.