From 968a56904007205f247ca25de688e39a63d4197d Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Apr 25 2017 15:45:30 +0000 Subject: Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022) --- diff --git a/rpm-4.13.x-writable-tmp-dir.patch b/rpm-4.13.x-writable-tmp-dir.patch new file mode 100644 index 0000000..f2dda3f --- /dev/null +++ b/rpm-4.13.x-writable-tmp-dir.patch @@ -0,0 +1,107 @@ +commit c707ab26362e795d3f9dba4eb87dc7ed99a28bcb +Author: Robin Lee +Date: Sat Apr 8 21:21:39 2017 +0800 + + Fix non-standard inherented modes of directories in debuginfo + + In case that binary compiled from source generated in /tmp, a + /usr/src/debug/tmp directory will be created with the same mode as + /tmp, a.k.a 777, which should be avoided. + + Fixes: rhbz#641022 + +diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh +old mode 100644 +new mode 100755 +index 547dbd9..6f38e19 +--- a/scripts/find-debuginfo.sh ++++ b/scripts/find-debuginfo.sh +@@ -490,9 +490,10 @@ if [ -s "$SOURCEFILE" ]; then + mkdir -p "${RPM_BUILD_ROOT}${debug_dest_name}" + LC_ALL=C sort -z -u "$SOURCEFILE" | grep -E -v -z '(|)$' | + (cd "${debug_base_name}"; cpio -pd0mL "${RPM_BUILD_ROOT}${debug_dest_name}") +- # stupid cpio creates new directories in mode 0700, fixup ++ # stupid cpio creates new directories in mode 0700, ++ # and non-standard modes may be inherented from original directories, fixup + find "${RPM_BUILD_ROOT}${debug_dest_name}" -type d -print0 | +- xargs --no-run-if-empty -0 chmod a+rx ++ xargs --no-run-if-empty -0 chmod 0755 + fi + + if [ -d "${RPM_BUILD_ROOT}/usr/lib" -o -d "${RPM_BUILD_ROOT}/usr/src" ]; then + +commit e795899780337dea751d85db8f381eff3fe75275 +Author: Mark Wielaard +Date: Fri Apr 21 17:33:26 2017 +0200 + + debugedit: Only output comp_dir under build dir (once). + + The fix for rhbz#444310 (commit c1a5eb - Include empty CU current dirs) + was a little greedy. It would also include comp_dirs outside the build + root. Those are unnecessary and we don't have a good way to store them. + Such dirs (e.g. /tmp) would then show up at the root of /usr/src/debug. + + Fix this by including only comp_dirs under base_dir. Also only output + all dirs once (during phase zero) and don't output empty dirs (which + was harmless but would produce a warning from cpio). + + This still includes all empty dirs from the original rhbz#444310 + nodir testcase and it is an alternative fix for rhbz#641022 + (commit c707ab). + + Both fixes are necessary in case of an unexpected mode for a directory + actually in the build root that we want to include in the source list. + + Signed-off-by: Mark Wielaard + +diff --git a/tools/debugedit.c b/tools/debugedit.c +index 8444e03..bf11513 100644 +--- a/tools/debugedit.c ++++ b/tools/debugedit.c +@@ -1680,30 +1680,23 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase) + /* Ensure the CU current directory will exist even if only empty. Source + filenames possibly located in its parent directories refer relatively to + it and the debugger (GDB) cannot safely optimize out the missing +- CU current dir subdirectories. */ +- if (comp_dir && list_file_fd != -1) ++ CU current dir subdirectories. Only do this once in phase one. And ++ only do this for dirs under our build/base_dir. Don't output the ++ empty string (in case the comp_dir == base_dir). */ ++ if (phase == 0 && base_dir && comp_dir && list_file_fd != -1) + { +- const char *p = NULL; +- size_t size; +- +- if (base_dir) +- { +- p = skip_dir_prefix (comp_dir, base_dir); +- if (p == NULL && dest_dir != NULL) +- p = skip_dir_prefix (comp_dir, dest_dir); +- } +- +- if (p == NULL) +- p = comp_dir; +- +- size = strlen (p) + 1; +- while (size > 0) +- { +- ssize_t ret = write (list_file_fd, p, size); +- if (ret == -1) +- break; +- size -= ret; +- p += ret; ++ const char *p = skip_dir_prefix (comp_dir, base_dir); ++ if (p != NULL && p[0] != '\0') ++ { ++ size_t size = strlen (p) + 1; ++ while (size > 0) ++ { ++ ssize_t ret = write (list_file_fd, p, size); ++ if (ret == -1) ++ break; ++ size -= ret; ++ p += ret; ++ } + } + } + diff --git a/rpm.spec b/rpm.spec index 1b0a9c4..73f3a51 100644 --- a/rpm.spec +++ b/rpm.spec @@ -33,7 +33,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}19%{?dist} +Release: %{?snapver:0.%{snapver}.}20%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2 @@ -101,6 +101,9 @@ Patch271: 0022-unbreak-short-circuit.patch Patch272: 0023-minisymtab-exe-sh.patch Patch273: 0024-no-recompute-build-id.patch +# World writable empty (tmp) dirs in debuginfo packages (#641022) +Patch280: rpm-4.13.x-writable-tmp-dir.patch + # OpenSSL backend Patch300: 0001-Add-OpenSSL-support-for-digest-and-signatures.patch @@ -606,6 +609,9 @@ exit 0 %doc doc/librpm/html/* %changelog +* Tue Apr 25 2017 Mark Wielaard - 4.13.0.1-20 +- Fix rpmbuild world writable empty (tmp) dirs in debuginfo (#641022) + * Sat Apr 15 2017 Mark Wielaard - 4.13.0.1-19 - Minisymtab should only be added for executables or shared libraries. - Add find-debuginfo.sh -n (debugedit --no-recompute-build-id) option.