Check-in [3f2773a83d]


Overview
Comment:MFT: Jail all package untarring in case of bsdtar/libarchive vulns
SHA1: 3f2773a83d826656e487ce8167455c4c19e163a9
User & Date: bdrewery 2013-06-02 12:13:52
Context
2013-06-08
11:08
Tag 3.0.3 Release check-in: 2d290e7f87 user: bdrewery tags: 3.0.x, 3.0.3
2013-06-02
12:13
MFT: Jail all package untarring in case of bsdtar/libarchive vulns check-in: 3f2773a83d user: bdrewery tags: 3.0.x
12:13
MFT: bulk: Jail pkg-repo again. This reverts [c9ef811ac5] We should keep this jailed to avoid pkg(8) and libarchive exploits in case some package has dangerous data in its manifest, etc. check-in: 7de42de5fe user: bdrewery tags: 3.0.x
Changes

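--- a/src/share/poudriere/common.sh
+++ b/src/share/poudriere/common.sh
@@ -1844,15 +1844,15 @@
 deps_file() {
 	[ $# -ne 1 ] && eargs pkg
 	local pkg=$1
 	local depfile=$(pkg_cache_dir ${pkg})/deps
 
 	if [ ! -f "${depfile}" ]; then
 		if [ "${PKG_EXT}" = "tbz" ]; then
-			tar -qxf "${pkg}" -O +CONTENTS | awk '$1 == "@pkgdep" { print $2 }' > "${depfile}"
+			injail tar -qxf "/packages/All/${pkg##*/}" -O +CONTENTS | awk '$1 == "@pkgdep" { print $2 }' > "${depfile}"
 		else
 			injail /poudriere/pkg-static info -qdF "/packages/All/${pkg##*/}" > "${depfile}"
 		fi
 	fi
 
 	echo ${depfile}
 }
@@ -1862,15 +1862,15 @@
 	local pkg=$1
 	local originfile=$(pkg_cache_dir ${pkg})/origin
 	local origin=$2
 
 	if [ ! -f "${originfile}" ]; then
 		if [ -z "${origin}" ]; then
 			if [ "${PKG_EXT}" = "tbz" ]; then
-				origin=$(tar -qxf "${pkg}" -O +CONTENTS | \
+				origin=$(injail tar -qxf "/packages/All/${pkg##*/}" -O +CONTENTS | \
 					awk -F: '$1 == "@comment ORIGIN" { print $2 }')
 			else
 				origin=$(injail /poudriere/pkg-static query -F \
 					"/packages/All/${pkg##*/}" "%o")
 			fi
 		fi
 		echo ${origin} > "${originfile}"
@@ -1884,15 +1884,15 @@
 	[ $# -ne 1 ] && eargs pkg
 	local pkg=$1
 	local dep_origin_file=$(pkg_cache_dir ${pkg})/dep_origin
 	local compiled_dep_origins
 
 	if [ ! -f "${dep_origin_file}" ]; then
 		if [ "${PKG_EXT}" = "tbz" ]; then
-			compiled_dep_origins=$(tar -qxf "${pkg}" -O +CONTENTS | \
+			compiled_dep_origins=$(injail tar -qxf "/packages/All/${pkg##*/}" -O +CONTENTS | \
 				awk -F: '$1 == "@comment DEPORIGIN" {print $2}' | tr '\n' ' ')
 		else
 			compiled_dep_origins=$(injail /poudriere/pkg-static query -F \
 				"/packages/All/${pkg##*/}" '%do' | tr '\n' ' ')
 		fi
 		echo "${compiled_dep_origins}" > "${dep_origin_file}"
 		echo "${compiled_dep_origins}"
@@ -1906,15 +1906,15 @@
 	[ $# -ne 1 ] && eargs pkg
 	local pkg=$1
 	local optionsfile=$(pkg_cache_dir ${pkg})/options
 	local compiled_options
 
 	if [ ! -f "${optionsfile}" ]; then
 		if [ "${PKG_EXT}" = "tbz" ]; then
-			compiled_options=$(tar -qxf "${pkg}" -O +CONTENTS | \
+			compiled_options=$(injail tar -qxf "/packages/All/${pkg##*/}" -O +CONTENTS | \
 				awk -F: '$1 == "@comment OPTIONS" {print $2}' | tr ' ' '\n' | \
 				sed -n 's/^\+\(.*\)/\1/p' | sort | tr '\n' ' ')
 		else
 			compiled_options=$(injail /poudriere/pkg-static query -F \
 				"/packages/All/${pkg##*/}" '%Ov%Ok' | sed '/^off/d;s/^on//' | sort | tr '\n' ' ')
 		fi
 		echo "${compiled_options}" > "${optionsfile}"
@@ -1932,15 +1932,15 @@
 	local pkg=$1
 	local origin=$2
 	local cachedir=$(pkg_cache_dir ${pkg})
 	local originfile=${cachedir}/origin
 	local mnt=$(my_path)
 
 	if [ ${PKGNG} -eq 1 -a ! -x ${mnt}/poudriere/pkg-static ]; then
-		tar xf ${mnt}/packages/Latest/pkg.txz -C ${mnt} \
+		injail tar xf /packages/Latest/pkg.txz -C / \
 			-s ",/.*/,poudriere/,g" "*/pkg-static"
 	fi
 	mkdir -p $(pkg_cache_dir ${pkg})
 	pkg_get_options ${pkg} > /dev/null
 	pkg_get_origin ${pkg} ${origin} > /dev/null
 	pkg_get_dep_origin ${pkg} > /dev/null
 	deps_file ${pkg} > /dev/null
@@ -2379,15 +2379,15 @@
 		:> ${log}/.poudriere.ports.built
 		:> ${log}/.poudriere.ports.failed
 		:> ${log}/.poudriere.ports.ignored
 		:> ${log}/.poudriere.ports.skipped
 	fi
 
 	if [ ${PKGNG} -eq 1 -a -e ${MASTERMNT}/packages/Latest/pkg.txz ]; then
-		tar xf ${MASTERMNT}/packages/Latest/pkg.txz -C ${MASTERMNT} \
+		injail tar xf /packages/Latest/pkg.txz -C / \
 			-s ",/.*/,poudriere/,g" "*/pkg-static"
 	elif [ ${PKGNG} -eq 1 -a ${SKIPSANITY} -eq 0 ]; then
 		msg "pkg package missing, skipping sanity"
 		SKIPSANITY=1
 	fi
 
 	if [ $SKIPSANITY -eq 0 ]; then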
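Review bot: In deps_file the cache file is written whatever the jailed tar's exit status is — the pipeline's status is awk's, so a jail that is not up or a +CONTENTS that cannot be read leaves an empty `${depfile}` that every later call accepts from the cache, and moving the extraction behind `injail` adds exactly that failure mode. The same shape recurs in the tbz branches of pkg_get_origin, pkg_get_dep_origin and pkg_get_options, whose function headers lie outside their hunks; there an empty value is cached through `echo ${origin} > "${originfile}"` and its siblings. Capturing the listing before parsing exposes tar's status, e.g. `contents=$(injail tar -qxf "/packages/All/${pkg##*/}" -O +CONTENTS) || return 1` followed by `printf '%s\n' "${contents}" | awk '$1 == "@pkgdep" { print $2 }' > "${depfile}"`. Note too that the awk/sed/tr stages and the unquoted `echo ${origin}` still consume package-supplied text on the host, so only the archive parsing itself is confined to the jail by this change.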