commit:     b891bf13e47694eb1d36a34efb03d21c4b382669
Author:     Zac Medico <zmedico <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 27 20:26:35 2015 +0000
Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Tue Apr 28 23:30:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=b891bf13

ebuild-helpers: avoid exec loops or fork bombs in wrappers (bug 547086)

Since commit 130c01b9e561dd6ff7733a4905b21a0a921e9a22, extra portage
paths in PATH could trigger exec loops or fork bombs in wrappers.

Fixes: 130c01b9e561 ("_doebuild_path: add fallback for temp PORTAGE_BIN_PATH 
(bug 547086)")
X-Gentoo-Bug: 547086
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=547086
Acked-by: Brian Dolbec <dolsen <AT> gentoo.org>

 bin/ebuild-helpers/bsd/sed            |  4 +++-
 bin/ebuild-helpers/portageq           |  4 +++-
 bin/ebuild-helpers/unprivileged/chown |  4 +++-
 bin/ebuild-helpers/xattr/install      | 14 +++++++++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/bin/ebuild-helpers/bsd/sed b/bin/ebuild-helpers/bsd/sed
index 01b8847..9a7f2d4 100755
--- a/bin/ebuild-helpers/bsd/sed
+++ b/bin/ebuild-helpers/bsd/sed
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2007-2012 Gentoo Foundation
+# Copyright 2007-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 scriptpath=${BASH_SOURCE[0]}
@@ -15,6 +15,8 @@ else
 
        for path in $PATH; do
                if [[ -x ${path}/${scriptname} ]]; then
+                       [[ ${path} == 
${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && continue
+                       [[ ${path} == */._portage_reinstall_.* ]] && continue
                        [[ ${path}/${scriptname} -ef ${scriptpath} ]] && 
continue
                        exec "${path}/${scriptname}" "$@"
                        exit 0
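Review bot: The added prefix guard expands `${PORTAGE_OVERRIDE_EPREFIX}` unquoted on the right-hand side of `==`, so any `*`, `?` or `[` in the prefix value is read as pattern syntax instead of literal text. Quoting only the variable keeps the rest of the expression a glob: `[[ ${path} == "${PORTAGE_OVERRIDE_EPREFIX}"/usr/lib*/portage/* ]] && continue`. The same line appears in the portageq, unprivileged/chown and xattr/install hunks. The enclosing loop starts and ends outside this hunk.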

diff --git a/bin/ebuild-helpers/portageq b/bin/ebuild-helpers/portageq
index 4151bac..ba889eb 100755
--- a/bin/ebuild-helpers/portageq
+++ b/bin/ebuild-helpers/portageq
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2009-2013 Gentoo Foundation
+# Copyright 2009-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 scriptpath=${BASH_SOURCE[0]}
@@ -15,6 +15,8 @@ set -f # in case ${PATH} contains any shell glob characters
 
 for path in ${PATH}; do
        [[ -x ${path}/${scriptname} ]] || continue
+       [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && 
continue
+       [[ ${path} == */._portage_reinstall_.* ]] && continue
        [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue
        PYTHONPATH=${PORTAGE_PYTHONPATH:-${PORTAGE_PYM_PATH}} \
                exec "${PORTAGE_PYTHON:-/usr/bin/python}" \
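Review bot: The two new `continue` guards have no comment saying why Portage's own directories are skipped, unlike the xattr/install hunk, which explains it. A line such as `# Skip internal portage paths to avoid an exec loop or fork bomb (bug 547086).` above them would stop a later cleanup from dropping the guards as redundant with the `-ef` check that follows. The sed and unprivileged/chown hunks have the same gap. The loop body continues past the end of this hunk.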

diff --git a/bin/ebuild-helpers/unprivileged/chown 
b/bin/ebuild-helpers/unprivileged/chown
index 08fa650..2f1f161 100755
--- a/bin/ebuild-helpers/unprivileged/chown
+++ b/bin/ebuild-helpers/unprivileged/chown
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2012-2013 Gentoo Foundation
+# Copyright 2012-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 scriptpath=${BASH_SOURCE[0]}
@@ -9,6 +9,8 @@ IFS=':'
 
 for path in ${PATH}; do
        [[ -x ${path}/${scriptname} ]] || continue
+       [[ ${path} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && 
continue
+       [[ ${path} == */._portage_reinstall_.* ]] && continue
        [[ ${path}/${scriptname} -ef ${scriptpath} ]] && continue
        IFS=$' \t\n'
        output=$("${path}/${scriptname}" "$@" 2>&1)
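Review bot: Inside `[[ … == pattern ]]` a `*` also matches `/`, so `/usr/lib*/portage/*` skips every PATH entry that starts with `<prefix>/usr/lib` and has `/portage/` anywhere later, not only `lib`, `lib32` or `lib64` followed directly by `portage`. If a directory holding the real `chown` ever matched, the wrapper would pass over it and fall through to whatever follows the loop, which is outside this hunk. Consider anchoring the segment, for example with the extended pattern `/usr/lib*([!/])/portage/*`, or at least naming the intended matches in a comment. The other three hunks use the same pattern.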

diff --git a/bin/ebuild-helpers/xattr/install b/bin/ebuild-helpers/xattr/install
index d572fe6..2d2a693 100755
--- a/bin/ebuild-helpers/xattr/install
+++ b/bin/ebuild-helpers/xattr/install
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2013 Gentoo Foundation
+# Copyright 2013-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 PORTAGE_BIN_PATH=${PORTAGE_BIN_PATH:-/usr/lib/portage/bin}
@@ -24,6 +24,18 @@ else
        fi
 fi
 
+# Filter internal portage paths from PATH, in order to avoid
+# a possible exec loop or fork bomb (see bug 547086).
+IFS=':'
+set -f
+path=
+for x in ${PATH}; do
+       [[ ${x} == ${PORTAGE_OVERRIDE_EPREFIX}/usr/lib*/portage/* ]] && continue
+       [[ ${x} == */._portage_reinstall_.* ]] && continue
+       path+=":${x}"
+done
+PATH=${path#:}
+
 if [[ "${implementation}" == "c" ]]; then
        exec "${INSTALL_XATTR}" "$@"
 elif [[ "${implementation}" == "python" ]]; then
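Review bot: `IFS=':'` and `set -f` are set at script level for the filter loop and never restored, so every later unquoted expansion in this script splits on colons and does no globbing. The `exec "${INSTALL_XATTR}" "$@"` branch visible here is quoted and unaffected, but the python branch continues outside the hunk. Adding `IFS=$' \t\n'` and, assuming noglob was not already on earlier in the file, `set +f` after `PATH=${path#:}` would confine the change, as unprivileged/chown already does for IFS. Separately, if every entry is filtered PATH becomes empty, which bash resolves against the current directory, so a guard for an empty result may be worth adding.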
