Arch-projects September 2019

arch-projects@lists.archlinux.org

6 participants
11 discussions

[arch-projects] [namcap] [PATCH] Add RUNPATH rule
by Jelle van der Waa 29 Sep '19

29 Sep '19

From: Jelle van der Waa <jelle(a)vdwaa.nl> Include a rule to check for vulnerable RUNPATH ELF binary entries, which allow arbitrary code execution by loading shared libraries from an attacker controller path. --- Namcap/rules/__init__.py | 1 + Namcap/rules/runpath.py | 71 ++++++++++++++++++++++++++++++++++++++++ namcap-tags | 1 + namcap.1 | 3 ++ 4 files changed, 76 insertions(+) create mode 100644 Namcap/rules/runpath.py diff --git a/Namcap/rules/__init__.py b/Namcap/rules/__init__.py index 525dbc6..ee400e2 100644 --- a/Namcap/rules/__init__.py +++ b/Namcap/rules/__init__.py @@ -44,6 +44,7 @@ from . import ( permissions, py_mtime, rpath, + runpath, scrollkeeper, shebangdepends, sodepends, diff --git a/Namcap/rules/runpath.py b/Namcap/rules/runpath.py new file mode 100644 index 0000000..053923e --- /dev/null +++ b/Namcap/rules/runpath.py @@ -0,0 +1,71 @@ +# namcap rules - runpath +# +# Copyright (C) 2019 Jelle van der Waa <jelle(a)archlinux.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +from Namcap.util import is_elf +from Namcap.ruleclass import TarballRule + +from elftools.elf.elffile import ELFFile +from elftools.elf.dynamic import DynamicSection + +allowed = ('/usr/lib', '/usr/lib32', '/lib', '$ORIGIN', '${ORIGIN}') +allowed_toplevels = (s + '/' for s in allowed) +warn = ['/usr/local/lib'] + + +def get_runpaths(fileobj): + elffile = ELFFile(fileobj) + for section in elffile.iter_sections(): + if not isinstance(section, DynamicSection): + continue + for tag in section.iter_tags(): + if tag.entry.d_tag != 'DT_RUNPATH': + continue + for path in tag.runpath.split(':'): + yield path + + +class package(TarballRule): + name = "runpath" + description = "Verifies if RUNPATH is secure" + + def analyze(self, pkgingo, tar): + for entry in tar: + if not entry.isfile(): + continue + + fileobj = tar.extractfile(entry) + if not is_elf(fileobj): + continue + + for path in get_runpaths(fileobj): + path_ok = path in allowed + for allowed_toplevel in allowed_toplevels: + if path.startswith(allowed_toplevel): + path_ok = True + + if not path_ok: + self.errors.append(("insecure-runpath %s %s", + (path, entry.name))) + break + + if path in warn and entry.name not in insecure_rpaths: + self.warnings.append(("insecure-runpath %s %s", + (path, entry.name))) + + +# vim: set ts=4 sw=4 noet: diff --git a/namcap-tags b/namcap-tags index 84cc3f7..1f7bc69 100644 --- a/namcap-tags +++ b/namcap-tags @@ -44,6 +44,7 @@ incorrect-owner %s (%s:%s) :: File (%s) is owned by %s:%s invalid-filename :: File name %s contains non standard characters info-dir-file-present %s :: Info directory file (%s) should not be present insecure-rpath %s %s :: Insecure RPATH '%s' in file ('%s') +insecure-runpath %s %s :: Insecure RUNPATH '%s' in file ('%s') libtool-file-present %s :: File (%s) is a libtool file library-no-package-associated %s :: Referenced library '%s' is an uninstalled dependency link-level-dependence %s in %s :: Link-level dependence (%s) in file %s diff --git a/namcap.1 b/namcap.1 index fcea8ed..9243087 100644 --- a/namcap.1 +++ b/namcap.1 @@ -108,6 +108,9 @@ Checks basic file and and directory permissions. It returns warnings about worl .B rpath Gives an error if a binary has RPATH set to something other than /usr/lib .TP +.B runpath +Gives an error if a binary has RUNPATH set to something other than /usr/lib, /usr/lib32 +.TP .B scrollkeeper Verifies that there aren't any scrollkeeper directories .TP -- 2.23.0

1 0

[arch-projects] [devtools] [GIT] The official devtools repository branch bpiotrowski/debug deleted. 20171108-13-g73b9f7b
by Levente Polyak 28 Sep '19

28 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official devtools repository". The branch, bpiotrowski/debug has been deleted was 73b9f7bfccf277e45f921920cc53d1cfb1331ca7 - Log ----------------------------------------------------------------- 73b9f7bfccf277e45f921920cc53d1cfb1331ca7 commitpkg: Use printf format strings for messages about debug packages ----------------------------------------------------------------------- hooks/post-receive -- The official devtools repository

1 0

[arch-projects] [devtools] [GIT] The official devtools repository branch master updated. 20190912-10-g74f65db
by Levente Polyak 27 Sep '19

27 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official devtools repository". The branch, master has been updated via 74f65db396038caafcba20e4302fba080d8cc100 (commit) via 64b7d995040fc670aaed5fbd048157b3feba0574 (commit) via f32a264796b3b43662b4734f1730d7a819d32484 (commit) via fd6e801cfb0910c00a789c6b3f17461d8610c99b (commit) via a3868cf5423d68a3614020376840a67da3a6f0d4 (commit) via 62a2f118ce84deb9077cf163c45d3b22af741269 (commit) via 723ad23b4859de69cfdb2b2c7ba9415832b42c58 (commit) via 5dd90ef848e99e86601807fd829f6586dc2ab6fc (commit) via 5246cb9aa5bdc390c793dc261b28f3439aaad4c0 (commit) via 144f8966608211f85fb492a4cce3c159989dd2eb (commit) from bbcff883d59e2fce4b26d241892bf83c70e9b704 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 74f65db396038caafcba20e4302fba080d8cc100 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Sat Sep 14 00:33:11 2019 +0200 zsh_completion: add offload-build completion Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 64b7d995040fc670aaed5fbd048157b3feba0574 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 01:32:57 2019 +0200 zsh_completion: add sogrep completions Transform sogrep into an in-prog so we can benefit from the m4 macro to specify valid repos in a single place of truth. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit f32a264796b3b43662b4734f1730d7a819d32484 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Thu Sep 19 20:58:00 2019 +0200 commitpkg: prefer explicit signature+data parameters for gpg --verify Lets prefer the explicit variant of gpg --verify by providing both, the signature and the data file as parameters. For the unlikely case there is a matching signature file already present that was created outside of the toolchain and has an embedded signature with data, we at least could detect it early with this check. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit fd6e801cfb0910c00a789c6b3f17461d8610c99b Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 21:17:20 2019 +0200 commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash Several cases showed that we release packages that were built with different PKGBUILDs than the one commited to the source tree. This is bad for obvious reasons plus sploils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a packages whose PKGBUILD doesn't match the one to be commited. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit a3868cf5423d68a3614020376840a67da3a6f0d4 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 21:15:23 2019 +0200 commitpkg: fix wrongly ordered find_cached_package call The unknown packager check didn't worked so far as the wrongly ordered call to find_cached_package lead to the enclosing block never being executed. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 62a2f118ce84deb9077cf163c45d3b22af741269 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 02:13:27 2019 +0200 make: add target to tag a new version Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 723ad23b4859de69cfdb2b2c7ba9415832b42c58 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 01:13:31 2019 +0200 zsh_completion: overhaul all completions to match actual options Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 5dd90ef848e99e86601807fd829f6586dc2ab6fc Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Thu Sep 12 23:34:22 2019 +0200 checkpkg: add option to print a warning in case of differences Sometimes its desired to be explicitly made aware of differences reporter by checkpkg via printing a warning instead of a regular message. Automatically use --warn for makechrootpkg builds so packagers are made visibly aware of a soname bump by simply looking out for colors indicating non success messages. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 5246cb9aa5bdc390c793dc261b28f3439aaad4c0 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Thu Sep 12 21:28:34 2019 +0200 checkpkg: add option to avoid keeping the tmp dir In some cases, like default makechrootpkg execution, the temporary directory used to assemble the differences is not required. Add an option to checkpkg that allows to get rid of that directory after run and call it automatically like that in makechrootpkg. Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> commit 144f8966608211f85fb492a4cce3c159989dd2eb Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Wed Sep 11 23:10:04 2019 +0200 makechrootpkg: run checkpkg automatically after build Cache previous versions required for checkpkg via pacman to avoid multiple downloads when running multiple times. In case we can't download the packages, like while building out of repo packages, print a warning instead of running checkpkg Signed-off-by: Levente Polyak <anthraxx(a)archlinux.org> ----------------------------------------------------------------------- Summary of changes: .gitignore | 1 + Makefile | 12 +++++++--- archbuild.in | 2 +- checkpkg.in | 53 ++++++++++++++++++++++++++++++++++++++++++-- commitpkg.in | 13 +++++++---- doc/checkpkg.1.asciidoc | 13 +++++++++++ lib/valid-repos.sh | 31 ++++++++++++++++++++++++++ makechrootpkg.in | 20 ++++++++++++++++- sogrep => sogrep.in | 12 +++++----- zsh_completion.in | 58 ++++++++++++++++++++++++++++++++++++++++--------- 10 files changed, 187 insertions(+), 28 deletions(-) create mode 100644 lib/valid-repos.sh rename sogrep => sogrep.in (92%) hooks/post-receive -- The official devtools repository

1 0

[arch-projects] [devtools] [GIT] The official devtools repository branch feature/disallow-pkgbuild-mismatch deleted. 20190912-2-ge9f1a1f
by Levente Polyak 21 Sep '19

21 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official devtools repository". The branch, feature/disallow-pkgbuild-mismatch has been deleted was e9f1a1fb027498c463ee87724f88086da045d818 - Log ----------------------------------------------------------------- e9f1a1fb027498c463ee87724f88086da045d818 commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash ----------------------------------------------------------------------- hooks/post-receive -- The official devtools repository

1 0

[arch-projects] [devtools] [GIT] The official devtools repository branch feature/disallow-pkgbuild-mismatch created. 20190912-2-ge9f1a1f
by Levente Polyak 21 Sep '19

21 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official devtools repository". The branch, feature/disallow-pkgbuild-mismatch has been created at e9f1a1fb027498c463ee87724f88086da045d818 (commit) - Log ----------------------------------------------------------------- commit e9f1a1fb027498c463ee87724f88086da045d818 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 21:17:20 2019 +0200 commitpkg: disallow if PKGBUILD hash mismatches package's enclosed hash Several cases showed that we release packages that were built with different PKGBUILDs than the one commited to the source tree. This is bad for obvious reasons plus sploils reproducible builds. We, under no circumstances, want to allow using commitpkg to publish and release a packages whose PKGBUILD doesn't match the one to be commited. commit 3e2cae8ce9a43a6647eba4758024c722203fc301 Author: Levente Polyak <anthraxx(a)archlinux.org> Date: Fri Sep 13 21:15:23 2019 +0200 commitpkg: fix wrongly ordered find_cached_package call The unknown packager check didn't worked so far as the wrongly ordered call to find_cached_package lead to the enclosing block never being executed. ----------------------------------------------------------------------- hooks/post-receive -- The official devtools repository

1 0

[arch-projects] [devtools] [PATCH] commitpkg: Avoid excess blank lines
by Daniel M. Capella 17 Sep '19

17 Sep '19

Most of the time we're just bumping the pkgver and checksums, where a commit body isn't needed. Referencing commit ee970f0bde3c90a0dff909c366d4ab1a1bff9b9d Signed-off-by: Daniel M. Capella <polyzen(a)archlinux.org> --- commitpkg.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/commitpkg.in b/commitpkg.in index 3fc3fa6..a626531 100644 --- a/commitpkg.in +++ b/commitpkg.in @@ -104,10 +104,10 @@ if [[ -z $server ]]; then fi if [[ -n $(svn status -q) ]]; then - msgtemplate="upgpkg: $pkgbase $(get_full_version)"$'\n\n' + msgtemplate="upgpkg: $pkgbase $(get_full_version)" if [[ -n $1 ]]; then stat_busy 'Committing changes to trunk' - svn commit -q -m "${msgtemplate}${1}" || die + svn commit -q -m "${msgtemplate}\n\n${1}" || die stat_done else msgfile="$(mktemp)" -- 2.23.0

2 1

[arch-projects] [mkinitcpio] [GIT] The official mkinitcpio repository branch master updated. 25-7-gbc41c8b
by grazzolini＠archlinux.org 16 Sep '19

16 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official mkinitcpio repository". The branch, master has been updated via bc41c8b3c51263e52ff21f5ff52fce5c778a35d9 (commit) via 06bc15f71a3e627b62c8de589f8c511deaaca791 (commit) via 9120dabfb0408d312ef312691d37942bf562976f (commit) via e9ba7b678ecf6a6e69afa2ec569a131a0a98de48 (commit) via ec1b6f789b3f94848f428df3b9277e45ceaf14ca (commit) from 74d5acfa3c33121ed119698080dbcfb79b21e881 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit bc41c8b3c51263e52ff21f5ff52fce5c778a35d9 Merge: 74d5acf 06bc15f Author: Giancarlo Razzolini <grazzolini(a)archlinux.org> Date: Sun Sep 15 23:06:24 2019 -0300 Merge remote-tracking branch 'github/master' commit 06bc15f71a3e627b62c8de589f8c511deaaca791 Merge: 74d5acf 9120dab Author: Giancarlo Razzolini <grazzolini(a)archlinux.org> Date: Sun Sep 15 23:01:22 2019 -0300 Merge branch 'Foxboron-morten/copyright' commit 9120dabfb0408d312ef312691d37942bf562976f Merge: 74d5acf e9ba7b6 Author: Giancarlo Razzolini <grazzolini(a)archlinux.org> Date: Sun Sep 15 23:00:35 2019 -0300 Merge branch 'morten/copyright' of https://github.com/Foxboron/mkinitcpio into Foxboron-morten/copyright commit e9ba7b678ecf6a6e69afa2ec569a131a0a98de48 Author: Morten Linderud <morten(a)linderud.pw> Date: Sun Sep 15 12:20:03 2019 +0200 [README] Add grazzolini to the copyright commit ec1b6f789b3f94848f428df3b9277e45ceaf14ca Author: Morten Linderud <morten(a)linderud.pw> Date: Tue Sep 10 22:57:22 2019 +0200 Updated copyright year ----------------------------------------------------------------------- Summary of changes: README | 3 ++- man/lsinitcpio.1.txt | 2 +- man/mkinitcpio.8.txt | 2 +- man/mkinitcpio.conf.5.txt | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) hooks/post-receive -- The official mkinitcpio repository

1 0

[arch-projects] [mkinitcpio] [GIT] The official mkinitcpio repository branch master updated. 25-2-g74d5acf
by grazzolini＠archlinux.org 14 Sep '19

14 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official mkinitcpio repository". The branch, master has been updated via 74d5acfa3c33121ed119698080dbcfb79b21e881 (commit) via ca8f13e11d422fa01bc031ff0610442b82ea6b65 (commit) from a3cb799a8f63186b843db6a57da12d74a9320686 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 74d5acfa3c33121ed119698080dbcfb79b21e881 Merge: a3cb799 ca8f13e Author: Giancarlo Razzolini <grazzolini(a)users.noreply.github.com> Date: Sat Sep 14 01:08:00 2019 -0300 Merge pull request #1 from esotericnonsense/esotericnonsense/reproducible mkinitcpio: Produce reproducible initramfs images commit ca8f13e11d422fa01bc031ff0610442b82ea6b65 Author: Daniel Edgecumbe <git(a)esotericnonsense.com> Date: Sat Sep 7 11:15:26 2019 +0100 mkinitcpio: Produce reproducible initramfs images We achieve this by stripping timestamps from within the filesystem, and by using a pipeline to strip inodes from the cpio archive. It functions for at least the 'gzip', 'xz', 'bzip2', 'lz4' and 'cat' compressors. The 'lzop' compressor embeds a runtime timestamp. Motivation: https://reproducible-builds.org Signed-off-by: Daniel Edgecumbe <git(a)esotericnonsense.com> ----------------------------------------------------------------------- Summary of changes: man/mkinitcpio.8.txt | 16 ++++++++++++++++ mkinitcpio | 23 +++++++++++++---------- 2 files changed, 29 insertions(+), 10 deletions(-) hooks/post-receive -- The official mkinitcpio repository

1 0

[arch-projects] [devtools] [GIT] The official devtools repository annotated tag 20190912 created. 20190912
by Levente Polyak 12 Sep '19

12 Sep '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The official devtools repository". The annotated tag, 20190912 has been created at 168da4af67c5173e0271983a947d77bf883c9757 (tag) tagging bbcff883d59e2fce4b26d241892bf83c70e9b704 (commit) replaces 20190821 tagged by Levente Polyak on Thu Sep 12 23:04:32 2019 +0200 - Log ----------------------------------------------------------------- Version 20190912 -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE4kC1fixGMLp2ji8m/BtUfI2BcsgFAl16suUACgkQ/BtUfI2B csg6pA//fCsXZcl+yCeWx/77g5hm72B+N+oQH0DXp8LR8Ju20PKSl+FD1otkqFUR K5eTwvz7vCwZ5Kzw2GRbNZLqS4EB/SpIg0XGnQe6741JJXdyCNKX7M54CCzXV50k /Xm51x288MS5a7PnG8GyMaB+T3RXuyv3qVB5rhUNuhNZ3zlmcMc6V9hS1OgCNjp+ gWvHiXGk2qQxkGJjdfV+AzinOjCLm0Tw6HffUMVEjQ1Zmt7J6oBGJ/st5mqvpR/7 OWu4tKsf2MCZ1G24eusiogbCtkVbsenAS7+l3UyBB72bZ+chYvKAT25VcaVcDO85 STkoOHvL/Qw4k0Boya4MPiljOyCPwURUgZnSslCJ4WuovGdHmATrBoDPjIQYja2p OtpCrnmrSrY0mXYhV/wrIW8VfUE2Wi58UyDRxCC2rzHvNATONoiljNRwygifQM81 G2v+reB2R+Czluqkwr4gwkLozJ16Hj90QOG+gJPjtsXcwsIVDLO+a5rVxy0ak2Gz pCKr9sBEjwBNDpWDojVjCkcGJax0b6KomV6IdepLvhymyeaUVQDodBCTyPmU14q6 foVbvOQZmvGrHf7GzPw+H1B9T0l1ukD4OL7+91I6arKDITWstRSo6NdBUR2te6x4 twpAxM95QWAnPaPVM5JyzqlAAXh2ZfnEczduzknGtgu2AHLJne8= =78mE -----END PGP SIGNATURE----- Eli Schwartz (1): Revert "makechrootpkg: with -n, check if the package failed to install" Levente Polyak (1): Version 20190912 ----------------------------------------------------------------------- hooks/post-receive -- The official devtools repository

1 0

[arch-projects] [devtools] [GIT] The official devtools repository branch master updated. 20190821-2-gbbcff88
by Levente Polyak 12 Sep '19

12 Sep '19

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Arch-projects September 2019