[pacman-dev] [PATCH v3 1/2] makepkg: don't let the strip routine mess up file attributes

Allan McRae allan at archlinux.org
Mon Feb 8 04:24:08 UTC 2021


On 8/2/21 2:09 pm, Eli Schwartz wrote:
> It updates the stripped/objcopied file by creating a temp file,
> chown/chmodding it, and replacing the original file. But upstream
> binutils has CVE-worthy issues with this if running strip as root, and
> some recent versions of strip don't play nicely with fakeroot.
> 
> Also, this has always destroyed xattrs. :/
> 
> Sidestep the issue by telling strip/objcopy to write to a temporary
> file, and manually dump the contents of that back into the original
> binary. Since the original binary is intact, albeit with different
> contents, it retains its correct attributes in fakeroot.
> 
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
> 
> v3: use mktemp to prevent clobbering mysterious packaged *.temp files
> 

Thanks - this version is good.


>  scripts/libmakepkg/tidy/strip.sh.in | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
> index 868b96f3b..9cb0fd8d0 100644
> --- a/scripts/libmakepkg/tidy/strip.sh.in
> +++ b/scripts/libmakepkg/tidy/strip.sh.in
> @@ -69,7 +69,10 @@ strip_file() {
>  		# copy debug symbols to debug directory
>  		mkdir -p "$dbgdir/${binary%/*}"
>  		objcopy --only-keep-debug "$binary" "$dbgdir/$binary.debug"
> -		objcopy --add-gnu-debuglink="$dbgdir/${binary#/}.debug" "$binary"
> +		local tempfile=$(mktemp "$binary.XXXXXX")
> +		objcopy --add-gnu-debuglink="$dbgdir/${binary#/}.debug" "$binary" "$tempfile"
> +		cat "$tempfile" > "$binary"
> +		rm "$tempfile"
> 
>  		# create any needed hardlinks
>  		while IFS= read -rd '' file ; do
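Review bot: the `objcopy --add-gnu-debuglink=... "$binary" "$tempfile"` call in this hunk is not checked before `cat "$tempfile" > "$binary"` overwrites the original, unlike the `strip` call in the second hunk which is wrapped in `if ...; then`. If objcopy fails or writes a partial file, the redirection still truncates `$binary` and the package ships an empty or truncated binary. Guard it the same way (`if objcopy ... "$binary" "$tempfile"; then cat "$tempfile" > "$binary"; fi`) and use `rm -f "$tempfile"` for consistency with the other hunk. Separately, `local tempfile=$(mktemp "$binary.XXXXXX")` masks mktemp's exit status because `local` always returns 0; declaring and assigning on separate lines lets a failed mktemp (empty `$tempfile`) be detected instead of being passed to objcopy as an empty path.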
> @@ -93,7 +96,11 @@ strip_file() {
>  		fi
>  	fi
> 
> -	strip $@ "$binary"
> +	local tempfile=$(mktemp "$binary.XXXXXX")
> +	if strip "$@" "$binary" -o "$tempfile"; then
> +		cat "$tempfile" > "$binary"
> +	fi
> +	rm -f "$tempfile"
>  }
> 
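Review bot: `cat "$tempfile" > "$binary"` truncates the original before copying and its exit status is never examined, so a short write (for example on a full disk) leaves a silently truncated binary in the package while the script continues; check the result of the copy before the `rm -f`. The same `local tempfile=$(mktemp ...)` masking of mktemp's exit status applies here, although in this hunk a failed mktemp is caught indirectly because `strip ... -o ""` fails and the `if` skips the overwrite. Changing `strip $@` to `strip "$@"` is a correct quoting fix. Since the whole point of redirecting into the existing file rather than renaming the temp file over it is to keep the original inode, and with it the owner, mode and xattrs under fakeroot, a short comment above the mktemp line stating that would stop a later cleanup from replacing the `cat` with `mv`.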
> 
> --
> 2.30.0
> .
> 

