From nobody Sat Nov 23 18:16:32 2024
Date: Sat, 23 Nov 2024 18:16:32 GMT
Message-Id: <202411231816.4ANIGW47021678@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Michael Gmelin
Subject: git: c4139815d8f3 - main - sysutils/iocage: Add hardening measures on untar
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: grembo
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c4139815d8f3472317e6461da7f2589cc5a7ccbf

The branch main has been updated by grembo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c4139815d8f3472317e6461da7f2589cc5a7ccbf

commit c4139815d8f3472317e6461da7f2589cc5a7ccbf
Author:     Michael Gmelin
AuthorDate: 2024-11-23 17:37:49 +0000
Commit:     Michael Gmelin
CommitDate: 2024-11-23 18:15:34 +0000

    sysutils/iocage: Add hardening measures on untar

    This adds hardening measures while untarring archives fetched over the
    network (including FreeBSD tarballs and iocage plugins), as implemented
    by TrueNAS. This reduces the impact of intentionally malicious or
    accidentally broken archives.

    Please note that users are still advised to only fetch from trusted
    sources and make use of TLS to prevent MITM attacks.

    While there, add patch to store man pages in the correct location.

    Obtained from: https://github.com/truenas/iocage/pull/358
---
 sysutils/iocage/Makefile                            |  1 +
 .../iocage/files/patch-iocage__lib_ioc__fetch.py    | 22 ++++++++++++++++++++++
 .../iocage/files/patch-iocage__lib_ioc__plugin.py   | 22 ++++++++++++++++++++++
 sysutils/iocage/files/patch-setup.py                | 15 +++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/sysutils/iocage/Makefile b/sysutils/iocage/Makefile
index bd966a2674fe..a6d03c6a02cb 100644
--- a/sysutils/iocage/Makefile
+++ b/sysutils/iocage/Makefile
@@ -1,5 +1,6 @@ PORTNAME= iocage PORTVERSION= 1.8 +PORTREVISION= 1 CATEGORIES= sysutils python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py new file mode 100644 index 000000000000..73d8b6e58068 --- /dev/null +++ b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py @@ -0,0 +1,22 @@ +--- iocage_lib/ioc_fetch.py.orig 2024-09-20 06:45:27 UTC ++++ iocage_lib/ioc_fetch.py +@@ -47,7 +47,10 @@ import iocage_lib.ioc_start + from iocage_lib.pools import Pool + from iocage_lib.dataset import Dataset + ++# deliberately crash if tarfile doesn't have required filter ++tarfile.tar_filter + ++ + class IOCFetch: + + """Fetch a RELEASE for use as a jail base.""" +@@ -817,7 +820,7 @@ class IOCFetch: + # removing them first. + member = self.__fetch_extract_remove__(f) + member = self.__fetch_check_members__(member) +- f.extractall(dest, members=member) ++ f.extractall(dest, members=member, filter='tar') + + def fetch_update(self, cli=False, uuid=None): + """This calls 'freebsd-update' to update the fetched RELEASE.""" diff --git a/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py b/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py new file mode 100644 index 000000000000..be9ee84d1e3f --- /dev/null +++ b/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py 
@@ -0,0 +1,22 @@ +--- iocage_lib/ioc_plugin.py.orig 2024-09-20 06:45:27 UTC ++++ iocage_lib/ioc_plugin.py +@@ -61,7 +61,10 @@ from iocage_lib.dataset import Dataset + GIT_LOCK = threading.Lock() + RE_PLUGIN_VERSION = re.compile(r'"path":"([/\.\+,\d\w-]*)\.txz"') + ++# deliberately crash if tarfile doesn't have required filter ++tarfile.tar_filter + ++ + class IOCPlugin(object): + + """ +@@ -157,7 +160,7 @@ class IOCPlugin(object): + shutil.copyfileobj(r.raw, f) + + with tarfile.open(packagesite_txz_path) as p_file: +- p_file.extractall(path=tmpdir) ++ p_file.extractall(path=tmpdir, filter='data') + + packagesite_path = os.path.join(tmpdir, 'packagesite.yaml') + if not os.path.exists(packagesite_path): diff --git a/sysutils/iocage/files/patch-setup.py b/sysutils/iocage/files/patch-setup.py new file mode 100644 index 000000000000..cad071146d2d --- /dev/null +++ b/sysutils/iocage/files/patch-setup.py @@ -0,0 +1,15 @@ +--- setup.py.orig 2024-09-20 06:45:27 UTC ++++ setup.py +@@ -30,10 +30,10 @@ from setuptools import find_packages, setup + + if os.path.isdir("/".join([sys.prefix, "etc/init.d"])): + _data = [('etc/init.d', ['rc.d/iocage']), +- ('man/man8', ['iocage.8.gz'])] ++ ('share/man/man8', ['iocage.8.gz'])] + else: + _data = [('etc/rc.d', ['rc.d/iocage']), +- ('man/man8', ['iocage.8.gz'])] ++ ('share/man/man8', ['iocage.8.gz'])] + + if os.path.isdir("/".join([sys.prefix, "share/zsh/site-functions/"])): + _data.append(('share/zsh/site-functions', ['zsh-completion/_iocage']))
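Review bot: the bare expression `tarfile.tar_filter` added at module scope in the ioc_fetch.py hunk (context line 47 onward) fails with an AttributeError that says nothing about why on any Python whose tarfile predates the extraction filters; an explicit check with a message, e.g. `if not hasattr(tarfile, 'tar_filter'): raise RuntimeError('iocage needs a tarfile with extraction filters (Python 3.12+ or a backport release)')`, gives the operator something actionable instead of a traceback at import time. The probe also relies on `tarfile` already being imported above the hunk's visible context, which is worth confirming, and since the Makefile hunk only bumps PORTREVISION, the port's Python version constraint should reflect the new hard requirement on a filter-capable tarfile.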
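Review bot: `filter='tar'` on the RELEASE extraction in the ioc_fetch.py hunk (`f.extractall(dest, members=member, filter='tar')`, context line 817 onward) does more than reject traversal: the stdlib 'tar' filter also masks every member's mode with 0o755, clearing setuid, setgid and sticky bits and group/other write bits. For a FreeBSD base tarball that means setuid binaries such as su(1) and passwd(1) land in the jail base without the bit and /tmp loses its sticky bit. If that is intended it belongs in the commit message; if not, pass a callable that wraps `tarfile.tar_filter` and re-applies the original high mode bits for this trusted base-system case, keeping the path checks. Also, a rejected member raises `tarfile.FilterError` out of `extractall` after a partial extraction into `dest`, and nothing here catches it or cleans up the half-written release.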
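Review bot: the module-scope probe in the ioc_plugin.py hunk (context line 61 onward) is a verbatim copy of the one in ioc_fetch.py, with the same opaque AttributeError; one shared helper with a readable message would serve both call sites. It also probes `tarfile.tar_filter` while the only use in this file is `filter='data'`, so `tarfile.data_filter` is the attribute whose presence actually matters here (they were introduced together, but the check should name what the code uses).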
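Review bot: `filter='data'` is the right choice for packagesite.txz in the ioc_plugin.py hunk (context line 157 onward), since the archive is only expected to yield packagesite.yaml and 'data' additionally rejects device files and links pointing outside `tmpdir`; but a rejected member raises `tarfile.FilterError` straight out of `p_file.extractall(path=tmpdir, filter='data')` as an uncaught traceback. The code already handles the missing-file case right after (`if not os.path.exists(packagesite_path):`), so catching `tarfile.FilterError` around the extractall and reporting a rejected archive through the same path would be consistent.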
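Review bot: after the setup.py hunk both branches of `if os.path.isdir("/".join([sys.prefix, "etc/init.d"])):` install the man page to the identical `share/man/man8` entry, so only the rc.d tuple differs; hoisting the man page entry out of the conditional would remove the duplicated line. This is also the unrelated "while there" fix the commit message mentions, which would be easier to bisect as its own commit.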