Date: Sat, 23 Nov 2024 18:16:33 GMT From: Michael Gmelin <grembo@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: a4b2dd46482c - main - sysutils/iocage-devel: Add hardening measures on untar Message-ID: <202411231816.4ANIGX2Y021727@gitrepo.freebsd.org>
The branch main has been updated by grembo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a4b2dd46482c6a039f9ca296fa738b83752b1457

commit a4b2dd46482c6a039f9ca296fa738b83752b1457
Author: Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2024-11-23 18:11:44 +0000
Commit: Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2024-11-23 18:15:38 +0000

sysutils/iocage-devel: Add hardening measures on untar

This adds hardening measures while untaring archives fetched over the network (including FreeBSD tarballs and iocage plugins), as implemented by TrueNAS. This reduces the impact of intentionally malicious or accidentally broken archives. Please note that users are still advised to only fetch from trusted sources and make use of TLS to prevent MITM attacks.

While there, add patch to store man pages in the correct location.

Obtained from: https://github.com/truenas/iocage/pull/358
---
 sysutils/iocage-devel/Makefile | 1 +
 .../files/patch-iocage__lib_ioc__fetch.py | 22 ++++++++++++++++++++++
 .../files/patch-iocage__lib_ioc__plugin.py | 22 ++++++++++++++++++++++
 sysutils/iocage-devel/files/patch-setup.py | 15 +++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/sysutils/iocage-devel/Makefile b/sysutils/iocage-devel/Makefile
index 548871820f6b..21db6054355a 100644
--- a/sysutils/iocage-devel/Makefile
+++ b/sysutils/iocage-devel/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= iocage-devel
 PORTVERSION= 1.8.20241014
+PORTREVISION= 1
 PORTEPOCH= 1
 CATEGORIES= sysutils python
 PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
diff --git a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
new file mode 100644
index 000000000000..73d8b6e58068
--- /dev/null
+++ b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
@@ -0,0 +1,22 @@
+--- iocage_lib/ioc_fetch.py.orig 2024-09-20 06:45:27 UTC
++++ iocage_lib/ioc_fetch.py
+@@ -47,7 +47,10 @@ import iocage_lib.ioc_start
+ from iocage_lib.pools import Pool
+ from iocage_lib.dataset import Dataset
++# deliberately crash if tarfile doesn't have required filter
++tarfile.tar_filter
++
+ class IOCFetch:
+
+ """Fetch a RELEASE for use as a jail base."""
+@@ -817,7 +820,7 @@ class IOCFetch:
+ # removing them first.
+ member = self.__fetch_extract_remove__(f)
+ member = self.__fetch_check_members__(member)
+- f.extractall(dest, members=member)
++ f.extractall(dest, members=member, filter='tar')
+
+ def fetch_update(self, cli=False, uuid=None):
+ """This calls 'freebsd-update' to update the fetched RELEASE."""
diff --git a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__plugin.py b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__plugin.py
new file mode 100644
index 000000000000..be9ee84d1e3f
--- /dev/null
+++ b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__plugin.py
@@ -0,0 +1,22 @@
+--- iocage_lib/ioc_plugin.py.orig 2024-09-20 06:45:27 UTC
++++ iocage_lib/ioc_plugin.py
+@@ -61,7 +61,10 @@ from iocage_lib.dataset import Dataset
+ GIT_LOCK = threading.Lock()
+ RE_PLUGIN_VERSION = re.compile(r'"path":"([/\.\+,\d\w-]*)\.txz"')
++# deliberately crash if tarfile doesn't have required filter
++tarfile.tar_filter
++
+ class IOCPlugin(object):
+
+ """
+@@ -157,7 +160,7 @@ class IOCPlugin(object):
+ shutil.copyfileobj(r.raw, f)
+
+ with tarfile.open(packagesite_txz_path) as p_file:
+- p_file.extractall(path=tmpdir)
++ p_file.extractall(path=tmpdir, filter='data')
+
+ packagesite_path = os.path.join(tmpdir, 'packagesite.yaml')
+ if not os.path.exists(packagesite_path):
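Review bot: The new `tarfile.tar_filter` line is a bare attribute expression, so on an interpreter without extraction filters the module import dies with an unexplained AttributeError and linters typically flag the statement as having no effect; an explicit guard, `if not hasattr(tarfile, 'tar_filter'):` followed by `raise RuntimeError('tarfile extraction filters (Python >= 3.12 or a backport) are required')`, states the requirement and gives the operator an actionable message — the same probe appears in the ioc_plugin.py hunk. The `filter='tar'` passed to `f.extractall` rejects absolute and traversal member names but, unlike 'data', does not reject symlinks or hardlinks whose target lies outside `dest`, so link safety for the fetched RELEASE still rests on `__fetch_check_members__`, whose body is outside this hunk; a short comment at the call such as `# 'tar' rather than 'data': link targets are vetted in __fetch_check_members__; confirm why the weaker filter is needed here` would record the choice for the next reader. Also worth confirming: the 'tar' filter clears setuid/setgid/sticky bits on extraction, which matters if the extracted RELEASE base relies on them. The enclosing extract method and the IOCFetch class both start outside the hunk.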
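Review bot: The probe guards on `tarfile.tar_filter`, but the extraction at `p_file.extractall(path=tmpdir, filter='data')` relies on the 'data' filter, so the attribute checked is not the one used; probing `tarfile.data_filter` here keeps the guard aligned with the call (both filters ship together, so this is consistency rather than a functional gap). The surrounding method and the IOCPlugin class start outside the hunk.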
@@ -0,0 +1,15 @@
+--- setup.py.orig 2024-09-20 06:45:27 UTC
++++ setup.py
+@@ -30,10 +30,10 @@ from setuptools import find_packages, setup
+
+ if os.path.isdir("/".join([sys.prefix, "etc/init.d"])):
+ _data = [('etc/init.d', ['rc.d/iocage']),
+- ('man/man8', ['iocage.8.gz'])]
++ ('share/man/man8', ['iocage.8.gz'])]
+ else:
+ _data = [('etc/rc.d', ['rc.d/iocage']),
+- ('man/man8', ['iocage.8.gz'])]
++ ('share/man/man8', ['iocage.8.gz'])]
+
+ if os.path.isdir("/".join([sys.prefix, "share/zsh/site-functions/"])):
+ _data.append(('share/zsh/site-functions', ['zsh-completion/_iocage']))