Created attachment 424390
Asan output
I discovered that a crafted file is causing a stack OOB.
Crafted file: http://dev.gentoo.org/~ago/qfile-OOB-crash.log
where exactly are you putting this file ? qfile doesn't read specific files like qlop's -f flag, so it's not clear what you're doing. please describe in full how to reproduce.
(In reply to SpanKY from comment #1)
> where exactly are you putting this file ? qfile doesn't read specific files
> like qlop's -f flag, so it's not clear what you're doing. please describe
> in full how to reproduce.
qfile --help reports:
-f, --from <arg> * Read arguments from file <arg> ("-" for stdin)
SO:
ago@willoughby /tmp $ echo "/bin/nano" > emerge.log
ago@willoughby /tmp $ qfile -f emerge.log
app-editors/nano (/bin/nano)
oh, for argv processing. no one uses that flag :p. i think i'll just delete it and see if anyone complains.
(In reply to SpanKY from comment #3)
> oh, for argv processing. no one uses that flag :p. i think i'll just
> delete it and see if anyone complains.
You are free to delete it, but did you do a survey to know that no one uses it? :D
(In reply to Agostino Sarubbo from comment #4)
if someone misses it, they'll file a bug for me
dropped it here:
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=070f64a84544f74ad633f08c9c07f99a06aea551
commit message also explains how to trivially replace all uses of `qfile -f` with `xargs -a ... qfile`.
well, do you mind making a new upstream version so we can stabilize that? it will also fix bug 573106. Thanks
0.61 in the tree now https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5ba4a518a1fc671562fda1e57193e73498095bd
Is this ready to go stable?
stabilizing through bug 573106
So instead of fixing it, you just remove the option, breaking reverse dependencies? Nice.
(In reply to Ulrich Müller from comment #11)
the option was not well written in the first place, both internally and externally. read the details in comment 6. the fact it wasn't failing in the edge cases for you was purely a happy accident. that isn't how one writes reliable/good tooling.
(In reply to SpanKY from comment #6)
> commit message also explains how to trivially replace all uses of `qfile -f`
> with `xargs -a ... qfile`.
BTW, that won't work on all systems because the -a option is a GNU extension. (xargs with input redirection can be used, of course.)
might want to actually remove it from the manual too...
(In reply to Ulrich Müller from comment #13)
as a practical matter, i don't think that's terribly relevant. we pretty much require GNU/findutils in the tree, so if you're building things, you have it.
(In reply to Rick Farina (Zero_Chaos) from comment #14)
that's what we get for writing documentation ;)
https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=3fb265e0863689e3e352fc6abcedc77a262323f2
@maintainer(s), please clean the vulnerable versions from the tree. While there is no PoC, it is safest to clean the vulnerable versions. We will close this as [noglsa] due to the lack of such proof. If anyone wants this audited then please reopen and assign to the auditing team.
bump for cleanup.
https://github.com/gentoo/gentoo/pull/3620
Tree is clean