
Bug 664602

Summary: [hardening] x11-base/xorg-server compilation fails when sys-apps/gawk is compiled with forced-sandbox USE-flag
Product: Gentoo Linux
Component: Current packages
Reporter: Matt <jackdachef>
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: UNCONFIRMED ---
Severity: normal
Priority: Normal
CC: hardened, sam
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Matt 2018-08-25 23:11:25 UTC
/var/tmp/portage/x11-base/xorg-server-1.20.1/work/xorg-server-1.20.1/hw/xfree86/xkb/xkbKillSrv.c
gawk: cmd. line:11: fatal: redirection not allowed in sandbox mode
make[4]: *** [Makefile:1175: sdksyms.c] Error 2
make[4]: *** Waiting for unfinished jobs....


Stumbling upon the following issue entry of original-mawk on GitHub:
https://github.com/ThomasDickey/original-mawk/issues/49

I enabled the forced-sandbox use-flag to harden the system from arbitrary code injection in awk-scripts, preventing easy access to system().

This has been the first failing package due to that change.

If it's easy to fix, it should be considered to set forced-sandbox for gawk in the future.
Comment 1 Matt Turner gentoo-dev 2018-08-30 16:42:37 UTC
hardened@: please Cc x11@ when you have a proposed fix.
Comment 2 Magnus Granberg gentoo-dev 2018-08-31 01:13:11 UTC
emerge --info and buildlog
Xorg-server should be fixed upstream
Comment 3 Matt Turner gentoo-dev 2018-08-31 08:16:48 UTC
Maybe you misunderstood me. I have no idea what is going on in this bug and I'm not going to spend the time to figure it out. If hardened@ cares to solve the bug and it requires fixing xorg-server, then feel free to Cc x11@.

Until then, leave us out.