| Summary: | unpacker.eclass: zstd unpacker accepts junk as input | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Michał Górny <mgorny> |
| Component: | Eclasses | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=873352 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=665ed4ce5c2a6c749bf794860ccd4d62e8f278e0 commit 665ed4ce5c2a6c749bf794860ccd4d62e8f278e0 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-09-24 13:44:29 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-09-27 20:27:56 +0000 unpacker.eclass: Remove `-f` from zstd arguments Remove `-f` from zstd arguments. This option causes zstd to ignore input errors, notably causing it to pass invalid files through rather than returning an error. Closes: https://bugs.gentoo.org/872662 Signed-off-by: Michał Górny <mgorny@gentoo.org> eclass/unpacker.eclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) |
unpacker.eclass unpacks .zst files with -f option that is documented as: • -f, --force: disable input and output checks. Allows overwriting existing files, input from console, output to stdout, operating on links, block devices, etc. This also means that if input isn't a zstd compressed file, zstd just pipes it through and returns success. In other words: $ zstd -cfd /etc/gentoo-release ; echo $? Gentoo Base System release 2.9 0 Any file with .zst suffix in SRC_URI that is invalid will be copied verbatim by unpacker.eclass into the output file instead of triggering an error. I don't think this is desirable. Will include a patch in my upcoming patchset.