
Bug 927918

Summary: net-firewall/ipset init script TEMP_SUFFIX with unescaped . causes unintended regex matches
Product: Gentoo Linux Reporter: Hank Leininger <hlein>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: hlein, me, mpagano, robbat2
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=908235
https://github.com/gentoo/gentoo/pull/35939
Whiteboard:
Package list:
Runtime testing required: ---

Description Hank Leininger 2024-03-26 20:50:05 UTC
Since ipset-7.17-r1 we've used a short suffix for temp ipset names.

But as pointed out in https://bugs.gentoo.org/908235#c4, the suffix chosen, '.t', causes misbehavior when that is used to grep for the existence of a set by that name, because the . is a regex wildcard.

We either need to forbid . in suffixes, or add escaping when building a regex.

There are some other implicit restrictions on the characters allowed in TEMP_SUFFIX, because we embed it in sed s/// commands and such. A / is legal in a set name, but would break our init script.

So we should enforce restricting and/or sanitizing more characters than just ., but anything that we can't support correctly.

We also probably should quote set names more thoroughly.
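The false match described in this report, shown as an added POSIX sh example that is not the Gentoo init script's own code: a constructed `ipset list -n` output, the existence check with the suffix embedded unescaped in a regex, a fixed-string replacement, and a character allow-list applied before a name or suffix is embedded anywhere. The set names, the allow-list and the function names are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the output of `ipset list -n` on a host.
# Note: "blocklist.t" does NOT exist here, but "blocklist_t" does.
SETS='blocklist
blocklist_t
allowlist'

# Suffix from the report: the '.' is a regex wildcard when embedded unescaped.
TEMP_SUFFIX='.t'

# Buggy check: "$1" is interpolated into the regex, so the pattern
# ^blocklist.t$ also matches the unrelated set "blocklist_t".
set_exists_buggy() {
    printf '%s\n' "$SETS" | grep -q "^${1}\$"
}

# Fix 1: fixed-string (-F), whole-line (-x) match; no metacharacters apply.
set_exists_fixed() {
    printf '%s\n' "$SETS" | grep -qxF -- "$1"
}

# Fix 2: allow only characters that are safe inside regexes and sed s///
# commands (assumed allow-list: alphanumerics, '_', '-', ':'); reject
# '.', '/', and anything else before the value is embedded in a command.
name_is_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build a temp set name (base name + suffix) the way an init script would,
# refusing any component that fails the allow-list.
temp_set_name() {
    name_is_safe "$1" && name_is_safe "$2" || return 1
    printf '%s%s\n' "$1" "$2"
}

main() {
    set_exists_buggy "blocklist${TEMP_SUFFIX}" && echo "buggy: blocklist.t 'exists' (false match on blocklist_t)"
    set_exists_fixed "blocklist${TEMP_SUFFIX}" || echo "fixed: blocklist.t does not exist"
    temp_set_name blocklist "$TEMP_SUFFIX" || echo "rejected suffix: $TEMP_SUFFIX"
    temp_set_name blocklist _t
}
```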
Comment 1 Hank Leininger 2024-03-26 21:49:52 UTC
I'm working on a PR that addresses the primary issue plus various additional checks.
Comment 2 Larry the Git Cow gentoo-dev 2024-04-30 06:41:58 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efef1aaf36c98fa6ce64e492a52124d404ec2888

commit efef1aaf36c98fa6ce64e492a52124d404ec2888
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2024-03-26 22:02:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-30 06:37:49 +0000

    net-firewall/ipset: enforce safe chars in set names & suffix
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/927918
    Closes: https://github.com/gentoo/gentoo/pull/35939
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/ipset/files/ipset.initd-r7 | 127 ++++++++++++++++++++++++++++++++
 net-firewall/ipset/ipset-7.21-r1.ebuild | 116 +++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)