| Summary: | net-p2p/kubo: potential vulnerability? | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michał Górny <mgorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | davidroman96, gentoo+bugs, hurikhan77+bgo, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://github.com/ipfs/fs-repo-migrations/issues/148 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
Michał Górny
2024-04-29 02:33:57 UTC
Whenever I can I will set-up a proper system to test it, but grepping the source code only seems to show references to /tmp for running tests I was in a rush before. I can confirm that the migration code downloads code into /tmp and tries to execute it: > Fetching with HTTP: "https://trustless-gateway.link/ipfs/QmZPedUiZNe6Gq9oDvoizuuCMVoeb7shwq9xKhysq7exMo/fs-repo-13-to-14/v1.0.0/fs-repo-13-to-14_v1.0.0_linux-amd64.tar.gz" > Downloaded and unpacked migration: /tmp/migrations788496017/fs-repo-13-to-14 (v1.0.0) > Running migration fs-repo-12-to-13 ... > => Running: /tmp/migrations788496017/fs-repo-12-to-13 -path=/root/.ipfs -verbose=true > The migrations of fs-repo failed: > migration fs-repo-12-to-13 failed: fork/exec /tmp/migrations788496017/fs-repo-12-to-13: permission denied > If you think this is a bug, please file an issue and include this whole log output. > https://github.com/ipfs/fs-repo-migrations > Error: migration fs-repo-12-to-13 failed: fork/exec /tmp/migrations788496017/fs-repo-12-to-13: permission denied There is a relevant issue already opened: https://github.com/ipfs/fs-repo-migrations/issues/148 As I understand it we should package the migration programs also, somehow. |