Bug 664602 - [hardening] x11-base/xorg-server compilation fails when sys-apps/gawk is compiled with forced-sandbox USE-flag
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2018-08-25 23:11 UTC by Matt
Modified: 2018-08-31 08:16 UTC

Description Matt 2018-08-25 23:11:25 UTC
/var/tmp/portage/x11-base/xorg-server-1.20.1/work/xorg-server-1.20.1/hw/xfree86/xkb/xkbKillSrv.c
gawk: cmd. line:11: fatal: redirection not allowed in sandbox mode
make[4]: *** [Makefile:1175: sdksyms.c] Error 2
make[4]: *** Waiting for unfinished jobs....


Stumbling upon the following issue entry of original-mawk on GitHub:
https://github.com/ThomasDickey/original-mawk/issues/49

I enabled the forced-sandbox USE flag to harden the system from arbitrary code injection in awk scripts, preventing easy access to system().

This has been the first failing package due to that change.

If it's easy to fix, it should be considered to set forced-sandbox for gawk in the future.
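
An added illustration, not part of the original report and not Gentoo or xorg-server code: a heuristic Python scan for the awk constructs that gawk's sandbox mode refuses (system(), getline redirection, print/printf redirection, @load), for auditing build scripts before forcing the sandbox. The function names and the sample awk text are constructed for this example, and regex literals containing `>` or `#` are not handled.

```python
import re

STRING = re.compile(r'"(?:\\.|[^"\\])*"')

def strip_noise(line):
    """Blank out string literals, then drop a trailing # comment."""
    return STRING.sub('""', line).split('#', 1)[0]

def print_redirect(stmt):
    """True if a print/printf statement has > or | outside parentheses."""
    m = re.search(r'\bprintf?\b', stmt)
    if not m:
        return False
    depth = 0
    for ch in stmt[m.end():]:
        if ch in '([':
            depth += 1
        elif ch in ')]':
            depth -= 1
        elif depth == 0 and ch in ';}':   # statement ended, no redirect
            return False
        elif depth == 0 and ch in '>|':   # unparenthesised > >> | |&
            return True
    return False

def sandbox_violations(awk_source):
    """Return [(line_no, reason)] for constructs gawk --sandbox rejects."""
    found = []
    for no, raw in enumerate(awk_source.splitlines(), 1):
        code = strip_noise(raw).replace('||', '  ')  # logical OR is not a pipe
        if re.search(r'\bsystem\s*\(', code):
            found.append((no, 'system()'))
        if re.search(r'\bgetline\b[^;}]*<|\|\s*&?\s*getline\b', code):
            found.append((no, 'getline redirection'))
        if print_redirect(code):
            found.append((no, 'print redirection'))
        if re.match(r'\s*@load\b', code):
            found.append((no, 'dynamic extension'))
    return found

# Constructed sample script (not taken from xorg-server).
SAMPLE = '''\
BEGIN { n = 0 }
/^extern/ { if (NF > 2) print $3 > "symbols.list" }
{ print ($1 > $2) }
END { system("date"); "ls" | getline x }
'''

if __name__ == '__main__':
    for no, why in sandbox_violations(SAMPLE):
        print(f'line {no}: {why}')
```

A script flagged only for print redirection can usually be adapted by printing to standard output and letting the calling shell do the redirect, which the sandbox does not restrict.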
Comment 1 Matt Turner gentoo-dev 2018-08-30 16:42:37 UTC
hardened@: please Cc x11@ when you have a proposed fix.
Comment 2 Magnus Granberg gentoo-dev 2018-08-31 01:13:11 UTC
emerge --info and buildlog
Xorg-server should be fixed upstream
Comment 3 Matt Turner gentoo-dev 2018-08-31 08:16:48 UTC
Maybe you misunderstood me. I have no idea what is going on in this bug and I'm not going to spend the time to figure it out. If hardened@ cares to solve the bug and it requires fixing xorg-server, then feel free to Cc x11@.

Until then, leave us out.