Bug 872662 - unpacker.eclass: zstd unpacker accepts junk as input
Summary: unpacker.eclass: zstd unpacker accepts junk as input
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2022-09-24 13:22 UTC by Michał Górny
Modified: 2022-09-28 21:15 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-09-24 13:22:48 UTC
unpacker.eclass unpacks .zst files with -f option that is documented as:

       •   -f, --force: disable input and output checks. Allows overwriting existing files, input from console, output  to  stdout,
           operating on links, block devices, etc.

This also means that if input isn't a zstd compressed file, zstd just pipes it through and returns success.  In other words:

$ zstd -cfd /etc/gentoo-release ; echo $?
Gentoo Base System release 2.9
0

Any file with .zst suffix in SRC_URI that is invalid will be copied verbatim by unpacker.eclass into the output file instead of triggering an error.  I don't think this is desirable.

Will include a patch in my upcoming patchset.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-27 20:28:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=665ed4ce5c2a6c749bf794860ccd4d62e8f278e0

commit 665ed4ce5c2a6c749bf794860ccd4d62e8f278e0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-09-24 13:44:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-09-27 20:27:56 +0000

    unpacker.eclass: Remove `-f` from zstd arguments
    
    Remove `-f` from zstd arguments.  This option causes zstd to ignore
    input errors, notably causing it to pass invalid files through rather
    than returning an error.
    
    Closes: https://bugs.gentoo.org/872662
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 eclass/unpacker.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
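
The following is an added example, not part of the bug report, the commit, or unpacker.eclass. It shows a defensive wrapper that checks the leading magic bytes before decompressing and calls zstd without `-f`, so junk input is rejected instead of being copied through. The function names `zst_magic`, `is_zstd_stream` and `unzstd_strict` are hypothetical, and only the standard frame magic and skippable-frame magics are recognised.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not from unpacker.eclass.

# Print the first four bytes of a file as lowercase hex, e.g. "28b52ffd".
zst_magic() {
    od -An -tx1 -N4 < "$1" 2>/dev/null | tr -d ' \n'
}

# Return 0 if the file starts with a zstd frame, 1 otherwise.
is_zstd_stream() {
    case "$(zst_magic "$1")" in
        28b52ffd)        return 0 ;;  # frame magic 0xFD2FB528, little-endian
        5[0-9a-f]2a4d18) return 0 ;;  # skippable frame 0x184D2A50..0x184D2A5F
        *)               return 1 ;;  # short, empty, missing or foreign data
    esac
}

# Decompress $1 to $2, failing loudly on anything that is not valid zstd.
unzstd_strict() {
    if ! is_zstd_stream "$1"; then
        echo "unzstd_strict: $1 is not a zstd stream, refusing to unpack" >&2
        return 1
    fi
    # No -f: zstd then exits non-zero on invalid input instead of
    # passing the bytes through unchanged.
    if ! zstd -dc -- "$1" > "$2"; then
        rm -f -- "$2"   # do not leave a partial output file behind
        return 1
    fi
}

# Demo on constructed input: a plain-text file named like an archive.
demo=$(mktemp)
printf 'Gentoo Base System release 2.9\n' > "$demo"
unzstd_strict "$demo" "$demo.out" || echo "rejected (exit $?)"
rm -f "$demo" "$demo.out"
```

The magic-byte check only catches input that is not zstd at all; truncated or corrupted frames are caught by zstd's own exit status once `-f` is gone.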