#206 lint runs untrusted rpmlint config code without confirmation
Opened 6 years ago by tibbs. Modified 4 years ago

So fedpkg lint will by default call rpmlint -f .rpmlint. Which sounds nice, but rpmlint config files are executable python.

ἐπιθυμία:~/work/my-packages/amanda/❯ ls -l /tmp/hacked
ls: cannot access '/tmp/hacked': No such file or directory

ἐπιθυμία:~/work/my-packages/amanda/❯ fedpkg lint
No srpm found
No rpm found
0 packages and 1 specfiles checked; 0 errors, 0 warnings.

ἐπιθυμία:~/work/my-packages/amanda/❯ ls -l /tmp/hacked
-rw-rw----. 1 tibbs tibbs 0 Mar  2 11:51 /tmp/hacked

ἐπιθυμία:~/work/my-packages/amanda/❯ rpm -qi pyrpkg
Name        : pyrpkg
Version     : 1.49
Release     : 1.fc25

The file used by default really, really should not be hidden. And even then, running that code is inadvisable without some kind of confirmation. I know that fedpkg local and probably even mockbuild aren't actually safe, but still seems unwise to act by default on a file that is both untrusted and hidden.

The file used by default really, really should not be hidden.

What file?

@cqi: Unless the -f option is used, rpkg uses .rpmlint file in the repository.

I'm not sure there is much else we can do other than rename the file so that it's at least visible. A log message could also be printed about what file is used.

Since rpkg-1.53, the default rpmlint configuration file is <module_name>.rpmlintrc. If .rpmlint is still being used, a message will be output to tell using the new filename. This should be a step-forward for this issue. @tibbs If you think the new change is an acceptable solution for this issue, shall we close this issue?

So I noticed that F27 has a sufficiently new rpkg and tried it out.

It's certainly better that it complains in preparation for the actual deprecation, but I wouldn't think that anything is fixed until the actual deprecation happens and nothing looks at .rpmlint at all. But I don't know what your plans for the deprecation are, and whether you want to keep a ticket open as a reminder. That's up to you.

This issue has been unresolved for more than a year, and is going to be closed within a week if no further action is taken. If you feel this is in error, please contact me.
This is a cleaning process suggested by Jay Greguske. Copy of this ticket was already closed in JIRA tracker.

Well, I mean, it's still a security issue. If those just go away because they're old then I guess the security job has gotten much easier.

rpmlint has supposedly grown some form of non-executable configuration support. I don't know how that works yet or if it exists in a released version. If that's the case then all that would remain is to ensure that fepdkg lint will never used the old executable format. That deserves more investigation.

Login to comment on this ticket.