[Bug 1127138] New: YaST runs programs with wrong absolute path
http://bugzilla.suse.com/show_bug.cgi?id=1127138

Bug ID: 1127138
Summary: YaST runs programs with wrong absolute path
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
Assignee: yast2-maintainers@suse.de
Reporter: mvidner@suse.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

In a recent security hardening (bsc#1118291) we changed an invocation of

    system "mkdir #{dir}"

to

    system "/usr/sbin/mkdir #{dir.shellescape}"

which is wrong because the correct path is /usr/bin/mkdir.

Finding this particular problem has prompted us to look for similar bugs, be they introduced by wrongly absolutizing program paths or by programs changing their location.

I have found:

yast/yast-nfs-client/src/modules/Nfs.rb:563 "/usr/sbin/rpcinfo"
yast/yast-yast2/library/network/src/modules/NetworkPopup.rb:198
  is /sbin/rpcinfo

yast/yast-users/src/modules/UsersRoutines.pm:49 "/usr/sbin/cryptconfig"
  removed in 15.0, https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.0/

yast/yast-bootloader/src/lib/bootloader/boot_record_backup.rb:39 "/usr/sbin/mkdir"
  is /usr/bin/mkdir

yast/yast-packager/src/include/checkmedia/ui.rb:542 "/bin/eject"
  is /usr/bin/eject

yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49 "/sbin/ifconfig"
  is /usr/bin/ifconfig in net-tools-deprecated
  used by yast/yast-instserver/src/modules/Instserver.rb:673

--
You are receiving this mail because:
You are on the CC list for the bug.

Martin Vidner <mvidner@suse.com> changed:

    What   |Removed |Added
    ----------------------------------------------------------------------------
    Status |NEW     |IN_PROGRESS
    URL    |        |https://trello.com/c/plarcs
           |        |bX

http://bugzilla.suse.com/show_bug.cgi?id=1127138#c1

--- Comment #1 from Martin Vidner <mvidner@suse.com> ---
Fixes for the simple cases, under review:
- https://github.com/yast/yast-bootloader/pull/555
- https://github.com/yast/yast-nfs-client/pull/80
- https://github.com/yast/yast-yast2/pull/898
- https://github.com/yast/yast-packager/pull/404

The cryptconfig case in yast2-users seems to be embedded in a bigger chunk of dead code, I'm checking it now.

http://bugzilla.suse.com/show_bug.cgi?id=1127138#c2

--- Comment #2 from Martin Vidner <mvidner@suse.com> ---
The above PRs are merged.
The last one: https://github.com/yast/yast-users/pull/198

http://bugzilla.suse.com/show_bug.cgi?id=1127138#c3

--- Comment #3 from Martin Vidner <mvidner@suse.com> ---
Created attachment 798386
  --> http://bugzilla.suse.com/attachment.cgi?id=798386&action=edit
check-program-paths

This is the script that I used to find the bugs.
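
The kind of check this report calls for, as an added example: it is not the attached check-program-paths script and not YaST code. It scans source text for hardcoded program paths and reports those that are not executable under a given root, along with where a program of the same name does exist. All names here (check_program_paths, executable_at?, BIN_DIRS, PROGRAM_RE, demo) and the sample source lines are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

BIN_DIRS = %w[/usr/bin /usr/sbin /bin /sbin].freeze
# An absolute path into one of BIN_DIRS at the start of a quoted or backticked string.
PROGRAM_RE = %r{["'`](/(?:usr/)?s?bin/[A-Za-z0-9_.+-]+)}

# Returns one finding per hardcoded program path that is not an executable
# file under +root+ (pass "/" to check the running system).
def check_program_paths(source, file:, root: "/")
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(PROGRAM_RE).flatten.uniq.each do |path|
      next if executable_at?(root, path)
      name = File.basename(path)
      found = BIN_DIRS.map { |d| File.join(d, name) }
                      .select { |p| executable_at?(root, p) }
      findings << { file: file, line: lineno, path: path, found_at: found }
    end
  end
  findings
end

def executable_at?(root, path)
  full = File.join(root, path)
  File.file?(full) && File.executable?(full)
end

# Constructed sample, modelled on the cases listed in the report.
SAMPLE = <<~'RUBY'
  system "/usr/sbin/mkdir #{dir.shellescape}"
  out = `/usr/bin/eject #{device.shellescape}`
  SCR.Execute(path(".target.bash"), "/usr/sbin/cryptconfig #{args}")
RUBY

# Builds a throwaway root holding only the given programs, then runs the check.
def demo(installed = %w[/usr/bin/mkdir /usr/bin/eject])
  Dir.mktmpdir do |root|
    installed.each do |p|
      FileUtils.mkdir_p(File.join(root, File.dirname(p)))
      FileUtils.touch(File.join(root, p))
      File.chmod(0o755, File.join(root, p))
    end
    check_program_paths(SAMPLE, file: "sample.rb", root: root)
  end
end

demo.each { |f| puts "#{f[:file]}:#{f[:line]} #{f[:path]} found at: #{f[:found_at]}" } if $PROGRAM_NAME == __FILE__
```

An empty found_at list corresponds to the cryptconfig case in the report, where the program was removed rather than moved. On a system where /bin and /sbin are symlinks into /usr, the old paths still resolve and are not flagged.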

http://bugzilla.suse.com/show_bug.cgi?id=1127138#c4

Martin Vidner <mvidner@suse.com> changed:

    What       |Removed     |Added
    ----------------------------------------------------------------------------
    Status     |IN_PROGRESS |RESOLVED
    Resolution |---         |FIXED

--- Comment #4 from Martin Vidner <mvidner@suse.com> ---
All PRs merged.

http://bugzilla.suse.com/show_bug.cgi?id=1127138#c5

Frederic Crozat <fcrozat@suse.com> changed:

    What |Removed |Added
    ----------------------------------------------------------------------------
    CC   |        |fcrozat@suse.com

--- Comment #5 from Frederic Crozat <fcrozat@suse.com> ---
(In reply to Martin Vidner from comment #0)
> yast/yast-yast2/library/general/src/scrconf/run_ifconfig.scr:49 "/sbin/ifconfig"
>   is /usr/bin/ifconfig in net-tools-deprecated
>   used by yast/yast-instserver/src/modules/Instserver.rb:673

This module should be adapted to use ip and no longer ifconfig.