bug-guix

bug#38422: .png files in /gnu/store with executable permissions (555)


From: Mark H Weaver
Subject: bug#38422: .png files in /gnu/store with executable permissions (555)
Date: Fri, 29 Nov 2019 07:20:41 -0500

Hi Bengt,

Bengt Richter <address@hidden> wrote:
> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
> 
> I suspect they came in when I was playing with icecat
> and let it load a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not.  Unless you ran icecat as root, it would not have
sufficient permissions to modify /gnu/store.  Installing a theme or
addon in IceCat, or changing its configuration, modifies files in your
~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissions, but I trimmed back to see
> common prefixes.
> Obviously the moka-icon-theme was most of it, but also faba and docbook look
> iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on
my system.  Some of the *.png files are incorrectly given executable
permissions within the upstream source tarball itself.  I guess it's
probably the same issue with moka-icon-theme and faba-icon-theme, since
I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are
actually programs whose name ends with "png", so they *should* be
executable.  The files in /gnu/store/.links that end with "png" are just
random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case.  I don't see anything here
to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers of
docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

     Thanks,
       Mark
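
The triage described in this message, as an added example that is not part of the original email or of Guix's own code: it lists executable files in a store tree whose name really ends in ".png" (skipping `.links` and programs whose name merely ends in "png"), grouped by store item, and lists `*.png` members of an upstream tarball that already carry an executable bit. The function names are hypothetical, and the PNG signature check goes beyond what the message itself does.

```python
import os
import stat
import tarfile
from collections import defaultdict

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG file signature


def executable_pngs_in_tree(store_root):
    """Map store item -> [(path inside item, has PNG signature)].

    Only regular files named *.png with an executable bit are reported.
    <store_root>/.links is skipped: its entries are named by hash.
    """
    hits = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(store_root):
        if dirpath == store_root and ".links" in dirnames:
            dirnames.remove(".links")  # prune, os.walk will not descend
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks
            if not (name.endswith(".png") and stat.S_ISREG(st.st_mode)):
                continue  # e.g. a program called "optipng"
            if st.st_mode & 0o111:
                with open(path, "rb") as f:
                    is_png = f.read(8) == PNG_MAGIC
                rel = os.path.relpath(path, store_root)
                item, _, inner = rel.partition(os.sep)
                hits[item].append((inner, is_png))
    return dict(hits)


def executable_pngs_in_tarball(tar_path):
    """Names of *.png members whose recorded mode has an executable bit."""
    with tarfile.open(tar_path) as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and m.name.endswith(".png")
                      and m.mode & 0o111)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/gnu/store"
    for item, files in sorted(executable_pngs_in_tree(root).items()):
        odd = sum(1 for _, is_png in files if not is_png)
        print(f"{item}: {len(files)} executable .png, {odd} without PNG signature")
```

Both functions only read; a store item that shows up here and whose upstream tarball shows the same members is the case for an upstream bug report.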




