From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bengt Richter Subject: bug#38422: .png files in /gnu/store with executable permissions (555) Date: Fri, 29 Nov 2019 04:22:36 -0800 Message-ID: <20191129122236.GA67682@PhantoNv4ArchGx.localdomain> References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain> <87r21r9fn1.fsf@elephly.net> Reply-To: Bengt Richter Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:35180) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iafIh-0001rz-1Z for bug-guix@gnu.org; Fri, 29 Nov 2019 07:23:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iafIc-0002V4-4m for bug-guix@gnu.org; Fri, 29 Nov 2019 07:23:03 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:53696) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1iafIb-0002UN-VJ for bug-guix@gnu.org; Fri, 29 Nov 2019 07:23:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1iafIb-0007TB-SS for bug-guix@gnu.org; Fri, 29 Nov 2019 07:23:01 -0500 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87r21r9fn1.fsf@elephly.net> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ricardo Wurmus Cc: 38422@debbugs.gnu.org Hi Ricardo, On +2019-11-29 10:49:06 +0100, Ricardo Wurmus wrote: > > Bengt Richter writes: > > > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less > > --8<---------------cut here---------------start------------->8--- > > 1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng' > > 1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng' > > 97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme > > 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng' > > 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng' > > 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng' > > 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng' > > 1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng' > > 34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme > > 1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng' > > 62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook > > 1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng' > > 1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng' > > 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng' > > 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng' > > 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng' > > 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng' > > 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng' > > 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng' > > 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng' > > 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng' > > > > --8<---------------cut here---------------end--------------->8--- > > Maybe I’m missing something, but none of the above are PNGs. > Most of them are executables, others are directories, so having them > executable is expected. > > Did I misunderstand? > No, you just didn't see it ;-) ┌───────────────────────────────────────────────────────────────────────────────────────────────┐ │ Sorry I didn't highlight well enough that I had trimmed off the full paths that ended in .png │ │ in what you snipped out above the above (see box below): │ └───────────────────────────────────────────────────────────────────────────────────────────────┘ --8<----(the part you snipped out)-----------cut here---------------start------------->8--- Hi Guix, I was wanting to check on some executable files in the store, and happened to see some executable .png files ;-/ I suspect they came in when I was playing with icecat and let it load a "theme", but I am not sure some didn't also happen trying to get firefox radio buttons to work ;-/ Anyway, does anyone else get 555 permissions on files like these? ┌───────────────────────────────────────────────────────────────────────────────────────────┐ │ These are all *.png files with 555 permissons, but I trimmed back to see common prefixes. │ │ Obviously the moka-con-theme was most of it, but also faba and docbook look iffy. │ └───────────────────────────────────────────────────────────────────────────────────────────┘ Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid? What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right? The icecat discussion got moved to mozilla, but in case someone else did whatever I did, I thought I'd post a heads-up here. I'll try to cc Mark :) --8<----(the part you snipped out)-----------cut here---------------end--------------->8--- Note the cut -d '-' etc from above --8<---------------cut here---------------start------------->8--- > > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less --8<---------------cut here---------------end--------------->8--- I thought the 34143 moka-icon-theme items looked especially iffy, being so many: --8<---------------cut here---------------start------------->8--- > > 34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme --8<---------------cut here---------------end--------------->8--- So let's not cut that tail and just grab some of those moka-icon-theme items full length: $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|grep moka-icon-theme|head --8<---------------cut here---------------start------------->8--- 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-synchronizing.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced-callbacks-active.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-syncing.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-dropbox-uptodate.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-readonly.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-important.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-danger.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-web.png' 555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-symbolic-link.png' --8<---------------cut here---------------end--------------->8--- Some executables ending in png are legit, like conversion programs from something to .png format. > -- > Ricardo > PS. Thinking about it, I'm pretty sure I used normal guix install ... yes: --8<----(555s were in source tarball)-----------cut here---------------start------------->8--- $ guix package -I|grep -i moka moka-icon-theme 5.4.0 out /gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0 $ mkdir ~/my-roots $ guix build -r ~/my-roots/moka -S moka-icon-theme substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0% 67.4 MB will be downloaded: /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz substituting /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz... downloading from https://ci.guix.gnu.org/nar/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz... moka-icon-theme-5.4.0.tar.gz 64.3MiB 1.5MiB/s 00:44 [##################] 100.0% /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz $ lsc ~/my-roots/* 72 2019-11-29 03:53:27 [@] /home/bokr/my-roots/moka -> /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz $ tar -tzvf ~/my-roots/moka|egrep -m5 'png$' lrwxrwxrwx root/root 0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/exit.png -> system-log-out.png lrwxrwxrwx root/root 0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-lockscreen.png -> system-lock-screen.png lrwxrwxrwx root/root 0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-logout.png -> system-log-out.png lrwxrwxrwx root/root 0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-run.png -> system-run.png lrwxrwxrwx root/root 0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-session-reboot.png -> system-restart.png Oops, those were links, let's try again: $ tar -tzvf ~/my-roots/moka|egrep -m5 '^[^l].*png$' -rwxrwxr-x root/root 633 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-lock-screen.png -rwxrwxr-x root/root 537 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-log-out.png -rwxrwxr-x root/root 554 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-restart.png -rwxrwxr-x root/root 549 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-run.png -rwxrwxr-x root/root 544 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-shutdown.png --8<----(555s were in source tarball)-----------cut here---------------end--------------->8--- -- Regards, Bengt Richter