unofficial mirror of bug-guix@gnu.org 
From: Mark H Weaver <mhw@netris.org>
To: Bengt Richter <bokr@bokr.com>
Cc: 38422@debbugs.gnu.org
Subject: bug#38422: .png files in /gnu/store with executable permissions (555)
Date: Fri, 29 Nov 2019 07:20:41 -0500
Message-ID: <878sny6fgr.fsf@netris.org>
In-Reply-To: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>

Hi Bengt,

Bengt Richter <bokr@bokr.com> wrote:
> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
> 
> I suspect they came in when I was playing with icecat
> and let it load a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not.  Unless you ran icecat as root, it would not have
sufficient permissions to modify /gnu/store.  Installing a theme or
addon in IceCat, or changing its configuration, modifies files in your
~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissions, but I trimmed back to see common prefixes.
> Obviously the moka-icon-theme was most of it, but also faba and docbook look iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on
my system.  Some of the *.png files are incorrectly given executable
permissions within the upstream source tarball itself.  I guess it's
probably the same issue with moka-icon-theme and faba-icon-theme, since
I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are
actually programs whose name ends with "png", so they *should* be
executable.  The files in /gnu/store/.links that end with "png" are just
random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case.  I don't see anything here
to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers of
docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

     Thanks,
       Mark
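
Added example, not part of the original message: a Python check for the situation described above. It lists the `*.png` members of a source tarball that carry an execute bit and confirms from the file signature whether each one really is PNG image data. The tarball is constructed in memory and all member names are made up for illustration.

```python
import io
import tarfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte signature that starts every PNG file


def audit_tarball(fileobj):
    """Return (name, mode, verdict) for each *.png member with an execute bit set."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Only regular files named *.png; a program such as "optipng"
            # ends with "png" but not ".png" and is meant to be executable.
            if not member.isfile() or not member.name.lower().endswith(".png"):
                continue
            if not member.mode & 0o111:  # no user/group/other execute bit
                continue
            head = tar.extractfile(member).read(len(PNG_MAGIC))
            verdict = "png-data" if head == PNG_MAGIC else "not-png"
            findings.append((member.name, oct(member.mode & 0o7777), verdict))
    return findings


def build_sample():
    """Build a constructed sample tarball in memory (hypothetical contents)."""
    samples = [
        ("pkg/images/note.png", 0o755, PNG_MAGIC + b"\x00" * 16),  # sloppy mode
        ("pkg/images/tip.png", 0o644, PNG_MAGIC + b"\x00" * 16),   # correct mode
        ("pkg/bin/optipng", 0o755, b"\x7fELF" + b"\x00" * 16),     # real program
        ("pkg/images/odd.png", 0o755, b"#!/bin/sh\n"),             # worth a look
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in samples:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode, verdict in audit_tarball(build_sample()):
        print(mode, verdict, name)
```

A `png-data` verdict on an executable `.png` matches the harmless case of wrong permissions in the tarball; `not-png` marks a file whose content does not match its extension and deserves a closer look.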
