From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bengt Richter <bokr@bokr.com>
Subject: bug#38422: .png files in /gnu/store with executable permissions (555)
Date: Thu, 28 Nov 2019 23:59:38 -0800
Message-ID: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
Reply-To: Bengt Richter <bokr@bokr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:45588)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iabDI-00032M-Mb
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:01:22 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iabDA-0005Zt-9l
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:01:10 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:53359)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1iabD6-0005Vi-RA
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:01:06 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iabD3-00010T-Pb
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:01:01 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.38422.B.15750144043734@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:43745)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <bokr@oz.net>) id 1iabC2-0002SA-IC
 for bug-guix@gnu.org; Fri, 29 Nov 2019 03:00:00 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bokr@oz.net>) id 1iabBw-000272-4l
 for bug-guix@gnu.org; Fri, 29 Nov 2019 02:59:55 -0500
Received: from imta-38.everyone.net ([216.200.145.38]:58118)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bokr@oz.net>) id 1iabBv-0001qt-Ry
 for bug-guix@gnu.org; Fri, 29 Nov 2019 02:59:52 -0500
Content-Disposition: inline
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 38422@debbugs.gnu.org

Hi Guix,

I was wanting to check on some executable files in the store,
and happened to see some executable .png files ;-/

I suspect they came in when I was playing with icecat
and let it load  a "theme", but I am not sure some didn't
also happen trying to get firefox radio buttons to work ;-/

Anyway, does anyone else get 555 permissions on files like these?
These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid?
What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right?

The icecat discussion got moved to mozilla, but in case someone else did whatever I did,
I thought I'd post a heads-up here.
I'll try to cc Mark :)

$ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
--8<---------------cut here---------------start------------->8---
      1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
      1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
     97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
  34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
      1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
     62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
      1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
      1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'

--8<---------------cut here---------------end--------------->8---

-- 
Regards,
Bengt Richter