bug#47576: [security] ibus-daemon launches ungrafted subprocesses

["Ludovic Courtès" <ludo@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 3296 bytes --]

Hi,

Mark H Weaver <mhw@netris.org> skribis:

> I found them:
>
>   ~/.cache/ibus/bus/registry
>   /var/lib/gdm/.cache/ibus/bus/registry
>
> On my system, those files include absolute pathnames to programs in
> /gnu/store/a4r6q1fbfqapy5hrrxap1yg96rjgln6q-ibus-1.5.22, which I
> compiled last December.

Looks like <https://issues.guix.gnu.org/22707>.

The problem seems to generally affect GLib/GNOME-ish caches.

From a quick look at ibusregistry.c & co, I think the values that end up
in the cache are taken from these XML files:

--8<---------------cut here---------------start------------->8---
$ grep /gnu/store $(find $(guix build ibus) -name \*.xml)
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/gtkpanel.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-ui-gtk3</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/dconf.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-dconf</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/simple.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-engine-simple</exec>
/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/share/ibus/component/gtkextension.xml:	<exec>/gnu/store/a7lxf1i35yqil6pxwxhzvr5q3xcqldyq-ibus-1.5.22/libexec/ibus-extension-gtk3</exec>
--8<---------------cut here---------------end--------------->8---

It’s the ‘components’ field of _IBusRegistryPrivate:

--8<---------------cut here---------------start------------->8---
struct _IBusRegistryPrivate {
    /* a list of IBusObservedPath objects. */
    GList *observed_paths;

    /* a list of IBusComponent objects that are created from component XML
     * files (or from the cache of them). */
    GList *components;

    gboolean changed;

    /* a mapping from GFile to GFileMonitor. */
    GHashTable *monitor_table;

    guint monitor_timeout_id;
};
--8<---------------cut here---------------end--------------->8---

The attached patch does the following:

  1. change the above <exec> file names in XML files to relative file
     names;

  2. change ibuscomponent.c to automatically prepend $libexecdir to
     <exec> items that are relative file names.

That way, XML files and thus caches should only contain relative file
names for ibus’ own executables.

The attached patch builds with:

  guix build ibus --with-patch=ibus=/tmp/ibus.patch

… but I don’t know if it actually works.  Testing welcome.  :-)

Unfortunately this strategy doesn’t help with IBus extensions:

--8<---------------cut here---------------start------------->8---
$ grep exec $(find $(guix build ibus-anthy) -name \*.xml)
/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/share/ibus/component/anthy.xml:	<exec>/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/libexec/ibus-engine-anthy --ibus</exec>
/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/share/ibus/component/anthy.xml:	<engines exec="/gnu/store/d3mfffz41as1blfb28m8n461j42i6zjr-ibus-anthy-1.5.9/libexec/ibus-engine-anthy --xml" />
--8<---------------cut here---------------end--------------->8---

Thoughts?

Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: the patch --]
[-- Type: text/x-patch, Size: 4383 bytes --]

diff --git a/conf/dconf/dconf.xml.in b/conf/dconf/dconf.xml.in
index 4205cb0..538f500 100644
--- a/conf/dconf/dconf.xml.in
+++ b/conf/dconf/dconf.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Config</name>
 	<description>Dconf Config Component</description>
-	<exec>@libexecdir@/ibus-dconf</exec>
+	<exec>ibus-dconf</exec>
 	<version>@VERSION@</version>
 	<author>Daiki Ueno &lt;ueno@unixuser.org&gt;</author>
 	<license>GPL</license>
diff --git a/conf/memconf/memconf.xml.in b/conf/memconf/memconf.xml.in
index d6ea690..9f51bcc 100644
--- a/conf/memconf/memconf.xml.in
+++ b/conf/memconf/memconf.xml.in
@@ -2,7 +2,7 @@
 <component>
 	<name>org.freedesktop.IBus.Config</name>
 	<description>On-memory Config Component</description>
-	<exec>@libexecdir@/ibus-memconf</exec>
+	<exec>ibus-memconf</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;, modified by the Chromium OS Authors</author>
 	<license>GPL</license>
diff --git a/engine/simple.xml.in b/engine/simple.xml.in
index fc1541e..47cbea1 100644
--- a/engine/simple.xml.in
+++ b/engine/simple.xml.in
@@ -2,7 +2,7 @@
 <component>
 	<name>org.freedesktop.IBus.Simple</name>
 	<description>A table based simple engine</description>
-	<exec>@libexecdir@/ibus-engine-simple</exec>
+	<exec>ibus-engine-simple</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;</author>
 	<license>GPL</license>
diff --git a/src/Makefile.am b/src/Makefile.am
index a8e3d07..2c461ee 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -49,6 +49,7 @@ AM_CPPFLAGS =                                           \
     @GLIB2_CFLAGS@                                      \
     @GOBJECT2_CFLAGS@                                   \
     @GIO2_CFLAGS@                                       \
+    -DLIBEXECDIR=\"$(libexecdir)\"			\
     -DIBUS_CACHE_DIR=\""$(localstatedir)/cache/ibus"\"  \
     -DIBUS_DATA_DIR=\"$(pkgdatadir)\"                   \
     -DIBUS_DISABLE_DEPRECATION_WARNINGS                 \
diff --git a/src/Makefile.in b/src/Makefile.in
index 2a9c2ab..c3dfd87 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -613,6 +613,7 @@ CLEANFILES = $(am__append_2) $(BUILT_SOURCES) stamp-ibusmarshalers.h \
 # C preprocessor flags
 AM_CPPFLAGS = -DG_LOG_DOMAIN=\"IBUS\" @GLIB2_CFLAGS@ @GOBJECT2_CFLAGS@ \
 	@GIO2_CFLAGS@ \
+	-DLIBEXECDIR=\"$(libexecdir)\" \
 	-DIBUS_CACHE_DIR=\""$(localstatedir)/cache/ibus"\" \
 	-DIBUS_DATA_DIR=\"$(pkgdatadir)\" \
 	-DIBUS_DISABLE_DEPRECATION_WARNINGS -DIBUS_COMPILATION \
diff --git a/src/ibuscomponent.c b/src/ibuscomponent.c
index 9837f47..4b55a66 100644
--- a/src/ibuscomponent.c
+++ b/src/ibuscomponent.c
@@ -614,6 +614,18 @@ ibus_component_parse_engines (IBusComponent *component,
 
     if (exec != NULL) {
         gchar *output = NULL;
+
+        if (exec[0] != '/') {
+            /* EXEC is a relative file name, so assume it's the name of an
+               executable in $libexecdir and expand it.  */
+            GString *absolute = g_string_new (LIBEXECDIR);
+            g_string_append (absolute, "/");
+            g_string_append (absolute, exec);
+
+            g_free (exec);
+            exec = g_string_free (absolute, FALSE);
+        }
+
         if (g_spawn_command_line_sync (exec, &output, NULL, NULL, NULL)) {
             engines_node = ibus_xml_parse_buffer (output);
             g_free (output);
diff --git a/ui/gtk3/gtkextension.xml.in b/ui/gtk3/gtkextension.xml.in
index b8157c9..fc945ab 100644
--- a/ui/gtk3/gtkextension.xml.in
+++ b/ui/gtk3/gtkextension.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Panel.Extension</name>
 	<description>Gtk Panel Extension Component</description>
-	<exec>@libexecdir@/ibus-extension-gtk3</exec>
+	<exec>ibus-extension-gtk3</exec>
 	<version>@VERSION@</version>
 	<author>Takao Fujiwara &lt;takao.fujiwara1@gmail.com&gt;</author>
 	<license>GPL</license>
diff --git a/ui/gtk3/gtkpanel.xml.in b/ui/gtk3/gtkpanel.xml.in
index b61f400..2175b93 100644
--- a/ui/gtk3/gtkpanel.xml.in
+++ b/ui/gtk3/gtkpanel.xml.in
@@ -3,7 +3,7 @@
 <component>
 	<name>org.freedesktop.IBus.Panel</name>
 	<description>Gtk Panel Component</description>
-	<exec>@libexecdir@/ibus-ui-gtk3</exec>
+	<exec>ibus-ui-gtk3</exec>
 	<version>@VERSION@</version>
 	<author>Peng Huang &lt;shawn.p.huang@gmail.com&gt;</author>
 	<license>GPL</license>