Bug 227027 - devel/qt5: insecure file perms in the pkg tarballs
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: kde
Reported: 2018-03-28 10:00 UTC by grarpamp
Modified: 2018-04-08 12:14 UTC
bugzilla: maintainer-feedback? (kde)


Description grarpamp 2018-03-28 10:00:22 UTC
There are at least 4400 instances of insecure g+w file perms in the qt5-* tarballs that pkg unpacks into /usr/local/include/qt5 on amd64 and likely all platforms.

This changed sometime between mid Nov and end Jan.

tar -tvf <tarball> | egrep '^.....w'

Fix is to revert back to the correct and secure g-w.

Incomplete tarball list...

qt5-concurrent-5.9.4.txz
qt5-core-5.9.4.txz
qt5-dbus-5.9.4.txz
qt5-gui-5.9.4_2.txz
qt5-network-5.9.4_1.txz
qt5-opengl-5.9.4.txz
qt5-printsupport-5.9.4.txz
qt5-svg-5.9.4.txz
qt5-widgets-5.9.4.txz
qt5-x11extras-5.9.4.txz
Comment 1 commit-hook freebsd_committer 2018-03-29 19:03:27 UTC
A commit references this bug:

Author: tcberner
Date: Thu Mar 29 19:03:24 UTC 2018
New revision: 465911
URL: https://svnweb.freebsd.org/changeset/ports/465911

Log:
  Fix permissions in installed Qt5 header files

  For the qt5-* ports bsd.qt.mk sets EXTRACT_AFTER_ARGS, and
  thereby does not get the normal default value of
        --no-same-owner --no-same-permissions
  passed when extracting. This led to for example header files
  being installed (i.e. copied), with group write
  permissions.

  Manually append that to the bsd.qt.mk shenanigans (also do the
  same in www/qt5-webchannel, which opts out of the bsd.qt.mk value)

  PR:		227027
  Reported by:	grarpamp@gmail.com

Changes:
  head/Mk/bsd.qt.mk
  head/accessibility/qt5-speech/Makefile
  head/comms/qt5-connectivity/Makefile
  head/comms/qt5-sensors/Makefile
  head/comms/qt5-serialbus/Makefile
  head/comms/qt5-serialport/Makefile
  head/databases/qt5-sql/Makefile
  head/devel/qt5-assistant/Makefile
  head/devel/qt5-buildtools/Makefile
  head/devel/qt5-concurrent/Makefile
  head/devel/qt5-core/Makefile
  head/devel/qt5-dbus/Makefile
  head/devel/qt5-designer/Makefile
  head/devel/qt5-help/Makefile
  head/devel/qt5-linguist/Makefile
  head/devel/qt5-linguisttools/Makefile
  head/devel/qt5-location/Makefile
  head/devel/qt5-qdbus/Makefile
  head/devel/qt5-qdbusviewer/Makefile
  head/devel/qt5-qdoc/Makefile
  head/devel/qt5-qdoc-data/Makefile
  head/devel/qt5-qmake/Makefile
  head/devel/qt5-script/Makefile
  head/devel/qt5-scripttools/Makefile
  head/devel/qt5-scxml/Makefile
  head/devel/qt5-testlib/Makefile
  head/devel/qt5-uitools/Makefile
  head/graphics/qt5-3d/Makefile
  head/graphics/qt5-graphicaleffects/Makefile
  head/graphics/qt5-imageformats/Makefile
  head/graphics/qt5-opengl/Makefile
  head/graphics/qt5-pixeltool/Makefile
  head/graphics/qt5-svg/Makefile
  head/graphics/qt5-wayland/Makefile
  head/lang/qt5-qml/Makefile
  head/misc/qt5-doc/Makefile
  head/misc/qt5-examples/Makefile
  head/misc/qt5-l10n/Makefile
  head/multimedia/qt5-multimedia/Makefile
  head/net/qt5-network/Makefile
  head/print/qt5-printsupport/Makefile
  head/sysutils/qt5-qtdiag/Makefile
  head/sysutils/qt5-qtpaths/Makefile
  head/sysutils/qt5-qtplugininfo/Makefile
  head/textproc/qt5-xml/Makefile
  head/textproc/qt5-xmlpatterns/Makefile
  head/www/qt5-webchannel/Makefile
  head/www/qt5-webengine/Makefile
  head/www/qt5-websockets/Makefile
  head/www/qt5-websockets-qml/Makefile
  head/x11/qt5-qev/Makefile
  head/x11/qt5-x11extras/Makefile
  head/x11-toolkits/qt5-canvas3d/Makefile
  head/x11-toolkits/qt5-charts/Makefile
  head/x11-toolkits/qt5-datavis3d/Makefile
  head/x11-toolkits/qt5-gamepad/Makefile
  head/x11-toolkits/qt5-gui/Makefile
  head/x11-toolkits/qt5-quick/Makefile
  head/x11-toolkits/qt5-quickcontrols/Makefile
  head/x11-toolkits/qt5-quickcontrols2/Makefile
  head/x11-toolkits/qt5-uiplugin/Makefile
  head/x11-toolkits/qt5-virtualkeyboard/Makefile
  head/x11-toolkits/qt5-widgets/Makefile
Comment 2 Tobias C. Berner freebsd_committer 2018-04-08 12:14:01 UTC
A fix has been committed. Thanks for the report :)
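
The check from the description and the effect of the flag named in the commit log, as an added example that is not part of the bug report or the ports tree. It builds a constructed archive holding one g+w header, counts g+w entries with the report's regex, then extracts it once with `-p` (archive modes kept) and once with `--no-same-permissions` (umask applied). The function names and all paths are made up for the demo.

```shell
#!/bin/sh
# Added example; every path and file name here is constructed.

# Build a tarball with one 0664 (g+w) header and one 0644 header.
# $1 = scratch directory; prints the tarball path.
make_sample() {
    (
        umask 022                      # directories come out 0755
        mkdir -p "$1/src/include/qt5"
        echo '/* constructed */' > "$1/src/include/qt5/loose.h"
        echo '/* constructed */' > "$1/src/include/qt5/tight.h"
        chmod 664 "$1/src/include/qt5/loose.h"
        chmod 644 "$1/src/include/qt5/tight.h"
        tar -cf "$1/sample.tar" -C "$1/src" include
        echo "$1/sample.tar"
    )
}

# Count archive entries whose mode string has group write set
# (6th character of the listing), the same regex as in the report.
count_gw_in_archive() {
    tar -tvf "$1" | grep -c '^.....w' || true
}

# Extract $1 into $2 with the extra tar flag $3 under umask 022 and
# count the regular files on disk that ended up group-writable.
count_gw_after_extract() {
    (
        umask 022
        rm -rf "$2" && mkdir -p "$2"
        tar -x $3 -f "$1" -C "$2"      # $3 unquoted on purpose: one flag
        find "$2" -type f -perm -020 | wc -l | tr -d ' '
    )
}

work=$(mktemp -d)
tarball=$(make_sample "$work")
echo "g+w entries in archive:        $(count_gw_in_archive "$tarball")"
echo "g+w files after -p:            $(count_gw_after_extract "$tarball" "$work/p" -p)"
echo "g+w files after --no-same-permissions: $(count_gw_after_extract "$tarball" "$work/n" --no-same-permissions)"
rm -rf "$work"
```

The same `find <dir> -type f -perm -020` check works against an installed tree or a package staging directory.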