There are at least 4400 instances of insecure g+w file perms in the qt5-* tarballs that pkg unpacks into /usr/local/include/qt5 on amd64 and likely all platforms. This changed sometime between mid Nov and end Jan.

```
tar -tvf <tarball> | egrep '^.....w'
```

Fix is to revert back to the correct and secure g-w.

Incomplete tarball list...

- qt5-concurrent-5.9.4.txz
- qt5-core-5.9.4.txz
- qt5-dbus-5.9.4.txz
- qt5-gui-5.9.4_2.txz
- qt5-network-5.9.4_1.txz
- qt5-opengl-5.9.4.txz
- qt5-printsupport-5.9.4.txz
- qt5-svg-5.9.4.txz
- qt5-widgets-5.9.4.txz
- qt5-x11extras-5.9.4.txz
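The check above (group-write bit at column six of the tar listing) and the eventual fix (extracting with `--no-same-owner --no-same-permissions`, as the later commits do) can be exercised end to end on a throwaway archive. The script below is an added example and is not part of this PR or of the ports framework; it assumes a POSIX shell with `tar`, `ls` and `mktemp`, and the file and path names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the PR): detect group-writable entries in a package
# tarball and show why extracting with --no-same-permissions fixes the modes.
# Assumes a POSIX shell with tar, ls and mktemp.

# Extraction honours the umask only when --no-same-permissions is in effect,
# so pin it so the demo is deterministic regardless of the caller's umask.
umask 022

# list_group_writable: filter a `tar -tv` listing on stdin to the entries whose
# mode string has the group-write bit set (the reporter's egrep '^.....w').
list_group_writable() {
    grep '^.....w'
}

# count_group_writable ARCHIVE: number of group-writable entries in a real
# archive. tar -t reports the modes stored in the archive, so this works for
# any user, not only root.
count_group_writable() {
    tar -tvf "$1" | list_group_writable | wc -l | tr -d ' '
}

# Constructed sample listing in the format of the tar tvzf output quoted in the
# PR (good, bad, bad directory, good).
SAMPLE_LISTING='-rw-r--r-- 0 root wheel 1369 Oct 25 09:16 /usr/local/lib/qt5/mkspecs/common/linux.conf
-rw-rw-r-- 0 root wheel 1369 Oct 25 09:16 /usr/local/lib/qt5/mkspecs/common/linux.conf
drwxrwxr-x 0 root wheel    0 Oct 25 09:16 /usr/local/include/qt5/QtCore/
-rw-r--r-- 0 root wheel 2048 Oct 25 09:16 /usr/local/include/qt5/QtCore/qglobal.h'

# count_sample: run the filter over the constructed listing (expect 2 hits).
count_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | list_group_writable | wc -l | tr -d ' '
}

# make_demo_archive SCRATCHDIR: build a small archive containing one header
# stored with the insecure g+w mode from the report; prints the archive path.
make_demo_archive() {
    mkdir -p "$1/src/include"
    printf '#define DEMO_HEADER 1\n' > "$1/src/include/demo.h"
    chmod 664 "$1/src/include/demo.h"          # group-writable, as in the bad packages
    tar -cf "$1/demo.tar" -C "$1/src" include
    echo "$1/demo.tar"
}

# extract_with_framework_flags ARCHIVE DESTDIR: extract the way the ports
# framework does by default, i.e. without preserving archive ownership or
# modes, and print the resulting mode string of the header (expect -rw-r--r--).
extract_with_framework_flags() {
    mkdir -p "$2"
    tar --no-same-owner --no-same-permissions -xf "$1" -C "$2"
    ls -l "$2/include/demo.h" | cut -c1-10
}

# Stand-alone usage: sh check_gw.sh <package.txz> scans a real package.
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "group-writable entries in $1: $(count_group_writable "$1")"
    tar -tvf "$1" | list_group_writable
fi
```

Run with no arguments the script only defines the helpers; with a package path it prints the count and the offending entries, which is the same information as the reporter's one-liner but reusable in a post-build audit of a package set.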
A commit references this bug:

Author: tcberner
Date: Thu Mar 29 19:03:24 UTC 2018
New revision: 465911
URL: https://svnweb.freebsd.org/changeset/ports/465911

Log:
  Fix permissions in installed Qt5 header files

  For the qt5-* ports bsd.qt.mk sets EXTRACT_AFTER_ARGS, and thereby does not get the normal default value of --no-same-owner --no-same-permissions passed when extracting. This led to for example header files being installed (i.e. copied), with permissions group write permissions.

  Manually append that to the bsd.qt.mk shenanigans (also do the same in www/qt5-webchannel, which opts out of the bsd.qt.mk value)

  PR: 227027
  Reported by: grarpamp@gmail.com

Changes:
  head/Mk/bsd.qt.mk
  head/accessibility/qt5-speech/Makefile
  head/comms/qt5-connectivity/Makefile
  head/comms/qt5-sensors/Makefile
  head/comms/qt5-serialbus/Makefile
  head/comms/qt5-serialport/Makefile
  head/databases/qt5-sql/Makefile
  head/devel/qt5-assistant/Makefile
  head/devel/qt5-buildtools/Makefile
  head/devel/qt5-concurrent/Makefile
  head/devel/qt5-core/Makefile
  head/devel/qt5-dbus/Makefile
  head/devel/qt5-designer/Makefile
  head/devel/qt5-help/Makefile
  head/devel/qt5-linguist/Makefile
  head/devel/qt5-linguisttools/Makefile
  head/devel/qt5-location/Makefile
  head/devel/qt5-qdbus/Makefile
  head/devel/qt5-qdbusviewer/Makefile
  head/devel/qt5-qdoc/Makefile
  head/devel/qt5-qdoc-data/Makefile
  head/devel/qt5-qmake/Makefile
  head/devel/qt5-script/Makefile
  head/devel/qt5-scripttools/Makefile
  head/devel/qt5-scxml/Makefile
  head/devel/qt5-testlib/Makefile
  head/devel/qt5-uitools/Makefile
  head/graphics/qt5-3d/Makefile
  head/graphics/qt5-graphicaleffects/Makefile
  head/graphics/qt5-imageformats/Makefile
  head/graphics/qt5-opengl/Makefile
  head/graphics/qt5-pixeltool/Makefile
  head/graphics/qt5-svg/Makefile
  head/graphics/qt5-wayland/Makefile
  head/lang/qt5-qml/Makefile
  head/misc/qt5-doc/Makefile
  head/misc/qt5-examples/Makefile
  head/misc/qt5-l10n/Makefile
  head/multimedia/qt5-multimedia/Makefile
  head/net/qt5-network/Makefile
  head/print/qt5-printsupport/Makefile
  head/sysutils/qt5-qtdiag/Makefile
  head/sysutils/qt5-qtpaths/Makefile
  head/sysutils/qt5-qtplugininfo/Makefile
  head/textproc/qt5-xml/Makefile
  head/textproc/qt5-xmlpatterns/Makefile
  head/www/qt5-webchannel/Makefile
  head/www/qt5-webengine/Makefile
  head/www/qt5-websockets/Makefile
  head/www/qt5-websockets-qml/Makefile
  head/x11/qt5-qev/Makefile
  head/x11/qt5-x11extras/Makefile
  head/x11-toolkits/qt5-canvas3d/Makefile
  head/x11-toolkits/qt5-charts/Makefile
  head/x11-toolkits/qt5-datavis3d/Makefile
  head/x11-toolkits/qt5-gamepad/Makefile
  head/x11-toolkits/qt5-gui/Makefile
  head/x11-toolkits/qt5-quick/Makefile
  head/x11-toolkits/qt5-quickcontrols/Makefile
  head/x11-toolkits/qt5-quickcontrols2/Makefile
  head/x11-toolkits/qt5-uiplugin/Makefile
  head/x11-toolkits/qt5-virtualkeyboard/Makefile
  head/x11-toolkits/qt5-widgets/Makefile
A fix has been committed. Thanks for the report :)
FYI, this issue has either reappeared, or the fix was not applied broadly enough, or did not make it upstream...

Possibly incomplete tarball list, ~500 g+w perms...

- qt5-qmake-5.13.2.txz
Confirmed. In my *local* poudriere builds, the issue is not present,

```
$ tar tvzf /usr/local/poudriere/data/packages/120amd64-ports-area51-default/All/qt5-qmake-5.13.2.txz | grep linux.conf
-rw-r--r--  0 root   wheel    1369 Oct 25 09:16 /usr/local/lib/qt5/mkspecs/common/linux.conf
```

But in the package obtained from the official servers,

```
$ tar tvzf qt5-qmake-5.13.2.txz | grep linux.conf
-rw-rw-r--  0 root   wheel    1369 Oct 25 09:16 /usr/local/lib/qt5/mkspecs/common/linux.conf
```
Looks like the changes from the last time got lost when Qt moved from bsd.qt.mk to Uses/qt.mk (and in particular, qt-dist.mk). See https://reviews.freebsd.org/D22999
A commit references this bug:

Author: adridg
Date: Thu Jan 2 20:13:11 UTC 2020
New revision: 521876
URL: https://svnweb.freebsd.org/changeset/ports/521876

Log:
  Fix up file permissions in Qt ports.

  Because qt-dist.mk sets EXTRACT_AFTER_ARGS, the framework-standard --no-same-owner and --no-same-permissions aren't added. That means that the files end up in packages with the permissions from the tarball, and in particular that official packages contain group-writable (wheel) includes (C++ headers) and other files.

  This was reported in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227027 and fixed in 465911 (18 months ago) but the move from bsd.qt.mk to Uses/qt-dist.mk lost those settings again. Re-add them to the Uses/ file to improve package security.

  (The problem does not seem to be present in my local poudriere builds)

  PR: 227027
  Reported by: grarpamp@gmail.com
  Reviewed by: tcberner
  Approved by: tcberner
  MFH: 2020Q1
  Differential Revision: https://reviews.freebsd.org/D22999

Changes:
  head/Mk/Uses/qt-dist.mk
A commit references this bug:

Author: adridg
Date: Thu Jan 2 22:08:28 UTC 2020
New revision: 521884
URL: https://svnweb.freebsd.org/changeset/ports/521884

Log:
  MFH: r521876

  Fix up file permissions in Qt ports.

  Because qt-dist.mk sets EXTRACT_AFTER_ARGS, the framework-standard --no-same-owner and --no-same-permissions aren't added. That means that the files end up in packages with the permissions from the tarball, and in particular that official packages contain group-writable (wheel) includes (C++ headers) and other files.

  This was reported in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227027 and fixed in 465911 (18 months ago) but the move from bsd.qt.mk to Uses/qt-dist.mk lost those settings again. Re-add them to the Uses/ file to improve package security.

  (The problem does not seem to be present in my local poudriere builds)

  PR: 227027
  Reported by: grarpamp@gmail.com
  Reviewed by: tcberner
  Approved by: tcberner
  Differential Revision: https://reviews.freebsd.org/D22999
  Approved by: portmgr (joneum)

Changes:
  _U branches/2020Q1/
  branches/2020Q1/Mk/Uses/qt-dist.mk
This isn't really resolved until the packages are rebuilt, which requires either a PORTREVISION bump or a newer Qt version (and qmake version, and some other bits).
A commit references this bug:

Author: adridg
Date: Mon Jan 13 11:56:43 UTC 2020
New revision: 522879
URL: https://svnweb.freebsd.org/changeset/ports/522879

Log:
  Bump PORTREVISION to force rebuild of devel/qt5-qmake

  This should have happened with r521876, which changed some Qt5 infrastructure to add --no-same-owner --no-same-permissions to extract args. This possibly needs to happen in other Qt ports as well (or wait for 5.14 to land).

  PR: 227027

Changes:
  head/devel/qt5-qmake/Makefile
Today, June 28 2020, I retrieved the official packages built by the FreeBSD cluster, from http://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/qt5-qmake-5.14.2.txz, and obtain

```
[adridg@beastie /tmp]$ tar tvzf qt5-qmake-5.14.2.txz | grep linux.conf
-rw-r--r--  0 root   wheel    1369 Mar 27 10:49 /usr/local/lib/qt5/mkspecs/common/linux.conf
```