Bug 237070 - graphics/qgis: installs world-writable files
Summary: graphics/qgis: installs world-writable files
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2019-04-07 13:37 UTC by Martin Birgmeier
Modified: 2019-06-28 08:35 UTC
rhurlin: maintainer-feedback+
Description Martin Birgmeier 2019-04-07 13:37:07 UTC
Scenario:
- Updating qgis using portmaster

Result:
- Excerpt from the install log:

Installing qgis-3.6.0_5...
===> SECURITY REPORT: 
      This port has installed the following world-writable files/directories.
/usr/local/share/qgis/resources/data/contributors.json
/usr/local/share/qgis/resources/data/qgis-hackfests.qml
/usr/local/share/qgis/resources/data/world_map.shp
/usr/local/share/qgis/resources/data/qgis-hackfests.json
/usr/local/share/qgis/resources/data/world_map.shx
/usr/local/share/qgis/resources/data/world_map.qix
/usr/local/share/qgis/resources/data/world_map.prj
/usr/local/share/qgis/resources/data/world_map.qml
/usr/local/share/qgis/resources/data/contributors.qml
/usr/local/share/qgis/resources/data/world_map.dbf

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
https://qgis.org/en/site/

Expected result:
- No world-writable files are installed

-- Martin
Comment 1 Rainer Hurling freebsd_committer freebsd_triage 2019-04-14 10:31:01 UTC
(In reply to Martin Birgmeier from comment #0)

Hi Martin,

Many thanks for the report and sorry for the late answer.

When QGIS 3 was introduced on FreeBSD, I made these files writable because QGIS 3 complained about them when starting 'Project Properties', 'Project Coordinate Reference System (CRS)', or rather CTRL-SHIFT-P:

Warning 4: Failed to open /usr/local/share/qgis/resources/data/world_map.shp: Permission denied.

But it seems this is not really necessary. The world_map files do not need any world-writable rights [1]. So with the next update of graphics/qgis I will change the port back from writable files to read-only ones.

Regards,
Rainer


[1] https://issues.qgis.org/issues/17980
Comment 2 Martin Birgmeier 2019-04-14 16:00:45 UTC
Hi Rainer,

Thank you for taking care of this small issue.

Big thanks for taking care of qgis on FreeBSD!

Best regards, Martin
Comment 3 Martin Birgmeier 2019-06-28 08:35:44 UTC
Seems to be fixed by r501190 which I just installed.

Thanks for fixing this.

-- Martin

Commit log:

r501190 | fernape | 2019-05-10 20:19:03 +0200 (Fri, 10 May 2019) | 13 lines
Changed paths:
   M /head/graphics/qgis/Makefile
   M /head/graphics/qgis/distinfo
   M /head/graphics/qgis/pkg-plist

graphics/qgis: update to 3.6.2

ChangeLog can be found here:
https://qgis.org/en/site/forusers/visualchangelog36/index.html

* Update several Python dependencies
* Add USES=gnome, USE_GNOME=libxml2, USE_QT=gamepad, and
  LIB_DEPENDS=libsz.so:science/szip to pet 'make DEVELOPER=yes'
* Remove 'world writeable rights' in pkg-plist (bug #237070, comment #1)

PR:     237755
Submitted by:   rhurlin@gwdg.de (maintainer)
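
A check of the kind the SECURITY REPORT in the description performs, as an added example that is not part of this bug thread and not the ports framework's own code. It audits an install prefix or staging directory for world-writable files and non-sticky world-writable directories and clears only the offending bit; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an install or staging tree for world-writable entries.
# Function names and the sample tree are constructed for illustration.

# Regular files whose mode has the "other write" bit (0002) set.
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# World-writable directories without the sticky bit (so not /tmp-style 1777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Print a report and return 1 if anything is found; return 0 on a clean tree.
audit_tree() {
    files=$(world_writable_files "$1")
    dirs=$(world_writable_dirs "$1")
    if [ -z "$files" ] && [ -z "$dirs" ]; then
        return 0
    fi
    printf 'world-writable entries under %s:\n' "$1"
    if [ -n "$files" ]; then printf '%s\n' "$files"; fi
    if [ -n "$dirs" ]; then printf '%s\n' "$dirs"; fi
    return 1
}

# Clear only the "other write" bit; every other mode bit stays as installed.
fix_tree() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} +
}

# Build a constructed sample tree (file names borrowed from the report above)
# and print its path. Two files and one directory are made world-writable.
make_sample_tree() (
    umask 022
    t=$(mktemp -d) || exit 1
    d="$t/share/qgis/resources/data"
    mkdir -p "$d"
    : > "$d/world_map.shp"; : > "$d/world_map.dbf"; : > "$d/contributors.json"
    chmod 0666 "$d/world_map.shp" "$d/world_map.dbf"
    chmod 0644 "$d/contributors.json"
    chmod 0777 "$d"
    printf '%s\n' "$t"
)
```

Because `audit_tree` returns non-zero when it finds anything, it can gate a packaging or CI step directly.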