Date: Sat, 23 Nov 2024 18:26:53 GMT
Message-Id: <202411231826.4ANIQrMw039939@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Michael Gmelin
Subject: git: 48716a2641e3 - 2024Q4 - sysutils/iocage: Add hardening measures on untar
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: grembo
X-Git-Repository: ports
X-Git-Refname: refs/heads/2024Q4
X-Git-Reftype: branch
X-Git-Commit: 48716a2641e3edb9782ad69813ad50f4ecad9bb1

The branch 2024Q4 has been updated by grembo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=48716a2641e3edb9782ad69813ad50f4ecad9bb1

commit 48716a2641e3edb9782ad69813ad50f4ecad9bb1
Author:     Michael Gmelin
AuthorDate: 2024-11-23 17:37:49 +0000
Commit:     Michael Gmelin
CommitDate: 2024-11-23 18:22:58 +0000

    sysutils/iocage: Add hardening measures on untar

    This adds hardening measures while untarring archives fetched over the
    network (including FreeBSD tarballs and iocage plugins), as implemented
    by TrueNAS. This reduces the impact of intentionally malicious or
    accidentally broken archives.

    Please note that users are still advised to only fetch from trusted
    sources and make use of TLS to prevent MITM attacks.

    While there, add patch to store man pages in the correct location.

    Obtained from:	https://github.com/truenas/iocage/pull/358
    (cherry picked from commit c4139815d8f3472317e6461da7f2589cc5a7ccbf)
---
 sysutils/iocage/Makefile                           |  1 +
 .../iocage/files/patch-iocage__lib_ioc__fetch.py   | 22 ++++++++++++++++++++++
 .../iocage/files/patch-iocage__lib_ioc__plugin.py  | 22 ++++++++++++++++++++++
 sysutils/iocage/files/patch-setup.py               | 15 +++++++++++++++
 4 files changed, 60 insertions(+)

diff --git a/sysutils/iocage/Makefile b/sysutils/iocage/Makefile
index 7382360fb479..5b743bb4344a 100644
--- a/sysutils/iocage/Makefile
+++ b/sysutils/iocage/Makefile @@ -1,5 +1,6 @@ PORTNAME= iocage PORTVERSION= 1.8 +PORTREVISION= 1 CATEGORIES= sysutils python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py new file mode 100644 index 000000000000..73d8b6e58068 --- /dev/null +++ b/sysutils/iocage/files/patch-iocage__lib_ioc__fetch.py @@ -0,0 +1,22 @@ +--- iocage_lib/ioc_fetch.py.orig 2024-09-20 06:45:27 UTC ++++ iocage_lib/ioc_fetch.py +@@ -47,7 +47,10 @@ import iocage_lib.ioc_start + from iocage_lib.pools import Pool + from iocage_lib.dataset import Dataset + ++# deliberately crash if tarfile doesn't have required filter ++tarfile.tar_filter + ++ + class IOCFetch: + + """Fetch a RELEASE for use as a jail base.""" +@@ -817,7 +820,7 @@ class IOCFetch: + # removing them first. + member = self.__fetch_extract_remove__(f) + member = self.__fetch_check_members__(member) +- f.extractall(dest, members=member) ++ f.extractall(dest, members=member, filter='tar') + + def fetch_update(self, cli=False, uuid=None): + """This calls 'freebsd-update' to update the fetched RELEASE.""" diff --git a/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py b/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py new file mode 100644 index 000000000000..be9ee84d1e3f --- /dev/null +++ b/sysutils/iocage/files/patch-iocage__lib_ioc__plugin.py 
@@ -0,0 +1,22 @@ +--- iocage_lib/ioc_plugin.py.orig 2024-09-20 06:45:27 UTC ++++ iocage_lib/ioc_plugin.py +@@ -61,7 +61,10 @@ from iocage_lib.dataset import Dataset + GIT_LOCK = threading.Lock() + RE_PLUGIN_VERSION = re.compile(r'"path":"([/\.\+,\d\w-]*)\.txz"') + ++# deliberately crash if tarfile doesn't have required filter ++tarfile.tar_filter + ++ + class IOCPlugin(object): + + """ +@@ -157,7 +160,7 @@ class IOCPlugin(object): + shutil.copyfileobj(r.raw, f) + + with tarfile.open(packagesite_txz_path) as p_file: +- p_file.extractall(path=tmpdir) ++ p_file.extractall(path=tmpdir, filter='data') + + packagesite_path = os.path.join(tmpdir, 'packagesite.yaml') + if not os.path.exists(packagesite_path): diff --git a/sysutils/iocage/files/patch-setup.py b/sysutils/iocage/files/patch-setup.py new file mode 100644 index 000000000000..cad071146d2d --- /dev/null +++ b/sysutils/iocage/files/patch-setup.py @@ -0,0 +1,15 @@ +--- setup.py.orig 2024-09-20 06:45:27 UTC ++++ setup.py +@@ -30,10 +30,10 @@ from setuptools import find_packages, setup + + if os.path.isdir("/".join([sys.prefix, "etc/init.d"])): + _data = [('etc/init.d', ['rc.d/iocage']), +- ('man/man8', ['iocage.8.gz'])] ++ ('share/man/man8', ['iocage.8.gz'])] + else: + _data = [('etc/rc.d', ['rc.d/iocage']), +- ('man/man8', ['iocage.8.gz'])] ++ ('share/man/man8', ['iocage.8.gz'])] + + if os.path.isdir("/".join([sys.prefix, "share/zsh/site-functions/"])): + _data.append(('share/zsh/site-functions', ['zsh-completion/_iocage']))
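Review bot: in the first hunk of patch-iocage__lib_ioc__fetch.py, the bare expression `tarfile.tar_filter` fails with a generic AttributeError that says nothing about why, and linters flag it as a statement with no effect. An explicit guard with a message naming the requirement fails just as early and reads better, e.g. `if not hasattr(tarfile, "tar_filter"): raise RuntimeError("tarfile extraction filters required (Python 3.12 or a PEP 706 backport)")`. The hunk context (the `import iocage_lib.ioc_start` / `from iocage_lib.pools import Pool` lines) does not show `import tarfile`; confirm the module imports it above line 47 so the sentinel does not itself raise NameError.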
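Review bot: in the second hunk of patch-iocage__lib_ioc__fetch.py, `f.extractall(dest, members=member, filter='tar')` changes more than the path checks: the `tar` filter also masks every member's mode with 0o755, clearing setuid, setgid and sticky bits and group/other write bits. This method fetches a RELEASE "for use as a jail base", and FreeBSD base tarballs carry setuid binaries (su, passwd and friends), so the extracted jail base will no longer match a tar(1) extraction of the same archive. Confirm that is intended; if not, pass a callable that applies `tarfile.tar_filter` for its path checks but returns the member's original mode, and either way document the behaviour change in the commit message. Note also that `tar`, unlike `data`, still extracts symlinks with absolute or out-of-tree targets and device nodes; that is a reasonable trade-off for a base system tarball, but worth stating next to the call.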
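Review bot: in the first hunk of patch-iocage__lib_ioc__plugin.py, the sentinel probes `tarfile.tar_filter` while the extraction later in the same file uses `filter='data'`; the guard should name the attribute the code actually depends on, `tarfile.data_filter`, so that it matches the runtime requirement rather than a sibling API that happens to ship alongside it. The same comment about a descriptive error instead of a bare attribute access applies here as in ioc_fetch.py.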
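Review bot: in the second hunk of patch-iocage__lib_ioc__plugin.py, `p_file.extractall(path=tmpdir, filter='data')` still unpacks every member of packagesite.txz into tmpdir, although the following lines only look for `packagesite.yaml` at the top level. `data` is the right filter for this archive (no devices, no links, no ownership needed), but extracting just the one member, `p_file.extract('packagesite.yaml', path=tmpdir, filter='data')`, would write nothing else to tmpdir and turn the `os.path.exists(packagesite_path)` check into a KeyError you can report directly.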
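Review bot: in the patch-setup.py hunk, both branches of the `if os.path.isdir(...)` change the same `('man/man8', ...)` entry to `('share/man/man8', ...)`; the man page tuple could be appended once outside the conditional, since only the rc script location differs between the branches. The diffstat lists no pkg-plist change: if the port ships a static plist, `share/man/man8/iocage.8.gz` has to replace the old `man/man8` entry there too, otherwise `make check-plist` will flag the moved file.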