From 68f92b551c2a8f4a3e7945a95704ac32f6df9083 Mon Sep 17 00:00:00 2001
From: Radostin Stoyanov <rstoyanov@fedoraproject.org>
Date: Fri, 11 Jul 2025 22:16:49 +0100
Subject: [PATCH] images: remove symlink for descriptor.proto

Currently the build scripts create the following symlink:

  criu-4.1/images/google/protobuf/descriptor.proto -> /usr/include/google/protobuf/descriptor.proto

This symlink points to a system-wide absolute-path target. Also,
this symlink ends up in the release tarball. The tarball may later be
downloaded and unpacked by e.g. OS distributions. If unpacking is
done using Python 3.14+, it will fail.

This happens because Python 3.14 will switch the default behavior of
extractall() from "fully trusting the content of archive" to
"disallow common attack vectors while extracting the archive".
With this new behavior, extractall() raises an exception when at
least one file in the archive extracts or points to outside of the
extraction directory (these are called path traversal attacks and
zip slip attacks).

Reported-by: Dmitrii Kuvaiskii <dimakuv@amazon.de>
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
---
 .cirrus.yml                             |  7 -------
 .lgtm.yml                               |  5 -----
 images/Makefile                         | 17 ++++++++++++++++-
 images/google/protobuf/descriptor.proto |  1 -
 4 files changed, 16 insertions(+), 14 deletions(-)
 delete mode 120000 images/google/protobuf/descriptor.proto

diff --git a/.cirrus.yml b/.cirrus.yml
index a4b53a54b..bddd5a3f1 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -15,7 +15,6 @@ task:
   setup_script: |
     scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
     sudo kvm-ok
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
   build_script: |
     make -C scripts/ci vagrant-fedora-no-vdso
 
@@ -33,7 +32,6 @@ task:
     memory: 8G
 
   setup_script: |
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
     dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
     dnf -y install epel-release epel-next-release
     dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata xmlto libdrm-devel libuuid-devel
@@ -67,7 +65,6 @@ task:
   setup_script: |
     scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
     sudo kvm-ok
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
   build_script: |
     make -C scripts/ci vagrant-fedora-rawhide
 
@@ -88,7 +85,6 @@ task:
   setup_script: |
     scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
     sudo kvm-ok
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
   build_script: |
     make -C scripts/ci vagrant-fedora-non-root
 
@@ -101,7 +97,6 @@ task:
   script: uname -a
   build_script: |
     scripts/ci/apt-install make
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
     make -C scripts/ci local
 
 task:
@@ -113,7 +108,6 @@ task:
   script: uname -a
   build_script: |
     scripts/ci/apt-install make
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
     make -C scripts/ci local CLANG=1
 
 task:
@@ -125,6 +119,5 @@ task:
   script: uname -a
   build_script: |
     scripts/ci/prepare-for-fedora-rawhide.sh
-    ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
     make -C scripts/ci/ local CC=gcc SKIP_CI_PREP=1 SKIP_CI_TEST=1 CD_TO_TOP=1
     make -C test/zdtm -j 4
diff --git a/.lgtm.yml b/.lgtm.yml
index 0dd49cda4..4beadcc63 100644
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -23,8 +23,3 @@ extraction:
       - "python3-yaml"
       - "libnl-route-3-dev"
       - "gnutls-dev"
-    configure:
-      command:
-      - "ls -laR images/google"
-      - "ln -s /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto"
-      - "ls -laR images/google"
diff --git a/images/Makefile b/images/Makefile
index d966fbfca..e94346eee 100644
--- a/images/Makefile
+++ b/images/Makefile
@@ -58,7 +58,6 @@ proto-obj-y	+= ext-file.o
 proto-obj-y	+= cgroup.o
 proto-obj-y	+= userns.o
 proto-obj-y	+= pidns.o
-proto-obj-y	+= google/protobuf/descriptor.o # To make protoc happy and compile opts.proto
 proto-obj-y	+= opts.o
 proto-obj-y	+= seccomp.o
 proto-obj-y	+= binfmt-misc.o
@@ -91,6 +90,22 @@ endef
 
 makefile-deps := Makefile $(obj)/Makefile
 
+#
+# Generate descriptor.pb-c.c and descriptor.pb-c.h to compile opts.proto.
+PROTOBUF_DIR := images/google
+DESCRIPTOR_DIR := $(PROTOBUF_DIR)/protobuf
+GOOGLE_INCLUDE=$(shell pkg-config protobuf --variable=includedir)/google/protobuf
+$(DESCRIPTOR_DIR)/descriptor.pb-c.c: $(GOOGLE_INCLUDE)/descriptor.proto
+	$$(Q) echo "Generating descriptor.pb-c.c"
+	$$(Q) protoc --proto_path=/usr/include --proto_path=$(obj)/ --c_out=$(obj)/ $<
+
+cleanup-y += $(DESCRIPTOR_DIR)/descriptor.pb-c.d
+
+submrproper:
+	$$(Q) rm -rf $(PROTOBUF_DIR)
+.PHONY: submrproper
+mrproper: submrproper
+
 #
 # Generates rules needed to compile protobuf files.
 define gen-proto-rules
diff --git a/images/google/protobuf/descriptor.proto b/images/google/protobuf/descriptor.proto
deleted file mode 120000
index 07a4c9add..000000000
--- a/images/google/protobuf/descriptor.proto
+++ /dev/null
@@ -1 +0,0 @@
-/usr/include/google/protobuf/descriptor.proto
\ No newline at end of file