mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-22 01:51:51 +00:00
Code Issues Releases Wiki Activity

images: remove symlink for descriptor.proto

Browse Source 
Currently the build scripts create the following symlink:

  criu-4.1/images/google/protobuf/descriptor.proto -> /usr/include/google/protobuf/descriptor.proto

This symlink points to a system-wide absolute-path target. Also,
this symlink ends up in the release tarball. The tarball may later be
downloaded and unpacked by e.g. OS distributions. If unpacking is
done using Python 3.14+, it will fail.

This happens because Python 3.14 will switch the default behavior of
extractall() from "fully trusting the content of archive" to
"disallow common attack vectors while extracting the archive".
With this new behavior, extractall() raises an exception when at
least one file in the archive extracts or points to outside of the
extraction directory (these are called path traversal attacks and
zip slip attacks).

Reported-by: Dmitrii Kuvaiskii <dimakuv@amazon.de>
Signed-off-by: Radostin Stoyanov <rstoyanov@fedoraproject.org>
This commit is contained in:
Radostin Stoyanov 2025-07-11 22:16:49 +01:00 committed by Andrei Vagin
parent 1bfa74d904
commit 68f92b551c
4 changed files with 16 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.cirrus.yml
View File

@ -15,7 +15,6 @@ task:
setup_script: | setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok sudo kvm-ok
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
build_script: | build_script: |
make -C scripts/ci vagrant-fedora-no-vdso make -C scripts/ci vagrant-fedora-no-vdso
@ -33,7 +32,6 @@ task:
memory: 8G memory: 8G
setup_script: | setup_script: |
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
dnf config-manager --set-enabled crb # Same as CentOS 8 powertools dnf config-manager --set-enabled crb # Same as CentOS 8 powertools
dnf -y install epel-release epel-next-release dnf -y install epel-release epel-next-release
dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata xmlto libdrm-devel libuuid-devel dnf -y install --allowerasing asciidoc gcc git gnutls-devel libaio-devel libasan libcap-devel libnet-devel libnl3-devel libbsd-devel libselinux-devel make protobuf-c-devel protobuf-devel python-devel python-PyYAML python-protobuf python-junit_xml python3-importlib-metadata xmlto libdrm-devel libuuid-devel
@ -67,7 +65,6 @@ task:
setup_script: | setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok sudo kvm-ok
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
build_script: | build_script: |
make -C scripts/ci vagrant-fedora-rawhide make -C scripts/ci vagrant-fedora-rawhide
@ -88,7 +85,6 @@ task:
setup_script: | setup_script: |
scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker scripts/ci/apt-install make gcc pkg-config git perl-modules iproute2 kmod wget cpu-checker
sudo kvm-ok sudo kvm-ok
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
build_script: | build_script: |
make -C scripts/ci vagrant-fedora-non-root make -C scripts/ci vagrant-fedora-non-root
@ -101,7 +97,6 @@ task:
script: uname -a script: uname -a
build_script: | build_script: |
scripts/ci/apt-install make scripts/ci/apt-install make
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci local make -C scripts/ci local
task: task:
@ -113,7 +108,6 @@ task:
script: uname -a script: uname -a
build_script: | build_script: |
scripts/ci/apt-install make scripts/ci/apt-install make
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci local CLANG=1 make -C scripts/ci local CLANG=1
task: task:
@ -125,6 +119,5 @@ task:
script: uname -a script: uname -a
build_script: | build_script: |
scripts/ci/prepare-for-fedora-rawhide.sh scripts/ci/prepare-for-fedora-rawhide.sh
ln -sf /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto
make -C scripts/ci/ local CC=gcc SKIP_CI_PREP=1 SKIP_CI_TEST=1 CD_TO_TOP=1 make -C scripts/ci/ local CC=gcc SKIP_CI_PREP=1 SKIP_CI_TEST=1 CD_TO_TOP=1
make -C test/zdtm -j 4 make -C test/zdtm -j 4

5
.lgtm.yml
View File

@ -23,8 +23,3 @@ extraction:
- "python3-yaml" - "python3-yaml"
- "libnl-route-3-dev" - "libnl-route-3-dev"
- "gnutls-dev" - "gnutls-dev"
configure:
command:
- "ls -laR images/google"
- "ln -s /usr/include/google/protobuf/descriptor.proto images/google/protobuf/descriptor.proto"
- "ls -laR images/google"

17
images/Makefile
View File

@ -58,7 +58,6 @@ proto-obj-y += ext-file.o
proto-obj-y += cgroup.o proto-obj-y += cgroup.o
proto-obj-y += userns.o proto-obj-y += userns.o
proto-obj-y += pidns.o proto-obj-y += pidns.o
proto-obj-y += google/protobuf/descriptor.o # To make protoc happy and compile opts.proto
proto-obj-y += opts.o proto-obj-y += opts.o
proto-obj-y += seccomp.o proto-obj-y += seccomp.o
proto-obj-y += binfmt-misc.o proto-obj-y += binfmt-misc.o
@ -91,6 +90,22 @@ endef
makefile-deps := Makefile $(obj)/Makefile makefile-deps := Makefile $(obj)/Makefile
#
# Generate descriptor.pb-c.c and descriptor.pb-c.h to compile opts.proto.
PROTOBUF_DIR := images/google
DESCRIPTOR_DIR := $(PROTOBUF_DIR)/protobuf
GOOGLE_INCLUDE=$(shell pkg-config protobuf --variable=includedir)/google/protobuf
$(DESCRIPTOR_DIR)/descriptor.pb-c.c: $(GOOGLE_INCLUDE)/descriptor.proto
$$(Q) echo "Generating descriptor.pb-c.c"
$$(Q) protoc --proto_path=/usr/include --proto_path=$(obj)/ --c_out=$(obj)/ $<
cleanup-y += $(DESCRIPTOR_DIR)/descriptor.pb-c.d
submrproper:
$$(Q) rm -rf $(PROTOBUF_DIR)
.PHONY: submrproper
mrproper: submrproper
# #
# Generates rules needed to compile protobuf files. # Generates rules needed to compile protobuf files.
define gen-proto-rules define gen-proto-rules

1
images/google/protobuf/descriptor.proto
View File

@ -1 +0,0 @@
/usr/include/google/protobuf/descriptor.proto