xbps icon indicating copy to clipboard operation
xbps copied to clipboard
verified publisher icon void-linux

Bug in xbps-create when a relative symlink point to an absolute symlink

Open tornaria opened this issue 4 years ago • 1 comments

Simple script to reproduce

#! /bin/sh

set -e

PKGVER=bug-1_1
ARCH=x86_64
DESC="Package to show a bug in xbps-create"

DESTDIR=/tmp/bug-1

mkdir -p $DESTDIR/etc/A
ln -s /etc/os-release $DESTDIR/etc/abs
ln -s ../abs $DESTDIR/etc/A/rel

xbps-create --arch "$ARCH" --desc "$DESC" --pkgver "$PKGVER" $DESTDIR

After running this script you'll end up with a badly formed package. Contents are ok:

$ tar tvf bug-1_1.x86_64.xbps
-rw-r--r-- root/root       503 1969-12-31 21:00 ./props.plist
-rw-r--r-- root/root       744 1969-12-31 21:00 ./files.plist
lrwxrwxrwx 0/0               0 2021-11-28 20:06 ./etc/abs -> /etc/os-release
lrwxrwxrwx 0/0               0 2021-11-28 20:06 ./etc/A/rel -> ../abs

But files.plist is wrong:

$ tar xOf bug-1_1.x86_64.xbps ./files.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>dirs</key>
	<array>
		<dict>
			<key>file</key>
			<string>/etc</string>
		</dict>
		<dict>
			<key>file</key>
			<string>/etc/A</string>
		</dict>
	</array>
	<key>links</key>
	<array>
		<dict>
			<key>file</key>
			<string>/etc/A/rel</string>
			<key>mtime</key>
			<integer>1638140801</integer>
			<key>target</key>
			<string>lease</string>
		</dict>
		<dict>
			<key>file</key>
			<string>/etc/abs</string>
			<key>mtime</key>
			<integer>1638140801</integer>
			<key>target</key>
			<string>/etc/os-release</string>
		</dict>
	</array>
</dict>
</plist>

What is going on I think is:

  • the file in destdir /etc/A/rel is a symlink and readlink gives ../abs which is understood to be relative since it starts with .
  • the filename is then canonicalized (using realpath) to /etc/os-release
  • since the symlink was thought to be relative, this is expected to be inside destdir
  • hence we drop the destdir prefix /tmp/bug-1, that's 10 characters so /etc/os-release minus 10 characters gives lease

This actually bit us in the wip sagemath package. The net result is that those symlinks that are badly reported in files.plistare not removed by xbps-remove.

I've since made a workaround in the sagemath package so this won't affect us, but it'd be nice to fix this logic (whiich is kind of hard to understand), at the very least check that the prefix for the link is indeed the destdir before droping it naively and complain if not.

All of this is affected by whether the canonicalized path is actually an existing file; that's why I chose /etc/os-release which should always exist (if this file is not there, the bug doesn't trigger).

tornaria avatar Nov 28 '21 23:11 tornaria

That canonicalizing links is buggy in more ways (try link with last component being ..). I would remove it and store relative target, as it is currently done for symlinks pointing outside of package. This was already done but reverted immediately at a05e039cce with little reason.

Alternatively, something more appropriate than sometimes-realpath, like xbps_path_clean can be tried.

https://github.com/void-linux/xbps/blob/6e3309b564a1e8b32b158d9b6288dd6317c22598/bin/xbps-create/main.c#L355-L422

Chocimier avatar Nov 29 '21 18:11 Chocimier