From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert Obkircher
To: pve-devel@lists.proxmox.com
Date: Wed, 19 Nov 2025 15:24:56 +0100
Message-ID: <20251119142738.26840-5-r.obkircher@proxmox.com>
In-Reply-To: <20251119142738.26840-1-r.obkircher@proxmox.com>
References: <20251119142738.26840-1-r.obkircher@proxmox.com>
Subject: [pve-devel] [PATCH v6 pve-container 4/5] fix #6897: constrain and untaint path for systemd version detection

Ensure that the concatenated path stays within the container and untaint it to make it callable from other hooks that run in taint mode and would otherwise get an "Insecure dependency in exec" error.

Signed-off-by: Robert Obkircher
---
 src/PVE/LXC/Setup/Base.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 370f3fa..6865225 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -605,9 +605,16 @@ sub clear_machine_id { sub get_systemd_version { my ($self, $init) = @_; + my $binary = abs_path($self->{rootdir} . $init); + if ($binary =~ /(^\Q$self->{rootdir}\E.*)/) { + $binary = $1; # untainted + } else { + die "Could not construct path to systemd binary: $self->{rootdir}, $init"; + } + my $version = undef; PVE::Tools::run_command( - ['objdump', '-p', $self->{rootdir} . $init], + ['objdump', '-p', $binary], outfunc => sub { my $line = shift; if ($line =~ /libsystemd-shared-(\d+)(?:[-_.][a-zA-Z0-9]+)*\.so:?$/) { -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
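Review bot: the containment check `if ($binary =~ /(^\Q$self->{rootdir}\E.*)/)` in this hunk is a plain string-prefix match, so a resolved path under a sibling directory whose name merely starts with the rootdir string (e.g. `<rootdir>2/...`) would also pass and be untainted; anchoring the match on a path separator, e.g. `/(^\Q$self->{rootdir}\E(?:\/.*)?$)/` (or appending `/` to the rootdir before matching, depending on whether `$self->{rootdir}` carries a trailing slash), closes that gap. Two smaller points: if `abs_path` returns undef (as it does for a non-existent path on common builds), the regex warns about an uninitialized value before falling through to the `die`, so a `defined` check with its own message would make the failure clearer; and since `abs_path` resolves symlinks with host semantics, an `$init` that is still an absolute symlink inside the container (the usual `/sbin/init` -> `/lib/systemd/systemd` layout) would resolve outside the rootdir and hit the `die`, so it is worth confirming that the caller already passes a fully resolved container-relative path.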