Re: extfs trpm



Hi,

I wrote:
> This is rather academical and rpm names starting with a hyphen will
> break a lot of other tools, so the chance they are being used is
> practically zero. And if they are used this will only break output and
> not cause "bad things".

There is one occurrence of rpm -e "$1". I don't think this is
exploitable, but I've decided to add -- before all "$1"s in rpm calls. It
can't hurt. See attached patch.

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

--- vfs/extfs/trpm.000	2003-05-30 22:27:08.000000000 +0200
+++ vfs/extfs/trpm	2004-10-20 00:34:50.000000000 +0200
@@ -19,6 +19,12 @@ unset LC_ALL
 LC_TIME=C
 export LC_TIME
 
+if rpm --nosignature --version >/dev/null 2>&1; then
+  RPM="rpm --nosignature"
+else
+  RPM="rpm"
+fi
+
 mcrpmfs_list ()
 {
     # set MCFASTRPM_DFLT to 1 for faster rpm files handling by default, to 0 for
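Review bot: The new `RPM="rpm --nosignature"` assignment has no comment, although it changes two things a maintainer needs to know: where the option is supported, every query in the script now runs without rpm's signature verification, and `$RPM` must stay unquoted at each call site so that it splits into command and option. I would put a comment above the `if`, for example `# Use --nosignature where rpm supports it: queries then skip signature checks. $RPM is expanded unquoted on purpose.` If the erase call in mcrpmfs_run keeps plain `rpm` deliberately, that is worth stating in the same comment.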
@@ -28,36 +34,36 @@ mcrpmfs_list ()
       MCFASTRPM=$MCFASTRPM_DFLT
     fi
     FILEPREF="-r--r--r--   1 root     root    "
-    DESC=`rpm -qi $1`
-    DATE=`rpm -q --qf "%{BUILDTIME:date}" $1 | cut -c 5-11,21-24`
+    DESC=`$RPM -qi -- "$1"`
+    DATE=`$RPM -q --qf "%{BUILDTIME:date}" -- "$1" | cut -c 5-11,21-24`
     HEADERSIZE=`echo "$DESC" | wc -c`
     echo "-r--r--r--   1 root     root  $HEADERSIZE $DATE HEADER"
-    echo "-r-xr-xr-x   1 root     root    39 $DATE UNINSTALL"
+    echo "-r-xr-xr-x   1 root     root    40 $DATE UNINSTALL"
     echo "dr-xr-xr-x   3 root     root	   0 $DATE INFO"
     echo "$FILEPREF 0 $DATE INFO/NAME-VERSION-RELEASE"
     echo "$FILEPREF 0 $DATE INFO/GROUP"
     echo "$FILEPREF 0 $DATE INFO/BUILDHOST"
     echo "$FILEPREF 0 $DATE INFO/SOURCERPM"
     if test "$MCFASTRPM" = 0 ; then
-     test "`rpm -q --qf \"%{DISTRIBUTION}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{DISTRIBUTION}\" -- "$1"`" = "(none)" ||
  	 echo "$FILEPREF 0 $DATE INFO/DISTRIBUTION"
-     test "`rpm -q --qf \"%{VENDOR}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{VENDOR}\" -- "$1"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/VENDOR"
-     test "`rpm -q --qf \"%{DESCRIPTION}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{DESCRIPTION}\" -- "$1"`" = "(none)" ||
          echo "$FILEPREF 0 $DATE INFO/DESCRIPTION"
-     test "`rpm -q --qf \"%{SUMMARY}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{SUMMARY}\" -- "$1"`" = "(none)" ||
          echo "$FILEPREF 0 $DATE INFO/SUMMARY"
-     if test "`rpm -q --qf \"%{RPMTAG_PREIN}%{RPMTAG_POSTIN}%{RPMTAG_PREUN}%{RPMTAG_POSTUN}%{VERIFYSCRIPT}\" $1`" != "(none)(none)(none)(none)(none)"; then
+     if test "`$RPM -q --qf \"%{RPMTAG_PREIN}%{RPMTAG_POSTIN}%{RPMTAG_PREUN}%{RPMTAG_POSTUN}%{VERIFYSCRIPT}\" -- "$1"`" != "(none)(none)(none)(none)(none)"; then
 	echo "dr-xr-xr-x   1 root     root     0 $DATE INFO/SCRIPTS"
-	test "`rpm -q --qf \"%{RPMTAG_PREIN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_PREIN}\" -- "$1"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/PREIN"
-	test "`rpm -q --qf \"%{RPMTAG_POSTIN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_POSTIN}\" -- "$1"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/POSTIN"
-	test "`rpm -q --qf \"%{RPMTAG_PREUN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_PREUN}\" -- "$1"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/PREUN"
-	test "`rpm -q --qf \"%{RPMTAG_POSTUN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_POSTUN}\" -- "$1"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/POSTUN"
-	test "`rpm -q --qf \"%{VERIFYSCRIPT}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{VERIFYSCRIPT}\" -- "$1"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/VERIFYSCRIPT"
         echo "$FILEPREF 0 $DATE INFO/SCRIPTS/ALL"
      fi
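Review bot: The rewritten `test` lines mix two quoting styles inside a backquoted command that is itself inside double quotes: the format string is written `\"%{VENDOR}\"` while the new argument is a bare `"$1"`. Shells disagree on how an unescaped double quote inside such a substitution is parsed, so whether `"$1"` really reaches rpm as one word depends on which shell runs the script (the interpreter line is not visible here). Assigning first avoids the nesting, e.g. ``vendor=`$RPM -q --qf "%{VENDOR}" -- "$1"` `` followed by `test "$vendor" = "(none)" || echo "$FILEPREF 0 $DATE INFO/VENDOR"`. The same applies to the other `test` lines in this hunk and in the next one. mcrpmfs_list starts before this hunk and continues after it.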
@@ -75,88 +81,96 @@ mcrpmfs_list ()
      echo "$FILEPREF 0 $DATE INFO/SCRIPTS/ALL"
     fi
     if test "$MCFASTRPM" = 0 ; then
-     test "`rpm -q --qf \"%{PACKAGER}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{PACKAGER}\" -- "$1"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/PACKAGER"
-     test "`rpm -q --qf \"%{URL}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{URL}\" -- "$1"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/URL"
-     test "`rpm -q --qf \"%{SERIAL}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{SERIAL}\" -- "$1"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/SERIAL"
-     test "`rpm -q --qf \"%{COPYRIGHT}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{COPYRIGHT}\" -- "$1"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/COPYRIGHT"
+     test "`$RPM -q --qf \"%{LICENSE}\" -- "$1"`" = "(none)" ||
+	 echo "$FILEPREF 0 $DATE INFO/LICENSE"
     else
 	 echo "$FILEPREF 0 $DATE INFO/PACKAGER"
 	 echo "$FILEPREF 0 $DATE INFO/URL"
 	 echo "$FILEPREF 0 $DATE INFO/SERIAL"
 	 echo "$FILEPREF 0 $DATE INFO/COPYRIGHT"
+	 echo "$FILEPREF 0 $DATE INFO/LICENSE"
     fi
     echo "$FILEPREF 0 $DATE INFO/BUILDTIME"
     echo "$FILEPREF 0 $DATE INFO/RPMVERSION"
     echo "$FILEPREF 0 $DATE INFO/OS"
     echo "$FILEPREF 0 $DATE INFO/SIZE"
     if test "$MCFASTRPM" != 0 ; then
-    rpm -q --qf "[%{REQUIRENAME}\n]" $1 | grep "(none)" > /dev/null ||
+    $RPM -q --qf "[%{REQUIRENAME}\n]" -- "$1" | grep "(none)" > /dev/null ||
 	echo "$FILEPREF 0 $DATE INFO/REQUIRENAME"
-    rpm -q --qf "[%{PROVIDES}\n]" $1 | grep "(none)" > /dev/null ||
+    $RPM -q --qf "[%{OBSOLETES}\n]" -- "$1" | grep "(none)" > /dev/null ||
+	echo "$FILEPREF 0 $DATE INFO/OBSOLETES"
+    $RPM -q --qf "[%{PROVIDES}\n]" -- "$1" | grep "(none)" > /dev/null ||
 	echo "$FILEPREF 0 $DATE INFO/PROVIDES"
-    test "`rpm -q --qf \"%{CHANGELOGTEXT}\" $1`" = "(none)" ||
+    test "`$RPM -q --qf \"%{CHANGELOGTEXT}\" -- "$1"`" = "(none)" ||
        echo "$FILEPREF 0 $DATE INFO/CHANGELOG"
     else 
 	echo "$FILEPREF 0 $DATE INFO/REQUIRENAME"
+	echo "$FILEPREF 0 $DATE INFO/OBSOLETES"
 	echo "$FILEPREF 0 $DATE INFO/PROVIDES"
         echo "$FILEPREF 0 $DATE INFO/CHANGELOG"
     fi
 
-    rpm -qlv $1 | grep '^[A-Za-z0-9-]'
+    $RPM -qlv -- "$1" | grep '^[A-Za-z0-9-]'
 }
 
 mcrpmfs_copyout ()
 {
     case "$2" in
-	HEADER) rpm -qi $1 > $3; exit 0;;
-	UNINSTALL) echo "# Run this to uninstall this RPM package" > $3; exit 0;;
-	INFO/NAME-VERSION-RELEASE)	rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" $1 > $3; exit 0;;
-	INFO/RELEASE)		rpm -q --qf "%{RELEASE}\n" $1 > $3; exit 0;;
-	INFO/GROUP)		rpm -q --qf "%{GROUP}\n" $1 > $3; exit 0;;
-	INFO/DISTRIBUTION) 	rpm -q --qf "%{DISTRIBUTION}\n" $1 > $3; exit 0;;
-	INFO/VENDOR)		rpm -q --qf "%{VENDOR}\n" $1 > $3; exit 0;;
-	INFO/BUILDHOST)		rpm -q --qf "%{BUILDHOST}\n" $1 > $3; exit 0;;
-	INFO/SOURCERPM)		rpm -q --qf "%{SOURCERPM}\n" $1 > $3; exit 0;;
-	INFO/DESCRIPTION)	rpm -q --qf "%{DESCRIPTION}\n" $1 > $3; exit 0;;
-	INFO/PACKAGER)		rpm -q --qf "%{PACKAGER}\n" $1 > $3; exit 0;;
-	INFO/URL)		rpm -q --qf "%{URL}\n" $1 >$3; exit 0;;
-	INFO/BUILDTIME)		rpm -q --qf "%{BUILDTIME:date}\n" $1 >$3; exit 0;;
-	INFO/SERIAL)		rpm -q --qf "%{SERIAL}\n" $1 >$3; exit 0;;
-	INFO/COPYRIGHT)		rpm -q --qf "%{COPYRIGHT}\n" $1 >$3; exit 0;;
-	INFO/RPMVERSION)	rpm -q --qf "%{RPMVERSION}\n" $1 >$3; exit 0;;
-	INFO/REQUIRENAME)	rpm -q --qf "[%{REQUIRENAME} %{REQUIREFLAGS:depflags} %{REQUIREVERSION}\n]" $1 >$3; exit 0;;
-	INFO/PROVIDES)		rpm -q --qf "[%{PROVIDES}\n]" $1 >$3; exit 0;;
-	INFO/SCRIPTS/PREIN)	rpm -q --qf "%{RPMTAG_PREIN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/POSTIN)	rpm -q --qf "%{RPMTAG_POSTIN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/PREUN)	rpm -q --qf "%{RPMTAG_PREUN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/POSTUN)	rpm -q --qf "%{RPMTAG_POSTUN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/VERIFYSCRIPT)	rpm -q --qf "%{VERIFYSCRIPT}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/ALL)		rpm -q --scripts $1 > $3; exit 0;;
-	INFO/SUMMARY)		rpm -q --qf "%{SUMMARY}\n" $1 > $3; exit 0;;
-	INFO/OS)		rpm -q --qf "%{OS}\n" $1 > $3; exit 0;;
-	INFO/CHANGELOG)		rpm -q --qf "[* %{CHANGELOGTIME:date} %{CHANGELOGNAME}\n%{CHANGELOGTEXT}\n\n]\n" $1 > $3; exit 0;;
-	INFO/SIZE)		rpm -q --qf "%{SIZE} bytes\n" $1 > $3; exit 0;;
+	HEADER) $RPM -qi -- "$1" > "$3"; exit 0;;
+	UNINSTALL) echo "# Run this to uninstall this RPM package" > "$3"; exit 0;;
+	INFO/NAME-VERSION-RELEASE)	$RPM -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" -- "$1" > "$3"; exit 0;;
+	INFO/RELEASE)		$RPM -q --qf "%{RELEASE}\n" -- "$1" > "$3"; exit 0;;
+	INFO/GROUP)		$RPM -q --qf "%{GROUP}\n" -- "$1" > "$3"; exit 0;;
+	INFO/DISTRIBUTION) 	$RPM -q --qf "%{DISTRIBUTION}\n" -- "$1" > "$3"; exit 0;;
+	INFO/VENDOR)		$RPM -q --qf "%{VENDOR}\n" -- "$1" > "$3"; exit 0;;
+	INFO/BUILDHOST)		$RPM -q --qf "%{BUILDHOST}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SOURCERPM)		$RPM -q --qf "%{SOURCERPM}\n" -- "$1" > "$3"; exit 0;;
+	INFO/DESCRIPTION)	$RPM -q --qf "%{DESCRIPTION}\n" -- "$1" > "$3"; exit 0;;
+	INFO/PACKAGER)		$RPM -q --qf "%{PACKAGER}\n" -- "$1" > "$3"; exit 0;;
+	INFO/URL)		$RPM -q --qf "%{URL}\n" -- "$1" > "$3"; exit 0;;
+	INFO/BUILDTIME)		$RPM -q --qf "%{BUILDTIME:date}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SERIAL)		$RPM -q --qf "%{SERIAL}\n" -- "$1" > "$3"; exit 0;;
+	INFO/COPYRIGHT)		$RPM -q --qf "%{COPYRIGHT}\n" -- "$1" > "$3"; exit 0;;
+	INFO/LICENSE)		$RPM -q --qf "%{LICENSE}\n" -- "$1" > "$3"; exit 0;;
+	INFO/RPMVERSION)	$RPM -q --qf "%{RPMVERSION}\n" -- "$1" > "$3"; exit 0;;
+	INFO/REQUIRENAME)	$RPM -q --qf "[%{REQUIRENAME} %{REQUIREFLAGS:depflags} %{REQUIREVERSION}\n]" -- "$1" > "$3"; exit 0;;
+	INFO/OBSOLETES)		$RPM -q --qf "[%{OBSOLETENAME} %|OBSOLETEFLAGS?{%{OBSOLETEFLAGS:depflags} %{OBSOLETEVERSION}}:{}|\n]" -- "$1" > "$3"; exit 0;;
+	INFO/PROVIDES)		$RPM -q --qf "[%{PROVIDES}\n]" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/PREIN)	$RPM -q --qf "%{RPMTAG_PREIN}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/POSTIN)	$RPM -q --qf "%{RPMTAG_POSTIN}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/PREUN)	$RPM -q --qf "%{RPMTAG_PREUN}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/POSTUN)	$RPM -q --qf "%{RPMTAG_POSTUN}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/VERIFYSCRIPT)	$RPM -q --qf "%{VERIFYSCRIPT}\n" -- "$1" > "$3"; exit 0;;
+	INFO/SCRIPTS/ALL)		$RPM -q --scripts -- "$1" > "$3"; exit 0;;
+	INFO/SUMMARY)		$RPM -q --qf "%{SUMMARY}\n" -- "$1" > "$3"; exit 0;;
+	INFO/OS)		$RPM -q --qf "%{OS}\n" -- "$1" > "$3"; exit 0;;
+	INFO/CHANGELOG)		$RPM -q --qf "[* %{CHANGELOGTIME:date} %{CHANGELOGNAME}\n%{CHANGELOGTEXT}\n\n]\n" -- "$1" > "$3"; exit 0;;
+	INFO/SIZE)		$RPM -q --qf "%{SIZE} bytes\n" -- "$1" > "$3"; exit 0;;
 	*)
-	    cp /$2 $3
+	    cp "/$2" "$3"
     esac
 }
 
 mcrpmfs_run ()
 {
     case "$2" in
-	UNINSTALL) echo "Uninstalling $1"; rpm -e $1; exit 0;;
+	UNINSTALL) echo "Uninstalling $1"; rpm -e -- "$1"; exit 0;;
     esac
 }
 
 name=`sed 's/.*\///;s/\.trpm$//' "$2"`
 
 case "$1" in
-  list) mcrpmfs_list $name; exit 0;;
-  copyout) mcrpmfs_copyout $name $3 $4; exit 0;;
-  run) mcrpmfs_run $name $3; exit 1;;
+  list) mcrpmfs_list "$name"; exit 0;;
+  copyout) mcrpmfs_copyout "$name" "$3" "$4"; exit 0;;
+  run) mcrpmfs_run "$name" "$3"; exit 1;;
 esac
 exit 1
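Review bot: In mcrpmfs_run the new line `rpm -e -- "$1"; exit 0` still exits with 0 whatever rpm returns, so a failed erase is reported to the caller as success. Propagating the status is a one-line change: `UNINSTALL) echo "Uninstalling $1"; rpm -e -- "$1"; exit $?;;`. The copyout arms follow the same `...; exit 0` pattern, so a failed query leaves an empty or partial file in `"$3"` and still reports success. How mc reacts to a non-zero status is not visible in the patch, so this should be checked against the extfs caller.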

