[Bug 227027] devel/qt5: insecure file perms in the pkg tarballs
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Jan 2 20:13:25 GMT 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227027
--- Comment #6 from commit-hook at freebsd.org ---
A commit references this bug:
Author: adridg
Date: Thu Jan 2 20:13:11 UTC 2020
New revision: 521876
URL: https://svnweb.freebsd.org/changeset/ports/521876
Log:
Fix up file permissions in Qt ports.
Because qt-dist.mk sets EXTRACT_AFTER_ARGS, the framework-standard
--no-same-owner and --no-same-permissions aren't added. That means
that the files end up in packages with the permissions from the tarball,
and in particular that official packages contain group-writable (wheel)
includes (C++ headers) and other files.
This was reported in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227027
and fixed in 465911 (18 months ago) but the move from bsd.qt.mk
to Uses/qt-dist.mk lost those settings again. Re-add them to
the Uses/ file to improve package security.
(The problem does not seem to be present in my local poudriere builds)
PR: 227027
Reported by: grarpamp at gmail.com
Reviewed by: tcberner
Approved by: tcberner
MFH: 2020Q1
Differential Revision: https://reviews.freebsd.org/D22999
Changes:
head/Mk/Uses/qt-dist.mk
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the kde-freebsd
mailing list