sysutils/iocage-devel: Add hardening measures on untar

This adds hardening measures while untaring archives fetched over the network (including FreeBSD tarballs and iocage plugins), as implemented by TrueNAS. This reduces the impact of intentionally malicious or accidentally broken archives. Please note that users are still advised to only fetch from trusted sources and make use of TLS to prevent MITM attacks. While there, add patch to store man pages in the correct location. Obtained from: https://github.com/truenas/iocage/pull/358
2025-04-28 09:36:41 -04:00 · 2024-11-23 18:11:44 +00:00 · 2024-11-23 18:11:44 +00:00 · a4b2dd4648
commit a4b2dd4648
parent c4139815d8
4 changed files with 60 additions and 0 deletions
--- a/sysutils/iocage-devel/Makefile
+++ b/sysutils/iocage-devel/Makefile
@ -1,5 +1,6 @@
 PORTNAME=	iocage-devel
 PORTVERSION=	1.8.20241014
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	sysutils python
 PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
--- a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
+++ b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__fetch.py
@ -0,0 +1,22 @@
+--- iocage_lib/ioc_fetch.py.orig	2024-09-20 06:45:27 UTC
+++ iocage_lib/ioc_fetch.py
+@@ -47,7 +47,10 @@ import iocage_lib.ioc_start
+ from iocage_lib.pools import Pool
+ from iocage_lib.dataset import Dataset
+ 
+# deliberately crash if tarfile doesn't have required filter
+tarfile.tar_filter
+ 
+
+ class IOCFetch:
+ 
+     """Fetch a RELEASE for use as a jail base."""
+@@ -817,7 +820,7 @@ class IOCFetch:
+             # removing them first.
+             member = self.__fetch_extract_remove__(f)
+             member = self.__fetch_check_members__(member)
+-            f.extractall(dest, members=member)
+            f.extractall(dest, members=member, filter='tar')
+ 
+     def fetch_update(self, cli=False, uuid=None):
+         """This calls 'freebsd-update' to update the fetched RELEASE."""
--- a/sysutils/iocage-devel/files/patch-iocage__lib_ioc__plugin.py
+++ b/sysutils/iocage-devel/files/patch-iocage__lib_ioc__plugin.py
@ -0,0 +1,22 @@
+--- iocage_lib/ioc_plugin.py.orig	2024-09-20 06:45:27 UTC
+++ iocage_lib/ioc_plugin.py
+@@ -61,7 +61,10 @@ from iocage_lib.dataset import Dataset
+ GIT_LOCK = threading.Lock()
+ RE_PLUGIN_VERSION = re.compile(r'"path":"([/\.\+,\d\w-]*)\.txz"')
+ 
+# deliberately crash if tarfile doesn't have required filter
+tarfile.tar_filter
+ 
+
+ class IOCPlugin(object):
+ 
+     """
+@@ -157,7 +160,7 @@ class IOCPlugin(object):
+                             shutil.copyfileobj(r.raw, f)
+ 
+                     with tarfile.open(packagesite_txz_path) as p_file:
+-                        p_file.extractall(path=tmpdir)
+                        p_file.extractall(path=tmpdir, filter='data')
+ 
+                     packagesite_path = os.path.join(tmpdir, 'packagesite.yaml')
+                     if not os.path.exists(packagesite_path):
--- a/sysutils/iocage-devel/files/patch-setup.py
+++ b/sysutils/iocage-devel/files/patch-setup.py
@ -0,0 +1,15 @@
+--- setup.py.orig	2024-09-20 06:45:27 UTC
+++ setup.py
+@@ -30,10 +30,10 @@ from setuptools import find_packages, setup
+ 
+ if os.path.isdir("/".join([sys.prefix, "etc/init.d"])):
+     _data = [('etc/init.d', ['rc.d/iocage']),
+-             ('man/man8', ['iocage.8.gz'])]
+             ('share/man/man8', ['iocage.8.gz'])]
+ else:
+     _data = [('etc/rc.d', ['rc.d/iocage']),
+-             ('man/man8', ['iocage.8.gz'])]
+             ('share/man/man8', ['iocage.8.gz'])]
+ 
+ if os.path.isdir("/".join([sys.prefix, "share/zsh/site-functions/"])):
+     _data.append(('share/zsh/site-functions', ['zsh-completion/_iocage']))