Fix destructive-cleanup failure when no old packages exist #1936
cgwalters merged 1 commit into bootc-dev:main from
When rpm -qa returns no packages, xargs would still invoke rpm -e with no arguments, causing failure with "no packages given for erase" (exit code 123). Add -r flag to xargs to skip execution when input is empty.

Signed-off-by: Xiaofeng Wang <henrywangxf@me.com>
Code Review
This pull request aims to fix a bug in the fedora-bootc-destructive-cleanup script where it would fail if no RPM packages were found. While the addition of the -r flag to xargs addresses this, a critical security vulnerability has been identified: the current use of xargs with output from a potentially untrusted filesystem introduces an argument injection risk. An attacker could manipulate the RPM database to inject flags into rpm -e, potentially leading to unintended package deletions on the host system. It is strongly recommended to use the -- flag to terminate options and -d '\n' for xargs to safely handle input.
| # Remove all RPMs installed in the physical root (i.e. the previous OS) | ||
| mount -o remount,rw /sysroot | ||
| rpm -qa --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | xargs rpm -e --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | ||
| rpm -qa --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | xargs -r rpm -e --root=/sysroot --dbpath=/usr/lib/sysimage/rpm |
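Review bot: the `-r` on the `+` line fixes the empty-list case but also masks a failing `rpm -qa`. If the query itself errors (for instance because the database under `/sysroot/usr/lib/sysimage/rpm` is absent or unreadable after the remount), the pipe carries nothing, `xargs -r` runs nothing, and the line exits 0 because the pipeline's status is that of `xargs`, so the cleanup silently becomes a no-op instead of failing. Consider `set -o pipefail` for this script, or capture the `rpm -qa` output into a variable and check its exit status before handing the list to `rpm -e`.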
This line introduces a critical argument injection vulnerability. Piping output from rpm -qa from a potentially untrusted /sysroot into xargs rpm -e without proper sanitization can allow an attacker to inject malicious flags, potentially causing rpm -e to operate on the host's root filesystem and delete critical packages. Additionally, xargs without -d '\n' can mishandle package names with spaces or special characters. While defining rpm options in a variable could improve readability, addressing the security vulnerability is paramount. The suggested fix includes using -- to terminate options for rpm -e and xargs -d '\n' to safely handle input.
| rpm -qa --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | xargs -r rpm -e --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | |
| rpm -qa --root=/sysroot --dbpath=/usr/lib/sysimage/rpm | xargs -r -d '\n' rpm -e --root=/sysroot --dbpath=/usr/lib/sysimage/rpm -- |
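Review bot: the trailing `--` on the suggested line is correctly placed, since xargs appends the package names after the fixed arguments, so every name from `rpm -qa` reaches `rpm -e` as an operand even if it happens to begin with `-`; `-d '\n'` additionally turns off the default quote and backslash processing in xargs. Both `-d` and `-r` are GNU xargs extensions, which is fine for a Fedora image script but worth a one-line comment next to the pipeline so the dependency is explicit.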
Failure has been fixed by PR #1937
When rpm -qa returns no packages, xargs would still invoke rpm -e with no arguments, causing failure with "no packages given for erase" (exit code 123).
Add -r flag to xargs to skip execution when input is empty.
Resolves #1935
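The empty-input failure and the suggested `-r` / `-d '\n'` / `--` form, reproduced as an added example that is not code from this pull request or the bootc project; the stub `rpm` script, the temporary directory and the package names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bootc PR: reproduces the empty-input failure
# the PR describes and shows what `xargs -r -d '\n' ... --` changes. A stub
# `rpm` stands in for the real tool; its option handling is a simplification,
# not rpm's actual parser.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rpm" <<'EOF'
#!/bin/sh
# Stub rpm: skip options (anything starting with '-') until '--', print each
# package operand, and fail like real rpm when no operands remain.
opts_done=0; n=0
for arg in "$@"; do
    if [ "$opts_done" -eq 0 ]; then
        case "$arg" in
            --) opts_done=1; continue ;;
            -*) continue ;;
        esac
    fi
    n=$((n + 1)); printf '%s\n' "$arg"
done
[ "$n" -gt 0 ] || { echo "error: no packages given for erase" >&2; exit 1; }
EOF
chmod +x "$tmp/rpm"

# Pipeline as it was before the PR: plain xargs, no -r and no --.
old_cleanup() { printf '%s' "$1" | xargs "$tmp/rpm" -e --root=/sysroot; }
# Pipeline with the PR's -r plus the review's -d '\n' and trailing --.
new_cleanup() { printf '%s' "$1" | xargs -r -d '\n' "$tmp/rpm" -e --root=/sysroot --; }

# Constructed stand-in for `rpm -qa` output: NEVRA strings, one per line.
pkgs='bash-5.2.26-3.fc40.x86_64
coreutils-9.4-6.fc40.x86_64
'
# Constructed name starting with '-': only the -- form passes it as an operand.
dashed='-x-1.0-1.noarch
'

old_cleanup '' || echo "old pipeline, empty input: xargs exit $?"   # 123
new_cleanup '' && echo "new pipeline, empty input: nothing run, exit 0"
new_cleanup "$pkgs"
```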