From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1752380344.adc977d92024b6bf88e808e5e11a5c4cfc0226b1.sam@gentoo>
Subject: [gentoo-commits] proj/portage:master commit in: bin/
X-VCS-Repository: proj/portage
X-VCS-Files: bin/ebuild.sh
X-VCS-Directories: bin/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: adc977d92024b6bf88e808e5e11a5c4cfc0226b1
X-VCS-Branch: master
Date: Sun, 13 Jul 2025 04:19:51 +0000 (UTC)

commit:     adc977d92024b6bf88e808e5e11a5c4cfc0226b1
Author:     Kerin Millar plushkava net>
AuthorDate: Mon Jul 7 12:30:25 2025 +0000
Commit:     Sam James gentoo org>
CommitDate: Sun Jul 13 04:19:04 2025 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=adc977d9

ebuild.sh: rectify a format string injection

Presently, the "ebuild.sh" utility contains a routine that merges the values of the 'SANDBOX_DENY', 'SANDBOX_PREDICT', 'SANDBOX_READ' and 'SANDBOX_WRITE' variables with those of their counterparts that are prefixed with "PORTAGE_". In the course of doing so, it directly injects arbitrary pathnames into the format string given to an invocation of the printf builtin. Refrain from doing so.

Fixes: 078abd42ede4b69f618b67c86a698030fe9d3c3b
Signed-off-by: Kerin Millar plushkava.net>
Signed-off-by: Sam James gentoo.org>

 bin/ebuild.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/ebuild.sh b/bin/ebuild.sh index a7f67a89b0..c81f4436e1 100755 --- a/bin/ebuild.sh +++ b/bin/ebuild.sh 
@@ -582,7 +582,7 @@ then export ${x}="${!y}" elif [[ -n "${!y}" && "${!y}" != "${!x}" ]]; then # Filter out dupes - export ${x}="$(printf "${!y}:${!x}" | tr ":" "\0" | \ + export ${x}="$(printf '%s:%s' "${!y}" "${!x}" | tr ":" "\0" | \ sort -z -u | tr "\0" ":")" fi export ${x}="${!x%:}"
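Review bot: the new `printf '%s:%s' "${!y}" "${!x}"` line carries no comment or test explaining why the format string has to stay constant, so a later cleanup could fold the variables back into the format. Since the commit message says these lists hold arbitrary pathnames, a short comment above the `# Filter out dupes` block stating that the values must only ever be passed as printf arguments, together with a regression test that merges a pathname containing `%` or a backslash, would pin the fix down. The surrounding context lines also show that `sort -z -u` reorders the merged list; if entry order matters for any of the four variables, that deserves a note in the same comment.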
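The effect described in the commit message can be reproduced in isolation. The following is an added example, not code from the commit or from Portage: `merge_unsafe`, `merge_safe` and `format_sensitive` are hypothetical helper names, and every pathname is a constructed sample value.

```shell
#!/bin/sh
# Added illustration; merge_unsafe, merge_safe and format_sensitive are
# hypothetical names, and all pathnames below are constructed sample values.

# Pre-fix pattern: both lists are pasted into the printf format string, so
# any '%' directive or backslash escape inside a pathname is interpreted.
merge_unsafe() {
    merged=$(printf "$1:$2" | tr ':' '\0' | LC_ALL=C sort -z -u | tr '\0' ':')
    printf '%s\n' "${merged%:}"
}

# Post-fix pattern: the format is a constant and the lists are arguments.
merge_safe() {
    merged=$(printf '%s:%s' "$1" "$2" | tr ':' '\0' | LC_ALL=C sort -z -u | tr '\0' ':')
    printf '%s\n' "${merged%:}"
}

# Report whether a list would be altered if it were used as a printf format.
format_sensitive() {
    case $1 in
        *%*|*\\*) return 0 ;;
        *) return 1 ;;
    esac
}

# Merge each constructed list with '/usr' both ways and show the difference.
for list in '/var/tmp/100%done' '/opt/x\ny' '/var/tmp/portage'; do
    if format_sensitive "$list"; then note='format-sensitive'; else note='plain'; fi
    printf '%-18s %-17s unsafe=[%s] safe=[%s]\n' "$list" "$note" \
        "$(merge_unsafe "$list" '/usr')" "$(merge_safe "$list" '/usr')"
done
```

In the first sample the `%d` inside `100%done` is consumed as a conversion with no argument, so the unsafe merge silently rewrites the sandbox path, while the constant-format version returns it unchanged.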