GNU bug report logs - #38422
.png files in /gnu/store with executable permissions (555)

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Bengt Richter <bokr@HIDDEN>; dated Fri, 29 Nov 2019 08:01:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 38422 <at> debbugs.gnu.org:


Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 12:22:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 07:22:51 2019
Received: from localhost ([127.0.0.1]:59669 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iafIR-0007Sl-CV
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 07:22:51 -0500
Received: from imta-37.everyone.net ([216.200.145.37]:51410
 helo=imta-38.everyone.net)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@HIDDEN>) id 1iafIP-0007Sb-Bp
 for 38422 <at> debbugs.gnu.org; Fri, 29 Nov 2019 07:22:50 -0500
Received: from pps.filterd (m0004962.ppops.net [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xATCB3vh023623;
 Fri, 29 Nov 2019 04:22:47 -0800
X-Eon-Originating-Account: 2FqbA40Ms6ZfKL-so9lBOWqkkLvyuXpURdt_i14vcyw
X-Eon-Dm: m0116787.ppops.net
Received: by m0116787.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116787.5dc217be.5c4a4e; Fri, 29 Nov 2019 04:22:46 -0800
X-Eon-Sig: AQMHrIJd4Q2W8c/n7gIAAAAC,6c1063df24dad3d9a0ffc771ecc55af6
X-Eip: f5BFQQHdr76i77yBP2OAMBoJR8WPf_ALW2ZBo-3DFBc
Date: Fri, 29 Nov 2019 04:22:36 -0800
From: Bengt Richter <bokr@HIDDEN>
To: Ricardo Wurmus <rekado@HIDDEN>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
Message-ID: <20191129122236.GA67682@HIDDEN>
References: <20191129075938.GA55971@HIDDEN>
 <87r21r9fn1.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87r21r9fn1.fsf@HIDDEN>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-29_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911290108
X-Spam-Score: -0.4 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@HIDDEN>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

Hi Ricardo,

On +2019-11-29 10:49:06 +0100, Ricardo Wurmus wrote:
> 
> Bengt Richter <bokr@HIDDEN> writes:
> 
> > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
> > --8<---------------cut here---------------start------------->8---
> >       1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
> >       1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
> >      97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
> >       1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
> >   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
> >       1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
> >      62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
> >       1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
> >       1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
> >       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
> >
> > --8<---------------cut here---------------end--------------->8---
> 
> Maybe I’m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having them
> executable is expected.
> 
> Did I misunderstand?
>

No, you just didn't see it ;-)
┌───────────────────────────────────────────────────────────────────────────────────────────────┐
│ Sorry I didn't highlight well enough that I had trimmed off the full paths that ended in .png │
│ in what you snipped out above the above (see box below):                                      │
└───────────────────────────────────────────────────────────────────────────────────────────────┘

--8<----(the part you snipped out)-----------cut here---------------start------------->8---
Hi Guix,

I was wanting to check on some executable files in the store,
and happened to see some executable .png files ;-/

I suspect they came in when I was playing with icecat
and let it load  a "theme", but I am not sure some didn't
also happen trying to get firefox radio buttons to work ;-/

Anyway, does anyone else get 555 permissions on files like these?
┌───────────────────────────────────────────────────────────────────────────────────────────┐
│ These are all *.png files with 555 permissons, but I trimmed back to see common prefixes. │
│ Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.         │
└───────────────────────────────────────────────────────────────────────────────────────────┘

Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid?
What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right?

The icecat discussion got moved to mozilla, but in case someone else did whatever I did,
I thought I'd post a heads-up here.
I'll try to cc Mark :)
--8<----(the part you snipped out)-----------cut here---------------end--------------->8---


Note the cut -d '-' etc from above
--8<---------------cut here---------------start------------->8---
> > $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
--8<---------------cut here---------------end--------------->8---

I thought the 34143 moka-icon-theme items looked especially iffy, being so many:
--8<---------------cut here---------------start------------->8---
> >   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
--8<---------------cut here---------------end--------------->8---

So let's not cut that tail and just grab some of those moka-icon-theme items full length:
$ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|grep moka-icon-theme|head
--8<---------------cut here---------------start------------->8---
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-synchronizing.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-synced-callbacks-active.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-insync-syncing.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-dropbox-uptodate.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-readonly.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-important.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-danger.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-web.png'
555 -r-xr-xr-x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0/share/icons/Moka/64x64@2x/emblems/emblem-symbolic-link.png'
--8<---------------cut here---------------end--------------->8---

Some executables ending in png are legit, like conversion programs from something to .png format.

> -- 
> Ricardo
> 

PS. Thinking about it, I'm pretty sure I used normal guix install ... yes:

--8<----(555s were in source tarball)-----------cut here---------------start------------->8---
$ guix package -I|grep -i moka
moka-icon-theme 5.4.0   out     /gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme-5.4.0
$ mkdir ~/my-roots
$ guix build -r ~/my-roots/moka -S moka-icon-theme
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
67.4 MB will be downloaded:
   /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
substituting /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz...
downloading from https://ci.guix.gnu.org/nar/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz...
 moka-icon-theme-5.4.0.tar.gz  64.3MiB                                                                                1.5MiB/s 00:44 [##################] 100.0%

/gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
$ lsc ~/my-roots/*
                 72 2019-11-29 03:53:27 [@] /home/bokr/my-roots/moka -> /gnu/store/vd3l2qbmdw0i9v9knqjm3q42sfwli2nl-moka-icon-theme-5.4.0.tar.gz
$ tar -tzvf ~/my-roots/moka|egrep -m5 'png$'
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/exit.png -> system-log-out.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-lockscreen.png -> system-lock-screen.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-logout.png -> system-log-out.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-run.png -> system-run.png
lrwxrwxrwx root/root         0 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/gnome-session-reboot.png -> system-restart.png

Oops, those were links, let's try again:

$ tar -tzvf ~/my-roots/moka|egrep -m5 '^[^l].*png$'
-rwxrwxr-x root/root       633 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-lock-screen.png
-rwxrwxr-x root/root       537 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-log-out.png
-rwxrwxr-x root/root       554 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-restart.png
-rwxrwxr-x root/root       549 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-run.png
-rwxrwxr-x root/root       544 2018-06-16 09:06 moka-icon-theme-5.4.0/Moka/16x16/actions/system-shutdown.png
--8<----(555s were in source tarball)-----------cut here---------------end--------------->8---

-- 
Regards,
Bengt Richter




Information forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.

Message received at 38422 <at> debbugs.gnu.org:


Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 12:21:43 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 07:21:43 2019
Received: from localhost ([127.0.0.1]:59665 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iafHL-0007Qw-0n
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 07:21:43 -0500
Received: from world.peace.net ([64.112.178.59]:53160)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@HIDDEN>) id 1iafHI-0007Qp-L1
 for 38422 <at> debbugs.gnu.org; Fri, 29 Nov 2019 07:21:41 -0500
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89)
 (envelope-from <mhw@HIDDEN>)
 id 1iafHH-0004CZ-NW; Fri, 29 Nov 2019 07:21:39 -0500
From: Mark H Weaver <mhw@HIDDEN>
To: Bengt Richter <bokr@HIDDEN>
Subject: Re: .png files in /gnu/store with executable permissions (555)
In-Reply-To: <20191129075938.GA55971@HIDDEN>
References: <20191129075938.GA55971@HIDDEN>
Date: Fri, 29 Nov 2019 07:20:41 -0500
Message-ID: <878sny6fgr.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Bengt,

Bengt Richter <bokr@HIDDEN> wrote:
> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
> 
> I suspect they came in when I was playing with icecat
> and let it load  a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not.  Unless you ran icecat as root, it would not have
sufficient permissions to modify /gnu/store.  Installing a theme or
addon in IceCat, or changing its configuration, modifies files in your
~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
> Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on
my system.  Some of the *.png files are incorrectly given executable
permissions within the upstream source tarball itself.  I guess it's
probably the same issue with moka-icon-theme and faba-icon-theme, since
I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are
actually programs whose name ends with "png", so they *should* be
executable.  The files in /gnu/store/.links that end with "png" are just
random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case.  I don't see anything here
to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers of
docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to fix
the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

     Thanks,
       Mark




Information forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.

Message received at 38422 <at> debbugs.gnu.org:


Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 11:28:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 06:28:34 2019
Received: from localhost ([127.0.0.1]:59432 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iaeRu-0005pN-Ic
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 06:28:34 -0500
Received: from tobias.gr ([80.241.217.52]:53814)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@HIDDEN>) id 1iaeRq-0005pC-UF
 for 38422 <at> debbugs.gnu.org; Fri, 29 Nov 2019 06:28:33 -0500
Received: by tobias.gr (OpenSMTPD) with ESMTP id 3addb680;
 Fri, 29 Nov 2019 11:28:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:to
 :subject:references:in-reply-to:date:message-id:mime-version
 :content-type; s=2018; i=me@HIDDEN; bh=eiIe0HUeFM6ugvSSvTmEMC
 eXW31/SwigZIR/6XLIHRo=; b=Z88yWK/oN42kLHeoU+ZtoJLhT4PJoVOi4lh5J9
 fINkt7G+eM/aI4PbOgacXyorR+bCO8Oss7ioErU78DVK8Fj+so9QCQpv6wXwfsj6
 1iW0O801QHP0eBQZVVitDHBcB2TIkwijeswKdqg7deoN7Oar83A1PxVk9YcrH5AF
 4edzn+4stsAG6LR8uD+bXXWzy6Kwpd7NgW8MnpzU8IpzI/fyx1rA4/uK2OplYcCs
 Fr0t3QMEFlMeMwMJtrihKah2CVIu4CvoZB10zqd1eQv+XaCWA43M7EC3cJJJyrAY
 o7JWdALQQcgPryLRTrvuFipRT+6YGTVXEloExpBWQAB9qJ7w==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id fd0a6cc7
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Fri, 29 Nov 2019 11:28:27 +0000 (UTC)
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: Bengt Richter <bokr@HIDDEN>, 38422 <at> debbugs.gnu.org
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
References: <20191129075938.GA55971@HIDDEN>
 <87r21r9fn1.fsf@HIDDEN>
In-reply-to: <87r21r9fn1.fsf@HIDDEN>
Date: Fri, 29 Nov 2019 12:28:26 +0100
Message-ID: <87r21q9b1h.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 38422
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Bengt, Ricardo,

I see similar results here with =E2=80=98guix install moka-icon-theme=E2=80=
=99,=20
and I'm sure the rest of my (and everyone's) store is full of=20
misperm'd files too.  It's kind of generally known.

This seems to be particularly common in Meson packages: for some=20
reason, Meson installs everything as executable by default.

Bengt Richter =E5=86=99=E9=81=93=EF=BC=9A
> Is this zero-day stuff with a nasty somewhere, waiting for=20
> referencing
> by another nasty, or am I being paranoid?

What's the threat model there?  Respectfully, I think you might=20
be, but maybe I'm naive=E2=80=A6

Otherwise I consider this a merely cosmetic issue, but we still=20
welcome fixes for those!

Checking whether Meson behaves differently on other distributions=20
would be a good start.

Ricardo Wurmus =E5=86=99=E9=81=93=EF=BC=9A
> Bengt Richter <bokr@HIDDEN> writes:
>
>> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a=20
>> %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
>> --8<---------------cut=20
>> here---------------start------------->8---
>>       1 x=20
>>       '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7=
srpng'
>>       1 x=20
>>       '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89a=
plpng'
>>      97 x=20
>>      '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
>>       1 x=20
>>       '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/=
bin/dvipng'
>>   34143 x=20
>>   '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>>       1 x=20
>>       '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/=
dvipng'
>>      62 x=20
>>      '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml=
/xsl/docbook
>>       1 x=20
>>       '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/=
bin/dvipng'
>>       1 x=20
>>       '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/b=
in/dvipng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdpartto=
png'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
>>       1 x=20
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
>>
>> --8<---------------cut=20
>> here---------------end--------------->8---
>
> Maybe I=E2=80=99m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having=20
> them
> executable is expected.

Bengt's clever pipeline tallies the number of executable *png=20
files in each top-level store directory.  It does not include=20
directories.

It's true that the '*png' above should be replaced with '*.png',=20
but these /bin files are just the very noisy outliers.

The meat is in:

> 34143 x=20
> '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme

i.e. 34143 executable '*png' files in that directory alone.

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl3hANoACgkQ2Imw8BjF
STyoQw/8DY28FMGC7nexg4kH6CfHc7IQS3YoWG6EosQfagSQdKF0dZlWtQhuDLLH
l3e3yhXI03Aumu+mI/TkZcpNmUAWmkeuWUqlqb3ZRjQvbLUJaztRj23bb/ahVzQi
WGfHM9GejPLMDg70947V/SQPYcRo4MYf9lL5n2rEL2DvagSaTU6JfeOXbw3Xkchz
+AhyLvAPqt+8G8YIGSs7cyqYx/id+Gwal6rqs6zae0jD7dw/rIAOjqiDiCUPvGGD
U0saWXxkNi3YRpLsUExBj+RkCs8ZqATHq4/nB0a2aWbx4P3VjDlnZB+gAwLw4EB9
CidFl9QfiF6JzYtrYDuW7vN2mks/2hJjMNwrHXubeA8P4oMybOL20R43sGnBBy6J
WKi/S7toUAy2B4FV91d2GD2aqk62rScyMYN6tVFHmZaGA1s2hWAtrMns1xGz2ERq
XWsZd6DookQ9ezZlpw2M+WWLzKA4D8whZWE2WNIfVCEQw752liWScawQMJyJ3ahk
ZzOeNZs001esxdyoorYrZLRVHvAJ9SQrLXEnKNf7vQOR/WztKRM3UQlyyuQr4pFQ
agSRmHGwBKfKJ7+UzvOdRPXdkCzwI9TpS7sG6mtWgO2wF6AfUMfJhMnHmLw532U7
tQG9DltBQNx/CDt9zgp4JI9skaSTVlJs+S+hBiWVAebE6AqMvyw=
=aFZ0
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.

Message received at 38422 <at> debbugs.gnu.org:


Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 11:00:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 06:00:06 2019
Received: from localhost ([127.0.0.1]:59403 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iae0M-000573-E5
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 06:00:06 -0500
Received: from mail-qt1-f174.google.com ([209.85.160.174]:45809)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@HIDDEN>) id 1iae0J-000560-JO
 for 38422 <at> debbugs.gnu.org; Fri, 29 Nov 2019 06:00:05 -0500
Received: by mail-qt1-f174.google.com with SMTP id p5so1282871qtq.12
 for <38422 <at> debbugs.gnu.org>; Fri, 29 Nov 2019 03:00:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=a0SRLHYEcmn0i9x4xx7bEV67I9fvfMKaoGKyW0+IUFs=;
 b=kMoUYVM8cXcDQWuDt4tpzHJ227S0Z/vtSBZ0C2x1eMy0veVst2qlj2bS72fe/RIwdW
 7RFg4ua7v7c6ZccvBLWpcnGYEsJ2JFs0rdGU3/8usw4FloYaiOOKZNbIld2YBVa/G1Tu
 FV+TnQKDKBMQ4BzgFqfQpqTPpUS2mMpL0XBERc0czJ6NMsw19GQ+agIrF9umjSfHlIsS
 7G77eMuXwdkGB0txLLsRn20+1wp0DrJG6dxV8FV6wtwuJQvrVvar6yXTPhFYl99OXCq3
 Jep+8HIPXsbyrXK/0y5zUulfkcLU9PfKdA3BMeEKj6kP7yoSzhledWlvTdbljjZ90Q2D
 tQMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=a0SRLHYEcmn0i9x4xx7bEV67I9fvfMKaoGKyW0+IUFs=;
 b=jKG3GRp+1EHIkDhf+COdC6CH+8UnK6EE3gcOQWRjJPraLFQCplyVbfsGUjxoHNdjWN
 LC1tmkSXz/J7y4HQ5jfu7F1D6OIgNwvOLwn1v+eqdVt6Ezv5Z+9joOWcs1CXbiHf/Ui/
 eleJj2EmK557wY2lDZQZ5++RDd8bklVzKz43a0QEs2i+lt6EbvCZ4Hv5EbuRGNMRYCZw
 AWL5QNRrUAe9zKWbibMfNpZM1LMxgLcbuvmg/HMscEP/rUZVNs0oyx2/+eNT118GD9h7
 6HvFXhZ34zggvlB2vzFIMo6TYRKK+ZDXvH42E2bgWQAA0SlW8JBsNhHL/e3HiR5wuFdt
 Pokg==
X-Gm-Message-State: APjAAAWqgb+CycPSZ1kJQHyLimA079PUUV7Gq9CtRdl54n+9hlhI7wKS
 eTyPqpmIJ8jKsnTWY4+7t0gBFwCkqxILqTtqbbeN1HTI
X-Google-Smtp-Source: APXvYqyEQYCdA7+VnnboaF1NcfqzjdJXM9KxK4abHnLKNJ458kBWxykh+vOvMAktsEfA9bEpzKcolt9NtkyfXdsKwRU=
X-Received: by 2002:ac8:7957:: with SMTP id r23mr49126150qtt.211.1575025198009; 
 Fri, 29 Nov 2019 02:59:58 -0800 (PST)
MIME-Version: 1.0
References: <20191129075938.GA55971@HIDDEN>
 <87r21r9fn1.fsf@HIDDEN>
In-Reply-To: <87r21r9fn1.fsf@HIDDEN>
From: zimoun <zimon.toutoune@HIDDEN>
Date: Fri, 29 Nov 2019 11:59:46 +0100
Message-ID: <CAJ3okZ21-vxmBFrHp=26Cz7VMa+Z-e=i5o1wB8oGsE+96-M3pg@HIDDEN>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
To: Ricardo Wurmus <rekado@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422 <at> debbugs.gnu.org, Bengt Richter <bokr@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi,

On Fri, 29 Nov 2019 at 11:43, Ricardo Wurmus <rekado@HIDDEN> wrote:

> Maybe I=E2=80=99m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having them
> executable is expected.

I am not sure to understand the issue but for example:

   find /gnu/store/ -type f -perm /111 -iname '*.png' -print

returns this file:

/gnu/store/xj7kn8vw1nkcg7qpl3491b831p88i9wn-python-coverage-4.5.3/lib/pytho=
n3.7/site-packages/coverage/htmlfiles/keybd_open.png


Hope that helps,
simon




Information forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.

Message received at 38422 <at> debbugs.gnu.org:


Received: (at 38422) by debbugs.gnu.org; 29 Nov 2019 09:49:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 04:49:15 2019
Received: from localhost ([127.0.0.1]:59366 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iactm-0003SB-V4
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 04:49:15 -0500
Received: from sender4-of-o54.zoho.com ([136.143.188.54]:21416)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@HIDDEN>) id 1iactl-0003S3-3Y
 for 38422 <at> debbugs.gnu.org; Fri, 29 Nov 2019 04:49:14 -0500
ARC-Seal: i=1; a=rsa-sha256; t=1575020950; cv=none; 
 d=zohomail.com; s=zohoarc; 
 b=JpsYR/Au0lMjGLOfRTD1pU9uocZSYh37iof5XAYdxrDTtEsRJNyCORKGkGkbPnYLkR7MUxrz+v6OQd9ViXJyE94ImuBXCWsaF+obgwpOi5gNHK6HHgVe1ZXzh/nGamYKIaXSxmMafA3rKk7rFsVg4DcA02YMi8ezFx+OKXuaeGg=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc; t=1575020950;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To;
 bh=W1sWKFTtBKAxVKtnIAd7P0xC7dpeO/dFGVW7uBkHlY4=; 
 b=WU4ajehkes8x4KpKJCnVth+DqZ9BnilBKQRAbOpMTx2R3jvRdzQ/HSxUmbi2+RK889WqTY4QBRmD49M90mPE5+IFZKXLeuD5E7XpZdq9aMKdJUk1esugSNbrYUfKxzHqYuFJFy30sH0SnN/SJ912HShsox7qpimLoMhICDHRvCw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
 dkim=pass  header.i=elephly.net;
 spf=pass  smtp.mailfrom=rekado@HIDDEN;
 dmarc=pass header.from=<rekado@HIDDEN> header.from=<rekado@HIDDEN>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1575020950; 
 s=zoho; d=elephly.net; i=rekado@HIDDEN;
 h=References:From:To:Cc:Subject:In-reply-to:Date:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding;
 bh=W1sWKFTtBKAxVKtnIAd7P0xC7dpeO/dFGVW7uBkHlY4=;
 b=cb7176EvKGeDxR9pNLltQHa+DOwlXOXcb1o4IdbWA2l/V2yBDU6zN9RJF0Wpvgu8
 9m/zOTQt5BFqXeXJzDoPw7xlBCn9tYk4BcngwgRpnMB55HTW26sB52sliH0VW9qhxPR
 /6bOtxFWJybbxWJTqb4xhQarq7iUGlHO0ZEQSlO4=
Received: from localhost (p54AD4E2A.dip0.t-ipconnect.de [84.173.78.42]) by
 mx.zohomail.com with SMTPS id 1575020950042370.6568247833118;
 Fri, 29 Nov 2019 01:49:10 -0800 (PST)
References: <20191129075938.GA55971@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.3
From: Ricardo Wurmus <rekado@HIDDEN>
To: Bengt Richter <bokr@HIDDEN>
Subject: Re: bug#38422: .png files in /gnu/store with executable permissions
 (555)
In-reply-to: <20191129075938.GA55971@HIDDEN>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Fri, 29 Nov 2019 10:49:06 +0100
Message-ID: <87r21r9fn1.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 38422
Cc: 38422 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


Bengt Richter <bokr@HIDDEN> writes:

> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut=
 -d '-' -f5,6,7,8|less|uniq -c|less
> --8<---------------cut here---------------start------------->8---
>       1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6=
fl7srpng'
>       1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n=
89aplpng'
>      97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2to=
png'
>       1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-201804=
14/bin/dvipng'
>   34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>       1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/b=
in/dvipng'
>      62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1=
/xml/xsl/docbook
>       1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-201804=
14/bin/dvipng'
>       1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-4943=
5/bin/dvipng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2to=
png'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdpar=
ttopng'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtop=
ng'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpn=
g'
>       1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2to=
png'
>
> --8<---------------cut here---------------end--------------->8---

Maybe I=E2=80=99m missing something, but none of the above are PNGs.
Most of them are executables, others are directories, so having them
executable is expected.

Did I misunderstand?

--=20
Ricardo





Information forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 29 Nov 2019 08:00:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Nov 29 03:00:04 2019
Received: from localhost ([127.0.0.1]:59331 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iabC7-0000y8-U0
	for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 03:00:04 -0500
Received: from lists.gnu.org ([209.51.188.17]:43732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <bokr@HIDDEN>) id 1iabC5-0000xF-Tx
 for submit <at> debbugs.gnu.org; Fri, 29 Nov 2019 03:00:03 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:43745)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <bokr@HIDDEN>) id 1iabC2-0002SA-IC
 for bug-guix@HIDDEN; Fri, 29 Nov 2019 03:00:00 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_LOW
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <bokr@HIDDEN>) id 1iabBw-000272-4l
 for bug-guix@HIDDEN; Fri, 29 Nov 2019 02:59:55 -0500
Received: from imta-38.everyone.net ([216.200.145.38]:58118)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <bokr@HIDDEN>) id 1iabBv-0001qt-Ry
 for bug-guix@HIDDEN; Fri, 29 Nov 2019 02:59:52 -0500
Received: from pps.filterd (omta003.sj2.proofpoint.com [127.0.0.1])
 by imta-38.everyone.net (8.16.0.27/8.16.0.27) with SMTP id xAT7xHaf019699;
 Thu, 28 Nov 2019 23:59:47 -0800
X-Eon-Originating-Account: YAOVHFHREiSPe400ra6mogcACNu_LYSS-9rDrkL0a50
X-Eon-Dm: m0116293.ppops.net
Received: by m0116293.mta.everyone.net (EON-AUTHRELAY2 - 32d0d199)
 id m0116293.5dc217be.4c030e; Thu, 28 Nov 2019 23:59:46 -0800
X-Eon-Sig: AQMHrIJd4M/yF88RbgIAAAAC,ded51b802eb16bcfd03c18ae8269d7c5
X-Eip: SDCQkL3IZJ1eHnDaWiHLGNIyyrnKOYJzbGqUZTNa_JQ
Date: Thu, 28 Nov 2019 23:59:38 -0800
From: Bengt Richter <bokr@HIDDEN>
To: New-Bug <bug-guix@HIDDEN>
Subject: .png files in /gnu/store with executable permissions (555)
Message-ID: <20191129075938.GA55971@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
 definitions=2019-11-29_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0
 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1034
 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001
 definitions=main-1911290069
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy]
X-Received-From: 216.200.145.38
X-Spam-Score: -1.1 (-)
X-Debbugs-Envelope-To: submit
Cc: Mark H Weaver <mhw@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: Bengt Richter <bokr@HIDDEN>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.1 (--)

Hi Guix,

I was wanting to check on some executable files in the store,
and happened to see some executable .png files ;-/

I suspect they came in when I was playing with icecat
and let it load  a "theme", but I am not sure some didn't
also happen trying to get firefox radio buttons to work ;-/

Anyway, does anyone else get 555 permissions on files like these?
These are all *.png files with 555 permissons, but I trimmed back to see common prefixes.
Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

Is this zero-day stuff with a nasty somewhere, waiting for referencing by another nasty, or am I being paranoid?
What is the safe way to detoxify this mess? I know I shouldn't directly chmod anything in store, right?

The icecat discussion got moved to mozilla, but in case someone else did whatever I did,
I thought I'd post a heads-up here.
I'll try to cc Mark :)

$ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
--8<---------------cut here---------------start------------->8---
      1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
      1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
     97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
  34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
      1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
     62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
      1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
      1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
      1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'

--8<---------------cut here---------------end--------------->8---

-- 
Regards,
Bengt Richter




Acknowledgement sent to Bengt Richter <bokr@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#38422; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Fri, 29 Nov 2019 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.