Community Packages


FS#62193 - [uucp] several executables are not stripped

Attached to Project: Community Packages
Opened by Klaus Alexander Seistrup (kseistrup) - Saturday, 30 March 2019, 10:58 GMT
Last edited by Sergej Pupykin (sergej) - Friday, 17 May 2019, 15:34 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Sergej Pupykin (sergej)
Architecture: x86_64
Severity: Very Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

The following executables are not stripped:

- /usr/bin/cu
- /usr/bin/uucico
- /usr/bin/uucp
- /usr/bin/uuname
- /usr/bin/uustat
- /usr/bin/uux
- /usr/bin/uuxqt

Steps to reproduce:

$ file $(pacman --query --list uucp | awk '$2 ~ "/usr/bin/.+" {print $2}') | grep 'not stripped'

Closed by Sergej Pupykin (sergej) - Friday, 17 May 2019, 15:34 GMT
Reason for closing: Fixed

Comment by loqs (loqs) - Saturday, 30 March 2019, 13:15 GMT
strip requires write access to the binary it is to strip. makepkg does not appear to produce any output when strip fails.
From the upstream Makefile:

    for f in uucico uuxqt; do \
      chown $(OWNER) $(DESTDIR)$(sbindir)/$${f}; \
      chmod 4555 $(DESTDIR)$(sbindir)/$${f}; \
    done
    for f in uux uucp uustat uuname cu; do \
      chown $(OWNER) $(DESTDIR)$(bindir)/$${f}; \
      chmod 4555 $(DESTDIR)$(bindir)/$${f}; \
    done

Additionally the chown calls have no effect as the uucp user is no longer used.
Edit:
Which means the binaries execute as setuid root not setuid uucp.
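
The condition described in the comment above (binaries installed with mode 4555 and ending up owned by root) can be checked against any package's file list. This is an added example, not part of the original thread; the function name `audit_setid` and its output format are made up for the example.

```shell
#!/bin/sh
# audit_setid: read file paths on stdin and print one line for every
# setuid/setgid regular file:
#   <path> owner=<user> mode=<suid|sgid|suid+sgid> strip=<ok|blocked>
# strip=blocked means the owner-write bit is missing (as with mode 4555),
# the case in which, per loqs's comment in this thread, strip cannot
# rewrite the file.
audit_setid() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue          # skip directories and missing paths
        kind=""
        if [ -u "$f" ]; then kind="suid"; fi
        if [ -g "$f" ]; then kind="${kind:+$kind+}sgid"; fi
        [ -n "$kind" ] || continue       # not set-id: nothing to report
        owner=$(ls -ld -- "$f" | awk '{print $3}')
        # -perm -200 matches only when the owner-write bit is set
        if [ -n "$(find "$f" -prune -perm -200)" ]; then
            state=ok
        else
            state=blocked
        fi
        printf '%s owner=%s mode=%s strip=%s\n' "$f" "$owner" "$kind" "$state"
    done
    return 0
}

# Usage on an Arch system (package name taken from this report):
#   pacman --query --list --quiet uucp | audit_setid
# Lines with owner=root and mode=suid are binaries that run as root.
```
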
Comment by Klaus Alexander Seistrup (kseistrup) - Monday, 01 April 2019, 08:54 GMT
Well spotted!

Shouldn't the risk of running several of the executables as setuid root justify raising the severity level to a level higher than the current “very low”?
