[pve-devel] [PATCH v4 pve-container 4/5] fix #6897: constrain and untaint path when detecting systemd version
Robert Obkircher
r.obkircher at proxmox.com
Thu Nov 13 16:03:03 CET 2025
Ensure that the concatenated path stays within the container and
untaint it to make it callable from other hooks that run in taint mode
and would otherwise get an "Insecure dependency in exec" error.
Signed-off-by: Robert Obkircher <r.obkircher at proxmox.com>
---
src/PVE/LXC/Setup/Base.pm | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 12e3097..bd595ab 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -604,9 +604,16 @@ sub clear_machine_id {
sub get_systemd_version {
my ($self, $init) = @_;
+ my $binary = abs_path($self->{rootdir} . $init);
+ if ($binary =~ /(^\Q$self->{rootdir}\E.*)/) {
+ $binary = $1; # untainted
+ } else {
+ die "Could not construct path to systemd binary: $self->{rootdir}, $init";
+ }
+
my $version = undef;
PVE::Tools::run_command(
- ['objdump', '-p', $self->{rootdir} . $init],
+ ['objdump', '-p', $binary],
outfunc => sub {
my $line = shift;
if ($line =~ /libsystemd-shared-(\d+)(?:[-_.][a-zA-Z0-9]+)*\.so:?$/) {
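Review bot: the containment check in `if ($binary =~ /(^\Q$self->{rootdir}\E.*)/)` only tests that the resolved path starts with the rootdir string and does not enforce a path-component boundary, so a path that resolves to a sibling directory whose name merely begins with the rootdir (for example `<rootdir>2/...`) would pass as being inside the container. Anchoring the match at a separator, e.g. `m{^(\Q$self->{rootdir}\E(?:/.*)?)$}` (assuming `rootdir` is stored without a trailing slash), closes that gap while still untainting via `$1`. Two smaller points in the same hunk: `abs_path` can return undef (for instance when a component of the path does not exist), in which case the match runs on an undefined value and the "Could not construct path" die hides the actual cause; a `defined $binary` check with its own message would make the failure clearer. And since the hunk introduces `abs_path` without showing its import, please confirm `Cwd qw(abs_path)` is already imported in Base.pm.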
--
2.47.3