ruby.rpmlintrc: Recover the filter to ignore a false positive missing-call-to-chdir-with-chroot error.

The filter was deleted at the b0ce095f6d . But it is still needed to pass Zuul CI.
2022-03-14 19:47:41 +01:00 · 2022-03-14 19:47:41 +01:00 · df8cc89df4
commit df8cc89df4
parent 9e774fba70
1 changed files with 11 additions and 0 deletions
--- a/ruby.rpmlintrc
+++ b/ruby.rpmlintrc
@ -38,6 +38,17 @@ addFilter(r'^ruby-libs\.\w+: E: shared-library-without-dependency-information /u
 # These are Ruby plugins, where Ruby always load glibc prior the library.
 addFilter(r'^ruby-libs\.\w+: W: library-not-linked-against-libc /usr/lib(64)?/ruby/.*.so$')

+# The function `chroot` without using `chdir` is detected by rpmlint with the
+# following message. However it looks a false positive as the `chroot` in the
+# `dir.c` is just used as a Ruby binding `Dir.chroot` for the function.
+#
+# ruby-libs.x86_64: E: missing-call-to-chdir-with-chroot /usr/lib64/libruby.so.N.N.N
+# This executable appears to call chroot without using chdir to change the
+# current directory. This is likely an error and permits an attacker to break
+# out of the chroot by using fchdir. While that's not always a security issue,
+# this has to be checked.
+addFilter(r'^ruby-libs\.\w+: E: missing-call-to-chdir-with-chroot /usr/lib(64)?/libruby.so.[\d/.]+$')
+
 # Rake ships some examples.
 addFilter(r'^rubygem-rake.noarch: W: devel-file-in-non-devel-package /usr/share/gems/gems/rake-[\d\.]+/doc/example/\w+.c$')