Description
Bug Report Summary
A comprehensive security and code review has identified multiple critical bugs and vulnerabilities across the Arch Linux No Beep project. These issues range from security vulnerabilities to build system failures that could impact users.
Critical Issues (High Priority)
🔴 1. Race Condition in Flask App (app.py:23-33)
Location: app.py:23-33
Severity: Critical
Description: The subprocess handling does not properly manage the process lifecycle. If the build process hangs, the EventSource connection remains open indefinitely, leaking memory.
Impact: Server crashes, memory exhaustion, denial of service
🔴 2. Path Traversal Vulnerability (app.py:37-42)
Location: app.py:37-42
Severity: Critical
Description: The download endpoint doesn't validate the ISO filename, potentially allowing directory traversal attacks.
Impact: Arbitrary file access, data exposure
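The following is an added example (not code from the project or from this report) showing the hardened form of the download-endpoint filename handling described in issue 2, next to the unchecked join it replaces. The output directory `/srv/no-beep/out` and the function names are assumptions for the example; the real route wiring in app.py is not shown here.

```python
import os
import re

# Constructed output directory for this example; the project's real ISO
# directory is not given in the report, so this path is an assumption.
ISO_DIR = "/srv/no-beep/out"

# Allow-list for a requested ISO name: one path component made of ASCII
# letters, digits, dot, dash and underscore; must end in .iso; no leading
# dot, no separators, no NUL byte.
_ISO_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.iso")


class InvalidIsoName(ValueError):
    """Raised when a client-supplied filename is rejected."""


def vulnerable_iso_path(filename: str, base: str = ISO_DIR) -> str:
    """The pattern the report describes: the client-supplied name is joined
    onto the output directory with no validation, so '..' segments or an
    absolute name select a file outside `base`."""
    return os.path.join(base, filename)


def is_valid_iso_name(filename: str) -> bool:
    """First check: the name must match the allow-list exactly."""
    return _ISO_NAME.fullmatch(filename) is not None


def escapes_iso_dir(path: str, base: str = ISO_DIR) -> bool:
    """Second check: after '..' and symlinks are resolved, is `path` outside `base`?"""
    base_real = os.path.realpath(base)
    target = os.path.realpath(path)
    return os.path.commonpath([base_real, target]) != base_real


def safe_iso_path(filename: str, base: str = ISO_DIR) -> str:
    """Return the absolute path for `filename` inside `base`, or raise.

    Both checks are applied independently: the allow-list rejects traversal
    attempts at the name, and the containment check stops anything the regex
    missed (or a symlink placed inside the directory) from leaving `base`.
    """
    if not is_valid_iso_name(filename):
        raise InvalidIsoName(f"rejected filename: {filename!r}")
    target = os.path.realpath(os.path.join(base, filename))
    if escapes_iso_dir(target, base):
        raise InvalidIsoName(f"path escapes ISO directory: {filename!r}")
    return target
```

In a Flask route the same containment check is what `send_from_directory` performs internally; the allow-list on top of it keeps the endpoint from serving anything other than ISO files even if the directory later contains other artifacts.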
🔴 3. Privileged Container Security Risk
Location: dockerfile:31, Dockerfile.gui:31
Severity: Critical
Description: Running the build containers with the --privileged flag poses significant security risks when building ISOs.
Impact: Container escape, host system compromise
Security Issues (High Priority)
🟠 4. Unsafe File Operations (scripts/entrypoint.sh:48-51)
Location: scripts/entrypoint.sh:48-51
Severity: High
Description: Direct file writing without atomic operations could lead to corrupted configuration files.
Impact: Build failures, system instability
🟠 5. Missing Input Validation
Location: Multiple files
Severity: High
Description: Various endpoints lack proper input validation and sanitization.
Impact: Injection attacks, system compromise
Build System Issues (Medium Priority)
🟡 6. Inconsistent Service Configuration (no-beep.service:12-13)
Location: airootfs/etc/systemd/system/no-beep.service:12-13
Severity: Medium
Description: Service tries to write to sysfs paths without existence checks.
Impact: Service failures, incomplete beep disabling
🟡 7. Mirror Selection Failure (select-mirrors.sh:38-42)
Location: scripts/select-mirrors.sh:38-42
Severity: Medium
Description: Build continues with potentially broken package sources if reflector fails.
Impact: Build failures, package installation issues
🟡 8. Incorrect Compression Options (profiledef.sh:18-24)
Location: profiledef.sh:18-24
Severity: Medium
Description: XZ compression uses incorrect block size option syntax.
Impact: Build failures, corrupted ISO images
Resource Management Issues (Medium Priority)
🟡 9. Memory Leak in Build Process (app.py:23-28)
Location: app.py:23-28
Severity: Medium
Description: The subprocess's stdout pipe is not closed if the process is killed unexpectedly.
Impact: Memory leaks, resource exhaustion
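Issues 1 and 9 describe the same region of app.py from two sides: a hung build keeps the EventSource stream open forever, and an unexpectedly killed build leaves its stdout pipe open. The block below is an added example (not the project's code) of the lifecycle handling a defender would want there: output is streamed line by line as an SSE generator would, an idle timeout ends a silent build, and a `finally` clause guarantees the process group is terminated and the pipe closed whether the stream ends normally, times out, or is abandoned because the client disconnected. The `BuildRunner` class, its method names, and the stand-in "build" commands (short Python one-liners) are assumptions for the example.

```python
import os
import queue
import signal
import subprocess
import sys
import threading
from typing import Iterator, List, Optional

PYTHON = sys.executable  # used to spawn a stand-in "build" command in tests


class BuildTimeout(RuntimeError):
    """Raised when the build emits nothing for longer than idle_timeout."""


def _pump(stream, q: "queue.Queue") -> None:
    # Reader thread: forward each output line, then signal EOF with None.
    try:
        for line in iter(stream.readline, ""):
            q.put(line.rstrip("\n"))
    finally:
        q.put(None)


def _kill_tree(proc: subprocess.Popen, grace: float = 5.0) -> None:
    # The child runs in its own session (pgid == pid), so signalling the group
    # also reaches any helper processes the build spawned. SIGTERM first, then
    # SIGKILL if it ignores that for `grace` seconds.
    if proc.poll() is not None:
        return
    try:
        os.killpg(proc.pid, signal.SIGTERM)
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)
    except ProcessLookupError:
        pass


class BuildRunner:
    """Runs one build command and streams its output line by line, the way an
    SSE generator would. The child never outlives the consumer: on EOF, on
    idle timeout, or when the consumer stops iterating (client went away),
    the process group is terminated and the pipe is closed."""

    def __init__(self, cmd: List[str], idle_timeout: float = 600.0) -> None:
        self.cmd = cmd
        self.idle_timeout = idle_timeout
        self.proc: Optional[subprocess.Popen] = None
        self.timed_out = False

    def lines(self) -> Iterator[str]:
        self.proc = subprocess.Popen(
            self.cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            text=True,
            bufsize=1,
            start_new_session=True,
        )
        q: "queue.Queue" = queue.Queue()
        reader = threading.Thread(target=_pump, args=(self.proc.stdout, q), daemon=True)
        reader.start()
        try:
            while True:
                try:
                    line = q.get(timeout=self.idle_timeout)
                except queue.Empty:
                    self.timed_out = True
                    raise BuildTimeout(f"no output for {self.idle_timeout}s") from None
                if line is None:  # reader hit EOF: child closed its stdout
                    break
                yield line
        finally:
            # Runs on normal completion, on BuildTimeout, and when the generator
            # is closed early because the client disconnected.
            _kill_tree(self.proc)
            self.proc.wait()
            reader.join(timeout=5)
            self.proc.stdout.close()

    def drain(self) -> List[str]:
        """Consume the whole stream; a timeout ends the build instead of hanging."""
        out: List[str] = []
        try:
            for line in self.lines():
                out.append(line)
        except BuildTimeout:
            pass
        return out
```

Flask closes the response generator when the client goes away, which is what triggers the `finally` path for a disconnected EventSource; the `-u` flag in the stand-in commands below only exists so the child's prints are not block-buffered behind the pipe.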
🟡 10. Docker Cache Invalidation (build.yml:39-45)
Location: .github/workflows/build.yml:39-45
Severity: Medium
Description: Cache key doesn't include pacman.conf, potentially using outdated configurations.
Impact: Inconsistent builds, cache pollution
Logic Errors (Low Priority)
🟢 11. Incomplete Beep Disabling (entrypoint.sh:42-51)
Location: scripts/entrypoint.sh:42-51
Severity: Low
Description: The script does not verify that the blacklist file it generates is syntactically correct.
Impact: Incomplete beep disabling
🟢 12. Missing Validation (entrypoint.sh:123-136)
Location: scripts/entrypoint.sh:123-136
Severity: Low
Description: The validate function checks that files exist but not that their contents are syntactically valid.
Impact: Silent failures, build issues
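Issues 4, 11 and 12 are three views of one weakness in how entrypoint.sh produces its configuration files: the write is not atomic, the generated blacklist is never syntax-checked, and the validator only tests existence. The block below is an added example (not the project's code; entrypoint.sh is a shell script, and the same pattern there would be mktemp + mv) of doing all three in one place: a minimal modprobe.d syntax checker, an atomic write (temp file in the same directory, fsync, rename), and a generator that refuses to install a blacklist file that fails validation. The function names, the scratch directory helper, and the subset of modprobe.d directives checked are assumptions for the example; the checker covers the common directives, not the full modprobe.d grammar.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Module names as modprobe accepts them in the directives checked below.
_MODULE = re.compile(r"[A-Za-z0-9_-]+")
# Directives recognised, with the minimum number of arguments each needs
# (assumption: a subset of modprobe.d, enough for blacklist/options files).
_DIRECTIVES = {"blacklist": 1, "alias": 2, "options": 1,
               "install": 2, "remove": 2, "softdep": 1}
# Directives whose first argument must be a plain module name.
_MODULE_FIRST = {"blacklist", "options", "install", "remove"}


def validate_modprobe_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means the file parses."""
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive not in _DIRECTIVES:
            problems.append((lineno, f"unknown directive {directive!r}"))
        elif len(args) < _DIRECTIVES[directive]:
            problems.append((lineno, f"{directive} needs at least "
                                     f"{_DIRECTIVES[directive]} argument(s)"))
        elif directive in _MODULE_FIRST and not _MODULE.fullmatch(args[0]):
            problems.append((lineno, f"bad module name {args[0]!r}"))
    return problems


def atomic_write(path: str, text: str, mode: int = 0o644) -> None:
    """Write `text` so that readers see either the old file or the complete
    new one, never a partially written file: temp file in the same directory,
    fsync, then a rename that replaces the target in one step."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)  # mkstemp creates 0600; config files are world-readable
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def write_blacklist(path: str, modules: List[str]) -> str:
    """Generate a modprobe blacklist file, validate it, then install it atomically.
    Returns the text written; raises ValueError instead of writing a broken file."""
    lines = ["# generated: disable the PC speaker"] + [f"blacklist {m}" for m in modules]
    text = "\n".join(lines) + "\n"
    problems = validate_modprobe_conf(text)
    if problems:
        raise ValueError(f"refusing to write {path}: {problems}")
    atomic_write(path, text)
    return text


def scratch_dir() -> str:
    """Fresh temporary directory for trying the functions above."""
    return tempfile.mkdtemp(prefix="nobeep-example-")


def leftover_temp_files(directory: str) -> List[str]:
    """Temp files a failed or interrupted write would leave behind (should be none)."""
    return sorted(n for n in os.listdir(directory) if n.startswith(".tmp-"))
```

Validating the generated text before the rename is what turns issue 12's existence-only check into a content check: a file is installed only after it has parsed, so a malformed line fails the build loudly instead of being discovered when the module is not blacklisted on the booted ISO.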
System Information
- Project: Arch Linux Without the Beeps
- Review Date: 2025-10-22
- Scope: Complete codebase security and functionality review
Recommended Actions
- Immediate: Address critical security vulnerabilities (issues 1-3)
- Short-term: Fix build system and resource management issues (issues 4-10)
- Long-term: Improve validation and error handling (issues 11-12)
Additional Context
N/A
Files Affected:
- app.py
- scripts/entrypoint.sh
- scripts/select-mirrors.sh
- profiledef.sh
- dockerfile
- Dockerfile.gui
- .github/workflows/build.yml
- airootfs/etc/systemd/system/no-beep.service
- templates/index.html