snap: Fix "stack smashing" error in wrapper

certbot.wrapper had implicit dependencies on sed, awk and coreutils,
which were being accidentally provided through the host system. Because
certbot.wrapper modifies LD_LIBRARY_PATH, this was causing some systems
to load an incompatible combination of shared libraries, resulting in sed
crashing.

This commit reduces the dependencies of this script to just gawk, and
explicitly stages it as part of the Certbot snap.

It additionally moves invocations of all host system programs to a
moment prior to the modification of LD_LIBRARY_PATH, and the invocation
of snapped programs to after the modification.

Fixes #8245
Alex Zorin 2020-09-01 13:43:09 +10:00
parent d62d853ea4
commit 9b3b161d82
3 changed files with 8 additions and 1 deletion
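The ordering discipline the commit message describes (host tools run and their output captured before LD_LIBRARY_PATH is changed, only snap-staged tools afterwards), as an added shell example. This is not certbot's wrapper code: the function names, the `python3.8` path assumption and the sample `snap connections` output are constructed here, and where the real wrapper would run the staged gawk this example uses whatever awk is on the test machine.

```shell
#!/bin/sh
# Added example, not part of certbot.wrapper. Names, the python3.8 path and the
# SAMPLE_CONNECTIONS text below are constructed for illustration.

# Prepend the snap's library directory to LD_LIBRARY_PATH. When the inherited
# value is empty, emit no trailing ':' (an empty entry makes the glibc loader
# search the current working directory).
build_ld_library_path() {
    snap_lib=$1
    inherited=${2:-}
    if [ -n "$inherited" ]; then
        printf '%s:%s\n' "$snap_lib" "$inherited"
    else
        printf '%s\n' "$snap_lib"
    fi
}

# Step 1 (before touching LD_LIBRARY_PATH): parse output already captured from
# the host's `snap connections certbot`. It prints a header row, then
# "Interface Plug Slot Notes" rows; plugin snaps appear as "content[certbot-1]"
# rows whose Slot column is "<snap>:<slot>". Parsing captured text keeps this
# runnable offline.
plugin_snaps_from_connections() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "content[certbot-1]" {
        split($3, slot, ":"); print slot[1]
    }'
}

# Step 2: turn the newline-separated snap list into a ':'-joined
# CERTBOT_PLUGIN_PATH-style value with no trailing separator.
plugin_path_from_snaps() {
    printf '%s\n' "$1" | awk -v py="$2" 'NF {
        printf "%s/snap/%s/current/lib/%s/site-packages", sep, $1, py; sep = ":"
    } END { print "" }'
}

# Step 3 (after the export): anything executed from here on must live under
# $SNAP. Returns 0 if the program resolves to a path inside the snap, 1 if not.
is_snap_program() {
    resolved=$(command -v "$1") || return 1
    case $resolved in
        "${SNAP:?SNAP is not set}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `snap connections certbot` output (two plugin snaps).
SAMPLE_CONNECTIONS='Interface           Plug             Slot                                  Notes
content[certbot-1]  certbot:plugin   certbot-dns-cloudflare:certbot-1      -
content[certbot-1]  certbot:plugin   certbot-dns-route53:certbot-1         -
network             certbot:network  :network                              -'

# The three steps in order, run in a subshell so the exports do not leak.
# A real wrapper would capture "$(snap connections certbot)" at the top,
# call the staged "$SNAP/usr/bin/gawk" below the export, and exec certbot.
wrapper_sequence() (
    snap_lib=$1
    snaps=$(plugin_snaps_from_connections "$SAMPLE_CONNECTIONS")  # host output, captured first
    LD_LIBRARY_PATH=$(build_ld_library_path "$snap_lib" "${LD_LIBRARY_PATH:-}")
    export LD_LIBRARY_PATH
    # From here on, only snap-provided programs may be executed.
    CERTBOT_PLUGIN_PATH=$(plugin_path_from_snaps "$snaps" python3.8)
    export CERTBOT_PLUGIN_PATH
    printf '%s\n' "$CERTBOT_PLUGIN_PATH"
)
```

`is_snap_program gawk` is the check a wrapper can run right after the export to fail loudly if PATH would still hand it the host's copy.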


@ -27,10 +27,14 @@ case "${SNAP_ARCH}" in
exit 1
esac
snap_connections=$(snap connections certbot)
PARTIAL_LIBRARY_PATH="${SNAP}/usr/lib/${ARCH_TRIPLET}/"
export LD_LIBRARY_PATH="${PARTIAL_LIBRARY_PATH}:${LD_LIBRARY_PATH}"
export CERTBOT_AUGEAS_PATH="${PARTIAL_LIBRARY_PATH}libaugeas.so.0"
# Below this line, all invoked programs must be provided by the snap rather than the host (#8245)
join() {
sep=$1
first=$2
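Review bot: the `snap_connections=$(snap connections certbot)` line does not check the exit status of the host `snap` command; if it fails or is absent, the variable is silently empty and the wrapper later exports an empty `CERTBOT_PLUGIN_PATH`, so third-party plugin snaps disappear with no error. Suggest `snap_connections=$(snap connections certbot) || { echo "snap connections failed" >&2; exit 1; }`. While touching this region, note that the unchanged `export LD_LIBRARY_PATH="${PARTIAL_LIBRARY_PATH}:${LD_LIBRARY_PATH}"` line appends the inherited value unconditionally, so when it is unset the result ends in `:`, an empty entry that the glibc loader treats as the current working directory; `"${PARTIAL_LIBRARY_PATH}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"` avoids that.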
@ -42,6 +46,6 @@ join() {
fi
}
paths=$(for plugin_snap in $(snap connections certbot|sed -n '2,$p'|awk '$1=="content[certbot-1]"{print $3}'|cut -d: -f1); do echo /snap/$plugin_snap/current/lib/python3.8/site-packages; done)
paths=$(for plugin_snap in $(gawk 'NR>1 { if ($1 == "content[certbot-1]") { split($3,a,":"); print a[1]; } }'<<<"$snap_connections"); do echo /snap/$plugin_snap/current/lib/python3.8/site-packages; done)
export CERTBOT_PLUGIN_PATH=$(join : $paths)
exec certbot "$@"
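Review bot: on the `paths=` line, `gawk` is resolved through PATH even though the line sits below the "must be provided by the snap" marker, so the guarantee only holds if `${SNAP}/usr/bin` precedes the host directories in PATH; invoking `"${SNAP}/usr/bin/gawk"` by absolute path would make it hold unconditionally and make a missing staged package fail loudly instead of falling back to a host awk. The `lib/python3.8/site-packages` segment is also hardcoded, so a later base or Python bump will produce plugin paths that silently match nothing.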


@ -19,6 +19,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
fail to load the Augeas library it depends on has been fixed.
* The `acme` library can now tell the ACME server to clear contact information by passing an empty
`tuple` to the `contact` field of a `Registration` message.
* Fixed the `*** stack smashing detected ***` error in the Certbot snap on some systems.
More details about these changes can be found on our GitHub repo.
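Review bot: the new `* Fixed the `*** stack smashing detected ***` error` entry says "on some systems" without naming the trigger; adding a clause such as "caused by host sed/awk being run after the wrapper modified LD_LIBRARY_PATH (#8245)" would let users match the symptom to this fix and find the issue.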


@ -71,6 +71,8 @@ parts:
- python3-distutils
- python3-pkg-resources
- python3.8-minimal
# added for certbot.wrapper script:
- gawk
# To build cryptography and cffi if needed
build-packages: [gcc, libffi-dev, libssl-dev, git, libaugeas-dev, python3-dev]
build-environment:
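Review bot: the `# added for certbot.wrapper script:` comment above `- gawk` should cite #8245 and state that the wrapper must not fall back to the host's awk or sed, otherwise a later dependency cleanup could drop the package as unused and reintroduce the crash; a comment such as `# gawk is required by certbot.wrapper, which must not use host tools (#8245)` would carry that context.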