Pull Request #8249: snap: Fix "stack smashing" error in wrapper

certbot.wrapper had implicit dependencies on sed, awk and coreutils,
which were being accidentally provided through the host system. Because
certbot.wrapper modifies LD_LIBRARY_PATH, this was causing some systems
to load an incompatible combination of shared libraries, resulting sed
crashing.

This commit reduces the dependencies of this script to just gawk, and
explicitly stages it as part of the Certbot snap.

It additionally moves invocations of all host system programs to a
moment prior to the modification of LD_LIBRARY_PATH, and the invocation
of snapped programs to after the modification.

Fixes #8245

certbot.wrapper

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
 # This code is based on snapcraft's own patch to work around this problem at
@@ -27,21 +27,9 @@ case "${SNAP_ARCH}" in
         exit 1
 esac
 
-PARTIAL_LIBRARY_PATH="${SNAP}/usr/lib/${ARCH_TRIPLET}/"
-export LD_LIBRARY_PATH="${PARTIAL_LIBRARY_PATH}:${LD_LIBRARY_PATH}"
-export CERTBOT_AUGEAS_PATH="${PARTIAL_LIBRARY_PATH}libaugeas.so.0"
+export CERTBOT_AUGEAS_PATH="${SNAP}/usr/lib/${ARCH_TRIPLET}/libaugeas.so.0"
 
-join() {
-    sep=$1
-    first=$2
-    if [ "$first" != "" ]; then
-        shift 2
-        echo -n "${first}"
-        for item in "$@"; do echo -n "${sep}${item}"; done
-        echo
-    fi
-}
+CERTBOT_PLUGIN_PATH="$(snap connections certbot | gawk 'BEGIN {ORS=""} NR>1 { if ($1 == "content[certbot-1]") { split($3,a,":"); PLUGINS=PLUGINS":/snap/"a[1]"/current/lib/python3.8/site-packages/"; next; } } END { print substr(PLUGINS, 2) }')"
+export CERTBOT_PLUGIN_PATH
 
-paths=$(for plugin_snap in $(snap connections certbot|sed -n '2,$p'|awk '$1=="content[certbot-1]"{print $3}'|cut -d: -f1); do echo /snap/$plugin_snap/current/lib/python3.8/site-packages; done)
-export CERTBOT_PLUGIN_PATH=$(join : $paths)
 exec certbot "$@"

certbot/CHANGELOG.md

@@ -19,6 +19,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
   fail to load the Augeas library it depends on has been fixed.
 * The `acme` library can now tell the ACME server to clear contact information by passing an empty
   `tuple` to the `contact` field of a `Registration` message. 
+* Fixed the `*** stack smashing detected ***` error in the Certbot snap on some systems.
 
 More details about these changes can be found on our GitHub repo.
 

snap/hooks/configure

@@ -1,3 +1,3 @@
-#!/bin/bash -e
+#!/bin/sh -e
 
 exit 0

snap/hooks/prepare-plug-plugin

@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/sh -e
 
 if [ "$(snapctl get trust-plugin-with-root)" = "ok" ]; then
     # allow the connection, but reset config to allow for other slots to go through this auth flow

snap/snapcraft.yaml

@@ -71,6 +71,8 @@ parts:
       - python3-distutils
       - python3-pkg-resources
       - python3.8-minimal
+      # added for certbot.wrapper script:
+      - gawk
     # To build cryptography and cffi if needed
     build-packages: [gcc, libffi-dev, libssl-dev, git, libaugeas-dev, python3-dev]
     build-environment: