!43 [sync] PR-42: Remove unused i option in authvar

From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

Bugfix-Free-resources-if-certificate-cannot-be-found.patch

@@ -0,0 +1,39 @@
+From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
+From: Chenxi Mao <chenxi.mao@suse.com>
+Date: Tue, 13 Dec 2022 22:12:29 +0800
+Subject: [PATCH 1/1] Free resources if certificate cannot be found
+
+In find_certificate_by_callback, function return -1 directly without
+free resource if node is null, that will lead to nss shut down failed.
+
+The error message as below:
+could not shut down NSS: NSS could not shutdown. Objects are still in use.
+
+To fix this issue, free all resources before function return -1.
+
+Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
+---
+ src/cms_common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 1c54c90..24576f2 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
+ 		}
+ 	}
+ 
+-	if (!node)
++	if (!node) {
++		PK11_DestroySlotListElement(slots, &psle);
++		PK11_FreeSlotList(slots);
++		CERT_DestroyCertList(certlist);
+ 		cnreterr(-1, cms, "Could not find certificate");
++	}
+ 
+ 	*cert = CERT_DupCertificate(node->cert);
+ 
+-- 
+2.33.0
+

Bugfix-cms_common-fix-cert-match-check.patch

@@ -0,0 +1,29 @@
+From c6a38cd80916e7a412227836b1865685e8d1ccfd Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Fri, 11 Nov 2022 11:20:35 +0800
+Subject: [PATCH] cms_common: fix cert match check
+
+In find_certificate_by_callback(), the match() returns 1
+when cert subject is matched.
+
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 1c54c90..d3e6dea 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
+ 			continue;
+ 
+ 		int rc = match(tmpnode->cert, cbdata);
+-		if (rc == 0) {
++		if (rc == 1) {
+ 			node = tmpnode;
+ 			break;
+ 		}
+-- 
+2.33.0
+

Feature-pesign-support-SM2-signature-algorithm.patch

@@ -21,8 +21,8 @@ index afa00e2..4aabf5d 100644
 +		SECItem *content, SECOidData *oid)
 +{
 +	int ret = -1;
-+	SECKEYPublicKey *pubkey;
++	SECKEYPublicKey *pubkey = NULL;
-+	unsigned char *buf;
++	unsigned char *buf = NULL;
 +	SECStatus status;
 +	SECItem sig_raw = { 0 };
 +

Fix-CVE-2022-3560.patch

@@ -0,0 +1,80 @@
+From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 18 Jan 2023 14:00:22 -0500
+Subject: [PATCH] Use normal file permissions instead of ACLs
+
+Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
+
+pesign-authorize is now deprecated and will be removed in a future
+release.
+
+Resolves: CVE-2022-3560
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/pesign-authorize.in | 50 +++--------------------------------------
+ 1 file changed, 3 insertions(+), 47 deletions(-)
+
+diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
+index 69797d5..b4e89e0 100644
+--- a/src/pesign-authorize.in
++++ b/src/pesign-authorize.in
+@@ -2,56 +2,12 @@
+ set -e
+ set -u
+ 
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-while read -r user ; do
+-	dirusers[${#dirusers[@]}]=-m
+-	dirusers[${#dirusers[@]}]="u:$user:rwx"
+-	fileusers[${#fileusers[@]}]=-m
+-	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done </etc/pesign/users
+-
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-while read -r group ; do
+-	dirgroups[${#dirgroups[@]}]=-m
+-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+-	filegroups[${#filegroups[@]}]=-m
+-	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done </etc/pesign/groups
+-
+-update_subdir() {
+-	subdir=$1 && shift
+ 
+-	setfacl -bk "${subdir}"
+-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+-	for x in "${subdir}"* ; do
+-		if [ -d "${x}" ]; then
+-			setfacl -bk "${x}"
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
+-			update_subdir "${x}/"
+-		elif [ -e "${x}" ]; then
+-			setfacl -bk "${x}"
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
+-		else
+-			:;
+-		fi
+-	done
+-}
++# This script is deprecated and will be removed in a future release.
+ 
+ sleep 3
+ for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
+-	if [ -d "${x}" ]; then
+-		update_subdir "${x}"
+-	else
+-		:;
+-	fi
++	chown -R pesign:pesign "${x}" || true
++	chmod -R ug+rwX "${x}" || true
+ done

Fix-build-error-of-gcc-version-too-low.patch

@@ -0,0 +1,53 @@
+From 3afba00007f294baca8c7cfbc20cec24899fe5f1 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Mon, 7 Nov 2022 20:41:08 +0800
+Subject: [PATCH] fix build error of gcc version too low
+
+---
+ src/daemon.c   | 3 ---
+ src/password.c | 3 ---
+ 2 files changed, 6 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 0a66deb..c5061bd 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -920,8 +920,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
+ 
+ /* GCC -fanalyzer has trouble with realloc
+  * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
+ static int
+ handle_events(context *ctx)
+ {
+@@ -1000,7 +998,6 @@ shutdown:
+ 	}
+ 	return 0;
+ }
+-#pragma GCC diagnostic pop
+ 
+ static int
+ get_uid_and_gid(context *ctx, char **homedir)
+diff --git a/src/password.c b/src/password.c
+index 05add9a..0f359d2 100644
+--- a/src/password.c
++++ b/src/password.c
+@@ -304,14 +304,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 
+ 		/* Workaround for -fanalzer/reallocarray() bug
+ 		 * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wanalyzer-mismatching-deallocation"
+ 		new_phrases = reallocarray(phrases, nphrases + 1, sizeof(struct token_pass));
+ 		if (!new_phrases)
+ 			goto err_phrases;
+ 		phrases = new_phrases;
+ 		memset(&new_phrases[nphrases], 0, sizeof(struct token_pass));
+-#pragma GCC diagnostic pop
+ 
+ 		span = strspn(start, whitespace_and_eol_chars);
+ 		dprintf("whitespace span is %zd", span);
+-- 
+2.27.0
+

Fix-the-build-with-nss-3.44.patch

@@ -1,42 +0,0 @@
-From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 14 May 2019 11:28:38 -0400
-Subject: [PATCH] efikeygen: Fix the build with nss 3.44
-
-NSS 3.44 adds some certificate types, which changes a type and makes
-some encoding stuff weird.  As a result, we get:
-
-gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe  -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing  -g -O0 -g -O0  -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/  -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr  -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
-In file included from /usr/local/include/nss/nss/cert.h:22,
-                 from efikeygen.c:39:
-efikeygen.c: In function 'add_cert_type':
-/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
-     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
-     ^
-efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
-  unsigned char type = NS_CERT_TYPE_APP;
-                       ^~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-This is fixed by just making it an int.
-
-Fixes github issue #48.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/efikeygen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/efikeygen.c b/src/efikeygen.c
-index ede76ef..2cd953e 100644
---- a/src/efikeygen.c
-+++ b/src/efikeygen.c
-@@ -208,7 +208,7 @@ static int
- add_cert_type(cms_context *cms, void *extHandle, int is_ca)
- {
- 	SECItem bitStringValue;
--	unsigned char type = NS_CERT_TYPE_APP;
-+	int type = NS_CERT_TYPE_APP;
- 
- 	if (is_ca)
- 		type |= NS_CERT_TYPE_SSL_CA |

Remove-unused-i-option-in-authvar.patch

@@ -0,0 +1,16 @@
+diff -Nur a/src/authvar.c b/src/authvar.c
+--- a/src/authvar.c	2022-03-09 01:46:30.000000000 +0800
++++ b/src/authvar.c	2023-05-31 16:47:15.329069974 +0800
+@@ -324,12 +324,6 @@
+ 		 .arg = &ctx.valuefile,
+ 		 .descrip = "read value from <file>",
+ 		 .argDescrip = "<file>" },
+-		{.longName = "import",
+-		 .shortName = 'i',
+-		 .argInfo = POPT_ARG_STRING,
+-		 .arg = &ctx.importfile,
+-		 .descrip = "import variable from <file>",
+-		 .argDescrip = "<file>" },
+ 		{.longName = "export",
+ 		 .shortName = 'e',
+ 		 .argInfo = POPT_ARG_STRING,

pesign.spec

@@ -1,11 +1,11 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
-Version:       0.113
+Version:       115
-Release:       7
+Release:       5
 License:       GPLv2
-URL:           https://github.com/vathpela/pesign
+URL:           https://github.com/rhboot/pesign
-Source0:       https://github.com/rhboot/pesign/archive/113.tar.gz
+Source0:       https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
 Source1:       certs.tar.xz
 Source2:       pesign.py
 Source3:       euleros-certs.tar.bz2
@@ -14,14 +14,16 @@ Requires:      nspr nss nss-util popt rpm
 Requires(pre): shadow-utils
 BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
 BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
-BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc
+BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
-
-Patch0001:     Fix-the-build-with-nss-3.44.patch
-Patch0002:     remove-superfluous-type-settings.patch
 
+Patch0001:     Bugfix-cms_common-fix-cert-match-check.patch
+Patch0002:     Bugfix-Free-resources-if-certificate-cannot-be-found.patch
+Patch0003:     Remove-unused-i-option-in-authvar.patch
 # Feature: support SM2 and SM3
 Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
 Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
+Patch9002:     Fix-build-error-of-gcc-version-too-low.patch
+Patch9003:     Fix-CVE-2022-3560.patch
 
 %description
 pesign is a command line tool for manipulating signatures and
@@ -35,7 +37,7 @@ Requires:       %{name} = %{version}-%{release}
 Files for help with pesign.
 
 %prep
-%autosetup -n %{name}-113 -p1 -T -b 0 -D -c -a 1
+%autosetup -n %{name}-%{version} -p1 -T -b 0 -D -c -a 1
 tar -jxf %{SOURCE3}
 
 %build
@@ -49,7 +51,7 @@ install -D etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
 install -D etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
 mv euleros-certs/etc/pki/pesign/euleros-pesign-db %{buildroot}/etc/pki/pesign/
 install -D %{buildroot}%{_sysconfdir}/rpm/macros.pesign %{buildroot}%{macrosdir}/macros.pesign
-rm -vf %{buildroot}/usr/share/doc/pesign-113/COPYING
+rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
 install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 
@@ -78,10 +80,10 @@ exit 0
 %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
 %config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
 %{_libexecdir}/pesign/pesign-authorize
+%{_libexecdir}/pesign/pesign-rpmbuild-helper
 %config(noreplace)/%{_sysconfdir}/pesign/*
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
-%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
 %dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
 %attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
@@ -98,13 +100,31 @@ exit 0
 %{_mandir}/man*/*
 
 %changelog
+* Wed May 31 2023 liyanan <thistleslyn@163.com> - 115-5
+- Remove unused i option in authvar 
+
+* Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
+- Fix CVE-2022-3560
+
+* Mon Dec 19 2022 Chenxi Mao <chenxi.mao@suse.com> - 115-3
+- Free resources if certification cannot be found. 
+
+* Sat Nov 12 2022 luhuaxin <luhuaxin1@huawei.com> - 115-2
+- fix certificate chain bug
+
+* Mon Nov 7 2022 jinlun <jinlun@huawei.com> - 115-1
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:update to 115
+
 * Mon Oct 31 2022 luhuaxin <luhuaxin1@huawei.com> - 0.113-7
 - fix the algorithm flag for sm2,sm3
 
 * Mon Oct 10 2022 godcansee <liu332084460@foxmail.com> - 0.113-6
 - add feature to support for sm2,sm3 
 
-* Sat July 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
+* Sat Jul 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
 - remove-superfluous-type-settings.patch
 
 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 0.113-4

remove-superfluous-type-settings.patch

@@ -1,19 +0,0 @@
-diff -Nur pesign-113/src/pesigcheck.c pesign-113-new/src/pesigcheck.c
---- pesign-113/src/pesigcheck.c	2019-05-11 02:53:51.000000000 +0800
-+++ pesign-113-new/src/pesigcheck.c	2021-07-30 11:25:25.000000000 +0800
-@@ -318,7 +318,6 @@
- 			reason->type = SIGNATURE;
- 			reason->sig.data = data;
- 			reason->sig.len = datalen;
--			reason->type = siBuffer;
- 			nreason += 1;
- 			is_invalid = true;
- 		}
-@@ -330,7 +329,6 @@
- 			reason->type = SIGNATURE;
- 			reason->sig.data = data;
- 			reason->sig.len = datalen;
--			reason->type = siBuffer;
- 			nreason += 1;
- 			has_valid_cert = true;
- 		}