packages/rpm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!109 upgrade version to 4.17.0

Browse Source 
Merge pull request !109 from renxichen/openEuler-22.03-LTS-Next
This commit is contained in:
openeuler-ci-bot 2021-12-29 03:02:17 +00:00 committed by Gitee
commit c1c26b21cd
49 changed files with 133 additions and 2523 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Add-digest-list-plugin.patch
View File

@ -17,9 +17,9 @@ index 402749362..8619c1323 100644
--- a/macros.in --- a/macros.in
+++ b/macros.in +++ b/macros.in
@@ -1184,6 +1184,7 @@ package or when debugging this package.\ @@ -1184,6 +1184,7 @@ package or when debugging this package.\
%__transaction_ima %{__plugindir}/ima.so
%__transaction_prioreset %{__plugindir}/prioreset.so %__transaction_prioreset %{__plugindir}/prioreset.so
%__transaction_audit %{__plugindir}/audit.so %__transaction_audit %{__plugindir}/audit.so
%__transaction_dbus_announce %{__plugindir}/dbus_announce.so
+%__transaction_digest_list %{__plugindir}/digest_list.so +%__transaction_digest_list %{__plugindir}/digest_list.so
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@ -41,10 +41,11 @@ new file mode 100644
index 000000000..beb397309 index 000000000..beb397309
--- /dev/null --- /dev/null
+++ b/plugins/digest_list.c +++ b/plugins/digest_list.c
@@ -0,0 +1,498 @@ @@ -0,0 +1,499 @@
+#include "system.h" +#include "system.h"
+#include "errno.h" +#include "errno.h"
+ +
+#include <fcntl.h>
+#include <rpm/rpmlog.h> +#include <rpm/rpmlog.h>
+#include <rpm/rpmts.h> +#include <rpm/rpmts.h>
+#include <rpm/header.h> +#include <rpm/header.h>
@ -565,7 +566,7 @@ index 46cd0f31a..3c6b18b53 100644
} break; } break;
case 4: case 4:
@@ -658,6 +659,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, @@ -658,6 +659,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
if (p > (h + hlen)) if (p > hend)
return 1; return 1;
+ _digp->data = p; + _digp->data = p;

102
CVE-2021-20266.patch
View File

@ -1,102 +0,0 @@
From 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <athena@invisiblethingslab.com>
Date: Mon, 8 Feb 2021 16:05:01 -0500
Subject: [PATCH] hdrblobInit() needs bounds checks too
Users can pass untrusted data to hdrblobInit() and it must be robust
against this.
---
lib/header.c | 48 +++++++++++++++++++++++++++++++-----------------
1 file changed, 31 insertions(+), 17 deletions(-)
diff --git a/lib/header.c b/lib/header.c
index ea39e679f4..ebba9c2b09 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -11,6 +11,7 @@
#include "system.h"
#include <netdb.h>
#include <errno.h>
+#include <inttypes.h>
#include <rpm/rpmtypes.h>
#include <rpm/rpmstring.h>
#include "lib/header_internal.h"
@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob)
return NULL;
}
+static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
+ char **emsg) {
+ uint32_t il_max = HEADER_TAGS_MAX;
+ uint32_t dl_max = HEADER_DATA_MAX;
+ if (regionTag == RPMTAG_HEADERSIGNATURES) {
+ il_max = 32;
+ dl_max = 64 * 1024 * 1024;
+ }
+ if (hdrchkRange(il_max, il)) {
+ rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
+ return RPMRC_FAIL;
+ }
+ if (hdrchkRange(dl_max, dl)) {
+ rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
+ return RPMRC_FAIL;
+ }
+ return RPMRC_OK;
+}
+
rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
{
int32_t block[4];
@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
size_t nb;
rpmRC rc = RPMRC_FAIL; /* assume failure */
int xx;
- int32_t il_max = HEADER_TAGS_MAX;
- int32_t dl_max = HEADER_DATA_MAX;
-
- if (regionTag == RPMTAG_HEADERSIGNATURES) {
- il_max = 32;
- dl_max = 64 * 1024 * 1024;
- }
memset(block, 0, sizeof(block));
if ((xx = Freadall(fd, bs, blen)) != blen) {
@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
goto exit;
}
il = ntohl(block[2]);
- if (hdrchkRange(il_max, il)) {
- rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
- goto exit;
- }
dl = ntohl(block[3]);
- if (hdrchkRange(dl_max, dl)) {
- rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
+ if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
goto exit;
- }
nb = (il * sizeof(struct entryInfo_s)) + dl;
uc = sizeof(il) + sizeof(dl) + nb;
@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
struct hdrblob_s *blob, char **emsg)
{
rpmRC rc = RPMRC_FAIL;
-
memset(blob, 0, sizeof(*blob));
+ if (uc && uc < 8) {
+ rasprintf(emsg, _("hdr length: BAD"));
+ goto exit;
+ }
+
blob->ei = (int32_t *) uh; /* discards const */
- blob->il = ntohl(blob->ei[0]);
- blob->dl = ntohl(blob->ei[1]);
+ blob->il = ntohl((uint32_t)(blob->ei[0]));
+ blob->dl = ntohl((uint32_t)(blob->ei[1]));
+ if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
+ goto exit;
+
blob->pe = (entryInfo) &(blob->ei[2]);
blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
(blob->il * sizeof(*blob->pe)) + blob->dl;

2
Don-t-add-dist-to-release-if-it-is-already-there.patch
View File

@ -20,7 +20,7 @@ index 147059bb5..c3d898b4c 100644
+ (dist && strstr(field, dist)) ? "" : dist); + (dist && strstr(field, dist)) ? "" : dist);
free(dist); free(dist);
} }
if (rpmCharCheck(spec, field, WHITELIST_VERREL)) if (rpmCharCheck(spec, field, ALLOWED_CHARS_VERREL))
-- --
2.27.GIT 2.27.GIT

8
Generate-digest-lists.patch
View File

@ -39,19 +39,19 @@ index 6dfd801c8..ab6938d8c 100644
static void nullAttrRec(AttrRec ar) static void nullAttrRec(AttrRec ar)
{ {
memset(ar, 0, sizeof(*ar)); memset(ar, 0, sizeof(*ar));
@@ -984,11 +991,13 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) @@ -997,11 +997,14 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc)
{ {
FileListRec flp; FileListRec flp;
char buf[BUFSIZ]; char buf[BUFSIZ];
+ char file_info[BUFSIZ]; + char file_info[BUFSIZ];
+ char file_digest[128 * 2 + 1]; + char file_digest[128 * 2 + 1];
int i, npaths = 0; int i, npaths = 0;
int fail_on_dupes = rpmExpandNumeric("%{?_duplicate_files_terminate_build}") > 0;
uint32_t defaultalgo = PGPHASHALGO_MD5, digestalgo; uint32_t defaultalgo = PGPHASHALGO_MD5, digestalgo;
rpm_loff_t totalFileSize = 0; rpm_loff_t totalFileSize = 0;
Header h = pkg->header; /* just a shortcut */ Header h = pkg->header; /* just a shortcut */
- int override_date = 0; + int processed = 0;
+ int override_date = 0, processed = 0; time_t source_date_epoch = 0;
time_t source_date_epoch;
char *srcdate = getenv("SOURCE_DATE_EPOCH"); char *srcdate = getenv("SOURCE_DATE_EPOCH");
@@ -1058,8 +1067,9 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) @@ -1058,8 +1067,9 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc)

36
Silence-spurious-error-message-from-lsetfilecon-on-E.patch
View File

@ -1,36 +0,0 @@
From 4a71a3eccd7e9e14ee0e83b1cb300386a93622cd Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 13 Dec 2019 14:14:10 +0200
Subject: [PATCH] Silence spurious error message from lsetfilecon() on
-EOPNOTSUPP
We already filter out -EOPNOTSUPP and return OK, but the message was
getting logged before the filtering so we'd spit out spurious error
messages on filesystems that don't support SELinux (RhBug:1777502)
---
plugins/selinux.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/plugins/selinux.c b/plugins/selinux.c
index a51f95e..ba37ffa 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -168,11 +168,12 @@ static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
int conrc = lsetfilecon(path, scon);
- rpmlog(loglvl(conrc < 0), "lsetfilecon: (%s, %s) %s\n",
- path, scon, (conrc < 0 ? strerror(errno) : ""));
-
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
rc = RPMRC_OK;
+
+ rpmlog(loglvl(rc != RPMRC_OK), "lsetfilecon: (%s, %s) %s\n",
+ path, scon, (conrc < 0 ? strerror(errno) : ""));
+
freecon(scon);
} else {
/* No context for dest is not our headache */
--
1.8.3.1

2
Unbundle-config-site-and-add-RPM-LD-FLAGS-macro.patch
View File

@ -31,7 +31,7 @@ index fe9803a..4027493 100644
+ CONFIG_SITE=${CONFIG_SITE:-NONE}\ + CONFIG_SITE=${CONFIG_SITE:-NONE}\
+ export CONFIG_SITE\ + export CONFIG_SITE\
\ \
%{verbose:set -x}\ %[%{verbose}?"set -x":""]\
umask 022\ umask 022\
-- --
1.8.3.1 1.8.3.1

113
Use-common-error-logic-regardless-of-setexecfilecon-.patch
View File

@ -1,113 +0,0 @@
From 153c5c219844f0f294862c9043b20f4d24f7fa69 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 18 Feb 2020 15:50:40 +0200
Subject: [PATCH] Use common error logic regardless of setexecfilecon()
availability
Refactor the custom exec context setting code to look like setexecfilecon()
in case the real one is not available to eliminate pesky behavioral
differences between the two cases.
This fixes a concrete bug of libselinux setexecfilecon() returning with
an error when security_getenforce() returns with -1 (such as a bare
chroot with no /sys mounts etc), causing us to spit out useless error
messages in that case ever since fixing the bogus if-logic in
commit ab601b882b9d9d8248250111317615db1aa7b7c6.
Fixes: #1077
---
plugins/selinux.c | 44 +++++++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/plugins/selinux.c b/plugins/selinux.c
index ba37ffabe..12545174d 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -94,65 +94,63 @@ static rpmRC selinux_psm_pre(rpmPlugin plugin, rpmte te)
return rc;
}
-static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
- const char *path, int type)
-{
- rpmRC rc = RPMRC_FAIL;
- int xx;
#ifndef HAVE_SETEXECFILECON
+static int setexecfilecon(const char *path, const char *fallback_type)
+{
+ int rc = -1;
security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
context_t con = NULL;
- if (sehandle == NULL)
- return RPMRC_OK;
-
/* Figure the context to for next exec() */
if (getcon(&mycon) < 0)
goto exit;
if (getfilecon(path, &fcon) < 0)
goto exit;
- if (security_compute_create(mycon, fcon, string_to_security_class("process"), &newcon) < 0)
+ if (security_compute_create(mycon, fcon,
+ string_to_security_class("process"), &newcon) < 0)
goto exit;
if (rstreq(mycon, newcon)) {
- /* No default transition, use rpm_script_t for now. */
- const char * script_type = "rpm_script_t";
-
con = context_new(mycon);
if (!con)
goto exit;
- if (context_type_set(con, script_type))
+ if (context_type_set(con, fallback_type))
goto exit;
freecon(newcon);
newcon = xstrdup(context_str(con));
}
- if ((xx = setexeccon(newcon)) == 0)
- rc = RPMRC_OK;
-
- rpmlog(loglvl(xx < 0), "setexeccon: (%s, %s) %s\n",
- path, newcon, (xx < 0 ? strerror(errno) : ""));
+ rc = setexeccon(newcon);
exit:
context_free(con);
freecon(newcon);
freecon(fcon);
freecon(mycon);
+ return rc;
+}
+#endif
+
+static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
+ const char *path, int type)
+{
+ /* No default transition, use rpm_script_t for now. */
+ const char *script_type = "rpm_script_t";
+ rpmRC rc = RPMRC_FAIL;
-#else
if (sehandle == NULL)
return RPMRC_OK;
- if ((xx = setexecfilecon(path, "rpm_script_t")) == 0)
+ if (setexecfilecon(path, script_type) == 0)
rc = RPMRC_OK;
- rpmlog(loglvl(xx < 0), "setexecfilecon: (%s) %s\n",
- path, (xx < 0 ? strerror(errno) : ""));
-#endif
/* If selinux is not enforcing, we don't care either */
if (rc && security_getenforce() < 1)
rc = RPMRC_OK;
+ rpmlog(loglvl(rc), "setexecfilecon: (%s, %s) %s\n",
+ path, script_type, rc ? strerror(errno) : "");
+
return rc;
}
--

2
add-dist-to-release-by-default.patch
View File

@ -20,7 +20,7 @@ index b0a17c8..cac899a 100644
+ rasprintf(&field,"%s%s",field,dist); + rasprintf(&field,"%s%s",field,dist);
+ free(dist); + free(dist);
+ } + }
if (rpmCharCheck(spec, field, WHITELIST_VERREL)) if (rpmCharCheck(spec, field, ALLOWED_CHARS_VERREL))
goto exit; goto exit;
headerPutString(pkg->header, tag, field); headerPutString(pkg->header, tag, field);
@@ -987,6 +992,8 @@ static rpmRC handlePreambleTag(rpmSpec spec, Package pkg, rpmTagVal tag, @@ -987,6 +992,8 @@ static rpmRC handlePreambleTag(rpmSpec spec, Package pkg, rpmTagVal tag,

55
backport-0001-CVE-2021-3521.patch
View File

@ -1,55 +0,0 @@
From 7b399fcb8f52566e6f3b4327197a85facd08db91 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 30 Sep 2021 09:51:10 +0300
Subject: [PATCH] Process MPI's from all kinds of signatures
---
rpmio/rpmpgp.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 33bef0b..b353fe6 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
return NULL;
}
-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
const uint8_t *p, const uint8_t *h, size_t hlen,
pgpDigParams sigp)
{
@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
int mpil = pgpMpiLen(p);
if (pend - p < mpil)
break;
- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
- if (sigalg->setmpi(sigalg, i, p))
- break;
- }
+ if (sigalg->setmpi(sigalg, i, p))
+ break;
p += mpil;
}
@@ -601,7 +599,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
p = ((uint8_t *)v) + sizeof(*v);
_digp->data = p;
- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
} break;
case 4:
{ pgpPktSigV4 v = (pgpPktSigV4)h;
@@ -660,7 +658,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
return 1;
_digp->data = p;
- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
} break;
default:
rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
--
2.27.0

49
backport-0002-CVE-2021-3521.patch
View File

@ -1,49 +0,0 @@
From 236b802a4aa48711823a191d1b7f753c82a89ec5 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 30 Sep 2021 09:56:20 +0300
Subject: [PATCH] Refactor pgpDigParams construction to helper function
---
rpmio/rpmpgp.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index b353fe6..ee97f07 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -1000,6 +1000,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
return algo;
}
+static pgpDigParams pgpDigParamsNew(uint8_t tag)
+{
+ pgpDigParams digp = xcalloc(1, sizeof(*digp));
+ digp->tag = tag;
+ return digp;
+}
+
int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
pgpDigParams * ret)
{
@@ -1017,8 +1024,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
if (pkttype && pkt.tag != pkttype) {
break;
} else {
- digp = xcalloc(1, sizeof(*digp));
- digp->tag = pkt.tag;
+ digp = pgpDigParamsNew(pkt.tag);
}
}
@@ -1066,8 +1072,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
digps = xrealloc(digps, alloced * sizeof(*digps));
}
- digps[count] = xcalloc(1, sizeof(**digps));
- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
+ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
/* Copy UID from main key to subkey */
digps[count]->userid = xstrdup(mainkey->userid);
--
2.27.0

309
backport-0003-CVE-2021-3521.patch
View File

@ -1,309 +0,0 @@
From e233fb844adda74a5199057d1fd7fa20d994564d Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 30 Sep 2021 09:59:30 +0300
Subject: [PATCH] Validate and require subkey binding signatures on PGP public keys
---
rpmio/rpmpgp.c | 98 +++++++++++++++++--
tests/Makefile.am | 3 +
tests/data/keys/CVE-2021-3521-badbind.asc | 24 +++++
.../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
tests/data/keys/CVE-2021-3521-nosubsig.asc | 36 +++++++
tests/rpmsigdig.at | 28 ++++++
6 files changed, 207 insertions(+), 7 deletions(-)
create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index ee97f07..2b6e173 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -1007,37 +1007,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
return digp;
}
+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
+{
+ int rc = -1;
+ if (pkt->tag == exptag) {
+ uint8_t head[] = {
+ 0x99,
+ (pkt->blen >> 8),
+ (pkt->blen ),
+ };
+
+ rpmDigestUpdate(hash, head, 3);
+ rpmDigestUpdate(hash, pkt->body, pkt->blen);
+ rc = 0;
+ }
+ return rc;
+}
+
+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
+ const struct pgpPkt *all, int i)
+{
+ int rc = -1;
+ DIGEST_CTX hash = NULL;
+
+ switch (selfsig->sigtype) {
+ case PGPSIGTYPE_SUBKEY_BINDING:
+ hash = rpmDigestInit(selfsig->hash_algo, 0);
+ if (hash) {
+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
+ if (!rc)
+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
+ }
+ break;
+ default:
+ /* ignore types we can't handle */
+ rc = 0;
+ break;
+ }
+
+ if (hash && rc == 0)
+ rc = pgpVerifySignature(key, selfsig, hash);
+
+ rpmDigestFinal(hash, NULL, NULL, 0);
+
+ return rc;
+}
+
int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
pgpDigParams * ret)
{
const uint8_t *p = pkts;
const uint8_t *pend = pkts + pktlen;
pgpDigParams digp = NULL;
- struct pgpPkt pkt;
+ pgpDigParams selfsig = NULL;
+ int i = 0;
+ int alloced = 16; /* plenty for normal cases */
+ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
int rc = -1; /* assume failure */
+ int expect = 0;
+ int prevtag = 0;
while (p < pend) {
- if (decodePkt(p, (pend - p), &pkt))
+ struct pgpPkt *pkt = &all[i];
+ if (decodePkt(p, (pend - p), pkt))
break;
if (digp == NULL) {
- if (pkttype && pkt.tag != pkttype) {
+ if (pkttype && pkt->tag != pkttype) {
break;
} else {
- digp = pgpDigParamsNew(pkt.tag);
+ digp = pgpDigParamsNew(pkt->tag);
}
}
- if (pgpPrtPkt(&pkt, digp))
+ if (expect) {
+ if (pkt->tag != expect)
+ break;
+ selfsig = pgpDigParamsNew(pkt->tag);
+ }
+
+ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
break;
- p += (pkt.body - pkt.head) + pkt.blen;
+ if (selfsig) {
+ /* subkeys must be followed by binding signature */
+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
+ break;
+ }
+
+ int xx = pgpVerifySelf(digp, selfsig, all, i);
+
+ selfsig = pgpDigParamsFree(selfsig);
+ if (xx)
+ break;
+ expect = 0;
+ }
+
+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
+ expect = PGPTAG_SIGNATURE;
+ prevtag = pkt->tag;
+
+ i++;
+ p += (pkt->body - pkt->head) + pkt->blen;
if (pkttype == PGPTAG_SIGNATURE)
break;
+
+ if (alloced <= i) {
+ alloced *= 2;
+ all = xrealloc(all, alloced * sizeof(*all));
+ }
}
- rc = (digp && (p == pend)) ? 0 : -1;
+ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+ free(all);
if (ret && rc == 0) {
*ret = digp;
} else {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ab92353..585e7a2 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -104,6 +104,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
EXTRA_DIST += data/SPECS/hello-cd.spec
EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
EXTRA_DIST += data/macros.testfile
EXTRA_DIST += data/macros.debug
EXTRA_DIST += data/SOURCES/foo.c
diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
new file mode 100644
index 0000000..701ffda
--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
new file mode 100644
index 0000000..2aaa0a0
--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
@@ -0,0 +1,25 @@
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
new file mode 100644
index 0000000..9743d55
--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
@@ -0,0 +1,36 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
+E4XX4jtDmdZPreZALsiB
+=rRop
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 91c205e..c780deb 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -225,6 +225,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
[])
AT_CLEANUP
+AT_SETUP([rpmkeys --import invalid keys])
+AT_KEYWORDS([rpmkeys import])
+RPMDB_INIT
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
+)
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
+)
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
+)
+AT_CLEANUP
+
# ------------------------------
# Test pre-built package verification
AT_SETUP([rpmkeys -K <signed> 1])
--
2.27.0

26
backport-Add-missing-terminator-to-copyTagsFromMainDebug-arra.patch
View File

@ -1,26 +0,0 @@
From 213a4064a4b1b5b260a55b3933170599e617494d Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 1 Sep 2020 12:15:33 +0300
Subject: [PATCH] Add missing terminator to copyTagsFromMainDebug array
headerCopyTags() expects a 0-terminated array, this was overflowing
(spotted by address-sanitizer)
---
build/files.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/build/files.c b/build/files.c
index f06f9ac74..47625905c 100644
--- a/build/files.c
+++ b/build/files.c
@@ -2838,6 +2838,7 @@ static rpmTag copyTagsFromMainDebug[] = {
RPMTAG_OS,
RPMTAG_PLATFORM,
RPMTAG_OPTFLAGS,
+ 0
};
/* this is a hack: patch the summary and the description to include
--
2.27.0

32
backport-Always-close-libelf-handle-1313.patch
View File

@ -1,32 +0,0 @@
From 38c03ddb18e86c84d89af695f72442d8365eb64e Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Tue, 21 Jul 2020 10:45:20 +0200
Subject: [PATCH] Always close libelf handle (#1313)
Otherwise executables that are not proper elf files are leaking libelf
handles. This results in file being left open (mmap'ed) and fails the
build on NFS as those files can't be deleted properly there.
Resolves: rhbz#1840728
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1840728
---
build/files.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/files.c b/build/files.c
index f675306f7..62489c07c 100644
--- a/build/files.c
+++ b/build/files.c
@@ -1935,8 +1935,8 @@ static int generateBuildIDs(FileList fl, ARGV_t *files)
if (terminate)
rc = 1;
}
- elf_end (elf);
}
+ elf_end (elf);
close (fd);
}
}
--
2.27.0

169
backport-CVE-2021-20271.patch
View File

@ -1,169 +0,0 @@
From d6a86b5e69e46cc283b1e06c92343319beb42e21 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 4 Mar 2021 13:21:19 +0200
Subject: [PATCH] Be much more careful about copying data from the signature
header
Conflict:NA
Reference:https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
Only look for known tags, and ensure correct type and size where known
before copying over. Bump the old arbitrary 16k count limit to 16M limit
though, it's not inconceivable that a package could have that many files.
While at it, ensure none of these tags exist in the main header,
which would confuse us greatly.
This is optimized for backporting ease, upstream can remove redundancies
and further improve checking later.
Reported and initial patches by Demi Marie Obenour.
Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
Fixes: CVE-2021-3421, CVE-2021-20271
---
lib/package.c | 112 +++++++++++++++++++++++++---------------------------------
1 file changed, 49 insertions(+), 63 deletions(-)
diff --git a/lib/package.c b/lib/package.c
index db70d13..6f10bb9 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -31,82 +31,67 @@ struct pkgdata_s {
rpmRC rc;
};
+struct taglate_s {
+ rpmTagVal stag;
+ rpmTagVal xtag;
+ rpm_count_t count;
+} const xlateTags[] = {
+ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 },
+ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 },
+ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 },
+ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 },
+ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */
+ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 },
+ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 },
+ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 },
+ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 },
+ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 },
+ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 },
+ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 },
+ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 },
+ { RPMSIGTAG_LONGARCHIVESIZE, RPMTAG_LONGARCHIVESIZE, 1 },
+ { 0 }
+};
+
/** \ingroup header
* Translate and merge legacy signature tags into header.
* @param h header (dest)
* @param sigh signature header (src)
+ * @return failing tag number, 0 on success
*/
static
-void headerMergeLegacySigs(Header h, Header sigh)
+rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
{
- HeaderIterator hi;
+ const struct taglate_s *xl;
struct rpmtd_s td;
-
- hi = headerInitIterator(sigh);
- for (; headerNext(hi, &td); rpmtdFreeData(&td))
- {
- switch (td.tag) {
- /* XXX Translate legacy signature tag values. */
- case RPMSIGTAG_SIZE:
- td.tag = RPMTAG_SIGSIZE;
- break;
- case RPMSIGTAG_PGP:
- td.tag = RPMTAG_SIGPGP;
- break;
- case RPMSIGTAG_MD5:
- td.tag = RPMTAG_SIGMD5;
- break;
- case RPMSIGTAG_GPG:
- td.tag = RPMTAG_SIGGPG;
- break;
- case RPMSIGTAG_PGP5:
- td.tag = RPMTAG_SIGPGP5;
- break;
- case RPMSIGTAG_PAYLOADSIZE:
- td.tag = RPMTAG_ARCHIVESIZE;
- break;
- case RPMSIGTAG_FILESIGNATURES:
- td.tag = RPMTAG_FILESIGNATURES;
- break;
- case RPMSIGTAG_FILESIGNATURELENGTH:
- td.tag = RPMTAG_FILESIGNATURELENGTH;
- break;
- case RPMSIGTAG_SHA1:
- case RPMSIGTAG_SHA256:
- case RPMSIGTAG_DSA:
- case RPMSIGTAG_RSA:
- default:
- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE))
- continue;
- break;
- }
- if (!headerIsEntry(h, td.tag)) {
- switch (td.type) {
- case RPM_NULL_TYPE:
- continue;
+ rpmtdReset(&td);
+ for (xl = xlateTags; xl->stag; xl++) {
+ /* There mustn't be one in the main header */
+ if (headerIsEntry(h, xl->xtag))
+ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
+ /* Translate legacy tags */
+ if (xl->stag != xl->xtag)
+ td.tag = xl->xtag;
+ /* Ensure type and tag size match expectations */
+ if (td.type != rpmTagGetTagType(td.tag))
break;
- case RPM_CHAR_TYPE:
- case RPM_INT8_TYPE:
- case RPM_INT16_TYPE:
- case RPM_INT32_TYPE:
- case RPM_INT64_TYPE:
- if (td.count != 1)
- continue;
+ if (td.count < 1 || td.count > 16*1024*1024)
break;
- case RPM_STRING_TYPE:
- case RPM_STRING_ARRAY_TYPE:
- case RPM_BIN_TYPE:
- if (td.count >= 16*1024)
- continue;
+ if (xl->count && td.count != xl->count)
break;
- case RPM_I18NSTRING_TYPE:
- continue;
+ if (!headerPut(h, &td, HEADERPUT_DEFAULT))
break;
- }
- (void) headerPut(h, &td, HEADERPUT_DEFAULT);
+ rpmtdFreeData(&td);
}
}
- headerFreeIterator(hi);
+ rpmtdFreeData(&td);
+
+ if (xl->stag) {
+ rasprintf(msg, "invalid signature tag %s (%d)",
+ rpmTagGetName(xl->xtag), xl->xtag);
+ }
+
+ return xl->stag;
}
/**
@@ -369,7 +354,8 @@ rpmRC rpmReadPackageFile(rpmts ts, FD_t fd, const char * fn, Header * hdrp)
goto exit;
/* Append (and remap) signature tags to the metadata. */
- headerMergeLegacySigs(h, sigh);
+ if (headerMergeLegacySigs(h, sigh, &msg))
+ goto exit;
applyRetrofits(h);
/* Bump reference count for return. */
--
1.8.3.1

28
backport-Do-not-allow-extra-packets-to-follow-a-signature.patch
View File

@ -1,28 +0,0 @@
From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Thu, 6 May 2021 18:34:45 -0400
Subject: [PATCH] Do not allow extra packets to follow a signature
Conflict:NA
Reference:https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38
---
rpmio/rpmpgp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index b174a40..629378a 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -1025,6 +1025,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
break;
p += (pkt.body - pkt.head) + pkt.blen;
+ if (pkttype == PGPTAG_SIGNATURE)
+ break;
}
rc = (digp && (p == pend)) ? 0 : -1;
--
2.27.0

64
backport-Don-t-look-into-source-package-provides-in-depsolvin.patch
View File

@ -1,64 +0,0 @@
From a4afbb62c94c6e0dc18c1bf08336aeb4a91f82de Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 22 Apr 2020 14:12:47 +0300
Subject: [PATCH] Don't look into source package provides in depsolving
Fixes regressions from commit 75ec16e660e784d7897b37cac1a2b9b135825f25:
the newly added provides of to-be-built packages were being used for
dependency resolution, such as spec satifying its own buildrequires,
and matched against conflicts in installed packages.
Source packages cannot obsolete anything or provide capabilities or files
to transactions, don't add them to rpmal at all. Explicitly skip checks
against source provides, similarly to what we already did with obsoletes.
Fixes: #1189
---
lib/depends.c | 8 ++++----
lib/rpmal.c | 4 ++++
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/depends.c b/lib/depends.c
index 6acb21dc3..579451926 100644
--- a/lib/depends.c
+++ b/lib/depends.c
@@ -1040,6 +1040,10 @@ int rpmtsCheck(rpmts ts)
checkDS(ts, dcache, p, rpmteNEVRA(p), rpmteDS(p, RPMTAG_OBSOLETENAME),
tscolor);
+ /* Skip obsoletion and provides checks for source packages (ie build) */
+ if (rpmteIsSource(p))
+ continue;
+
/* Check provides against conflicts in installed packages. */
while (rpmdsNext(provides) >= 0) {
checkInstDeps(ts, dcache, p, RPMTAG_CONFLICTNAME, NULL, provides, 0);
@@ -1047,10 +1051,6 @@ int rpmtsCheck(rpmts ts)
checkInstDeps(ts, dcache, p, RPMTAG_REQUIRENAME, NULL, provides, 1);
}
- /* Skip obsoletion checks for source packages (ie build) */
- if (rpmteIsSource(p))
- continue;
-
/* Check package name (not provides!) against installed obsoletes */
checkInstDeps(ts, dcache, p, RPMTAG_OBSOLETENAME, NULL, rpmteDS(p, RPMTAG_NAME), 0);
diff --git a/lib/rpmal.c b/lib/rpmal.c
index 3c8acd63a..8a47d025a 100644
--- a/lib/rpmal.c
+++ b/lib/rpmal.c
@@ -247,6 +247,10 @@ void rpmalAdd(rpmal al, rpmte p)
rpmalNum pkgNum;
availablePackage alp;
+ /* Source packages don't provide anything to depsolving */
+ if (rpmteIsSource(p))
+ return;
+
if (al->size == al->alloced) {
al->alloced += al->delta;
al->list = xrealloc(al->list, sizeof(*al->list) * al->alloced);
--
2.27.0

31
backport-Don-t-require-signature-header-to-be-in-single-conti.patch
View File

@ -1,31 +0,0 @@
From bb30f997c4b22c0d5cf6752f15d2af17538f91f0 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 9 Jan 2020 10:24:39 +0200
Subject: [PATCH] Don't require signature header to be in single contiguous
region part II
The generic case was reported in #270 and fixed quite a while ago in
commit 34c2ba3c6a80a778cdf2e42a9193b3264e08e1b3, but signing uses a
different code path and require the same treatment.
Fixes: #1002
---
lib/signature.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/signature.c b/lib/signature.c
index 6f04962e8..21f04c7f2 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -65,7 +65,7 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, char ** msg)
if (sighp)
*sighp = NULL;
- if (hdrblobRead(fd, 1, 1, RPMTAG_HEADERSIGNATURES, &blob, &buf) != RPMRC_OK)
+ if (hdrblobRead(fd, 1, 0, RPMTAG_HEADERSIGNATURES, &blob, &buf) != RPMRC_OK)
goto exit;
/* OK, blob looks sane, load the header. */
--
2.27.0

218
backport-Fix-POPT_ARG_STRING-memleaks-in-librpmbuild.patch
View File

@ -1,218 +0,0 @@
From 307872f71b357a3839fd037514a1c3dabfacc611 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 3 Feb 2020 14:54:16 +0200
Subject: [PATCH] Fix POPT_ARG_STRING memleaks in librpmbuild
popt always returned malloc'ed memory for POPT_ARG_STRING items, but
for whatever historical reason rpm systematically passed const char *
pointers as targets, making them look non-freeable. Besides changing
just the types and adding free()'s, const-correctness requires extra
tweaks as there's mixed use from string literals and poptGetArg() which
does return const pointers.
---
build/parseDescription.c | 11 +++++++----
build/parseFiles.c | 5 +++--
build/parsePolicies.c | 5 +++--
build/parsePrep.c | 6 +++++-
build/parseScript.c | 11 +++++++----
build/policies.c | 8 ++++++--
6 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/build/parseDescription.c b/build/parseDescription.c
index c0737c0..72811f5 100644
--- a/build/parseDescription.c
+++ b/build/parseDescription.c
@@ -19,8 +19,8 @@ int parseDescription(rpmSpec spec)
int rc, argc;
int arg;
const char **argv = NULL;
- const char *name = NULL;
- const char *lang = RPMBUILD_DEFAULT_LANG;
+ char *name = NULL;
+ char *lang = NULL;
const char *descr = "";
poptContext optCon = NULL;
struct poptOption optionsTable[] = {
@@ -52,7 +52,7 @@ int parseDescription(rpmSpec spec)
if (poptPeekArg(optCon)) {
if (name == NULL)
- name = poptGetArg(optCon);
+ name = xstrdup(poptGetArg(optCon));
if (poptPeekArg(optCon)) {
rpmlog(RPMLOG_ERR, _("line %d: Too many names: %s\n"),
spec->lineNum,
@@ -75,12 +75,15 @@ int parseDescription(rpmSpec spec)
}
if (addLangTag(spec, pkg->header,
- RPMTAG_DESCRIPTION, descr, lang)) {
+ RPMTAG_DESCRIPTION, descr,
+ lang ? lang : RPMBUILD_DEFAULT_LANG)) {
nextPart = PART_ERROR;
}
exit:
freeStringBuf(sb);
+ free(lang);
+ free(name);
free(argv);
poptFreeContext(optCon);
return nextPart;
diff --git a/build/parseFiles.c b/build/parseFiles.c
index 69935d4..0dc1f17 100644
--- a/build/parseFiles.c
+++ b/build/parseFiles.c
@@ -17,7 +17,7 @@ int parseFiles(rpmSpec spec)
int rc, argc;
int arg;
const char ** argv = NULL;
- const char *name = NULL;
+ char *name = NULL;
int flag = PART_SUBNAME;
poptContext optCon = NULL;
struct poptOption optionsTable[] = {
@@ -52,7 +52,7 @@ int parseFiles(rpmSpec spec)
if (poptPeekArg(optCon)) {
if (name == NULL)
- name = poptGetArg(optCon);
+ name = xstrdup(poptGetArg(optCon));
if (poptPeekArg(optCon)) {
rpmlog(RPMLOG_ERR, _("line %d: Too many names: %s\n"),
spec->lineNum,
@@ -89,6 +89,7 @@ int parseFiles(rpmSpec spec)
exit:
rpmPopMacro(NULL, "license");
free(argv);
+ free(name);
poptFreeContext(optCon);
return res;
diff --git a/build/parsePolicies.c b/build/parsePolicies.c
index 118b92c..64b95b1 100644
--- a/build/parsePolicies.c
+++ b/build/parsePolicies.c
@@ -19,7 +19,7 @@ int parsePolicies(rpmSpec spec)
int rc, argc;
int arg;
const char **argv = NULL;
- const char *name = NULL;
+ char *name = NULL;
int flag = PART_SUBNAME;
poptContext optCon = NULL;
@@ -50,7 +50,7 @@ int parsePolicies(rpmSpec spec)
if (poptPeekArg(optCon)) {
if (name == NULL)
- name = poptGetArg(optCon);
+ name = xstrdup(poptGetArg(optCon));
if (poptPeekArg(optCon)) {
rpmlog(RPMLOG_ERR, _("line %d: Too many names: %s\n"),
spec->lineNum, spec->line);
@@ -66,6 +66,7 @@ int parsePolicies(rpmSpec spec)
exit:
free(argv);
+ free(name);
poptFreeContext(optCon);
return res;
diff --git a/build/parsePrep.c b/build/parsePrep.c
index fe37575..cafb050 100644
--- a/build/parsePrep.c
+++ b/build/parsePrep.c
@@ -242,7 +242,7 @@ static int doSetupMacro(rpmSpec spec, const char *line)
int leaveDirs = 0, skipDefaultAction = 0;
int createDir = 0, quietly = 0;
int buildInPlace = 0;
- const char * dirName = NULL;
+ char * dirName = NULL;
struct poptOption optionsTable[] = {
{ NULL, 'a', POPT_ARG_STRING, NULL, 'a', NULL, NULL},
{ NULL, 'b', POPT_ARG_STRING, NULL, 'b', NULL, NULL},
@@ -373,6 +373,7 @@ exit:
freeStringBuf(before);
freeStringBuf(after);
poptFreeContext(optCon);
+ free(dirName);
free(argv);
return rc;
@@ -484,6 +485,9 @@ static rpmRC doPatchMacro(rpmSpec spec, const char *line)
exit:
argvFree(patchnums);
+ free(opt_b);
+ free(opt_d);
+ free(opt_o);
free(argv);
poptFreeContext(optCon);
return rc;
diff --git a/build/parseScript.c b/build/parseScript.c
index bdf6ab3..e037bba 100644
--- a/build/parseScript.c
+++ b/build/parseScript.c
@@ -100,9 +100,9 @@ int parseScript(rpmSpec spec, int parsePart)
int arg;
const char **argv = NULL;
poptContext optCon = NULL;
- const char *name = NULL;
- const char *prog = "/bin/sh";
- const char *file = NULL;
+ char *name = NULL;
+ char *prog = xstrdup("/bin/sh");
+ char *file = NULL;
int priority = 1000000;
struct poptOption optionsTable[] = {
{ NULL, 'p', POPT_ARG_STRING, &prog, 'p', NULL, NULL},
@@ -326,7 +326,7 @@ int parseScript(rpmSpec spec, int parsePart)
if (poptPeekArg(optCon)) {
if (name == NULL)
- name = poptGetArg(optCon);
+ name = xstrdup(poptGetArg(optCon));
if (poptPeekArg(optCon)) {
rpmlog(RPMLOG_ERR, _("line %d: Too many names: %s\n"),
spec->lineNum,
@@ -465,6 +465,9 @@ exit:
free(reqargs);
freeStringBuf(sb);
free(progArgv);
+ free(prog);
+ free(name);
+ free(file);
free(argv);
poptFreeContext(optCon);
diff --git a/build/policies.c b/build/policies.c
index d3b1930..e92df19 100644
--- a/build/policies.c
+++ b/build/policies.c
@@ -276,16 +276,20 @@ static rpmRC processPolicies(rpmSpec spec, Package pkg, int test)
}
if (writeModuleToHeader(mod, pkg) != RPMRC_OK) {
- freeModule(mod);
goto exit;
}
- freeModule(mod);
+ mod = freeModule(mod);
+ name = _free(name);
+ types = _free(types);
}
rc = RPMRC_OK;
exit:
+ freeModule(mod);
+ free(name);
+ free(types);
return rc;
}
--
2.27.0

39
backport-Fix-a-minor-memory-leak-on-suppressed-inhibition-loc.patch
View File

@ -1,39 +0,0 @@
From 4ddab4fb7e1ccc7dc466534250177b7d2682a9e2 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 29 Jan 2020 15:39:58 +0200
Subject: [PATCH] Fix a minor memory leak on suppressed inhibition lock warning
message
Commit 708e61307bc3fd027b016fdf5a1d1a5274c1843c introduced a memory leak
on the error object: if the message is suppressed then the error object
is never freed. Test for the suppression conditions separately to fix.
---
plugins/systemd_inhibit.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/plugins/systemd_inhibit.c b/plugins/systemd_inhibit.c
index 0ddca9cd8..ecff30533 100644
--- a/plugins/systemd_inhibit.c
+++ b/plugins/systemd_inhibit.c
@@ -52,12 +52,14 @@ static int inhibit(void)
dbus_message_unref(reply);
}
- if (dbus_error_is_set(&err)
- && !dbus_error_has_name(&err, DBUS_ERROR_NO_SERVER)
- && !dbus_error_has_name(&err, DBUS_ERROR_FILE_NOT_FOUND)) {
- rpmlog(RPMLOG_WARNING,
+ if (dbus_error_is_set(&err)) {
+ if (!dbus_error_has_name(&err, DBUS_ERROR_NO_SERVER) &&
+ !dbus_error_has_name(&err, DBUS_ERROR_FILE_NOT_FOUND))
+ {
+ rpmlog(RPMLOG_WARNING,
"Unable to get systemd shutdown inhibition lock: %s\n",
err.message);
+ }
dbus_error_free(&err);
}
--
2.27.0

35
backport-Fix-build-regression-in-commit-307872f71b357a3839fd0.patch
View File

@ -1,35 +0,0 @@
From 67f8dadebdf290c4ade36a7d3a27e52048d96032 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 4 Feb 2020 10:36:43 +0200
Subject: [PATCH] Fix build regression in commit
307872f71b357a3839fd037514a1c3dabfacc611
Commit 307872f71b357a3839fd037514a1c3dabfacc611 broke build with
SELinux enabled but was accidentally merged. Fix the breakage.
---
build/policies.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/policies.c b/build/policies.c
index e92df194a..16d5f87e6 100644
--- a/build/policies.c
+++ b/build/policies.c
@@ -221,6 +221,7 @@ static rpmRC processPolicies(rpmSpec spec, Package pkg, int test)
char *types = NULL;
uint32_t flags = 0;
poptContext optCon = NULL;
+ ModuleRec mod = NULL;
rpmRC rc = RPMRC_FAIL;
@@ -236,7 +237,6 @@ static rpmRC processPolicies(rpmSpec spec, Package pkg, int test)
}
for (ARGV_const_t pol = pkg->policyList; *pol != NULL; pol++) {
- ModuleRec mod;
const char *line = *pol;
const char **argv = NULL;
int argc = 0;
--
2.27.0

60
backport-Fix-bump-up-the-limit-of-signature-header-to-64MB.patch
View File

@ -1,60 +0,0 @@
From 486579912381ede82172dc6d0ff3941a6d0536b5 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Wed, 3 Jun 2020 10:25:24 +0800
Subject: [PATCH] Fix: bump up the limit of signature header to 64MB
Since commits [Place file signatures into the signature header where they
belong][1] applied, run `rpm -Kv **.rpm' failed if signature header
is larger than 64KB. Here are steps:
1) A unsigned rpm package, the size is 227560 bytes
$ ls -al xz-src-5.2.5-r0.corei7_64.rpm
-rw-------. 1 mockbuild 1000 227560 Jun 3 09:59
2) Sign the rpm package
$ rpmsign --addsign ... xz-src-5.2.5-r0.corei7_64.rpm
3) The size of signed rpm is 312208 bytes
$ ls -al xz-src-5.2.5-r0.corei7_64.rpm
-rw-------. 1 mockbuild 1000 312208 Jun 3 09:48
4) Run `rpm -Kv' failed with signature hdr data out of range
$ rpm -Kv xz-src-5.2.5-r0.corei7_64.rpm
xz-src-5.2.5-r0.corei7_64.rpm:
error: xz-src-5.2.5-r0.corei7_64.rpm: signature hdr data: BAD, no. of
bytes(88864) out of range
From 1) and 3), the size of signed rpm package increased
312208 - 227560 = 84648, so the check of dl_max (64KB,65536)
is not enough.
As [1] said:
This also means the signature header can be MUCH bigger than ever
before,so bump up the limit (to 64MB, arbitrary something for now)
So [1] missed to multiply by 1024.
[1] https://github.com/rpm-software-management/rpm/commit/f558e886050c4e98f6cdde391df679a411b3f62c
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
lib/header.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/header.c b/lib/header.c
index f9152ba90..e59d63744 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -1903,7 +1903,7 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
if (regionTag == RPMTAG_HEADERSIGNATURES) {
il_max = 32;
- dl_max = 64 * 1024;
+ dl_max = 64 * 1024 * 1024;
}
memset(block, 0, sizeof(block));
--
2.27.0

98
backport-Fix-changelog-trimming-to-work-relative-to-newest-ex.patch
View File

@ -1,98 +0,0 @@
From a58725822651f791b2e74fe40a6e85b3b7e72aca Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 10 Aug 2020 11:01:37 +0300
Subject: [PATCH] Fix changelog trimming to work relative to newest
existing
entry (#1301)
%_changelog_trimtime is an absolute timestamp which needs to be
%constantly
pushed forward to preserve the same relative age, and will start
trimming
entries from unchanged packages until none are left, leading to
unexpected
and confusing behavior (RhBug:1722806, ...)
It's better to trim by age relative to newest changelog entry. This way
the
number of trimmed entries will not change unless the spec changes, and
at
least one entry is always preserved. Introduce a new %_changelog_trimage
macro for this and mark the broken by design %_changelog_trimtime as
deprecated, but autoconvert an existing trimtime into relative for now.
As a seemingly unrelated change, move the "time" variable declaration
to a narrower scope to unmask the time() function for use on entry.
Fixes: #1301
---
build/parseChangelog.c | 16 +++++++++++++++-
macros.in | 6 +++++-
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/build/parseChangelog.c b/build/parseChangelog.c
index ad6d834..22f445e 100644
--- a/build/parseChangelog.c
+++ b/build/parseChangelog.c
@@ -200,18 +200,26 @@ static rpmRC addChangelog(Header h, ARGV_const_t sb)
rpmRC rc = RPMRC_FAIL; /* assume failure */
char *s, *sp;
int i;
- time_t time;
+ time_t firstTime = 0;
time_t lastTime = 0;
time_t trimtime = rpmExpandNumeric("%{?_changelog_trimtime}");
+ time_t trimage = rpmExpandNumeric("%{?_changelog_trimage}");
char *date, *name, *text, *next;
int date_words; /* number of words in date string */
+ /* Convert _changelog_trimtime to age for backwards compatibility */
+ if (trimtime && !trimage) {
+ trimage = time(NULL) - trimtime;
+ trimtime = 0;
+ }
+
s = sp = argvJoin(sb, "");
/* skip space */
SKIPSPACE(s);
while (*s != '\0') {
+ time_t time;
if (*s != '*') {
rpmlog(RPMLOG_ERR, _("%%changelog entries must start with *\n"));
goto exit;
@@ -235,6 +243,12 @@ static rpmRC addChangelog(Header h, ARGV_const_t sb)
rpmlog(RPMLOG_ERR, _("bad date in %%changelog: %s\n"), date);
goto exit;
}
+ /* Changelog trimming is always relative to first entry */
+ if (!firstTime) {
+ firstTime = time;
+ if (trimage)
+ trimtime = firstTime - trimage;
+ }
if (lastTime && lastTime < time) {
rpmlog(RPMLOG_ERR,
_("%%changelog not in descending chronological order\n"));
diff --git a/macros.in b/macros.in
index 8619c13..5b45d73 100644
--- a/macros.in
+++ b/macros.in
@@ -230,8 +230,12 @@ package or when debugging this package.\
# The path to the gzip executable (legacy, use %{__gzip} instead).
%_gzipbin %{__gzip}
+# Maximum age of preserved changelog entries in binary packages,
+# relative to newest existing entry. Unix timestamp format.
+%_changelog_trimage 0
+
# The Unix time of the latest kept changelog entry in binary packages.
-# Any older entry is not packaged in binary packages.
+# DEPRACATED, use %_changelog_trimage instead.
%_changelog_trimtime 0
# If true, set the SOURCE_DATE_EPOCH environment variable
--
2.27.0

32
backport-Fix-data-race-in-packageBinaries-function.patch
View File

@ -1,32 +0,0 @@
From c9bb0c30d0eab5ff7db80d920d40c02623732f71 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar@redhat.com>
Date: Tue, 9 Jun 2020 21:05:16 +0000
Subject: [PATCH] Fix data race in packageBinaries() function
The pkg variable used in the parallel loop was declared outside
of the omp parallel construct, so it was shared among tasks. This
had the potential to cause a data race. The gcc openmp implementation
did not hit this problem, but I uncovered it while trying to compile with
clang. My best guess as to what was happening is that after the last
task was launched, all tasks had the same value of pkg and were operating
on the same data at the same time.
This patch declares the variable inside the omp parallel construct, so each
task gets its own copy of the variable.
---
build/pack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/pack.c b/build/pack.c
index 1f3d432bb3..8d6f74935e 100644
--- a/build/pack.c
+++ b/build/pack.c
@@ -765,7 +765,7 @@ rpmRC packageBinaries(rpmSpec spec, const char *cookie, int cheating)
#pragma omp parallel
#pragma omp single
for (int i = 0; i < npkgs; i++) {
- pkg = tasks[i];
+ Package pkg = tasks[i];
#pragma omp task untied priority(i)
{
pkg->rc = packageBinary(spec, pkg, cookie, cheating, &pkg->filename);

41
backport-Fix-isUnorderedReq-for-multiple-qualifiers.patch
View File

@ -1,41 +0,0 @@
From d937b04fb1cb5d3ca303bd458169c352a4b52669 Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Fri, 31 Jan 2020 12:27:26 +0100
Subject: [PATCH] Fix isUnorderedReq() for multiple qualifiers
isUnorderedReq() returned True as soon as any qualifier that does not
require ordering is passed. But some qulifiers - basically the scriptlets
run during installation and erasure of the package - may still require
the dependency to be taken into account during ordering.
Now isUnorderedReq() returns 0 if any of those are also set.
Resolves: #1030
---
lib/rpmds.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/rpmds.h b/lib/rpmds.h
index 491d8738d..d160c948e 100644
--- a/lib/rpmds.h
+++ b/lib/rpmds.h
@@ -82,12 +82,14 @@ typedef rpmFlags rpmsenseFlags;
_notpre(RPMSENSE_SCRIPT_PREUN|RPMSENSE_SCRIPT_POSTUN)
#define _UNORDERED_ONLY_MASK \
_notpre(RPMSENSE_RPMLIB|RPMSENSE_CONFIG|RPMSENSE_PRETRANS|RPMSENSE_POSTTRANS|RPMSENSE_SCRIPT_VERIFY)
+#define _FORCE_ORDER_ONLY_MASK \
+ _notpre(RPMSENSE_SCRIPT_PRE|RPMSENSE_SCRIPT_POST|RPMSENSE_SCRIPT_PREUN|RPMSENSE_SCRIPT_POSTUN)
#define isLegacyPreReq(_x) (((_x) & _ALL_REQUIRES_MASK) == RPMSENSE_PREREQ)
#define isInstallPreReq(_x) ((_x) & _INSTALL_ONLY_MASK)
#define isErasePreReq(_x) ((_x) & _ERASE_ONLY_MASK)
-#define isUnorderedReq(_x) ((_x) & _UNORDERED_ONLY_MASK)
-
+#define isUnorderedReq(_x) ((_x) & _UNORDERED_ONLY_MASK && \
+ !((_x) & _FORCE_ORDER_ONLY_MASK))
/** \ingroup rpmds
--
2.27.0

54
backport-Fix-logic-error-in-grabArgs.patch
View File

@ -1,54 +0,0 @@
From 6d7fa91949337c7a86bab3359b39558fdae07dce Mon Sep 17 00:00:00 2001
From: Michael Schroeder <mls@suse.de>
Date: Fri, 23 Oct 2020 14:02:35 +0200
Subject: [PATCH] Fix logic error in grabArgs()
If there was a \ at the end of the buffer, the code would
return a pointer after the trailing \0 leading to unallocated
memory access and weird results in some cases.
See commit 817959609b95afe34ce0f7f6c3dc5d7d0d9a8470.
---
rpmio/macro.c | 2 +-
tests/rpmmacro.at | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/rpmio/macro.c b/rpmio/macro.c
index 1edcb39e6..a1ed9b288 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -947,7 +947,7 @@ grabArgs(MacroBuf mb, const rpmMacroEntry me, const char * se,
splitQuoted(&argv, s, " \t");
free(s);
- cont = ((*lastc == '\0' || *lastc == '\n') && *(lastc-1) != '\\') ?
+ cont = (*lastc == '\0') || (*lastc == '\n' && *(lastc-1) != '\\') ?
lastc : lastc + 1;
}
diff --git a/tests/rpmmacro.at b/tests/rpmmacro.at
index d972a1197..a21952c46 100644
--- a/tests/rpmmacro.at
+++ b/tests/rpmmacro.at
@@ -179,6 +179,9 @@ runroot rpm \
--eval '%foo %{quote: 2 3 5} %{quote:%{nil}}' \
--eval '%foo x%{quote:y}z 123' \
--eval '%foo x%{quote:%{nil}}z' \
+ --eval '%foo 1 \
+bar' \
+ --eval '%foo 1 \' \
],
[0],
[1:"1"
@@ -190,6 +193,8 @@ runroot rpm \
2:" 2 3 5" ""
2:"xyz" "123"
1:"xz"
+2:"1" "\"bar
+2:"1" "\"
])
AT_CLEANUP
--
2.27.0

33
backport-Fix-pointer-dereference-before-testing-for-NULL-in-r.patch
View File

@ -1,33 +0,0 @@
From c886b359ba5f05eec6a8da34b55437834b7d80ee Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 6 Feb 2020 14:51:14 +0200
Subject: [PATCH] Fix pointer dereference before testing for NULL in
rpmtdGetNumber()
---
lib/rpmtd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/rpmtd.c b/lib/rpmtd.c
index e33c8cb53..41c6a50e8 100644
--- a/lib/rpmtd.c
+++ b/lib/rpmtd.c
@@ -210,12 +210,12 @@ const char * rpmtdGetString(rpmtd td)
uint64_t rpmtdGetNumber(rpmtd td)
{
- uint64_t val = 0;
- int ix = (td->ix >= 0 ? td->ix : 0);
-
if (td == NULL)
return 0;
+ uint64_t val = 0;
+ int ix = (td->ix >= 0 ? td->ix : 0);
+
switch (td->type) {
case RPM_INT64_TYPE:
val = *((uint64_t *) td->data + ix);
--
2.27.0

40
backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch
View File

@ -1,40 +0,0 @@
From 747b7119ae89a3ccaceeae4f5570c7ab83d2cf5d Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 1 Sep 2020 13:14:35 +0300
Subject: [PATCH] Fix possible read beyond buffer in rstrnlenhash()
On strings that are not \0-terminated (which are a big reason for the
existence of this function), the while-loop would try to compare the
first character beyond the specified buffer for '\0' before realizing
we're already beyond the end when checking n. Should be mostly harmless
in practise as the check for n would still terminate it, but not right.
In particular this trips up address sanitizer with the bdb backend where
some of the returned strings are not \0-terminated.
Test for string length first, and move the decrementing side-effect into
the loop for better readability.
---
rpmio/rpmstrpool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rpmio/rpmstrpool.c b/rpmio/rpmstrpool.c
index 776ca6dea..0db0b5313 100644
--- a/rpmio/rpmstrpool.c
+++ b/rpmio/rpmstrpool.c
@@ -88,11 +88,12 @@ static inline unsigned int rstrnlenhash(const char * str, size_t n, size_t * len
unsigned int hash = 0xe4721b68;
const char * s = str;
- while (*s != '\0' && n-- > 0) {
+ while (n > 0 && *s != '\0') {
hash += *s;
hash += (hash << 10);
hash ^= (hash >> 6);
s++;
+ n--;
}
hash += (hash << 3);
hash ^= (hash >> 11);
--
2.27.0

29
backport-Fix-regression-on-v3-package-handling-on-database-re.patch
View File

@ -1,29 +0,0 @@
From 85e5a70368854da0537099128530b0df69ca2216 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 29 Jan 2020 13:58:16 +0200
Subject: [PATCH] Fix regression on v3 package handling on database rebuild
Introduced in commit 27ea3f8624560bd158fc7bc801639310a0ffab10, the
wrong header is being added in case of v3 packages.
Fixes: #1017
---
lib/rpmdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
index 7ae67563f..91543eb68 100644
--- a/lib/rpmdb.c
+++ b/lib/rpmdb.c
@@ -2557,7 +2557,7 @@ int rpmdbRebuild(const char * prefix, rpmts ts,
/* Deleted entries are eliminated in legacy headers by copy. */
if (headerIsEntry(h, RPMTAG_HEADERIMAGE)) {
Header nh = headerReload(headerCopy(h), RPMTAG_HEADERIMAGE);
- rc = rpmdbAdd(newdb, h);
+ rc = rpmdbAdd(newdb, nh);
headerFree(nh);
} else {
rc = rpmdbAdd(newdb, h);
--
2.27.0

49
backport-Fix-resource-leaks-on-zstd-open-error-paths.patch
View File

@ -1,49 +0,0 @@
From 6b18e76f3db5dd3db5a468c947309322d8bc11aa Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 21 Nov 2019 12:22:45 +0200
Subject: [PATCH] Fix resource leaks on zstd open error paths
If zstd stream initialization fails, the opened fd and the stream
itself are leaked. Handle error exit in a central label.
---
rpmio/rpmio.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index 243942411..10ba20cd6 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
@@ -1128,13 +1128,13 @@ static rpmzstd rpmzstdNew(int fdno, const char *fmode)
if ((flags & O_ACCMODE) == O_RDONLY) { /* decompressing */
if ((_stream = (void *) ZSTD_createDStream()) == NULL
|| ZSTD_isError(ZSTD_initDStream(_stream))) {
- return NULL;
+ goto err;
}
nb = ZSTD_DStreamInSize();
} else { /* compressing */
if ((_stream = (void *) ZSTD_createCStream()) == NULL
|| ZSTD_isError(ZSTD_initCStream(_stream, level))) {
- return NULL;
+ goto err;
}
nb = ZSTD_CStreamOutSize();
}
@@ -1149,6 +1149,14 @@ static rpmzstd rpmzstdNew(int fdno, const char *fmode)
zstd->b = xmalloc(nb);
return zstd;
+
+err:
+ fclose(fp);
+ if ((flags & O_ACCMODE) == O_RDONLY)
+ ZSTD_freeDStream(_stream);
+ else
+ ZSTD_freeCStream(_stream);
+ return NULL;
}
static FD_t zstdFdopen(FD_t fd, int fdno, const char * fmode)
--
2.27.0

48
backport-If-fork-fails-in-getOutputFrom-close-opened-unused-p.patch
View File

@ -1,48 +0,0 @@
From 83a5a20352dccd336a0114238c5988f0a9fa6d3e Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <dvlasenk@redhat.com>
Date: Thu, 23 Jan 2020 14:21:26 +0100
Subject: [PATCH] If fork fails in getOutputFrom(), close opened unused pipe
fds on error code path
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
build/rpmfc.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/build/rpmfc.c b/build/rpmfc.c
index f5f3793b9..81101518b 100644
--- a/build/rpmfc.c
+++ b/build/rpmfc.c
@@ -277,6 +277,17 @@ static int getOutputFrom(ARGV_t argv,
}
child = fork();
+ if (child < 0) {
+ rpmlog(RPMLOG_ERR, _("Couldn't fork %s: %s\n"),
+ argv[0], strerror(errno));
+ if (doio) {
+ close(toProg[1]);
+ close(toProg[0]);
+ close(fromProg[0]);
+ close(fromProg[1]);
+ }
+ return -1;
+ }
if (child == 0) {
close(toProg[1]);
close(fromProg[0]);
@@ -299,11 +310,6 @@ static int getOutputFrom(ARGV_t argv,
argv[0], strerror(errno));
_exit(EXIT_FAILURE);
}
- if (child < 0) {
- rpmlog(RPMLOG_ERR, _("Couldn't fork %s: %s\n"),
- argv[0], strerror(errno));
- return -1;
- }
if (!doio)
goto reap;
--
2.27.0

31
backport-Make-fdSeek-return-0-on-success-1-on-error.patch
View File

@ -1,31 +0,0 @@
From d1dee9c00af418004f578a97e9b794676daf6d37 Mon Sep 17 00:00:00 2001
From: Matthew Almond <malmond@fb.com>
Date: Mon, 28 Sep 2020 12:41:22 -0700
Subject: [PATCH] Make fdSeek return 0 on success, -1 on error
This code eliminates a false positive failure when the destination
position is > 2GiB. This is done by changing the contract for `Fseek`.
Now it returns `0` on success instead of an `int` offset.
Care should be used to interpret the result as there is a difference in
semantics between the POSIX `fseek(2)`. Existing code is correct: negative
results are still failures.
---
rpmio/rpmio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
index 10a28a923..9f4a60aa1 100644
--- a/rpmio/rpmio.c
+++ b/rpmio/rpmio.c
@@ -382,7 +382,7 @@ static ssize_t fdWrite(FDSTACK_t fps, const void * buf, size_t count)
static int fdSeek(FDSTACK_t fps, off_t pos, int whence)
{
- return lseek(fps->fdno, pos, whence);
+ return (lseek(fps->fdno, pos, whence) == -1) ? -1 : 0;
}
static int fdClose(FDSTACK_t fps)
--
2.27.0

31
backport-Reduce-undefined-pointer-arithmetic.patch
View File

@ -1,31 +0,0 @@
From 072588ca7908ef894be4161066c9384edaadd748 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demi@invisiblethingslab.com>
Date: Thu, 17 Jun 2021 14:11:54 -0400
Subject: [PATCH] Reduce undefined pointer arithmetic
Conflict:NA
Reference:https://github.com/rpm-software-management/rpm/commit/072588ca7908ef894be4161066c9384edaadd748
---
rpmio/rpmpgp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 436c46d..b174a40 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -520,9 +520,9 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
int i;
pgpDigAlg sigalg = pgpSignatureNew(pubkey_algo);
- for (i = 0; i < sigalg->mpis && p + 2 <= pend; i++) {
+ for (i = 0; i < sigalg->mpis && pend - p >= 2; i++) {
int mpil = pgpMpiLen(p);
- if (p + mpil > pend)
+ if (pend - p < mpil)
break;
if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
if (sigalg->setmpi(sigalg, i, p))
--
2.27.0

33
backport-Remove-compare-of-global-array-tagsByName-to-NULL.patch
View File

@ -1,33 +0,0 @@
From 92a78e6acf3f056faccebb25a9d310ee96f8015d Mon Sep 17 00:00:00 2001
From: Cerul Alain <ae@metaeducation.com>
Date: Mon, 13 Jul 2020 00:34:42 -0400
Subject: [PATCH] Remove compare of global array tagsByName to NULL
A 2016 change (57a96d2486c26142ebb168a1f00b0374d35bf044) apparently
changed tagsByName from dynamic allocation to being static, so that
Valgrind would not complain about lost memory. The definition is:
static headerTagTableEntry tagsByName[TABLESIZE];
But a comparison was left of `tagsByName == NULL` in lib/tagname.c
and compiling with clang gives a warning, saying it is never NULL.
---
lib/tagname.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tagname.c b/lib/tagname.c
index 68b252991..4efd847eb 100644
--- a/lib/tagname.c
+++ b/lib/tagname.c
@@ -234,7 +234,7 @@ int rpmTagGetNames(rpmtd tagnames, int fullname)
pthread_once(&tagsLoaded, loadTags);
- if (tagnames == NULL || tagsByName == NULL)
+ if (tagnames == NULL)
return 0;
rpmtdReset(tagnames);
--
2.27.0

101
backport-Use-libelf-for-determining-file-colors.patch
View File

@ -1,101 +0,0 @@
From 3c061be6aeaec1be793b406fac9f667dc5d1429b Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 4 Mar 2020 11:15:02 +0200
Subject: [PATCH] Use libelf for determining file colors
libmagic strings are notoriously unreliable as the details from version
to version. We link to libelf anyway so we might as well as get the
info straight from the horse's mouth.
Besides being more reliable, this detaches the coloring business from
the hardcoded rpmfcTokens struct and informative-only FILECLASS
contents,
opening the door for other changes in that area.
---
build/rpmfc.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/build/rpmfc.c b/build/rpmfc.c
index aaa0dca..0886616 100644
--- a/build/rpmfc.c
+++ b/build/rpmfc.c
@@ -7,6 +7,7 @@
#include <signal.h>
#include <magic.h>
#include <regex.h>
+#include <gelf.h>
#include <rpm/header.h>
#include <rpm/argv.h>
@@ -595,7 +596,7 @@ exit:
return rc;
}
-/* Only used for elf coloring and controlling RPMTAG_FILECLASS inclusion now */
+/* Only used for controlling RPMTAG_FILECLASS inclusion now */
static const struct rpmfcTokens_s rpmfcTokens[] = {
{ "directory", RPMFC_INCLUDE },
@@ -1076,6 +1077,29 @@ static int initAttrs(rpmfc fc)
return nattrs;
}
+static uint32_t getElfColor(const char *fn)
+{
+ uint32_t color = 0;
+ int fd = open(fn, O_RDONLY);
+ if (fd >= 0) {
+ Elf *elf = elf_begin (fd, ELF_C_READ, NULL);
+ GElf_Ehdr ehdr;
+ if (elf && gelf_getehdr(elf, &ehdr)) {
+ switch (ehdr.e_ident[EI_CLASS]) {
+ case ELFCLASS64:
+ color = RPMFC_ELF64;
+ break;
+ case ELFCLASS32:
+ color = RPMFC_ELF32;
+ break;
+ }
+ elf_end(elf);
+ }
+ close(fd);
+ }
+ return color;
+}
+
rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode)
{
int msflags = MAGIC_CHECK | MAGIC_COMPRESS | MAGIC_NO_CHECK_TOKENS;
@@ -1187,8 +1211,6 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode)
/* Add attributes based on file type and/or path */
rpmfcAttributes(fc, ix, ftype, s);
- fc->fcolor[ix] = fcolor;
-
/* Add to file class dictionary and index array */
#pragma omp ordered
if (fcolor != RPMFC_WHITE && (fcolor & RPMFC_INCLUDE)) {
@@ -1202,6 +1224,10 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode)
}
/* Pool id's start from 1, for headers we want it from 0 */
fc->fcdictx[ix] = ftypeId - 1;
+
+ /* Add ELF colors */
+ if (S_ISREG(mode) && is_executable)
+ fc->fcolor[ix] = getElfColor(s);
}
if (ms != NULL)
@@ -1493,9 +1519,6 @@ rpmRC rpmfcGenerateDepends(const rpmSpec spec, Package pkg)
goto exit;
/* Add per-file colors(#files) */
- /* XXX Make sure only primary (i.e. Elf32/Elf64) colors are added. */
- for (int i = 0; i < fc->nfiles; i++)
- fc->fcolor[i] &= 0x0f;
headerPutUint32(pkg->header, RPMTAG_FILECOLORS, fc->fcolor, fc->nfiles);
/* Add classes(#classes) */
--
2.27.0

29
backport-Use-root-as-default-UID_0_USER-and-UID_0_GROUP.patch Normal file
View File

@ -0,0 +1,29 @@
From 7b3a3f004f96ed3cb9cc377f7e64bfc88195dfc2 Mon Dec 13 16:41:34 2021
From: From: Florian Festi <ffesti@redhat.com>
Date: Mon, 13 Dec 2021 16:41:34 +0800
Subject: [PATCH] Use root as default UID_0_USER and UID_0_GROUP
If /etc/passwd or /etc/group was not available during building rpm itself
these ended up empty. This affects builds done later on using rpmbuild.
Resolves: #1838
---
configure.ac | 2 ++
1 file changed, 2 insertions(+)
diff --git a/configure.ac b/configure.ac
index cdaf2b6..8656043 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1050,6 +1050,8 @@ fi
user_with_uid0=$(awk -F: '$3==0 {print $1;exit}' /etc/passwd)
group_with_gid0=$(awk -F: '$3==0 {print $1;exit}' /etc/group)
+if test -z "$user_with_uid0" ; then user_with_uid0=root ; fi
+if test -z "$group_with_gid0" ; then group_with_gid0=root ; fi
AC_DEFINE_UNQUOTED([UID_0_USER],["$user_with_uid0"],[Get the user name having userid 0])
AC_DEFINE_UNQUOTED([GID_0_GROUP],["$group_with_gid0"],[Get the group name having groupid 0])
--
1.8.3.1

132
backport-build-prioritize-large-packages.patch
View File

@ -1,132 +0,0 @@
From 6f6f5e70f16bef21523c3e2f19e7557bfcaa2546 Mon Sep 17 00:00:00 2001
From: Michal Domonkos <mdomonko@redhat.com>
Date: Tue, 21 Apr 2020 11:38:25 +0200
Subject: [PATCH] build: prioritize large packages
Binary packages come in different sizes and so their build time can vary
greatly. Dynamic scheduling, which we currently use for parallel
building, is a good strategy to combat such differences and load-balance
the available CPU cores.
That said, knowing that the build time of a package is proportional to
its size, we can reduce the overall time even further by cleverly
ordering the task queue.
As an example, consider a set of 5 packages, 4 of which take 1 unit of
time to build and one takes 4 units. If we were to build these on a
dual-core system, one possible unit distribution would look like this:
TIME --->
CPU 1 * * * * * * # package 1, 3 and 5
CPU 2 * * # package 2 and 4
Now, compare that to a different distribution where the largest package
5 gets built early on:
TIME --->
CPU 1 * * * * # package 5
CPU 2 * * * * # package 1, 2, 3 and 4
It's obvious that processing the largest packages first gives better
results when dealing with such a mix of small and large packages
(typically a regular package and its debuginfo counterpart,
respectively).
Now, with dynamic scheduling in OpenMP, we cannot directly control the
task queue; we can only generate the tasks and let the runtime system do
its work. What we can do, however, is to provide a hint to the runtime
system for the desired ordering, using the "priority" clause.
So, in this commit, we use the clause to assign a priority value to each
build task based on the respective package size (the bigger the size,
the higher the priority), to help achieve an optimal execution order.
Indeed, in my testing, the priorities were followed to the letter (but
remember, that's not guaranteed by the specification). Interestingly,
even without the use of priorities, simply generating the tasks in the
desired order resulted in the same execution order for me, but that's,
again, just an implementation detail.
Also note that OpenMP is allowed to stop the thread generating the tasks
at any time, and make it execute some of the tasks instead. If the
chosen task happens to be a long-duration one, we might hit a starvation
scenario where the other threads have exhausted the task queue and
there's nobody to generate new tasks. To counter that, this commit also
adds the "untied" clause which allows other threads to pick up where the
generating thread left off, and continue generating new tasks.
Resolves #1045.
---
build/pack.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/build/pack.c b/build/pack.c
index a44a3fe9c8..bc40683c4f 100644
--- a/build/pack.c
+++ b/build/pack.c
@@ -6,6 +6,7 @@
#include "system.h"
#include <errno.h>
+#include <stdlib.h>
#include <sys/wait.h>
#include <rpm/rpmlib.h> /* RPMSIGTAG*, rpmReadPackageFile */
@@ -726,16 +727,45 @@ static rpmRC packageBinary(rpmSpec spec, Package pkg, const char *cookie, int ch
return rc;
}
+static int compareBinaries(const void *p1, const void *p2) {
+ Package pkg1 = *(Package *)p1;
+ Package pkg2 = *(Package *)p2;
+ uint64_t size1 = headerGetNumber(pkg1->header, RPMTAG_LONGSIZE);
+ uint64_t size2 = headerGetNumber(pkg2->header, RPMTAG_LONGSIZE);
+ if (size1 > size2)
+ return -1;
+ if (size1 < size2)
+ return 1;
+ return 0;
+}
+
+/*
+ * Run binary creation in parallel, with task priority based on package size
+ * (largest first) to help achieve an optimal load distribution.
+ */
rpmRC packageBinaries(rpmSpec spec, const char *cookie, int cheating)
{
rpmRC rc = RPMRC_OK;
Package pkg;
+ Package *tasks;
+ int npkgs = 0;
+
+ for (pkg = spec->packages; pkg != NULL; pkg = pkg->next)
+ npkgs++;
+ tasks = xcalloc(npkgs, sizeof(Package));
+
+ pkg = spec->packages;
+ for (int i = 0; i < npkgs; i++) {
+ tasks[i] = pkg;
+ pkg = pkg->next;
+ }
+ qsort(tasks, npkgs, sizeof(Package), compareBinaries);
- /* Run binary creation in parallel */
#pragma omp parallel
#pragma omp single
- for (pkg = spec->packages; pkg != NULL; pkg = pkg->next) {
- #pragma omp task
+ for (int i = 0; i < npkgs; i++) {
+ pkg = tasks[i];
+ #pragma omp task untied priority(i)
{
pkg->rc = packageBinary(spec, pkg, cookie, cheating, &pkg->filename);
rpmlog(RPMLOG_DEBUG,
@@ -754,6 +784,8 @@ rpmRC packageBinaries(rpmSpec spec, const char *cookie, int cheating)
if (rc == RPMRC_OK)
checkPackageSet(spec->packages);
+ free(tasks);
+
return rc;
}

29
backport-fix-zstd-magic.patch
View File

@ -1,29 +0,0 @@
From c464f1ece501346da11ed7582b8d46682363a285 Mon Sep 17 00:00:00 2001
From: Thierry Vignaud <tvignaud@redhat.com>
Date: Mon, 23 Dec 2019 16:51:49 +0100
Subject: [PATCH] fix zstd magic
I spot it while adding support for zstd compressed metadata in
URPM/urpmi, which was broken by this typo
typo introduced in commit 3684424fe297c996bb05bb64631336fa2903df12
---
rpmio/rpmfileutil.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpmio/rpmfileutil.c b/rpmio/rpmfileutil.c
index bda97adf1..84ee34f4d 100644
--- a/rpmio/rpmfileutil.c
+++ b/rpmio/rpmfileutil.c
@@ -188,7 +188,7 @@ int rpmFileIsCompressed(const char * file, rpmCompressedMagic * compressed)
(magic[4] == 0x5a) && (magic[5] == 0x00)) {
/* new style xz (lzma) with magic */
*compressed = COMPRESSED_XZ;
- } else if ((magic[0] == 0x28) && (magic[1] == 0x85) &&
+ } else if ((magic[0] == 0x28) && (magic[1] == 0xB5) &&
(magic[2] == 0x2f) ) {
*compressed = COMPRESSED_ZSTD;
} else if ((magic[0] == 'L') && (magic[1] == 'Z') &&
--
2.27.0

28
backport-ndb-only-clear-the-dbenv-in-the-rpmdb-if-the-last-re.patch
View File

@ -1,28 +0,0 @@
From 52c3ee60a1ce0e7e527dc396dd1e1a0e29b7b0ed Mon Sep 17 00:00:00 2001
From: Michael Schroeder <mls@suse.de>
Date: Fri, 10 Jan 2020 15:47:13 +0100
Subject: [PATCH] ndb: only clear the dbenv in the rpmdb if the last reference
is gone
Otherwise we will segfault if just one index is closed.
---
lib/backend/ndb/glue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/backend/ndb/glue.c b/lib/backend/ndb/glue.c
index 376e360e3..841c2fe42 100644
--- a/lib/backend/ndb/glue.c
+++ b/lib/backend/ndb/glue.c
@@ -52,8 +52,8 @@ static void closeEnv(rpmdb rdb)
if (ndbenv->data)
free(ndbenv->data);
free(ndbenv);
+ rdb->db_dbenv = 0;
}
- rdb->db_dbenv = 0;
}
static struct ndbEnv_s *openEnv(rpmdb rdb)
--
2.27.0

42
backport-optimize-signature-header-merge-a-bit.patch
View File

@ -1,42 +0,0 @@
From a427c3cd2776bc523bd40491a5d92d98d071ffea Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <athena@invisiblethingslab.com>
Date: Tue, 16 Mar 2021 11:41:16 +0200
Subject: [PATCH] Optimize signature header merge a bit
Look up possible offending tags from the main header first in a separate
loop, this avoids having to re-sort after each headerPut() operation
---
lib/package.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/package.c b/lib/package.c
index 6f10bb9..355c3e7 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -64,10 +64,14 @@ rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
{
const struct taglate_s *xl;
struct rpmtd_s td;
- rpmtdReset(&td);
for (xl = xlateTags; xl->stag; xl++) {
/* There mustn't be one in the main header */
if (headerIsEntry(h, xl->xtag))
+ goto exit;
+ }
+
+ rpmtdReset(&td);
+ for (xl = xlateTags; xl->stag; xl++) {
if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) {
/* Translate legacy tags */
if (xl->stag != xl->xtag)
@@ -86,6 +90,7 @@ rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg)
}
rpmtdFreeData(&td);
+exit:
if (xl->stag) {
rasprintf(msg, "invalid signature tag %s (%d)",
rpmTagGetName(xl->xtag), xl->xtag);
--
2.27.0

47
backport-rpmfiArchiveRead-use-signed-return-value-to-handle-1.patch
View File

@ -1,47 +0,0 @@
From f34030816d84dfbf52f259404b32b81e53c21fbb Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Fri, 3 Apr 2020 14:09:18 -0400
Subject: [PATCH] rpmfiArchiveRead() use signed return value to handle -1 on
error
size_t is unsigned, so returning -1 is not going to have the expected
behavior. Fix it to return ssize_t.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
lib/rpmarchive.h | 4 ++--
lib/rpmfi.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/rpmarchive.h b/lib/rpmarchive.h
index c864e5b56..2484b4d71 100644
--- a/lib/rpmarchive.h
+++ b/lib/rpmarchive.h
@@ -122,9 +122,9 @@ int rpmfiArchiveWriteFile(rpmfi fi, FD_t fd);
* @param fi file info
* @param buf pointer to buffer
* @param size number of bytes to read
- * @return bytes actually read
+ * @return bytes actually read, -1 on error
*/
-size_t rpmfiArchiveRead(rpmfi fi, void * buf, size_t size);
+ssize_t rpmfiArchiveRead(rpmfi fi, void * buf, size_t size);
/** \ingroup payload
* Has current file content stored in the archive
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
index c314a8b29..af428468c 100644
--- a/lib/rpmfi.c
+++ b/lib/rpmfi.c
@@ -2261,7 +2261,7 @@ int rpmfiArchiveHasContent(rpmfi fi)
return res;
}
-size_t rpmfiArchiveRead(rpmfi fi, void * buf, size_t size)
+ssize_t rpmfiArchiveRead(rpmfi fi, void * buf, size_t size)
{
if (fi == NULL || fi->archive == NULL)
return -1;
--
2.27.0

30
backport-rpmio-initialise-libgcrypt.patch
View File

@ -1,30 +0,0 @@
From 61ea5a8ea64dc130713da889f3f0c8da1a547bd9 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 4 Dec 2019 17:13:10 +0000
Subject: [PATCH] rpmio: initialise libgcrypt
If we're using libgcrypt for hashing we need to initialise libgcrypt as
otherwise it is not thread-safe. Without this it will crash when used
in parallel packaging runs.
Fixes #968
---
rpmio/digest_libgcrypt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rpmio/digest_libgcrypt.c b/rpmio/digest_libgcrypt.c
index b31fda569..291187f60 100644
--- a/rpmio/digest_libgcrypt.c
+++ b/rpmio/digest_libgcrypt.c
@@ -20,6 +20,8 @@ struct DIGEST_CTX_s {
/**************************** init ************************************/
int rpmInitCrypto(void) {
+ gcry_check_version (NULL);
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
return 0;
}
--
2.27.0

25
bugfix-rpm-4.14.2-fix-tty-failed.patch
View File

@ -1,25 +0,0 @@
From 733a0997ba5608f6b37d0b6d47c7bbd6f9d62381 Mon Sep 17 00:00:00 2001
From: openeuler-basic <shenyangyang4@huawei.com>
Date: Fri, 10 Jan 2020 10:29:16 +0800
Subject: [PATCH] bugfix rpm 4.14.2 fix tty failed
---
rpmpopt.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpmpopt.in b/rpmpopt.in
index 8e4ef02..9585422 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -219,7 +219,7 @@ rpmbuild alias --buildpolicy --define '__os_install_post %{_rpmconfigdir}/brp-!#
--POPTargs=$"<policy>"
# Minimally preserve rpmbuild's --sign functionality
rpmbuild alias --sign \
- --pipe 'rpm --addsign `grep ".*: .*\.rpm$"|cut -d: -f2` < "/dev/"`ps -p $$ -o tty | tail -n 1`' \
+ --pipe "grep '.*: .*\.rpm$'|cut -d: -f2|xargs -r rpm --addsign" \
--POPTdesc=$"generate GPG signature (deprecated, use command rpmsign instead)"
rpmbuild alias --trace --eval '%trace' \
--POPTdesc=$"trace macro expansion"
--
1.8.3.1

46
change-rpmsigdig-test-s-SHA256HEADER-SHA1HEADER-SIGM.patch
View File

@ -1,46 +0,0 @@
From ab2179452c5be276a6b96c591afded485c7e58c3 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 13 Nov 2019 11:38:07 +0200
Subject: [PATCH] change rpmsigdig test's SHA256HEADER SHA1HEADER SIGMD5 value
---
tests/rpmsigdig.at | 6 +++---
tests/rpmtests | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 3c15221..91c205e 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -146,9 +146,9 @@ done
runroot rpmkeys -Kv /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm
],
[0],
-[SHA256HEADER: 8d150309b6988914994ad609ff8267718f23e8034affe260e6d4361a83a45a62
-SHA1HEADER: 78606c9281c44f34470d26df2caebba117b9d183
-SIGMD5: 3269c96a8e88bf4514647c570c66723b
+[SHA256HEADER: 340fcc0e848922c0a0c5e9f988482683038b4c753d29ef4682a3ca279cef2ef4
+SHA1HEADER: 12352190a4557cd595387fbf0474ae65fd324158
+SIGMD5: 3dc56bbd5166fca1d2c7cb637a057049
PAYLOADDIGEST: 749d8980cc5889419da8cdbe9a5b3292742af8a227db3635f84966481b7612a8
/build/RPMS/noarch/attrtest-1.0-1.noarch.rpm:
Header SHA256 digest: OK
diff --git a/tests/rpmtests b/tests/rpmtests
index 6fa80e3..ae95856 100644
--- a/tests/rpmtests
+++ b/tests/rpmtests
@@ -14547,9 +14547,9 @@ runroot rpmkeys -Kv /build/RPMS/noarch/attrtest-1.0-1.noarch.rpm
at_status=$? at_failed=false
$at_check_filter
at_fn_diff_devnull "$at_stderr" || at_failed=:
-echo >>"$at_stdout"; $as_echo "SHA256HEADER: 8d150309b6988914994ad609ff8267718f23e8034affe260e6d4361a83a45a62
-SHA1HEADER: 78606c9281c44f34470d26df2caebba117b9d183
-SIGMD5: 3269c96a8e88bf4514647c570c66723b
+echo >>"$at_stdout"; $as_echo "SHA256HEADER: 340fcc0e848922c0a0c5e9f988482683038b4c753d29ef4682a3ca279cef2ef4
+SHA1HEADER: 12352190a4557cd595387fbf0474ae65fd324158
+SIGMD5: 3dc56bbd5166fca1d2c7cb637a057049
PAYLOADDIGEST: 749d8980cc5889419da8cdbe9a5b3292742af8a227db3635f84966481b7612a8
/build/RPMS/noarch/attrtest-1.0-1.noarch.rpm:
Header SHA256 digest: OK
--

30
find-debuginfo.sh-decompress-DWARF-compressed-ELF-se.patch
View File

@ -1,30 +0,0 @@
From f2bc669cd0a080792522dd1bb7f50ef7025f16f0 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Sat, 21 Jul 2018 10:13:04 +0200
Subject: [PATCH] find-debuginfo.sh: decompress DWARF compressed ELF sections
debugedit and dwz do not support DWARF compressed ELF sections, let's
just decompress those before extracting debuginfo.
Tested-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
---
scripts/find-debuginfo.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index 90a44942d..7b01bc036 100755
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -357,6 +357,9 @@ do_file()
get_debugfn "$f"
[ -f "${debugfn}" ] && return
+ echo "explicitly decompress any DWARF compressed ELF sections in $f"
+ eu-elfcompress -q -p -t none "$f"
+
echo "extracting debug info from $f"
# See also cpio SOURCEFILE copy. Directories must match up.
debug_base_name="$RPM_BUILD_DIR"
--
2.18.0

42
get-in-use-of-ndb.patch Normal file
View File

@ -0,0 +1,42 @@
From 8ba0780a26429bbb474e23112627ebbaeb9abfee Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Mon, 29 Nov 2021 10:53:24 +0800
Subject: [PATCH] get in use of ndb
---
configure.ac | 4 ++--
macros.in | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6b161dc..ab1c667 100644
--- a/configure.ac
+++ b/configure.ac
@@ -490,9 +490,9 @@ AM_CONDITIONAL([BDB_RO], [test "$enable_bdb_ro" = yes])
# Check for SQLITE support
AC_ARG_ENABLE([sqlite],
[AS_HELP_STRING([--enable-sqlite=@<:@yes/no/auto@:>@)],
- [build with sqlite rpm database format support (default=yes)])],
+ [build with sqlite rpm database format support (default=auto)])],
[enable_sqlite="$enableval"],
- [enable_sqlite=yes])
+ [enable_sqlite=auto])
AS_IF([test "x$enable_sqlite" != "xno"], [
PKG_CHECK_MODULES([SQLITE], [sqlite3 >= 3.22.0], [have_sqlite=yes], [have_sqlite=no])
diff --git a/macros.in b/macros.in
index 22f675c..3e81918 100644
--- a/macros.in
+++ b/macros.in
@@ -602,7 +602,7 @@ package or when debugging this package.\
# sqlite Sqlite database
# dummy dummy backend (no actual functionality)
#
-%_db_backend sqlite
+%_db_backend ndb
#==============================================================================
# ---- GPG/PGP/PGP5 signature macros.
--
1.8.3.1

BIN
rpm-4.15.1.tar.bz2
View File

Binary file not shown.

BIN
rpm-4.17.0.tar.bz2 Normal file
View File

Binary file not shown.

130
rpm.spec
View File

@ -1,72 +1,35 @@
Name: rpm Name: rpm
Version: 4.15.1 Version: 4.17.0
Release: 32 Release: 1
Summary: RPM Package Manager Summary: RPM Package Manager
License: GPLv2+ License: GPLv2+
URL: http://www.rpm.org/ URL: http://www.rpm.org/
Source0: http://ftp.rpm.org/releases/rpm-4.15.x/%{name}-%{version}.tar.bz2 Source0: http://ftp.rpm.org/releases/rpm-4.17.x/%{name}-%{version}.tar.bz2
Patch1: Unbundle-config-site-and-add-RPM-LD-FLAGS-macro.patch Patch1: Unbundle-config-site-and-add-RPM-LD-FLAGS-macro.patch
Patch2: rpm-4.12.0-rpm2cpio-hack.patch Patch2: rpm-4.12.0-rpm2cpio-hack.patch
Patch3: find-debuginfo.sh-decompress-DWARF-compressed-ELF-se.patch Patch3: add-dist-to-release-by-default.patch
Patch4: skip-updating-the-preferences.patch Patch4: revert-always-execute-file-trigger-scriptlet-callbac.patch
Patch5: add-dist-to-release-by-default.patch Patch5: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch
Patch6: Silence-spurious-error-message-from-lsetfilecon-on-E.patch Patch6: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
Patch7: revert-always-execute-file-trigger-scriptlet-callbac.patch Patch7: Generate-digest-lists.patch
Patch8: change-rpmsigdig-test-s-SHA256HEADER-SHA1HEADER-SIGM.patch Patch8: Add-digest-list-plugin.patch
Patch9: Don-t-add-dist-to-release-if-it-is-already-there.patch
Patch10: Use-user.digest_list-to-avoid-duplicate-processing-o.patch
Patch11: call-process_digest_list-after-files-are-added.patch
Patch12: fix-lsetxattr-error-in-container.patch
Patch13: rpm-selinux-plugin-check-context-file-exist.patch
Patch14: get-in-use-of-ndb.patch
Patch15: backport-Use-root-as-default-UID_0_USER-and-UID_0_GROUP.patch
Patch9: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel
Patch10: bugfix-rpm-4.14.2-fix-tty-failed.patch
Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
Patch13: Generate-digest-lists.patch
Patch14: Add-digest-list-plugin.patch
Patch15: Don-t-add-dist-to-release-if-it-is-already-there.patch
Patch16: Use-user.digest_list-to-avoid-duplicate-processing-o.patch
Patch17: call-process_digest_list-after-files-are-added.patch
Patch18: backport-Fix-changelog-trimming-to-work-relative-to-newest-ex.patch
Patch19: backport-Fix-resource-leaks-on-zstd-open-error-paths.patch
Patch20: backport-rpmio-initialise-libgcrypt.patch
Patch21: backport-fix-zstd-magic.patch
Patch22: backport-Don-t-require-signature-header-to-be-in-single-conti.patch
Patch23: backport-ndb-only-clear-the-dbenv-in-the-rpmdb-if-the-last-re.patch
Patch24: backport-Fix-regression-on-v3-package-handling-on-database-re.patch
Patch25: backport-Fix-a-minor-memory-leak-on-suppressed-inhibition-loc.patch
Patch26: backport-Fix-POPT_ARG_STRING-memleaks-in-librpmbuild.patch
Patch27: backport-Fix-build-regression-in-commit-307872f71b357a3839fd0.patch
Patch28: backport-Fix-isUnorderedReq-for-multiple-qualifiers.patch
Patch29: backport-If-fork-fails-in-getOutputFrom-close-opened-unused-p.patch
Patch30: backport-Fix-pointer-dereference-before-testing-for-NULL-in-r.patch
Patch31: backport-Don-t-look-into-source-package-provides-in-depsolvin.patch
Patch32: backport-rpmfiArchiveRead-use-signed-return-value-to-handle-1.patch
Patch33: backport-Fix-bump-up-the-limit-of-signature-header-to-64MB.patch
Patch34: backport-Remove-compare-of-global-array-tagsByName-to-NULL.patch
Patch35: backport-Always-close-libelf-handle-1313.patch
Patch36: backport-Add-missing-terminator-to-copyTagsFromMainDebug-arra.patch
Patch37: backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch
Patch38: backport-Make-fdSeek-return-0-on-success-1-on-error.patch
Patch39: backport-Fix-logic-error-in-grabArgs.patch
Patch40: backport-Use-libelf-for-determining-file-colors.patch
Patch41: backport-CVE-2021-20271.patch
Patch42: backport-optimize-signature-header-merge-a-bit.patch
Patch43: CVE-2021-20266.patch
Patch44: backport-build-prioritize-large-packages.patch
Patch45: backport-Fix-data-race-in-packageBinaries-function.patch
Patch46: fix-lsetxattr-error-in-container.patch
Patch47: backport-Reduce-undefined-pointer-arithmetic.patch
Patch48: backport-Do-not-allow-extra-packets-to-follow-a-signature.patch
Patch49: backport-0001-CVE-2021-3521.patch
Patch50: backport-0002-CVE-2021-3521.patch
Patch51: backport-0003-CVE-2021-3521.patch
Patch52: rpm-selinux-plugin-check-context-file-exist.patch
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
BuildRequires: dbus-devel fakechroot elfutils-devel elfutils-libelf-devel ima-evm-utils BuildRequires: dbus-devel fakechroot elfutils-devel elfutils-libelf-devel ima-evm-utils
BuildRequires: lua-devel libcap-devel libacl-devel libselinux-devel file-devel gettext-devel ncurses-devel BuildRequires: lua-devel libcap-devel libacl-devel libselinux-devel file-devel gettext-devel ncurses-devel
BuildRequires: system-rpm-config dwz gnupg2 BuildRequires: system-rpm-config dwz gnupg2
Requires: coreutils popt curl zstd libcap crontabs logrotate libdb-utils BuildRequires: debugedit
Requires: coreutils popt curl zstd libcap crontabs logrotate
Requires: debugedit
Obsoletes: %{name}-build-libs %{name}-sign-libs %{name}-sign %{name}-cron Obsoletes: %{name}-build-libs %{name}-sign-libs %{name}-sign %{name}-cron
Provides: %{name}-build-libs %{name}-sign-libs %{name}-sign %{name}-cron Provides: %{name}-build-libs %{name}-sign-libs %{name}-sign %{name}-cron
Obsoletes: %{name}-plugin-selinux %{name}-plugin-syslog %{name}-plugin-systemd-inhibit < 4.15.1-28 %{name}-plugin-ima %{name}-plugin-prioreset Obsoletes: %{name}-plugin-selinux %{name}-plugin-syslog %{name}-plugin-systemd-inhibit < 4.15.1-28 %{name}-plugin-ima %{name}-plugin-prioreset
@ -81,11 +44,11 @@ The RPM Package Manager (RPM) is a powerful package management system capability
-verifying integrity of packaged software and resulting software installation -verifying integrity of packaged software and resulting software installation
%package libs %package libs
Summary: Shared library of rpm 4.15 Summary: Shared library of rpm 4.17
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
%description libs %description libs
Shared library of rpm 4.15. Shared library of rpm 4.17.
%package build %package build
Summary: Scripts and executable programs used to build packages Summary: Scripts and executable programs used to build packages
@ -138,8 +101,6 @@ Obsoletes: apidocs
%prep %prep
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
sed -ie 's:^python test:python2 test:g' tests/rpmtests tests/local.at
%build %build
CPPFLAGS="$CPPFLAGS -DLUA_COMPAT_APIINTCASTS" CPPFLAGS="$CPPFLAGS -DLUA_COMPAT_APIINTCASTS"
CFLAGS="$RPM_OPT_FLAGS -DLUA_COMPAT_APIINTCASTS" CFLAGS="$RPM_OPT_FLAGS -DLUA_COMPAT_APIINTCASTS"
@ -169,6 +130,10 @@ done;
--with-imaevm \ --with-imaevm \
--enable-zstd \ --enable-zstd \
--enable-python \ --enable-python \
--enable-bdb-ro \
--enable-ndb \
--enable-bdb=no \
--enable-sqlite=no \
--with-crypto=openssl --with-crypto=openssl
%make_build %make_build
@ -197,18 +162,10 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm
mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d mkdir -p $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d
mkdir -p $RPM_BUILD_ROOT/var/lib/rpm mkdir -p $RPM_BUILD_ROOT/var/lib/rpm
for dbi in \ ./rpmdb --define "_db_backend ndb" --dbpath=$(pwd)/ndb/ --initdb
Basenames Conflictname Dirnames Group Installtid Name Obsoletename \ cp -va ndb/. $RPM_BUILD_ROOT/var/lib/rpm/
Packages Providename Requirename Triggername Sha1header Sigmd5 \
__db.001 __db.002 __db.003 __db.004 __db.005 __db.006 __db.007 \
__db.008 __db.009
do
touch $RPM_BUILD_ROOT/var/lib/rpm/$dbi
done
#./rpmdb --dbpath=$RPM_BUILD_ROOT/var/lib/rpm --initdb for dbutil in recover stat upgrade verify
for dbutil in dump load recover stat upgrade verify
do do
ln -s ../../bin/db_${dbutil} $RPM_BUILD_ROOT/usr/lib/rpm/rpmdb_${dbutil} ln -s ../../bin/db_${dbutil} $RPM_BUILD_ROOT/usr/lib/rpm/rpmdb_${dbutil}
done done
@ -232,6 +189,17 @@ make check || (cat tests/rpmtests.log; exit 0)
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%posttrans
{
set -e
dbpath=$(rpm -E %{_dbpath})
while [ -e ${dbpath}/Packages ]
do
date >> /var/log/rebuilddb.log 2>&1
rpm -vvv --rebuilddb >> /var/log/rebuilddb.log 2>&1
done
} &
%files -f %{name}.lang %files -f %{name}.lang
%defattr(-,root,root) %defattr(-,root,root)
%license COPYING %license COPYING
@ -241,7 +209,8 @@ make check || (cat tests/rpmtests.log; exit 0)
%config(noreplace) %{_sysconfdir}/logrotate.d/rpm %config(noreplace) %{_sysconfdir}/logrotate.d/rpm
%dir %{_sysconfdir}/rpm %dir %{_sysconfdir}/rpm
%dir /var/lib/rpm %dir /var/lib/rpm
%attr(0644, root, root) %verify(not md5 size mtime) %ghost %config(missingok,noreplace) /var/lib/rpm/* %attr(0644, root, root) %ghost %config(missingok,noreplace) /var/lib/rpm/*
%attr(0644, root, root) %ghost /var/lib/rpm/.*.lock
%lang(fr) %{_mandir}/fr/man[18]/*.[18]* %lang(fr) %{_mandir}/fr/man[18]/*.[18]*
%lang(ko) %{_mandir}/ko/man[18]/*.[18]* %lang(ko) %{_mandir}/ko/man[18]/*.[18]*
%lang(ja) %{_mandir}/ja/man[18]/*.[18]* %lang(ja) %{_mandir}/ja/man[18]/*.[18]*
@ -261,6 +230,7 @@ make check || (cat tests/rpmtests.log; exit 0)
%{_rpmconfigdir}/rpm2cpio.sh %{_rpmconfigdir}/rpm2cpio.sh
%{_rpmconfigdir}/tgpg %{_rpmconfigdir}/tgpg
%{_rpmconfigdir}/platform %{_rpmconfigdir}/platform
%{_sysconfdir}/dbus-1/system.d/org.rpm.conf
%{_libdir}/rpm-plugins/ %{_libdir}/rpm-plugins/
%exclude %{_libdir}/rpm-plugins/systemd_inhibit.so %exclude %{_libdir}/rpm-plugins/systemd_inhibit.so
%dir %{_rpmconfigdir}/fileattrs %dir %{_rpmconfigdir}/fileattrs
@ -284,16 +254,12 @@ make check || (cat tests/rpmtests.log; exit 0)
%{_rpmconfigdir}/brp-* %{_rpmconfigdir}/brp-*
%{_rpmconfigdir}/check-* %{_rpmconfigdir}/check-*
%{_rpmconfigdir}/debugedit
%{_rpmconfigdir}/sepdebugcrcfix
%{_rpmconfigdir}/find-debuginfo.sh
%{_rpmconfigdir}/find-lang.sh %{_rpmconfigdir}/find-lang.sh
%{_rpmconfigdir}/*provides* %{_rpmconfigdir}/*provides*
%{_rpmconfigdir}/*requires* %{_rpmconfigdir}/*requires*
%{_rpmconfigdir}/*deps* %{_rpmconfigdir}/*deps*
%{_rpmconfigdir}/*.prov %{_rpmconfigdir}/*.prov
%{_rpmconfigdir}/*.req %{_rpmconfigdir}/*.req
%{_rpmconfigdir}/config.*
%{_rpmconfigdir}/mkinstalldirs %{_rpmconfigdir}/mkinstalldirs
%{_rpmconfigdir}/fileattrs/* %{_rpmconfigdir}/fileattrs/*
@ -315,13 +281,19 @@ make check || (cat tests/rpmtests.log; exit 0)
%files help %files help
%defattr(-,root,root) %defattr(-,root,root)
%doc doc/manual/[a-z]* %doc docs/manual/[a-z]*
%doc doc/librpm/html/* %doc docs/librpm/html/*
%{_mandir}/man8/rpm*.8* %{_mandir}/man8/rpm*.8*
%exclude %{_mandir}/man8/rpm-plugin-systemd-inhibit.8* %exclude %{_mandir}/man8/rpm-plugin-systemd-inhibit.8*
%{_mandir}/man1/gendiff.1* %{_mandir}/man1/gendiff.1*
%changelog %changelog
* Tue Dec 13 2021 renhongxun<renhongxun@huawei.com> - 4.17.0-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:upgrade to 4.17.0
* Fri Dec 3 2021 luhuaxin<1539327763@qq.com> - 4.15.1-32 * Fri Dec 3 2021 luhuaxin<1539327763@qq.com> - 4.15.1-32
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA

39
skip-updating-the-preferences.patch
View File

@ -1,39 +0,0 @@
From 90e2b3a3b1a6d2b18c4421ed17a94aa5c56108a8 Mon Sep 17 00:00:00 2001
From: openEuler Buildteam <buildteam@openeuler.org>
Date: Thu, 13 Feb 2020 21:32:33 +0800
Subject: [PATCH] skip updating the preferences
---
tests/Makefile.am | 2 +-
tests/Makefile.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 10f095b..ab92353 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -167,7 +167,7 @@ populate_testing:
for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
for d in /proc /sys /selinux /etc/selinux; do if [ -d $${d} ]; then ln -s $${d} testing/$${d}; fi; done
(cd testing/magic && file -C)
- HOME=$(abs_builddir)/testing gpg2 --import ${abs_srcdir}/data/keys/*.secret
+ HOME=$(abs_builddir)/testing gpg2 --import --batch ${abs_srcdir}/data/keys/*.secret
check_DATA = atconfig atlocal $(TESTSUITE)
diff --git a/tests/Makefile.in b/tests/Makefile.in
index 16bcdd5..5603c54 100644
--- a/tests/Makefile.in
+++ b/tests/Makefile.in
@@ -695,7 +695,7 @@ populate_testing:
for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done
for d in /proc /sys /selinux /etc/selinux; do if [ -d $${d} ]; then ln -s $${d} testing/$${d}; fi; done
(cd testing/magic && file -C)
- HOME=$(abs_builddir)/testing gpg2 --import ${abs_srcdir}/data/keys/*.secret
+ HOME=$(abs_builddir)/testing gpg2 --import --batch ${abs_srcdir}/data/keys/*.secret
@HAVE_FAKECHROOT_TRUE@check-local: $(check_DATA) populate_testing
@HAVE_FAKECHROOT_TRUE@ $(SHELL) '$(TESTSUITE)' $(TESTSUITEFLAGS)
--
1.8.3.1