!46 [sync] PR-41: fix CVE-2022-2806

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0001-hoperun-openeuler-sos-policy.patch

@@ -1,55 +0,0 @@
-From 96ac9e7f7c2502f64f7ebae77fbca18ce2b6fdb9 Mon Sep 17 00:00:00 2001
-From: jeff200902 <jeff200902@163.com>
-Date: Mon, 13 Jul 2020 09:52:11 +0000
-Subject: [PATCH] hoperun-openeuler-sos-policy
-
----
- sos/policies/openEuler.py | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
- create mode 100644 sos/policies/openEuler.py
-
-diff --git a/sos/policies/openEuler.py b/sos/policies/openEuler.py
-new file mode 100644
-index 0000000..de58f92
---- /dev/null
-+++ b/sos/policies/openEuler.py
-@@ -0,0 +1,36 @@
-+# Copyright (C) Huawei, Inc. 2020
-+
-+# This file is part of the sos project: https://github.com/sosreport/sos
-+#
-+# This copyrighted material is made available to anyone wishing to use,
-+# modify, copy, or redistribute it subject to the terms and conditions of
-+# version 2 of the GNU General Public License.
-+#
-+# See the LICENSE file in the source distribution for further information.
-+
-+# This enables the use of with syntax in python 2.5 (e.g. jython)
-+from __future__ import print_function
-+
-+from sos.policies.redhat import RedHatPolicy, OS_RELEASE
-+import os
-+
-+
-+class OpenEulerPolicy(RedHatPolicy):
-+
-+    distro = "OpenEuler"
-+    vendor = "the openEuler Project"
-+    vendor_url = "https://openeuler.org/"
-+
-+    def __init__(self, sysroot=None):
-+        super(OpenEulerPolicy, self).__init__(sysroot=sysroot)
-+
-+    @classmethod
-+    def check(cls):
-+        """This method checks to see if we are running on OpenEuler. It returns
-+        True or False."""
-+        return os.path.isfile('/etc/openEuler-release')
-+
-+    def openEuler_version(self):
-+        pkg = self.pkg_by_name("openEuler-release") or \
-+            self.all_pkgs_by_name_regex("openEuler-release-.*")[-1]
-+        return int(pkg["version"])
--- 
-2.23.0
-

Fix-sos-command-failed-in-sos-4.0.patch

@@ -0,0 +1,46 @@
+From e024511400e23d28b47c25df79ab162d8e1991ae Mon Sep 17 00:00:00 2001
+From: wei dong <weidong@uniontech.com>
+Date: Tue, 22 Feb 2022 10:24:18 +0800
+Subject: [PATCH] Fix sos command failed in sos 4.0
+
+Signed-off-by: wei dong <weidong@uniontech.com>
+---
+ sos/policies/uniontech.py | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/sos/policies/uniontech.py b/sos/policies/uniontech.py
+index cd30136..535335b 100644
+--- a/sos/policies/uniontech.py
++++ b/sos/policies/uniontech.py
+@@ -1,6 +1,3 @@
+-from __future__ import print_function
+-
+-from sos.plugins import RedHatPlugin
+ from sos.policies.redhat import RedHatPolicy, OS_RELEASE
+ import os
+ 
+@@ -10,11 +7,18 @@ class UnionTechPolicy(RedHatPolicy):
+     vendor = "the UnionTech Project"
+     vendor_url = "https://www.chinauos.com/"
+ 
+-    def __init__(self, sysroot=None):
+-        super(UnionTechPolicy, self).__init__(sysroot=sysroot)
++    def __init__(self, sysroot=None, init=None, probe_runtime=True,
++                 remote_exec=None):
++        super(UnionTechPolicy, self).__init__(sysroot=sysroot, init=init,
++                                           probe_runtime=probe_runtime,
++                                           remote_exec=remote_exec)
+ 
+     @classmethod
+-    def check(cls):
++    def check(cls, remote=''):
++        
++        if remote:
++            return cls.distro in remote
++
+         if not os.path.exists(OS_RELEASE):
+             return False
+ 
+-- 
+2.27.0
+

add-uniontech-os-support.patch

@@ -0,0 +1,45 @@
+From dcb9273e1f5f55fec2957629a5a69ca396f28c51 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 19 Jul 2021 15:48:03 +0800
+Subject: [PATCH] add uniontech os support
+
+---
+ sos/policies/uniontech.py | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+ create mode 100644 sos/policies/uniontech.py
+
+diff --git a/sos/policies/uniontech.py b/sos/policies/uniontech.py
+new file mode 100644
+index 0000000..cd30136
+--- /dev/null
++++ b/sos/policies/uniontech.py
+@@ -0,0 +1,26 @@
++from __future__ import print_function
++
++from sos.plugins import RedHatPlugin
++from sos.policies.redhat import RedHatPolicy, OS_RELEASE
++import os
++
++class UnionTechPolicy(RedHatPolicy):
++
++    distro = "UnionTech"
++    vendor = "the UnionTech Project"
++    vendor_url = "https://www.chinauos.com/"
++
++    def __init__(self, sysroot=None):
++        super(UnionTechPolicy, self).__init__(sysroot=sysroot)
++
++    @classmethod
++    def check(cls):
++        if not os.path.exists(OS_RELEASE):
++            return False
++
++        with open(OS_RELEASE, 'r') as f:
++            for line in f:
++                if line.startswith('NAME'):
++                    if 'UnionTech' in line:
++                        return True
++        return False
+-- 
+2.23.0
+

backport-Fix-dict-order-py38-incompatibility.patch

@@ -0,0 +1,34 @@
+From 1d7bab6c7ce3f78758113ca3cdf3e9fa1762df24 Mon Sep 17 00:00:00 2001
+From: Eric Desrochers <eric.desrochers@canonical.com>
+Date: Wed, 19 Aug 2020 17:44:07 -0400
+Subject: [PATCH] [options] Fix dict order py38 incompatibility
+
+python-3.8 dict changes introduce a traceback during our config file
+parsing for options with `-` characters in them.
+
+Fix this by changing an iteration of the dict keys from `dict.keys()`
+that returns a dict_keys view, to `list(dict)` which returns a list copy
+of the keys.
+
+Closes: #2206
+Resolves: #2207
+
+Signed-off-by: Eric Desrochers <eric.desrochers@canonical.com>
+Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
+---
+ sos/options.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sos/options.py b/sos/options.py
+index 3a2b4292f..ba3db1303 100644
+--- a/sos/options.py
++++ b/sos/options.py
+@@ -186,7 +186,7 @@ def _update_from_section(section, config):
+                 if 'verbose' in odict.keys():
+                     odict['verbosity'] = int(odict.pop('verbose'))
+                 # convert options names
+-                for key in odict.keys():
++                for key in list(odict):
+                     if '-' in key:
+                         odict[key.replace('-', '_')] = odict.pop(key)
+                 # set the values according to the config file

backport-ovirt-answer-files-Filter-out-all-password-keys.patch

@@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
++++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+                 r'{key}=********'.format(key=key)
+             )
+ 
+-        # Answer files contain passwords
+-        for key in (
+-            'OVESETUP_CONFIG/adminPassword',
+-            'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+-            'OVESETUP_DWH_DB/password',
+-            'OVESETUP_DB/password',
+-            'OVESETUP_REPORTS_CONFIG/adminPassword',
+-            'OVESETUP_REPORTS_DB/password',
++        # Answer files contain passwords.
++        # Replace all keys that have 'password' in them, instead of hard-coding
++        # here the list of keys, which changes between versions.
++        # Sadly, the engine admin password prompt name does not contain
++        # 'password'... so neither does the env key.
++        for item in (
++            'password',
++            'OVESETUP_CONFIG_ADMIN_SETUP',
+         ):
+             self.do_path_regex_sub(
+                 r'/var/lib/ovirt-engine/setup/answers/.*',
+-                r'{key}=(.*)'.format(key=key),
+-                r'{key}=********'.format(key=key)
++                re.compile(
++                    r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
++                    flags=re.IGNORECASE
++                ),
++                r'\g<key>=********'
+             )
+ 
+         # aaa profiles contain passwords
+-- 
+2.27.0
+

openEuler-add-openEuler-policy.patch

@@ -0,0 +1,50 @@
+From 3b76979a51f8b8e65991c00cd4ebab2f23a467a6 Mon Sep 17 00:00:00 2001
+From: shixuantong <shixuantong@huawei.com>
+Date: Mon, 8 Mar 2021 20:56:05 +0800
+Subject: [PATCH] add openEuler policy
+
+this patch is based on sos-4.0, not applicable to the lower version.
+---
+ sos/policies/openEuler.py | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+ create mode 100644 sos/policies/openEuler.py
+
+diff --git a/sos/policies/openEuler.py b/sos/policies/openEuler.py
+new file mode 100644
+index 0000000..ea65ba2
+--- /dev/null
++++ b/sos/policies/openEuler.py
+@@ -0,0 +1,30 @@
++from __future__ import print_function
++
++from sos.report.plugins import RedHatPlugin
++from sos.policies.redhat import RedHatPolicy, OS_RELEASE
++import os
++
++class OpenEulerPolicy(RedHatPolicy):
++
++    distro = "OpenEuler"
++    vendor = "the openEuler Project"
++    vendor_url = "https://openeuler.org/"
++
++    def __init__(self, sysroot=None, init=None, probe_runtime=True,
++                 remote_exec=None):
++        super(OpenEulerPolicy, self).__init__(sysroot=sysroot, init=init, 
++                                              probe_runtime=probe_runtime,
++                                              remote_exec=remote_exec)
++
++    @classmethod
++    def check(cls, remote=''):
++        """This method checks to see if we are running on OpenEuler. It returns
++        True or False."""
++        if remote:
++            return cls.distro in remote
++        return os.path.isfile('/etc/openEuler-release')
++
++    def openEuler_version(self):
++       pkg = self.pkg_by_name("openEuler-release") or \
++            self.all_pkgs_by_name_regex("openEuler-release-.*")[-1]
++       return int(pkg["version"])
+-- 
+1.8.3.1
+

sos.spec

@@ -2,15 +2,20 @@
 
 Name:          sos
 Version:       4.0
-Release:       1
+Release:       6
 Summary:       A set of tools to gather troubleshooting information from a system
 License:       GPLv2+
 URL:           https://github.com/sosreport/sos
 Source0:       https://github.com/sosreport/sos/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Patch0000:     0001-hoperun-openeuler-sos-policy.patch
-BuildRequires: python3-devel gettext python3-six
-Requires:      libxml2-python3 bzip2 xz python3-six
-Conflicts:     vdsm <= 4.30.17
+
+Patch6000:     backport-Fix-dict-order-py38-incompatibility.patch
+Patch9000:     openEuler-add-openEuler-policy.patch
+Patch9001:     add-uniontech-os-support.patch
+Patch9002:     Fix-sos-command-failed-in-sos-4.0.patch
+Patch9003:     backport-ovirt-answer-files-Filter-out-all-password-keys.patch
+
+BuildRequires: python3-devel gettext
+Requires:      libxml2-python3 bzip2 xz python3-rpm tar python3-pexpect
 BuildArch:     noarch
 
 %description
@@ -27,15 +32,25 @@ aimed at Linux distributions and other UNIX-like operating systems.
 
 %install
 %py3_install '--install-scripts=%{_sbindir}'
-install -Dm644 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
+
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}
+install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/cleaner
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/presets.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/groups.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/extras.d
+install -m 644 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
 
 %find_lang %{name} || echo 0
 
 %files -f %{name}.lang
 %license LICENSE
 %defattr(-,root,root)
-%config(noreplace) %{_sysconfdir}/sos.conf
+%config(noreplace) %{_sysconfdir}/sos/sos.conf
 %{_sbindir}/sos*
+%dir /etc/sos/cleaner
+%dir /etc/sos/presets.d
+%dir /etc/sos/extras.d
+%dir /etc/sos/groups.d
 %{python3_sitelib}/*
 %exclude %{_datadir}/doc/sos/{AUTHORS,README.md}
 
@@ -46,6 +61,21 @@ install -Dm644 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
 %{_mandir}/man5/*
 
 %changelog
+* Mon May 06 2024 GuoCe <guoce@kylinos.cn> - 4.0-6
+- Fix CVE-2022-2806
+
+* Tue Feb 22 2022 weidong <weidong@uniontech.com> - 4.0-5
+- Fix sos command failed in sos 4.0
+
+* Mon Jul 19 2021 liugang <liuganga@uniontech.com> - 4.0-4
+- add UnionTech policy
+
+* Mon Mar 08 2021 shixuantong <shixuantong@huawei.com> - 4.0-3
+- add openEuler policy
+
+* Tue Mar 03 2021 shixuantong <shixuantong@huawei.com> - 4.0-2
+- fix unable to read configure file /etc/sos/sos.conf issue
+
 * Tue Feb 02 2021 shixuantong <shixuantong@huawei.com> - 4.0-1
 - Upgrade to version 4.0