!18 [sync] PR-16: fix CVE-2023-5557

From: @openeuler-sync-bot 
Reviewed-by: @zhang__3125 
Signed-off-by: @zhang__3125

CVE-2023-5557.patch

@@ -0,0 +1,126 @@
+From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
+From: technology208 <technology@208suo.com>
+Date: Mon, 20 May 2024 16:32:52 +0800
+Subject: [PATCH] CreatePatch
+
+---
+ .../tracker-seccomp.c                         | 23 +++++++++++++++++++
+ src/tracker-extract/tracker-extract.c         |  5 ----
+ src/tracker-extract/tracker-main.c            | 19 +++++++++++----
+ 3 files changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index 01887e8..a2b7ed9 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
++++ b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
+ 	ALLOW_RULE (lstat);
+ 	ALLOW_RULE (lstat64);
+ 	ALLOW_RULE (statx);
++        ALLOW_RULE (fstatfs);
+ 	ALLOW_RULE (access);
+ 	ALLOW_RULE (getdents);
+ 	ALLOW_RULE (getdents64);
+@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
+ 	ALLOW_RULE (getpeername);
+ 	ALLOW_RULE (shutdown);
+ 
++       ERROR_RULE (inotify_init1, EINVAL);
++       ERROR_RULE (inotify_init, EINVAL);
++
++       ERROR_RULE (mkdir, EPERM);
++       ERROR_RULE (rename, EPERM);
++       ERROR_RULE (unlink, EPERM);
++       ERROR_RULE (ioctl, EBADF);
++       ERROR_RULE (bind, EACCES);
++       ERROR_RULE (setsockopt, EBADF);
++       ERROR_RULE (sched_getattr, EPERM);
++
++       /* Allow prlimit64, only if no new limits are being set */
++       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
++                             SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
++               goto out;
++
++
+ 	/* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
+ 		goto out;
++
++       if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
++                             SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
++               goto out;
++
+ 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
+ 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+ 		goto out;
+diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
+index 3406164..209c76b 100644
+--- a/src/tracker-extract/tracker-extract.c
++++ b/src/tracker-extract/tracker-extract.c
+@@ -30,8 +30,6 @@
+ #include <gio/gunixinputstream.h>
+ #include <gio/gunixfdlist.h>
+ 
+-#include <libtracker-miners-common/tracker-common.h>
+-
+ #include <libtracker-extract/tracker-extract.h>
+ 
+ #include "tracker-extract.h"
+@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
+ static gpointer
+ single_thread_get_metadata (GAsyncQueue *queue)
+ {
+-	if (!tracker_seccomp_init ())
+-		g_assert_not_reached ();
+-
+ 	while (TRUE) {
+ 		TrackerExtractTask *task;
+ 
+diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
+index 2a646cc..484be22 100644
+--- a/src/tracker-extract/tracker-main.c
++++ b/src/tracker-extract/tracker-main.c
+@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
+ }
+ 
+ int
+-main (int argc, char *argv[])
++do_main (int argc, char *argv[])
+ {
+ 	GOptionContext *context;
+ 	GError *error = NULL;
+@@ -311,9 +311,6 @@ main (int argc, char *argv[])
+ 	bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
+ 	textdomain (GETTEXT_PACKAGE);
+ 
+-	/* This makes sure we don't steal all the system's resources */
+-	initialize_priority_and_scheduling ();
+-
+ 	/* Translators: this message will appear immediately after the  */
+ 	/* usage string - Usage: COMMAND [OPTION]... <THIS_MESSAGE>     */
+ 	context = g_option_context_new (_("— Extract file meta data"));
+@@ -487,3 +484,17 @@ main (int argc, char *argv[])
+ 
+ 	return EXIT_SUCCESS;
+ }
++
++int
++main (int argc, char *argv[])
++{
++       /* This function is untouchable! Add things to do_main() */
++
++       /* This makes sure we don't steal all the system's resources */
++       initialize_priority_and_scheduling ();
++
++       if (!tracker_seccomp_init ())
++               g_assert_not_reached ();
++
++       return do_main (argc, argv);
++}
+-- 
+2.33.0
+

tracker-miners-3.0.5-sw.patch

@@ -0,0 +1,13 @@
+diff -Naur tracker-miners-3.0.5.org/src/libtracker-miners-common/tracker-ioprio.c tracker-miners-3.0.5.sw/src/libtracker-miners-common/tracker-ioprio.c
+--- tracker-miners-3.0.5.org/src/libtracker-miners-common/tracker-ioprio.c	2022-06-14 15:00:54.220000000 +0000
++++ tracker-miners-3.0.5.sw/src/libtracker-miners-common/tracker-ioprio.c	2022-06-14 15:01:54.590000000 +0000
+@@ -62,6 +62,9 @@
+ #elif defined(__ia64__)
+ #define __NR_ioprio_set                 1274
+ #define __NR_ioprio_get                 1275
++#elif defined(__sw_64__)
++#define __NR_ioprio_set                 442
++#define __NR_ioprio_get                 443
+ #elif defined(__alpha__)
+ #define __NR_ioprio_set                 442
+ #define __NR_ioprio_get                 443

tracker3-miners.conf

@@ -0,0 +1 @@
+/usr/lib64/tracker-miners-3.0

tracker3-miners.spec

@@ -0,0 +1,107 @@
+%global systemd_units tracker-extract-3.service tracker-miner-fs-3.service tracker-miner-fs-control-3.service tracker-writeback-3.service
+
+Name:           tracker3-miners
+Version:        3.0.5
+Release:        5
+Summary:        One of two parts of tracker mainly contains the indexer daemon and tools. 
+
+License:        GPLv2+ and LGPLv2+
+URL:            https://wiki.gnome.org/Projects/Tracker
+Source0:        https://download.gnome.org/sources/tracker-miners/3.0/tracker-miners-%{version}.tar.xz
+Source1: 	tracker3-miners.conf
+Patch1:         tracker-miners-3.0.5-sw.patch
+Patch2:         CVE-2023-5557.patch
+
+BuildRequires:  asciidoc libxslt coreutils glib2 glib2-devel gcc giflib-devel meson systemd
+BuildRequires:  pkgconfig(tracker-sparql-3.0) pkgconfig(tracker-testutils-3.0)
+BuildRequires:	pkgconfig(dbus-1) pkgconfig(exempi-2.0)
+BuildRequires:	pkgconfig(gexiv2) pkgconfig(gio-2.0) pkgconfig(gio-unix-2.0) pkgconfig(glib-2.0)
+BuildRequires:	pkgconfig(gmodule-2.0) pkgconfig(gobject-2.0) pkgconfig(gstreamer-1.0)
+BuildRequires:	pkgconfig(gstreamer-audio-1.0) pkgconfig(gstreamer-pbutils-1.0) pkgconfig(gstreamer-tag-1.0)
+BuildRequires:	pkgconfig(gupnp-dlna-2.0) pkgconfig(gupnp-dlna-gst-2.0) pkgconfig(icu-i18n) pkgconfig(icu-uc)
+BuildRequires:	pkgconfig(libexif) pkgconfig(libgsf-1) pkgconfig(libgxps) 
+BuildRequires:	pkgconfig(libiptcdata) pkgconfig(libjpeg) pkgconfig(libosinfo-1.0) pkgconfig(libpng)
+BuildRequires:	pkgconfig(libseccomp) pkgconfig(libtiff-4) pkgconfig(libxml-2.0) pkgconfig(poppler-glib)
+BuildRequires:	pkgconfig(totem-plparser) pkgconfig(upower-glib) pkgconfig(libnm)
+BuildRequires:	pkgconfig(enca) pkgconfig(systemd) chrpath
+
+%{?systemd_requires}
+Requires:       tracker3%{?_isa}
+
+%description
+Tracker is an efficient search engine and for desktop, embedded
+and mobile.
+
+tracker-miners contains the indexer daemon (*tracker-miner-fs*)
+and tools to extract metadata from many different filetypes.
+
+this is for version 3 series.
+
+%prep
+%autosetup -n tracker-miners-%{version} -p1
+
+%build
+%meson \
+  -Dtracker_core=system \
+  -Dcue=disabled \
+  -Dminer_rss=false \
+  -Dsystemd_user_services_dir=%{_userunitdir} \
+  %{nil}
+
+%meson_build
+
+%install
+%meson_install
+
+%find_lang tracker3-miners
+chrpath -d %{buildroot}%{_libexecdir}/tracker-*
+chrpath -d %{buildroot}%{_libexecdir}/tracker3/*
+chrpath -d %{buildroot}%{_libdir}/tracker-miners-3.0/libtracker-miner-3.0.so
+
+install -d %{buildroot}%{_sysconfdir}/ld.so.conf.d
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+%ifarch sw_64
+sed -i 's/lib64/lib/g' %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+%endif
+
+%post
+%systemd_user_post %{systemd_units}
+/sbin/ldconfig
+
+%preun
+%systemd_user_preun %{systemd_units}
+
+%postun
+%systemd_user_postun_with_restart %{systemd_units}
+/sbin/ldconfig
+
+%files -f tracker3-miners.lang
+%license COPYING*
+%doc AUTHORS NEWS README.md
+%config(noreplace) %{_sysconfdir}/xdg/autostart/tracker-miner-fs-3.desktop
+%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
+%{_libdir}/tracker-miners-3.0/
+%{_libexecdir}/tracker*
+%{_datadir}/dbus-1/interfaces/org.freedesktop.Tracker3.Miner*.xml
+%{_datadir}/dbus-1/services/org.freedesktop.Tracker*
+%{_datadir}/glib-2.0/schemas/*
+%{_datadir}/tracker3-miners/
+%{_mandir}/man1/tracker*.1*
+%{_userunitdir}/tracker*.service
+
+
+%changelog
+* Mon May 20 2024 technology208 <technology@208suo.com> - 3.0.5-5
+- fix CVE-2023-5557
+
+* Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 3.0.5-4
+- Add sw64 architecture
+
+* Thu Sep 23 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.0.5-3
+- Add dynamic library search path with file
+
+* Thu Sep 09 2021 sunguoshuai <sunguoshuai@huawei.com> - 3.0.5-2
+- del rpath in some binaries
+
+* Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.0.5-1
+- Package init with version 3.0.5