rpms/booth
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c9-beta
Branches Tags
rpms:c8
rpms:c9
rpms:c10s
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/booth-1.1-2.el9
rpms:imports/c10s/booth-1.2-3.el10
rpms:imports/c10s/booth-1.2-2.el10
rpms:imports/c8/booth-1.1-1.el8_10.1
rpms:imports/c9/booth-1.1-1.el9_4.1
rpms:imports/c8/booth-1.1-1.el8
rpms:imports/c9/booth-1.1-1.el9
rpms:imports/c8/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c9/booth-1.0-283.1.9d4029a.git.el9
rpms:imports/c9-beta/booth-1.0-283.1.9d4029a.git.el9
rpms:imports/c8-beta/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c8s/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c9/booth-1.0-251.5.bfb2f92.git.el9_1
rpms:imports/c9/booth-1.0-251.4.bfb2f92.git.el9
rpms:imports/c8/booth-1.0-199.2.ac1d34c.git.el8
rpms:imports/c9-beta/booth-1.0-251.3.bfb2f92.git.el9_0.1
rpms:imports/c8-beta/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c8s/booth-1.0-199.2.ac1d34c.git.el8
rpms:imports/c9/booth-1.0-251.3.bfb2f92.git.el9_0.1
rpms:imports/c8/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c8s/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c9/booth-1.0-251.2.bfb2f92.git.el9
rpms:imports/c9-beta/booth-1.0-251.2.bfb2f92.git.el9
rpms:imports/c8-beta/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8-beta/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8-beta/booth-1.0-5.f2d38ce.git.el8
rpms:imports/c8s/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8s/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8/booth-1.0-5.f2d38ce.git.el8
...
pull from: rpms:c8
Branches Tags
rpms:c9
rpms:c10s
rpms:c8
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c9/booth-1.1-2.el9
rpms:imports/c10s/booth-1.2-3.el10
rpms:imports/c10s/booth-1.2-2.el10
rpms:imports/c8/booth-1.1-1.el8_10.1
rpms:imports/c9/booth-1.1-1.el9_4.1
rpms:imports/c8/booth-1.1-1.el8
rpms:imports/c9/booth-1.1-1.el9
rpms:imports/c8/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c9/booth-1.0-283.1.9d4029a.git.el9
rpms:imports/c9-beta/booth-1.0-283.1.9d4029a.git.el9
rpms:imports/c8-beta/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c8s/booth-1.0-283.1.9d4029a.git.el8
rpms:imports/c9/booth-1.0-251.5.bfb2f92.git.el9_1
rpms:imports/c9/booth-1.0-251.4.bfb2f92.git.el9
rpms:imports/c8/booth-1.0-199.2.ac1d34c.git.el8
rpms:imports/c9-beta/booth-1.0-251.3.bfb2f92.git.el9_0.1
rpms:imports/c8-beta/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c8s/booth-1.0-199.2.ac1d34c.git.el8
rpms:imports/c9/booth-1.0-251.3.bfb2f92.git.el9_0.1
rpms:imports/c8/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c8s/booth-1.0-199.1.ac1d34c.git.el8_6.1
rpms:imports/c9/booth-1.0-251.2.bfb2f92.git.el9
rpms:imports/c9-beta/booth-1.0-251.2.bfb2f92.git.el9
rpms:imports/c8-beta/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8-beta/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8-beta/booth-1.0-5.f2d38ce.git.el8
rpms:imports/c8s/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8s/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8/booth-1.0-199.1.ac1d34c.git.el8
rpms:imports/c8/booth-1.0-6.ac1d34c.git.el8.2
rpms:imports/c8/booth-1.0-5.f2d38ce.git.el8

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

4 changed files with 152 additions and 110 deletions
Show Stats Expand all files Collapse all files

1
.booth.metadata
View File

@ -1 +0,0 @@
7d9cbffc7e0392a7857af08d6f466d9d97631f72 SOURCES/booth-1.1.tar.gz

37
SOURCES/RHEL-32613-1-attr-Fix-reading-of-server_reply.patch Normal file
View File

@ -0,0 +1,37 @@
From 4bdd96d767fc38239c4fac9e95404da99f61ac65 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 17:40:11 +0100
Subject: [PATCH 1/4] attr: Fix reading of server_reply
read_server_reply first reads boothc header and then rest of packet
which contains hmac info. This should go in memory right after
boothc_header and not after full length of packet, because full length
of packet already contains hmac info.
Solution is to simply use length of header and not length of packet.
Longer term and better solution would be to drop read_server_reply
completely and use recv_auth which is used for everything else but attr
set and delete.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
src/attr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/attr.c b/src/attr.c
index 44061e3..bc154f0 100644
--- a/src/attr.c
+++ b/src/attr.c
@@ -142,7 +142,7 @@ static int read_server_reply(
return -2;
}
len = ntohl(header->length);
- rv = tpt->recv(site, msg+len, len-sizeof(*header));
+ rv = tpt->recv(site, msg+sizeof(*header), len-sizeof(*header));
if (rv < 0) {
return -1;
}
--
2.44.0

65
SOURCES/RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch Normal file
View File

@ -0,0 +1,65 @@
From 91fcfb5708f829ecff7d098ed4c0fc8f2da6d599 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Wed, 21 Feb 2024 18:12:28 +0100
Subject: [PATCH 2/4] auth: Check result of gcrypt gcry_md_get_algo_dlen
When unknown hash is passed to gcry_md_get_algo_dlen 0 is returned. This
value is then used for memcmp so wrong hmac might be accepted as
correct.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
---
src/auth.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/auth.c b/src/auth.c
index 8f86b9a..a3b3d20 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,11 @@ int calc_hmac(const void *data, size_t datalen,
{
static gcry_md_hd_t digest;
gcry_error_t err;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
if (!digest) {
err = gcry_md_open(&digest, hid, GCRY_MD_FLAG_HMAC);
@@ -42,7 +47,7 @@ int calc_hmac(const void *data, size_t datalen,
}
}
gcry_md_write(digest, data, datalen);
- memcpy(result, gcry_md_read(digest, 0), gcry_md_get_algo_dlen(hid));
+ memcpy(result, gcry_md_read(digest, 0), hlen);
gcry_md_reset(digest);
return 0;
}
@@ -54,15 +59,20 @@ int verify_hmac(const void *data, size_t datalen,
{
unsigned char *our_hmac;
int rc;
+ int hlen;
+
+ hlen = gcry_md_get_algo_dlen(hid);
+ if (!hlen)
+ return -1;
- our_hmac = malloc(gcry_md_get_algo_dlen(hid));
+ our_hmac = malloc(hlen);
if (!our_hmac)
return -1;
rc = calc_hmac(data, datalen, hid, our_hmac, key, keylen);
if (rc)
goto out_free;
- rc = memcmp(our_hmac, hmac, gcry_md_get_algo_dlen(hid));
+ rc = memcmp(our_hmac, hmac, hlen);
out_free:
if (our_hmac)
--
2.44.0

159
SPECS/booth.spec
View File

@ -22,7 +22,7 @@
%bcond_with html_man
%bcond_with glue
%bcond_with run_build_tests
%bcond_with include_unit_test
%bcond_without include_unit_test
## User and group to use for nonprivileged services (should be in sync with pacemaker)
%global uname hacluster
@ -41,12 +41,14 @@
Name: booth
Version: 1.1
Release: 1%{?dist}
Release: 1%{?dist}.1
Summary: Ticket Manager for Multi-site Clusters
License: GPLv2+
Url: https://github.com/%{github_owner}/%{name}
Source0: https://github.com/%{github_owner}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch0: rhel-specific-0001-config-Add-enable-authfile-option.patch
Patch1: RHEL-32613-1-attr-Fix-reading-of-server_reply.patch
Patch2: RHEL-32613-2-auth-Check-result-of-gcrypt-gcry_md_get_algo_dlen.patch
# direct build process dependencies
BuildRequires: autoconf
@ -56,7 +58,7 @@ BuildRequires: make
## ./autogen.sh
BuildRequires: /bin/sh
# general build dependencies
BuildRequires: asciidoctor
BuildRequires: asciidoc
BuildRequires: gcc
BuildRequires: pkgconfig
# linking dependencies
@ -83,8 +85,8 @@ BuildRequires: systemd
## for autosetup
BuildRequires: git
%if 0%{?with_run_build_tests}
# check scriptlet (for perl and ss)
BuildRequires: perl-interpreter iproute
# check scriptlet (for perl and netstat)
BuildRequires: perl-interpreter net-tools
%endif
# this is for a composite-requiring-its-components arranged
@ -168,8 +170,8 @@ Requires: %{__python3}
%if 0%{?with_include_unit_test}
Requires: python3-pexpect
%endif
# runtests.py suite (for perl and ss)
Requires: perl-interpreter iproute
# runtests.py suite (for perl and netstat)
Requires: perl-interpreter net-tools
%description test
Automated tests for running Booth, ticket manager for multi-site clusters.
@ -295,139 +297,78 @@ VERBOSE=1 make check
%{_usr}/lib/ocf/resource.d/booth/sharedrsc
%changelog
* Thu Nov 23 2023 Jan Friesse <jfriesse@redhat.com> - 1.1-1
- Resolves: RHEL-15268
- Resolves: RHEL-7029
* Tue Apr 30 2024 Jan Friesse <jfriesse@redhat.com> - 1.1-1.1
- Resolves: RHEL-32613
- New upstream release (RHEL-15268)
- attr: Fix reading of server_reply
- auth: Check result of gcrypt gcry_md_get_algo_dlen (fixes CVE-2024-3049)
* Thu Nov 23 2023 Jan Friesse <jfriesse@redhat.com> - 1.1-1
- Resolves: RHEL-15265
- New upstream release (RHEL-15265)
- Upstream releases should now be released regularly, so convert spec
to use them instead of git snapshots (RHEL-15268)
- Fix exit code on grant/revoke command error (RHEL-7029)
to use them instead of git snapshots (RHEL-15265)
* Mon Nov 21 2022 Jan Friesse <jfriesse@redhat.com> - 1.0-283.1.9d4029a.git
- Resolves: rhbz#2135866
- Resolves: rhbz#2135865
- Update to current snapshot (commit 9d4029a) (rhbz#2135866)
- Update to current snapshot (commit 9d4029a) (rhbz#2135865)
* Tue Oct 25 2022 Jan Friesse <jfriesse@redhat.com> - 1.0-251.5.bfb2f92.git
- Resolves: rhbz#2133833
- unit file: Remove Alias directive
* Tue Aug 09 2022 Jan Friesse <jfriesse@redhat.com> - 1.0-251.4.bfb2f92.git
- Related: rhbz#2111669
- Remove template unit from systemd_(post|preun|postun_with_restart) macro
* Wed Aug 03 2022 Jan Friesse <jfriesse@redhat.com> - 1.0-251.3.bfb2f92.git
- Resolves: rhbz#2111669
* Wed Aug 03 2022 Jan Friesse <jfriesse@redhat.com> - 1.0-199.2.ac1d34c.git
- Resolves: rhbz#2111668
- Fix authfile directive handling in booth config file
(fixes CVE-2022-2553)
- Add enable-authfile option
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.0-251.2.bfb2f92.git
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu May 20 2021 Jan Friesse <jfriesse@redhat.com> - 1.0-251.1.bfb2f92.git
- Related: rhbz#1961216
- Rebase to newest upstream snapshot
* Tue May 18 2021 Jan Friesse <jfriesse@redhat.com> - 1.0-249.1.977726e.git
- Resolves: rhbz#1961216
- Do not include unit-test by default
- Rebase to newest upstream snapshot
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.0-239.3.52ec255.git
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-239.2.52ec255.git
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 23 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-239.1.52ec255.git
- Rebase to newest upstream snapshot
* Thu Oct 15 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-237.2.dd88847.git
- Fix dist macro
* Thu Oct 15 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-237.1.dd88847.git
- Rebase to newest upstream snapshot
* Thu Oct 15 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-199.1.ac1d34c.git
- Implement new versioning scheme
- Resolves: rhbz#1873948
- Resolves: rhbz#1768172
* Tue Sep 29 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-6.ac1d34c.git.5
- Remove net-tools (netstat) dependency and replace it with iproute (ss)
- Disable running tests during build by default (conditional run_build_tests)
- Fix versioning scheme to handle updates better
- Handle updated exit code of crm_ticket
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-6.ac1d34c.git.4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 3 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-6.ac1d34c.git.2
- Related: rhbz#1835831
* Wed Jun 3 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-6.ac1d34c.git.3
- Do not link with the pcmk libraries
- Generate runtests.py and boothtestenv.py with -Es as make check does
* Tue Jun 2 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-6.ac1d34c.git.2
- Require the Python interpreter directly instead of using the package name
* Tue Jun 2 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-6.ac1d34c.git.1
- Update to current snapshot (commit ac1d34c) to fix test suite
- Resolves: rhbz#1602455
- Resolves: rhbz#1682122
- Resolves: rhbz#1768369
- Resolves: rhbz#1835831
* Mon Jun 1 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-5.385cc25.git.3
- Update to current snapshot (commit ac1d34c) to fix test suite,
build warnings and build with gcc10
- Fix hardcoded-library-path
- Package /var/lib/booth where booth can chroot
- Add '?dist' macro to release field
- Pass full path of Python3 to configure
- Add CI tests
- Enable gating
- Fix hardcoded-library-path
* Mon Jun 1 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-5.385cc25.git.2
- Package /var/lib/booth where booth can chroot
* Wed Sep 19 2018 Tomas Orsava <torsava@redhat.com> - 1.0-5.f2d38ce.git
- Require the Python interpreter directly instead of using the package name
- Related: rhbz#1619153
* Thu May 28 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-5.385cc25.git.1
- Fix test subpackage generating
* Thu Jul 19 2018 Jan Pokorný <jpokorny+rpm-booth@redhat.com> - 1.0-4.f2d38ce.git
- revert back to using asciidoc instead of asciidoctor for generating man pages
(rhbz#1603119)
- fix some issues in the shell scripts (rhbz#1602455)
* Wed May 27 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-5.385cc25.git
- Update to current snapshot (commit 385cc25) to fix build warnings
* Wed May 13 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-4.5d837d2.git.2
- Rebuild for the new libqb
* Mon May 4 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-4.5d837d2.git.1
- Add '?dist' macro to release field
* Mon May 4 2020 Jan Friesse <jfriesse@redhat.com> - 1.0-4.5d837d2.git
- Update to current snapshot (commit 5d837d2) to build with gcc10
- Pass full path of Python3 to configure
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3.f2d38ce.git.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3.f2d38ce.git.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3.f2d38ce.git.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Jan Pokorný <jpokorny+rpm-booth@fedoraproject.org> - 1.0-3.f2d38ce.git
* Mon Jul 16 2018 Jan Pokorný <jpokorny+rpm-booth@redhat.com> - 1.0-3.f2d38ce.git
- update for another, current snapshot beyond booth-1.0
(commit f2d38ce), including:
. support for solely manually managed tickets (9a365f9)
. use asciidoctor instead of asciidoc for generating man pages (65e6a6b)
- switch to using Python 3 for the tests instead of Python 2
(behind unversioned "python" references; rhbz#1555651)
(behind unversioned "python" references; rhbz#1590856)
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2.570876d.git.6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2.570876d.git.5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2.570876d.git.4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2.570876d.git.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jun 21 2018 Troy Dawson <tdawson@redhat.com> - 1.0-2.570876d.git.3
- Fix python shebangs (#1580601)
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2.570876d.git.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild