Import rpm: c8s

James Antill 2023-02-27 12:34:35 -05:00
commit 3683c52c44
7 changed files with 326 additions and 0 deletions

2
.gitignore vendored Normal file

@ -0,0 +1,2 @@
SOURCES/dbxtool-8.tar.bz2
/dbxtool-8.tar.bz2


@ -0,0 +1,28 @@
From 8a6039df37353a3ef9208de0c4d63b611f549922 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 19 Oct 2017 12:46:53 -0400
Subject: [PATCH 1/2] *don't* use -f in dbxtool.service
Use -q to make it quiet but don't try to override it when we think it
won't work.
Related: rhbz#1489942
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/dbxtool.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/dbxtool.service b/src/dbxtool.service
index fcfb6e6..1a2a829 100644
--- a/src/dbxtool.service
+++ b/src/dbxtool.service
@@ -7,4 +7,4 @@ WantedBy=multi-user.target
[Service]
RemainAfterExit=yes
-ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q -f
+ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q
--
2.14.2
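Review bot: Dropping -f from ExecStart in src/dbxtool.service makes the unit's result depend on what dbxtool exits with under -q when PK/KEK are not enrolled, and neither the commit message nor the unit file says what that is. "when we think it won't work" should name the condition and the expected exit status. This change should also land together with 2/2: the lines removed there show the old path ending in `if (!force) exit(1);`, so with this patch alone the service would end up failed on exactly the systems it is meant to leave alone.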


@ -0,0 +1,36 @@
From 946380463bb9a233381fc122a8374806d77b1778 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 23 Oct 2017 09:45:48 -0400
Subject: [PATCH 2/2] Make quiet exit on missing PK/KEK not return error
status.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/dbxtool.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/dbxtool.c b/src/dbxtool.c
index 717c991..b2cb587 100644
--- a/src/dbxtool.c
+++ b/src/dbxtool.c
@@ -541,13 +541,14 @@ check_pk_and_kek(bool force, bool quiet)
}
}
if (!all_found) {
- if (!quiet) {
+ if (quiet) {
+ if (!force)
+ exit(0);
+ } else {
if (!force)
errx(1, "Not attempting to apply updates.");
warnx("attempting to apply updates anyway.");
}
- if (!force)
- exit(1);
}
}
--
2.14.2
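Review bot: In check_pk_and_kek(), the new `if (quiet) { if (!force) exit(0); }` branch makes "PK/KEK not found, nothing applied" indistinguishable from a successful run: no message and exit status 0. For a tool that applies Secure Boot revocations, a skipped update should stay observable. Consider a distinct, documented exit status that the unit accepts through systemd's SuccessExitStatus=, or one log line even under quiet, and describe the behaviour in the man page. When quiet and force are both set the function falls through with no warnx(); if that is intended, a short comment would say so.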


@ -0,0 +1,70 @@
From 50b302ea7b6bd41c38d50b2af9d89af5f715068a Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Wed, 16 May 2018 14:06:48 +0200
Subject: [PATCH] fix relop in esl_iter_next()
esl_iter_next() seeks to the next EFI_SIGNATURE_LIST object in the
signature database that's being processed.
- The position of the current (just processed) EFI_SIGNATURE_LIST object
in the signature database is "iter->offset".
- The size of the same is in "iter->esl->SignatureListSize".
- The size of the whole signature dabatase (containing the current
EFI_SIGNATURE_LIST) is in "iter->len".
Thus, we need to advance "iter->offset" by "iter->esl->SignatureListSize",
to reach the next EFI_SIGNATURE_LIST object.
While advancing, we must not exceed the whole signature database. In other
words, the (exclusive) end of the just processed EFI_SIGNATURE_LIST object
is required to precede, or equal, the (exclusive) end of the signature
database. Hence the "good" condition is:
iter->offset + iter->esl->SignatureListSize <= iter->len
The "bad" condition is the negation of the above:
iter->offset + iter->esl->SignatureListSize > iter->len
Because we don't trust "iter->esl->SignatureListSize" (since that was
simply read from the binary blob, not computed by ourselves), we don't
want to add to it or subtract from it (integer overflow!), we just want to
use it naked for comparison. So we subtract "iter->offset" from both
sides: "iter->offset" and "iter->len" are known-good because we've checked
and computed them all along, so we can perform integer operations on them.
After the subtraction, we have the following condition for *bad*:
iter->esl->SignatureListSize > iter->len - iter->offset
Another way to put the same condition, for *bad*, is to swing the sides
around the relop (giving a spin to the relop as well):
iter->len - iter->offset < iter->esl->SignatureListSize
The controlling expression in esl_iter_next() is just this, except for the
typo in the relational operator. Fix it.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1508808
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
src/iter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iter.c b/src/iter.c
index 45ee059e74c..f19166ab276 100644
--- a/src/iter.c
+++ b/src/iter.c
@@ -222,7 +222,7 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type,
vprintf("Getting next EFI_SIGNATURE_LIST\n");
efi_guid_t type;
esl_get_type(iter, &type);
- if (iter->len - iter->offset > iter->esl->SignatureListSize) {
+ if (iter->len - iter->offset < iter->esl->SignatureListSize) {
warnx("EFI Signature List is malformed");
errx(1, "list has %zd bytes left, element is %"PRIu32" bytes",
iter->len - iter->offset,
--
2.29.2
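Review bot: The corrected test in esl_iter_next() bounds SignatureListSize only from above (`iter->len - iter->offset < iter->esl->SignatureListSize`); nothing in this hunk rejects a value that is zero or smaller than the EFI_SIGNATURE_LIST header, and advancing iter->offset by such a value would make no progress or land inside the current header. If that lower bound is not checked elsewhere in the function, add it next to this comparison. The subtraction also relies on iter->offset <= iter->len, which the commit message asserts but the code at this site does not record; a comment or assert would help. Separately, %zd in the errx() format expects a signed size, so confirm it matches the type of iter->len - iter->offset.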

45
dbxtool-8-ccldflags.patch Normal file

@ -0,0 +1,45 @@
From f229181c015f7353602e6b32e6ed61f9b47480ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0abata?= <contyk@redhat.com>
Date: Thu, 12 Apr 2018 12:58:51 +0200
Subject: [PATCH] Respect environment CCLDFLAGS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow passing custom flags for the linker.
Signed-off-by: Petr Šabata <contyk@redhat.com>
---
Make.defaults | 2 +-
src/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 9bfa5b2..1030be9 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -14,7 +14,7 @@ BUILDFLAGS = $(CFLAGS) -fPIC -fshort-wchar -fno-strict-aliasing \
--param=ssp-buffer-size=4 -fexceptions
ASFLAGS =
LDFLAGS = -nostdlib
-CCLDFLAGS = -shared
+CCLDFLAGS += -shared
INSTALL = install
COMPILER ?=
diff --git a/src/Makefile b/src/Makefile
index 1a6277a..669bfab 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.defaults
PKLIBS = efivar
LIBS = popt
LDFLAGS =
-CCLDFLAGS = $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
+CCLDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
BUILDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib)))
TARGETS = dbxtool
--
2.17.0
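Review bot: Switching both assignments to `+=` changes more than the subject says. src/Makefile includes Make.defaults, so `CCLDFLAGS += $(foreach pklib,...)` now inherits `-shared` from Make.defaults, which the old `=` discarded, and the dbxtool target would be linked with it whenever CCLDFLAGS comes from the environment. When CCLDFLAGS is passed on the make command line instead, GNU make gives that assignment precedence over makefile assignments, `+=` included, unless `override` is used, so both `+=` lines are ignored and the pkg-config -L flags are dropped. Keep the project's own flags in these variables with `=` and append a separate user-supplied variable at the link step, or use `override` deliberately and drop `-shared` from what src/Makefile sees.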

144
dbxtool.spec Normal file

@ -0,0 +1,144 @@
Name: dbxtool
Version: 8
Release: 5%{?dist}.2
Summary: Secure Boot DBX updater
License: GPLv2
URL: https://github.com/vathpela/dbxtool
ExclusiveArch: i386 x86_64 aarch64
BuildRequires: popt-devel git systemd
BuildRequires: efivar-devel >= 31-3
Requires: efivar >= 31-3
Requires(post): systemd
Requires(preun):systemd
Source0: https://github.com/vathpela/dbxtool/releases/download/dbxtool-%{version}/dbxtool-%{version}.tar.bz2
Patch0000: %{name}-8-ccldflags.patch
Patch0001: 0001-don-t-use-f-in-dbxtool.service.patch
Patch0002: 0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch
Patch0003: 0003-fix-relop-in-esl_iter_next.patch
%description
This package contains DBX updates for UEFI Secure Boot.
%prep
%setup -q -n %{name}-%{version}
git init
git config user.email "%{name}-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build
make PREFIX=%{_prefix} LIBDIR=%{_libdir} CFLAGS="$RPM_OPT_FLAGS" CCLDFLAGS="%{__global_ldflags}"
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p %{buildroot}/%{_libdir}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
install
rm -f %{buildroot}/%{_docdir}/%{name}/COPYING
%post
%systemd_post dbxtool.service
%preun
%systemd_preun dbxtool.service
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_bindir}/dbxtool
%doc %{_mandir}/man1/*
%dir %{_datadir}/dbxtool/
%{_datadir}/dbxtool/*.bin
%{_unitdir}/dbxtool.service
%changelog
* Wed Jan 20 2021 Jan Hlavac <jhlavac@redhat.com> - 8-5.el8_3.2
- Enable manual gating
Related: rhbz#1681753
Related: rhbz#1912474
* Fri Jan 15 2021 Javier Martinez Canillas <javierm@redhat.com> - 8-5.el8_3.1
- Fix 'EFI Signature List is malformed' error (lersek)
Resolves: rhbz#1912474
* Thu Apr 12 2018 Petr Šabata <contyk@redhat.com> - 8-5
- Fix build flags injection (rhbz#1548123)
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Oct 23 2017 Peter Jones <pjones@redhat.com> - 8-3
- Also don't return error if we're using --quiet and PK/KEK are absent.
Resolves: rhbz#1489942
* Thu Oct 19 2017 Peter Jones <pjones@redhat.com> - 8-2
- Don't use -f in dbxtool.service; that'll make it do the thing we're
trying to avoid.
Resolves: rhbz#1489942
* Wed Oct 18 2017 Peter Jones <pjones@redhat.com> - 8-1
- Update to dbxtool 8
- Make a "make coverity" rule to scan the source
Results at: https://scan.coverity.com/projects/rhboot-dbxtool
- Don't try to apply anything if PK and KEK aren't enrolled
- Add --force and --quiet for the PK/KEK checker, and use them in the
systemd service.
Resolves: rhbz#1489942
- Add a .syntastic_c_config for vim's Syntastic modules
- Use tsearch()/tfind()/tdestroy() from libc instead of ccan htables
- Don't open the dbx file with O_RDWR|O_CREAT, use O_RDONLY.
- Lots of minor bug fixes gcc -Wextra and friends found.
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 7-4
- Rebuild for efivar-31-1.fc26
Related: rhbz#1468841
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 7-2
- Rebuild for newer efivar.
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 7-1
- Update to version 7
- Add new dbxupdate.bin for CVE-2016-3320 and
https://support.microsoft.com/en-us/kb/3179577
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Feb 23 2015 Peter Jones <pjones@redhat.com> - 0.6-4
- Zbigniew Jędrzejewski-Szmek was kind enough to audit the systemd service,
and had some suggestions, as did Harald Hoyer and Lennart Poettering.
Related: rhbz#1181568
* Tue Dec 09 2014 Peter Jones <pjones@redhat.com> - 0.6-3
- Add systemd scriptlets for the service.
* Thu Oct 09 2014 Peter Jones <pjones@redhat.com> - 0.6-2
- Require efivar >= 0.14-1 specifically.
* Wed Oct 08 2014 Peter Jones <pjones@redhat.com> - 0.6-1
- Update to 0.6
- make "dbxtool -l" correctly show not-well-known guids.
* Tue Oct 07 2014 Peter Jones <pjones@redhat.com> - 0.5-1
- Update to 0.5:
- make applying to dbx when it doesn't exist work (lersek)
- make displaying KEK work right
* Wed Aug 20 2014 Peter Jones <pjones@redhat.com> - 0.4-1
- First packaging attempt.
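Review bot: The scriptlets in dbxtool.spec cover %post and %preun for dbxtool.service but there is no %postun section calling %systemd_postun, and no Requires(postun): systemd to go with it; add both so the three systemd scriptlets are complete. In %build, `CCLDFLAGS="%{__global_ldflags}"` is passed on the make command line, so check how that interacts with the `+=` assignments introduced by Patch0000. BuildRequires lists popt-devel, git, systemd and efivar-devel but neither gcc nor make, although %build and %install run make; declare them explicitly. `rm -rf $RPM_BUILD_ROOT` at the top of %install is not needed with current rpm and can be removed.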

1
sources Normal file

@ -0,0 +1 @@
SHA512 (dbxtool-8.tar.bz2) = 28918c05d3a2a55238f4267e969116bdd3c9fc9f308b1e0249fe22cc06e95a6388e54406273c3b3d076a619a6ac0723b05cacb84bd84f797c954d60f22a86b85