From 4134b11f7ffc2ae0bf116984e40b78e1aa0e356d Mon Sep 17 00:00:00 2001
From: Radomir Vrbovsky
Date: Wed, 10 Sep 2025 22:22:34 +0200
Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules

JIRA: https://issues.redhat.com/browse/RHEL-113127
Upstream: RHEL-ONLY

Enhances the list subcommand to display the CVE identifiers addressed by each installed patch module.

The CVEs are extracted directly from the RPM changelogs of the corresponding modules, giving users clearer insight into the security issues mitigated by livepatch updates.

V2:
* Remove temporary files in favor of associative arrays
* Use printf and sed for indentation instead of a loop

V3:
* Syntactic changes using ShellCheck

Resolves: RHEL-113127
Signed-off-by: Radomir Vrbovsky
---
 ...st-CVEs-for-loaded-livepatch-modules.patch | 101 ++++++++++++++++++
 kpatch.spec | 8 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch

diff --git a/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
new file mode 100644
index 0000000..9392b81
--- /dev/null
+++ b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-113127
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky
+---
+ kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+ # displaying information about kernel patch modules installed on the system.
+ 
+ INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.10"
+ POST_ENABLE_WAIT=15 # seconds
+ POST_SIGNAL_WAIT=60 # seconds
+ MODULE_REF_WAIT=15 # seconds
+ 
++declare -A CVE_LIST
++
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+ # How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+ MODVER="${MODVER/ */}"
+ }
+ 
++query_module_cves() {
++ local module=$1
++ local rpm_log
++ local cve_list
++
++ [[ -z "$module" ]] && return
++
++ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++ [[ -z "$rpm_log" ]] && return
++
++ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++ CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++ for kdir in "$RPMINSTALLDIR"/*; do
++ [[ -e "$kdir" ]] || continue
++ for module in "$kdir"/*.ko; do
++ [[ -e "$module" ]] || continue
++ mod_name "$module"
++ query_module_cves "$module"
++ done
++ done
++}
++
+ unset MODULE
+ 
+ # Initialize the $SYSFS var. This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+ 
+ "list")
+ [[ "$#" -ne 1 ]] && usage
++ query_cves
+ echo "Loaded patch modules:"
+ for module in "$SYSFS"/*; do
+ if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+ || state="disabled"
+ fi
+ echo "$modname [$state]"
++ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++ fi
+ fi
+ done
+ show_stalled_processes
+--
+2.48.1
+
diff --git a/kpatch.spec b/kpatch.spec
index d6490c5..c23762b 100644
--- a/kpatch.spec
+++ b/kpatch.spec
@@ -2,7 +2,7 @@ Name: kpatch
 Version: 0.9.10
-Release: 5%{?dist}
+Release: 20%{?dist}
 Summary: Dynamic kernel patch manager
 Group: System Environment/Kernel
@@ -15,6 +15,7 @@ Source1: kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
 Patch0: 0001-contrib-disable-upstart-kpatch.conf-install.patch
 Patch1: 0002-kpatch-clarify-unload-unsupport.patch
 Patch2: 0003-do-not-rm-selinux-rpm-owned-directory.patch
+Patch3: 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
 # Upstream backports (inactive -- for future reference)
 #Patch100: 0100-xxx.patch
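Review bot: In the embedded kpatch hunk `-605,6`, `[[ -v "CVE_LIST[$MODNAME]" ]]` keys on the global `MODNAME`, which this patch last assigns through `mod_name` inside `query_cves`, so at that point it names the last .ko found under `$RPMINSTALLDIR` rather than the loaded module being printed — unless the list-loop lines between the two inner hunks (not in view; the `"list")` case also continues past the hunk) reassign it for `$module`. The line above prints `$modname`, so the lookup should use that key and test the value rather than the slot, e.g. `if [[ -n "${CVE_LIST[$modname]}" ]]; then`, assuming `mod_name` yields the same spelling as the sysfs directory name; `-n` also suppresses the bare tab line emitted when a changelog lists no CVE, since `query_module_cves` stores an empty string in that case. In `query_module_cves`, `rpm -q --whatprovides` prints its "no package provides …" notice on stdout and exits non-zero for an unowned file, and that text is then handed to `rpm -q --changelog` as a package name, whose own notice likely keeps `$rpm_log` non-empty and defeats the `-z` guard; capture the status first, `pkg=$(rpm -q --whatprovides "$module") || return` then `rpm_log=$(rpm -q --changelog "$pkg") || return`. Passing the array key to `query_module_cves` as an explicit second argument instead of reading `$MODNAME` would also make its dependence on the preceding `mod_name` call visible.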
@@ -53,6 +54,7 @@ kpatch-patch packages updates.
 %patch -P 0 -p1
 %patch -P 1 -p1
 %patch -P 2 -p1
+%patch -P 3 -p1
 # Use this to apply upstream patches to kpatch
 #%patch -P 100 -p1
@@ -94,6 +96,10 @@ echo "To enable automatic kpatch-patch subscription, run:"
 echo -e "\t$ dnf kpatch auto"
 %changelog
+* Tue Sep 09 2025 Rado Vrbovsky 0.9.7-20
+- Rebase kpatch with upstream to v0.9.10 (RHEL-113127)
+- Provide a list of CVEs currently patched using live patches (RHEL-106283)
+
 * Thu Apr 10 2025 Rado Vrbovsky 0.9.7-5
 - Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-85686)