import CS git kpatch-0.9.10-10.el9

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/kpatch-dnf-v0.4.tar.gz
-SOURCES/v0.9.7.tar.gz
+SOURCES/kpatch-dnf-v0.5.tar.gz
+SOURCES/v0.9.10.tar.gz

.kpatch.metadata

@@ -1,2 +1,2 @@
-fa86620559069e8253b5172849797a6d03b509be SOURCES/kpatch-dnf-v0.4.tar.gz
-da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz
+28103e07453017fa2db783425dc1c23c3e7f3073 SOURCES/kpatch-dnf-v0.5.tar.gz
+75965e61bf14d5e7c8660e327ef2f0f8c12d0d00 SOURCES/v0.9.10.tar.gz

SOURCES/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch

@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky <rvrbovsk@redhat.com>
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-103845
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
+---
+ kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+ # displaying information about kernel patch modules installed on the system.
+ 
+ INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.10"
+ POST_ENABLE_WAIT=15	# seconds
+ POST_SIGNAL_WAIT=60	# seconds
+ MODULE_REF_WAIT=15	# seconds
+ 
++declare -A CVE_LIST
++
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+ # How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+ 	MODVER="${MODVER/ */}"
+ }
+ 
++query_module_cves() {
++	local module=$1
++	local rpm_log
++	local cve_list
++
++	[[ -z "$module" ]] && return
++
++	rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++	[[ -z "$rpm_log" ]] && return
++
++	cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++	CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++	for kdir in "$RPMINSTALLDIR"/*; do
++		[[ -e "$kdir" ]] || continue
++		for module in "$kdir"/*.ko; do
++			[[ -e "$module" ]] || continue
++			mod_name "$module"
++			query_module_cves "$module"
++		done
++	done
++}
++
+ unset MODULE
+ 
+ # Initialize the $SYSFS var.  This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+ 
+ "list")
+ 	[[ "$#" -ne 1 ]] && usage
++	query_cves
+ 	echo "Loaded patch modules:"
+ 	for module in "$SYSFS"/*; do
+ 		if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+ 							 || state="disabled"
+ 			fi
+ 			echo "$modname [$state]"
++			if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++				printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++			fi
+ 		fi
+ 	done
+ 	show_stalled_processes
+-- 
+2.48.1
+

SPECS/kpatch.spec

@@ -1,8 +1,8 @@
-%define kpatch_dnf_ver	0.4
+%define kpatch_dnf_ver	0.5
 
 Name:		kpatch
-Version:	0.9.7
-Release:	2%{?dist}
+Version:	0.9.10
+Release:	10%{?dist}
 Summary:	Dynamic kernel patch manager
 
 Group:		System Environment/Kernel
@@ -15,12 +15,13 @@ Source1:	kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
 Patch0:		0001-contrib-disable-upstart-kpatch.conf-install.patch
 Patch1:		0002-kpatch-clarify-unload-unsupport.patch
 Patch2:		0003-do-not-rm-selinux-rpm-owned-directory.patch
+Patch3:		0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
 
 # Upstream backports (inactive -- for future reference)
-#Patch100:	0100-xxx.patch
+# %%Patch100:	0100-xxx.patch
 
 # kpatch-dnf backports (inactive -- for future reference)
-#Patch200:	0200-foo-bar-etcetera.patch
+# %%Patch200:	0200-foo-bar-etcetera.patch
 
 Requires:	bash kmod binutils
 Recommends:	kpatch-dnf
@@ -39,7 +40,7 @@ Summary:	kpatch-patch manager plugin for DNF
 Version:	%{version}_%{kpatch_dnf_ver}
 BuildRequires:	python3-devel python3-dnf
 Requires:	python3-dnf python3-hawkey
-Provides:	kpatch-dnf
+Provides:	kpatch-dnf = %{version}-%{release}
 
 %description -n kpatch-dnf
 kpatch-dnf is a DNF plugin that manages subscription to kpatch-patch updates.
@@ -48,18 +49,19 @@ kpatch-patch packages updates.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
 # Use this to apply upstream patches to kpatch
-#%patch100 -p1
+# %%patch100 -p1
 
-%setup -D -T -a 1
+%setup -D -T -a 1 -q
 
 # Use this to apply patches to kpatch-dnf (inactive)
-#cd kpatch-dnf-%{kpatch_dnf_ver}
-#%patch200 -p1
-#cd ..
+# cd kpatch-dnf-%%{kpatch_dnf_ver}
+# %%patch200 -p1
+# cd ..
 
 %build
 make -C man
@@ -75,6 +77,9 @@ rm -f %{buildroot}/usr/share/man/man1/kpatch-build.1.gz
 
 make install PREFIX=/usr DESTDIR=%{buildroot} PYTHONSITES=%{python3_sitelib} -C kpatch-dnf-%{kpatch_dnf_ver}
 
+%check
+# No check available
+
 %files
 %{_sbindir}/kpatch
 %{_usr}/lib/systemd/system/kpatch.service
@@ -92,6 +97,13 @@ echo "To enable automatic kpatch-patch subscription, run:"
 echo -e "\t$ dnf kpatch auto"
 
 %changelog
+* Thu Sep 11 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-10
+- Rebase kpatch with upstream to v0.9.10 (RHEL-113130)
+- Provide a list of CVEs currently patched using live patches (RHEL-103845)
+
+* Fri Mar 07 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-3
+- Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-77113)
+
 * Wed Nov 16 2022 Yannick Cote <ycote@redhat.com> 0.9.7-2
 - augment kpatch-dnf package versioning to satisfy build (rhbz#2121212)