SOURCES/db-5.3.28-add_getopt_h.patch

@@ -0,0 +1,14 @@
+Patch for coverity issue:
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def182
+
+diff -up db-5.3.28/util/db_dump185.c.add_getopt_h db-5.3.28/util/db_dump185.c
+--- db-5.3.28/util/db_dump185.c.add_getopt_h	2019-02-11 10:20:37.739871387 +0100
++++ db-5.3.28/util/db_dump185.c	2019-02-11 10:21:11.348371222 +0100
+@@ -19,6 +19,7 @@ static const char copyright[] =
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <getopt.h>
+ 
+ #ifdef HAVE_DB_185_H
+ #include <db_185.h>

SOURCES/db-5.3.28-add_stdio_h.patch

@@ -0,0 +1,14 @@
+Patch for https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def1
+
+
+diff -up db-5.3.28/db.1.85/PORT/clib/snprintf.c.add_stdio_h db-5.3.28/db.1.85/PORT/clib/snprintf.c
+--- db-5.3.28/db.1.85/PORT/clib/snprintf.c.add_stdio_h	2019-02-11 10:01:03.386405802 +0100
++++ db-5.3.28/db.1.85/PORT/clib/snprintf.c	2019-02-11 10:01:26.805754113 +0100
+@@ -2,6 +2,7 @@
+ #include <sys/cdefs.h>
+ 
+ #include <compat.h>
++#include <stdio.h>
+ 
+ #ifdef __STDC__
+ #include <stdarg.h>

SOURCES/db-5.3.28-add_sys_file_h.patch

@@ -0,0 +1,14 @@
+Patch for coverity issue:
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def141
+
+diff -up db-5.3.28/src/os/os_flock.c.add_sys_file_h db-5.3.28/src/os/os_flock.c
+--- db-5.3.28/src/os/os_flock.c.add_sys_file_h	2019-02-11 10:17:20.575939063 +0100
++++ db-5.3.28/src/os/os_flock.c	2019-02-11 10:17:41.037243374 +0100
+@@ -9,6 +9,7 @@
+ #include "db_config.h"
+ 
+ #include "db_int.h"
++#include <sys/file.h>
+ 
+ #if !defined(HAVE_FCNTL) || !defined(HAVE_FLOCK)
+ static int __os_filelocking_notsup __P((ENV *));

SOURCES/db-5.3.28-fix-CWE-686-398.patch

@@ -1,54 +0,0 @@
-This patch fixes: CWE-686,CWE-398
-
-diff -ur db-5.3.28/src/log/log_verify_int.c new/src/log/log_verify_int.c
---- db-5.3.28/src/log/log_verify_int.c	2013-09-09 17:35:08.000000000 +0200
-+++ new/src/log/log_verify_int.c	2021-08-05 13:33:06.378608924 +0200
-@@ -433,9 +433,9 @@
- 		putflag = DB_CURRENT;
- 		doput = 1;
- 	}
-+    if (doput)
-+        ret = __dbc_put(csr, &key, &data, putflag);
- 
--	if (doput && (ret = __dbc_put(csr, &key, &data, putflag)) != 0)
--		goto err;
- err:
- 	if (csr != NULL && (tret = __dbc_close(csr)) != 0 && ret == 0)
- 		ret = tret;
-diff -ur db-5.3.28/src/log/log_verify_util.c new/src/log/log_verify_util.c
---- db-5.3.28/src/log/log_verify_util.c	2013-09-09 17:35:08.000000000 +0200
-+++ new/src/log/log_verify_util.c	2021-08-04 15:10:07.900854238 +0200
-@@ -2140,8 +2140,7 @@
- 	for (ret = __dbc_pget(csr, &key, &data2, &data, DB_SET); ret == 0;
- 	    ret = __dbc_pget(csr, &key, &data2, &data, DB_NEXT_DUP))
- 		BDBOP(__db_put(pdb, lvh->ip, NULL, &data2, &key2, 0));
--	if ((ret = __del_txn_pages(lvh, ctxn)) != 0 && ret != DB_NOTFOUND)
--		goto err;
-+    ret = __del_txn_pages(lvh, ctxn);
- err:
- 	if (csr != NULL && (tret = __dbc_close(csr)) != 0 && ret == 0)
- 		ret = tret;
-diff -ur db-5.3.28/src/rep/rep_backup.c new/src/rep/rep_backup.c
---- db-5.3.28/src/rep/rep_backup.c	2013-09-09 17:35:09.000000000 +0200
-+++ new/src/rep/rep_backup.c	2021-08-04 14:47:51.967782566 +0200
-@@ -542,8 +542,6 @@
- 
- 	ret = __memp_fput(dbp->mpf, ip, pagep, dbc->priority);
- 	pagep = NULL;
--	if (ret != 0)
--		goto err;
- err:
- 	/*
- 	 * Check status of pagep in case any new error paths out leave
-diff -ur db-5.3.28/util/db_dump185.c new/util/db_dump185.c
---- db-5.3.28/util/db_dump185.c	2013-09-09 17:35:12.000000000 +0200
-+++ new/util/db_dump185.c	2021-08-04 14:45:37.592794678 +0200
-@@ -19,7 +19,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
--
-+#include <unistd.h>
- #ifdef HAVE_DB_185_H
- #include <db_185.h>
- #else

SOURCES/db-5.3.28-mmap-high-cpu-usage.patch

@@ -1,18 +1,28 @@
 Author: Filip Januš <fjanus@redhat.com>
 Date: 6 Sep 2021
 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1992402
-Patch was created based on the discussion in the previous link
-diff -ur db-5.3.28/src/os/os_map.c db_patch/src/os/os_map.c
+
+Changing the size to max if set in the environment.
+
+Do it also every-time on aarch64 as this issue caused rpm to hang staring 8.4.0
+(likely influenced by changes in other components) and rpm is not able to set
+the environment this way.
+
+diff -ur db-5.3.28/src/os/os_map.c db-patched/src/os/os_map.c
 --- db-5.3.28/src/os/os_map.c	2013-09-09 17:35:09.000000000 +0200
-+++ db_patch/src/os/os_map.c	2021-09-09 07:33:12.027328265 +0200
-@@ -213,7 +213,10 @@
++++ db-patched/src/os/os_map.c	2021-09-08 21:45:16.914146219 +0200
+@@ -213,7 +213,14 @@
  	if (rp->max < rp->size)
  		rp->max = rp->size;
  	if (ret == 0 && F_ISSET(infop, REGION_CREATE)) {
 -		if (F_ISSET(dbenv, DB_ENV_REGION_INIT))
-+
-+		rp->size = rp->max;
-+
++#ifdef HAVE_MLOCK
++        if (F_ISSET(env, ENV_LOCKDOWN))
++            rp->size = rp->max;
++#endif
++#if defined(__aarch64__)
++	    rp->size = rp->max;
++#endif
 +        if (F_ISSET(dbenv, DB_ENV_REGION_INIT))
  			ret = __db_file_write(env, infop->fhp,
  			    rp->size / MEGABYTE, rp->size % MEGABYTE, 0x00);

SOURCES/db-5.3.28-openssl.patch

@@ -0,0 +1,207 @@
+diff -up db-5.3.28/dist/aclocal/options.m4.openssl db-5.3.28/dist/aclocal/options.m4
+--- db-5.3.28/dist/aclocal/options.m4.openssl	2013-09-09 17:35:02.000000000 +0200
++++ db-5.3.28/dist/aclocal/options.m4	2018-10-22 11:02:08.037182417 +0200
+@@ -406,7 +406,7 @@ AC_ARG_WITH([cryptography],
+ 	AC_HELP_STRING([--with-cryptography=yes|no|ipp], [Build database cryptography support @<:@default=yes@:>@.]),
+ 	[], [with_cryptography=$enable_cryptography])
+ case "$with_cryptography" in
+-yes|no|ipp) ;;
++yes|no|ipp|openssl) ;;
+ *) AC_MSG_ERROR([unknown --with-cryptography argument \'$with_cryptography\']) ;;
+ esac
+ db_cv_build_cryptography="$with_cryptography"
+diff -up db-5.3.28/dist/configure.ac.openssl db-5.3.28/dist/configure.ac
+--- db-5.3.28/dist/configure.ac.openssl	2018-10-22 11:02:08.019182151 +0200
++++ db-5.3.28/dist/configure.ac	2018-10-22 14:40:52.467991248 +0200
+@@ -994,6 +994,18 @@ in the configured include path.]))
+ 		AC_DEFINE(HAVE_CRYPTO_IPP)
+ 		AH_TEMPLATE(HAVE_CRYPTO_IPP,
+ 		    [Define to 1 if using Intel IPP for cryptography.])
++    else
++        if test "$db_cv_build_cryptography" = "openssl"; then
++            AC_CHECK_HEADERS(openssl/conf.h openssl/evp.h, [], AC_MSG_ERROR([\
++Openssl header files required for OPENSSL cryptography support were not found \
++in the configured include path.]))
++            AC_DEFINE(HAVE_CRYPTO_OPENSSL)
++            AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new,
++                [LDFLAGS="-lcrypto $LDFLAGS"], AC_MSG_ERROR([\
++Libcrypto was not found in the configured library path.]))
++            AH_TEMPLATE(HAVE_CRYPTO_OPENSSL,
++                [Define to 1 if using OpenSSL for cryptography.])
++        fi
+ 	fi
+ else
+ 	CRYPTO_OBJS="crypto_stub${o}"
+diff -up db-5.3.28/dist/Makefile.in.openssl db-5.3.28/dist/Makefile.in
+--- db-5.3.28/dist/Makefile.in.openssl	2018-10-22 11:02:07.997181825 +0200
++++ db-5.3.28/dist/Makefile.in	2018-10-22 11:30:39.442854972 +0200
+@@ -305,9 +305,10 @@ CXX_OBJS=\
+ 	cxx_except@o@ cxx_lock@o@ cxx_logc@o@ cxx_mpool@o@ cxx_multi@o@ \
+ 	cxx_rid@o@ cxx_seq@o@ cxx_site@o@ cxx_txn@o@
+ 
++CRYPTO_OBJS_RIJNDAEL=\
++	rijndael-alg-fst@o@ rijndael-api-fst@o@
+ CRYPTO_OBJS=\
+-	aes_method@o@ crypto@o@ mt19937db@o@ rijndael-alg-fst@o@ \
+-	rijndael-api-fst@o@
++	aes_method@o@ crypto@o@ mt19937db@o@
+ 
+ JAVA_OBJS=\
+ 	db_java_wrap@o@
+diff -up db-5.3.28/src/crypto/aes_method.c.openssl db-5.3.28/src/crypto/aes_method.c
+--- db-5.3.28/src/crypto/aes_method.c.openssl	2013-09-09 17:35:07.000000000 +0200
++++ db-5.3.28/src/crypto/aes_method.c	2018-10-22 17:54:53.439276678 +0200
+@@ -17,6 +17,10 @@
+ 
+ #ifdef HAVE_CRYPTO_IPP
+ #include <ippcp.h>
++#elif defined(HAVE_CRYPTO_OPENSSL)
++#define OPENSSL_AES_ERROR -101
++#include <openssl/conf.h>
++#include <openssl/evp.h>
+ #endif
+ 
+ static void __aes_err __P((ENV *, int));
+@@ -119,11 +123,13 @@ __aes_decrypt(env, aes_data, iv, cipher,
+ 	AES_CIPHER *aes;
+ #ifdef	HAVE_CRYPTO_IPP
+ 	IppStatus ipp_ret;
++#elif defined(HAVE_CRYPTO_OPENSSL)
++   EVP_CIPHER_CTX *ctx;
++   int temp_len;
+ #else
+ 	cipherInstance c;
+-#endif
+ 	int ret;
+-
++#endif
+ 	aes = (AES_CIPHER *)aes_data;
+ 	if (iv == NULL || cipher == NULL)
+ 		return (EINVAL);
+@@ -137,6 +143,32 @@ __aes_decrypt(env, aes_data, iv, cipher,
+ 		__aes_err(env, (int)ipp_ret);
+ 		return (EAGAIN);
+ 	}
++#elif defined(HAVE_CRYPTO_OPENSSL)
++    if(!(ctx = EVP_CIPHER_CTX_new())) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
++        (unsigned char*)iv)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++
++    EVP_CIPHER_CTX_set_padding(ctx, 0);
++
++    if(1 != EVP_DecryptUpdate(ctx, (unsigned char*)cipher, &temp_len,
++        (unsigned char*)cipher, cipher_len)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    cipher_len = temp_len;
++    if(1 != EVP_DecryptFinal_ex(ctx, ((unsigned char*)cipher) + temp_len,
++        &temp_len)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    cipher_len += temp_len;
++    EVP_CIPHER_CTX_free(ctx);
+ #else
+ 	/*
+ 	 * Initialize the cipher
+@@ -174,6 +206,9 @@ __aes_encrypt(env, aes_data, iv, data, d
+ 	AES_CIPHER *aes;
+ #ifdef	HAVE_CRYPTO_IPP
+ 	IppStatus ipp_ret;
++#elif defined(HAVE_CRYPTO_OPENSSL)
++   EVP_CIPHER_CTX *ctx;
++   int temp_len;
+ #else
+ 	cipherInstance c;
+ #endif
+@@ -204,6 +239,32 @@ __aes_encrypt(env, aes_data, iv, data, d
+ 		__aes_err(env, (int)ipp_ret);
+ 		return (EAGAIN);
+ 	}
++#elif defined(HAVE_CRYPTO_OPENSSL)
++    if(!(ctx = EVP_CIPHER_CTX_new())) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
++        (unsigned char*)tmp_iv)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++
++    EVP_CIPHER_CTX_set_padding(ctx, 0);
++
++    if(1 != EVP_EncryptUpdate(ctx, (unsigned char*)data, &temp_len,
++        (unsigned char*)data, data_len)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    data_len = temp_len;
++    if(1 != EVP_EncryptFinal_ex(ctx, ((unsigned char*)data) + temp_len,
++        &temp_len)) {
++		__aes_err(env, OPENSSL_AES_ERROR);
++        return (EAGAIN);
++    }
++    data_len += temp_len;
++    EVP_CIPHER_CTX_free(ctx);
+ #else
+ 	/*
+ 	 * Initialize the cipher
+@@ -254,7 +315,7 @@ __aes_derivekeys(env, db_cipher, passwd,
+ 	SHA1_CTX ctx;
+ #ifdef	HAVE_CRYPTO_IPP
+ 	IppStatus ipp_ret;
+-#else
++#elif !defined(HAVE_CRYPTO_OPENSSL)
+ 	int ret;
+ #endif
+ 	u_int32_t temp[DB_MAC_KEY/4];
+@@ -278,6 +339,8 @@ __aes_derivekeys(env, db_cipher, passwd,
+ 		__aes_err(env, (int)ipp_ret);
+ 		return (EAGAIN);
+ 	}
++#elif defined(HAVE_CRYPTO_OPENSSL)
++    memcpy(aes->key, (unsigned char*) temp, DB_AES_CHUNK);
+ #else
+ 	if ((ret = __db_makeKey(&aes->encrypt_ki, DIR_ENCRYPT,
+ 	    DB_AES_KEYLEN, (char *)temp)) != TRUE) {
+@@ -320,6 +383,10 @@ __aes_err(env, err)
+ 	case ippStsUnderRunErr:
+ 		errstr = DB_STR("0185", "IPP AES srclen size error");
+ 		break;
++#elif defined(HAVE_CRYPTO_OPENSSL)
++	case OPENSSL_AES_ERROR:
++		errstr = DB_STR("0193", "AES unknown error");
++		break;
+ #else
+ 	case BAD_KEY_DIR:
+ 		errstr = DB_STR("0186", "AES key direction is invalid");
+diff -up db-5.3.28/src/dbinc/crypto.h.openssl db-5.3.28/src/dbinc/crypto.h
+--- db-5.3.28/src/dbinc/crypto.h.openssl	2013-09-09 17:35:08.000000000 +0200
++++ db-5.3.28/src/dbinc/crypto.h	2018-10-22 11:02:08.038182432 +0200
+@@ -59,7 +60,9 @@ struct __db_cipher {
+ 
+ #ifdef HAVE_CRYPTO
+ 
++#ifndef HAVE_CRYPTO_OPENSSL
+ #include "crypto/rijndael/rijndael-api-fst.h"
++#endif
+ 
+ /*
+  * Shared ciphering structure
+@@ -77,6 +80,8 @@ typedef struct __cipher {
+ typedef struct __aes_cipher {
+ #ifdef	HAVE_CRYPTO_IPP
+ 	void		*ipp_ctx;	/* IPP key instance */
++#elif defined(HAVE_CRYPTO_OPENSSL)
++    unsigned char key[DB_AES_CHUNK];
+ #else
+ 	keyInstance	decrypt_ki;	/* Decryption key instance */
+ 	keyInstance	encrypt_ki;	/* Encryption key instance */

SOURCES/db-5.3.28-wbool_compare.patch

@@ -0,0 +1,30 @@
+Patch for coverity issues:
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def41
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def42
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def44
+    https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def45
+
+diff -up db-5.3.28/lang/sql/generated/sqlite3.c.libdb-5.3.28-31_coverity_41_42 db-5.3.28/lang/sql/generated/sqlite3.c
+--- db-5.3.28/lang/sql/generated/sqlite3.c.libdb-5.3.28-31_coverity_41_42	2018-11-26 15:01:56.427828116 +0100
++++ db-5.3.28/lang/sql/generated/sqlite3.c	2018-11-26 14:59:10.085403911 +0100
+@@ -114393,7 +114394,7 @@ static int deserializeGeometry(sqlite3_v
+   int nBlob;
+ 
+   /* Check that value is actually a blob. */
+-  if( !sqlite3_value_type(pValue)==SQLITE_BLOB ) return SQLITE_ERROR;
++  if( !(sqlite3_value_type(pValue)==SQLITE_BLOB) ) return SQLITE_ERROR;
+ 
+   /* Check that the blob is roughly the right size. */
+   nBlob = sqlite3_value_bytes(pValue);
+diff -up db-5.3.28/lang/sql/sqlite/ext/rtree/rtree.c.libdb-5.3.28-31_coverity_44_45 db-5.3.28/lang/sql/sqlite/ext/rtree/rtree.c
+--- db-5.3.28/lang/sql/sqlite/ext/rtree/rtree.c.libdb-5.3.28-31_coverity_44_45	2018-11-26 15:07:02.732326934 +0100
++++ db-5.3.28/lang/sql/sqlite/ext/rtree/rtree.c	2018-11-26 15:07:43.104917470 +0100
+@@ -1193,7 +1193,7 @@ static int deserializeGeometry(sqlite3_v
+   int nBlob;
+ 
+   /* Check that value is actually a blob. */
+-  if( !sqlite3_value_type(pValue)==SQLITE_BLOB ) return SQLITE_ERROR;
++  if( !(sqlite3_value_type(pValue)==SQLITE_BLOB) ) return SQLITE_ERROR;
+ 
+   /* Check that the blob is roughly the right size. */
+   nBlob = sqlite3_value_bytes(pValue);

SOURCES/java8-fix.patch

@@ -0,0 +1,23 @@
+diff -up db-5.3.28/lang/java/src/com/sleepycat/asm/ClassReader.java.fix db-5.3.28/lang/java/src/com/sleepycat/asm/ClassReader.java
+--- db-5.3.28/lang/java/src/com/sleepycat/asm/ClassReader.java.fix	2013-09-09 17:35:04.000000000 +0200
++++ db-5.3.28/lang/java/src/com/sleepycat/asm/ClassReader.java	2014-07-14 11:51:27.584432754 +0200
+@@ -163,7 +163,7 @@ public class ClassReader {
+     public ClassReader(final byte[] b, final int off, final int len) {
+         this.b = b;
+         // checks the class version
+-        if (readShort(6) > Opcodes.V1_7) {
++        if (readShort(6) > Opcodes.V1_8) {
+             throw new IllegalArgumentException();
+         }
+         // parses the constant pool
+diff -up db-5.3.28/lang/java/src/com/sleepycat/asm/Opcodes.java.fix db-5.3.28/lang/java/src/com/sleepycat/asm/Opcodes.java
+--- db-5.3.28/lang/java/src/com/sleepycat/asm/Opcodes.java.fix	2014-07-14 11:50:50.432336160 +0200
++++ db-5.3.28/lang/java/src/com/sleepycat/asm/Opcodes.java	2014-07-14 11:51:36.781456666 +0200
+@@ -56,6 +56,7 @@ public interface Opcodes {
+     int V1_5 = 0 << 16 | 49;
+     int V1_6 = 0 << 16 | 50;
+     int V1_7 = 0 << 16 | 51;
++    int V1_8 = 0 << 16 | 52;
+
+     // access flags
+

SPECS/libdb.spec

@@ -1,11 +1,10 @@
 %define __soversion_major 5
 %define __soversion %{__soversion_major}.3
-%define __tclversion 8.6
 
 Summary: The Berkeley DB database library for C
 Name: libdb
 Version: 5.3.28
-Release: 53%{?dist}
+Release: 42%{?dist}
 Source0: http://download.oracle.com/berkeley-db/db-%{version}.tar.gz
 Source1: http://download.oracle.com/berkeley-db/db.1.85.tar.gz
 # For mt19937db.c
@@ -25,6 +24,8 @@ Patch24: db-4.5.20-jni-include-dir.patch
 # License clarification patch
 # http://devel.trisquel.info/gitweb/?p=package-helpers.git;a=blob;f=helpers/DATA/db4.8/007-mt19937db.c_license.patch;h=1036db4d337ce4c60984380b89afcaa63b2ef88f;hb=df48d40d3544088338759e8bea2e7f832a564d48
 Patch25: 007-mt19937db.c_license.patch
+#Adds missing constant to Optcodes.java and changes ClassReader.java to use it. This makes package to build with Java 8. 
+Patch26: java8-fix.patch
 # memp_stat fix provided by upstream (rhbz#1211871)
 Patch27: db-5.3.21-memp_stat-upstream-fix.patch
 # fix for mutexes not being released provided by upstream (rhbz#1277887)
@@ -45,29 +46,44 @@ Patch34: libdb-5.3.21-region-size-check.patch
 # Patch sent upstream
 Patch35: checkpoint-opd-deadlock.patch
 Patch36: db-5.3.28-atomic_compare_exchange.patch
-# CDB race (rhbz #1099509)
+# CDB race (rhbz #1616259)
 Patch37: libdb-cbd-race.patch
+
+# Use AES from openssl
+Patch38: db-5.3.28-openssl.patch
 # Limit concurrency to max 1024 CPUs (rhbz#1245410)
 # A fix for the issue should be in an upstream release already
 # https://community.oracle.com/message/13274780#13274780
-Patch38: libdb-limit-cpu.patch
-# rhbz#1608749 Patch sent upstream
+Patch39: libdb-limit-cpu.patch
+
+# rhbz#1670768 Patch sent upstream
 # Expects libdb-5.3.21-mutex_leak.patch applied
-Patch39: libdb-5.3.21-trickle_cpu.patch
-# cve-2019-2708 fixed by mmuzila
-Patch40: db-5.3.28_cve-2019-2708.patch
-# Downstream covscan patch
-Patch41: db-5.3.28-fix-CWE-686-398.patch
+Patch40: libdb-5.3.21-trickle_cpu.patch
+
+Patch41: db-5.3.28_cve-2019-2708.patch
+
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def182
+Patch200: db-5.3.28-add_getopt_h.patch
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def1
+Patch201: db-5.3.28-add_stdio_h.patch
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def141
+Patch202: db-5.3.28-add_sys_file_h.patch
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def41
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def42
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def44
+# https://cov01.lab.eng.brq.redhat.com/el8-results/el8/libdb-5.3.28-31.el8+7/scan-results-imp.html#def45
+Patch203: db-5.3.28-wbool_compare.patch
 Patch42: db-5.3.28-mmap-high-cpu-usage.patch
 
 URL: http://www.oracle.com/database/berkeley-db/
 License: BSD and LGPLv2 and Sleepycat
-BuildRequires: gcc gcc-c++
+Group: System Environment/Libraries
 BuildRequires: perl-interpreter libtool
-BuildRequires: tcl-devel >= %{__tclversion}
+BuildRequires: tcl-devel >= 8.5.2-3
+BuildRequires: java-devel >= 1:1.6.0
 BuildRequires: chrpath
 BuildRequires: zlib-devel
-BuildRequires: make
+BuildRequires: openssl-devel
 Conflicts: filesystem < 3
 
 %description
@@ -76,12 +92,13 @@ provides embedded database support for both traditional and
 client/server applications. The Berkeley DB includes B+tree, Extended
 Linear Hashing, Fixed and Variable-length record access methods,
 transactions, locking, logging, shared memory caching, and database
-recovery. The Berkeley DB supports C, C++, and Perl APIs. It is
+recovery. The Berkeley DB supports C, C++, Java, and Perl APIs. It is
 used by many applications, including Python and Perl, so this should
 be installed on all systems.
 
 %package utils
 Summary: Command line tools for managing Berkeley DB databases
+Group: Applications/Databases
 Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description utils
@@ -90,10 +107,11 @@ provides embedded database support for both traditional and
 client/server applications. Berkeley DB includes B+tree, Extended
 Linear Hashing, Fixed and Variable-length record access methods,
 transactions, locking, logging, shared memory caching, and database
-recovery. DB supports C, C++ and Perl APIs.
+recovery. DB supports C, C++, Java and Perl APIs.
 
 %package devel
 Summary: C development files for the Berkeley DB library
+Group: Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description devel
@@ -105,6 +123,7 @@ Berkeley DB.
 
 %package devel-doc
 Summary: C development documentation files for the Berkeley DB library
+Group: Documentation
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-devel = %{version}-%{release}
 BuildArch: noarch
@@ -118,6 +137,7 @@ Berkeley DB.
 
 %package devel-static
 Summary: Berkeley DB static libraries
+Group: Development/Libraries
 Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 
 %description devel-static
@@ -129,6 +149,7 @@ Berkeley DB.
 
 %package cxx
 Summary: The Berkeley DB database library for C++
+Group: System Environment/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description cxx
@@ -137,12 +158,13 @@ provides embedded database support for both traditional and
 client/server applications. The Berkeley DB includes B+tree, Extended
 Linear Hashing, Fixed and Variable-length record access methods,
 transactions, locking, logging, shared memory caching, and database
-recovery. The Berkeley DB supports C, C++, and Perl APIs. It is
+recovery. The Berkeley DB supports C, C++, Java, and Perl APIs. It is
 used by many applications, including Python and Perl, so this should
 be installed on all systems.
 
 %package cxx-devel
 Summary: The Berkeley DB database library for C++
+Group: System Environment/Libraries
 Requires: %{name}-cxx%{?_isa} = %{version}-%{release}
 Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 
@@ -152,12 +174,13 @@ provides embedded database support for both traditional and
 client/server applications. The Berkeley DB includes B+tree, Extended
 Linear Hashing, Fixed and Variable-length record access methods,
 transactions, locking, logging, shared memory caching, and database
-recovery. The Berkeley DB supports C, C++, and Perl APIs. It is
+recovery. The Berkeley DB supports C, C++, Java, and Perl APIs. It is
 used by many applications, including Python and Perl, so this should
 be installed on all systems.
 
 %package tcl
 Summary: Development files for using the Berkeley DB with tcl
+Group: Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description tcl
@@ -168,6 +191,7 @@ for building programs which use the Berkeley DB in Tcl.
 
 %package tcl-devel
 Summary: Development files for using the Berkeley DB with tcl
+Group: Development/Libraries
 Requires: %{name}-tcl%{?_isa} = %{version}-%{release}
 
 %description tcl-devel
@@ -178,6 +202,7 @@ for building programs which use the Berkeley DB in Tcl.
 
 %package sql
 Summary: Development files for using the Berkeley DB with sql
+Group: Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description sql
@@ -188,6 +213,7 @@ for building programs which use the Berkeley DB in SQL.
 
 %package sql-devel
 Summary: Development files for using the Berkeley DB with sql
+Group: Development/Libraries
 Requires: %{name}-sql%{?_isa} = %{version}-%{release}
 
 %description sql-devel
@@ -196,6 +222,28 @@ provides embedded database support for both traditional and
 client/server applications. This package contains the libraries
 for building programs which use the Berkeley DB in SQL.
 
+%package java
+Summary: Development files for using the Berkeley DB with Java
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description java
+The Berkeley Database (Berkeley DB) is a programmatic toolkit that
+provides embedded database support for both traditional and
+client/server applications. This package contains the libraries
+for building programs which use the Berkeley DB in Java.
+
+%package java-devel
+Summary: Development files for using the Berkeley DB with Java
+Group: Development/Libraries
+Requires: %{name}-java%{?_isa} = %{version}-%{release}
+
+%description java-devel
+The Berkeley Database (Berkeley DB) is a programmatic toolkit that
+provides embedded database support for both traditional and
+client/server applications. This package contains the libraries
+for building programs which use the Berkeley DB in Java.
+
 %prep
 %setup -q -n db-%{version} -a 1
 cp %{SOURCE2} .
@@ -215,6 +263,7 @@ popd
 %patch22 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
@@ -226,13 +275,22 @@ popd
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
-%patch38 -p1
+%patch38 -p1 -b .openssl
 %patch39 -p1
-%patch40 -p1 -b .cve-2019-2708
-%patch41 -p1
+%patch40 -p1
+%patch41 -p1 -b .cve-2019-2708
+%patch200 -p1
+%patch201 -p1
+%patch202 -p1
+%patch203 -p1
 %patch42 -p1
 
+
+# Delete internal AES implementation
+rm -rf src/crypto/rijndael
+
 cd dist
+./s_include
 ./s_config
 cd ..
 
@@ -241,13 +299,17 @@ CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
 CFLAGS="$CFLAGS -DSHAREDSTATEDIR='\"%{_sharedstatedir}\"' -DSQLITE_ENABLE_COLUMN_METADATA=1 -DSQLITE_DISABLE_DIRSYNC=1 -DSQLITE_ENABLE_FTS3=3 -DSQLITE_ENABLE_RTREE=1 -DSQLITE_SECURE_DELETE=1 -DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -I../../../lang/sql/sqlite/ext/fts3/"
 export CFLAGS
 
+# building with PIE
+LDFLAGS="$LDFLAGS $RPM_LD_FLAGS"
+export LDFLAGS
+
 # Build the old db-185 libraries.
 make -C db.1.85/PORT/%{_os} OORG="$CFLAGS"
 
 test -d dist/dist-tls || mkdir dist/dist-tls
 # Static link db_dump185 with old db-185 libraries.
-/bin/sh libtool --tag=CC --mode=compile	%{__cc} $RPM_OPT_FLAGS  -Idb.1.85/PORT/%{_os}/include -D_REENTRANT -c util/db_dump185.c -o dist/dist-tls/db_dump185.lo
-/bin/sh libtool --tag=LD --mode=link %{__cc} $RPM_LD_FLAGS -o dist/dist-tls/db_dump185 dist/dist-tls/db_dump185.lo db.1.85/PORT/%{_os}/libdb.a
+/bin/sh libtool --tag=CC --mode=compile	%{__cc} $RPM_OPT_FLAGS -Idb.1.85/PORT/%{_os}/include -D_REENTRANT -c util/db_dump185.c -o dist/dist-tls/db_dump185.lo
+/bin/sh libtool --tag=CC --mode=link %{__cc} $RPM_LD_FLAGS -o dist/dist-tls/db_dump185 dist/dist-tls/db_dump185.lo db.1.85/PORT/%{_os}/libdb.a
 
 # Update config files to understand aarch64
 for dir in dist lang/sql/sqlite lang/sql/jdbc lang/sql/odbc; do
@@ -261,10 +323,11 @@ pushd dist/dist-tls
 	--enable-shared --enable-static \
 	--enable-tcl --with-tcl=%{_libdir} \
 	--enable-cxx --enable-sql \
+	--enable-java \
 	--enable-test \
+    --with-cryptography=openssl \
 	--disable-rpath \
-    --with-cryptography=no \
-  --with-tcl=%{_libdir}/tcl%{__tclversion}
+  --with-tcl=%{_libdir}/tcl8.6
 
 # Remove libtool predep_objects and postdep_objects wonkiness so that
 # building without -nostdlib doesn't include them twice.  Because we
@@ -274,7 +337,13 @@ perl -pi -e 's/^predep_objects=".*$/predep_objects=""/' libtool
 perl -pi -e 's/^postdep_objects=".*$/postdep_objects=""/' libtool
 perl -pi -e 's/-shared -nostdlib/-shared/' libtool
 
-%make_build
+make %{?_smp_mflags}
+
+# XXX hack around libtool not creating ./libs/libdb_java-X.Y.lai
+LDBJ=./.libs/libdb_java-%{__soversion}.la
+if test -f ${LDBJ} -a ! -f ${LDBJ}i; then
+	sed -e 's,^installed=no,installed=yes,' < ${LDBJ} > ${LDBJ}i
+fi
 
 # Run some quick subsystem checks
 echo "source ../../test/tcl/test.tcl; r env; r mut; r memp" | tclsh
@@ -286,7 +355,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_includedir}
 mkdir -p ${RPM_BUILD_ROOT}%{_libdir}
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man1
 
-%make_install STRIP=/bin/true -C dist/dist-tls
+%makeinstall STRIP=/bin/true -C dist/dist-tls
 
 # XXX Nuke non-versioned archives and symlinks
 rm -f ${RPM_BUILD_ROOT}%{_libdir}/{libdb.a,libdb_cxx.a,libdb_tcl.a,libdb_sql.a}
@@ -303,6 +372,10 @@ for i in db.h db_cxx.h db_185.h; do
 	ln -s %{name}/$i ${RPM_BUILD_ROOT}%{_includedir}
 done
 
+# Move java jar file to the correct place
+mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/java
+mv ${RPM_BUILD_ROOT}%{_libdir}/*.jar ${RPM_BUILD_ROOT}%{_datadir}/java
+
 # Eliminate installed doco
 rm -rf ${RPM_BUILD_ROOT}%{_prefix}/docs
 
@@ -322,18 +395,39 @@ rm -rf docs/installation
 mv examples docs
 mv man/* ${RPM_BUILD_ROOT}%{_mandir}/man1
 
-%ldconfig_scriptlets
-%ldconfig_scriptlets cxx
-%ldconfig_scriptlets sql
-%ldconfig_scriptlets tcl
+%clean
+rm -rf ${RPM_BUILD_ROOT}
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%post -p /sbin/ldconfig cxx
+
+%postun -p /sbin/ldconfig cxx
+
+%post -p /sbin/ldconfig sql
+
+%postun -p /sbin/ldconfig sql
+
+%post -p /sbin/ldconfig tcl
+
+%postun -p /sbin/ldconfig tcl
+
+%post -p /sbin/ldconfig java
+
+%postun -p /sbin/ldconfig java
 
 %files
+%defattr(-,root,root,-)
+%{!?_licensedir:%global license %%doc}
 %license LICENSE lgpl-2.1.txt
 %doc README
 %{_libdir}/libdb-%{__soversion}.so
 %{_libdir}/libdb-%{__soversion_major}.so
 
 %files devel
+%defattr(-,root,root,-)
 %{_libdir}/libdb.so
 %dir %{_includedir}/%{name}
 %{_includedir}/%{name}/db.h
@@ -342,15 +436,19 @@ mv man/* ${RPM_BUILD_ROOT}%{_mandir}/man1
 %{_includedir}/db_185.h
 
 %files devel-doc
+%defattr(-,root,root,-)
 %doc	docs/*
 
 %files devel-static
+%defattr(-,root,root,-)
 %{_libdir}/libdb-%{__soversion}.a
 %{_libdir}/libdb_cxx-%{__soversion}.a
 %{_libdir}/libdb_tcl-%{__soversion}.a
 %{_libdir}/libdb_sql-%{__soversion}.a
+%{_libdir}/libdb_java-%{__soversion}.a
 
 %files utils
+%defattr(-,root,root,-)
 %{_bindir}/db*_archive
 %{_bindir}/db*_checkpoint
 %{_bindir}/db*_deadlock
@@ -367,108 +465,85 @@ mv man/* ${RPM_BUILD_ROOT}%{_mandir}/man1
 %{_mandir}/man1/db_*
 
 %files cxx
+%defattr(-,root,root,-)
 %{_libdir}/libdb_cxx-%{__soversion}.so
 %{_libdir}/libdb_cxx-%{__soversion_major}.so
 
 %files cxx-devel
+%defattr(-,root,root,-)
 %{_includedir}/%{name}/db_cxx.h
 %{_includedir}/db_cxx.h
 %{_libdir}/libdb_cxx.so
 
 %files tcl
+%defattr(-,root,root,-)
 %{_libdir}/libdb_tcl-%{__soversion}.so
 %{_libdir}/libdb_tcl-%{__soversion_major}.so
 
 %files tcl-devel
+%defattr(-,root,root,-)
 %{_libdir}/libdb_tcl.so
 
 %files sql
+%defattr(-,root,root,-)
 %{_libdir}/libdb_sql-%{__soversion}.so
 %{_libdir}/libdb_sql-%{__soversion_major}.so
 
 %files sql-devel
+%defattr(-,root,root,-)
 %{_bindir}/dbsql
 %{_libdir}/libdb_sql.so
 %{_includedir}/%{name}/dbsql.h
 
-%changelog
-* Wed Nov 24 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-53
-- Add missing RPM_LD_FLAGS for db_dump185
-- Resolves: #2026417
+%files java
+%defattr(-,root,root,-)
+%{_libdir}/libdb_java-%{__soversion_major}*.so
+%{_datadir}/java/*.jar
 
-* Mon Sep 13 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-52
+%files java-devel
+%defattr(-,root,root,-)
+%{_libdir}/libdb_java.so
+
+%changelog
+* Wed Sep 8 2021 Filip Januš <fjanus@redhat.com> 5.3.28-42
+- Apply the previous change only on aarch64 to limit the risk of unwanted impact
+- Resolves: #1992402
+
+* Mon Sep 6 2021 Filip Januš <fjanus@redhat.com> 5.3.28-41
 - Bad order of sys calls cause high CPU usage
-- Related: #2002186
+- Resolves: #1992402
 - Patch no. 42 was added
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.3.28-51
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Mon Jul 27 2020 Matej Mužila <mmuzila@redhat.com> 5.3.28-40
+- Resolves: CVE-2019-2708
+- Resolves: #1856237
 
-* Thu Aug 05 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-50
-- fix static analyzer issues CWE-686-398
-- Resolves: #1938760
+* Thu Jun 18 2020 Petr Kubat <pkubat@redhat.com> 5.3.28-39
+- Rebuild for rhel 8.3.0
 
-* Mon Jul 12 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-49
-- Rebuild due to glibc
-- Resolves: #1980975
+* Thu Dec 12 2019 Petr Kubat <pkubat@redhat.com> 5.3.28-38
+- Optimize trickle thread CPU usage (#1670768)
 
-* Fri Jun 25 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-48
-- Disable crypto support
-- Resolves: #1974657
+* Mon Jun 03 2019 Matej Mužila <mmzuila@redhat.com> - 5.3.28-37
+- Fixed flaws found by coverity
+- Resolves: #1606978
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.3.28-47
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-46
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Dec 02 2020 Matej Mužila <mmuzila@redhat.com> 5.3.28-45
-- Resolves: CVE-2019-2708 (#1853243)
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-44
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 5.3.28-43
-- Use make macros
-- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Tue Jul 14 2020 Ondrej Dubaj <odubaj@redhat.com> - 5.3.28-42
-- Remove java subpackage due to jdk-11 (#1846398)
-
-* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 5.3.28-41
-- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-40
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Aug 22 2019 Petr Kubat <pkubat@redhat.com> 5.3.28-39
-- Set correct tcl-devel version for BuildRequires (#1712532)
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-38
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-37
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Jan 30 2019 Petr Kubat <pkubat@redhat.com> 5.3.28-36
-- Optimize trickle thread CPU usage (#1608749)
-
-* Wed Jan 16 2019 Petr Kubat <pkubat@redhat.com> - 5.3.28-35
+* Tue Jan 22 2019 Petr Kubat <pkubat@redhat.com> - 5.3.28-36
 - Add patch to workaround issues on large systems (>1024 CPU)
-  Resolves: #1245410
+  Resolves: #1664031
 
-* Wed Sep 05 2018 Petr Kubat <pkubat@redhat.com> - 5.3.28-34
-- Add patch for CDB race issue (#1099509)
+* Tue Nov 27 2018 Matej Mužila <mmuzila@redhat.com> - 5.3.28-35
+- Use AES from OpenSSL for encryption
+- Resolves: #1618640
 
-* Tue Jul 24 2018 Petr Kubat <pkubat@redhat.com> - 5.3.28-33
-- Add BuildRequires for gcc and gcc-c++ (#1604566)
+* Mon Oct 08 2018 Matej Mužila <mmuzila@redhat.com> - 5.3.28-33
+- Link db_dump185 with RPM_LD_FLAGS (#1624127)
 
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-32
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Wed Sep 05 2018 Petr Kubat <pkubat@redhat.com> - 5.3.28-32
+- Add patch for CDB race issue (#1616259)
 
 * Wed May 23 2018 Petr Kubat <pkubat@redhat.com> - 5.3.28-31
-- Rename __atomic_compare_exchange to not clash with gcc built-in
+- Rename __atomic_compare_exchange to not clash with gcc built-in (#1580756)
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.28-30
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild