.gitignore

@@ -1 +1 @@
-SOURCES/libmaxminddb-1.5.2.tar.gz
+SOURCES/libmaxminddb-1.2.0.tar.gz

.libmaxminddb.metadata

@@ -1 +1 @@
-9e00fef11ceb8df1dc56ce3276bf2193c5baa5c8 SOURCES/libmaxminddb-1.5.2.tar.gz
+27b3a1cdf8f7053fa1b053ca8b31d4497ffa6019 SOURCES/libmaxminddb-1.2.0.tar.gz

SOURCES/0000-CVE-2020-28241.patch

@@ -0,0 +1,123 @@
+From eac45e29196bcde1d123a6035c15d30356bed248 Mon Sep 17 00:00:00 2001
+From: Gregory Oschwald <goschwald@maxmind.com>
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ Changes.md          |  4 ++++
+ bin/mmdblookup.c    | 10 +++++-----
+ doc/libmaxminddb.md |  2 +-
+ src/maxminddb.c     | 21 ++++++++++++---------
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 4a3403c6..d7ec3fff 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -294,7 +294,7 @@ LOCAL const char **get_options(
+     }
+ 
+     const char **lookup_path =
+-        malloc(sizeof(const char *) * ((argc - optind) + 1));
++        calloc((argc - optind) + 1, sizeof(const char *));
+     int i;
+     for (i = 0; i < argc - optind; i++) {
+         lookup_path[i] = argv[i + optind];
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index 191637b3..6e841cbc 100644
+--- a/doc/libmaxminddb.md
++++ b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+ 
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+ 
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 21c18f2b..b45d5afa 100644
+--- a/src/maxminddb.c
++++ b/src/maxminddb.c
+@@ -36,7 +36,7 @@
+     do {                                                        \
+         char *binary = byte_to_binary(byte);                    \
+         if (NULL == binary) {                                   \
+-            fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++            fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+             abort();                                            \
+         }                                                       \
+         fprintf(stderr, fmt "\n", binary);                      \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+-    char *bits = malloc(sizeof(char) * 9);
++    char *bits = calloc(9, sizeof(char));
+     if (NULL == bits) {
+         return bits;
+     }
+@@ -704,7 +704,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.languages.count = 0;
+-    mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++    mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+     if (NULL == mmdb->metadata.languages.names) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -722,7 +722,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+         if (NULL == mmdb->metadata.languages.names[i]) {
+             return MMDB_OUT_OF_MEMORY_ERROR;
+         }
+-        // We assign this as we go so that if we fail a malloc and need to
++        // We assign this as we go so that if we fail a calloc and need to
+         // free it, the count is right.
+         mmdb->metadata.languages.count = i + 1;
+     }
+@@ -774,7 +774,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.description.descriptions =
+-        malloc(map_size * sizeof(MMDB_description_s *));
++        calloc(map_size, sizeof(MMDB_description_s *));
+     if (NULL == mmdb->metadata.description.descriptions) {
+         status = MMDB_OUT_OF_MEMORY_ERROR;
+         goto cleanup;
+@@ -782,7 +782,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ 
+     for (uint32_t i = 0; i < map_size; i++) {
+         mmdb->metadata.description.descriptions[i] =
+-            malloc(sizeof(MMDB_description_s));
++            calloc(1, sizeof(MMDB_description_s));
+         if (NULL == mmdb->metadata.description.descriptions[i]) {
+             status = MMDB_OUT_OF_MEMORY_ERROR;
+             goto cleanup;
+@@ -1134,7 +1134,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
+     MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+-    const char **path = malloc((length + 1) * sizeof(const char *));
++    const char **path = calloc(length + 1, sizeof(const char *));
+     if (NULL == path) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -2010,6 +2010,7 @@ LOCAL MMDB_entry_data_list_s *dump_entry_data_list(
+             char *hex_string =
+                 bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes,
+                              entry_data_list->entry_data.data_size);
++
+             if (NULL == hex_string) {
+                 *status = MMDB_OUT_OF_MEMORY_ERROR;
+                 return NULL;
+@@ -2103,7 +2104,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+     char *hex_string;
+     MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
+ 
+-    hex_string = malloc((size * 2) + 1);
++    hex_string = calloc((size * 2) + 1, sizeof(char));
+     if (NULL == hex_string) {
+         return NULL;
+     }

SPECS/libmaxminddb.spec

@@ -1,42 +1,47 @@
 Name:           libmaxminddb
 Summary:        C library for the MaxMind DB file format
-Version:        1.5.2
+Version:        1.2.0
-Release:        3%{?dist}
+Release:        10%{?dist}.1
 URL:            https://maxmind.github.io/libmaxminddb
-Source:         https://github.com/maxmind/libmaxminddb/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source0:        https://github.com/maxmind/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 
 # original libmaxminddb code is Apache Licence 2.0
 # src/maxminddb-compat-util.h is BSD
 License:        ASL 2.0 and BSD
 
-BuildRequires:  gcc
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
 BuildRequires:  perl-interpreter
-BuildRequires:  perl(FindBin)
+Recommends:		geolite2-city, geolite2-country
-BuildRequires:  make
+
+Patch0000: 0000-CVE-2020-28241.patch
 
 %description
 The package contains libmaxminddb library.
 
 %package devel
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       pkgconfig
+#the only binary in -devel subpackage has been moved to the main package
+#this means that the -devel-debuginfo pkg is missing and it would interrupt update path
+Obsoletes:      libmaxminddb-devel-debuginfo < 1.2.0-8
 Summary:        Development header files for libmaxminddb
-Requires:       %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
 
 %description devel
 The package contains development header files for the libmaxminddb library
 and the mmdblookup utility which allows IP address lookup in a MaxMind DB file.
 
 %prep
-%autosetup
+%setup -q
-sed -i -e '/AM_CFLAGS=/d' common.mk
+
-sed -i -e '/CFLAGS=/d' configure.ac
+%patch0000 -p1 -b .cve-2020-28241
 
 %build
-autoreconf -vfi
 %configure --disable-static
-%make_build
+# remove embeded RPATH
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+# link only requried libraries
+sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
+make %{?_smp_mflags}
 
 %check
 # tests are linked dynamically, preload the library as we have removed RPATH
@@ -44,9 +49,9 @@ LD_PRELOAD=%{buildroot}%{_libdir}/libmaxminddb.so make check
 
 %install
 %make_install
-rm -v %{buildroot}%{_libdir}/*.la
+rm -fv %{buildroot}%{_libdir}/*.la
 
-#downstream fix for multilib install of devel pkg
+#fix multilib install of devel pkg
 mv %{buildroot}%{_includedir}/maxminddb_config.h \
    %{buildroot}%{_includedir}/maxminddb_config-%{__isa_bits}.h
 cat > %{buildroot}%{_includedir}/maxminddb_config.h << EOF
@@ -61,11 +66,16 @@ cat > %{buildroot}%{_includedir}/maxminddb_config.h << EOF
 #endif
 EOF
 
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
 %files
 %license LICENSE
-%{_libdir}/libmaxminddb.so.0*
+%{_libdir}/libmaxminddb.so.*
 %{_bindir}/mmdblookup
-%{_mandir}/man1/*.1*
+%{_mandir}/man1/mmdblookup.1.gz
 
 %files devel
 %license NOTICE
@@ -74,53 +84,27 @@ EOF
 %{_includedir}/maxminddb_config*.h
 %{_libdir}/libmaxminddb.so
 %{_libdir}/pkgconfig/libmaxminddb.pc
-%{_mandir}/man3/*.3*
+%{_mandir}/man3/*
 
 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.2-3
+* Thu Jan 04 2024 Michal Ruprich <mruprich@redhat.com> - 1.2.0-10.1
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Resolves: RHEL-20594 - improper initialization in dump_entry_data_list() in maxminddb.c
-  Related: rhbz#1991688
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.2-2
+* Mon Jun 08 2020 Michal Ruprich <michalruprich@gmail.com> - 1.2.0-10
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Related: #1642001 - Obsoleting -devel-debuginfo to enable clean update path
 
-* Tue Mar 16 2021 Michal Ruprich <mruprich@redhat.com> - 1.5.2-1
+* Mon May 25 2020 Michal Ruprich <michalruprich@gmail.com> - 1.2.0-9
-- Update to 1.5.2
+- Related: #1642001 - moving manpage of mmdblookup from -devel subpackage
 
-* Tue Jan 26 2021 Michal Ruprich <mruprich@redhat.com> - 1.5.0-1
+* Fri May 15 2020 Michal Ruprich <michalruprich@gmail.com> - 1.2.0-8
-- Update to 1.5.0
+- Resolves: #1642001 - binary mmdblookup is in libmaxminddb-devel
 
-* Thu Dec 10 2020 Michal Ruprich <mruprich@redhat.com> - 1.4.3-1
+* Thu Jan 09 2020 Michal Ruprich <mruprich@redhat.com> - 1.2.0-7
-- Update to 1.4.3
+- Resolves: #1788956 - conflicts with multilib install
-- Resolves: #1758843 - libmaxminddb-devel i686 can't be installed in parallel to x86_64
-- Fix for CVE-2020-28241
 
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
+* Thu Aug 02 2018 Michal Ruprich <mruprich@redhat.com> - 1.2.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- Adding libmaxminddb as a new package to RHEL-8 (rhbz#1607927)
-
+- Adding Recommends tag for geolite2 databases
-* Tue Jun 02 2020 Michal Ruprich <michalruprich@gmail.com> - 1.4.2-2
-- Move manpage for mmdblookup from -devel to the main package
-
-* Tue May 12 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 1.4.2-1
-- Update to 1.4.2
-
-* Mon Mar 30 2020 Michal Ruprich <mruprich@redhat.com> - 1.3.2-3
-- Move mmdblookup binary from -devel to the main package
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Oct 21 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.2-1
-- Update to 1.3.2
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild