From 465459b0483d3f2869ee19c5ffd4a3a7b9597249 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 26 Jul 2019 21:42:14 +0200
Subject: [PATCH] Remove patches unused since 1.6.0 releases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The patches should have been removed together with 1.6.0 release commit.

Signed-off-by: Fabiano Fidêncio
---
 ...db-Avoid-dereference-of-null-pointer.patch | 62 -------
 ...Avoid-use-of-memory-after-it-s-freed.patch | 50 ------
 ...p-_create_from_location_async_helper.patch | 92 ----------
 ...tall-script-Add-config-file-f-option.patch | 170 ------------------
 ...ript-Deprecate-config-user-admin-pas.patch | 59 ------
 5 files changed, 433 deletions(-)
 delete mode 100644 0001-db-Avoid-dereference-of-null-pointer.patch
 delete mode 100644 0002-tree-Avoid-use-of-memory-after-it-s-freed.patch
 delete mode 100644 0003-tree-Cleanup-_create_from_location_async_helper.patch
 delete mode 100644 0004-tools-install-script-Add-config-file-f-option.patch
 delete mode 100644 0005-tools-install-script-Deprecate-config-user-admin-pas.patch

diff --git a/0001-db-Avoid-dereference-of-null-pointer.patch b/0001-db-Avoid-dereference-of-null-pointer.patch
deleted file mode 100644
index e6947a8..0000000
--- a/0001-db-Avoid-dereference-of-null-pointer.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From cb509ad153a35053e1e003d73fd0ece53bd2c3d8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 21 May 2019 13:01:26 +0200
-Subject: [PATCH 1/3] db: Avoid dereference of null pointer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As any consumer of libosinfo API may pass NULL as the @matched argument
-of compare_tree(), the current code could be dereferencing a NULL
-pointer when calling `osinfo_tree_set_os()`.
-
-In order to avoid doing so, let's set the os to the OsinfoTree at the
-moment the @matched argument is set.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Cole Robinson
-(cherry picked from commit 949ad5e05480470ba1a5913fbec538314807dfc2)
----
- osinfo/osinfo_db.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/osinfo/osinfo_db.c b/osinfo/osinfo_db.c
-index b7da2b7..c4cd1e4 100644
---- a/osinfo/osinfo_db.c
-+++ b/osinfo/osinfo_db.c
-@@ -790,6 +790,7 @@ static gboolean compare_tree(OsinfoTree *tree,
- OsinfoTreeList *tree_list = osinfo_os_get_tree_list(os);
- GList *trees = osinfo_list_get_elements(OSINFO_LIST(tree_list));
- GList *tree_iter;
-+ gboolean found = FALSE;
-
- for (tree_iter = trees; tree_iter; tree_iter = tree_iter->next) {
- OsinfoTree *os_tree = OSINFO_TREE(tree_iter->data);
-@@ -820,8 +821,11 @@ static gboolean compare_tree(OsinfoTree *tree,
- match_regex(os_treeinfo_version, treeinfo_version) &&
- match_regex(os_treeinfo_arch, treeinfo_arch)) {
- *ret_os = os;
-- if (matched != NULL)
-+ if (matched != NULL) {
- *matched = os_tree;
-+ osinfo_tree_set_os(*matched, *ret_os);
-+ found = TRUE;
-+ }
- break;
- }
- }
-@@ -829,10 +833,8 @@ static gboolean compare_tree(OsinfoTree *tree,
- g_list_free(trees);
- g_object_unref(tree_list);
-
-- if (*ret_os != NULL) {
-- osinfo_tree_set_os(*matched, *ret_os);
-+ if (found)
- return TRUE;
-- }
- }
-
- return FALSE;
---
-2.21.0
-
diff --git a/0002-tree-Avoid-use-of-memory-after-it-s-freed.patch b/0002-tree-Avoid-use-of-memory-after-it-s-freed.patch
deleted file mode 100644
index d607cf9..0000000
--- a/0002-tree-Avoid-use-of-memory-after-it-s-freed.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From d1baaf2946513be06f97ab66e7845e14073add3d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 21 May 2019 13:29:18 +0200
-Subject: [PATCH 2/3] tree: Avoid use of memory after it's freed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We've been passing data->location as the @url argument of
-osinfo_tree_create_from_location_async_helper(), freeing it and trying
-to g_strdup() it as the new content of data->location.
-
-In order to avoid doing so, let's set the data->location only once, in
-the first caller of osinfo_tree_create_from_location_async_helper(), as
-its content is always going to be the same doesn't matter the treeinfo
-format to be used with.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Cole Robinson
-(cherry picked from commit d7bc838a96acf5f058e13d2b49157b4ba396cd87)
----
- osinfo/osinfo_tree.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/osinfo/osinfo_tree.c b/osinfo/osinfo_tree.c
-index 88a2d6e..ab498f0 100644
---- a/osinfo/osinfo_tree.c
-+++ b/osinfo/osinfo_tree.c
-@@ -702,9 +702,6 @@ osinfo_tree_create_from_location_async_helper(const gchar *url,
- g_clear_object(&data->file);
- data->file = g_file_new_for_uri(location);
-
-- g_free(data->location);
-- data->location = g_strdup(url);
--
- g_free(data->treeinfo);
- data->treeinfo = g_strdup(treeinfo);
-
-@@ -740,6 +737,8 @@ void osinfo_tree_create_from_location_async(const gchar *location,
- user_data);
- g_task_set_priority(data->res, priority);
-
-+ data->location = g_strdup(location);
-+
- osinfo_tree_create_from_location_async_helper(location,
- ".treeinfo",
- cancellable,
---
-2.21.0
-
diff --git a/0003-tree-Cleanup-_create_from_location_async_helper.patch b/0003-tree-Cleanup-_create_from_location_async_helper.patch
deleted file mode 100644
index c5d4de8..0000000
--- a/0003-tree-Cleanup-_create_from_location_async_helper.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 97d60a2e53439d6ad1a462267c3bdf0f09a6f7c8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 21 May 2019 13:33:27 +0200
-Subject: [PATCH 3/3] tree: Cleanup _create_from_location_async_helper()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There's no need to pass neither the URL nor the cancellable to this
-function as those can be taken directly from data.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Cole Robinson
-(cherry picked from commit dfda02598034737610b69fdd08d62f62cbf5b0cb)
----
- osinfo/osinfo_tree.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/osinfo/osinfo_tree.c b/osinfo/osinfo_tree.c
-index ab498f0..0f14276 100644
---- a/osinfo/osinfo_tree.c
-+++ b/osinfo/osinfo_tree.c
-@@ -631,10 +631,8 @@ static OsinfoTree *load_keyinfo(const gchar *location,
- }
-
- static void
--osinfo_tree_create_from_location_async_helper(const gchar *url,
-- const gchar *treeinfo,
-- GCancellable *cancellable,
-- CreateFromLocationAsyncData *data);
-+osinfo_tree_create_from_location_async_helper(CreateFromLocationAsyncData *data,
-+ const gchar *treeinfo);
-
- static void on_location_read(GObject *source,
- GAsyncResult *res,
-@@ -657,10 +655,7 @@ static void on_location_read(GObject *source,
- /* It means no ".treeinfo" file has been found. Try again, this time
- * looking for a "treeinfo" file. */
- if (g_str_equal(data->treeinfo, ".treeinfo")) {
-- osinfo_tree_create_from_location_async_helper(data->location,
-- "treeinfo",
-- g_task_get_cancellable(data->res),
-- data);
-+ osinfo_tree_create_from_location_async_helper(data, "treeinfo");
- return;
- }
-
-@@ -687,17 +682,14 @@ static void on_location_read(GObject *source,
- }
-
- static void
--osinfo_tree_create_from_location_async_helper(const gchar *url,
-- const gchar *treeinfo,
-- GCancellable *cancellable,
-- CreateFromLocationAsyncData *data)
-+osinfo_tree_create_from_location_async_helper(CreateFromLocationAsyncData *data,
-+ const gchar *treeinfo)
- {
- gchar *location;
-
-- g_return_if_fail(url != NULL);
- g_return_if_fail(treeinfo != NULL);
-
-- location = g_strdup_printf("%s/%s", url, treeinfo);
-+ location = g_strdup_printf("%s/%s", data->location, treeinfo);
-
- g_clear_object(&data->file);
- data->file = g_file_new_for_uri(location);
-@@ -706,7 +698,7 @@ osinfo_tree_create_from_location_async_helper(const gchar *url,
- data->treeinfo = g_strdup(treeinfo);
-
- g_file_load_contents_async(data->file,
-- cancellable,
-+ g_task_get_cancellable(data->res),
- on_location_read,
- data);
- g_free(location);
-@@ -739,10 +731,7 @@ void osinfo_tree_create_from_location_async(const gchar *location,
-
- data->location = g_strdup(location);
-
-- osinfo_tree_create_from_location_async_helper(location,
-- ".treeinfo",
-- cancellable,
-- data);
-+ osinfo_tree_create_from_location_async_helper(data, ".treeinfo");
- }
-
-
---
-2.21.0
-
diff --git a/0004-tools-install-script-Add-config-file-f-option.patch b/0004-tools-install-script-Add-config-file-f-option.patch
deleted file mode 100644
index be355aa..0000000
--- a/0004-tools-install-script-Add-config-file-f-option.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From 08fb8316b4ac42fe74c1fa5ca0ac593222cdf81a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 3 Jul 2019 14:55:24 +0200
-Subject: [PATCH] tools,install-script: Add --config-file (-f) option
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's add a new option so users can set their config from a file,
-instead of directly passing the values via command-line.
-
-CVE-2019-13313
-Libosinfo: osinfo-install-script option leaks password via command line
-argument. 'osinfo-install-script' is used to generate a script for
-automated guest installations. It accepts user and admin passwords via
-command line arguments, thus leaking them via process listing.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Daniel P. Berrangé
----
- tools/osinfo-install-script.c | 103 +++++++++++++++++++++++++++++++++-
- 1 file changed, 102 insertions(+), 1 deletion(-)
-
-diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
-index 15af48d..af58440 100644
---- a/tools/osinfo-install-script.c
-+++ b/tools/osinfo-install-script.c
-@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE;
- static gboolean list_inj_method = FALSE;
- static gboolean quiet = FALSE;
-
-+static const gchar *configs[] = {
-+ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH,
-+ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE,
-+ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE,
-+ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD,
-+ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD,
-+ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD,
-+ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN,
-+ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME,
-+ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN,
-+ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN,
-+ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN,
-+ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD,
-+ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY,
-+ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME,
-+ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK,
-+ OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK,
-+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION,
-+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK,
-+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK,
-+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION,
-+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK,
-+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION,
-+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
-+ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL,
-+ NULL
-+};
-+
- static OsinfoInstallConfig *config;
-
- static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
-@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
- }
-
-
-+static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED,
-+ const gchar *value,
-+ gpointer data G_GNUC_UNUSED,
-+ GError **error)
-+{
-+ GKeyFile *key_file = NULL;
-+ gchar *val = NULL;
-+ gsize i;
-+ gboolean ret = FALSE;
-+
-+ key_file = g_key_file_new();
-+ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error))
-+ goto error;
-+
-+ for (i = 0; configs[i] != NULL; i++) {
-+ val = g_key_file_get_string(key_file, "install-script", configs[i], error);
-+ if (val == NULL) {
-+ if (g_error_matches(*error, G_KEY_FILE_ERROR,
-+ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) {
-+ g_clear_error(error);
-+ continue;
-+ }
-+
-+ goto error;
-+ }
-+
-+ osinfo_entity_set_param(OSINFO_ENTITY(config),
-+ configs[i],
-+ val);
-+ g_free(val);
-+ }
-+
-+ ret = TRUE;
-+
-+error:
-+ g_key_file_unref(key_file);
-+
-+ return ret;
-+}
-+
-+
- static GOptionEntry entries[] =
- {
- { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile,
-@@ -78,6 +147,9 @@ static GOptionEntry entries[] =
- { "config", 'c', 0, G_OPTION_ARG_CALLBACK,
- handle_config,
- N_("Set configuration parameter"), "key=value" },
-+ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK,
-+ handle_config_file,
-+ N_("Set configuration parameters"), "file:///path/to/config/file" },
- { "list-config", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_config,
- N_("List configuration parameters"), NULL },
- { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile,
-@@ -448,6 +520,15 @@ script. Defaults to C, but can also be C.
-
- Set the configuration parameter C to C.
-
-+=item B<--config-file=config-file>
-+
-+Set the configurations parameters according to the config-file passed.
-+
-+Note that use of --config-file is strongly recommended if the user or
-+admin passwords need to be set. Providing passwords directly using
-+B<--config=> is insecure as the password is visible to all processes
-+and users on the same host.
-+
- =back
-
- =head1 CONFIGURATION KEYS
-@@ -510,9 +591,29 @@ The software registration user password
-
- =back
-
-+=head1 CONFIGURATION FILE FORMAT
-+
-+The configuration file must consist in a file which contains a
-+`install-script` group and, under this group, C=C
-+pairs, as shown below:
-+
-+[install-script]
-+l10n-timezone=GMT
-+l10n-keyboard=uk
-+l10n-language=en_GB
-+admin-password=123456
-+user-login=berrange
-+user-password=123456
-+user-realname="Daniel P Berrange"
-+
- =head1 EXAMPLE USAGE
-
--The following usage generates a Fedora 16 kickstart script
-+The following usages generates a Fedora 16 kickstart script
-+
-+ # osinfo-install-script \
-+ --profile jeos \
-+ --config-file /path/to/config/file \
-+ fedora16
-
- # osinfo-install-script \
- --profile jeos \
---
-2.21.0
-
diff --git a/0005-tools-install-script-Deprecate-config-user-admin-pas.patch b/0005-tools-install-script-Deprecate-config-user-admin-pas.patch
deleted file mode 100644
index 3889bfd..0000000
--- a/0005-tools-install-script-Deprecate-config-user-admin-pas.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 3654abee6ead9f11f8bb9ba8fc71efd6fa4dabbc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 3 Jul 2019 14:59:07 +0200
-Subject: [PATCH] tools,install-script: Deprecate --config
- {user,admin}-password
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's deprecate user-password and admin-password options of --config and
-also warn out whenever they're passed to osinfo-install-script.
-
-CVE-2019-13313
-Libosinfo: osinfo-install-script option leaks password via command line
-argument. 'osinfo-install-script' is used to generate a script for
-automated guest installations. It accepts user and admin passwords via
-command line arguments, thus leaking them via process listing.
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Daniel P. Berrangé
----
- tools/osinfo-install-script.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c
-index af58440..c0528e7 100644
---- a/tools/osinfo-install-script.c
-+++ b/tools/osinfo-install-script.c
-@@ -85,6 +85,12 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED,
- val++;
- key = g_strndup(value, len);
-
-+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) ||
-+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) {
-+ g_warning("When setting user or admin password, use --config-file "
-+ "instead.\n");
-+ }
-+
- osinfo_entity_set_param(OSINFO_ENTITY(config),
- key,
- val);
-@@ -556,10 +562,14 @@ The local language
- =item C
-
- The administrator password
-+This option has been deprecated, use B<--config-file>
-+for setting the admin password.
-
- =item C
-
- The user password
-+This option has been deprecated, use B<--config-file>
-+for setting the user password.
-
- =item C
-
---
-2.21.0
-