Import from AlmaLinux stable repository

2024-05-15 07:42:31 +00:00 · 2024-05-15 07:42:31 +00:00 · 144674e9d1
commit 144674e9d1
parent f70a497a4d
2 changed files with 140 additions and 4 deletions
--- a/SOURCES/rabbitmq-c-CVE-2023-35789.patch
+++ b/SOURCES/rabbitmq-c-CVE-2023-35789.patch
@ -0,0 +1,125 @@
+commit 463054383fbeef889b409a7f843df5365288e2a0
+Author: Christian Kastner <ckk@kvr.at>
+Date:   Tue Jun 13 14:21:52 2023 +0200
+
+    Add option to read username/password from file (#781)
+    
+    * Add option to read username/password from file
+
+diff --git a/tools/common.c b/tools/common.c
+index 73b47e2..7efe557 100644
+--- a/tools/common.c
+++ b/tools/common.c
+@@ -18,6 +18,11 @@
+ #include "compat.h"
+ #endif
+ 
+/* For when reading auth data from a file */
+#define MAXAUTHTOKENLEN 128
+#define USERNAMEPREFIX "username:"
+#define PASSWORDPREFIX "password:"
+
+ void die(const char *fmt, ...) {
+   va_list ap;
+   va_start(ap, fmt);
+@@ -125,6 +130,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
+static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
+      "the password to login with", "password"},
+     {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+      "heartbeat interval, set to 0 to disable", "heartbeat"},
+    {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
+     "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+     {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+     {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+     {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+ 
+void read_authfile(const char *path) {
+  size_t n;
+  FILE *fp = NULL;
+  char token[MAXAUTHTOKENLEN];
+
+  if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
+      (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
+    die("Out of memory");
+  } else if ((fp = fopen(path, "r")) == NULL) {
+    die("Could not read auth data file %s", path);
+  }
+
+  if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
+      strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
+    die("Malformed auth file (missing username)");
+  }
+  strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
+  /* Missing newline means token was cut off */
+  n = strlen(amqp_username);
+  if (amqp_username[n - 1] != '\n') {
+    die("Username too long");
+  } else {
+    amqp_username[n - 1] = '\0';
+  }
+
+  if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
+      strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
+    die("Malformed auth file (missing password)");
+  }
+  strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
+  /* Missing newline means token was cut off */
+  n = strlen(amqp_password);
+  if (amqp_password[n - 1] != '\n') {
+    die("Password too long");
+  } else {
+    amqp_password[n - 1] = '\0';
+  }
+
+  (void)fgetc(fp);
+  if (!feof(fp)) {
+    die("Malformed auth file (trailing data)");
+  }
+}
+
+ static void init_connection_info(struct amqp_connection_info *ci) {
+   ci->user = NULL;
+   ci->password = NULL;
+@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+   if (amqp_username) {
+     if (amqp_url) {
+       die("--username and --url options cannot be used at the same time");
+    } else if (amqp_authfile) {
+      die("--username and --authfile options cannot be used at the same time");
+     }
+ 
+     ci->user = amqp_username;
+@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+   if (amqp_password) {
+     if (amqp_url) {
+       die("--password and --url options cannot be used at the same time");
+    } else if (amqp_authfile) {
+      die("--password and --authfile options cannot be used at the same time");
+     }
+ 
+     ci->password = amqp_password;
+   }
+ 
+  if (amqp_authfile) {
+    if (amqp_url) {
+      die("--authfile and --url options cannot be used at the same time");
+    }
+
+    read_authfile(amqp_authfile);
+    ci->user = amqp_username;
+    ci->password = amqp_password;
+  }
+
+   if (amqp_vhost) {
+     if (amqp_url) {
+       die("--vhost and --url options cannot be used at the same time");
--- a/SPECS/librabbitmq.spec
+++ b/SPECS/librabbitmq.spec
@ -19,7 +19,7 @@
 Name:      %{libname}
 Summary:   Client library for AMQP
 Version:   0.11.0
-Release:   5%{?dist}
+Release:   7%{?dist}
 License:   MIT
 URL:       https://github.com/alanxz/rabbitmq-c

@ -29,6 +29,8 @@ Source0:   https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{g
 Patch0:    %{gh_project}-static.patch
 # fix version for cmake module
 Patch1:    %{gh_project}-version.patch
+# CVE-2023-35789
+Patch2:     rabbitmq-c-CVE-2023-35789.patch

 BuildRequires: gcc
 BuildRequires: cmake > 2.8
@ -56,7 +58,7 @@ for %{name}.

 %package tools
 Summary:    Example tools built using the librabbitmq package
-Requires:   %{name}%{?_isa} = %{version}
+Requires:   %{name}%{?_isa} = %{version}-%{release}

 %description tools
 This package contains example tools built using %{name}.
@ -71,8 +73,9 @@ amqp-publish        Publish a message on an AMQP server

 %prep
 %setup -q -n %{gh_project}-%{gh_commit}
-%patch0 -p1
-%patch1 -p1
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1

 # Copy sources to be included in -devel docs.
 cp -pr examples Examples
@ -146,6 +149,14 @@ make test


 %changelog
+* Fri Jun 23 2023 Than Ngo <than@redhat.com> - 0.11.0-7
+- add missing gating.yaml
+- fix rpminspect issue
+Related: #2215766
+
+* Fri Jun 23 2023 Than Ngo <than@redhat.com> - 0.11.0-6
+- Resolves: #2215766, insecure credentials submission
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.11.0-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688