From 144674e9d1128daba133e97023472b9053384b19 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 15 May 2024 07:42:31 +0000
Subject: [PATCH] Import from AlmaLinux stable repository
---
SOURCES/rabbitmq-c-CVE-2023-35789.patch | 125 ++++++++++++++++++++++++
SPECS/librabbitmq.spec | 19 +++-
2 files changed, 140 insertions(+), 4 deletions(-)
create mode 100644 SOURCES/rabbitmq-c-CVE-2023-35789.patch
diff --git a/SOURCES/rabbitmq-c-CVE-2023-35789.patch b/SOURCES/rabbitmq-c-CVE-2023-35789.patch
new file mode 100644
index 0000000..71f8ba9
--- /dev/null
+++ b/SOURCES/rabbitmq-c-CVE-2023-35789.patch
@@ -0,0 +1,125 @@
+commit 463054383fbeef889b409a7f843df5365288e2a0
+Author: Christian Kastner
+Date: Tue Jun 13 14:21:52 2023 +0200
+
+ Add option to read username/password from file (#781)
+
+ * Add option to read username/password from file
+
+diff --git a/tools/common.c b/tools/common.c
+index 73b47e2..7efe557 100644
+--- a/tools/common.c
++++ b/tools/common.c
+@@ -18,6 +18,11 @@
+ #include "compat.h"
+ #endif
+
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+ void die(const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+@@ -125,6 +130,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -147,6 +153,8 @@ struct poptOption connect_options[] = {
+ "the password to login with", "password"},
+ {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+ "heartbeat interval, set to 0 to disable", "heartbeat"},
++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++ "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -158,6 +166,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+ {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+
++void read_authfile(const char *path) {
++ size_t n;
++ FILE *fp = NULL;
++ char token[MAXAUTHTOKENLEN];
++
++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++ die("Out of memory");
++ } else if ((fp = fopen(path, "r")) == NULL) {
++ die("Could not read auth data file %s", path);
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++ die("Malformed auth file (missing username)");
++ }
++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_username);
++ if (amqp_username[n - 1] != '\n') {
++ die("Username too long");
++ } else {
++ amqp_username[n - 1] = '\0';
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++ die("Malformed auth file (missing password)");
++ }
++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_password);
++ if (amqp_password[n - 1] != '\n') {
++ die("Password too long");
++ } else {
++ amqp_password[n - 1] = '\0';
++ }
++
++ (void)fgetc(fp);
++ if (!feof(fp)) {
++ die("Malformed auth file (trailing data)");
++ }
++}
++
+ static void init_connection_info(struct amqp_connection_info *ci) {
+ ci->user = NULL;
+ ci->password = NULL;
+@@ -237,6 +289,8 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_username) {
+ if (amqp_url) {
+ die("--username and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--username and --authfile options cannot be used at the same time");
+ }
+
+ ci->user = amqp_username;
+@@ -245,11 +299,23 @@ static void init_connection_info(struct amqp_connection_info *ci) {
+ if (amqp_password) {
+ if (amqp_url) {
+ die("--password and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--password and --authfile options cannot be used at the same time");
+ }
+
+ ci->password = amqp_password;
+ }
+
++ if (amqp_authfile) {
++ if (amqp_url) {
++ die("--authfile and --url options cannot be used at the same time");
++ }
++
++ read_authfile(amqp_authfile);
++ ci->user = amqp_username;
++ ci->password = amqp_password;
++ }
++
+ if (amqp_vhost) {
+ if (amqp_url) {
+ die("--vhost and --url options cannot be used at the same time");
diff --git a/SPECS/librabbitmq.spec b/SPECS/librabbitmq.spec
index b77aacb..a0b3456 100644
--- a/SPECS/librabbitmq.spec
+++ b/SPECS/librabbitmq.spec
@@ -19,7 +19,7 @@ Name: %{libname} Summary: Client library for AMQP Version: 0.11.0 -Release: 5%{?dist} +Release: 7%{?dist} License: MIT URL: https://github.com/alanxz/rabbitmq-c
@@ -29,6 +29,8 @@ Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{g Patch0: %{gh_project}-static.patch # fix version for cmake module Patch1: %{gh_project}-version.patch +# CVE-2023-35789 +Patch2: rabbitmq-c-CVE-2023-35789.patch BuildRequires: gcc BuildRequires: cmake > 2.8
@@ -56,7 +58,7 @@ for %{name}. %package tools Summary: Example tools built using the librabbitmq package -Requires: %{name}%{?_isa} = %{version} +Requires: %{name}%{?_isa} = %{version}-%{release} %description tools This package contains example tools built using %{name}.
@@ -71,8 +73,9 @@ amqp-publish Publish a message on an AMQP server %prep %setup -q -n %{gh_project}-%{gh_commit} -%patch0 -p1 -%patch1 -p1 +%patch -P0 -p1 +%patch -P1 -p1 +%patch -P2 -p1 # Copy sources to be included in -devel docs. cp -pr examples Examples
@@ -146,6 +149,14 @@ make test %changelog +* Fri Jun 23 2023 Than Ngo - 0.11.0-7 +- add missing gating.yaml +- fix rpminspect issue +Related: #2215766 + +* Fri Jun 23 2023 Than Ngo - 0.11.0-6 +- Resolves: #2215766, insecure credentials submission + * Mon Aug 09 2021 Mohan Boddu - 0.11.0-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
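Review bot: In the new `read_authfile()` (added in full by the embedded tools/common.c patch), `amqp_username[n - 1]` is read without checking that `n` is non-zero, and the same pattern is repeated for `amqp_password`. If the line holds only the prefix with no newline (for example a file that ends right after `username:`), `strlen()` returns 0, `n - 1` wraps, and the index falls outside the 128-byte allocation. Both checks should reject the empty case first: `if (n == 0 || amqp_username[n - 1] != '\n') {` and `if (n == 0 || amqp_password[n - 1] != '\n') {`. The function also returns without `fclose(fp)` and leaves the password line in the stack buffer `token`; closing the stream and clearing `token` before returning would tidy that up. Since the option exists to keep credentials off the command line, the `--authfile` help text could also state that the file should be readable only by the invoking user, as no permission check is visible in this hunk.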