import UBI librepo-1.19.0-1.el10

2026-05-19 18:51:19 -04:00 · 2026-05-19 18:51:19 -04:00 · 820fafe68a
commit 820fafe68a
parent fcc809d849
8 changed files with 38 additions and 157 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-librepo-1.18.0.tar.gz
+librepo-1.19.0.tar.gz
--- a/0001-Propagate-return-value-from-prepare_repo_download_ta.patch
+++ b/0001-Propagate-return-value-from-prepare_repo_download_ta.patch
@ -1,9 +1,14 @@
-From 089eac540f395db8303e42bc9716a14851b1132c Mon Sep 17 00:00:00 2001
+From 65b7fe41f6a367e8f2c91f377721896512308c72 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
 Date: Mon, 9 Jun 2025 09:25:39 +0200
 Subject: [PATCH] Propagate return value from `prepare_repo_download_targets`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

 It also ensures that when return value is false there is some error set.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 librepo/yum.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
@ -27,5 +32,5 @@ index 56bca3e..482d4d9 100644
     if (!targets)
         return TRUE;
 -- 
-2.49.0
+2.52.0

--- a/0001-Use-rpm-sequoia-on-RHEL-10.patch
+++ b/0001-Use-rpm-sequoia-on-RHEL-10.patch
@ -1,31 +0,0 @@
-From f94e05110f5d670c71624c18cb479083c3ae3e51 Mon Sep 17 00:00:00 2001
-From: Yaakov Selkowitz <yselkowi@redhat.com>
-Date: Mon, 8 Jul 2024 11:28:30 -0400
-Subject: [PATCH] Use rpm-sequoia on RHEL 10+
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RHEL 10 also has a sufficiently new RPM with rpm-sequoia enabled.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
---
- librepo.spec | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/librepo.spec b/librepo.spec
-index 25dc741..62035dc 100644
--- a/librepo.spec
-+++ b/librepo.spec
-@@ -8,7 +8,7 @@
- %bcond_without zchunk
- %endif
- 
-%if 0%{?fedora} >= 39
-+%if 0%{?fedora} >= 39 || 0%{?rhel} >= 10
- %bcond_with use_gpgme
- %bcond_with use_selinux
- %else
-- 
-2.45.2
-
--- a/0002-Fix-a-memory-leak-in-select_next_target.patch
+++ b/0002-Fix-a-memory-leak-in-select_next_target.patch
@ -1,69 +0,0 @@
-From 3c85711f35b987bd0ce17dd0fbaa0d9f2521c444 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
-Date: Thu, 11 Jul 2024 15:40:03 +0200
-Subject: [PATCH] Fix a memory leak in select_next_target()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a next target URL was found (non-NULL full_url) and then a transfer was
-canceled or an off-line mode was requested, full_url string was not freed and a
-memory leaked.
-
-Discovered with Covscan:
-
-    16. librepo-1.18.0/librepo/downloader.c:891:13: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
-    17. librepo-1.18.0/librepo/downloader.c:891:13: var_assign: Assigning: "full_url" = storage returned from "g_strdup_inline(target->target->path)".
-    22. librepo-1.18.0/librepo/downloader.c:919:9: noescape: Resource "full_url" is not freed or pointed-to in "lr_is_local_path".
-    24. librepo-1.18.0/librepo/downloader.c:924:13: noescape: Assuming resource "full_url" is not freed or pointed-to as ellipsis argument to "g_debug".
-    28. librepo-1.18.0/librepo/downloader.c:956:17: leaked_storage: Variable "full_url" going out of scope leaks the storage it points to.
-    #   954|                               "and no local URL is available",
-    #   955|                               target->target->path);
-    #   956|->                 return FALSE;
-    #   957|               }
-    #   958|           }
-
-    16. librepo-1.18.0/librepo/downloader.c:891:13: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
-    17. librepo-1.18.0/librepo/downloader.c:891:13: var_assign: Assigning: "full_url" = storage returned from "g_strdup_inline(target->target->path)".
-    22. librepo-1.18.0/librepo/downloader.c:919:9: noescape: Resource "full_url" is not freed or pointed-to in "lr_is_local_path".
-    24. librepo-1.18.0/librepo/downloader.c:924:13: noescape: Assuming resource "full_url" is not freed or pointed-to as ellipsis argument to "g_debug".
-    27. librepo-1.18.0/librepo/downloader.c:946:21: leaked_storage: Variable "full_url" going out of scope leaks the storage it points to.
-    #   944|                       g_set_error(err, LR_DOWNLOADER_ERROR, LRE_CBINTERRUPTED,
-    #   945|                               "Interrupted by LR_CB_ERROR from end callback");
-    #   946|->                     return FALSE;
-    #   947|                   }
-    #   948|               }
-
-This patch fixes it.
-
-The bug was introduced in 1.7.14 version
-(08e4810fcdd753ce4728bd88b252f7b3d34b2cdb commit).
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
---
- librepo/downloader.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/librepo/downloader.c b/librepo/downloader.c
-index 364c0af..40dbeb2 100644
--- a/librepo/downloader.c
-+++ b/librepo/downloader.c
-@@ -943,6 +943,7 @@ select_next_target(LrDownload *dd,
-                             "from end callback", __func__);
-                     g_set_error(err, LR_DOWNLOADER_ERROR, LRE_CBINTERRUPTED,
-                             "Interrupted by LR_CB_ERROR from end callback");
-+                    g_free(full_url);
-                     return FALSE;
-                 }
-             }
-@@ -953,6 +954,7 @@ select_next_target(LrDownload *dd,
-                             "Cannot download %s: Offline mode is specified "
-                             "and no local URL is available",
-                             target->target->path);
-+                g_free(full_url);
-                 return FALSE;
-             }
-         }
-- 
-2.45.2
-
--- a/0002-Test-importing-keys-with-prefix-and-suffix.patch
+++ b/0002-Test-importing-keys-with-prefix-and-suffix.patch
@ -1,9 +1,14 @@
-From 3db1cd8a7260f83170d247422976c8a8d4af09d9 Mon Sep 17 00:00:00 2001
+From 30dbb9976c8b6bc8dfd5e60b1344e864c201d89b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
 Date: Mon, 30 Jun 2025 11:23:49 +0200
 Subject: [PATCH] Test importing keys with prefix and suffix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

 Test the fix from: 1be89319d30d2ea2a027d6bd06bb1b76bd682f87
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 tests/test_gpg.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
@ -73,5 +78,5 @@ index 6642cc7..b865991 100644
     return s;
 }
 -- 
-2.50.0
+2.52.0

--- a/0004-Fix-input-termination-for-pgpParsePkts.patch
+++ b/0004-Fix-input-termination-for-pgpParsePkts.patch
@ -1,42 +0,0 @@
-From 06f979fc87ca16046df0a9117ef1ca8c1751135c Mon Sep 17 00:00:00 2001
-From: Jaroslav Rohel <jrohel@redhat.com>
-Date: Wed, 2 Oct 2024 10:00:34 +0200
-Subject: [PATCH] Fix input termination for pgpParsePkts
-
-The `pgpParsePkts` function needs the OpenPGP ASCII armored input to be
-null terminated. The librepo contains code that checks if the input is
-null-terminated. If it is not, the code creates a local null-terminated
-copy of the input.
-
-There was a bug in the code, so it may look for a terminating null
-several bytes behind the input buffer. And when a null was found behind
-the input buffer, the termination was not done. This caused
-the `pgpParsePkts` function to process several extra characters after
-the input buffer. These characters are generally random and sometimes
-cause the `pgpParsePkts` function to return an error.
---
- librepo/gpg_rpm.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/librepo/gpg_rpm.c b/librepo/gpg_rpm.c
-index a1613ee8..692c64ec 100644
--- a/librepo/gpg_rpm.c
-+++ b/librepo/gpg_rpm.c
-@@ -350,7 +350,7 @@ lr_gpg_import_key_from_memory(const char *key, size_t key_len, const char *home_
- 
-     // `pgpParsePkts` needs null-terminated input, if null byte not found, make a local null-terminated copy
-     g_autofree gchar * key_with_null_byte = NULL;
-    if (memchr(block_begin, '\0', key_len) == NULL) {
-+    if (memchr(block_begin, '\0', key_len - (block_begin - key)) == NULL) {
-         key_with_null_byte = g_new(gchar, key_len + 1);
-         memcpy(key_with_null_byte, key, key_len);
-         key_with_null_byte[key_len] = '\0';
-@@ -533,7 +533,7 @@ check_signature(const gchar * sig_buf, ssize_t sig_buf_len, const gchar * data,
- 
-         // `pgpParsePkts` needs null-terminated input, if null byte not found, make a local null-terminated copy
-         g_autofree gchar * sig_buf_with_null_byte = NULL;
-        if (memchr(block_begin, '\0', sig_buf_len) == NULL) {
-+        if (memchr(block_begin, '\0', sig_buf_len - (block_begin - sig_buf)) == NULL) {
-             sig_buf_with_null_byte = g_new(gchar, sig_buf_len + 1);
-             memcpy(sig_buf_with_null_byte, sig_buf, sig_buf_len);
-             sig_buf_with_null_byte[sig_buf_len] = '\0';
--- a/librepo.spec
+++ b/librepo.spec
@ -19,6 +19,8 @@
 # Needs to match how gnupg2 is compiled
 %bcond_with run_gnupg_user_socket

+%bcond_with sanitizers
+
 %if %{with use_gpgme} && %{with use_selinux}
 %global need_selinux 1
 %else
@ -28,19 +30,16 @@
 %global dnf_conflict 2.8.8

 Name:           librepo
-Version:        1.18.0
-Release:        6%{?dist}
+Version:        1.19.0
+Release:        1%{?dist}
 Summary:        Repodata downloading library

 License:        LGPL-2.1-or-later
 URL:            https://github.com/rpm-software-management/librepo
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
-Patch1:         0001-Use-rpm-sequoia-on-RHEL-10.patch
-Patch2:         0002-Fix-a-memory-leak-in-select_next_target.patch
-Patch3:         0003-Propagate-return-value-from-prepare_repo_download_ta.patch
+Patch1:         0001-Propagate-return-value-from-prepare_repo_download_ta.patch
 # https://github.com/rpm-software-management/librepo/pull/325
-Patch4:         0004-Fix-input-termination-for-pgpParsePkts.patch
-Patch5:         0005-Test-importing-keys-with-prefix-and-suffix.patch
+Patch2:         0002-Test-importing-keys-with-prefix-and-suffix.patch

 BuildRequires:  cmake
 BuildRequires:  gcc
@ -65,6 +64,12 @@ BuildRequires:  pkgconfig(zck) >= 0.9.11
 %endif
 Requires:       libcurl%{?_isa} >= %{libcurl_version}

+%if %{with sanitizers}
+BuildRequires:  libasan
+BuildRequires:  liblsan
+BuildRequires:  libubsan
+%endif
+
 %description
 A library providing C and Python (libcURL like) API to downloading repository
 metadata.
@ -103,7 +108,12 @@ Python 3 bindings for the librepo library.
    -DWITH_ZCHUNK=%{?with_zchunk:ON}%{!?with_zchunk:OFF} \
    -DUSE_GPGME=%{?with_use_gpgme:ON}%{!?with_use_gpgme:OFF} \
    -DUSE_RUN_GNUPG_USER_SOCKET=%{?with_run_gnupg_user_socket:ON}%{!?with_run_gnupg_user_socket:OFF} \
-    -DENABLE_SELINUX=%{?need_selinux:ON}%{!?need_selinux:OFF}
+    -DWITH_SANITIZERS=%{?with_sanitizers:ON}%{!?with_sanitizers:OFF} \
+%if %{need_selinux}
+    -DENABLE_SELINUX=ON
+%else
+    -DENABLE_SELINUX=OFF
+%endif
 %cmake_build

 %check
@ -133,8 +143,11 @@ Python 3 bindings for the librepo library.
 %{python3_sitearch}/%{name}/

 %changelog
+* Tue Nov 25 2025 Petr Pisar <ppisar@redhat.com> - 1.19.0-1
+- Rebase to 1.19.0 (RHEL-126292)
+
 * Thu Jul 03 2025 Ales Matej <amatej@redhat.com> - 1.18.0-6
- Test for: Fix input termination for pgpParsePkts (RHEL-125130)
+- Test for: Fix input termination for pgpParsePkts (RHEL-61730)

 * Tue Jun 24 2025 Romain Geissler <romain.geissler@amadeus.com> - 1.18.0-5
 - Fix input termination for pgpParsePkts
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (librepo-1.18.0.tar.gz) = 6630b4751163ff6a34c32b94f6d0ecdc34926ade6aa92342c99eef9a514edd25405e051c58f6630615dd9cd04ef5c0404ebc4805708356477b97d351baa19a73
+SHA512 (librepo-1.19.0.tar.gz) = dd6c0cc69a3fa7324e0753b260a394a0ac5587ca73a6d5d567c63e92ced0d71b35b48db573130cfcce2b6bd582fe486f40ca3299439742f0287778f613195e2d