diff --git a/.gitignore b/.gitignore index f41a3b2..22cb93a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -librepo-1.18.0.tar.gz +librepo-1.19.0.tar.gz diff --git a/0003-Propagate-return-value-from-prepare_repo_download_ta.patch b/0001-Propagate-return-value-from-prepare_repo_download_ta.patch similarity index 81% rename from 0003-Propagate-return-value-from-prepare_repo_download_ta.patch rename to 0001-Propagate-return-value-from-prepare_repo_download_ta.patch index fcdd178..25924dd 100644 --- a/0003-Propagate-return-value-from-prepare_repo_download_ta.patch +++ b/0001-Propagate-return-value-from-prepare_repo_download_ta.patch @@ -1,9 +1,14 @@ -From 089eac540f395db8303e42bc9716a14851b1132c Mon Sep 17 00:00:00 2001 +From 65b7fe41f6a367e8f2c91f377721896512308c72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= Date: Mon, 9 Jun 2025 09:25:39 +0200 Subject: [PATCH] Propagate return value from `prepare_repo_download_targets` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit It also ensures that when return value is false there is some error set. + +Signed-off-by: Petr Písař --- librepo/yum.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) @@ -27,5 +32,5 @@ index 56bca3e..482d4d9 100644 if (!targets) return TRUE; -- -2.49.0 +2.52.0 diff --git a/0001-Use-rpm-sequoia-on-RHEL-10.patch b/0001-Use-rpm-sequoia-on-RHEL-10.patch deleted file mode 100644 index 0169c54..0000000 --- a/0001-Use-rpm-sequoia-on-RHEL-10.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From f94e05110f5d670c71624c18cb479083c3ae3e51 Mon Sep 17 00:00:00 2001 -From: Yaakov Selkowitz -Date: Mon, 8 Jul 2024 11:28:30 -0400 -Subject: [PATCH] Use rpm-sequoia on RHEL 10+ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RHEL 10 also has a sufficiently new RPM with rpm-sequoia enabled. - -Signed-off-by: Petr Písař ---- - librepo.spec | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/librepo.spec b/librepo.spec -index 25dc741..62035dc 100644 ---- a/librepo.spec -+++ b/librepo.spec -@@ -8,7 +8,7 @@ - %bcond_without zchunk - %endif - --%if 0%{?fedora} >= 39 -+%if 0%{?fedora} >= 39 || 0%{?rhel} >= 10 - %bcond_with use_gpgme - %bcond_with use_selinux - %else --- -2.45.2 - diff --git a/0002-Fix-a-memory-leak-in-select_next_target.patch b/0002-Fix-a-memory-leak-in-select_next_target.patch deleted file mode 100644 index 1e679e1..0000000 --- a/0002-Fix-a-memory-leak-in-select_next_target.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 3c85711f35b987bd0ce17dd0fbaa0d9f2521c444 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 11 Jul 2024 15:40:03 +0200 -Subject: [PATCH] Fix a memory leak in select_next_target() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a next target URL was found (non-NULL full_url) and then a transfer was -canceled or an off-line mode was requested, full_url string was not freed and a -memory leaked. - -Discovered with Covscan: - - 16. librepo-1.18.0/librepo/downloader.c:891:13: alloc_fn: Storage is returned from allocation function "g_strdup_inline". - 17. librepo-1.18.0/librepo/downloader.c:891:13: var_assign: Assigning: "full_url" = storage returned from "g_strdup_inline(target->target->path)". - 22. librepo-1.18.0/librepo/downloader.c:919:9: noescape: Resource "full_url" is not freed or pointed-to in "lr_is_local_path". - 24. librepo-1.18.0/librepo/downloader.c:924:13: noescape: Assuming resource "full_url" is not freed or pointed-to as ellipsis argument to "g_debug". - 28. librepo-1.18.0/librepo/downloader.c:956:17: leaked_storage: Variable "full_url" going out of scope leaks the storage it points to. - # 954| "and no local URL is available", - # 955| target->target->path); - # 956|-> return FALSE; - # 957| } - # 958| } - - 16. librepo-1.18.0/librepo/downloader.c:891:13: alloc_fn: Storage is returned from allocation function "g_strdup_inline". - 17. librepo-1.18.0/librepo/downloader.c:891:13: var_assign: Assigning: "full_url" = storage returned from "g_strdup_inline(target->target->path)". - 22. librepo-1.18.0/librepo/downloader.c:919:9: noescape: Resource "full_url" is not freed or pointed-to in "lr_is_local_path". - 24. librepo-1.18.0/librepo/downloader.c:924:13: noescape: Assuming resource "full_url" is not freed or pointed-to as ellipsis argument to "g_debug". - 27. 
librepo-1.18.0/librepo/downloader.c:946:21: leaked_storage: Variable "full_url" going out of scope leaks the storage it points to. - # 944| g_set_error(err, LR_DOWNLOADER_ERROR, LRE_CBINTERRUPTED, - # 945| "Interrupted by LR_CB_ERROR from end callback"); - # 946|-> return FALSE; - # 947| } - # 948| } - -This patch fixes it. - -The bug was introduced in 1.7.14 version -(08e4810fcdd753ce4728bd88b252f7b3d34b2cdb commit). - -Signed-off-by: Petr Písař ---- - librepo/downloader.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/librepo/downloader.c b/librepo/downloader.c -index 364c0af..40dbeb2 100644 ---- a/librepo/downloader.c -+++ b/librepo/downloader.c -@@ -943,6 +943,7 @@ select_next_target(LrDownload *dd, - "from end callback", __func__); - g_set_error(err, LR_DOWNLOADER_ERROR, LRE_CBINTERRUPTED, - "Interrupted by LR_CB_ERROR from end callback"); -+ g_free(full_url); - return FALSE; - } - } -@@ -953,6 +954,7 @@ select_next_target(LrDownload *dd, - "Cannot download %s: Offline mode is specified " - "and no local URL is available", - target->target->path); -+ g_free(full_url); - return FALSE; - } - } --- -2.45.2 - diff --git a/0005-Test-importing-keys-with-prefix-and-suffix.patch b/0002-Test-importing-keys-with-prefix-and-suffix.patch similarity index 92% rename from 0005-Test-importing-keys-with-prefix-and-suffix.patch rename to 0002-Test-importing-keys-with-prefix-and-suffix.patch index 9fc72ff..ac206b9 100644 --- a/0005-Test-importing-keys-with-prefix-and-suffix.patch +++ b/0002-Test-importing-keys-with-prefix-and-suffix.patch @@ -1,9 +1,14 @@ -From 3db1cd8a7260f83170d247422976c8a8d4af09d9 Mon Sep 17 00:00:00 2001 +From 30dbb9976c8b6bc8dfd5e60b1344e864c201d89b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= Date: Mon, 30 Jun 2025 11:23:49 +0200 Subject: [PATCH] Test importing keys with prefix and suffix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit Test the fix from: 1be89319d30d2ea2a027d6bd06bb1b76bd682f87 + +Signed-off-by: Petr Písař --- tests/test_gpg.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) @@ -73,5 +78,5 @@ index 6642cc7..b865991 100644 return s; } -- -2.50.0 +2.52.0 diff --git a/0004-Fix-input-termination-for-pgpParsePkts.patch b/0004-Fix-input-termination-for-pgpParsePkts.patch deleted file mode 100644 index 8db56f7..0000000 --- a/0004-Fix-input-termination-for-pgpParsePkts.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 06f979fc87ca16046df0a9117ef1ca8c1751135c Mon Sep 17 00:00:00 2001 -From: Jaroslav Rohel -Date: Wed, 2 Oct 2024 10:00:34 +0200 -Subject: [PATCH] Fix input termination for pgpParsePkts - -The `pgpParsePkts` function needs the OpenPGP ASCII armored input to be -null terminated. The librepo contains code that checks if the input is -null-terminated. If it is not, the code creates a local null-terminated -copy of the input. - -There was a bug in the code, so it may look for a terminating null -several bytes behind the input buffer. And when a null was found behind -the input buffer, the termination was not done. This caused -the `pgpParsePkts` function to process several extra characters after -the input buffer. These characters are generally random and sometimes -cause the `pgpParsePkts` function to return an error. ---- - librepo/gpg_rpm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/librepo/gpg_rpm.c b/librepo/gpg_rpm.c -index a1613ee8..692c64ec 100644 ---- a/librepo/gpg_rpm.c -+++ b/librepo/gpg_rpm.c -@@ -350,7 +350,7 @@ lr_gpg_import_key_from_memory(const char *key, size_t key_len, const char *home_ - - // `pgpParsePkts` needs null-terminated input, if null byte not found, make a local null-terminated copy - g_autofree gchar * key_with_null_byte = NULL; -- if (memchr(block_begin, '\0', key_len) == NULL) { -+ if (memchr(block_begin, '\0', key_len - (block_begin - key)) == NULL) { - key_with_null_byte = g_new(gchar, key_len + 1); - memcpy(key_with_null_byte, key, key_len); - key_with_null_byte[key_len] = '\0'; -@@ -533,7 +533,7 @@ check_signature(const gchar * sig_buf, ssize_t sig_buf_len, const gchar * data, - - // `pgpParsePkts` needs null-terminated input, if null byte not found, make a local null-terminated copy - g_autofree gchar * sig_buf_with_null_byte = NULL; -- if (memchr(block_begin, '\0', sig_buf_len) == NULL) { -+ if (memchr(block_begin, '\0', sig_buf_len - (block_begin - sig_buf)) == NULL) { - 
sig_buf_with_null_byte = g_new(gchar, sig_buf_len + 1); - memcpy(sig_buf_with_null_byte, sig_buf, sig_buf_len); - sig_buf_with_null_byte[sig_buf_len] = '\0'; diff --git a/librepo.spec b/librepo.spec index 77b913e..5ee4199 100644 --- a/librepo.spec +++ b/librepo.spec @@ -19,6 +19,8 @@ # Needs to match how gnupg2 is compiled %bcond_with run_gnupg_user_socket +%bcond_with sanitizers + %if %{with use_gpgme} && %{with use_selinux} %global need_selinux 1 %else @@ -28,19 +30,16 @@ %global dnf_conflict 2.8.8 Name: librepo -Version: 1.18.0 -Release: 6%{?dist} +Version: 1.19.0 +Release: 1%{?dist} Summary: Repodata downloading library License: LGPL-2.1-or-later URL: https://github.com/rpm-software-management/librepo Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -Patch1: 0001-Use-rpm-sequoia-on-RHEL-10.patch -Patch2: 0002-Fix-a-memory-leak-in-select_next_target.patch -Patch3: 0003-Propagate-return-value-from-prepare_repo_download_ta.patch +Patch1: 0001-Propagate-return-value-from-prepare_repo_download_ta.patch # https://github.com/rpm-software-management/librepo/pull/325 -Patch4: 0004-Fix-input-termination-for-pgpParsePkts.patch -Patch5: 0005-Test-importing-keys-with-prefix-and-suffix.patch +Patch2: 0002-Test-importing-keys-with-prefix-and-suffix.patch BuildRequires: cmake BuildRequires: gcc @@ -65,6 +64,12 @@ BuildRequires: pkgconfig(zck) >= 0.9.11 %endif Requires: libcurl%{?_isa} >= %{libcurl_version} +%if %{with sanitizers} +BuildRequires: libasan +BuildRequires: liblsan +BuildRequires: libubsan +%endif + %description A library providing C and Python (libcURL like) API to downloading repository metadata. 
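Review bot: The new `%bcond_with sanitizers` in the `@@ -19,6 +19,8 @@` hunk of librepo.spec has no comment, unlike the `run_gnupg_user_socket` conditional directly above it. When enabled it passes `-DWITH_SANITIZERS=ON` to the same cmake build that produces the packaged library (`@@ -103,7 +108,12 @@`) and adds libasan, liblsan and libubsan as build dependencies (`@@ -65,6 +64,12 @@`), so the result is presumably an instrumented library. I would document that it is for debugging and test builds only and must stay off for released packages, for example `# Debug/test builds only: builds the library with ASan/LSan/UBSan; keep disabled for shipped packages`.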
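Review bot: The comment `# https://github.com/rpm-software-management/librepo/pull/325` in the `@@ -28,19 +30,16 @@` hunk now sits directly above `Patch2: 0002-Test-importing-keys-with-prefix-and-suffix.patch`, whereas before this change it sat above the removed `Patch4: 0004-Fix-input-termination-for-pgpParsePkts.patch`. If the link documents the pgpParsePkts fix rather than the test, it now annotates the wrong patch and should be reworded or dropped. The three removed patches include the fix for `memchr` scanning past the input buffer in key import and signature checking. They are presumably contained in 1.19.0, but neither the spec nor the changelog says so. Once that is confirmed against the new tarball, a line such as `# Fix for pgpParsePkts input termination is part of 1.19.0; Patch2 keeps its regression test` would make the removal auditable.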
@@ -103,7 +108,12 @@ Python 3 bindings for the librepo library. -DWITH_ZCHUNK=%{?with_zchunk:ON}%{!?with_zchunk:OFF} \ -DUSE_GPGME=%{?with_use_gpgme:ON}%{!?with_use_gpgme:OFF} \ -DUSE_RUN_GNUPG_USER_SOCKET=%{?with_run_gnupg_user_socket:ON}%{!?with_run_gnupg_user_socket:OFF} \ - -DENABLE_SELINUX=%{?need_selinux:ON}%{!?need_selinux:OFF} + -DWITH_SANITIZERS=%{?with_sanitizers:ON}%{!?with_sanitizers:OFF} \ +%if %{need_selinux} + -DENABLE_SELINUX=ON +%else + -DENABLE_SELINUX=OFF +%endif %cmake_build %check @@ -133,8 +143,11 @@ Python 3 bindings for the librepo library. %{python3_sitearch}/%{name}/ %changelog +* Tue Nov 25 2025 Petr Pisar - 1.19.0-1 +- Rebase to 1.19.0 (RHEL-126292) + * Thu Jul 03 2025 Ales Matej - 1.18.0-6 -- Test for: Fix input termination for pgpParsePkts (RHEL-125130) +- Test for: Fix input termination for pgpParsePkts (RHEL-61730) * Tue Jun 24 2025 Romain Geissler - 1.18.0-5 - Fix input termination for pgpParsePkts diff --git a/sources b/sources index 4ecab35..722258d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (librepo-1.18.0.tar.gz) = 6630b4751163ff6a34c32b94f6d0ecdc34926ade6aa92342c99eef9a514edd25405e051c58f6630615dd9cd04ef5c0404ebc4805708356477b97d351baa19a73 +SHA512 (librepo-1.19.0.tar.gz) = dd6c0cc69a3fa7324e0753b260a394a0ac5587ca73a6d5d567c63e92ced0d71b35b48db573130cfcce2b6bd582fe486f40ca3299439742f0287778f613195e2d
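Review bot: Replacing `%{?need_selinux:ON}%{!?need_selinux:OFF}` with `%if %{need_selinux}` in the `@@ -103,7 +108,12 @@` hunk changes the test from "macro is defined" to "macro value is non-zero", which can flip `-DENABLE_SELINUX` for some builds. The `%else` branch of the macro's definition is outside this diff. If it is `%global need_selinux 0`, the old spec always passed `ENABLE_SELINUX=ON`, and the new one passes `OFF` unless both the gpgme and SELinux conditionals are set. That is a change to a security-related build option inside a commit whose changelog entry only says `Rebase to 1.19.0`; I would record it there, e.g. `- Pass ENABLE_SELINUX=OFF when SELinux support is not needed`. Note also that `%if %{need_selinux}` stops parsing if the macro is ever left undefined, so its definition has to remain unconditional.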