.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,2 @@
-SOURCES/luksmeta-9.tar.bz2
+/luksmeta-9.tar.bz2
+/luksmeta-10.tar.bz2

.luksmeta.metadata

@@ -1 +0,0 @@
-ea7cf9cee7ff08b7fcdd1a4a7d659506ce8c012a SOURCES/luksmeta-9.tar.bz2

SOURCES/0001-Define-log-callback-function-to-use-with-libcryptset.patch

@@ -1,45 +0,0 @@
-From 785ebee43a8c34be3fa8ec0387892b9e70a169fd Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Mon, 11 Nov 2019 18:06:13 -0500
-Subject: [PATCH] Define log callback function to use with libcryptsetup
-
-Logs from libcryptsetup now go to stderr and this prevents issues like
-the one reported in https://bugzilla.redhat.com/show_bug.cgi?id=1770395
----
- luksmeta.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/luksmeta.c b/luksmeta.c
-index a79da82..1c72787 100644
---- a/luksmeta.c
-+++ b/luksmeta.c
-@@ -45,6 +45,17 @@ struct options {
-     int slot;
- };
- 
-+#define LUKSMETA_LIBCRYPTSETUP_LOG_LEVEL CRYPT_LOG_ERROR
-+
-+static void
-+luksmeta_libcryptsetup_log(int level, const char *msg, void *usrptr)
-+{
-+    if (level != LUKSMETA_LIBCRYPTSETUP_LOG_LEVEL) {
-+       return;
-+    }
-+    fprintf(stderr, "%s", msg);
-+}
-+
- static int
- cmd_test(const struct options *opts, struct crypt_device *cd)
- {
-@@ -485,6 +496,8 @@ main(int argc, char *argv[])
-             return EX_IOERR;
-         }
- 
-+        crypt_set_log_callback(cd, luksmeta_libcryptsetup_log, NULL);
-+
-         r = crypt_load(cd, NULL, NULL);
-         if (r != 0) {
-             fprintf(stderr, "Unable to read LUKSv1 header (%s): %s\n",
--- 
-2.18.1
-

SOURCES/0002-Fix-handling-of-large-metadata.patch

@@ -1,91 +0,0 @@
-From 27c2157f4718030b19e2913fc3684268ffc74d11 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Wed, 22 Oct 2025 15:58:01 +0100
-Subject: [PATCH 2/2] Fix handling of large metadata
-
-Prevent metadata from being written beyond the gap between the LUKS
-header and encrypted data. The overflow check now correctly validates
-that the end position of new metadata does not exceed the hard limit,
-preventing corruption of encrypted data.
-
-Also add upfront size validation to reject metadata larger than the
-total available space.
-
-Fix: CVE-2025-11568
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
----
- libluksmeta.c | 13 +++++++++++--
- test-luksmeta | 16 ++++++++++++++++
- 2 files changed, 27 insertions(+), 2 deletions(-)
-
-diff --git a/libluksmeta.c b/libluksmeta.c
-index b653223..d2f7e42 100644
---- a/libluksmeta.c
-+++ b/libluksmeta.c
-@@ -69,8 +69,12 @@ checksum(lm_t lm)
- }
- 
- static inline bool
--overlap(const lm_t *lm, uint32_t start, size_t end)
-+overlap(const lm_t *lm, uint32_t start, size_t end, uint32_t hard_limit)
- {
-+    /* Make sure the data fits the available area in the gap. */
-+    if (end > hard_limit)
-+        return true;
-+
-     for (int i = 0; i < LUKS_NSLOTS; i++) {
-         const lm_slot_t *s = &lm->slots[i];
-         uint32_t e = s->offset + s->length;
-@@ -90,8 +94,13 @@ find_gap(const lm_t *lm, uint32_t length, size_t size)
- {
-     size = ALIGN(size, true);
- 
-+    /* Make sure the data is not larger than the total available
-+     * area in the gap. */
-+    if (length < size)
-+        return 0;
-+
-     for (uint32_t off = ALIGN(1, true); off < length; off += ALIGN(1, true)) {
--        if (!overlap(lm, off, off + size))
-+        if (!overlap(lm, off, off + size, lm->slots[0].offset + length))
-             return off;
-     }
- 
-diff --git a/test-luksmeta b/test-luksmeta
-index f1e8b2e..884a33a 100755
---- a/test-luksmeta
-+++ b/test-luksmeta
-@@ -3,9 +3,12 @@
- trap 'exit' ERR
- 
- export tmp=`mktemp /tmp/luksmeta.XXXXXXXXXX`
-+export tmpdata=`mktemp /tmp/luksmeta.XXXXXXXXXX`
-+
- 
- function onexit() {
-     rm -f $tmp
-+    rm -f "${tmpdata}"
- }
- 
- trap 'onexit' EXIT
-@@ -50,3 +53,16 @@ echo hi | ./luksmeta save -s 0 -u 23149359-1b61-4803-b818-774ab730fbec -d $tmp
- test "`./luksmeta load -s 0 -d $tmp`" == "hi"
- ./luksmeta init -n -f -d $tmp
- ! ./luksmeta load -s 0 -d $tmp
-+
-+# CVE-2025-11568 - test attempt to store extremely large amount of data in a slot.
-+./luksmeta init -f -d "${tmp}"
-+dd bs=1024k count=1 </dev/zero >"${tmpdata}"
-+! ./luksmeta save -s 1 -u 23149359-1b61-4803-b818-774ab730fbec -d "${tmp}" < "${tmpdata}"
-+
-+# Additional test for CVE-2025-11568 boundary conditions.
-+# Verify overflow protection with multiple existing slots at various offsets.
-+./luksmeta init -f -d "${tmp}"
-+echo "a" | ./luksmeta save -s 0 -u 11111111-1111-1111-1111-111111111111 -d "${tmp}"
-+echo "b" | ./luksmeta save -s 1 -u 22222222-2222-2222-2222-222222222222 -d "${tmp}"
-+dd bs=1024 count=900 </dev/zero >"${tmpdata}"
-+! ./luksmeta save -s 2 -u 33333333-3333-3333-3333-333333333333 -d "${tmp}" < "${tmpdata}"
--- 
-2.43.7
-

SOURCES/Relax-content-tests-in-test-suite.patch

@@ -1,151 +0,0 @@
-From e48ec659ca813f233769ff0752087c76a14442a9 Mon Sep 17 00:00:00 2001
-From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
-Date: Mon, 10 Dec 2018 14:25:33 +0100
-Subject: [PATCH] Relax content tests in test suite
-
-Starting with version 2.0.5, cryptsetup wipes the full LUKS header
-and fills unused sections with random data, this was introduced
-in commit
-
-    commit c2bce3e93ecee41f661b589ee28f112eb538259e
-    Author: Milan Broz <gmazyland@gmail.com>
-    Date:   Sun Oct 14 13:11:50 2018 +0200
-
-        Wipe full header areas (including unused) during LUKS format.
-
-While this is the right thing to do, it breaks luksmeta tests. So
-relax them.
-
-Bug-Debian: https://bugs.debian.org/915256
-Resolves: https://github.com/latchset/luksmeta/issues/6
----
- test-lm-assumptions.c | 3 ++-
- test-lm-big.c         | 4 ++--
- test-lm-init.c        | 4 ++--
- test-lm-one.c         | 4 ++--
- test-lm-two.c         | 8 ++++----
- 5 files changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/test-lm-assumptions.c b/test-lm-assumptions.c
-index d9ff20b..b4f293f 100644
---- a/test-lm-assumptions.c
-+++ b/test-lm-assumptions.c
-@@ -28,7 +28,8 @@ main(int argc, char *argv[])
-     /* Test the layout state. */
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                    /* LUKS header */
--        END(1024),                    /* Rest of the file */
-+        { 1024, 3072, true },           /* Keyslot Area */
-+        { 0, 0 },
-     }));
- 
-     unlink(filename);
-diff --git a/test-lm-big.c b/test-lm-big.c
-index 6098e59..eb94d3b 100644
---- a/test-lm-big.c
-+++ b/test-lm-big.c
-@@ -111,7 +111,7 @@ main(int argc, char *argv[])
- 
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         { offset + 4096, 4096 },       /* luksmeta slot 0 */
-         { offset + 8192, 4096 },       /* luksmeta slot 0 (cont) */
-@@ -127,7 +127,7 @@ main(int argc, char *argv[])
- 
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         END(offset + 4096),            /* Rest of the file */
-     }));
-diff --git a/test-lm-init.c b/test-lm-init.c
-index 2a6cb45..b16d597 100644
---- a/test-lm-init.c
-+++ b/test-lm-init.c
-@@ -57,7 +57,7 @@ main(int argc, char *argv[])
-     /* Test the layout state. */
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         END(offset + 4096),            /* Rest of the file */
-     }));
-@@ -106,7 +106,7 @@ main(int argc, char *argv[])
-     assert(luksmeta_test(cd) == -ENOENT);
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         END(offset),                   /* Rest of the file */
-     }));
- 
-diff --git a/test-lm-one.c b/test-lm-one.c
-index 8deb70a..18613e0 100644
---- a/test-lm-one.c
-+++ b/test-lm-one.c
-@@ -49,7 +49,7 @@ main(int argc, char *argv[])
-     /* Test the layout state. */
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         { offset + 4096, 4096 },       /* luksmeta slot 0 */
-         END(offset + 8192),            /* Rest of the file */
-@@ -68,7 +68,7 @@ main(int argc, char *argv[])
-     /* Test the layout state. */
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         END(offset + 4096),            /* Rest of the file */
-     }));
-diff --git a/test-lm-two.c b/test-lm-two.c
-index 78fea5b..9f0b1c5 100644
---- a/test-lm-two.c
-+++ b/test-lm-two.c
-@@ -53,7 +53,7 @@ main(int argc, char *argv[])
- 
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         { offset + 4096, 4096 },       /* luksmeta slot 0 */
-         END(offset + 8192),            /* Rest of the file */
-@@ -70,7 +70,7 @@ main(int argc, char *argv[])
- 
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         { offset + 4096, 4096 },       /* luksmeta slot 0 */
-         { offset + 8192, 4096 },       /* luksmeta slot 1 */
-@@ -88,7 +88,7 @@ main(int argc, char *argv[])
-     assert(luksmeta_wipe(cd, 0, UUID0) == 0);
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         { offset + 4096, 4096, true }, /* luksmeta slot 0 */
-         { offset + 8192, 4096 },       /* luksmeta slot 1 */
-@@ -99,7 +99,7 @@ main(int argc, char *argv[])
-     assert(luksmeta_wipe(cd, 1, UUID1) == 0);
-     assert(test_layout((range_t[]) {
-         { 0, 1024 },                   /* LUKS header */
--        { 1024, offset - 1024, true }, /* Keyslot Area */
-+        { 1024, 3072, true },          /* Keyslot Area */
-         { offset, 4096 },              /* luksmeta header */
-         END(offset + 4096),            /* Rest of the file */
-     }));
--- 
-2.19.2
-

SOURCES/luksmeta-9-tests.patch

@@ -1,26 +0,0 @@
-From 052c5d53d56f52cba95a569b3f2648b7cd647f1e Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum <npmccallum@redhat.com>
-Date: Thu, 9 Aug 2018 15:07:17 -0400
-Subject: [PATCH] Specify LUKSv1 during luksFormat
-
-This fixes tests on builds of cryptsetup which default to LUKSv2.
----
- test-luksmeta | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/test-luksmeta b/test-luksmeta
-index fd17ead..f1e8b2e 100755
---- a/test-luksmeta
-+++ b/test-luksmeta
-@@ -11,7 +11,7 @@ function onexit() {
- trap 'onexit' EXIT
- 
- truncate -s 4M $tmp
--echo -n foo | cryptsetup luksFormat $tmp -
-+echo -n foo | cryptsetup luksFormat --type luks1 $tmp -
- 
- ! ./luksmeta test -d $tmp
- 
--- 
-2.17.1
-

ci.tests.fmf

@@ -0,0 +1,12 @@
+/e2e_internal:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/luksmeta-plans.git
+      name: /generic/e2e_ci
+
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/luksmeta-plans.git
+      name: /generic/rpmverify
+

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

luksmeta.spec

@@ -1,21 +1,18 @@
 Name:           luksmeta
-Version:        9
-Release:        4%{?dist}.1
+Version:        10
+Release:        1%{?dist}
 Summary:        Utility for storing small metadata in the LUKSv1 header
 
 License:        LGPLv2+
 URL:            https://github.com/latchset/%{name}
 Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
-Patch0:         luksmeta-9-tests.patch
-Patch1:         Relax-content-tests-in-test-suite.patch
-Patch2:         0001-Define-log-callback-function-to-use-with-libcryptset.patch
-Patch3:         0002-Fix-handling-of-large-metadata.patch
 
 BuildRequires:  gcc
 BuildRequires:  asciidoc
 BuildRequires:  pkgconfig
-BuildRequires:  cryptsetup
 BuildRequires:  cryptsetup-devel
+BuildRequires:  cryptsetup
+BuildRequires: make
 Requires: lib%{name}%{?_isa} = %{version}-%{release}
 
 %description
@@ -52,8 +49,7 @@ rm -rf %{buildroot}/%{_libdir}/libluksmeta.la
 %check
 make %{?_smp_mflags} check
 
-%post -n lib%{name} -p /sbin/ldconfig
-%postun -n lib%{name} -p /sbin/ldconfig
+%ldconfig_scriptlets -n lib%{name}
 
 %files
 %{_bindir}/luksmeta
@@ -69,19 +65,42 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/luksmeta.pc
 
 %changelog
-* Fri Nov 28 2025 Sergio Correia <scorreia@redhat.com> - 9-4.1
-- Fix handling of large metadata
-  Resolves: RHEL-122138
+* Wed Nov 26 2025 Sergio Correia <scorreia@redhat.com> - 10-1
+- New upstream release v10
+  Resolves: RHEL-122139
 
-* Sat Nov 30 2019 Sergio Correia <scorreia@redhat.com> - 9-4
-- LUKSMeta now sets error level from libcryptsetup to CRYPT_LOG_ERROR, and
-  this output is logged to stderr
-  Resolves: rhbz#1770395
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 9-12
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Mon Dec 10 2018 Daniel Kopecek <dkopecek@redhat.com> - 9-3
-- Enabled build gating
-- Synced layout test assumtions with recent cryptsetup changes
-  Resolves: rhbz#1625683
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 9-11
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Apr 05 2021 Sergio Correia <scorreia@redhat.com> - 9-10
+- Add cryptsetup as a package required during build time.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 9-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Dec 31 2019 Sergio Correia <scorreia@redhat.com> - 9-6
+- Define log callback function to use with libcryptsetup
+  Logs from libcryptsetup now go to stderr and this prevents issues like
+  the one reported in https://bugzilla.redhat.com/show_bug.cgi?id=1770395
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 03 2019 Daniel Kopecek <dkopecek@redhat.com> - 9-4
+- Add patch to fix tests on newer kernels 
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
 * Thu Aug 09 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-2
 - Add (upstream) patch to fix tests on LUKSv2-default cryptsetup

sources

@@ -0,0 +1 @@
+SHA512 (luksmeta-10.tar.bz2) = 03994598c7d573492eea571677d0e9b61413fc305f5a8efb04985c38e727534c6b484f847cd0dd96a53b3d2982399441bf2e269860dd0bc12bcf690d5829d93b