From 15f15a0efabc9f36999fb026d0ee31a6f05de390 Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Fri, 30 Apr 2021 14:16:13 +0200 Subject: [PATCH] Remove the unnecessary LTO patch Resolves: rhbz#1951277 --- mod_auth_openidc-2.4.3-nonlto.patch | 15 --- mod_auth_openidc.spec | 9 +- test-segfault.patch | 167 ---------------------------- 3 files changed, 5 insertions(+), 186 deletions(-) delete mode 100644 mod_auth_openidc-2.4.3-nonlto.patch delete mode 100644 test-segfault.patch diff --git a/mod_auth_openidc-2.4.3-nonlto.patch b/mod_auth_openidc-2.4.3-nonlto.patch deleted file mode 100644 index 5d63a19..0000000 --- a/mod_auth_openidc-2.4.3-nonlto.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- mod_auth_openidc-2.4.3/Makefile.in.nonlto -+++ mod_auth_openidc-2.4.3/Makefile.in -@@ -73,8 +73,11 @@ - @NAMEVER@.tar.gz: $(DISTFILES) - tar -c --transform="s#^#@NAMEVER@/#" -vzf $@ $(DISTFILES) - -+APXS_CFLAGS := $(shell @APXS2@ -q CFLAGS | sed 's/-f[^ ]*lto[^ ]* //g') $(CFLAGS) $(shell @APXS2@ -q EXTRA_CPPFLAGS) -+APXS_CC := $(shell @APXS2@ -q CC) $(APXS_CFLAGS) $(shell @APXS2@ -q EXTRA_INCLUDES) -+ - test/test test/test-cmd: test/test.c test/test-cmd.c test/stub.c src/mod_auth_openidc.la -- @APXS2@ @APXS2_OPTS@ -Wc,"-DNAMEVER=\"@NAMEVER@\" $(CFLAGS)" -Wl,"$(LIBS)" -Isrc -Wc,-Wall -Wc,-g -c -o $@ $@.c test/stub.c $(SRC:.c=.lo) @APR_LIBS@ -+ $(APXS_CC) -DNAMEVER=\"@NAMEVER@\" $(CFLAGS) $(LIBS) -Isrc -Wall -g -o $@ $@.c test/stub.c $(SRC:.c=.o) @APR_LIBS@ - - test-compile: test/test test/test-cmd - diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec index decab6d..39ff69a 100644 --- a/mod_auth_openidc.spec +++ b/mod_auth_openidc.spec @@ -1,4 +1,4 @@ -%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}} +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}} %{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} %{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}} @@ -15,13 +15,12 @@ Name: mod_auth_openidc Version: 2.4.4.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server License: ASL 2.0 URL: https://github.com/zmartzone/mod_auth_openidc Source0: https://github.com/zmartzone/mod_auth_openidc/archive/v%{version}.tar.gz -Patch0: mod_auth_openidc-2.4.3-nonlto.patch BuildRequires: gcc BuildRequires: httpd-devel @@ -42,7 +41,6 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q -%patch0 -p1 -b .nonlto %build # workaround rpm-buildroot-usage @@ -96,6 +94,9 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Fri Apr 30 2021 Tomas Halman - 2.4.4.1-3 +- Resolves: rhbz#1951277 - Remove unnecessary LTO patch + * Fri Apr 16 2021 Mohan Boddu - 2.4.4.1-2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 diff --git a/test-segfault.patch b/test-segfault.patch deleted file mode 100644 index 34bf7f0..0000000 --- a/test-segfault.patch +++ /dev/null @@ -1,167 +0,0 @@ -commit fe7dfb14c45262df3b15bda374b2ee390b43cfb4 -Author: John Dennis -Date: Tue Aug 14 18:08:56 2018 -0400 - - test_proto_authorization_request() segfault due to uninitialized value - - Many thanks to Florian Weimer for his assistence - in helping diagnose the problem. - - In test_proto_authorization_request() it creates a provider object but - fails to fully initialize it. In particular it fails to initialize - auth_request_method to OIDC_AUTH_REQUEST_METHOD_GET. - - The function oidc_proto_authorization_request() in the file - src/proto.c has a weak test for provider->auth_request_method on line - 646. - - if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_POST) { - /* construct a HTML POST auto-submit page with the authorization request parameters */ - } else { - /* construct the full authorization request URL */ - } - - The assumption is provider->auth_request_method must be one of - OIDC_AUTH_REQUEST_METHOD_GET or OIDC_AUTH_REQUEST_METHOD_POST but if - the provider struct is not properly initialized it could be any random - value. Therefore the fact provider->auth_request_method does not equal - OIDC_AUTH_REQUEST_METHOD_POST does not imply it's - OIDC_AUTH_REQUEST_METHOD_GET. The test would also be a problem if - OIDC_AUTH_REQUEST_METHOD ever added a new enumerated value. - - The defined values for OIDC_AUTH_REQUEST_METHOD are: - define OIDC_AUTH_REQUEST_METHOD_GET 0 - define OIDC_AUTH_REQUEST_METHOD_POST 1 - - So what the test on line src/proto.c:646 is really saying is this: - if provider->auth_request_method != 1 then use the GET method. - - The unit test works most of the time because it's unlikely the - unitialized auth_request_method member will be exactly 1. Except on - some architectures it is (e.g. s390x). Of course what's on the stack - is influenced by a variety of factors (all unknown). - - The segfault occurs because oidc_proto_authorization_request() takes - the OIDC_AUTH_REQUEST_METHOD_POST branch and calls - oidc_proto_html_post() which then operates on more uninitialized - data. Specfically request->connection->bucket_alloc is - NULL. Fortunately the request object was intialized to zero via - apr_pcalloc() so at least bucket_alloc will consistetnly be NULL. - - Here is the stack trace: - - Program received signal SIGSEGV, Segmentation fault. - 0x00007ffff6b9f67a in apr_bucket_alloc () from /lib64/libaprutil-1.so.0 - (gdb) bt - from /lib64/libaprutil-1.so.0 - data=0x6adfe0 "\n\n \n \n Submitting"..., - data_len=825, content_type=0x47311a "text/html", success_rvalue=-2) - at src/util.c:1307 - title=0x46bf28 "Submitting...", html_head=0x0, - on_load=0x46bf0d "document.forms[0].submit()", - html_body=0x6add40 " <p>Submitting Authentication Request...</p>\n <form method=\"post\" action=\"https://idp.example.com/authorize\">\n <p>\n <input type=\"hidden\" name=\"response_type\" value=\"code\">\n <input"..., status_code=-2) at src/util.c:1349 - url=0x465758 "https://idp.example.com/authorize", params=0x6acf30) - at src/proto.c:544 - provider=0x7fffffffd260, login_hint=0x0, - redirect_uri=0x465790 "https://www.example.com/protected/", - state=0x4657b3 "12345", proto_state=0x68e5f0, id_token_hint=0x0, - nge=0x0, auth_request_params=0x0, path_scope=0x0) at src/proto.c:650 - - This patch does the following: - - 1) Initializes the provider struct created on the stack in - test_proto_authorization_request to zero so it's at least - initialized to known consistent values. - - 2) Initializes provider.auth_request_method to - OIDC_AUTH_REQUEST_METHOD_GET. - - 3) Initializes request->connection->bucket_alloc via - apr_bucket_alloc_create() so if one does enter that code it won't - segfault. - - It's easy to verify the above observations. - - If you explicitly intialize provider.auth_request_method to - OIDC_AUTH_REQUEST_METHOD_POST in test_proto_authorization_request() - instead of allowing it to be a random stack value you will segfault - every time. However if you initialize request->connection->bucket_alloc - the segfault goes away and the unit test correctly reports the error, - e.g. - - Failed: # test_proto_authorization_request: error in oidc_proto_authorization_request (1): result "0" != expected "1" - - WARNING: This patch does not address the test in proto.c:646. That - test should be augmented to assure only valid enumerated values are - operated on and if the enumerated value is not valid it should return - an error. - -Note: The above was fixed in the following commit. - - Signed-off-by: John Dennis <jdennis@redhat.com> - -diff --git a/test/test.c b/test/test.c -index 16f09b5..87d3700 100755 ---- a/test/test.c -+++ b/test/test.c -@@ -1019,6 +1019,9 @@ static char *test_proto_validate_code(request_rec *r) { - static char * test_proto_authorization_request(request_rec *r) { - - oidc_provider_t provider; -+ -+ memset(&provider, 0, sizeof(provider)); -+ - provider.issuer = "https://idp.example.com"; - provider.authorization_endpoint_url = "https://idp.example.com/authorize"; - provider.scope = "openid"; -@@ -1028,6 +1031,8 @@ static char * test_proto_authorization_request(request_rec *r) { - provider.auth_request_params = NULL; - provider.request_object = NULL; - provider.token_binding_policy = OIDC_TOKEN_BINDING_POLICY_OPTIONAL; -+ provider.auth_request_method = OIDC_AUTH_REQUEST_METHOD_GET; -+ - const char *redirect_uri = "https://www.example.com/protected/"; - const char *state = "12345"; - -@@ -1260,6 +1265,7 @@ static request_rec * test_setup(apr_pool_t *pool) { - sizeof(struct process_rec)); - request->server->process->pool = request->pool; - request->connection = apr_pcalloc(request->pool, sizeof(struct conn_rec)); -+ request->connection->bucket_alloc = apr_bucket_alloc_create(request->pool); - request->connection->local_addr = apr_pcalloc(request->pool, - sizeof(apr_sockaddr_t)); - -commit aca77a82c1ce2f1ec8f363066ffbc480b3bd75c8 -Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu> -Date: Wed Aug 15 07:47:57 2018 +0200 - - add sanity check on provider->auth_request_method; closes #382 - - thanks @jdennis; bump to 2.3.8rc4 - - Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu> - -diff --git a/src/proto.c b/src/proto.c -index e9dbc99..ac7696a 100644 ---- a/src/proto.c -+++ b/src/proto.c -@@ -649,7 +649,7 @@ int oidc_proto_authorization_request(request_rec *r, - rv = oidc_proto_html_post(r, provider->authorization_endpoint_url, - params); - -- } else { -+ } else if (provider->auth_request_method == OIDC_AUTH_REQUEST_METHOD_GET) { - - /* construct the full authorization request URL */ - authorization_request = oidc_util_http_query_encoded_url(r, -@@ -666,6 +666,10 @@ int oidc_proto_authorization_request(request_rec *r, - /* and tell Apache to return an HTTP Redirect (302) message */ - rv = HTTP_MOVED_TEMPORARILY; - } -+ } else { -+ oidc_error(r, "provider->auth_request_method set to wrong value: %d", -+ provider->auth_request_method); -+ return HTTP_INTERNAL_SERVER_ERROR; - } - - /* add a referred token binding request for the provider if enabled */