import CS rpm-4.14.3-31.el8
This commit is contained in:
parent
4a3a1b81b3
commit
246439bd2c
@ -0,0 +1,107 @@
|
|||||||
|
From 186e0ab025b9ad92d900697f611633a6f6162f3b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Wed, 9 Feb 2022 14:47:14 +0200
|
||||||
|
Subject: [PATCH] Add optional callback on directory changes during rpmfi
|
||||||
|
iteration
|
||||||
|
|
||||||
|
Internal only for now in case we need to fiddle with the API some more,
|
||||||
|
but no reason this couldn't be made public later.
|
||||||
|
---
|
||||||
|
lib/rpmfi.c | 24 ++++++++++++++++++++----
|
||||||
|
lib/rpmfi_internal.h | 17 +++++++++++++++++
|
||||||
|
2 files changed, 37 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
|
||||||
|
index aec8220a3..6c631fdb5 100644
|
||||||
|
--- a/lib/rpmfi.c
|
||||||
|
+++ b/lib/rpmfi.c
|
||||||
|
@@ -53,6 +53,9 @@ struct rpmfi_s {
|
||||||
|
int intervalStart; /*!< Start of iterating interval. */
|
||||||
|
int intervalEnd; /*!< End of iterating interval. */
|
||||||
|
|
||||||
|
+ rpmfiChdirCb onChdir; /*!< Callback for directory changes */
|
||||||
|
+ void *onChdirData; /*!< Caller private callback data */
|
||||||
|
+
|
||||||
|
rpmfiles files; /*!< File info set */
|
||||||
|
rpmcpio_t archive; /*!< Archive with payload */
|
||||||
|
unsigned char * found; /*!< Bit field of files found in the archive */
|
||||||
|
@@ -298,11 +301,16 @@ rpm_count_t rpmfiDC(rpmfi fi)
|
||||||
|
return (fi != NULL ? rpmfilesDC(fi->files) : 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef NOTYET
|
||||||
|
-int rpmfiDI(rpmfi fi)
|
||||||
|
+int rpmfiSetOnChdir(rpmfi fi, rpmfiChdirCb cb, void *data)
|
||||||
|
{
|
||||||
|
+ int rc = -1;
|
||||||
|
+ if (fi != NULL) {
|
||||||
|
+ fi->onChdir = cb;
|
||||||
|
+ fi->onChdirData = data;
|
||||||
|
+ rc = 0;
|
||||||
|
+ }
|
||||||
|
+ return rc;
|
||||||
|
}
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
int rpmfiFX(rpmfi fi)
|
||||||
|
{
|
||||||
|
@@ -314,9 +322,17 @@ int rpmfiSetFX(rpmfi fi, int fx)
|
||||||
|
int i = -1;
|
||||||
|
|
||||||
|
if (fi != NULL && fx >= 0 && fx < rpmfilesFC(fi->files)) {
|
||||||
|
+ int dx = fi->j;
|
||||||
|
i = fi->i;
|
||||||
|
fi->i = fx;
|
||||||
|
fi->j = rpmfilesDI(fi->files, fi->i);
|
||||||
|
+ i = fi->i;
|
||||||
|
+
|
||||||
|
+ if (fi->j != dx && fi->onChdir) {
|
||||||
|
+ int chrc = fi->onChdir(fi, fi->onChdirData);
|
||||||
|
+ if (chrc < 0)
|
||||||
|
+ i = chrc;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
return i;
|
||||||
|
}
|
||||||
|
@@ -1682,9 +1698,9 @@ static rpmfi initIter(rpmfiles files, int itype, int link)
|
||||||
|
if (files && itype>=0 && itype<=RPMFILEITERMAX) {
|
||||||
|
fi = xcalloc(1, sizeof(*fi));
|
||||||
|
fi->i = -1;
|
||||||
|
+ fi->j = -1;
|
||||||
|
fi->files = link ? rpmfilesLink(files) : files;
|
||||||
|
fi->next = nextfuncs[itype];
|
||||||
|
- fi->i = -1;
|
||||||
|
if (itype == RPMFI_ITER_BACK) {
|
||||||
|
fi->i = rpmfilesFC(fi->files);
|
||||||
|
} else if (itype >=RPMFI_ITER_READ_ARCHIVE
|
||||||
|
diff --git a/lib/rpmfi_internal.h b/lib/rpmfi_internal.h
|
||||||
|
index dccc6ccbe..37f1d45f5 100644
|
||||||
|
--- a/lib/rpmfi_internal.h
|
||||||
|
+++ b/lib/rpmfi_internal.h
|
||||||
|
@@ -13,6 +13,23 @@
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/** \ingroup rpmfi
|
||||||
|
+ * Callback on file iterator directory changes
|
||||||
|
+ * @param fi file info
|
||||||
|
+ * @param data caller private callback data
|
||||||
|
+ * @return 0 on success, < 0 on error (to stop iteration)
|
||||||
|
+ */
|
||||||
|
+typedef int (*rpmfiChdirCb)(rpmfi fi, void *data);
|
||||||
|
+
|
||||||
|
+/** \ingroup rpmfi
|
||||||
|
+ * Set a callback for directory changes during iteration.
|
||||||
|
+ * @param fi file info
|
||||||
|
+ * @param cb callback function
|
||||||
|
+ * @param data caller private callback data
|
||||||
|
+ * @return string pool handle (weak reference)
|
||||||
|
+ */
|
||||||
|
+int rpmfiSetOnChdir(rpmfi fi, rpmfiChdirCb cb, void *data);
|
||||||
|
+
|
||||||
|
/** \ingroup rpmfi
|
||||||
|
* Return file info set string pool handle
|
||||||
|
* @param fi file info
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
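Review bot: The Doxygen block added for rpmfiSetOnChdir() in lib/rpmfi_internal.h ends with `@return string pool handle (weak reference)`, copied from the neighbouring rpmfiPool() comment, while the implementation in lib/rpmfi.c returns 0 on success and -1 when fi is NULL; it should read `* @return 0 on success, -1 if fi is NULL`. In rpmfiSetFX() the pre-move `i = fi->i;` has become dead code, because the added post-move `i = fi->i;` overwrites it before any return, so dropping the first assignment would make the contract ("new index, or the callback's negative status") visible at a glance. The rpmfiChdirCb comment would also benefit from stating that fi->i and fi->j already point at the new entry when the callback runs and that a negative return is propagated as rpmfiSetFX()'s result while the iterator stays positioned there; rpmfiSetFX()'s signature is outside the hunk.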
@ -0,0 +1,30 @@
|
|||||||
|
From 6c66abd34cccbb5b3c063f8f613e0c2faffc415f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Wed, 13 Dec 2023 11:57:50 +0200
|
||||||
|
Subject: [PATCH] Don't warn about missing user/group on skipped files
|
||||||
|
|
||||||
|
There's no reason to complain about missing user/group for entities
|
||||||
|
we don't create at all. It's cosmetical only, but "regressed" in the
|
||||||
|
4.17 fsm robustness rewrite.
|
||||||
|
|
||||||
|
Reported in https://issues.redhat.com/browse/RHEL-18037
|
||||||
|
---
|
||||||
|
lib/fsm.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/fsm.c b/lib/fsm.c
|
||||||
|
index 2189bd84c..a54e43bae 100644
|
||||||
|
--- a/lib/fsm.c
|
||||||
|
+++ b/lib/fsm.c
|
||||||
|
@@ -903,7 +903,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
|
||||||
|
fp->fpath = fsmFsPath(fi, fp->suffix);
|
||||||
|
|
||||||
|
/* Remap file perms, owner, and group. */
|
||||||
|
- rc = rpmfiStat(fi, 1, &fp->sb);
|
||||||
|
+ rc = rpmfiStat(fi, (fp->skip == 0), &fp->sb);
|
||||||
|
|
||||||
|
/* Hardlinks are tricky and handled elsewhere for install */
|
||||||
|
fp->setmeta = (fp->skip == 0) &&
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
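Review bot: The new second argument to rpmfiStat() is a bare boolean expression whose meaning is only explained by the commit message, so a comment on the call such as `/* don't warn about unknown user/group for files we will not create */` would keep the intent next to the code. I am inferring the parameter's role from the commit message, not from a visible prototype; confirm against rpmfiStat()'s declaration. fp->skip is read again a few lines below for fp->setmeta, so it is presumably already computed at this point, but that assignment is outside the hunk, as is the rest of rpmPackageFilesInstall().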
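--- a/SOURCES/0001-Eliminate-code-duplication-from-rpmfiNext.patch
+++ b/SOURCES/0001-Eliminate-code-duplication-from-rpmfiNext.patch
@@ -0,0 +1,35 @@
+From 0bc13d75b5883ccf4d6579f7a60fb1badd104649 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 10 Feb 2022 10:23:22 +0200
+Subject: [PATCH] Eliminate code duplication from rpmfiNext()
+
+Now that we can, let rpmfiSetFX() take care of the details.
+---
+lib/rpmfi.c | 11 ++---------
+1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/lib/rpmfi.c b/lib/rpmfi.c
+index 689ead2c5..aec8220a3 100644
+--- a/lib/rpmfi.c
++++ b/lib/rpmfi.c
+@@ -856,15 +856,8 @@ int rpmfiNext(rpmfi fi)
+next = fi->next(fi);
+} while (next == RPMERR_ITER_SKIP);
+
+- if (next >= 0 && next < rpmfilesFC(fi->files)) {
+- fi->i = next;
+- fi->j = rpmfilesDI(fi->files, fi->i);
+- } else {
+- fi->i = -1;
+- if (next >= 0) {
+- next = -1;
+- }
+- }
++ if (next >= 0)
++ next = rpmfiSetFX(fi, next);
+}
+return next;
+}
+--
+2.41.0
+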
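Review bot: With this patch applied on its own, rpmfiNext() returns the index before the move rather than the new one: the rpmfiSetFX() it now delegates to still does `i = fi->i;` before `fi->i = fx;` (visible as context in the Add-optional-callback patch on this page), so `next = rpmfiSetFX(fi, next);` yields the previous position until that later patch adds the post-move `i = fi->i;`. The spec orders them Patch169 (this one) then Patch170, which leaves a broken intermediate tree; swapping the two, or folding that one-line fix into this patch, keeps each step correct. A smaller behaviour change is also worth a sentence in the commit message: the removed else-branch reset `fi->i = -1` when iteration ran past the end, whereas rpmfiSetFX() leaves fi->i untouched for an out-of-range index, so rpmfiFX() after a completed loop now reports the last valid index instead of -1. rpmfiNext()'s body begins outside the hunk.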
@ -0,0 +1,66 @@
|
|||||||
|
From c140768202e271b60910644c1e4bf848a50218d3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Mon, 27 Nov 2023 11:52:34 +0200
|
||||||
|
Subject: [PATCH] Emit full paths for file disposition diagnostics on
|
||||||
|
--fsmdebug
|
||||||
|
|
||||||
|
The full path is visible in the actual file operations later, but the
|
||||||
|
pre-flight disposition diagnostics is unreadable without the full path.
|
||||||
|
This regressed in the switch to relative paths for the *at() API family
|
||||||
|
for the symlink CVE fixes.
|
||||||
|
---
|
||||||
|
lib/fsm.c | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/fsm.c b/lib/fsm.c
|
||||||
|
index 091e90554..fcd764648 100644
|
||||||
|
--- a/lib/fsm.c
|
||||||
|
+++ b/lib/fsm.c
|
||||||
|
@@ -482,14 +482,14 @@ static void removeSBITS(int dirfd, const char *path)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void fsmDebug(const char *fpath, rpmFileAction action,
|
||||||
|
+static void fsmDebug(const char *dn, const char *fpath, rpmFileAction action,
|
||||||
|
const struct stat *st)
|
||||||
|
{
|
||||||
|
- rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s\n",
|
||||||
|
+ rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s%s\n",
|
||||||
|
fileActionString(action), (int)st->st_mode,
|
||||||
|
(int)st->st_nlink, (int)st->st_uid,
|
||||||
|
(int)st->st_gid, (int)st->st_size,
|
||||||
|
- (fpath ? fpath : ""));
|
||||||
|
+ (dn ? dn : ""), (fpath ? fpath : ""));
|
||||||
|
}
|
||||||
|
|
||||||
|
static int fsmSymlink(const char *opath, int dirfd, const char *path)
|
||||||
|
@@ -910,7 +910,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
|
||||||
|
(fp->sb.st_nlink == 1 || fp->action == FA_TOUCH);
|
||||||
|
|
||||||
|
setFileState(fs, fx);
|
||||||
|
- fsmDebug(fp->fpath, fp->action, &fp->sb);
|
||||||
|
+ fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
|
||||||
|
|
||||||
|
fp->stage = FILE_PRE;
|
||||||
|
}
|
||||||
|
@@ -975,7 +975,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
|
||||||
|
rpmlog(RPMLOG_DEBUG, "file %s vanished unexpectedly\n",
|
||||||
|
fp->fpath);
|
||||||
|
fp->action = FA_CREATE;
|
||||||
|
- fsmDebug(fp->fpath, fp->action, &fp->sb);
|
||||||
|
+ fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* When touching we don't need any of this... */
|
||||||
|
@@ -1138,7 +1138,7 @@ int rpmPackageFilesRemove(rpmts ts, rpmte te, rpmfiles files,
|
||||||
|
|
||||||
|
rc = fsmStat(di.dirfd, fp->fpath, 1, &fp->sb);
|
||||||
|
|
||||||
|
- fsmDebug(fp->fpath, fp->action, &fp->sb);
|
||||||
|
+ fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
|
||||||
|
|
||||||
|
/* Run fsm file pre hook for all plugins */
|
||||||
|
rc = rpmpluginsCallFsmFilePre(plugins, fi, fp->fpath,
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
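Review bot: All three fsmDebug() call sites now spell out `rpmfiDN(fi), fp->fpath`; since each site already has fi in hand, passing `fi` to fsmDebug() and resolving the directory inside it (`static void fsmDebug(rpmfi fi, const char *fpath, rpmFileAction action, const struct stat *st)` with `const char *dn = rpmfiDN(fi);` as its first line) would keep the call sites from drifting as further ones are added. The `(dn ? dn : "")` guard is the right thing to do given `%s` with a NULL pointer is undefined behaviour; the same rpmfiDN() value is printed unguarded in the Print-full-path-if-file-removal-fails patch on this page. The bodies of rpmPackageFilesInstall() and rpmPackageFilesRemove() lie outside the hunks.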
@ -0,0 +1,46 @@
|
|||||||
|
From 89ce4e7ca592f5abafc3f25aeaa07d36a7b43a61 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Tue, 14 Nov 2023 11:37:48 +0200
|
||||||
|
Subject: [PATCH] Fix wrong return code on O_DIRECTORY open of invalid symlink
|
||||||
|
|
||||||
|
The dir argument to fsmOpenpath() is supposed to be a rough O_DIRECTORY
|
||||||
|
equivalent, and if the path is actually a misowned symlink it should
|
||||||
|
return ENOTDIR instead of ELOOP. Makes the resulting error messages
|
||||||
|
at least a little more comprehensible.
|
||||||
|
---
|
||||||
|
lib/fsm.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/fsm.c b/lib/fsm.c
|
||||||
|
index 51f439ef3..091e90554 100644
|
||||||
|
--- a/lib/fsm.c
|
||||||
|
+++ b/lib/fsm.c
|
||||||
|
@@ -304,6 +304,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
|
||||||
|
struct stat lsb, sb;
|
||||||
|
int sflags = flags | O_NOFOLLOW;
|
||||||
|
int fd = openat(dirfd, path, sflags);
|
||||||
|
+ int ffd = fd;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Only ever follow symlinks by root or target owner. Since we can't
|
||||||
|
@@ -312,7 +313,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
|
||||||
|
* it could've only been the link owner or root.
|
||||||
|
*/
|
||||||
|
if (fd < 0 && errno == ELOOP && flags != sflags) {
|
||||||
|
- int ffd = openat(dirfd, path, flags);
|
||||||
|
+ ffd = openat(dirfd, path, flags);
|
||||||
|
if (ffd >= 0) {
|
||||||
|
if (fstatat(dirfd, path, &lsb, AT_SYMLINK_NOFOLLOW) == 0) {
|
||||||
|
if (fstat(ffd, &sb) == 0) {
|
||||||
|
@@ -327,7 +328,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* O_DIRECTORY equivalent */
|
||||||
|
- if (dir && fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)) {
|
||||||
|
+ if (dir && ((fd != ffd) || (fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)))) {
|
||||||
|
errno = ENOTDIR;
|
||||||
|
fsmClose(&fd);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
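Review bot: The new `(fd != ffd)` clause on the O_DIRECTORY line encodes "the symlink-follow path ran" without saying so, and its correctness depends on how fd and ffd are reconciled between the second and third hunks, which is outside this view: if the follow is accepted and fd is presumably set to ffd the two compare equal and the fstat() clause applies, while if it is refused ffd holds a descriptor number that has presumably been closed and fd is still negative. A comment above the condition, e.g. `/* fd != ffd: path was a symlink we refused to follow; never a directory here */`, and a named local `int refused_link = (fd != ffd);` would make the intent reviewable without re-deriving it. It is also worth noting in that comment that errno is deliberately overwritten with ENOTDIR even when fd is already negative, since that ELOOP-to-ENOTDIR mapping is the point of the change. fsmOpenat()'s body continues outside the hunks.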
@ -0,0 +1,153 @@
|
|||||||
|
From ac7b0dbd5a18d2c57a942ca14ac856b8047425ff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Tue, 15 Feb 2022 10:43:13 +0200
|
||||||
|
Subject: [PATCH] Pass file descriptor to file prepare plugin hook, use when
|
||||||
|
possible
|
||||||
|
|
||||||
|
Sadly the thing that allegedly makes things better mostly just makes
|
||||||
|
things more complicated as symlinks can't be opened, so we'll now have
|
||||||
|
to deal with both cases in plugins too. To make matters worse, most
|
||||||
|
APIs out there support either an fd or a path, but very few support
|
||||||
|
the *at() style dirfd + basename approach so plugins are stuck with
|
||||||
|
absolute paths for now.
|
||||||
|
|
||||||
|
This is of course a plugin API/ABI change too.
|
||||||
|
---
|
||||||
|
lib/rpmplugin.h | 2 +-
|
||||||
|
lib/rpmplugins.c | 4 ++--
|
||||||
|
lib/rpmplugins.h | 3 ++-
|
||||||
|
plugins/ima.c | 9 +++++++--
|
||||||
|
plugins/selinux.c | 13 ++++++++-----
|
||||||
|
5 files changed, 20 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
|
||||||
|
index fd81aec8d..fab4b3e83 100644
|
||||||
|
--- a/lib/rpmplugin.h
|
||||||
|
+++ b/lib/rpmplugin.h
|
||||||
|
@@ -57,7 +57,7 @@ typedef rpmRC (*plugin_fsm_file_post_func)(rpmPlugin plugin, rpmfi fi,
|
||||||
|
const char* path, mode_t file_mode,
|
||||||
|
rpmFsmOp op, int res);
|
||||||
|
typedef rpmRC (*plugin_fsm_file_prepare_func)(rpmPlugin plugin, rpmfi fi,
|
||||||
|
- const char* path,
|
||||||
|
+ int fd, const char* path,
|
||||||
|
const char *dest,
|
||||||
|
mode_t file_mode, rpmFsmOp op);
|
||||||
|
|
||||||
|
diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
|
||||||
|
index 65e684e84..923084b78 100644
|
||||||
|
--- a/lib/rpmplugins.c
|
||||||
|
+++ b/lib/rpmplugins.c
|
||||||
|
@@ -384,7 +384,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
|
||||||
|
}
|
||||||
|
|
||||||
|
rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
||||||
|
- const char *path, const char *dest,
|
||||||
|
+ int fd, const char *path, const char *dest,
|
||||||
|
mode_t file_mode, rpmFsmOp op)
|
||||||
|
{
|
||||||
|
plugin_fsm_file_prepare_func hookFunc;
|
||||||
|
@@ -394,7 +394,7 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
||||||
|
for (i = 0; i < plugins->count; i++) {
|
||||||
|
rpmPlugin plugin = plugins->plugins[i];
|
||||||
|
RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
|
||||||
|
- if (hookFunc && hookFunc(plugin, fi, path, dest, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
+ if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
|
||||||
|
rc = RPMRC_FAIL;
|
||||||
|
}
|
||||||
|
diff --git a/lib/rpmplugins.h b/lib/rpmplugins.h
|
||||||
|
index 39762c376..ddf5d7048 100644
|
||||||
|
--- a/lib/rpmplugins.h
|
||||||
|
+++ b/lib/rpmplugins.h
|
||||||
|
@@ -156,6 +156,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
|
||||||
|
* permissions etc, but before committing file to destination path.
|
||||||
|
* @param plugins plugins structure
|
||||||
|
* @param fi file info iterator (or NULL)
|
||||||
|
+ * @param fd file descriptor (or -1 if not available)
|
||||||
|
* @param path file object current path
|
||||||
|
* @param dest file object destination path
|
||||||
|
* @param mode file object mode
|
||||||
|
@@ -164,7 +165,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
|
||||||
|
*/
|
||||||
|
RPM_GNUC_INTERNAL
|
||||||
|
rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
||||||
|
- const char *path, const char *dest,
|
||||||
|
+ int fd, const char *path, const char *dest,
|
||||||
|
mode_t mode, rpmFsmOp op);
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
|
||||||
|
index 7ac44f0d0..1ff50c30f 100644
|
||||||
|
--- a/plugins/fapolicyd.c
|
||||||
|
+++ b/plugins/fapolicyd.c
|
||||||
|
@@ -145,7 +145,8 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
|
||||||
|
}
|
||||||
|
|
||||||
|
static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
||||||
|
- const char *path, const char *dest,
|
||||||
|
+ int fd, const char *path,
|
||||||
|
+ const char *dest,
|
||||||
|
mode_t file_mode, rpmFsmOp op)
|
||||||
|
{
|
||||||
|
/* not ready */
|
||||||
|
--- a/plugins/ima.c 2020-04-28 14:50:11.835399269 +0200
|
||||||
|
+++ b/plugins/ima.c 2023-12-13 11:19:58.835948660 +0100
|
||||||
|
@@ -39,7 +39,7 @@
|
||||||
|
return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
||||||
|
+static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
|
||||||
|
const char *path,
|
||||||
|
const char *dest,
|
||||||
|
mode_t file_mode, rpmFsmOp op)
|
||||||
|
@@ -63,8 +63,14 @@
|
||||||
|
|
||||||
|
fsig = rpmfiFSignature(fi, &len);
|
||||||
|
if (fsig && (check_zero_hdr(fsig, len) == 0)) {
|
||||||
|
- if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
|
||||||
|
- rpmlog(RPMLOG_ERR,
|
||||||
|
+ int xx;
|
||||||
|
+ if (fd >= 0)
|
||||||
|
+ xx = fsetxattr(fd, XATTR_NAME_IMA, fsig, len, 0);
|
||||||
|
+ else
|
||||||
|
+ xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
|
||||||
|
+ if (xx < 0) {
|
||||||
|
+ int is_err = errno != EOPNOTSUPP;
|
||||||
|
+ rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
|
||||||
|
"ima: could not apply signature on '%s': %s\n",
|
||||||
|
path, strerror(errno));
|
||||||
|
rc = RPMRC_FAIL;
|
||||||
|
--- a/plugins/selinux.c 2023-12-13 11:21:54.935009141 +0100
|
||||||
|
+++ b/plugins/selinux.c 2023-12-13 11:22:23.172510285 +0100
|
||||||
|
@@ -149,7 +149,7 @@
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
||||||
|
+static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
|
||||||
|
const char *path, const char *dest,
|
||||||
|
mode_t file_mode, rpmFsmOp op)
|
||||||
|
{
|
||||||
|
@@ -159,14 +159,17 @@
|
||||||
|
if (sehandle && !XFA_SKIPPING(action)) {
|
||||||
|
security_context_t scon = NULL;
|
||||||
|
if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
|
||||||
|
- int conrc = lsetfilecon(path, scon);
|
||||||
|
+ int conrc;
|
||||||
|
+ if (fd >= 0)
|
||||||
|
+ conrc = fsetfilecon(fd, scon);
|
||||||
|
+ else
|
||||||
|
+ conrc = lsetfilecon(path, scon);
|
||||||
|
|
||||||
|
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
|
||||||
|
rc = RPMRC_OK;
|
||||||
|
|
||||||
|
- rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG,
|
||||||
|
- "lsetfilecon: (%s, %s) %s\n",
|
||||||
|
- path, scon, (conrc < 0 ? strerror(errno) : ""));
|
||||||
|
+ rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG, "lsetfilecon: (%d %s, %s) %s\n",
|
||||||
|
+ fd, path, scon, (conrc < 0 ? strerror(errno) : ""));
|
||||||
|
|
||||||
|
freecon(scon);
|
||||||
|
} else {
|
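Review bot: In plugins/ima.c the EOPNOTSUPP case is logged at RPMLOG_DEBUG via `is_err`, but the unchanged `rc = RPMRC_FAIL;` two lines further down still fails the hook, so rpmpluginsCallFsmFilePrepare() will log "hook fsm_file_prepare failed" at error level and return RPMRC_FAIL for a filesystem that merely lacks xattr support; the selinux plugin in the same patch treats EOPNOTSUPP as RPMRC_OK, and ima should match with `if (is_err) rc = RPMRC_FAIL;` (assuming rc is not adjusted later, outside the hunk). In plugins/selinux.c the log line still reads `lsetfilecon:` when fsetfilecon() was used; `"%s: (%d %s, %s) %s\n"` with `fd >= 0 ? "fsetfilecon" : "lsetfilecon"` as the first argument keeps the diagnostic honest. The diffstat lists five files but the patch also touches plugins/fapolicyd.c, and the ima.c/selinux.c hunks use timestamped non-git headers with bare `@@` lines, so the patch should be regenerated with git format-patch so that the stat and headers agree.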
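--- a/SOURCES/0001-Print-full-path-if-file-removal-fails.patch
+++ b/SOURCES/0001-Print-full-path-if-file-removal-fails.patch
@@ -0,0 +1,32 @@
+From f1503ab6e898430b80017c0f8347860f3a74d5bb Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Mon, 11 Dec 2023 15:50:15 +0100
+Subject: [PATCH] Print full path if file removal fails
+
+For normal debug output the basename of the files are sufficient as when
+debugging is enabled the directories are also printed. But here the
+warning is given without a debug flag so we need the full context right
+there.
+---
+lib/fsm.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index fcd764648..2189bd84c 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -1174,9 +1174,9 @@ int rpmPackageFilesRemove(rpmts ts, rpmte te, rpmfiles files,
+
+if (rc) {
+int lvl = strict_erasures ? RPMLOG_ERR : RPMLOG_WARNING;
+- rpmlog(lvl, _("%s %s: remove failed: %s\n"),
++ rpmlog(lvl, _("%s %s%s: remove failed: %s\n"),
+S_ISDIR(fp->sb.st_mode) ? _("directory") : _("file"),
+- fp->fpath, strerror(errno));
++ rpmfiDN(fi), fp->fpath, strerror(errno));
+}
+}
+
+--
+2.43.0
+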
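Review bot: rpmfiDN(fi) is passed straight to a `%s` conversion in the new warning, while fsmDebug() (changed by the Emit-full-paths patch on this page) guards the same value with `(dn ? dn : "")`; printing a NULL pointer through `%s` is undefined behaviour, so this site should guard too, e.g. `const char *dn = rpmfiDN(fi);` before the call and `dn ? dn : "", fp->fpath, strerror(errno));` in the argument list. Hoisting it into a local also removes a new hazard: rpmfiDN() is now a function call evaluated in the same argument list as strerror(errno), so if it can touch errno the reported reason may be wrong — capture errno before the rpmlog() call if that is possible (I cannot see rpmfiDN() from here). The `%s%s` concatenation assumes rpmfiDN() returns a directory with a trailing slash, which fsmDebug() assumes in the same way; a one-line comment stating that would help. rpmPackageFilesRemove() continues outside the hunk.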
@ -0,0 +1,90 @@
|
|||||||
|
From 6dd62720fe84f7e2ad902c915b952fc0b29e3dcd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Tue, 15 Feb 2022 11:34:37 +0200
|
||||||
|
Subject: [PATCH] Swap over to dirfd+basename based operation within the fsm
|
||||||
|
|
||||||
|
Within fsm this is just a matter of adjusting error messages to include
|
||||||
|
the directory... if it only wasn't for the plugins requiring absolute
|
||||||
|
paths for outside users. For the plugins, we need to assemble absolute
|
||||||
|
paths as needed, both in ensureDir() and plugin file slots.
|
||||||
|
---
|
||||||
|
lib/rpmplugins.c | 20 +++++++++++++++++---
|
||||||
|
2 files changed, 36 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
|
||||||
|
index 703368c0d..f06fd7895 100644
|
||||||
|
--- a/lib/rpmplugins.c
|
||||||
|
+++ b/lib/rpmplugins.c
|
||||||
|
@@ -350,21 +350,31 @@ rpmRC rpmpluginsCallScriptletPost(rpmPlugins plugins, const char *s_name, int ty
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static char *abspath(rpmfi fi, const char *path)
|
||||||
|
+{
|
||||||
|
+ if (*path == '/')
|
||||||
|
+ return xstrdup(path);
|
||||||
|
+ else
|
||||||
|
+ return rstrscat(NULL, rpmfiDN(fi), path, NULL);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
rpmRC rpmpluginsCallFsmFilePre(rpmPlugins plugins, rpmfi fi, const char *path,
|
||||||
|
mode_t file_mode, rpmFsmOp op)
|
||||||
|
{
|
||||||
|
plugin_fsm_file_pre_func hookFunc;
|
||||||
|
int i;
|
||||||
|
rpmRC rc = RPMRC_OK;
|
||||||
|
+ char *apath = abspath(fi, path);
|
||||||
|
|
||||||
|
for (i = 0; i < plugins->count; i++) {
|
||||||
|
rpmPlugin plugin = plugins->plugins[i];
|
||||||
|
RPMPLUGINS_SET_HOOK_FUNC(fsm_file_pre);
|
||||||
|
- if (hookFunc && hookFunc(plugin, fi, path, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
+ if (hookFunc && hookFunc(plugin, fi, apath, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_pre failed\n", plugin->name);
|
||||||
|
rc = RPMRC_FAIL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free(apath);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
@@ -375,14 +385,16 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
|
||||||
|
plugin_fsm_file_post_func hookFunc;
|
||||||
|
int i;
|
||||||
|
rpmRC rc = RPMRC_OK;
|
||||||
|
+ char *apath = abspath(fi, path);
|
||||||
|
|
||||||
|
for (i = 0; i < plugins->count; i++) {
|
||||||
|
rpmPlugin plugin = plugins->plugins[i];
|
||||||
|
RPMPLUGINS_SET_HOOK_FUNC(fsm_file_post);
|
||||||
|
- if (hookFunc && hookFunc(plugin, fi, path, file_mode, op, res) == RPMRC_FAIL) {
|
||||||
|
+ if (hookFunc && hookFunc(plugin, fi, apath, file_mode, op, res) == RPMRC_FAIL) {
|
||||||
|
rpmlog(RPMLOG_WARNING, "Plugin %s: hook fsm_file_post failed\n", plugin->name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free(apath);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
@@ -394,15 +406,17 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
|
||||||
|
plugin_fsm_file_prepare_func hookFunc;
|
||||||
|
int i;
|
||||||
|
rpmRC rc = RPMRC_OK;
|
||||||
|
+ char *apath = abspath(fi, path);
|
||||||
|
|
||||||
|
for (i = 0; i < plugins->count; i++) {
|
||||||
|
rpmPlugin plugin = plugins->plugins[i];
|
||||||
|
RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
|
||||||
|
- if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
+ if (hookFunc && hookFunc(plugin, fi, fd, apath, dest, file_mode, op) == RPMRC_FAIL) {
|
||||||
|
rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
|
||||||
|
rc = RPMRC_FAIL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free(apath);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
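Review bot: abspath() dereferences `path` and calls rpmfiDN(fi) unconditionally, while the prepare hook's own documentation (`@param fi file info iterator (or NULL)` in the Pass-file-descriptor patch on this page) allows a NULL fi; what rstrscat() does with a NULL directory string is not visible from here. A guard such as `const char *dn = fi ? rpmfiDN(fi) : NULL;` followed by `return (dn && *path != '/') ? rstrscat(NULL, dn, path, NULL) : xstrdup(path);` keeps the absolute-path contract without depending on that, and a one-line comment that the result is malloc'd and owned by the caller documents why each wrapper ends with `free(apath);`. The diffstat says `2 files changed, 36 insertions(+), 14 deletions(-)` but only lib/rpmplugins.c follows, so the second file (presumably lib/fsm.c, given the subject) was dropped when the patch was trimmed and the stat should be regenerated to match what is applied.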
1654
SOURCES/0001-Use-file-state-machine-from-rpm-4.19.patch
Normal file
1654
SOURCES/0001-Use-file-state-machine-from-rpm-4.19.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From acbf558c486ee3518aca74045504f05872da4a58 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Tue, 26 Sep 2023 13:14:44 +0200
|
||||||
|
Subject: [PATCH] brp-python-bytecompile compatibility with newer pythons
|
||||||
|
|
||||||
|
---
|
||||||
|
scripts/brp-python-bytecompile | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/scripts/brp-python-bytecompile b/scripts/brp-python-bytecompile
|
||||||
|
index 4a9b49e..472bf10 100644
|
||||||
|
--- a/scripts/brp-python-bytecompile
|
||||||
|
+++ b/scripts/brp-python-bytecompile
|
||||||
|
@@ -58,7 +58,7 @@ EOF
|
||||||
|
# and below /usr/lib/python3.1/, we're targeting /usr/bin/python3.1
|
||||||
|
|
||||||
|
shopt -s nullglob
|
||||||
|
-for python_libdir in `find "$RPM_BUILD_ROOT" -type d|grep -E "/usr/lib(64)?/python[0-9]\.[0-9]$"`;
|
||||||
|
+for python_libdir in `find "$RPM_BUILD_ROOT" -type d|grep -E "/usr/lib(64)?/python[0-9]\.[0-9]+$"`;
|
||||||
|
do
|
||||||
|
python_binary=/usr/bin/$(basename $python_libdir)
|
||||||
|
if [ "$python_binary" = "/usr/bin/python3.6" ]; then
|
||||||
|
@@ -97,17 +97,17 @@ fi
|
||||||
|
|
||||||
|
# Figure out if there are files to be bytecompiled with the default_python at all
|
||||||
|
# this prevents unnecessary default_python invocation
|
||||||
|
-find "$RPM_BUILD_ROOT" -type f -name "*.py" | grep -Ev "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" || exit 0
|
||||||
|
+find "$RPM_BUILD_ROOT" -type f -name "*.py" | grep -Ev "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" || exit 0
|
||||||
|
|
||||||
|
# Generate normal (.pyc) byte-compiled files.
|
||||||
|
-python_bytecompile "" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
|
||||||
|
+python_bytecompile "" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
|
||||||
|
if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
|
||||||
|
# One or more of the files had a syntax error
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Generate optimized (.pyo) byte-compiled files.
|
||||||
|
-python_bytecompile "-O" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
|
||||||
|
+python_bytecompile "-O" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
|
||||||
|
if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
|
||||||
|
# One or more of the files had a syntax error
|
||||||
|
exit 1
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
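Review bot: The library-directory pattern `/usr/lib(64)?/python[0-9]\.[0-9]+` is now spelled out four times (the find/grep loop and the three grep and python_bytecompile filters), and this commit had to touch all four; defining it once, e.g. `python_libdir_re='/usr/lib(64)?/python[0-9]\.[0-9]+'` near the top, then `"${python_libdir_re}\$"` in the find loop and `"/bin/|/sbin/|${python_libdir_re}|/usr/share/doc"` in the three filters, removes the chance of the next version bump fixing only three of them. While there, `python_binary=/usr/bin/$(basename $python_libdir)` leaves the path unquoted; harmless for these names but `"$python_libdir"` is the safe form. The rest of the script lies outside the hunks.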
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
%global rpmver 4.14.3
|
%global rpmver 4.14.3
|
||||||
#global snapver rc2
|
#global snapver rc2
|
||||||
%global rel 26
|
%global rel 31
|
||||||
|
|
||||||
%global srcver %{version}%{?snapver:-%{snapver}}
|
%global srcver %{version}%{?snapver:-%{snapver}}
|
||||||
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
||||||
@ -119,6 +119,16 @@ Patch165: rpm-4.16.1.3-rpm2archive-error-handling.patch
|
|||||||
Patch166: rpm-4.14.3-rpm2archive-nocompression.patch
|
Patch166: rpm-4.14.3-rpm2archive-nocompression.patch
|
||||||
Patch167: rpm-4.14.3-rpm2archive-parse-popt-options.patch
|
Patch167: rpm-4.14.3-rpm2archive-parse-popt-options.patch
|
||||||
Patch168: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
|
Patch168: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
|
||||||
|
# Backport fsm to fix CVEs
|
||||||
|
Patch169: 0001-Eliminate-code-duplication-from-rpmfiNext.patch
|
||||||
|
Patch170: 0001-Add-optional-callback-on-directory-changes-during-rp.patch
|
||||||
|
Patch171: 0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch
|
||||||
|
Patch172: 0001-Swap-over-to-dirfd-basename-based-operation-within-t.patch
|
||||||
|
Patch173: 0001-Use-file-state-machine-from-rpm-4.19.patch
|
||||||
|
Patch174: 0001-Emit-full-paths-for-file-disposition-diagnostics-on-.patch
|
||||||
|
Patch175: 0001-Fix-wrong-return-code-on-O_DIRECTORY-open-of-invalid.patch
|
||||||
|
Patch176: 0001-Print-full-path-if-file-removal-fails.patch
|
||||||
|
Patch177: 0001-Don-t-warn-about-missing-user-group-on-skipped-files.patch
|
||||||
|
|
||||||
# Python 3 string API sanity
|
# Python 3 string API sanity
|
||||||
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
||||||
@ -150,6 +160,8 @@ Patch1000: disable-python-extra.patch
|
|||||||
Patch1001: compile-with-Platform-Python-binary-where-relevant.patch
|
Patch1001: compile-with-Platform-Python-binary-where-relevant.patch
|
||||||
# make unversioned %%__python an error unless explicitly overridden
|
# make unversioned %%__python an error unless explicitly overridden
|
||||||
Patch1002: rpm-4.14.2-unversioned-python.patch
|
Patch1002: rpm-4.14.2-unversioned-python.patch
|
||||||
|
# Make brp-python-bytecompile compatible with Python 3.10+
|
||||||
|
Patch1003: brp-python-bytecompile-compatibility-with-newer-pyth.patch
|
||||||
|
|
||||||
# Partially GPL/LGPL dual-licensed and some bits with BSD
|
# Partially GPL/LGPL dual-licensed and some bits with BSD
|
||||||
# SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
|
# SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
|
||||||
@ -699,7 +711,15 @@ make check || cat tests/rpmtests.log
|
|||||||
%doc doc/librpm/html/*
|
%doc doc/librpm/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.14.4-26
|
* Tue Dec 12 2023 Florian Festi <ffesti@redhat.com> - 4.14.3-31
|
||||||
|
- Backport file handling code from rpm-4.19 to fix CVE-2021-35937,
|
||||||
|
CVE-2021-35938 and CVE-2021-35939
|
||||||
|
|
||||||
|
* Tue Sep 26 2023 Lumír Balhar <lbalhar@redhat.com> - 4.14.3-27
|
||||||
|
- Make brp-python-bytecompile script compatible with Python 3.10+
|
||||||
|
Resolves: RHEL-6423
|
||||||
|
|
||||||
|
* Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.14.3-26
|
||||||
- Add --nocompression to rpm2archive (#2129345)
|
- Add --nocompression to rpm2archive (#2129345)
|
||||||
|
|
||||||
* Tue Sep 13 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-24
|
* Tue Sep 13 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-24
|
||||||
|