- newer git snapshot to keep patch-count down

- fixes CVE-2012-0060, CVE-2012-0061 and CVE-2012-0815
- fix obsoletes in installing set getting matched on provides (#810077)
Panu Matilainen 2012-04-05 12:12:57 +03:00
parent 871a7817ae
commit 302bffb0be
10 changed files with 8 additions and 321 deletions

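--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /rpm-4.9.90.git11505.tar.bz2
+/rpm-4.9.90.git11519.tar.bz2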


@ -1,24 +0,0 @@
commit 2e5d83e3d1a27044ee59f13f66b06e9011d1ac9f
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Fri Mar 30 09:56:43 2012 +0300
Axe leftover CANONARCH assignment messing up our "base" archs (RhBug:808250)
- This should've been in commit 2a8d03669732f68f02fa7b21ec87ee3f65d11e5b,
the leftover CANONARCH resets the "base arch" we just set to a wrong
value.
(cherry picked from commit 7c39c65da4b1b012061ffbac179a650643d00ba9)
diff --git a/installplatform b/installplatform
index c56d5665..f7ae241 100755
--- a/installplatform
+++ b/installplatform
@@ -111,8 +111,6 @@ for ARCH in noarch `grep ^arch_canon $RPMRC | cut -d: -f2`; do
# skip architectures for which we dont have full config parameters
[ -z "$CANONARCH" ] && continue
- CANONARCH="`echo $ARCH|sed -e "$canonarch_sed"`"
-
if [ "$OS" = "linux" ] && [ "$CANONCOLOR" = 3 ]; then
LIB=${LIB}64
fi


@ -1,70 +0,0 @@
commit 0b8c3218027c99a6d92c2ca53fe7f42cf87f30a4
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Fri Mar 23 14:17:47 2012 +0200
Eliminate broken data end calculation in dataLength()
- If the caller doesn't know the end pointer, we dont have a whole lot
of chance to come up with a reasonable one either. Just assume
the terminating \0's are there when end boundary is not specified:
when this happens we're dealing with relatively "trusted" data
anyway, the more critical case of reading in unknown headers does
always pass end pointers.
- While capping the end pointer to HEADER_DATA_MAX seems like a
reasonable thing to do (as was done in commit
f79909d04e43cbfbbcdc588530a8c8033c5e0a7c), it doesn't really help
(bad data would likely run past bounds anyway), and it's not right
either: the pointer can be to a stack address, and the stack can be
near the top of addressable range, and ptr + HEADER_DATA_MAX can
cause pointer wraparound. Notably that's exactly what happens
when running 32bit personality process on 64bit system on Linux,
at least in case of i386 process on x86_64, causing all sorts of
breakage..
diff --git a/lib/header.c b/lib/header.c
index d741552..023c6e3 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -301,16 +301,27 @@ unsigned headerSizeof(Header h, int magicp)
return size;
}
-/* Bounded header string (array) size calculation, return -1 on error */
+/*
+ * Header string (array) size calculation, bounded if end is non-NULL.
+ * Return length (including \0 termination) on success, -1 on error.
+ */
static inline int strtaglen(const char *str, rpm_count_t c, const char *end)
{
const char *start = str;
const char *s;
- while ((s = memchr(start, '\0', end-start))) {
- if (--c == 0 || s > end)
- break;
- start = s + 1;
+ if (end) {
+ while ((s = memchr(start, '\0', end-start))) {
+ if (--c == 0 || s > end)
+ break;
+ start = s + 1;
+ }
+ } else {
+ while ((s = strchr(start, '\0'))) {
+ if (--c == 0)
+ break;
+ start = s + 1;
+ }
}
return (c > 0) ? -1 : (s - str + 1);
}
@@ -328,8 +339,7 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
int onDisk, rpm_constdata_t pend)
{
const char * s = p;
- /* Not all callers supply data end, avoid falling over edge of the world */
- const char * se = pend ? pend : s + HEADER_DATA_MAX;
+ const char * se = pend;
int length = 0;
switch (type) {


@ -1,67 +0,0 @@
commit dd05fdd35f680dfff606731a664859ae45762bb1
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Mon Mar 26 13:03:03 2012 +0300
Dont bother building internal versions of db utilities we dont need
- rpmdb_dump, load, recover, verify, stat etc are useful at times,
but these are not. This also fixes build with internal db for
more recent versions of Berkeley DB.
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 8c3b970..2245c19 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -82,29 +82,6 @@ CLEANFILES += $(libdb_la)
rpmlibexec_PROGRAMS =
-rpmlibexec_PROGRAMS += rpmdb_archive
-rpmdb_archive_SOURCES =
-rpmdb_archive_LDADD = \
- $(top_builddir)/db3/db_archive.o \
- $(top_builddir)/db3/util_sig.o \
- librpm.la
-
-rpmlibexec_PROGRAMS += rpmdb_checkpoint
-rpmdb_checkpoint_SOURCES =
-rpmdb_checkpoint_LDADD = \
- $(top_builddir)/db3/db_checkpoint.o \
- $(top_builddir)/db3/util_log.o \
- $(top_builddir)/db3/util_sig.o \
- librpm.la
-
-rpmlibexec_PROGRAMS += rpmdb_deadlock
-rpmdb_deadlock_SOURCES =
-rpmdb_deadlock_LDADD = \
- $(top_builddir)/db3/db_deadlock.o \
- $(top_builddir)/db3/util_log.o \
- $(top_builddir)/db3/util_sig.o \
- librpm.la
-
rpmlibexec_PROGRAMS += rpmdb_dump
rpmdb_dump_SOURCES =
rpmdb_dump_LDADD = \
@@ -121,22 +98,6 @@ rpmdb_load_LDADD = \
$(top_builddir)/db3/util_sig.o \
librpm.la
-rpmlibexec_PROGRAMS += rpmdb_printlog
-rpmdb_printlog_SOURCES =
-rpmdb_printlog_LDADD = \
- $(top_builddir)/db3/db_printlog.o \
- $(top_builddir)/db3/btree_autop.o \
- $(top_builddir)/db3/crdel_autop.o \
- $(top_builddir)/db3/db_autop.o \
- $(top_builddir)/db3/dbreg_autop.o \
- $(top_builddir)/db3/fileops_autop.o \
- $(top_builddir)/db3/hash_autop.o \
- $(top_builddir)/db3/qam_autop.o \
- $(top_builddir)/db3/rep_autop.o \
- $(top_builddir)/db3/txn_autop.o \
- $(top_builddir)/db3/util_sig.o \
- librpm.la
-
rpmlibexec_PROGRAMS += rpmdb_recover
rpmdb_recover_SOURCES =
rpmdb_recover_LDADD = \


@ -1,37 +0,0 @@
commit c5a140133505dbe3cf59c97bbf40c2f5526e5f5b
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Thu Mar 22 12:24:55 2012 +0200
Oops, "magic eight" is necessary here afterall
- Fix regression from commit 807b402d95702f3f91e9e2bfbd2b5ca8c9964ed9,
the array gets passed as a pointer (how else would it work at all),
so despite having seemingly correct type, sizeof(keyid) depends
on the pointer size. This happens to be 8 on x86_64 and friends
but breaks on eg i386.
- Also return the explicit size from pgpExtractPubkeyFingerprint(),
this has been "broken" for much longer but then all callers should
really care about is -1 for error.
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 4aac23d..e70cf70 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -757,7 +757,7 @@ static int getFingerprint(const uint8_t *h, size_t hlen, pgpKeyID_t keyid)
(void) rpmDigestFinal(ctx, (void **)&d, &dlen, 0);
if (d) {
- memcpy(keyid, (d + (dlen-sizeof(keyid))), sizeof(keyid));
+ memcpy(keyid, (d + (dlen-8)), 8);
free(d);
rc = 0;
}
@@ -787,7 +787,7 @@ int pgpExtractPubkeyFingerprint(const char * b64pkt, pgpKeyID_t keyid)
if (rpmBase64Decode(b64pkt, (void **)&pkt, &pktlen) == 0) {
if (pgpPubkeyFingerprint(pkt, pktlen, keyid) == 0) {
/* if there ever was a bizarre return code for success... */
- rc = sizeof(keyid);
+ rc = 8;
}
free(pkt);
}


@ -1,44 +0,0 @@
commit 9a2547ff49ae2fa9a4c9118e5472bba045379f3d
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Thu Mar 29 11:26:57 2012 +0300
Accept files as command line arguments again in rpmdeps (RhBug:807767)
- Commit a25c3c7bac95ab7eb55f0ecf0b8793d8da341611 removed what was
supposedly a non-supported method of passing files as arguments
(instead of the normal stdin method) to rpmdeps. Turns out
rpmdeps is even documented to take files as cli args, and that's
how Fedora's %filter_setup macros are calling it...
- Allow files as arguments again, but in a way that doesn't cause
argvFoo() vs popt crash-n-burn.
(cherry picked from commit fe252f21b370331016a952b085465cd97837aaef)
diff --git a/tools/rpmdeps.c b/tools/rpmdeps.c
index 6b0b527..c3112eb 100644
--- a/tools/rpmdeps.c
+++ b/tools/rpmdeps.c
@@ -60,11 +60,19 @@ main(int argc, char *argv[])
if (optCon == NULL)
goto exit;
- while (fgets(buf, sizeof(buf), stdin) != NULL) {
- char *be = buf + strlen(buf) - 1;
- while (strchr("\r\n", *be) != NULL)
- *be-- = '\0';
- argvAdd(&av, buf);
+ /* normally files get passed through stdin but also accept files as args */
+ if (poptPeekArg(optCon)) {
+ const char *arg;
+ while ((arg = poptGetArg(optCon)) != NULL) {
+ argvAdd(&av, arg);
+ }
+ } else {
+ while (fgets(buf, sizeof(buf), stdin) != NULL) {
+ char *be = buf + strlen(buf) - 1;
+ while (strchr("\r\n", *be) != NULL)
+ *be-- = '\0';
+ argvAdd(&av, buf);
+ }
}
/* Make sure file names are sorted. */
argvSort(av, NULL);


@ -1,34 +0,0 @@
commit 2f20f6e6b2cc6f26794678d1db16659c484a001c
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Wed Mar 21 09:07:21 2012 +0200
Transaction element file info can be legally NULL in some cases
- rpmteClose() will wipe out the file info to free memory, we only
should care whether we failed to (re)load the file info. This
thinko in commit 06a2f1269b035a3a76464149834f2a5a8c4e89f2
broke %posttrans scriptlets (and without commit
274dbf557d1cac90f7c278f9b6d6af05997d92df, %pretrans in other
circumstances), whoopsie *blush*. Now, off to write a test-case
for our scriptlet behavior...
diff --git a/lib/rpmte.c b/lib/rpmte.c
index 65e1e76..65d65af 100644
--- a/lib/rpmte.c
+++ b/lib/rpmte.c
@@ -693,11 +693,12 @@ static int rpmteOpen(rpmte te, int reload_fi)
}
if (h != NULL) {
if (reload_fi) {
+ /* This can fail if we get a different, bad header from callback */
te->fi = getFI(te, h);
+ rc = (te->fi != NULL);
+ } else {
+ rc = 1;
}
-
- /* This can fail if we get a different, bad header from callback */
- rc = (te->fi != NULL);
rpmteSetHeader(te, h);
headerFree(h);


@ -1,28 +0,0 @@
commit 274dbf557d1cac90f7c278f9b6d6af05997d92df
Author: Panu Matilainen <pmatilai@redhat.com>
Date: Tue Mar 20 16:32:54 2012 +0200
Don't free up file info sets on transaction test-runs, take II
- Despite commit cef18c94807af0935b7796c462aab8ed39f0f376, we'd still
end up freeing the file info sets via rpmteClose() while going
through the test-transaction packages. This together with commit
06a2f1269b035a3a76464149834f2a5a8c4e89f2 caused install failures
on packages which have %pretrans scriptlets, if a test-transaction
was first performed on the same transaction set that gets used
for the "real" transaction as well. How wonderfully obscure...
diff --git a/lib/rpmte.c b/lib/rpmte.c
index d1e4f87..65e1e76 100644
--- a/lib/rpmte.c
+++ b/lib/rpmte.c
@@ -917,7 +917,8 @@ int rpmteProcess(rpmte te, pkgGoal goal)
{
/* Only install/erase resets pkg file info */
int scriptstage = (goal != PKG_INSTALL && goal != PKG_ERASE);
- int reset_fi = (scriptstage == 0);
+ int test = (rpmtsFlags(te->ts) & RPMTRANS_FLAG_TEST);
+ int reset_fi = (scriptstage == 0 && test == 0);
int failed = 1;
/* Dont bother opening for elements without pre/posttrans scripts */


@ -12,7 +12,7 @@
%define rpmhome /usr/lib/rpm %define rpmhome /usr/lib/rpm
%define rpmver 4.9.90 %define rpmver 4.9.90
%define snapver git11505 %define snapver git11519
%define srcver %{rpmver}%{?snapver:.%{snapver}} %define srcver %{rpmver}%{?snapver:.%{snapver}}
%define bdbname libdb %define bdbname libdb
@ -46,13 +46,6 @@ Patch5: rpm-4.9.90-armhfp.patch
Patch6: rpm-4.9.0-armhfp-logic.patch Patch6: rpm-4.9.0-armhfp-logic.patch
# Patches already in upstream # Patches already in upstream
Patch200: rpm-4.9.90-rpmte-fileinfo.patch
Patch201: rpm-4.9.90-rpmte-fileinfo-2.patch
Patch202: rpm-4.9.90-keyid-size.patch
Patch203: rpm-4.9.90-header-datalength.patch
Patch204: rpm-4.9.90-rpmdeps-args.patch
Patch205: rpm-4.9.90-canonarch.patch
Patch206: rpm-4.9.90-int-libdb.patch
# These are not yet upstream # These are not yet upstream
Patch301: rpm-4.6.0-niagara.patch Patch301: rpm-4.6.0-niagara.patch
@ -222,14 +215,6 @@ packages on a system.
%patch3 -p1 -b .no-man-dirs %patch3 -p1 -b .no-man-dirs
%patch4 -p1 -b .use-gpg2 %patch4 -p1 -b .use-gpg2
%patch200 -p1 -b .rpmte-fileinfo
%patch201 -p1 -b .rpmte-fileinfo-2
%patch202 -p1 -b .keyid-size
%patch203 -p1 -b .header-datalength
%patch204 -p1 -b .rpmdeps-args
%patch205 -p1 -b .canonarch
%patch206 -p1 -b .int-libdb
%patch301 -p1 -b .niagara %patch301 -p1 -b .niagara
%patch302 -p1 -b .geode %patch302 -p1 -b .geode
%patch304 -p1 -b .ldflags %patch304 -p1 -b .ldflags
@ -455,6 +440,11 @@ exit 0
%doc COPYING doc/librpm/html/* %doc COPYING doc/librpm/html/*
%changelog %changelog
* Thu Apr 05 2012 Panu Matilainen <pmatilai@redhat.com> - 4.9.90-0.git11519.1
- newer git snapshot to keep patch-count down
- fixes CVE-2012-0060, CVE-2012-0061 and CVE-2012-0815
- fix obsoletes in installing set getting matched on provides (#810077)
* Wed Apr 04 2012 Jindrich Novy <jnovy@redhat.com> - 4.9.90-0.git11505.12 * Wed Apr 04 2012 Jindrich Novy <jnovy@redhat.com> - 4.9.90-0.git11505.12
- rebuild against new libdb - rebuild against new libdb
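Review bot: The changelog entry added at the end of this section is the only place the three CVE identifiers appear, and nothing in the spec ties them, or the seven dropped `Patch200`–`Patch206` entries, to specific upstream commits in the git11519 snapshot, so a later auditor cannot check from the packaging alone that the new tarball really carries every fix the removed patches provided. The removed patch files visible earlier on this page each name their upstream commit (e.g. the header dataLength() and keyid-size fixes), which is exactly the information lost once they are deleted. I would record the upstream commit IDs next to the CVE references, e.g. `- fixes CVE-2012-0060, CVE-2012-0061 and CVE-2012-0815 (upstream commits: <ids>)`, and add a one-line `# superseded by upstream <commit>` style note for the patches being dropped, so the security claim in the changelog is traceable rather than asserted.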


@ -1 +1 @@
9206167147441cda84a56c338de9ebaa rpm-4.9.90.git11505.tar.bz2 7e59625daeda485a9aef80c175712d1a rpm-4.9.90.git11519.tar.bz2