Fix-up IMA signature lengths patch

Related: #2018937
2021-12-13 16:06:19 +01:00 · 2021-12-13 16:06:19 +01:00 · 43a9b03766
commit 43a9b03766
parent e2e5e2b2d1
2 changed files with 48 additions and 24 deletions
--- a/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch
+++ b/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch
@ -1,4 +1,4 @@
-From 495f25f7198fb1e0163a7ae55de55576d9dc6fe5 Mon Sep 17 00:00:00 2001
+From 1f63621d098741158b5e1e7158cc570a415d88cd Mon Sep 17 00:00:00 2001
 From: Panu Matilainen <pmatilai@redhat.com>
 Date: Mon, 29 Nov 2021 14:01:39 +0200
 Subject: [PATCH] Fix IMA signature lengths assumed constant (#1833,
@ -22,20 +22,22 @@ not a lot to gain anyhow.

 Fixes: #1833

-Combined with 0c1ad364d65c4144ff71c376e0b49fbc322b686d and backported
-for 4.16.1.3.  Note that the test case has been removed due to it
-including a binary file (test package) for which we'd have to use -Sgit
-with %autopatch and thus depend on git-core at build time.
-Nevertheless, we do have this BZ covered in our internal test suite, so
-no need for it anyway.
+Backported for 4.16.1.3 and combined with:
+31e9daf823f7052135d1decc0802b6fa775a88c5 (fix-up)
+0c1ad364d65c4144ff71c376e0b49fbc322b686d (python bindings)
+
+Note that the test case has been removed due to it including a binary
+file (test package) for which we'd have to use -Sgit with %autopatch and
+thus depend on git-core at build time.  Nevertheless, we do have this BZ
+covered in our internal test suite, so no need for it anyway.
 ---
- lib/rpmfi.c          | 43 ++++++++++++++++++++++++++++++++++---------
- python/rpmfiles-py.c | 18 ++++++++++++++++++
- sign/rpmsignfiles.c  |  5 ++++-
- 3 files changed, 56 insertions(+), 10 deletions(-)
+ lib/rpmfi.c          | 59 +++++++++++++++++++++++++++++++++-----------
+ python/rpmfiles-py.c | 18 ++++++++++++++
+ sign/rpmsignfiles.c  |  5 +++-
+ 3 files changed, 67 insertions(+), 15 deletions(-)

 diff --git a/lib/rpmfi.c b/lib/rpmfi.c
-index af428468c..0878d78f2 100644
+index af428468c..ed8927fd5 100644
 --- a/lib/rpmfi.c
 +++ b/lib/rpmfi.c
@@ -115,7 +115,8 @@ struct rpmfiles_s {
@ -43,7 +45,7 @@ index af428468c..0878d78f2 100644
 
     int digestalgo;		/*!< File digest algorithm */
 -    int signaturelength;	/*!< File signature length */
-+    int *signaturelengths;	/*!< File signature length */
+    int *signaturelengths;	/*!< File signature lengths */
 +    int signaturemaxlen;	/*!< Largest file signature length */
     unsigned char * digests;	/*!< File digests in binary. */
     unsigned char * signatures; /*!< File signatures in binary. */
@ -56,7 +58,7 @@ index af428468c..0878d78f2 100644
 +	    signature = fi->signatures + (fi->signaturemaxlen * ix);
 	if (len)
 -	    *len = fi->signaturelength;
-+	    *len = fi->signaturelengths[ix];
+	    *len = fi->signaturelengths ? fi->signaturelengths[ix] : 0;
     }
     return signature;
 }
@ -68,7 +70,7 @@ index af428468c..0878d78f2 100644
 	fi->fcaps = _free(fi->fcaps);
 
 	fi->cdict = _free(fi->cdict);
-@@ -1486,15 +1488,38 @@ err:
+@@ -1486,23 +1488,52 @@ err:
 }
 
 /* Convert a tag of hex strings to binary presentation */
@ -83,12 +85,13 @@ index af428468c..0878d78f2 100644
     if (headerGet(h, tag, &td, HEADERGET_MINMEM) && rpmtdCount(&td) == num) {
 -	uint8_t *t = bin = xmalloc(num * len);
 	const char *s;
- 
+	int maxl = 0;
+	int *lens = NULL;
+
 +	/* Figure string sizes + max length for allocation purposes */
 +	if (lengths) {
-+	    int maxl = 0;
-+	    int *lens = xmalloc(num * sizeof(*lens));
 +	    int i = 0;
+	    lens = xmalloc(num * sizeof(*lens));
 +
 +	    while ((s = rpmtdNextString(&td))) {
 +		lens[i] = strlen(s) / 2;
@ -99,17 +102,35 @@ index af428468c..0878d78f2 100644
 +
 +	    *lengths = lens;
 +	    *maxlen = maxl;
-+	    len = maxl;
 +
 +	    /* Reinitialize iterator for next round */
 +	    rpmtdInit(&td);
+	} else {
+	    maxl = len;
 +	}
-+
-+	uint8_t *t = bin = xmalloc(num * len);
+ 
+	uint8_t *t = bin = xmalloc(num * maxl);
+	int i = 0;
 	while ((s = rpmtdNextString(&td))) {
 	    if (*s == '\0') {
- 		memset(t, 0, len);
-@@ -1570,15 +1595,15 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
+-		memset(t, 0, len);
+-		t += len;
+-		continue;
+		memset(t, 0, maxl);
+	    } else {
+		if (lens)
+		    len = lens[i];
+		for (int j = 0; j < len; j++, s += 2)
+		    t[j] = (rnibble(s[0]) << 4) | rnibble(s[1]);
+ 	    }
+-	    for (int j = 0; j < len; j++, t++, s += 2)
+-		*t = (rnibble(s[0]) << 4) | rnibble(s[1]);
+	    t += maxl;
+	    i++;
+ 	}
+     }
+     rpmtdFreeData(&td);
+@@ -1570,15 +1601,15 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
     /* grab hex digests from header and store in binary format */
     if (!(flags & RPMFI_NOFILEDIGESTS)) {
 	size_t diglen = rpmDigestLength(fi->digestalgo);
--- a/rpm.spec
+++ b/rpm.spec
@ -32,7 +32,7 @@

 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 8
+%global rel 9
 %global sover 9

 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@ -606,6 +606,9 @@ fi
 %doc doc/librpm/html/*

 %changelog
+* Mon Dec 13 2021 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-9
+- Fix-up IMA signature lengths patch (#2018937)
+
 * Thu Dec 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-8
 - Support hash v8 databases from BDB < 4.6 (#1965147)
 - Ensure ELF files get stripped when debuginfo is disabled (#1999009)