Fix issues with backported file handling

Resolves: RHEL-14598 RHEL-14599 RHEL-14600

0001-Emit-full-paths-for-file-disposition-diagnostics-on-.patch

@@ -0,0 +1,66 @@
+From c140768202e271b60910644c1e4bf848a50218d3 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 27 Nov 2023 11:52:34 +0200
+Subject: [PATCH] Emit full paths for file disposition diagnostics on
+ --fsmdebug
+
+The full path is visible in the actual file operations later, but the
+pre-flight disposition diagnostics is unreadable without the full path.
+This regressed in the switch to relative paths for the *at() API family
+for the symlink CVE fixes.
+---
+ lib/fsm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 091e90554..fcd764648 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -482,14 +482,14 @@ static void removeSBITS(int dirfd, const char *path)
+     }
+ }
+ 
+-static void fsmDebug(const char *fpath, rpmFileAction action,
++static void fsmDebug(const char *dn, const char *fpath, rpmFileAction action,
+ 		     const struct stat *st)
+ {
+-    rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s\n",
++    rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s%s\n",
+ 	   fileActionString(action), (int)st->st_mode,
+ 	   (int)st->st_nlink, (int)st->st_uid,
+ 	   (int)st->st_gid, (int)st->st_size,
+-	    (fpath ? fpath : ""));
++	    (dn ? dn : ""), (fpath ? fpath : ""));
+ }
+ 
+ static int fsmSymlink(const char *opath, int dirfd, const char *path)
+@@ -910,7 +910,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ 		      (fp->sb.st_nlink == 1 || fp->action == FA_TOUCH);
+ 
+ 	setFileState(fs, fx);
+-	fsmDebug(fp->fpath, fp->action, &fp->sb);
++	fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 
+ 	fp->stage = FILE_PRE;
+     }
+@@ -975,7 +975,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ 		rpmlog(RPMLOG_DEBUG, "file %s vanished unexpectedly\n",
+ 			fp->fpath);
+ 		fp->action = FA_CREATE;
+-		fsmDebug(fp->fpath, fp->action, &fp->sb);
++		fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 	    }
+ 
+ 	    /* When touching we don't need any of this... */
+@@ -1138,7 +1138,7 @@ int rpmPackageFilesRemove(rpmts ts, rpmte te, rpmfiles files,
+ 
+ 	rc = fsmStat(di.dirfd, fp->fpath, 1, &fp->sb);
+ 
+-	fsmDebug(fp->fpath, fp->action, &fp->sb);
++	fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 
+ 	/* Run fsm file pre hook for all plugins */
+ 	rc = rpmpluginsCallFsmFilePre(plugins, fi, fp->fpath,
+-- 
+2.43.0
+

0001-Fix-wrong-return-code-on-O_DIRECTORY-open-of-invalid.patch

@@ -0,0 +1,46 @@
+From 89ce4e7ca592f5abafc3f25aeaa07d36a7b43a61 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 14 Nov 2023 11:37:48 +0200
+Subject: [PATCH] Fix wrong return code on O_DIRECTORY open of invalid symlink
+
+The dir argument to fsmOpenpath() is supposed to be a rough O_DIRECTORY
+equivalent, and if the path is actually a misowned symlink it should
+return ENOTDIR instead of ELOOP. Makes the resulting error messages
+at least a little more comprehensible.
+---
+ lib/fsm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 51f439ef3..091e90554 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -304,6 +304,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+     struct stat lsb, sb;
+     int sflags = flags | O_NOFOLLOW;
+     int fd = openat(dirfd, path, sflags);
++    int ffd = fd;
+ 
+     /*
+      * Only ever follow symlinks by root or target owner. Since we can't
+@@ -312,7 +313,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+      * it could've only been the link owner or root.
+      */
+     if (fd < 0 && errno == ELOOP && flags != sflags) {
+-	int ffd = openat(dirfd, path, flags);
++	ffd = openat(dirfd, path, flags);
+ 	if (ffd >= 0) {
+ 	    if (fstatat(dirfd, path, &lsb, AT_SYMLINK_NOFOLLOW) == 0) {
+ 		if (fstat(ffd, &sb) == 0) {
+@@ -327,7 +328,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+     }
+ 
+     /* O_DIRECTORY equivalent */
+-    if (dir && fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)) {
++    if (dir && ((fd != ffd) || (fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)))) {
+ 	errno = ENOTDIR;
+ 	fsmClose(&fd);
+     }
+-- 
+2.43.0
+

0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch

@@ -101,7 +101,7 @@ index fe6d3ad7f..9c28a41a3 100644
 +	    else
 +		xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
 +	    if (xx < 0) {
-+		int is_err = xx != EOPNOTSUPP;
++		int is_err = errno != EOPNOTSUPP;
  	        rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
  			"ima: could not apply signature on '%s': %s\n",
  			path, strerror(errno));

rpm.spec

@@ -100,10 +100,12 @@ Patch127: 0001-Add-optional-callback-on-directory-changes-during-rp.patch
 Patch128: 0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch
 Patch129: 0001-Swap-over-to-dirfd-basename-based-operation-within-t.patch
 Patch130: 0001-Use-file-state-machine-from-rpm-4.19.patch
+Patch131: 0001-Emit-full-paths-for-file-disposition-diagnostics-on-.patch
+Patch132: 0001-Fix-wrong-return-code-on-O_DIRECTORY-open-of-invalid.patch
 
-Patch131: 0001-Fix-short-circuiting-of-version-strings-in-expressio.patch
-Patch132: 0001-Fix-a-copy-paste-help-description-of-whatconflicts-R.patch
-Patch133: 0001-Expose-and-document-rpmdb-verifydb-operation.patch
+Patch133: 0001-Fix-short-circuiting-of-version-strings-in-expressio.patch
+Patch134: 0001-Fix-a-copy-paste-help-description-of-whatconflicts-R.patch
+Patch135: 0001-Expose-and-document-rpmdb-verifydb-operation.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@@ -653,10 +655,11 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
-* Thu 16 Nov 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-27
+* Mon Nov 27 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-27
 - Fix short circuiting of version strings in expressions (RHEL-15688)
 - Fix description of whatconflicts in the man page (RHEL-6303)
 - Expose and document rpmdb --verifydb operation (RHEL-14591)
+- Fixes to the file handling backport
 
 * Fri Nov 10 2023 Florian Festi <ffesti@redhat.com> - 4.16.1.3-26
 - Backport file handling code from rpm-4.19 to fix CVE-2021-35937,