diff --git a/SOURCES/0001-Macroize-find-debuginfo-script-location.patch b/SOURCES/0001-Macroize-find-debuginfo-script-location.patch new file mode 100644 index 0000000..4cc4459 --- /dev/null +++ b/SOURCES/0001-Macroize-find-debuginfo-script-location.patch @@ -0,0 +1,51 @@ +From 1a2554da434548e916240796fe7ca9689c5771fe Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Thu, 27 May 2021 13:58:58 +0300 +Subject: [PATCH] Macroize find-debuginfo script location + +Makes it easier to handle varying paths, mainly in preparation for the +next step. + +(cherry picked from commit ce48167f37af59b6366083fb78a314f7931c0c6b) +--- + configure.ac | 1 + + macros.in | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 39f9a0e5b..35b4dff4c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -113,6 +113,7 @@ AC_PATH_PROG(__NM, nm, /usr/bin/nm, $MYPATH) + AC_PATH_PROG(__OBJCOPY, objcopy, /usr/bin/objcopy, $MYPATH) + AC_PATH_PROG(__OBJDUMP, objdump, /usr/bin/objdump, $MYPATH) + AC_PATH_PROG(__STRIP, strip, /usr/bin/strip, $MYPATH) ++AC_PATH_PROG(__FIND_DEBUGINFO, find-debuginfo, /usr/bin/find-debuginfo, $MYPATH) + + AC_PATH_PROG(__GIT, git, /usr/bin/git, $MYPATH) + AC_PATH_PROG(__HG, hg, /usr/bin/hg, $MYPATH) +diff --git a/macros.in b/macros.in +index 24b124702..2bcf07ef8 100644 +--- a/macros.in ++++ b/macros.in +@@ -80,6 +80,8 @@ + %__remsh %{__rsh} + %__strip @__STRIP@ + ++%__find_debuginfo @__FIND_DEBUGINFO@ ++ + #============================================================================== + # Conditional build stuff. + +@@ -149,7 +151,7 @@ + # _find_debuginfo_vendor_opts to pass options to the script. + # + %__debug_install_post \ +- %{_rpmconfigdir}/find-debuginfo.sh \\\ ++ %{__find_debuginfo} \\\ + %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\ + %{?_missing_build_ids_terminate_build:--strict-build-id} \\\ + %{?_no_recompute_build_ids:-n} \\\ +-- +2.41.0 + diff --git a/SOURCES/rpm-4.16.1.3-IMA-without-xattr.patch b/SOURCES/rpm-4.16.1.3-IMA-without-xattr.patch new file mode 100644 index 0000000..665a232 --- /dev/null +++ b/SOURCES/rpm-4.16.1.3-IMA-without-xattr.patch @@ -0,0 +1,41 @@ +Based on + +From 7db2efa95d859cebda2b095ffdffac42812bd6d9 Mon Sep 17 00:00:00 2001 +From: Darren Kenny +Date: Tue, 22 Feb 2022 16:57:00 +0000 +Subject: [PATCH] ima: Install on filesystems without xattr support without + failing + +If an RPM contains IMA signed digests and rpm-plugin-ima is installed, +then any attempt to install to a filesystem that doesn't support +extended attributes will cause the RPM installation to fail. + +This can be seen, for example, if installing a file /boot, which is +usually a vFAT filesystem. + +The rpm-plugin for selinux fixed this some time back, and that same +logic can be applied to IMA too - where, if a failure to set an extended +attribute results in an errno that is set to EOPNOTSUPP, then this +should not cause a complete failure, but should instead just be logged +at a debug level. + +Signed-off-by: Darren Kenny + +--- rpm-4.16.1.3/plugins/ima.c.orig 2023-05-02 18:19:25.095992859 +0200 ++++ rpm-4.16.1.3/plugins/ima.c 2023-05-02 18:21:46.032941008 +0200 +@@ -69,10 +69,13 @@ + fsig = rpmfiFSignature(fi, &len); + if (fsig && (check_zero_hdr(fsig, len) == 0)) { + if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) { +- rpmlog(RPMLOG_ERR, ++ int is_err = errno != EOPNOTSUPP; ++ rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG, + "ima: could not apply signature on '%s': %s\n", + path, strerror(errno)); +- rc = RPMRC_FAIL; ++ if (is_err) { ++ rc = RPMRC_FAIL; ++ } + } + } + diff --git a/SOURCES/rpm-4.16.1.3-external-debugedit.patch b/SOURCES/rpm-4.16.1.3-external-debugedit.patch new file mode 100644 index 0000000..b5bf2f5 --- /dev/null +++ b/SOURCES/rpm-4.16.1.3-external-debugedit.patch @@ -0,0 +1,11 @@ +--- rpm-4.16.1.3/tests/Makefile.am.orig 2023-05-03 12:44:36.287582896 +0200 ++++ rpm-4.16.1.3/tests/Makefile.am 2023-05-03 12:46:34.182938006 +0200 +@@ -170,7 +170,7 @@ + for d in dev etc magic tmp var; do if [ ! -d testing/$${d} ]; then mkdir testing/$${d}; fi; done + for node in urandom stdin stderr stdout null full; do ln -s /dev/$${node} testing/dev/$${node}; done + for cf in hosts resolv.conf passwd shadow group gshadow mtab ; do [ -f /etc/$${cf} ] && ln -s /etc/$${cf} testing/etc/$${cf}; done +- for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done ++ for prog in gzip cat patch tar sh ln chmod rm mkdir uname grep sed find file ionice mktemp nice cut sort diff touch install wc coreutils xargs debugedit find-debuginfo find-debuginfo.sh ; do p=`which $${prog}`; if [ "$${p}" != "" ]; then ln -s $${p} testing/$(bindir)/; fi; done + for d in /proc /sys /selinux /etc/selinux; do if [ -d $${d} ]; then ln -s $${d} testing/$${d}; fi; done + (cd testing/magic && file -C) + chmod -R u-w testing/ diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index fd964f8..e14a0e8 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 22 +%global rel 25 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -93,12 +93,14 @@ Patch121: rpm-4.16.1.3-rpm2archive-nocompression.patch Patch122: rpm-4.16.1.3-Support-long-languages-names-for-QT.patch Patch123: rpm-4.14.3-rpm2archive-parse-popt-options.patch Patch124: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch +Patch125: rpm-4.16.1.3-IMA-without-xattr.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form Patch907: rpm-4.15.x-ldflags.patch Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch +Patch909: rpm-4.16.1.3-external-debugedit.patch # Not yet (all) upstream, debugedit DWARF5 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2 @@ -112,6 +114,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch # Downstream-only patches Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch +Patch1002: 0001-Macroize-find-debuginfo-script-location.patch # Partially GPL/LGPL dual-licensed and some bits with BSD # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD @@ -127,7 +130,7 @@ BuildRequires: libdb-devel %endif %if %{with check} -BuildRequires: fakechroot gnupg2 +BuildRequires: fakechroot gnupg2 debugedit %endif # XXX generally assumed to be installed but make it explicit as rpm @@ -244,6 +247,7 @@ Suggests: gdb-minimal # "just work" while allowing for alternatives, depend on a virtual # provide, typically coming from redhat-rpm-config. Requires: system-rpm-config +Requires: debugedit %description build The rpm-build package contains the scripts and executable programs @@ -415,6 +419,19 @@ pushd python %py3_install popd +cat > $RPM_BUILD_ROOT/%{rpmhome}/debugedit << END +#!/bin/sh +/usr/bin/debugedit "\$@" +END +cat > $RPM_BUILD_ROOT/%{rpmhome}/sepdebugcrcfix << END +#!/bin/sh +/usr/bin/sepdebugcrcfix "\$@" +END +cat > $RPM_BUILD_ROOT/%{rpmhome}/find-debuginfo.sh << END +#!/bin/sh +/usr/bin/find-debuginfo.sh "\$@" +END + mkdir -p $RPM_BUILD_ROOT%{_unitdir} install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir} @@ -627,6 +644,18 @@ fi %changelog +* Fri Jun 30 2023 Florian Festi - 4.16.1.3-25 +- Followup on #2166383 +- Add compat scripts calling external find-debug, sepdebugcrcfix and debugedit +- Add %%__find_debuginfo macro + +* Thu May 04 2023 Florian Festi - 4.16.1.3-24 +- Use external find-debug and debugedit (#2166383) + +* Wed May 03 2023 Florian Festi - 4.16.1.3-23 +- Don't error out on IMA signatures on files not supporting them + (#2157835, #2157836) + * Mon Dec 19 2022 Florian Festi - 4.16.1.3-22 - Fix option handling in rpm2archive for #2150804