import rpm-4.14.3-20.el8
This commit is contained in:
parent
0af3b82203
commit
9ae23daa16
|
@ -0,0 +1,194 @@
|
||||||
|
From 5e26aa82fb1792c0441131db8dc87976d2d653bb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Domonkos <mdomonko@redhat.com>
|
||||||
|
Date: Mon, 16 Aug 2021 18:21:02 +0200
|
||||||
|
Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries
|
||||||
|
|
||||||
|
There are legitimate reasons (such as rhbz#1940895 or the included test)
|
||||||
|
for wanting the former behavior where all file states were considered in
|
||||||
|
file queries prior to commit 9ad57bda4a82b9847826daa766b4421d877bb3d9,
|
||||||
|
so celebrate the tenth anniversary of that commit by adding a CLI switch
|
||||||
|
(a new package selector --path), as contemplated back then.
|
||||||
|
|
||||||
|
Update the man page for --file to reflect it's current behavior and make
|
||||||
|
--path that more obvious.
|
||||||
|
|
||||||
|
Resolves: rhbz#1940895
|
||||||
|
|
||||||
|
Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported
|
||||||
|
for 4.14.3.
|
||||||
|
---
|
||||||
|
doc/rpm.8 | 9 ++++++--
|
||||||
|
lib/poptQV.c | 6 +++++-
|
||||||
|
lib/query.c | 7 +++++--
|
||||||
|
lib/rpmcli.h | 1 +
|
||||||
|
tests/rpmquery.at | 52 +++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 70 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/rpm.8 b/doc/rpm.8
|
||||||
|
index 15a3db25f..74604c8ec 100644
|
||||||
|
--- a/doc/rpm.8
|
||||||
|
+++ b/doc/rpm.8
|
||||||
|
@@ -57,7 +57,7 @@ rpm \- RPM Package Manager
|
||||||
|
.PP
|
||||||
|
|
||||||
|
[\fB\fIPACKAGE_NAME\fB\fR]
|
||||||
|
- [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR]
|
||||||
|
+ [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR] [\fB--path \fIPATH\fB\fR]
|
||||||
|
[\fB-g,--group \fIGROUP\fB\fR] {\fB-p,--package \fIPACKAGE_FILE\fB\fR]
|
||||||
|
[\fB--hdrid \fISHA1\fB\fR] [\fB--pkgid \fIMD5\fB\fR] [\fB--tid \fITID\fB\fR]
|
||||||
|
[\fB--querybynumber \fIHDRNUM\fB\fR] [\fB--triggeredby \fIPACKAGE_NAME\fB\fR]
|
||||||
|
@@ -555,7 +555,7 @@ starts with "b".
|
||||||
|
List duplicated packages.
|
||||||
|
.TP
|
||||||
|
\fB-f, --file \fIFILE\fB\fR
|
||||||
|
-Query package owning \fIFILE\fR.
|
||||||
|
+Query package owning installed \fIFILE\fR.
|
||||||
|
.TP
|
||||||
|
\fB--filecaps\fR
|
||||||
|
List file names with POSIX1.e capabilities.
|
||||||
|
@@ -598,6 +598,11 @@ that will be expanded to paths that are substituted in place of
|
||||||
|
the package manifest as additional \fIPACKAGE_FILE\fR
|
||||||
|
arguments to the query.
|
||||||
|
.TP
|
||||||
|
+\fB--path \fIPATH\fB\fR
|
||||||
|
+Query package(s) owning \fIPATH\fR, whether the file is installed or not.
|
||||||
|
+Multiple packages may own a \fIPATH\fR, but the file is only owned by the
|
||||||
|
+package installed last.
|
||||||
|
+.TP
|
||||||
|
\fB--pkgid \fIMD5\fB\fR
|
||||||
|
Query package that contains a given package identifier, i.e. the
|
||||||
|
\fIMD5\fR digest of the combined header and
|
||||||
|
diff --git a/lib/poptQV.c b/lib/poptQV.c
|
||||||
|
index 9021d7b3c..f752d8b82 100644
|
||||||
|
--- a/lib/poptQV.c
|
||||||
|
+++ b/lib/poptQV.c
|
||||||
|
@@ -27,6 +27,7 @@ struct rpmQVKArguments_s rpmQVKArgs;
|
||||||
|
#define POPT_WHATENHANCES -1014
|
||||||
|
#define POPT_WHATOBSOLETES -1015
|
||||||
|
#define POPT_WHATCONFLICTS -1016
|
||||||
|
+#define POPT_QUERYBYPATH -1017
|
||||||
|
|
||||||
|
/* ========== Query/Verify/Signature source args */
|
||||||
|
static void rpmQVSourceArgCallback( poptContext con,
|
||||||
|
@@ -58,6 +59,7 @@ static void rpmQVSourceArgCallback( poptContext con,
|
||||||
|
case POPT_WHATSUPPLEMENTS: qva->qva_source |= RPMQV_WHATSUPPLEMENTS; break;
|
||||||
|
case POPT_WHATENHANCES: qva->qva_source |= RPMQV_WHATENHANCES; break;
|
||||||
|
case POPT_TRIGGEREDBY: qva->qva_source |= RPMQV_TRIGGEREDBY; break;
|
||||||
|
+ case POPT_QUERYBYPATH: qva->qva_source |= RPMQV_PATH_ALL; break;
|
||||||
|
case POPT_QUERYBYPKGID: qva->qva_source |= RPMQV_PKGID; break;
|
||||||
|
case POPT_QUERYBYHDRID: qva->qva_source |= RPMQV_HDRID; break;
|
||||||
|
case POPT_QUERYBYTID: qva->qva_source |= RPMQV_TID; break;
|
||||||
|
@@ -80,7 +82,9 @@ struct poptOption rpmQVSourcePoptTable[] = {
|
||||||
|
{ "checksig", 'K', POPT_ARGFLAG_DOC_HIDDEN, NULL, 'K',
|
||||||
|
N_("rpm checksig mode"), NULL },
|
||||||
|
{ "file", 'f', 0, 0, 'f',
|
||||||
|
- N_("query/verify package(s) owning file"), "FILE" },
|
||||||
|
+ N_("query/verify package(s) owning installed file"), "FILE" },
|
||||||
|
+ { "path", '\0', 0, 0, POPT_QUERYBYPATH,
|
||||||
|
+ N_("query/verify package(s) owning path, installed or not"), "PATH" },
|
||||||
|
{ "group", 'g', 0, 0, 'g',
|
||||||
|
N_("query/verify package(s) in group"), "GROUP" },
|
||||||
|
{ "package", 'p', 0, 0, 'p',
|
||||||
|
diff --git a/lib/query.c b/lib/query.c
|
||||||
|
index 26cdecf10..e6ea1fa2d 100644
|
||||||
|
--- a/lib/query.c
|
||||||
|
+++ b/lib/query.c
|
||||||
|
@@ -440,6 +440,7 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
|
||||||
|
}
|
||||||
|
/* fallthrough on absolute and relative paths */
|
||||||
|
case RPMQV_PATH:
|
||||||
|
+ case RPMQV_PATH_ALL:
|
||||||
|
{ char * fn;
|
||||||
|
|
||||||
|
for (s = arg; *s != '\0'; s++)
|
||||||
|
@@ -458,8 +459,10 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
|
||||||
|
fn = xstrdup(arg);
|
||||||
|
(void) rpmCleanPath(fn);
|
||||||
|
|
||||||
|
- /* XXX Add a switch to enable former BASENAMES behavior? */
|
||||||
|
- mi = rpmtsInitIterator(ts, RPMDBI_INSTFILENAMES, fn, 0);
|
||||||
|
+ rpmDbiTagVal tag = RPMDBI_INSTFILENAMES;
|
||||||
|
+ if (qva->qva_source == RPMQV_PATH_ALL)
|
||||||
|
+ tag = RPMDBI_BASENAMES;
|
||||||
|
+ mi = rpmtsInitIterator(ts, tag, fn, 0);
|
||||||
|
if (mi == NULL)
|
||||||
|
mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0);
|
||||||
|
|
||||||
|
diff --git a/lib/rpmcli.h b/lib/rpmcli.h
|
||||||
|
index 99af2585a..330fd956f 100644
|
||||||
|
--- a/lib/rpmcli.h
|
||||||
|
+++ b/lib/rpmcli.h
|
||||||
|
@@ -82,6 +82,7 @@ rpmcliFini(poptContext optCon);
|
||||||
|
enum rpmQVSources_e {
|
||||||
|
RPMQV_PACKAGE = 0, /*!< ... from package name db search. */
|
||||||
|
RPMQV_PATH, /*!< ... from file path db search. */
|
||||||
|
+ RPMQV_PATH_ALL, /*!< ... from file path db search (all states). */
|
||||||
|
RPMQV_ALL, /*!< ... from each installed package. */
|
||||||
|
RPMQV_RPM, /*!< ... from reading binary rpm package. */
|
||||||
|
RPMQV_GROUP, /*!< ... from group db search. */
|
||||||
|
diff --git a/tests/rpmquery.at b/tests/rpmquery.at
|
||||||
|
index 36c62339a..ad580f664 100644
|
||||||
|
--- a/tests/rpmquery.at
|
||||||
|
+++ b/tests/rpmquery.at
|
||||||
|
@@ -194,6 +194,58 @@ runroot rpm \
|
||||||
|
|
||||||
|
AT_CLEANUP
|
||||||
|
|
||||||
|
+# ------------------------------
|
||||||
|
+# query a package by a file
|
||||||
|
+AT_SETUP([rpm -qf])
|
||||||
|
+AT_KEYWORDS([query])
|
||||||
|
+AT_CHECK([
|
||||||
|
+RPMDB_INIT
|
||||||
|
+runroot rpm \
|
||||||
|
+ --nodeps \
|
||||||
|
+ -i /data/RPMS/hello-1.0-1.i386.rpm
|
||||||
|
+runroot rpm \
|
||||||
|
+ -qf /usr/local/bin/hello
|
||||||
|
+],
|
||||||
|
+[0],
|
||||||
|
+[hello-1.0-1.i386
|
||||||
|
+],
|
||||||
|
+[])
|
||||||
|
+AT_CLEANUP
|
||||||
|
+
|
||||||
|
+AT_SETUP([rpm -qf on non-installed file])
|
||||||
|
+AT_KEYWORDS([query])
|
||||||
|
+AT_CHECK([
|
||||||
|
+RPMDB_INIT
|
||||||
|
+runroot rpm \
|
||||||
|
+ --nodeps \
|
||||||
|
+ --excludedocs \
|
||||||
|
+ -i /data/RPMS/hello-1.0-1.i386.rpm
|
||||||
|
+runroot rpm \
|
||||||
|
+ -qf /usr/share/doc/hello-1.0/FAQ
|
||||||
|
+],
|
||||||
|
+[1],
|
||||||
|
+[],
|
||||||
|
+[error: file /usr/share/doc/hello-1.0/FAQ: No such file or directory
|
||||||
|
+])
|
||||||
|
+AT_CLEANUP
|
||||||
|
+
|
||||||
|
+AT_SETUP([rpm -q --path on non-installed file])
|
||||||
|
+AT_KEYWORDS([query])
|
||||||
|
+AT_CHECK([
|
||||||
|
+RPMDB_INIT
|
||||||
|
+runroot rpm \
|
||||||
|
+ --nodeps \
|
||||||
|
+ --excludedocs \
|
||||||
|
+ -i /data/RPMS/hello-1.0-1.i386.rpm
|
||||||
|
+runroot rpm \
|
||||||
|
+ -q --path /usr/share/doc/hello-1.0/FAQ
|
||||||
|
+],
|
||||||
|
+[0],
|
||||||
|
+[hello-1.0-1.i386
|
||||||
|
+],
|
||||||
|
+[])
|
||||||
|
+AT_CLEANUP
|
||||||
|
+
|
||||||
|
# ------------------------------
|
||||||
|
AT_SETUP([integer array query])
|
||||||
|
AT_KEYWORDS([query])
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
From 77007d68782b66f2d00d7b200516731246876dca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||||||
|
Date: Thu, 27 May 2021 13:58:58 +0300
|
||||||
|
Subject: [PATCH] Macroize find-debuginfo script location
|
||||||
|
|
||||||
|
Makes it easier to handle varying paths, mainly in preparation for the
|
||||||
|
next step.
|
||||||
|
|
||||||
|
Backported for 4.14.3.
|
||||||
|
---
|
||||||
|
macros.in | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/macros.in b/macros.in
|
||||||
|
index a6069ee4d..be28a3b28 100644
|
||||||
|
--- a/macros.in
|
||||||
|
+++ b/macros.in
|
||||||
|
@@ -82,6 +82,8 @@
|
||||||
|
%__remsh %{__rsh}
|
||||||
|
%__strip @__STRIP@
|
||||||
|
|
||||||
|
+%__find_debuginfo %{_rpmconfigdir}/find-debuginfo.sh
|
||||||
|
+
|
||||||
|
# XXX avoid failures if tools are not installed when rpm is built.
|
||||||
|
%__libtoolize libtoolize
|
||||||
|
%__aclocal aclocal
|
||||||
|
@@ -177,7 +179,7 @@
|
||||||
|
# the script. See the script for details.
|
||||||
|
#
|
||||||
|
%__debug_install_post \
|
||||||
|
- %{_rpmconfigdir}/find-debuginfo.sh \\\
|
||||||
|
+ %{__find_debuginfo} \\\
|
||||||
|
%{?_smp_mflags} \\\
|
||||||
|
%{?_missing_build_ids_terminate_build:--strict-build-id} \\\
|
||||||
|
%{?_no_recompute_build_ids:-n} \\\
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
|
@ -0,0 +1,386 @@
|
||||||
|
From 92d942a2da619852c2b223e09a645110e867fc67 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
|
Date: Thu, 6 May 2021 18:34:45 -0400
|
||||||
|
Subject: [PATCH] Validate and require subkey binding signatures on PGP public
|
||||||
|
keys
|
||||||
|
|
||||||
|
All subkeys must be followed by a binding signature by the primary key
|
||||||
|
as per the OpenPGP RFC, enforce the presence and validity in the parser.
|
||||||
|
|
||||||
|
The implementation is as kludgey as they come to work around our
|
||||||
|
simple-minded parser structure without touching API, to maximise
|
||||||
|
backportability. Store all the raw packets internally as we decode them
|
||||||
|
to be able to access previous elements at will, needed to validate ordering
|
||||||
|
and access the actual data. Add testcases for manipulated keys whose
|
||||||
|
import previously would succeed.
|
||||||
|
|
||||||
|
Combined with:
|
||||||
|
5ff86764b17f31535cb247543a90dd739076ec38
|
||||||
|
b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
|
||||||
|
9f03f42e2614a68f589f9db8fe76287146522c0c
|
||||||
|
|
||||||
|
Fixes CVE-2021-3521.
|
||||||
|
---
|
||||||
|
rpmio/rpmpgp.c | 123 +++++++++++++++---
|
||||||
|
tests/Makefile.am | 3 +
|
||||||
|
tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++
|
||||||
|
.../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++
|
||||||
|
tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++
|
||||||
|
tests/rpmsigdig.at | 28 ++++
|
||||||
|
6 files changed, 224 insertions(+), 17 deletions(-)
|
||||||
|
create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
|
||||||
|
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
|
create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
|
||||||
|
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
|
||||||
|
index 46cd0f31a..fbb131a28 100644
|
||||||
|
--- a/rpmio/rpmpgp.c
|
||||||
|
+++ b/rpmio/rpmpgp.c
|
||||||
|
@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
|
||||||
|
+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
|
||||||
|
const uint8_t *p, const uint8_t *h, size_t hlen,
|
||||||
|
pgpDigParams sigp)
|
||||||
|
{
|
||||||
|
@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
|
||||||
|
int mpil = pgpMpiLen(p);
|
||||||
|
if (p + mpil > pend)
|
||||||
|
break;
|
||||||
|
- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
|
||||||
|
- if (sigalg->setmpi(sigalg, i, p))
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ if (sigalg->setmpi(sigalg, i, p))
|
||||||
|
+ break;
|
||||||
|
p += mpil;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
|
||||||
|
}
|
||||||
|
|
||||||
|
p = ((uint8_t *)v) + sizeof(*v);
|
||||||
|
- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
|
||||||
|
+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
|
||||||
|
} break;
|
||||||
|
case 4:
|
||||||
|
{ pgpPktSigV4 v = (pgpPktSigV4)h;
|
||||||
|
@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
|
||||||
|
if (p > (h + hlen))
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
|
||||||
|
+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
|
||||||
|
} break;
|
||||||
|
default:
|
||||||
|
rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
|
||||||
|
@@ -999,36 +997,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
|
||||||
|
return algo;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static pgpDigParams pgpDigParamsNew(uint8_t tag)
|
||||||
|
+{
|
||||||
|
+ pgpDigParams digp = xcalloc(1, sizeof(*digp));
|
||||||
|
+ digp->tag = tag;
|
||||||
|
+ return digp;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
|
||||||
|
+{
|
||||||
|
+ int rc = -1;
|
||||||
|
+ if (pkt->tag == exptag) {
|
||||||
|
+ uint8_t head[] = {
|
||||||
|
+ 0x99,
|
||||||
|
+ (pkt->blen >> 8),
|
||||||
|
+ (pkt->blen ),
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ rpmDigestUpdate(hash, head, 3);
|
||||||
|
+ rpmDigestUpdate(hash, pkt->body, pkt->blen);
|
||||||
|
+ rc = 0;
|
||||||
|
+ }
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
|
||||||
|
+ const struct pgpPkt *all, int i)
|
||||||
|
+{
|
||||||
|
+ int rc = -1;
|
||||||
|
+ DIGEST_CTX hash = NULL;
|
||||||
|
+
|
||||||
|
+ switch (selfsig->sigtype) {
|
||||||
|
+ case PGPSIGTYPE_SUBKEY_BINDING:
|
||||||
|
+ hash = rpmDigestInit(selfsig->hash_algo, 0);
|
||||||
|
+ if (hash) {
|
||||||
|
+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
|
||||||
|
+ if (!rc)
|
||||||
|
+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ /* ignore types we can't handle */
|
||||||
|
+ rc = 0;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (hash && rc == 0)
|
||||||
|
+ rc = pgpVerifySignature(key, selfsig, hash);
|
||||||
|
+
|
||||||
|
+ rpmDigestFinal(hash, NULL, NULL, 0);
|
||||||
|
+
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
|
||||||
|
pgpDigParams * ret)
|
||||||
|
{
|
||||||
|
const uint8_t *p = pkts;
|
||||||
|
const uint8_t *pend = pkts + pktlen;
|
||||||
|
pgpDigParams digp = NULL;
|
||||||
|
- struct pgpPkt pkt;
|
||||||
|
+ pgpDigParams selfsig = NULL;
|
||||||
|
+ int i = 0;
|
||||||
|
+ int alloced = 16; /* plenty for normal cases */
|
||||||
|
+ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
|
||||||
|
int rc = -1; /* assume failure */
|
||||||
|
+ int expect = 0;
|
||||||
|
+ int prevtag = 0;
|
||||||
|
|
||||||
|
while (p < pend) {
|
||||||
|
- if (decodePkt(p, (pend - p), &pkt))
|
||||||
|
+ struct pgpPkt *pkt = &all[i];
|
||||||
|
+ if (decodePkt(p, (pend - p), pkt))
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (digp == NULL) {
|
||||||
|
- if (pkttype && pkt.tag != pkttype) {
|
||||||
|
+ if (pkttype && pkt->tag != pkttype) {
|
||||||
|
break;
|
||||||
|
} else {
|
||||||
|
- digp = xcalloc(1, sizeof(*digp));
|
||||||
|
- digp->tag = pkt.tag;
|
||||||
|
+ digp = pgpDigParamsNew(pkt->tag);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (pgpPrtPkt(&pkt, digp))
|
||||||
|
+ if (expect) {
|
||||||
|
+ if (pkt->tag != expect)
|
||||||
|
+ break;
|
||||||
|
+ selfsig = pgpDigParamsNew(pkt->tag);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
|
||||||
|
break;
|
||||||
|
|
||||||
|
- p += (pkt.body - pkt.head) + pkt.blen;
|
||||||
|
+ if (selfsig) {
|
||||||
|
+ /* subkeys must be followed by binding signature */
|
||||||
|
+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
|
||||||
|
+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ int xx = pgpVerifySelf(digp, selfsig, all, i);
|
||||||
|
+
|
||||||
|
+ selfsig = pgpDigParamsFree(selfsig);
|
||||||
|
+ if (xx)
|
||||||
|
+ break;
|
||||||
|
+ expect = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
|
||||||
|
+ expect = PGPTAG_SIGNATURE;
|
||||||
|
+ prevtag = pkt->tag;
|
||||||
|
+
|
||||||
|
+ i++;
|
||||||
|
+ p += (pkt->body - pkt->head) + pkt->blen;
|
||||||
|
+ if (pkttype == PGPTAG_SIGNATURE)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ if (alloced <= i) {
|
||||||
|
+ alloced *= 2;
|
||||||
|
+ all = xrealloc(all, alloced * sizeof(*all));
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = (digp && (p == pend)) ? 0 : -1;
|
||||||
|
+ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
|
||||||
|
|
||||||
|
+ free(all);
|
||||||
|
if (ret && rc == 0) {
|
||||||
|
*ret = digp;
|
||||||
|
} else {
|
||||||
|
@@ -1063,8 +1153,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
|
||||||
|
digps = xrealloc(digps, alloced * sizeof(*digps));
|
||||||
|
}
|
||||||
|
|
||||||
|
- digps[count] = xcalloc(1, sizeof(**digps));
|
||||||
|
- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
|
||||||
|
+ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
|
||||||
|
/* Copy UID from main key to subkey */
|
||||||
|
digps[count]->userid = xstrdup(mainkey->userid);
|
||||||
|
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index 5f5207e56..309347262 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
|
||||||
|
EXTRA_DIST += data/SPECS/hello-cd.spec
|
||||||
|
EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
|
||||||
|
EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
|
||||||
|
+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
|
||||||
|
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
|
EXTRA_DIST += data/macros.testfile
|
||||||
|
|
||||||
|
# testsuite voodoo
|
||||||
|
diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..aea00f9d7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
|
||||||
|
@@ -0,0 +1,25 @@
|
||||||
|
+-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
+Version: rpm-4.17.90 (NSS-3)
|
||||||
|
+
|
||||||
|
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
|
||||||
|
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
|
||||||
|
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
|
||||||
|
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
|
||||||
|
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
|
||||||
|
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
|
||||||
|
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
|
||||||
|
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
|
||||||
|
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
|
||||||
|
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
|
||||||
|
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
|
||||||
|
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
|
||||||
|
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
|
||||||
|
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
|
||||||
|
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
|
||||||
|
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
|
||||||
|
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
|
||||||
|
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
|
||||||
|
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
|
||||||
|
+=WCfs
|
||||||
|
+-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
+
|
||||||
|
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..aea00f9d7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
|
@@ -0,0 +1,25 @@
|
||||||
|
+-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
+Version: rpm-4.17.90 (NSS-3)
|
||||||
|
+
|
||||||
|
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
|
||||||
|
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
|
||||||
|
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
|
||||||
|
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
|
||||||
|
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
|
||||||
|
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
|
||||||
|
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
|
||||||
|
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
|
||||||
|
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
|
||||||
|
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
|
||||||
|
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
|
||||||
|
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
|
||||||
|
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
|
||||||
|
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
|
||||||
|
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
|
||||||
|
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
|
||||||
|
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
|
||||||
|
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
|
||||||
|
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
|
||||||
|
+=WCfs
|
||||||
|
+-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
+
|
||||||
|
diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..3a2e7417f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
@@ -0,0 +1,37 @@
|
||||||
|
+-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
+Version: rpm-4.17.90 (NSS-3)
|
||||||
|
+
|
||||||
|
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
|
||||||
|
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
|
||||||
|
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
|
||||||
|
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
|
||||||
|
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
|
||||||
|
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
|
||||||
|
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
|
||||||
|
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
|
||||||
|
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
|
||||||
|
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
|
||||||
|
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
|
||||||
|
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
|
||||||
|
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
|
||||||
|
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
|
||||||
|
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
|
||||||
|
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
|
||||||
|
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
|
||||||
|
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
|
||||||
|
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
|
||||||
|
+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
|
||||||
|
+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
|
||||||
|
+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
|
||||||
|
+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
|
||||||
|
+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
|
||||||
|
+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
|
||||||
|
+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
|
||||||
|
+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
|
||||||
|
+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
|
||||||
|
+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
|
||||||
|
+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
|
||||||
|
+E4XX4jtDmdZPreZALsiB
|
||||||
|
+=rRop
|
||||||
|
+-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
+
|
||||||
|
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
|
||||||
|
index 09fcdd525..a74f400ae 100644
|
||||||
|
--- a/tests/rpmsigdig.at
|
||||||
|
+++ b/tests/rpmsigdig.at
|
||||||
|
@@ -212,6 +212,34 @@ UNW2iqnN3BA7guhOv6OMiROF1+I7Q5nWT63mQC7IgQ==
|
||||||
|
[])
|
||||||
|
AT_CLEANUP
|
||||||
|
|
||||||
|
+AT_SETUP([rpmkeys --import invalid keys])
|
||||||
|
+AT_KEYWORDS([rpmkeys import])
|
||||||
|
+RPMDB_INIT
|
||||||
|
+
|
||||||
|
+AT_CHECK([
|
||||||
|
+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
|
||||||
|
+],
|
||||||
|
+[1],
|
||||||
|
+[],
|
||||||
|
+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
|
||||||
|
+)
|
||||||
|
+AT_CHECK([
|
||||||
|
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
|
||||||
|
+],
|
||||||
|
+[1],
|
||||||
|
+[],
|
||||||
|
+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+AT_CHECK([
|
||||||
|
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
|
||||||
|
+],
|
||||||
|
+[1],
|
||||||
|
+[],
|
||||||
|
+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
|
||||||
|
+)
|
||||||
|
+AT_CLEANUP
|
||||||
|
+
|
||||||
|
# ------------------------------
|
||||||
|
# Test pre-built package verification
|
||||||
|
AT_SETUP([rpmkeys -K <signed> 1])
|
||||||
|
--
|
||||||
|
2.33.1
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
|
|
||||||
%global rpmver 4.14.3
|
%global rpmver 4.14.3
|
||||||
#global snapver rc2
|
#global snapver rc2
|
||||||
%global rel 19
|
%global rel 20
|
||||||
|
|
||||||
%global srcver %{version}%{?snapver:-%{snapver}}
|
%global srcver %{version}%{?snapver:-%{snapver}}
|
||||||
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
%global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
|
||||||
|
@ -109,6 +109,9 @@ Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch
|
||||||
Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch
|
Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch
|
||||||
Patch157: rpm-4.14.3-add-read-only-support-for-sqlite.patch
|
Patch157: rpm-4.14.3-add-read-only-support-for-sqlite.patch
|
||||||
Patch158: rpm-4.14.3-imp-covscan-fixes.patch
|
Patch158: rpm-4.14.3-imp-covscan-fixes.patch
|
||||||
|
Patch159: rpm-4.14.3-add-path-query-option.patch
|
||||||
|
Patch160: rpm-4.14.3-macroize-find-debuginfo-script-location.patch
|
||||||
|
Patch161: rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch
|
||||||
|
|
||||||
# Python 3 string API sanity
|
# Python 3 string API sanity
|
||||||
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
|
||||||
|
@ -689,6 +692,12 @@ make check || cat tests/rpmtests.log
|
||||||
%doc doc/librpm/html/*
|
%doc doc/librpm/html/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-20
|
||||||
|
- Add --path query option (#1940895)
|
||||||
|
- Macroize find-debuginfo script location (#2019540)
|
||||||
|
- Validate and require subkey binding sigs on PGP pubkeys (#1958480)
|
||||||
|
- Fixes CVE-2021-3521
|
||||||
|
|
||||||
* Wed Oct 06 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-19
|
* Wed Oct 06 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-19
|
||||||
- Unbreak in-tree kmod strip by reverting brp-strip fix (#1967291)
|
- Unbreak in-tree kmod strip by reverting brp-strip fix (#1967291)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue