import rpm-4.16.1.3-17.el9

SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch

@@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/dsa.h>
+ #include <rpm/rpmpgp.h>
++#include <rpm/rpmlog.h>
+ 
+ #include "rpmio/digest.h"
+ 
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+ 
+     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+     if (ret < 0) {
++	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+         rc = 1;
+         goto done;
+     }
+-- 
+2.36.1
+

SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch

@@ -0,0 +1,57 @@
+diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh
+index 4531271cc..74aeed851 100755
+--- a/scripts/rpm2cpio.sh
++++ b/scripts/rpm2cpio.sh
+@@ -15,13 +15,23 @@ _dd() {
+ }
+ 
+ calcsize() {
++
++	case "$(_dd $1 bs=4 count=1 | tr -d '\0')" in
++		"$(printf '\216\255\350')"*) ;; # '\x8e\xad\xe8'
++		*) fatal "File doesn't look like rpm: $pkg" ;;
++	esac
++
+ 	offset=$(($1 + 8))
+ 
+ 	local i b b0 b1 b2 b3 b4 b5 b6 b7
+ 
+ 	i=0
+ 	while [ $i -lt 8 ]; do
+-		b="$(_dd $(($offset + $i)) bs=1 count=1)"
++		# add . to not loose \n
++		# strip \0 as it gets dropped with warning otherwise
++		b="$(_dd $(($offset + $i)) bs=1 count=1 | tr -d '\0' ; echo .)"
++		b=${b%.}    # strip . again
++
+ 		[ -z "$b" ] &&
+ 			b="0" ||
+ 			b="$(exec printf '%u\n' "'$b")"
+@@ -33,7 +43,7 @@ calcsize() {
+ 	offset=$(($offset + $rsize))
+ }
+ 
+-case "$(_dd 0 bs=8 count=1)" in
++case "$(_dd 0 bs=4 count=1 | tr -d '\0')" in
+ 	"$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb'
+ 	*) fatal "File doesn't look like rpm: $pkg" ;;
+ esac
+@@ -44,11 +54,11 @@ sigsize=$rsize
+ calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
+ hdrsize=$rsize
+ 
+-case "$(_dd $offset bs=3 count=1)" in
+-	"$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a'
+-	"$(printf '\037\213')"*) _dd $offset | gunzip  ;; # '\x1f\x8b'
+-	"$(printf '\375\067')"*) _dd $offset | xzcat   ;; # '\xfd\x37'
+-	"$(printf '\135\000')"*) _dd $offset | unlzma  ;; # '\x5d\x00'
+-	"$(printf '\050\265')"*) _dd $offset | unzstd  ;; # '\x28\xb5'
+-	*) fatal "Unrecognized rpm file: $pkg" ;;
++case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in
++	"$(printf '\102\132')") _dd $offset | bunzip2 ;; # '\x42\x5a'
++	"$(printf '\037\213')") _dd $offset | gunzip  ;; # '\x1f\x8b'
++	"$(printf '\375\067')") _dd $offset | xzcat   ;; # '\xfd\x37'
++	"$(printf '\135')") _dd $offset | unlzma      ;; # '\x5d\x00'
++	"$(printf '\050\265')") _dd $offset | unzstd  ;; # '\x28\xb5'
++	*) fatal "Unrecognized payload compression format in rpm file: $pkg" ;;
+ esac

SOURCES/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch

@@ -1,167 +0,0 @@
-From 534fd1f0c84b12ba6080a46e07c57ef913c77cba Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Thu, 25 Aug 2022 15:38:01 +0200
-Subject: [PATCH] fapolicyd: Make write() nonblocking
-
-- switch to read only and non blocking mode for pipe
-- add 1 minute loop to wait for pipe to reappear
-
-Sometimes during the system update/upgrade fapolicyd
-get restarted e.g. when systemd gets updated.
-That can lead to the situation where fapolicyd pipe
-has been removed and created again.
-In such cases rpm-plugin-fapolicyd gets stuck on
-write() to the pipe which does not exist anymore.
-After switching to non blocking file descriptor
-we can try to reopen the pipe if there is an error
-from write(). Assuming that a new pipe should appear
-when fapolicyd daemon starts again.
-If not then after 1 minute of waiting we expect
-fapolicyd daemon to be not active and we let the
-transaction continue.
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- plugins/fapolicyd.c | 74 +++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 65 insertions(+), 9 deletions(-)
-
-diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
-index 1ff50c30f..6c6322941 100644
---- a/plugins/fapolicyd.c
-+++ b/plugins/fapolicyd.c
-@@ -27,7 +27,7 @@ static rpmRC open_fifo(struct fapolicyd_data* state)
-     int fd = -1;
-     struct stat s;
- 
--    fd = open(state->fifo_path, O_RDWR);
-+    fd = open(state->fifo_path, O_WRONLY|O_NONBLOCK);
-     if (fd == -1) {
-         rpmlog(RPMLOG_DEBUG, "Open: %s -> %s\n", state->fifo_path, strerror(errno));
-         goto bad;
-@@ -55,15 +55,26 @@ static rpmRC open_fifo(struct fapolicyd_data* state)
-     }
- 
-     state->fd = fd;
-+
-     /* considering success */
-     return RPMRC_OK;
- 
-  bad:
-     if (fd >= 0)
-         close(fd);
-+
-+    state->fd = -1;
-     return RPMRC_FAIL;
- }
- 
-+static void close_fifo(struct fapolicyd_data* state)
-+{
-+    if (state->fd > 0)
-+        (void) close(state->fd);
-+
-+    state->fd = -1;
-+}
-+
- static rpmRC write_fifo(struct fapolicyd_data* state, const char * str)
- {
-     ssize_t len = strlen(str);
-@@ -86,6 +97,54 @@ static rpmRC write_fifo(struct fapolicyd_data* state, const char * str)
-     return RPMRC_FAIL;
- }
- 
-+static void try_to_write_to_fifo(struct fapolicyd_data* state, const char * str)
-+{
-+    int reload = 0;
-+    int printed = 0;
-+
-+    /* 1min/60s */
-+    const int timeout = 60;
-+
-+    /* wait up to X seconds */
-+    for (int i = 0; i < timeout; i++) {
-+
-+        if (reload) {
-+            if (!printed) {
-+                rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: waiting for the service connection to resume, it can take up to %d seconds\n", timeout);
-+                printed = 1;
-+            }
-+
-+            (void) close_fifo(state);
-+            (void) open_fifo(state);
-+        }
-+
-+        if (state->fd >= 0) {
-+            if (write_fifo(state, str) == RPMRC_OK) {
-+
-+                /* write was successful after few reopens */
-+                if (reload)
-+                    rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has resumed\n");
-+
-+                break;
-+            }
-+        }
-+
-+        /* failed write or reopen */
-+        reload = 1;
-+        sleep(1);
-+
-+        /* the last iteration */
-+        /* consider failure */
-+        if (i == timeout-1) {
-+            rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has not resumed\n");
-+            rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: continuing without the service\n");
-+        }
-+
-+    }
-+
-+}
-+
-+
- static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts)
- {
-     if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS))
-@@ -102,10 +161,7 @@ static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts)
- 
- static void fapolicyd_cleanup(rpmPlugin plugin)
- {
--    if (fapolicyd_state.fd > 0)
--        (void) close(fapolicyd_state.fd);
--
--    fapolicyd_state.fd = -1;
-+    (void) close_fifo(&fapolicyd_state);
- }
- 
- static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res)
-@@ -116,9 +172,9 @@ static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res)
-     /* we are ready */
-     if (fapolicyd_state.fd > 0) {
-         /* send a signal that transaction is over */
--        (void) write_fifo(&fapolicyd_state, "1\n");
-+        (void) try_to_write_to_fifo(&fapolicyd_state, "1\n");
-         /* flush cache */
--        (void) write_fifo(&fapolicyd_state, "2\n");
-+        (void) try_to_write_to_fifo(&fapolicyd_state, "2\n");
-     }
- 
-  end:
-@@ -133,7 +189,7 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
- 
-     if (fapolicyd_state.changed_files > 0) {
-         /* send signal to flush cache */
--        (void) write_fifo(&fapolicyd_state, "2\n");
-+        (void) try_to_write_to_fifo(&fapolicyd_state, "2\n");
- 
-         /* optimize flushing */
-         /* flush only when there was an actual change */
-@@ -176,7 +232,7 @@ static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
-     char * sha = rpmfiFDigestHex(fi, NULL);
- 
-     snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha);
--    (void) write_fifo(&fapolicyd_state, buffer);
-+    (void) try_to_write_to_fifo(&fapolicyd_state, buffer);
- 
-     free(sha);
- 
--- 
-2.37.3
-

SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch

@@ -0,0 +1,20 @@
+--- rpm.orig/macros.in	2022-06-30 11:37:18.975312592 +0100
++++ rpm-4.16.1.3/macros.in	2022-06-30 11:37:43.145158323 +0100
+@@ -167,6 +167,9 @@
+ #	A spec file can %%define _find_debuginfo_opts to pass options to
+ #	the script.  See the script for details.
+ #
++#	Vendor spec files (eg redhat-rpm-config:macros) can %%define
++#       _find_debuginfo_vendor_opts to pass options to the script.
++#
+ %__debug_install_post   \
+     %{_rpmconfigdir}/find-debuginfo.sh \\\
+     %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\
+@@ -179,6 +182,7 @@
+     %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
+     %{?_find_debuginfo_dwz_opts} \\\
+     %{?_find_debuginfo_opts} \\\
++    %{?_find_debuginfo_vendor_opts} \\\
+     %{?_debugsource_packages:-S debugsourcefiles.list} \\\
+     "%{_builddir}/%{?buildsubdir}"\
+ %{nil}

SPECS/rpm.spec

@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 12
+%global rel 17
 %global sover 9
 
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -48,7 +48,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist}.1
+Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist}
 Url: http://www.rpm.org/
 Source0: http://ftp.rpm.org/releases/%{srcdir}/rpm-%{srcver}.tar.bz2
 %if %{with bdb} && %{with int_bdb}
@@ -82,12 +82,13 @@ Patch110: rpm-4.16.1.3-add-path-query-option.patch
 Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
 Patch112: rpm-4.16.1.3-fix-regression-reading-rpm-v3-pkgs.patch
 Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch
-Patch114: rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch
+Patch114: rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 Patch907: rpm-4.15.x-ldflags.patch
+Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
 
 # Not yet (all) upstream, debugedit DWARF5
 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2
@@ -100,6 +101,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 
 # Downstream-only patches
 Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
+Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@@ -612,8 +614,14 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
-* Thu Sep 15 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-12.1
-- Make write() nonblocking in fapolicyd plugin (#2124603)
+* Wed Aug 03 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-17
+- Make rpm2cpio.sh more robust (#1983015)
+
+* Thu Jun 30 2022 Nick Clifton  <nickc@redhat.com> - 4.16.1.3-15
+- Pass _find_debuginfo_vendor_opts to the find-debuginfo script.  (#2099617)
+
+* Tue Jun 28 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-14
+- Warning for failed key import (#2069877)
 
 * Tue Apr 05 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-12
 - Fix minor ABI regression in rpmcli.h (#2037352)