From 92a4e01c1e395000abf963358ed3c55e713ecf2b Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Tue, 22 Apr 2025 15:17:07 +0200 Subject: [PATCH 1/2] Add patches for next release Resolves: RHEL-55284 RHEL-82284 RHEL-73173 RHEL-87384 RHEL-78693 --- ...e-_passwd_path-and-_group_path-lists.patch | 104 +++++++++++++++ 0002-Fix-memory-leak-in-rpmspec-shell.patch | 32 +++++ 0003-Fix-memory-leak-in-runGPG.patch | 37 ++++++ ...bout-rpmsign-in-the-rpmsign-man-page.patch | 66 ++++++++++ ...ndant-argument-from-rpmcliTransactio.patch | 120 ++++++++++++++++++ rpm.spec | 15 ++- 6 files changed, 373 insertions(+), 1 deletion(-) create mode 100644 0001-Make-_passwd_path-and-_group_path-lists.patch create mode 100644 0002-Fix-memory-leak-in-rpmspec-shell.patch create mode 100644 0003-Fix-memory-leak-in-runGPG.patch create mode 100644 0004-Talk-about-rpmsign-in-the-rpmsign-man-page.patch create mode 100644 0005-Revert-Drop-redundant-argument-from-rpmcliTransactio.patch diff --git a/0001-Make-_passwd_path-and-_group_path-lists.patch b/0001-Make-_passwd_path-and-_group_path-lists.patch new file mode 100644 index 0000000..5a6f69a --- /dev/null +++ b/0001-Make-_passwd_path-and-_group_path-lists.patch 
@@ -0,0 +1,104 @@
+From 0f3ace9f3f38e3719b83018f400d5ffa509bbd1d Mon Sep 17 00:00:00 2001
+From: Florian Festi
+Date: Thu, 20 Mar 2025 13:57:56 +0100
+Subject: [PATCH 1/5] Make %_passwd_path and %_group_path lists
+
+Look up multiple files if they are listes in the macros separated by
+colons. This way multiple sources of user and group information can be
+used.
+
+This is needed as RPM no longer honors nsswitch as it fails for
+chroots. This way one can at least configure where RPM should look for
+user/group information.
+
+Backported from commits:
+eb1ee05c6d835903b3f47bc95042790e915f569e
+
+Fixes: RHEL-78693
+---
+ lib/rpmug.c | 21 ++++++++++++++++++++-
+ macros.in | 2 +-
+ tests/rpmverify.at | 18 ++++++++++++++++++
+ 3 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rpmug.c b/lib/rpmug.c
+index 807677b2c..316e326f3 100644
+--- a/lib/rpmug.c
++++ b/lib/rpmug.c
+@@ -47,7 +47,7 @@ static const char *grpfile(void)
+ * Lookup an arbitrary field based on contents of another in a ':' delimited
+ * file, such as /etc/passwd or /etc/group.
+ */
+-static int lookup_field(const char *path, const char *val, int vcol, int rcol,
++static int lookup_field_in_file(const char *path, const char *val, int vcol, int rcol,
+ char **ret)
+ {
+ int rc = -1; /* assume not found */
+@@ -85,6 +85,25 @@ static int lookup_field(const char *path, const char *val, int vcol, int rcol,
+ return rc;
+ }
+
++/*
++ * Lookup an arbitrary field based on contents of another in a ':' delimited
++ * file, such as /etc/passwd or /etc/group. Look at multiple files listed in
++ * path separated by colons
++ */
++static int lookup_field(const char *path, const char *val, int vcol, int rcol,
++ char **ret)
++{
++ ARGV_t paths = argvSplitString(path, ":", ARGV_SKIPEMPTY);
++ int rc = -1;
++ for (ARGV_t p = paths; *p; p++) {
++ rc = lookup_field_in_file(*p, val, vcol, rcol, ret);
++ if (!rc)
++ break;
++ }
++ argvFree(paths);
++ return rc;
++}
++
+ /* atol() with error handling, return 0/-1 on success/failure */
+ static int stol(const char *s, long *ret)
+ {
+diff --git a/macros.in b/macros.in
+index 7eb3d2b98..f2a28fa57 100644
+--- a/macros.in
++++ b/macros.in
+@@ -132,7 +132,7 @@
+
+ %_keyringpath %{_dbpath}/pubkeys/
+
+-# Location of passwd(5) and group(5)
++# Location of passwd(5) and group(5), as : separated list
+ %_passwd_path /etc/passwd
+ %_group_path /etc/group
+
+diff --git a/tests/rpmverify.at b/tests/rpmverify.at
+index c625a1bb9..804235908 100644
+--- a/tests/rpmverify.at
++++ b/tests/rpmverify.at
+@@ -648,3 +648,21 @@ runroot rpm -Vv ${VERIFYOPTS} verifyfiles
+ ],
+ [])
+ RPMTEST_CLEANUP
++
++AT_SETUP([alternative passwd location])
++AT_KEYWORDS([verify])
++RPMDB_INIT
++
++runroot rpmbuild -bb --quiet /data/SPECS/klang.spec
++runroot rpm -Uvh /build/RPMS/noarch/klang-*
++echo "klangd:x:1111:1111::/:/sbin/nologin\n" >> ${RPMTEST}/usr/lib/passwd
++echo "klangd:x:8888:" >> ${RPMTEST}/usr/lib/group
++
++RPMTEST_CHECK([
++runroot_other chown 1111:8888 /var/lib/klangd
++runroot rpm -D "_passwd_path /usr/lib/passwd:/etc/passwd" -D "_group_path /usr/lib/group:/etc/group" -V klang-server
++],
++[0],
++[],
++[])
++RPMTEST_CLEANUP
+--
+2.49.0
+
diff --git a/0002-Fix-memory-leak-in-rpmspec-shell.patch b/0002-Fix-memory-leak-in-rpmspec-shell.patch
new file mode 100644
index 0000000..288cbbc
--- /dev/null
+++ b/0002-Fix-memory-leak-in-rpmspec-shell.patch
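Review bot: In the new `lookup_field()` the loop header dereferences `paths` straight away, so if `argvSplitString()` hands back NULL (for instance for a NULL `path`; its behaviour is not visible in this hunk) the lookup crashes instead of reporting not-found. A guard before the loop, `if (paths == NULL) return -1;`, keeps the existing 0/-1 contract. The comment above the function should also say that files are tried in list order and the first match wins, because with `%_passwd_path` or `%_group_path` set to several files that order decides which UID or GID a name resolves to.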
@@ -0,0 +1,32 @@
+From 891a625246a19abd5aecfa534b630f2e7d15c8d5 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos
+Date: Thu, 17 Apr 2025 13:04:50 +0200
+Subject: [PATCH 2/5] Fix memory leak in rpmspec --shell
+
+The history(3) library allocates its own copy of the line string passed
+to add_history() so we need to free it ourselves.
+
+Found by Coverity.
+
+(cherry picked from commit 96fe0562712227c1764f2bae27f1b138dda7e032)
+
+Fixes: RHEL-55284
+---
+ tools/rpmspec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/rpmspec.c b/tools/rpmspec.c
+index cf58de80e..2bf95684e 100644
+--- a/tools/rpmspec.c
++++ b/tools/rpmspec.c
+@@ -74,6 +74,7 @@ static int doShell(rpmSpec spec)
+ free(exp);
+ if (*line)
+ add_history(line);
++ free(line);
+ }
+ return 0;
+ }
+--
+2.49.0
+
diff --git a/0003-Fix-memory-leak-in-runGPG.patch b/0003-Fix-memory-leak-in-runGPG.patch
new file mode 100644
index 0000000..1270536
--- /dev/null
+++ b/0003-Fix-memory-leak-in-runGPG.patch
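Review bot: The added `free(line);` sits directly under an unbraced `if (*line)`, which makes it easy to misread as part of the conditional; bracing it as `if (*line) { add_history(line); }` makes clear that the free is unconditional. A short comment such as `/* add_history() keeps its own copy */` would record why freeing here is safe. The loop in doShell() starts above the hunk, so whether any earlier path leaves the iteration without reaching this free cannot be checked from here.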
@@ -0,0 +1,37 @@
+From 0f1731d648ff37d06bf711c84459b254047b23e0 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos
+Date: Tue, 22 Apr 2025 14:04:31 +0200
+Subject: [PATCH 3/5] Fix memory leak in runGPG()
+
+Downstream only patch, upstream no longer uses gpg_path here after
+commit 7f2c7136af575ba4854e579f3df547051a2eecfc.
+
+Fixes: RHEL-82284
+---
+ sign/rpmgensig.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index 576e77f7d..f0b4dc891 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -237,7 +237,7 @@ static int runGPG(sigTarget sigt, const char *sigfile)
+ int using_gpg = (strstr(out, "GnuPG") != NULL);
+ if (using_gpg) {
+ const char *tty = ttyname(STDIN_FILENO);
+- const char *gpg_path = NULL;
++ char *gpg_path = NULL;
+
+ if (!getenv("GPG_TTY") && (!tty || setenv("GPG_TTY", tty, 0)))
+ rpmlog(RPMLOG_WARNING, _("Could not set GPG_TTY to stdin: %m\n"));
+@@ -245,6 +245,7 @@ static int runGPG(sigTarget sigt, const char *sigfile)
+ gpg_path = rpmExpand("%{?_gpg_path}", NULL);
+ if (gpg_path && *gpg_path != '\0')
+ (void) setenv("GNUPGHOME", gpg_path, 1);
++ free(gpg_path);
+ }
+ free(out);
+
+--
+2.49.0
+
diff --git a/0004-Talk-about-rpmsign-in-the-rpmsign-man-page.patch b/0004-Talk-about-rpmsign-in-the-rpmsign-man-page.patch
new file mode 100644
index 0000000..6ab79a0
--- /dev/null
+++ b/0004-Talk-about-rpmsign-in-the-rpmsign-man-page.patch
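Review bot: The `(void) setenv("GNUPGHOME", gpg_path, 1);` call in the second hunk still discards its result, so if it fails the gpg run presumably proceeds with whatever GNUPGHOME the environment already had rather than the keyring configured in `%_gpg_path`, and nothing is logged. Mirroring the GPG_TTY handling a few lines up would surface that: `if (setenv("GNUPGHOME", gpg_path, 1)) rpmlog(RPMLOG_WARNING, _("Could not set GNUPGHOME: %m\n"));`. The new `free(gpg_path);` is fine because setenv() copies its value, and a one-line comment saying so would stop a later switch to putenv() from introducing a dangling pointer. runGPG() continues outside both hunks.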
@@ -0,0 +1,66 @@ +From 9bb13c129ebd399645d173e51a5819bb9969e7c2 Mon Sep 17 00:00:00 2001 +From: Florian Festi +Date: Wed, 12 Jun 2024 15:46:12 +0200 +Subject: [PATCH 4/5] Talk about rpmsign in the rpmsign man page + +In the past handling signatures was done by the rpm / rpmbuild binaries +directly. When this functionality was split into rpmsign the man page +was not adjusted accoringly. This is the long overdue update. + +(cherry picked from commit 8e1f55c7004e8c1a7d9140ab2dd9456a7ace3e77) + +Fixes: RHEL-73173 +--- + docs/man/rpmsign.8.md | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/docs/man/rpmsign.8.md b/docs/man/rpmsign.8.md +index 04d6855e7..339e28451 100644 +--- a/docs/man/rpmsign.8.md ++++ b/docs/man/rpmsign.8.md +@@ -15,12 +15,12 @@ SYNOPSIS + SIGNING PACKAGES: + ----------------- + +-**rpm** **\--addsign\|\--resign** \[**rpmsign-options**\] *PACKAGE\_FILE ++**rpmsign** **\--addsign\|\--resign** \[**rpmsign-options**\] *PACKAGE\_FILE + \...* + +-**rpm** **\--delsign** *PACKAGE\_FILE \...* ++**rpmsign** **\--delsign** *PACKAGE\_FILE \...* + +-**rpm** **\--delfilesign** *PACKAGE\_FILE \...* ++**rpmsign** **\--delfilesign** *PACKAGE\_FILE \...* + + rpmsign-options + --------------- +@@ -35,14 +35,14 @@ new signatures for each package *PACKAGE\_FILE* given, replacing any + existing signatures. There are two options for historical reasons, there + is no difference in behavior currently. + +-To create a signature rpm needs to verify the package\'s checksum. As a ++To create a signature rpmsign needs to verify the package\'s checksum. As a + result packages with a MD5/SHA1 checksums cannot be signed in FIPS mode. + +-**rpm** **\--delsign** *PACKAGE\_FILE \...* ++**rpmsign** **\--delsign** *PACKAGE\_FILE \...* + + Delete all signatures from each package *PACKAGE\_FILE* given. 
+ +-**rpm** **\--delfilesign** *PACKAGE\_FILE \...* ++**rpmsign** **\--delfilesign** *PACKAGE\_FILE \...* + + Delete all IMA and fsverity file signatures from each package + *PACKAGE\_FILE* given. +@@ -54,7 +54,7 @@ SIGN OPTIONS + + : Force RPM V3 header+payload signature addition. These are expensive + and redundant baggage on packages where a separate payload digest +- exists (packages built with rpm \>= 4.14). Rpm will automatically ++ exists (packages built with rpm \>= 4.14). Rpmsign will automatically + detect the need for V3 signatures, but this option can be used to + force their creation if the packages must be fully signature + verifiable with rpm \< 4.14 or other interoperability reasons. +-- +2.49.0 + diff --git a/0005-Revert-Drop-redundant-argument-from-rpmcliTransactio.patch b/0005-Revert-Drop-redundant-argument-from-rpmcliTransactio.patch new file mode 100644 index 0000000..bf3a83d --- /dev/null +++ b/0005-Revert-Drop-redundant-argument-from-rpmcliTransactio.patch 
@@ -0,0 +1,120 @@
+From d09149df374b0faad1d58843369b461a35ec286b Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Wed, 16 Apr 2025 12:16:41 +0300
+Subject: [PATCH 5/5] Revert "Drop redundant argument from rpmcliTransaction()"
+
+This reverts commit 99f8997082637889e6ef08c7893d583cfaea2f04.
+
+The transaction does know the number of elements alright, but updates
+are tracked as two elements so the exit code on a failed update of one
+package becomes 2 which seems wrong. Just revert the change, it wasn't
+a big cleanup anyhow, the alternative of filtering out update-related
+erasures from the transaction would only be more code.
+
+--restore was added in the meanwhile so a plain revert doesn't suffice.
+In the case of --restore the number of elements is always simply the
+elements in transaction so we can just use rpmtsNElements() for that.
+
+Backported from commits:
+c1b33879a7284cf311fa68d88f8df54b00a207ac
+7931850da430c6187c3557a0dbecf753bb5be490
+
+Fixes: RHEL-87384
+---
+ lib/rpminstall.c | 10 +++++-----
+ tests/data/SPECS/deptest.spec | 4 +++-
+ tests/rpmdeps.at | 14 ++++++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/lib/rpminstall.c b/lib/rpminstall.c
+index 4c49507db..c7510dabb 100644
+--- a/lib/rpminstall.c
++++ b/lib/rpminstall.c
+@@ -252,10 +252,10 @@ struct rpmEIU {
+ rpmRC rpmrc;
+ };
+
+-static int rpmcliTransaction(rpmts ts, struct rpmInstallArguments_s * ia)
++static int rpmcliTransaction(rpmts ts, struct rpmInstallArguments_s * ia,
++ int numPackages)
+ {
+ rpmps ps;
+- int numPackages = rpmtsNElements(ts);
+
+ int rc = 0;
+ int stop = 0;
+@@ -650,7 +650,7 @@ restart:
+ if (eiu->numFailed) goto exit;
+
+ if (eiu->numRPMS) {
+- int rc = rpmcliTransaction(ts, ia);
++ int rc = rpmcliTransaction(ts, ia, eiu->numPkgs);
+ if (rc < 0)
+ eiu->numFailed += eiu->numRPMS;
+ else if (rc > 0)
+@@ -756,7 +756,7 @@ int rpmErase(rpmts ts, struct rpmInstallArguments_s * ia, ARGV_const_t argv)
+ free(qfmt);
+
+ if (numFailed) goto exit;
+- numFailed = rpmcliTransaction(ts, ia);
++ numFailed = rpmcliTransaction(ts, ia, numPackages);
+ exit:
+ rpmtsEmpty(ts);
+ rpmtsSetVSFlags(ts, ovsflags);
+@@ -784,7 +784,7 @@ int rpmRestore(rpmts ts, struct rpmInstallArguments_s * ia, ARGV_const_t argv)
+
+ rc = rpmcliArgIter(ts, qva, argv);
+ if (rc == 0) {
+- rc = rpmcliTransaction(ts, ia);
++ rc = rpmcliTransaction(ts, ia, rpmtsNElements(ts));
+ }
+
+ rpmtsEmpty(ts);
+diff --git a/tests/data/SPECS/deptest.spec b/tests/data/SPECS/deptest.spec
+index 164571a40..5a1ecdc55 100644
+--- a/tests/data/SPECS/deptest.spec
++++ b/tests/data/SPECS/deptest.spec
+@@ -1,5 +1,7 @@
++%{?!ver:%define ver 1.0}
++
+ Name: deptest-%{pkg}
+-Version: 1.0
++Version: %{ver}
+ Release: 1
+ Summary: Testing dependency behavior
+
+diff --git a/tests/rpmdeps.at b/tests/rpmdeps.at
+index f839a5fad..fac541325 100644
+--- a/tests/rpmdeps.at
++++ b/tests/rpmdeps.at
+@@ -17,6 +17,11 @@ runroot rpmbuild --quiet -bb \
+ --define "reqs deptest-one" \
+ /data/SPECS/deptest.spec
+
++runroot rpmbuild --quiet -bb \
++ --define "pkg two" \
++ --define "ver 2.0" \
++ --define "reqs deptest-one deptest-not" \
++ /data/SPECS/deptest.spec
+ # missing dependency
+ RPMTEST_CHECK([
+ RPMDB_INIT
+@@ -38,6 +43,15 @@ runroot rpm -U /build/RPMS/noarch/deptest-one-1.0-1.noarch.rpm /build/RPMS/noarc
+ [0],
+ [],
+ [])
++
++RPMTEST_CHECK([
++runroot rpm -U /build/RPMS/noarch/deptest-two-2.0-1.noarch.rpm
++],
++[1],
++[],
++[error: Failed dependencies:
++ deptest-not is needed by deptest-two-2.0-1.noarch
++])
+ RPMTEST_CLEANUP
+
+ # ------------------------------
+--
+2.49.0
+
diff --git a/rpm.spec b/rpm.spec
index 92ac9ad..694a438 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -27,7 +27,7 @@ %global rpmver 4.19.1.1 #global snapver rc1 -%global baserelease 12 +%global baserelease 13 %global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}}
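Review bot: `rpmcliTransaction()` now takes `numPackages` from three callers that each compute it differently (`eiu->numPkgs` in the install path, `numPackages` in rpmErase(), `rpmtsNElements(ts)` in rpmRestore()), but the function has no comment saying what the count means or how it feeds the return value. Since the commit message explains that transaction elements count an update twice and that this skewed the exit code, a header comment along the lines of `/* numPackages: packages requested by the caller, not transaction elements (an update is two elements) */` would keep a later cleanup from undoing the fix. How `numPackages` is used lies in the function body outside the hunk.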
@@ -153,6 +153,12 @@ rpm-4.18.90-weak-user-group.patch 0002-Fix-regression-on-build-id-generation-from-compresse.patch 0003-Fix-root-relocation-regression.patch +0001-Make-_passwd_path-and-_group_path-lists.patch +0002-Fix-memory-leak-in-rpmspec-shell.patch +0003-Fix-memory-leak-in-runGPG.patch +0004-Talk-about-rpmsign-in-the-rpmsign-man-page.patch +0005-Revert-Drop-redundant-argument-from-rpmcliTransactio.patch + # These are not yet upstream rpm-4.7.1-geode-i686.patch @@ -635,6 +641,13 @@ fi %doc %{_defaultdocdir}/rpm/API/ %changelog +* Tue Apr 22 2025 Michal Domonkos - 4.19.1.1-13 +- Make %%_passwd_path and %%_group_path into lists (RHEL-78693) +- Fix memory leak in rpmspec --shell (RHEL-55284) +- Fix memory leak in rpmsign (RHEL-82284) +- Fix command references in rpmsign(8) man page (RHEL-73173) +- Fix exit code regression on update failure (RHEL-87384) + * Fri Feb 07 2025 Michal Domonkos - 4.19.1.1-12 - Rebuild for ima-evm-utils 1.6 soname bump (RHEL-65378) From b54afd1d94972e7d0a6ed2139a90a1b08bf1bda4 Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Wed, 23 Apr 2025 16:41:18 +0200 Subject: [PATCH 2/2] Fix libarchive bcond Resolves: RHEL-75147 --- rpm.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rpm.spec b/rpm.spec index 694a438..f40e80c 100644 --- a/rpm.spec +++ b/rpm.spec @@ -490,7 +490,9 @@ fi %attr(0644, root, root) %ghost /usr/lib/sysimage/rpm/.*.lock %{_bindir}/rpm +%if %{with libarchive} %{_bindir}/rpm2archive +%endif %{_bindir}/rpm2cpio %{_bindir}/rpmdb %{_bindir}/rpmkeys @@ -501,7 +503,9 @@ fi %{_mandir}/man8/rpm.8* %{_mandir}/man8/rpmdb.8* %{_mandir}/man8/rpmkeys.8* +%if %{with libarchive} %{_mandir}/man8/rpm2archive.8* +%endif %{_mandir}/man8/rpm2cpio.8* %{_mandir}/man8/rpm-misc.8* %{_mandir}/man8/rpmsort.8*