import rpm-4.14.3-4.el8

CentOS Sources 2020-11-03 06:50:53 -05:00 committed by Andrew Lukoshko
parent 3e041157de
commit d61db9f381
37 changed files with 247 additions and 1377 deletions

2
.gitignore vendored
@ -1 +1 @@
SOURCES/rpm-4.14.2.tar.bz2
SOURCES/rpm-4.14.3.tar.bz2

@ -1 +1 @@
1ca664af796ab8d05ea3fccabe2b2e4767a97c74 SOURCES/rpm-4.14.2.tar.bz2
3f8c3ef08f93eaeef12008055a43f6872306f8a2 SOURCES/rpm-4.14.3.tar.bz2

@ -77,7 +77,7 @@ Adjusted for rpm-4.14.2 in RHEL
eu-strip --remove-comment $r $g ${keep_remove_args} -f "$1" "$2" || exit
chmod 444 "$1" || exit
}
@@ -409,8 +426,12 @@
@@ -430,8 +430,12 @@
# libraries. Other executable ELF files (like kernel modules) don't need it.
if [ "$include_minidebug" = "true" -a "$strip_g" = "false" ]; then
skip_mini=true
@ -89,5 +89,5 @@ Adjusted for rpm-4.14.2 in RHEL
case "$(file -bi "$f")" in
- application/x-sharedlib*) skip_mini=false ;;
application/x-executable*) skip_mini=false ;;
application/x-pie-executable*) skip_mini=false ;;
esac
$skip_mini || add_minidebug "${debugfn}" "$f"

@ -1,35 +0,0 @@
From cc1965ce3acaa7d9356b7671050a15e2cda2f424 Mon Sep 17 00:00:00 2001
Message-Id: <cc1965ce3acaa7d9356b7671050a15e2cda2f424.1571917336.git.pmatilai@redhat.com>
From: nickclifton <31441682+nickclifton@users.noreply.github.com>
Date: Wed, 19 Jun 2019 12:45:09 +0100
Subject: [PATCH] Add step to find-debuginfo.sh script to compress annobin
notes.
With the introduction of the annobin gcc plugin to the build process,
built binary files have become larger. Sometimes significantly so.
This is a patch that adds a new step to the post-link process performed
by rpmbuild, to run the objcopy program with the --merge-notes option
specified. This will reduce the size of the annobin notes in binary
files, thus alleviating the size growth.
---
scripts/find-debuginfo.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index d75da1108..2e9d76531 100755
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -405,6 +405,10 @@ do_file()
fi
fi
+ # Compress any annobin notes in the original binary.
+ # Ignore any errors, since older objcopy don't support --merge-notes.
+ objcopy --merge-notes "$f" 2>/dev/null || true
+
# A binary already copied into /usr/lib/debug doesn't get stripped,
# just has its file names collected and adjusted.
case "$dn" in
--
2.21.0

@ -1,57 +0,0 @@
From e8fce62467a421132f4ebb6ca9c0926b623ec00e Mon Sep 17 00:00:00 2001
Message-Id: <e8fce62467a421132f4ebb6ca9c0926b623ec00e.1574338687.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 27 Nov 2018 13:40:21 +0200
Subject: [PATCH 1/2] Consolidate allowed version/release/evr allowed
characters to macros
Maintaining multiple variants of the same thing, that always worked
soooooo well... No functional changes here. Unless I truly messed up.
---
build/parsePreamble.c | 2 +-
build/parseReqs.c | 2 +-
build/rpmbuild_internal.h | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/build/parsePreamble.c b/build/parsePreamble.c
index 2d54abeee..f5e06bac8 100644
--- a/build/parsePreamble.c
+++ b/build/parsePreamble.c
@@ -772,7 +772,7 @@ static rpmRC handlePreambleTag(rpmSpec spec, Package pkg, rpmTagVal tag,
case RPMTAG_VERSION:
case RPMTAG_RELEASE:
SINGLE_TOKEN_ONLY;
- if (rpmCharCheck(spec, field, "._+%{}~"))
+ if (rpmCharCheck(spec, field, WHITELIST_VERREL))
goto exit;
headerPutString(pkg->header, tag, field);
break;
diff --git a/build/parseReqs.c b/build/parseReqs.c
index 2201eebf1..9b081a5ff 100644
--- a/build/parseReqs.c
+++ b/build/parseReqs.c
@@ -57,7 +57,7 @@ static rpmRC checkDep(rpmSpec spec, char *N, char *EVR, char **emsg)
rasprintf(emsg, _("Versioned file name not permitted"));
return RPMRC_FAIL;
}
- if (rpmCharCheck(spec, EVR, ".-_+:%{}~"))
+ if (rpmCharCheck(spec, EVR, WHITELIST_EVR))
return RPMRC_FAIL;
if (checkSep(EVR, '-', emsg) != RPMRC_OK ||
checkSep(EVR, ':', emsg) != RPMRC_OK ||
diff --git a/build/rpmbuild_internal.h b/build/rpmbuild_internal.h
index 86cc549a7..f758e6620 100644
--- a/build/rpmbuild_internal.h
+++ b/build/rpmbuild_internal.h
@@ -18,6 +18,8 @@
#undef HTDATATYPE
#define WHITELIST_NAME ".-_+%{}"
+#define WHITELIST_VERREL "._+%{}~"
+#define WHITELIST_EVR WHITELIST_VERREL "-:"
struct TriggerFileEntry {
int index;
--
2.23.0

@ -1,38 +0,0 @@
From ce11f04ed529cd84de8981b82c1185c0a30dfdcf Mon Sep 17 00:00:00 2001
From: Pavlina Moravcova Varekova <pmoravco@redhat.com>
Date: Thu, 14 Mar 2019 13:23:13 +0100
Subject: [PATCH] Correct rpm -ql exit value when optional -p is omitted
(RhBug:1680610)
---
lib/query.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/query.c b/lib/query.c
index e47189ed0..e5408e211 100644
--- a/lib/query.c
+++ b/lib/query.c
@@ -568,16 +568,18 @@ int rpmcliArgIter(rpmts ts, QVA_t qva, ARGV_const_t argv)
break;
default:
for (ARGV_const_t arg = argv; arg && *arg; arg++) {
+ int ecLocal;
rpmdbMatchIterator mi = initQueryIterator(qva, ts, *arg);
- ec += rpmcliShowMatches(qva, ts, mi);
+ ecLocal = rpmcliShowMatches(qva, ts, mi);
if (mi == NULL && qva->qva_source == RPMQV_PACKAGE) {
size_t l = strlen(*arg);
if (l > 4 && !strcmp(*arg + l - 4, ".rpm")) {
rpmgi gi = rpmgiNew(ts, giFlags, argv);
- ec += rpmgiShowMatches(qva, ts, gi);
+ ecLocal = rpmgiShowMatches(qva, ts, gi);
rpmgiFree(gi);
}
}
+ ec += ecLocal;
rpmdbFreeIterator(mi);
}
break;
--
2.17.2

@ -1,69 +0,0 @@
From 68d383c39cef8d58b80940b13dd132d3f41a03f0 Mon Sep 17 00:00:00 2001
Message-Id: <68d383c39cef8d58b80940b13dd132d3f41a03f0.1571917458.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 2 Apr 2019 15:22:07 +0300
Subject: [PATCH 1/2] Detect kernel modules by .modinfo section presence for
build-id generation
File extension based heuristics only work so far at best, and break
completely on compressed files with arbitrary .gz/.xz etc extension.
This isn't supposed to change any behavior as such, only provide more
reliable detection of kernel modules.
---
build/files.c | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/build/files.c b/build/files.c
index dbad9a7f3..3822be3d3 100644
--- a/build/files.c
+++ b/build/files.c
@@ -1739,6 +1739,28 @@ static int addNewIDSymlink(ARGV_t *files,
return rc;
}
+static int haveModinfo(Elf *elf)
+{
+ Elf_Scn * scn = NULL;
+ size_t shstrndx;
+ int have_modinfo = 0;
+ const char *sname;
+
+ if (elf_getshdrstrndx(elf, &shstrndx) == 0) {
+ while ((scn = elf_nextscn(elf, scn)) != NULL) {
+ GElf_Shdr shdr_mem, *shdr = gelf_getshdr(scn, &shdr_mem);
+ if (shdr == NULL)
+ continue;
+ sname = elf_strptr(elf, shstrndx, shdr->sh_name);
+ if (sname && rstreq(sname, ".modinfo")) {
+ have_modinfo = 1;
+ break;
+ }
+ }
+ }
+ return have_modinfo;
+}
+
static int generateBuildIDs(FileList fl, ARGV_t *files)
{
int rc = 0;
@@ -1803,15 +1825,14 @@ static int generateBuildIDs(FileList fl, ARGV_t *files)
int fd = open (flp->diskPath, O_RDONLY);
if (fd >= 0) {
/* Only real ELF files, that are ET_EXEC, ET_DYN or
- kernel modules (ET_REL files with names ending in .ko)
+ kernel modules (ET_REL files with .modinfo section)
should have build-ids. */
GElf_Ehdr ehdr;
Elf *elf = elf_begin (fd, ELF_C_READ, NULL);
if (elf != NULL && elf_kind(elf) == ELF_K_ELF
&& gelf_getehdr(elf, &ehdr) != NULL
&& (ehdr.e_type == ET_EXEC || ehdr.e_type == ET_DYN
- || (ehdr.e_type == ET_REL
- && rpmFileHasSuffix (flp->diskPath, ".ko")))) {
+ || (ehdr.e_type == ET_REL && haveModinfo(elf)))) {
const void *build_id;
ssize_t len = dwelf_elf_gnu_build_id (elf, &build_id);
/* len == -1 means error. Zero means no
--
2.21.0

@ -1,26 +0,0 @@
From 788935c9ea9d2f469f24be10a9fa998594046731 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 7 Sep 2018 11:52:33 +0300
Subject: [PATCH] Fix a blindingly obvious memleak in package verify step
Erm. Introduced in commit 765e2c72ae8be369ada41d4747b8999519a0e327,
but how on earth did this go unnoticed... *blush*
---
lib/transaction.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/transaction.c b/lib/transaction.c
index 205c3f388..3969ad3fc 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1261,6 +1261,7 @@ static int verifyPackageFiles(rpmts ts, rpm_loff_t total)
rpmteAddProblem(p, RPMPROB_VERIFY, NULL, vd.msg, 0);
vd.msg = _free(vd.msg);
+ rpmvsFree(vs);
}
rpmtsNotify(ts, NULL, RPMCALLBACK_VERIFY_STOP, total, total);
--
2.21.0

@ -1,46 +0,0 @@
From 531dc8495cd3aabd3f659ecab604106fdbacbe98 Mon Sep 17 00:00:00 2001
Message-Id: <531dc8495cd3aabd3f659ecab604106fdbacbe98.1554974459.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 3 Oct 2018 11:51:38 +0300
Subject: [PATCH] Fix ancient python GIL locking bug on callback
(RhBug:1632488)
Introduced in commit c7881d801745b4c156a8aa2afc17b95f97481e34 back in 2002,
synthesizing a python object for the callback occurs before retaking
the GIL lock, which is not allowed. Somehow this has managed to stay
latent all these years, and even now requires fairly specific conditions:
when the callback gets called without an associated key, such as erasures
or file trigger script start/stop events (in the case of RhBug:1632488),
when Python 3 is running in PYTHONMALLOC=debug mode,
it crashes with "Python memory allocator called without holding the GIL".
Simply retake the lock before any Python operations take place to fix.
---
python/rpmts-py.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/rpmts-py.c b/python/rpmts-py.c
index e4c5e1250..1ddfc9a1e 100644
--- a/python/rpmts-py.c
+++ b/python/rpmts-py.c
@@ -495,6 +495,8 @@ rpmtsCallback(const void * hd, const rpmCallbackType what,
if (cbInfo->cb == Py_None) return NULL;
+ PyEval_RestoreThread(cbInfo->_save);
+
/* Synthesize a python object for callback (if necessary). */
if (pkgObj == NULL) {
if (h) {
@@ -506,8 +508,6 @@ rpmtsCallback(const void * hd, const rpmCallbackType what,
} else
Py_INCREF(pkgObj);
- PyEval_RestoreThread(cbInfo->_save);
-
args = Py_BuildValue("(iLLOO)", what, amount, total, pkgObj, cbInfo->data);
result = PyEval_CallObject(cbInfo->cb, args);
Py_DECREF(args);
--
2.20.1

@ -1,30 +0,0 @@
From 5188a7b35eb3672c9b15e96433e033ee36f8e6a8 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 6 Aug 2019 13:06:16 +0300
Subject: [PATCH] Fix memleak during transaction verify step in the NOKEY case.
Found during RhBug:1714657 QA testing.
In addition, add a comment to clarify the fallthrough as intentional.
---
lib/transaction.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/transaction.c b/lib/transaction.c
index 6e4d4be65..e51cff25a 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1226,8 +1226,10 @@ static int vfyCb(struct rpmsinfo_s *sinfo, void *cbdata)
*/
if (!(vd->vfylevel & RPMSIG_SIGNATURE_TYPE))
sinfo->rc = RPMRC_OK;
+ /* fallthrough */
default:
- vd->msg = rpmsinfoMsg(sinfo);
+ if (sinfo->rc)
+ vd->msg = rpmsinfoMsg(sinfo);
break;
}
return (sinfo->rc == 0);
--
2.21.0

@ -1,52 +0,0 @@
From 0d83637769b8a122b1e80f2e960ea1bbae8b4f10 Mon Sep 17 00:00:00 2001
Message-Id: <0d83637769b8a122b1e80f2e960ea1bbae8b4f10.1540199566.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 22 Oct 2018 10:52:39 +0300
Subject: [PATCH] Fix nasty --setperms/--setugids regression in 4.14.2 (RhBug:
1640470)
Commit 38c2f6e160d5ed3e9c3a266139c7eb2632724c15 causes --setperms and
--setugids follow symlinks instead of skipping them.
In case of --setperms, all encountered symlinks will have their
target file/directory permissions set to the 0777 of the link itself
(so world writable etc but suid/sgid stripped), temporarily or permanently,
depending on whether the symlink occurs before or after it's target in the
package file list. When the link occurs before its target, there's a short
window where the target is world writable before having it's permissions
reset to original, making it particularly bad for suid/sgid binaries.
--setugids is similarly affected with link targets owner/group changing
to that of the symlink.
Add missing parentheses to the conditions introduced in commit
38c2f6e160d5ed3e9c3a266139c7eb2632724c15 to fix.
Reported by Karel Srot, patch by Pavlina Moravcova Varekova.
---
rpmpopt.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rpmpopt.in b/rpmpopt.in
index 8aaa91f11..42d3416a3 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -44,14 +44,14 @@ rpm alias --scripts --qf '\
--POPTdesc=$"list install/erase scriptlets from package(s)"
rpm alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \
- \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] || \
+ ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \
chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
--pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \
--POPTdesc=$"set permissions of files in a package"
rpm alias --setugids -q --qf \
'[ch %{FILEUSERNAME:shescape} %{FILEGROUPNAME:shescape} %{FILENAMES:shescape} %{FILEFLAGS}\n]' \
- --pipe "(echo 'ch() { \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] || \
+ --pipe "(echo 'ch() { ( \[ $(($4 & 2#1001000)) != 0 \] && \[ ! -e \"$3\" \] ) || \
(chown -h -- \"$1\" \"$3\";chgrp -h -- \"$2\" \"$3\";) }'; \
grep '^ch '|grep -v \(none\))|sh" \
--POPTdesc=$"set user/group ownership of files in a package"
--
2.17.2

@ -1,37 +0,0 @@
From e219c9548d16a3c18dd261f7043bb8d221b87c77 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 31 Jul 2019 11:56:26 +0300
Subject: [PATCH] Fix off-by-one in hdrblobGet() making last entry unreachable
(RhBug:1722921)
hdrblobGet() introduced in commits acfde0d0e812e9f8e153ab6be8c9f2682bdd4763
and 9821de18811db97238c34a564221e315f5f35b44 has an off-by-one thinko
(perhaps the idea was to skip the first, region tag) which causes
the last entry to be unreachable. In typical packages, that is
RPMSIG_PAYLOADSIZE which is not used at all in this context so it doesn't
matter, but in large packages use RPMSIG_LONGARCHIVESIZE which has a lower
tag number and leaves either RPMSIGTAG_MD5 or RPMSIGTAG_GPG last,
unreachable and thus unverifiable. Oops.
This fixes the regression introduced in rpm 4.14, affecting verification
of large packages (ie having RPMSIG_LONGARCHIVESIZE)
---
lib/header.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/header.c b/lib/header.c
index 33623884a..9ec7ed0e4 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -2015,7 +2015,7 @@ rpmRC hdrblobGet(hdrblob blob, uint32_t tag, rpmtd td)
memset(&einfo, 0, sizeof(einfo));
rpmtdReset(td);
- for (int i = 1; i < blob->il; i++, pe++) {
+ for (int i = 0; i < blob->il; i++, pe++) {
if (pe->tag != ntag)
continue;
ei2h(pe, &einfo);
--
2.21.0

@ -1,39 +0,0 @@
From a144c29831a39ed303d6ea8d2ae91e1c36d64c84 Mon Sep 17 00:00:00 2001
Message-Id: <a144c29831a39ed303d6ea8d2ae91e1c36d64c84.1559799452.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 15 May 2019 13:51:19 +0300
Subject: [PATCH] Fix packages getting erased on failed update with dnf
(RhBug:1620275)
When adding update elements, we set the erase element to depend on the
install element, but if an API user adds the same erasure manually
after adding the update, we know its a duplicate erasure and filter
it out, BUT we zero out the dependent element in the process. And
if installing the update now fails, we end up removing the whole package
due to that missing dependent element.
This never happens with rpm itself so we can't easily test it, but is
100% reproducable with dnf (at least dnf 3-4). Apparently it adds all
erasures by itself (which is kind of understandable I guess, perhaps
we should better allow this in the API)
---
lib/depends.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/depends.c b/lib/depends.c
index 6e9866eae..f8a6084ab 100644
--- a/lib/depends.c
+++ b/lib/depends.c
@@ -121,7 +121,8 @@ static int removePackage(rpmts ts, Header h, rpmte depends)
/* Filter out duplicate erasures. */
if (packageHashGetEntry(tsmem->removedPackages, dboffset, &pp, NULL, NULL)) {
- rpmteSetDependsOn(pp[0], depends);
+ if (depends)
+ rpmteSetDependsOn(pp[0], depends);
return 0;
}
--
2.21.0

@ -1,25 +0,0 @@
From 475af64f64cbc210c87588d425fa9a14cd9760b6 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 29 May 2019 11:38:53 +0300
Subject: [PATCH] Fix rpmfiles memory leak on %postuntrans file trigger
preparation
---
lib/rpmtriggers.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/rpmtriggers.c b/lib/rpmtriggers.c
index cb2441c5a..b7c76e7fc 100644
--- a/lib/rpmtriggers.c
+++ b/lib/rpmtriggers.c
@@ -154,6 +154,7 @@ void rpmtriggersPrepPostUnTransFileTrigs(rpmts ts, rpmte te)
}
}
rpmdbFreeIterator(mi);
+ rpmfilesFree(files);
}
int runPostUnTransFileTrigs(rpmts ts)
--
2.21.0

@ -1,60 +0,0 @@
From 050b392f8c11d111379e0d2bac52762beb97b3ae Mon Sep 17 00:00:00 2001
Message-Id: <050b392f8c11d111379e0d2bac52762beb97b3ae.1559645935.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 2 Apr 2019 12:57:11 +0300
Subject: [PATCH] Fix segfault on fingerprinting symlink round (RhBug:1660232)
Both yum and dnf perform a test-transaction before the real thing,
and both neglet to check for an error code from the test-transaction
when there are no problem objects to return. Which can happen in
some special cases, such a using different vsflags between initial
package read and transaction (which is what both yum and dnf do),
which can cause the in-transaction package open fail on corrupt packages.
And when this failed transaction is fed back to rpmtsRun(), it
segfaults in fingerprinting as the second loop of symlink checking
doesn't check for NULL's element files like the first loop does.
Add the missing NULL check and remove bogus "can't happen" comment to fix.
FWIW, the scenario with different vsflags and corrupted packages doesn't
happen by default in rpm >= 4.14.2, the corrupt package gets caught
in the verify stage which does create problem objects and thus both
yum and dnf abort as they should.
---
lib/fprint.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/fprint.c b/lib/fprint.c
index b810e4d2b..ab1891961 100644
--- a/lib/fprint.c
+++ b/lib/fprint.c
@@ -488,7 +488,7 @@ void fpCachePopulate(fingerPrintCache fpc, rpmts ts, int fileCount)
(void) rpmsqPoll();
if ((fi = rpmteFiles(p)) == NULL)
- continue; /* XXX can't happen */
+ continue;
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_FINGERPRINT), 0);
rpmfilesFpLookup(fi, fpc);
@@ -522,6 +522,9 @@ void fpCachePopulate(fingerPrintCache fpc, rpmts ts, int fileCount)
while ((p = rpmtsiNext(pi, 0)) != NULL) {
(void) rpmsqPoll();
+ if ((fi = rpmteFiles(p)) == NULL)
+ continue;
+
fs = rpmteGetFileStates(p);
fc = rpmfsFC(fs);
(void) rpmswEnter(rpmtsOp(ts, RPMTS_OP_FINGERPRINT), 0);
@@ -531,6 +534,7 @@ void fpCachePopulate(fingerPrintCache fpc, rpmts ts, int fileCount)
fpLookupSubdir(symlinks, fpc, p, i);
}
(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_FINGERPRINT), 0);
+ rpmfilesFree(fi);
}
rpmtsiFree(pi);
--
2.21.0

@ -1,28 +0,0 @@
From 66e0c929b203d684a4f58135f42435fcc29cdd51 Mon Sep 17 00:00:00 2001
Message-Id: <66e0c929b203d684a4f58135f42435fcc29cdd51.1554982695.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Wed, 10 Oct 2018 12:00:19 +0300
Subject: [PATCH] Fix testing for wrong variable in selinux plugin debug log
The strerror() case couldn't be reached as we were testing for the
wrong rc, spotted by covscan.
---
plugins/selinux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/selinux.c b/plugins/selinux.c
index 3c9d9e4ab..accd47416 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -169,7 +169,7 @@ static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
if (rpmIsDebug()) {
rpmlog(RPMLOG_DEBUG, "lsetfilecon: (%s, %s) %s\n",
- path, scon, (rc < 0 ? strerror(errno) : ""));
+ path, scon, (conrc < 0 ? strerror(errno) : ""));
}
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
--
2.20.1

@ -1,47 +0,0 @@
From 74766d30b95f1575df8a42d185f2643caa235a8b Mon Sep 17 00:00:00 2001
Message-Id: <74766d30b95f1575df8a42d185f2643caa235a8b.1543835412.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 23 Nov 2018 12:47:27 +0200
Subject: [PATCH] Handle unsupported digests the same as disabled ones
(RhBug:1652529)
A digest type unsupported by the underlying crypto library (whether
technically or by configuration) does not mean the digest is invalid,
it just cannot be used. Which for the purposes of verification is the
same as if that digest didn't exist at all, and that's exactly how we
handle digests and signatures disabled by configuration.
One particular case is FIPS mode which globally disables the use of MD5,
which we mishandled prior to this by showing it as OK in verification
despite actually not verifying it at all.
The exact place for handling this case is a bit subtle: the "obvious"
place for checking for supported type is in rpmvsInitRange() but this
doesn't work because of rpmDigestBundleAddID() return code semantics.
The other "obvious" place would be rpmvsVerify(), but by that point
we have even more funny cases to consider. So for now, it's actually
easiest to check for this in rpmvsFiniRange() even if it's not the
most obvious place for doing so. Might want to change the
rpmDigestBundleAddID() semantics later, but this makes for a nicer
backport (we'll need this in 4.14.x too).
---
lib/rpmvs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/rpmvs.c b/lib/rpmvs.c
index 7b5b86f8e..622e48011 100644
--- a/lib/rpmvs.c
+++ b/lib/rpmvs.c
@@ -388,6 +388,9 @@ void rpmvsFiniRange(struct rpmvs_s *sis, int range)
if (sinfo->range == range && sinfo->rc == RPMRC_OK) {
sinfo->ctx = rpmDigestBundleDupCtx(sis->bundle, sinfo->id);
+ /* Handle unsupported digests the same as disabled ones */
+ if (sinfo->ctx == NULL)
+ sinfo->rc = RPMRC_NOTFOUND;
rpmDigestBundleFinal(sis->bundle, sinfo->id, NULL, NULL, 0);
}
}
--
2.19.2

@ -28,31 +28,26 @@ index eaf817cc2..21ca216a8 100644
EXTRA_DIST += atlocal.in
diff --git a/tests/atlocal.in b/tests/atlocal.in
index d7d837f45..3b1474b56 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -3,7 +3,8 @@ export LD_LIBRARY_PATH
--- rpm-4.14.3/tests/atlocal.in.orig 2020-04-28 14:19:26.866602968 +0200
+++ rpm-4.14.3/tests/atlocal.in 2020-04-28 14:21:07.977910054 +0200
@@ -3,7 +3,8 @@
PATH="${abs_builddir}/testing@rpmbindir@:${abs_builddir}/testing@usrbindir@:$PATH"
export PATH
-PYLIBDIR=`python -c "from distutils.sysconfig import get_python_lib; import sys; sys.stdout.write(get_python_lib(1,0,'@execprefix@'))"`
-PYLIBDIR=`python2 -c "from distutils.sysconfig import get_python_lib; import sys; sys.stdout.write(get_python_lib(1,0,'@execprefix@'))"`
+PYTHON=@PYTHON@
+PYLIBDIR=$(${PYTHON} -c "from distutils.sysconfig import get_python_lib; import sys; sys.stdout.write(get_python_lib(1,0,'@execprefix@'))")
PYTHONPATH="${abs_builddir}/testing${PYLIBDIR}"
export PYTHONPATH
diff --git a/tests/local.at b/tests/local.at
index 48c5d3f96..4952b9d61 100644
--- a/tests/local.at
+++ b/tests/local.at
@@ -17,7 +17,7 @@ def myprint(msg = ''):
--- rpm-4.14.3/tests/local.at.orig 2020-04-28 14:28:33.106664317 +0200
+++ rpm-4.14.3/tests/local.at 2020-04-28 14:29:02.064038653 +0200
@@ -18,7 +18,7 @@
sys.stdout.write('%s\n' % msg)
$1
EOF
-python test.py
+${PYTHON} test.py
-python2 test.py
+${PYTHON} test.py test.py
]])
m4_define([RPMPY_CHECK],[
--
2.21.0
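Review bot: In the tests/local.at part of this refreshed patch, the replacement for `python2 test.py` is printed as `${PYTHON} test.py test.py`, so the script would be handed its own path as an argument; another copy of the same line on this page reads `${PYTHON} test.py`. Unless the doubled name is an artifact of how this page renders the change, it looks like a slip made while rebasing the patch onto rpm-4.14.3, and the line should read `${PYTHON} test.py`. The macro body this line belongs to starts outside the visible hunk, so whether the generated test.py ignores extra arguments cannot be confirmed from here.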

@ -1,86 +0,0 @@
From 8cbe8baf9c3ff4754369bcd29441df14ecc6889d Mon Sep 17 00:00:00 2001
Message-Id: <8cbe8baf9c3ff4754369bcd29441df14ecc6889d.1554982512.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 14 Feb 2019 13:12:49 +0200
Subject: [PATCH] Log RPMLOG_ERR level messages on actual errors in selinux
plugin, doh.
When there's an actual error, people will want to know without having
to rerun in verbose mode. Such as in RhBug:1641631 where configured
selinux policy differs from what is installed - the former message
error: Plugin selinux: hook tsm_pre failed
...is not particularly helpful to anybody, whereas this actually provides
some clues now:
error: selabel_open: (/etc/selinux/ponies/contexts/files/file_contexts) No such file or directory
error: Plugin selinux: hook tsm_pre failed
---
plugins/selinux.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/plugins/selinux.c b/plugins/selinux.c
index accd47416..f1caf257c 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -12,6 +12,11 @@
static struct selabel_handle * sehandle = NULL;
+static inline rpmlogLvl loglvl(int iserror)
+{
+ return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
+}
+
static void sehandle_fini(int close_status)
{
if (sehandle) {
@@ -47,7 +52,7 @@ static rpmRC sehandle_init(int open_status)
sehandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
- rpmlog(RPMLOG_DEBUG, "selabel_open: (%s) %s\n",
+ rpmlog(loglvl(sehandle == NULL), "selabel_open: (%s) %s\n",
path, (sehandle == NULL ? strerror(errno) : ""));
return (sehandle != NULL) ? RPMRC_OK : RPMRC_FAIL;
@@ -125,10 +130,8 @@ static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
if ((xx = setexeccon(newcon)) == 0)
rc = RPMRC_OK;
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "setexeccon: (%s, %s) %s\n",
+ rpmlog(loglvl(xx < 0), "setexeccon: (%s, %s) %s\n",
path, newcon, (xx < 0 ? strerror(errno) : ""));
- }
exit:
context_free(con);
@@ -143,10 +146,8 @@ exit:
if ((xx = setexecfilecon(path, "rpm_script_t") == 0))
rc = RPMRC_OK;
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "setexecfilecon: (%s) %s\n",
+ rpmlog(loglvl(xx < 0), "setexecfilecon: (%s) %s\n",
path, (xx < 0 ? strerror(errno) : ""));
- }
#endif
/* If selinux is not enforcing, we don't care either */
if (rc && security_getenforce() < 1)
@@ -167,10 +168,8 @@ static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
int conrc = lsetfilecon(path, scon);
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "lsetfilecon: (%s, %s) %s\n",
+ rpmlog(loglvl(conrc < 0), "lsetfilecon: (%s, %s) %s\n",
path, scon, (conrc < 0 ? strerror(errno) : ""));
- }
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
rc = RPMRC_OK;
--
2.20.1

@ -1,49 +0,0 @@
From 2ec0832287bd1443ebf336f8a98293f30bfa2036 Mon Sep 17 00:00:00 2001
Message-Id: <2ec0832287bd1443ebf336f8a98293f30bfa2036.1554983205.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 18 Mar 2019 15:24:54 +0200
Subject: [PATCH 1/3] Make rpmsign exit values more consistent with our other
tools
rpmPkgSign*() return -1 for failure, which is not that helpful when
returned to shell and the way it was counted could easily wrap around
when signing multiple packages. Return number of failures similarly to
how rpm -q and frieds does, avoid overflows and xargs special value 255.
---
rpmsign.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rpmsign.c b/rpmsign.c
index ae86f666d..1a5cd59c2 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -134,7 +134,8 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
const char *arg;
rc = 0;
while ((arg = poptGetArg(optCon)) != NULL) {
- rc += rpmPkgSign(arg, sargs);
+ if (rpmPkgSign(arg, sargs) < 0)
+ rc++;
}
exit:
@@ -175,7 +176,8 @@ int main(int argc, char *argv[])
case MODE_DELSIGN:
ec = 0;
while ((arg = poptGetArg(optCon)) != NULL) {
- ec += rpmPkgDelSign(arg, &sargs);
+ if (rpmPkgDelSign(arg, &sargs) < 0)
+ ec++;
}
break;
case MODE_NONE:
@@ -188,5 +190,5 @@ int main(int argc, char *argv[])
exit:
rpmcliFini(optCon);
- return ec;
+ return RETVAL(ec);
}
--
2.20.1

@ -61,20 +61,16 @@ index 622e48011..0d475af86 100644
static int sinfoCmp(const void *a, const void *b)
{
const struct rpmsinfo_s *sa = a;
diff --git a/lib/rpmvs.h b/lib/rpmvs.h
index b27d9a612..a836d5c94 100644
--- a/lib/rpmvs.h
+++ b/lib/rpmvs.h
@@ -75,6 +75,9 @@ void rpmvsInitRange(struct rpmvs_s *sis, int range);
RPM_GNUC_INTERNAL
--- rpm-4.14.3/lib/rpmvs.h.orig 2020-04-28 10:57:19.727347211 +0200
+++ rpm-4.14.3/lib/rpmvs.h 2020-04-28 10:57:43.622612015 +0200
@@ -66,6 +66,8 @@
void rpmvsFiniRange(struct rpmvs_s *sis, int range);
+RPM_GNUC_INTERNAL
+int rpmvsRange(struct rpmvs_s *vs);
+int rpmvsRange(struct rpmvs_s *vs);
+
RPM_GNUC_INTERNAL
int rpmvsVerify(struct rpmvs_s *sis, int type,
rpmsinfoCb cb, void *cbdata);
--
2.20.1

@ -1,49 +0,0 @@
From b4178c979fff344a1c5142a305f274dd9aff8f45 Mon Sep 17 00:00:00 2001
From: Markus Linnala <markus.linnala@gmail.com>
Date: Sun, 28 Oct 2018 14:59:52 +0200
Subject: [PATCH] Remove capabilities instead of setting empty caps via.
--setcaps
If a file in a package does not have any capabilities rpm --setcaps should
remove capabilities of the file. Prior to this patch capabilities of the file
were set as empty.
Empty capabilities mean more than no capabilities. A file with no capabilities
can inherit capabilities, but file with empty capabilities can not.
When ever package does not have any capabilities set %|FILECAPS? is false.
If some files have capabilities, %|FILECAPS? is true but %{FILECAPS} is ''
when the file does not have capabilities and '= <capstring>' when there is some.
Reported and patch created by Markus Linnala
Commit message edited by Pavlina Moravcova Varekova and Florian Festi.
Fixes #585
Fixes #586
---
rpmpopt.in | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/rpmpopt.in b/rpmpopt.in
index 42d3416a3..557050a24 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -57,8 +57,13 @@ rpm alias --setugids -q --qf \
--POPTdesc=$"set user/group ownership of files in a package"
rpm alias --setcaps -q --qf \
- "[\[ -f %{FILENAMES:shescape} -a ! -L %{FILENAMES:shescape} \] \
- && setcap %|FILECAPS?{%{FILECAPS:shescape}}:{''}| %{FILENAMES:shescape}\n]" \
+ "[if \[ -f %{FILENAMES:shescape} -a ! -L %{FILENAMES:shescape} \]; then\n\
+%|FILECAPS?{ if \[ -n %{FILECAPS:shescape} \]; then\n\
+ setcap %{FILECAPS:shescape} %{FILENAMES:shescape}\n\
+ el}:{ }|if \[ -n \"\$(getcap %{FILENAMES:shescape})\" \]; then\n\
+ setcap -r %{FILENAMES:shescape}\n\
+ fi\n\
+fi\n]" \
--pipe "sh" \
--POPTdesc=$"set capabilities of files in a package"
--
2.21.0

@ -1,57 +0,0 @@
From 8dd8e37acc79da1ce0a36c3f86650defa474a6a9 Mon Sep 17 00:00:00 2001
From: Pavlina Moravcova Varekova <pmoravco@redhat.com>
Date: Thu, 14 Mar 2019 13:56:26 +0100
Subject: [PATCH] Show list of files only once when use rpm -ql and multiple
rpm files
---
lib/query.c | 3 ++-
tests/rpmquery.at | 18 ++++++++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/query.c b/lib/query.c
index e5408e211..7568f67aa 100644
--- a/lib/query.c
+++ b/lib/query.c
@@ -574,7 +574,8 @@ int rpmcliArgIter(rpmts ts, QVA_t qva, ARGV_const_t argv)
if (mi == NULL && qva->qva_source == RPMQV_PACKAGE) {
size_t l = strlen(*arg);
if (l > 4 && !strcmp(*arg + l - 4, ".rpm")) {
- rpmgi gi = rpmgiNew(ts, giFlags, argv);
+ char * const argFirst[2] = { arg[0], NULL };
+ rpmgi gi = rpmgiNew(ts, giFlags, argFirst);
ecLocal = rpmgiShowMatches(qva, ts, gi);
rpmgiFree(gi);
}
diff --git a/tests/rpmquery.at b/tests/rpmquery.at
index ab7bb3c46..0dc6d78b6 100644
--- a/tests/rpmquery.at
+++ b/tests/rpmquery.at
@@ -61,6 +61,24 @@ hello.spec
[ignore])
AT_CLEANUP
+# ------------------------------
+AT_SETUP([rpm -ql multiple *.rpm])
+AT_KEYWORDS([query])
+AT_CHECK([
+runroot rpm \
+ -ql \
+ /data/SRPMS/hello-1.0-1.src.rpm /data/RPMS/hello-1.0-1.i386.rpm
+],
+[0],
+[hello-1.0.tar.gz
+hello.spec
+/usr/local/bin/hello
+/usr/share/doc/hello-1.0
+/usr/share/doc/hello-1.0/FAQ
+],
+[ignore])
+AT_CLEANUP
+
# ------------------------------
AT_SETUP([rpmspec -q])
AT_KEYWORDS([query])
--
2.17.2

@ -1,27 +0,0 @@
From 35b09eed946a7e2f2f327531b692c9f768bf9e3b Mon Sep 17 00:00:00 2001
From: Pavlina Moravcova Varekova <pmoravco@redhat.com>
Date: Sun, 7 Apr 2019 07:23:47 +0200
Subject: [PATCH] Sort list of hard linked files in find-debuginfo.sh
(RhBug:1421272)
It helps to make build results reproducible. Based on Mark Wielaard's idea.
---
scripts/find-debuginfo.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index c75d176ac..23286139e 100755
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -350,7 +350,7 @@ trap 'rm -rf "$temp"' EXIT
touch "$temp/primary"
find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*.debug" -type f \
\( -perm -0100 -or -perm -0010 -or -perm -0001 \) \
- -print |
+ -print | LC_ALL=C sort |
file -N -f - | sed -n -e 's/^\(.*\):[ ]*.*ELF.*, not stripped.*/\1/p' |
xargs --no-run-if-empty stat -c '%h %D_%i %n' |
while read nlinks inum f; do
--
2.17.2


@ -1,29 +0,0 @@
From d313baf1d3a4756447e398ee55f8c6760f942d50 Mon Sep 17 00:00:00 2001
From: Pavlina Moravcova Varekova <pmoravco@redhat.com>
Date: Wed, 24 Apr 2019 10:29:14 +0200
Subject: [PATCH] Use --dpbath only with full path (RhBug:1696408)
Before the patch rpm treats the relative path as a full path.
The new behavior is similar to the "--root" option.
---
lib/poptALL.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/poptALL.c b/lib/poptALL.c
index 9983c1e62..69fd49846 100644
--- a/lib/poptALL.c
+++ b/lib/poptALL.c
@@ -147,6 +147,10 @@ static void rpmcliAllArgCallback( poptContext con,
break;
case POPT_DBPATH:
rpmcliConfigured();
+ if (arg && arg[0] != '/') {
+ fprintf(stderr, _("arguments to --dbpath must begin with '/'\n"));
+ exit(EXIT_FAILURE);
+ }
rpmPushMacro(NULL, "_dbpath", NULL, arg, RMIL_CMDLINE);
break;
case POPT_SHOWVERSION:
--
2.21.0


@ -1,30 +0,0 @@
From 655c4c72a3467037abd51aab29f0300e97caf54c Mon Sep 17 00:00:00 2001
Message-Id: <655c4c72a3467037abd51aab29f0300e97caf54c.1571919390.git.pmatilai@redhat.com>
From: Stepan Broz <sbroz@redhat.com>
Date: Thu, 25 Jul 2019 11:00:47 +0200
Subject: [PATCH] rpmpgp: Handle EOF without EOL better at END PGP
---
rpmio/rpmpgp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 061751a4d..46cd0f31a 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -1289,9 +1289,10 @@ static pgpArmor decodePkts(uint8_t *b, uint8_t **pkt, size_t *pktlen)
goto exit;
}
t += (sizeof("-----")-1);
- if (t >= te) continue;
+ /* Handle EOF without EOL here, *t == '\0' at EOF */
+ if (*t && (t >= te)) continue;
/* XXX permitting \r here is not RFC-2440 compliant <shrug> */
- if (!(*t == '\n' || *t == '\r')) continue;
+ if (!(*t == '\n' || *t == '\r' || *t == '\0')) continue;
crcdec = NULL;
crclen = 0;
--
2.21.0


@ -1,28 +0,0 @@
From be3347b5bff6142e86e533174fe0ec352405d159 Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Thu, 18 Jul 2019 07:45:53 +0200
Subject: [PATCH] rpmsign man page: Add line about rpmsign requiring a valid
checksum
and the limitations in FIPS mode
---
doc/rpmsign.8 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/doc/rpmsign.8 b/doc/rpmsign.8
index 80ffb6a32..d895a3b8c 100644
--- a/doc/rpmsign.8
+++ b/doc/rpmsign.8
@@ -21,6 +21,9 @@ options generate and insert new signatures for each package
existing signatures. There are two options for historical reasons,
there is no difference in behavior currently.
+To create a signature rpm needs to verify the package's checksum. As a result
+packages with a MD5/SHA1 checksums cannot be signed in FIPS mode.
+
\fBrpm\fR \fB--delsign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
.PP
--
2.21.0


@ -1,29 +0,0 @@
From 15b296c324794d288750136b3b4f3350c3d0b8c7 Mon Sep 17 00:00:00 2001
Message-Id: <15b296c324794d288750136b3b4f3350c3d0b8c7.1574338687.git.pmatilai@redhat.com>
In-Reply-To: <e8fce62467a421132f4ebb6ca9c0926b623ec00e.1574338687.git.pmatilai@redhat.com>
References: <e8fce62467a421132f4ebb6ca9c0926b623ec00e.1574338687.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 27 Nov 2018 13:50:14 +0200
Subject: [PATCH 2/2] Actually permit caret in version, release and evr strings
Should've been in commit c7e711bba58374f03347c795a567441cbef3de58 really.
---
build/rpmbuild_internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/rpmbuild_internal.h b/build/rpmbuild_internal.h
index f758e6620..948632a16 100644
--- a/build/rpmbuild_internal.h
+++ b/build/rpmbuild_internal.h
@@ -18,7 +18,7 @@
#undef HTDATATYPE
#define WHITELIST_NAME ".-_+%{}"
-#define WHITELIST_VERREL "._+%{}~"
+#define WHITELIST_VERREL "._+%{}~^"
#define WHITELIST_EVR WHITELIST_VERREL "-:"
struct TriggerFileEntry {
--
2.23.0


@ -1,64 +0,0 @@
From 3fd79a5564df97d512be283c5c8a4da2e7ef8bce Mon Sep 17 00:00:00 2001
Message-Id: <3fd79a5564df97d512be283c5c8a4da2e7ef8bce.1554983206.git.pmatilai@redhat.com>
In-Reply-To: <2ec0832287bd1443ebf336f8a98293f30bfa2036.1554983205.git.pmatilai@redhat.com>
References: <2ec0832287bd1443ebf336f8a98293f30bfa2036.1554983205.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 18 Mar 2019 15:29:18 +0200
Subject: [PATCH 2/3] Drop internal-only visibility on rpmvs-related API
Makes it possible to use rpmvs API from eg librpmsign which we'll
need in the next commit. We need to make select parts of this
actually public eventually but for now...
---
lib/rpmvs.h | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/lib/rpmvs.h b/lib/rpmvs.h
index a836d5c94..025895500 100644
--- a/lib/rpmvs.h
+++ b/lib/rpmvs.h
@@ -48,41 +48,29 @@ typedef int (*rpmsinfoCb)(struct rpmsinfo_s *sinfo, void *cbdata);
extern "C" {
#endif
-RPM_GNUC_INTERNAL
const char *rpmsinfoDescr(struct rpmsinfo_s *sinfo);
-RPM_GNUC_INTERNAL
char *rpmsinfoMsg(struct rpmsinfo_s *sinfo);
-RPM_GNUC_INTERNAL
struct rpmvs_s *rpmvsCreate(int vfylevel, rpmVSFlags vsflags, rpmKeyring keyring);
-RPM_GNUC_INTERNAL
void rpmvsInit(struct rpmvs_s *vs, hdrblob blob, rpmDigestBundle bundle);
-RPM_GNUC_INTERNAL
rpmVSFlags rpmvsFlags(struct rpmvs_s *vs);
-RPM_GNUC_INTERNAL
struct rpmvs_s *rpmvsFree(struct rpmvs_s *sis);
-RPM_GNUC_INTERNAL
void rpmvsAppendTag(struct rpmvs_s *sis, hdrblob blob, rpmTagVal tag);
-RPM_GNUC_INTERNAL
void rpmvsInitRange(struct rpmvs_s *sis, int range);
-RPM_GNUC_INTERNAL
void rpmvsFiniRange(struct rpmvs_s *sis, int range);
-RPM_GNUC_INTERNAL
int rpmvsRange(struct rpmvs_s *vs);
-RPM_GNUC_INTERNAL
int rpmvsVerify(struct rpmvs_s *sis, int type,
rpmsinfoCb cb, void *cbdata);
-RPM_GNUC_INTERNAL
rpmRC rpmpkgRead(struct rpmvs_s *vs, FD_t fd,
hdrblob *sigblobp, hdrblob *blobp, char **emsg);
--
2.20.1


@ -1,52 +0,0 @@
From d48981ad7e36abb3500161d823acf92345c94f5d Mon Sep 17 00:00:00 2001
Message-Id: <d48981ad7e36abb3500161d823acf92345c94f5d.1571917458.git.pmatilai@redhat.com>
In-Reply-To: <68d383c39cef8d58b80940b13dd132d3f41a03f0.1571917458.git.pmatilai@redhat.com>
References: <68d383c39cef8d58b80940b13dd132d3f41a03f0.1571917458.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 2 Apr 2019 16:07:56 +0300
Subject: [PATCH 2/2] Support build-id generation from compressed ELF files
(elfutils >= 0.175)
Use dwelf_elf_begin() for reading ELF files for build-id generation on
versions that have it to support compressed ELF files such as kernel
modules (RhBug:1650072,1650074). Note that debugedit still cannot handle
compressed files, this is only for build-id generation.
---
build/files.c | 4 ++++
configure.ac | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/build/files.c b/build/files.c
index 3822be3d3..f72a7c866 100644
--- a/build/files.c
+++ b/build/files.c
@@ -1828,7 +1828,11 @@ static int generateBuildIDs(FileList fl, ARGV_t *files)
kernel modules (ET_REL files with .modinfo section)
should have build-ids. */
GElf_Ehdr ehdr;
+#if HAVE_DWELF_ELF_BEGIN
+ Elf *elf = dwelf_elf_begin(fd);
+#else
Elf *elf = elf_begin (fd, ELF_C_READ, NULL);
+#endif
if (elf != NULL && elf_kind(elf) == ELF_K_ELF
&& gelf_getehdr(elf, &ehdr) != NULL
&& (ehdr.e_type == ET_EXEC || ehdr.e_type == ET_DYN
diff --git a/configure.ac b/configure.ac
index 99ce7df32..b2d7ed806 100644
--- a/configure.ac
+++ b/configure.ac
@@ -487,6 +487,10 @@ AS_IF([test "$WITH_LIBELF" = yes],[
# If possible we also want the strtab functions from elfutils 0.167.
# But we can fall back on the (unsupported) ebl alternatives if not.
AC_CHECK_LIB(dw, dwelf_strtab_init, [HAVE_LIBDW_STRTAB=yes])
+ # whether libdw supports compressed ELF objects
+ AC_CHECK_LIB(dw, dwelf_elf_begin, [
+ AC_DEFINE(HAVE_DWELF_ELF_BEGIN, 1, [Have dwelf_elf_begin?])
+ ])
])
])
])
--
2.21.0


@ -1,69 +0,0 @@
From e7fa1f1c1c4a6161c2254c761e857fdf04fba5ef Mon Sep 17 00:00:00 2001
Message-Id: <e7fa1f1c1c4a6161c2254c761e857fdf04fba5ef.1574338784.git.pmatilai@redhat.com>
In-Reply-To: <871065ddd493c76d80345d2e80b38b9ce4c7acdd.1574338784.git.pmatilai@redhat.com>
References: <871065ddd493c76d80345d2e80b38b9ce4c7acdd.1574338784.git.pmatilai@redhat.com>
From: Igor Gnatenko <i.gnatenko.brain@gmail.com>
Date: Wed, 21 Nov 2018 15:36:35 +0100
Subject: [PATCH 2/3] build: check rich dependencies for special characters
Reported-by: Michael Schroeder <mls@suse.de
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
---
build/pack.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/build/pack.c b/build/pack.c
index daf878c76..c94964be2 100644
--- a/build/pack.c
+++ b/build/pack.c
@@ -228,12 +228,36 @@ exit:
return rc;
}
-static int haveTildeDep(Package pkg)
+struct charInDepData {
+ char c;
+ int present;
+};
+
+static rpmRC charInDepCb(void *cbdata, rpmrichParseType type,
+ const char *n, int nl, const char *e, int el, rpmsenseFlags sense,
+ rpmrichOp op, char **emsg) {
+ struct charInDepData *data = cbdata;
+ if (memchr(e, data->c, el))
+ data->present = 1;
+
+ return RPMRC_OK;
+}
+
+static int haveCharInDep(Package pkg, char c)
{
+ struct charInDepData data = {c, 0};
for (int i = 0; i < PACKAGE_NUM_DEPS; i++) {
rpmds ds = rpmdsInit(pkg->dependencies[i]);
while (rpmdsNext(ds) >= 0) {
- if (strchr(rpmdsEVR(ds), '~'))
+ if (rpmdsIsRich(ds)) {
+ const char *depstr = rpmdsN(ds);
+ rpmrichParse(&depstr, NULL, charInDepCb, &data);
+ } else {
+ const char *evr = rpmdsEVR(ds);
+ if (strchr(evr, c))
+ data.present = 1;
+ }
+ if (data.present)
return 1;
}
}
@@ -327,7 +351,7 @@ exit:
static void finalizeDeps(Package pkg)
{
/* check if the package has a dependency with a '~' */
- if (haveTildeDep(pkg))
+ if (haveCharInDep(pkg, '~'))
(void) rpmlibNeedsFeature(pkg, "TildeInVersions", "4.10.0-1");
/* check if the package has a rich dependency */
--
2.23.0


@ -1,131 +0,0 @@
From c7e711bba58374f03347c795a567441cbef3de58 Mon Sep 17 00:00:00 2001
Message-Id: <c7e711bba58374f03347c795a567441cbef3de58.1574338784.git.pmatilai@redhat.com>
In-Reply-To: <871065ddd493c76d80345d2e80b38b9ce4c7acdd.1574338784.git.pmatilai@redhat.com>
References: <871065ddd493c76d80345d2e80b38b9ce4c7acdd.1574338784.git.pmatilai@redhat.com>
From: Igor Gnatenko <i.gnatenko.brain@gmail.com>
Date: Sat, 10 Sep 2016 11:39:23 +0200
Subject: [PATCH 3/3] Add support for sorting caret ('^') higher than base
version
1.1^20160101 means 1.1 version (base) and patches which were applied at
that date on top of it.
* 1.1^201601 > 1.1
* 1.1^201601 < 1.1.1
Having symmetry is also good.
Signed-off-by: Igor Gnatenko <i.gnatenko.brain@gmail.com>
---
build/pack.c | 4 ++++
lib/rpmds.c | 3 +++
lib/rpmvercmp.c | 19 +++++++++++++++++--
tests/rpmvercmp.at | 26 ++++++++++++++++++++++++++
4 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/build/pack.c b/build/pack.c
index c94964be2..d7adcb0e2 100644
--- a/build/pack.c
+++ b/build/pack.c
@@ -354,6 +354,10 @@ static void finalizeDeps(Package pkg)
if (haveCharInDep(pkg, '~'))
(void) rpmlibNeedsFeature(pkg, "TildeInVersions", "4.10.0-1");
+ /* check if the package has a dependency with a '^' */
+ if (haveCharInDep(pkg, '^'))
+ (void) rpmlibNeedsFeature(pkg, "CaretInVersions", "4.15.0-1");
+
/* check if the package has a rich dependency */
if (haveRichDep(pkg))
(void) rpmlibNeedsFeature(pkg, "RichDependencies", "4.12.0-1");
diff --git a/lib/rpmds.c b/lib/rpmds.c
index 01aa1022b..730a58c35 100644
--- a/lib/rpmds.c
+++ b/lib/rpmds.c
@@ -1240,6 +1240,9 @@ static const struct rpmlibProvides_s rpmlibProvides[] = {
{ "rpmlib(TildeInVersions)", "4.10.0-1",
( RPMSENSE_EQUAL),
N_("dependency comparison supports versions with tilde.") },
+ { "rpmlib(CaretInVersions)", "4.15.0-1",
+ ( RPMSENSE_EQUAL),
+ N_("dependency comparison supports versions with caret.") },
{ "rpmlib(LargeFiles)", "4.12.0-1",
( RPMSENSE_EQUAL),
N_("support files larger than 4GB") },
diff --git a/lib/rpmvercmp.c b/lib/rpmvercmp.c
index b3d08faa4..13857e151 100644
--- a/lib/rpmvercmp.c
+++ b/lib/rpmvercmp.c
@@ -33,8 +33,8 @@ int rpmvercmp(const char * a, const char * b)
/* loop through each version segment of str1 and str2 and compare them */
while (*one || *two) {
- while (*one && !risalnum(*one) && *one != '~') one++;
- while (*two && !risalnum(*two) && *two != '~') two++;
+ while (*one && !risalnum(*one) && *one != '~' && *one != '^') one++;
+ while (*two && !risalnum(*two) && *two != '~' && *two != '^') two++;
/* handle the tilde separator, it sorts before everything else */
if (*one == '~' || *two == '~') {
@@ -45,6 +45,21 @@ int rpmvercmp(const char * a, const char * b)
continue;
}
+ /*
+ * Handle caret separator. Concept is the same as tilde,
+ * except that if one of the strings ends (base version),
+ * the other is considered as higher version.
+ */
+ if (*one == '^' || *two == '^') {
+ if (!*one) return -1;
+ if (!*two) return 1;
+ if (*one != '^') return 1;
+ if (*two != '^') return -1;
+ one++;
+ two++;
+ continue;
+ }
+
/* If we ran to the end of either, we are finished with the loop */
if (!(*one && *two)) break;
diff --git a/tests/rpmvercmp.at b/tests/rpmvercmp.at
index 8b32209aa..1e7c960ea 100644
--- a/tests/rpmvercmp.at
+++ b/tests/rpmvercmp.at
@@ -102,6 +102,32 @@ RPMVERCMP(1.0~rc1~git123, 1.0~rc1~git123, 0)
RPMVERCMP(1.0~rc1~git123, 1.0~rc1, -1)
RPMVERCMP(1.0~rc1, 1.0~rc1~git123, 1)
+dnl Basic testcases for caret sorting
+RPMVERCMP(1.0^, 1.0^, 0)
+RPMVERCMP(1.0^, 1.0, 1)
+RPMVERCMP(1.0, 1.0^, -1)
+RPMVERCMP(1.0^git1, 1.0^git1, 0)
+RPMVERCMP(1.0^git1, 1.0, 1)
+RPMVERCMP(1.0, 1.0^git1, -1)
+RPMVERCMP(1.0^git1, 1.0^git2, -1)
+RPMVERCMP(1.0^git2, 1.0^git1, 1)
+RPMVERCMP(1.0^git1, 1.01, -1)
+RPMVERCMP(1.01, 1.0^git1, 1)
+RPMVERCMP(1.0^20160101, 1.0^20160101, 0)
+RPMVERCMP(1.0^20160101, 1.0.1, -1)
+RPMVERCMP(1.0.1, 1.0^20160101, 1)
+RPMVERCMP(1.0^20160101^git1, 1.0^20160101^git1, 0)
+RPMVERCMP(1.0^20160102, 1.0^20160101^git1, 1)
+RPMVERCMP(1.0^20160101^git1, 1.0^20160102, -1)
+
+dnl Basic testcases for tilde and caret sorting
+RPMVERCMP(1.0~rc1^git1, 1.0~rc1^git1, 0)
+RPMVERCMP(1.0~rc1^git1, 1.0~rc1, 1)
+RPMVERCMP(1.0~rc1, 1.0~rc1^git1, -1)
+RPMVERCMP(1.0^git1~pre, 1.0^git1~pre, 0)
+RPMVERCMP(1.0^git1, 1.0^git1~pre, 1)
+RPMVERCMP(1.0^git1~pre, 1.0^git1, -1)
+
dnl These are included here to document current, arguably buggy behaviors
dnl for reference purposes and for easy checking against unintended
dnl behavior changes.
--
2.23.0


@ -0,0 +1,11 @@
--- rpm-4.14.3/plugins/selinux.c.orig 2020-05-11 16:07:22.873791795 +0200
+++ rpm-4.14.3/plugins/selinux.c 2020-05-11 16:10:11.701771157 +0200
@@ -47,7 +47,7 @@
sehandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
- rpmlog(RPMLOG_DEBUG, "selabel_open: (%s) %s\n",
+ rpmlog((sehandle == NULL) ? RPMLOG_ERR : RPMLOG_DEBUG, "selabel_open: (%s) %s\n",
path, (sehandle == NULL ? strerror(errno) : ""));
return (sehandle != NULL) ? RPMRC_OK : RPMRC_FAIL;
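Review bot: The new `rpmlog` call tests `sehandle == NULL` twice in one statement and the `return` tests it a third time, while the success path still formats an empty string, so the debug line ends in a trailing space. Splitting the cases keeps the failure path explicit: `if (sehandle == NULL) rpmlog(RPMLOG_ERR, "selabel_open: (%s) %s\n", path, strerror(errno));` followed by `else rpmlog(RPMLOG_DEBUG, "selabel_open: (%s)\n", path);`, which changes only the trailing space of the success message. A comment such as `/* no label handle means file contexts cannot be looked up; report it as an error */` would record why the level was raised. That reading is inferred from the `RPMRC_FAIL` return, because the enclosing function starts and ends outside the hunk.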


@ -0,0 +1,186 @@
diff -up rpm-4.14.3/sign/rpmgensig.c.orig rpm-4.14.3/sign/rpmgensig.c
--- rpm-4.14.3/sign/rpmgensig.c.orig 2020-06-26 15:57:43.781333983 +0200
+++ rpm-4.14.3/sign/rpmgensig.c 2020-06-26 15:58:29.819229616 +0200
@@ -8,7 +8,6 @@
#include <errno.h>
#include <sys/wait.h>
#include <popt.h>
-#include <libgen.h>
#include <rpm/rpmlib.h> /* RPMSIGTAG & related */
#include <rpm/rpmmacro.h>
@@ -33,68 +32,6 @@ typedef struct sigTarget_s {
rpm_loff_t size;
} *sigTarget;
-/*
- * There is no function for creating unique temporary fifos so create
- * unique temporary directory and then create fifo in it.
- */
-static char *mkTempFifo(void)
-{
- char *tmppath = NULL, *tmpdir = NULL, *fifofn = NULL;
- mode_t mode;
-
- tmppath = rpmExpand("%{_tmppath}", NULL);
- if (rpmioMkpath(tmppath, 0755, (uid_t) -1, (gid_t) -1))
- goto exit;
-
-
- tmpdir = rpmGetPath(tmppath, "/rpm-tmp.XXXXXX", NULL);
- mode = umask(0077);
- tmpdir = mkdtemp(tmpdir);
- umask(mode);
- if (tmpdir == NULL) {
- rpmlog(RPMLOG_ERR, _("error creating temp directory %s: %m\n"),
- tmpdir);
- tmpdir = _free(tmpdir);
- goto exit;
- }
-
- fifofn = rpmGetPath(tmpdir, "/fifo", NULL);
- if (mkfifo(fifofn, 0600) == -1) {
- rpmlog(RPMLOG_ERR, _("error creating fifo %s: %m\n"), fifofn);
- fifofn = _free(fifofn);
- }
-
-exit:
- if (fifofn == NULL && tmpdir != NULL)
- unlink(tmpdir);
-
- free(tmppath);
- free(tmpdir);
-
- return fifofn;
-}
-
-/* Delete fifo and then temporary directory in which it was located */
-static int rpmRmTempFifo(const char *fn)
-{
- int rc = 0;
- char *dfn = NULL, *dir = NULL;
-
- if ((rc = unlink(fn)) != 0) {
- rpmlog(RPMLOG_ERR, _("error delete fifo %s: %m\n"), fn);
- return rc;
- }
-
- dfn = xstrdup(fn);
- dir = dirname(dfn);
-
- if ((rc = rmdir(dir)) != 0)
- rpmlog(RPMLOG_ERR, _("error delete directory %s: %m\n"), dir);
- free(dfn);
-
- return rc;
-}
-
static int closeFile(FD_t *fdp)
{
if (fdp == NULL || *fdp == NULL)
@@ -241,27 +178,38 @@ exit:
static int runGPG(sigTarget sigt, const char *sigfile)
{
int pid = 0, status;
- FD_t fnamedPipe = NULL;
- char *namedPipeName = NULL;
+ int pipefd[2];
+ FILE *fpipe = NULL;
unsigned char buf[BUFSIZ];
ssize_t count;
ssize_t wantCount;
rpm_loff_t size;
int rc = 1; /* assume failure */
- namedPipeName = mkTempFifo();
+ if (pipe(pipefd) < 0) {
+ rpmlog(RPMLOG_ERR, _("Could not create pipe for signing: %m\n"));
+ goto exit;
+ }
- rpmPushMacro(NULL, "__plaintext_filename", NULL, namedPipeName, -1);
+ rpmPushMacro(NULL, "__plaintext_filename", NULL, "-", -1);
rpmPushMacro(NULL, "__signature_filename", NULL, sigfile, -1);
if (!(pid = fork())) {
char *const *av;
char *cmd = NULL;
- const char *gpg_path = rpmExpand("%{?_gpg_path}", NULL);
+ const char *tty = ttyname(STDIN_FILENO);
+ const char *gpg_path = NULL;
+
+ if (!getenv("GPG_TTY") && (!tty || setenv("GPG_TTY", tty, 0)))
+ rpmlog(RPMLOG_WARNING, _("Could not set GPG_TTY to stdin: %m\n"));
+ gpg_path = rpmExpand("%{?_gpg_path}", NULL);
if (gpg_path && *gpg_path != '\0')
(void) setenv("GNUPGHOME", gpg_path, 1);
+ dup2(pipefd[0], STDIN_FILENO);
+ close(pipefd[1]);
+
unsetenv("MALLOC_CHECK_");
cmd = rpmExpand("%{?__gpg_sign_cmd}", NULL);
rc = poptParseArgvString(cmd, NULL, (const char ***)&av);
@@ -276,9 +224,10 @@ static int runGPG(sigTarget sigt, const
rpmPopMacro(NULL, "__plaintext_filename");
rpmPopMacro(NULL, "__signature_filename");
- fnamedPipe = Fopen(namedPipeName, "w");
- if (!fnamedPipe) {
- rpmlog(RPMLOG_ERR, _("Fopen failed\n"));
+ close(pipefd[0]);
+ fpipe = fdopen(pipefd[1], "w");
+ if (!fpipe) {
+ rpmlog(RPMLOG_ERR, _("Could not open pipe for writing: %m\n"));
goto exit;
}
@@ -291,8 +240,8 @@ static int runGPG(sigTarget sigt, const
size = sigt->size;
wantCount = size < sizeof(buf) ? size : sizeof(buf);
while ((count = Fread(buf, sizeof(buf[0]), wantCount, sigt->fd)) > 0) {
- Fwrite(buf, sizeof(buf[0]), count, fnamedPipe);
- if (Ferror(fnamedPipe)) {
+ fwrite(buf, sizeof(buf[0]), count, fpipe);
+ if (ferror(fpipe)) {
rpmlog(RPMLOG_ERR, _("Could not write to pipe\n"));
goto exit;
}
@@ -304,8 +253,13 @@ static int runGPG(sigTarget sigt, const
sigt->fileName, Fstrerror(sigt->fd));
goto exit;
}
- Fclose(fnamedPipe);
- fnamedPipe = NULL;
+
+exit:
+
+ if (fpipe)
+ fclose(fpipe);
+ if (pipefd[1])
+ close(pipefd[1]);
(void) waitpid(pid, &status, 0);
pid = 0;
@@ -314,20 +268,6 @@ static int runGPG(sigTarget sigt, const
} else {
rc = 0;
}
-
-exit:
-
- if (fnamedPipe)
- Fclose(fnamedPipe);
-
</