SOURCES/0001-Add-optional-callback-on-directory-changes-during-rp.patch

@@ -0,0 +1,107 @@
+From 186e0ab025b9ad92d900697f611633a6f6162f3b Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 9 Feb 2022 14:47:14 +0200
+Subject: [PATCH] Add optional callback on directory changes during rpmfi
+ iteration
+
+Internal only for now in case we need to fiddle with the API some more,
+but no reason this couldn't be made public later.
+---
+ lib/rpmfi.c          | 24 ++++++++++++++++++++----
+ lib/rpmfi_internal.h | 17 +++++++++++++++++
+ 2 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rpmfi.c b/lib/rpmfi.c
+index aec8220a3..6c631fdb5 100644
+--- a/lib/rpmfi.c
++++ b/lib/rpmfi.c
+@@ -53,6 +53,9 @@ struct rpmfi_s {
+     int intervalStart;		/*!< Start of iterating interval. */
+     int intervalEnd;		/*!< End of iterating interval. */
+ 
++    rpmfiChdirCb onChdir;	/*!< Callback for directory changes */
++    void *onChdirData;		/*!< Caller private callback data */
++
+     rpmfiles files;		/*!< File info set */
+     rpmcpio_t archive;		/*!< Archive with payload */
+     unsigned char * found;	/*!< Bit field of files found in the archive */
+@@ -298,11 +301,16 @@ rpm_count_t rpmfiDC(rpmfi fi)
+     return (fi != NULL ? rpmfilesDC(fi->files) : 0);
+ }
+ 
+-#ifdef	NOTYET
+-int rpmfiDI(rpmfi fi)
++int rpmfiSetOnChdir(rpmfi fi, rpmfiChdirCb cb, void *data)
+ {
++    int rc = -1;
++    if (fi != NULL) {
++	fi->onChdir = cb;
++	fi->onChdirData = data;
++	rc = 0;
++    }
++    return rc;
+ }
+-#endif
+ 
+ int rpmfiFX(rpmfi fi)
+ {
+@@ -314,9 +322,17 @@ int rpmfiSetFX(rpmfi fi, int fx)
+     int i = -1;
+ 
+     if (fi != NULL && fx >= 0 && fx < rpmfilesFC(fi->files)) {
++	int dx = fi->j;
+ 	i = fi->i;
+ 	fi->i = fx;
+ 	fi->j = rpmfilesDI(fi->files, fi->i);
++	i = fi->i;
++
++	if (fi->j != dx && fi->onChdir) {
++	    int chrc = fi->onChdir(fi, fi->onChdirData);
++	    if (chrc < 0)
++		i = chrc;
++	}
+     }
+     return i;
+ }
+@@ -1682,9 +1698,9 @@ static rpmfi initIter(rpmfiles files, int itype, int link)
+     if (files && itype>=0 && itype<=RPMFILEITERMAX) {
+ 	fi = xcalloc(1, sizeof(*fi)); 
+ 	fi->i = -1;
++	fi->j = -1;
+ 	fi->files = link ? rpmfilesLink(files) : files;
+ 	fi->next = nextfuncs[itype];
+-	fi->i = -1;
+ 	if (itype == RPMFI_ITER_BACK) {
+ 	    fi->i = rpmfilesFC(fi->files);
+ 	} else if (itype >=RPMFI_ITER_READ_ARCHIVE
+diff --git a/lib/rpmfi_internal.h b/lib/rpmfi_internal.h
+index dccc6ccbe..37f1d45f5 100644
+--- a/lib/rpmfi_internal.h
++++ b/lib/rpmfi_internal.h
+@@ -13,6 +13,23 @@
+ extern "C" {
+ #endif
+ 
++/** \ingroup rpmfi
++ * Callback on file iterator directory changes
++ * @param fi		file info
++ * @param data		caller private callback data
++ * @return		0 on success, < 0 on error (to stop iteration)
++ */
++typedef int (*rpmfiChdirCb)(rpmfi fi, void *data);
++
++/** \ingroup rpmfi
++ * Set a callback for directory changes during iteration.
++ * @param fi		file info
++ * @param cb		callback function
++ * @param data		caller private callback data
++ * @return		string pool handle (weak reference)
++ */
++int rpmfiSetOnChdir(rpmfi fi, rpmfiChdirCb cb, void *data);
++
+ /** \ingroup rpmfi
+  * Return file info set string pool handle
+  * @param fi		file info
+-- 
+2.41.0
+

SOURCES/0001-Don-t-warn-about-missing-user-group-on-skipped-files.patch

@@ -0,0 +1,30 @@
+From 6c66abd34cccbb5b3c063f8f613e0c2faffc415f Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 13 Dec 2023 11:57:50 +0200
+Subject: [PATCH] Don't warn about missing user/group on skipped files
+
+There's no reason to complain about missing user/group for entities
+we don't create at all. It's cosmetical only, but "regressed" in the
+4.17 fsm robustness rewrite.
+
+Reported in https://issues.redhat.com/browse/RHEL-18037
+---
+ lib/fsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 2189bd84c..a54e43bae 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -903,7 +903,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ 	fp->fpath = fsmFsPath(fi, fp->suffix);
+ 
+ 	/* Remap file perms, owner, and group. */
+-	rc = rpmfiStat(fi, 1, &fp->sb);
++	rc = rpmfiStat(fi, (fp->skip == 0), &fp->sb);
+ 
+ 	/* Hardlinks are tricky and handled elsewhere for install */
+ 	fp->setmeta = (fp->skip == 0) &&
+-- 
+2.43.0
+

SOURCES/0001-Eliminate-code-duplication-from-rpmfiNext.patch

@@ -0,0 +1,35 @@
+From 0bc13d75b5883ccf4d6579f7a60fb1badd104649 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 10 Feb 2022 10:23:22 +0200
+Subject: [PATCH] Eliminate code duplication from rpmfiNext()
+
+Now that we can, let rpmfiSetFX() take care of the details.
+---
+ lib/rpmfi.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/lib/rpmfi.c b/lib/rpmfi.c
+index 689ead2c5..aec8220a3 100644
+--- a/lib/rpmfi.c
++++ b/lib/rpmfi.c
+@@ -856,15 +856,8 @@ int rpmfiNext(rpmfi fi)
+ 	    next = fi->next(fi);
+ 	} while (next == RPMERR_ITER_SKIP);
+ 
+-	if (next >= 0 && next < rpmfilesFC(fi->files)) {
+-	    fi->i = next;
+-	    fi->j = rpmfilesDI(fi->files, fi->i);
+-	} else {
+-	    fi->i = -1;
+-	    if (next >= 0) {
+-		next = -1;
+-	    }
+-	}
++	if (next >= 0)
++	    next = rpmfiSetFX(fi, next);
+     }
+     return next;
+ }
+-- 
+2.41.0
+

SOURCES/0001-Emit-full-paths-for-file-disposition-diagnostics-on-.patch

@@ -0,0 +1,66 @@
+From c140768202e271b60910644c1e4bf848a50218d3 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 27 Nov 2023 11:52:34 +0200
+Subject: [PATCH] Emit full paths for file disposition diagnostics on
+ --fsmdebug
+
+The full path is visible in the actual file operations later, but the
+pre-flight disposition diagnostics is unreadable without the full path.
+This regressed in the switch to relative paths for the *at() API family
+for the symlink CVE fixes.
+---
+ lib/fsm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 091e90554..fcd764648 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -482,14 +482,14 @@ static void removeSBITS(int dirfd, const char *path)
+     }
+ }
+ 
+-static void fsmDebug(const char *fpath, rpmFileAction action,
++static void fsmDebug(const char *dn, const char *fpath, rpmFileAction action,
+ 		     const struct stat *st)
+ {
+-    rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s\n",
++    rpmlog(RPMLOG_DEBUG, "%-10s %06o%3d (%4d,%4d)%6d %s%s\n",
+ 	   fileActionString(action), (int)st->st_mode,
+ 	   (int)st->st_nlink, (int)st->st_uid,
+ 	   (int)st->st_gid, (int)st->st_size,
+-	    (fpath ? fpath : ""));
++	    (dn ? dn : ""), (fpath ? fpath : ""));
+ }
+ 
+ static int fsmSymlink(const char *opath, int dirfd, const char *path)
+@@ -910,7 +910,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ 		      (fp->sb.st_nlink == 1 || fp->action == FA_TOUCH);
+ 
+ 	setFileState(fs, fx);
+-	fsmDebug(fp->fpath, fp->action, &fp->sb);
++	fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 
+ 	fp->stage = FILE_PRE;
+     }
+@@ -975,7 +975,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ 		rpmlog(RPMLOG_DEBUG, "file %s vanished unexpectedly\n",
+ 			fp->fpath);
+ 		fp->action = FA_CREATE;
+-		fsmDebug(fp->fpath, fp->action, &fp->sb);
++		fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 	    }
+ 
+ 	    /* When touching we don't need any of this... */
+@@ -1138,7 +1138,7 @@ int rpmPackageFilesRemove(rpmts ts, rpmte te, rpmfiles files,
+ 
+ 	rc = fsmStat(di.dirfd, fp->fpath, 1, &fp->sb);
+ 
+-	fsmDebug(fp->fpath, fp->action, &fp->sb);
++	fsmDebug(rpmfiDN(fi), fp->fpath, fp->action, &fp->sb);
+ 
+ 	/* Run fsm file pre hook for all plugins */
+ 	rc = rpmpluginsCallFsmFilePre(plugins, fi, fp->fpath,
+-- 
+2.43.0
+

SOURCES/0001-Fix-wrong-return-code-on-O_DIRECTORY-open-of-invalid.patch

@@ -0,0 +1,46 @@
+From 89ce4e7ca592f5abafc3f25aeaa07d36a7b43a61 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 14 Nov 2023 11:37:48 +0200
+Subject: [PATCH] Fix wrong return code on O_DIRECTORY open of invalid symlink
+
+The dir argument to fsmOpenpath() is supposed to be a rough O_DIRECTORY
+equivalent, and if the path is actually a misowned symlink it should
+return ENOTDIR instead of ELOOP. Makes the resulting error messages
+at least a little more comprehensible.
+---
+ lib/fsm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 51f439ef3..091e90554 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -304,6 +304,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+     struct stat lsb, sb;
+     int sflags = flags | O_NOFOLLOW;
+     int fd = openat(dirfd, path, sflags);
++    int ffd = fd;
+ 
+     /*
+      * Only ever follow symlinks by root or target owner. Since we can't
+@@ -312,7 +313,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+      * it could've only been the link owner or root.
+      */
+     if (fd < 0 && errno == ELOOP && flags != sflags) {
+-	int ffd = openat(dirfd, path, flags);
++	ffd = openat(dirfd, path, flags);
+ 	if (ffd >= 0) {
+ 	    if (fstatat(dirfd, path, &lsb, AT_SYMLINK_NOFOLLOW) == 0) {
+ 		if (fstat(ffd, &sb) == 0) {
+@@ -327,7 +328,7 @@ static int fsmOpenat(int dirfd, const char *path, int flags, int dir)
+     }
+ 
+     /* O_DIRECTORY equivalent */
+-    if (dir && fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)) {
++    if (dir && ((fd != ffd) || (fd >= 0 && fstat(fd, &sb) == 0 && !S_ISDIR(sb.st_mode)))) {
+ 	errno = ENOTDIR;
+ 	fsmClose(&fd);
+     }
+-- 
+2.43.0
+

SOURCES/0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch

@@ -0,0 +1,153 @@
+From ac7b0dbd5a18d2c57a942ca14ac856b8047425ff Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 15 Feb 2022 10:43:13 +0200
+Subject: [PATCH] Pass file descriptor to file prepare plugin hook, use when
+ possible
+
+Sadly the thing that allegedly makes things better mostly just makes
+things more complicated as symlinks can't be opened, so we'll now have
+to deal with both cases in plugins too. To make matters worse, most
+APIs out there support either an fd or a path, but very few support
+the *at() style dirfd + basename approach so plugins are stuck with
+absolute paths for now.
+
+This is of course a plugin API/ABI change too.
+---
+ lib/rpmplugin.h   |  2 +-
+ lib/rpmplugins.c  |  4 ++--
+ lib/rpmplugins.h  |  3 ++-
+ plugins/ima.c     |  9 +++++++--
+ plugins/selinux.c | 13 ++++++++-----
+ 5 files changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/lib/rpmplugin.h b/lib/rpmplugin.h
+index fd81aec8d..fab4b3e83 100644
+--- a/lib/rpmplugin.h
++++ b/lib/rpmplugin.h
+@@ -57,7 +57,7 @@ typedef rpmRC (*plugin_fsm_file_post_func)(rpmPlugin plugin, rpmfi fi,
+ 					   const char* path, mode_t file_mode,
+ 					   rpmFsmOp op, int res);
+ typedef rpmRC (*plugin_fsm_file_prepare_func)(rpmPlugin plugin, rpmfi fi,
+-					      const char* path,
++					      int fd, const char* path,
+ 					      const char *dest,
+ 					      mode_t file_mode, rpmFsmOp op);
+ 
+diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
+index 65e684e84..923084b78 100644
+--- a/lib/rpmplugins.c
++++ b/lib/rpmplugins.c
+@@ -384,7 +384,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
+ }
+ 
+ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
+-				   const char *path, const char *dest,
++				   int fd, const char *path, const char *dest,
+ 				   mode_t file_mode, rpmFsmOp op)
+ {
+     plugin_fsm_file_prepare_func hookFunc;
+@@ -394,7 +394,7 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
+     for (i = 0; i < plugins->count; i++) {
+ 	rpmPlugin plugin = plugins->plugins[i];
+ 	RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
+-	if (hookFunc && hookFunc(plugin, fi, path, dest, file_mode, op) == RPMRC_FAIL) {
++	if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
+ 	    rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
+ 	    rc = RPMRC_FAIL;
+ 	}
+diff --git a/lib/rpmplugins.h b/lib/rpmplugins.h
+index 39762c376..ddf5d7048 100644
+--- a/lib/rpmplugins.h
++++ b/lib/rpmplugins.h
+@@ -156,6 +156,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
+  * permissions etc, but before committing file to destination path.
+  * @param plugins	plugins structure
+  * @param fi		file info iterator (or NULL)
++ * @param fd		file descriptor (or -1 if not available)
+  * @param path		file object current path
+  * @param dest		file object destination path
+  * @param mode		file object mode
+@@ -164,7 +165,7 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char* path,
+  */
+ RPM_GNUC_INTERNAL
+ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
+-                                   const char *path, const char *dest,
++                                   int fd, const char *path, const char *dest,
+                                    mode_t mode, rpmFsmOp op);
+ 
+ #ifdef __cplusplus
+diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
+index 7ac44f0d0..1ff50c30f 100644
+--- a/plugins/fapolicyd.c
++++ b/plugins/fapolicyd.c
+@@ -145,7 +145,8 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
+ }
+ 
+ static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
+-                                        const char *path, const char *dest,
++                                        int fd, const char *path,
++					const char *dest,
+                                         mode_t file_mode, rpmFsmOp op)
+ {
+     /* not ready  */
+--- a/plugins/ima.c	2020-04-28 14:50:11.835399269 +0200
++++ b/plugins/ima.c	2023-12-13 11:19:58.835948660 +0100
+@@ -39,7 +39,7 @@
+ 	return (memcmp(fsig, &zero_hdr, sizeof(zero_hdr)) == 0);
+ }
+ 
+-static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
++static rpmRC ima_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
+                                   const char *path,
+                                   const char *dest,
+                                   mode_t file_mode, rpmFsmOp op)
+@@ -63,8 +63,14 @@
+ 
+ 	fsig = rpmfiFSignature(fi, &len);
+ 	if (fsig && (check_zero_hdr(fsig, len) == 0)) {
+-	    if (lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0) < 0) {
+-	        rpmlog(RPMLOG_ERR,
++	    int xx;
++	    if (fd >= 0)
++		xx = fsetxattr(fd, XATTR_NAME_IMA, fsig, len, 0);
++	    else
++		xx = lsetxattr(path, XATTR_NAME_IMA, fsig, len, 0);
++	    if (xx < 0) {
++		int is_err = errno != EOPNOTSUPP;
++ 	        rpmlog(is_err?RPMLOG_ERR:RPMLOG_DEBUG,
+ 			"ima: could not apply signature on '%s': %s\n",
+ 			path, strerror(errno));
+ 	        rc = RPMRC_FAIL;
+--- a/plugins/selinux.c	2023-12-13 11:21:54.935009141 +0100
++++ b/plugins/selinux.c	2023-12-13 11:22:23.172510285 +0100
+@@ -149,7 +149,7 @@
+     return rc;
+ }
+ 
+-static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
++static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, int fd,
+ 					const char *path, const char *dest,
+ 				        mode_t file_mode, rpmFsmOp op)
+ {
+@@ -159,14 +159,17 @@
+     if (sehandle && !XFA_SKIPPING(action)) {
+ 	security_context_t scon = NULL;
+ 	if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
+-	    int conrc = lsetfilecon(path, scon);
++	    int conrc;
++	    if (fd >= 0)
++		conrc = fsetfilecon(fd, scon);
++	    else
++		conrc = lsetfilecon(path, scon);
+ 
+ 	    if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
+ 		rc = RPMRC_OK;
+ 
+-	    rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG,
+-		   "lsetfilecon: (%s, %s) %s\n",
+-		   path, scon, (conrc < 0 ? strerror(errno) : ""));
++	    rpmlog((rc != RPMRC_OK) ? RPMLOG_ERR : RPMLOG_DEBUG, "lsetfilecon: (%d %s, %s) %s\n",
++		       fd, path, scon, (conrc < 0 ? strerror(errno) : ""));
+ 
+ 	    freecon(scon);
+ 	} else {

SOURCES/0001-Print-full-path-if-file-removal-fails.patch

@@ -0,0 +1,32 @@
+From f1503ab6e898430b80017c0f8347860f3a74d5bb Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Mon, 11 Dec 2023 15:50:15 +0100
+Subject: [PATCH] Print full path if file removal fails
+
+For normal debug output the basename of the files are sufficient as when
+debugging is enabled the directories are also printed. But here the
+warning is given without a debug flag so we need the full context right
+there.
+---
+ lib/fsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index fcd764648..2189bd84c 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -1174,9 +1174,9 @@ int rpmPackageFilesRemove(rpmts ts, rpmte te, rpmfiles files,
+ 
+ 	    if (rc) {
+ 		int lvl = strict_erasures ? RPMLOG_ERR : RPMLOG_WARNING;
+-		rpmlog(lvl, _("%s %s: remove failed: %s\n"),
++		rpmlog(lvl, _("%s %s%s: remove failed: %s\n"),
+ 			S_ISDIR(fp->sb.st_mode) ? _("directory") : _("file"),
+-			fp->fpath, strerror(errno));
++			rpmfiDN(fi), fp->fpath, strerror(errno));
+             }
+         }
+ 
+-- 
+2.43.0
+

SOURCES/0001-Swap-over-to-dirfd-basename-based-operation-within-t.patch

@@ -0,0 +1,90 @@
+From 6dd62720fe84f7e2ad902c915b952fc0b29e3dcd Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 15 Feb 2022 11:34:37 +0200
+Subject: [PATCH] Swap over to dirfd+basename based operation within the fsm
+
+Within fsm this is just a matter of adjusting error messages to include
+the directory... if it only wasn't for the plugins requiring absolute
+paths for outside users. For the plugins, we need to assemble absolute
+paths as needed, both in ensureDir() and plugin file slots.
+---
+ lib/rpmplugins.c | 20 +++++++++++++++++---
+ 2 files changed, 36 insertions(+), 14 deletions(-)
+
+diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c
+index 703368c0d..f06fd7895 100644
+--- a/lib/rpmplugins.c
++++ b/lib/rpmplugins.c
+@@ -350,21 +350,31 @@ rpmRC rpmpluginsCallScriptletPost(rpmPlugins plugins, const char *s_name, int ty
+     return rc;
+ }
+ 
++static char *abspath(rpmfi fi, const char *path)
++{
++    if (*path == '/')
++	return xstrdup(path);
++    else
++	return rstrscat(NULL, rpmfiDN(fi), path, NULL);
++}
++
+ rpmRC rpmpluginsCallFsmFilePre(rpmPlugins plugins, rpmfi fi, const char *path,
+ 			       mode_t file_mode, rpmFsmOp op)
+ {
+     plugin_fsm_file_pre_func hookFunc;
+     int i;
+     rpmRC rc = RPMRC_OK;
++    char *apath = abspath(fi, path);
+ 
+     for (i = 0; i < plugins->count; i++) {
+ 	rpmPlugin plugin = plugins->plugins[i];
+ 	RPMPLUGINS_SET_HOOK_FUNC(fsm_file_pre);
+-	if (hookFunc && hookFunc(plugin, fi, path, file_mode, op) == RPMRC_FAIL) {
++	if (hookFunc && hookFunc(plugin, fi, apath, file_mode, op) == RPMRC_FAIL) {
+ 	    rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_pre failed\n", plugin->name);
+ 	    rc = RPMRC_FAIL;
+ 	}
+     }
++    free(apath);
+ 
+     return rc;
+ }
+@@ -375,14 +385,16 @@ rpmRC rpmpluginsCallFsmFilePost(rpmPlugins plugins, rpmfi fi, const char *path,
+     plugin_fsm_file_post_func hookFunc;
+     int i;
+     rpmRC rc = RPMRC_OK;
++    char *apath = abspath(fi, path);
+ 
+     for (i = 0; i < plugins->count; i++) {
+ 	rpmPlugin plugin = plugins->plugins[i];
+ 	RPMPLUGINS_SET_HOOK_FUNC(fsm_file_post);
+-	if (hookFunc && hookFunc(plugin, fi, path, file_mode, op, res) == RPMRC_FAIL) {
++	if (hookFunc && hookFunc(plugin, fi, apath, file_mode, op, res) == RPMRC_FAIL) {
+ 	    rpmlog(RPMLOG_WARNING, "Plugin %s: hook fsm_file_post failed\n", plugin->name);
+ 	}
+     }
++    free(apath);
+ 
+     return rc;
+ }
+@@ -394,15 +406,17 @@ rpmRC rpmpluginsCallFsmFilePrepare(rpmPlugins plugins, rpmfi fi,
+     plugin_fsm_file_prepare_func hookFunc;
+     int i;
+     rpmRC rc = RPMRC_OK;
++    char *apath = abspath(fi, path);
+ 
+     for (i = 0; i < plugins->count; i++) {
+ 	rpmPlugin plugin = plugins->plugins[i];
+ 	RPMPLUGINS_SET_HOOK_FUNC(fsm_file_prepare);
+-	if (hookFunc && hookFunc(plugin, fi, fd, path, dest, file_mode, op) == RPMRC_FAIL) {
++	if (hookFunc && hookFunc(plugin, fi, fd, apath, dest, file_mode, op) == RPMRC_FAIL) {
+ 	    rpmlog(RPMLOG_ERR, "Plugin %s: hook fsm_file_prepare failed\n", plugin->name);
+ 	    rc = RPMRC_FAIL;
+ 	}
+     }
++    free(apath);
+ 
+     return rc;
+ }
+-- 
+2.41.0
+

SOURCES/brp-python-bytecompile-compatibility-with-newer-pyth.patch

@@ -0,0 +1,46 @@
+From acbf558c486ee3518aca74045504f05872da4a58 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Tue, 26 Sep 2023 13:14:44 +0200
+Subject: [PATCH] brp-python-bytecompile compatibility with newer pythons
+
+---
+ scripts/brp-python-bytecompile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/scripts/brp-python-bytecompile b/scripts/brp-python-bytecompile
+index 4a9b49e..472bf10 100644
+--- a/scripts/brp-python-bytecompile
++++ b/scripts/brp-python-bytecompile
+@@ -58,7 +58,7 @@ EOF
+ # and below /usr/lib/python3.1/, we're targeting /usr/bin/python3.1
+ 
+ shopt -s nullglob
+-for python_libdir in `find "$RPM_BUILD_ROOT" -type d|grep -E "/usr/lib(64)?/python[0-9]\.[0-9]$"`;
++for python_libdir in `find "$RPM_BUILD_ROOT" -type d|grep -E "/usr/lib(64)?/python[0-9]\.[0-9]+$"`;
+ do
+ 	python_binary=/usr/bin/$(basename $python_libdir)
+ 	if [ "$python_binary" = "/usr/bin/python3.6" ]; then
+@@ -97,17 +97,17 @@ fi
+ 
+ # Figure out if there are files to be bytecompiled with the default_python at all
+ # this prevents unnecessary default_python invocation
+-find "$RPM_BUILD_ROOT" -type f -name "*.py" | grep -Ev "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" || exit 0
++find "$RPM_BUILD_ROOT" -type f -name "*.py" | grep -Ev "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" || exit 0
+ 
+ # Generate normal (.pyc) byte-compiled files.
+-python_bytecompile "" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
++python_bytecompile "" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
+ if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
+ 	# One or more of the files had a syntax error
+ 	exit 1
+ fi
+ 
+ # Generate optimized (.pyo) byte-compiled files.
+-python_bytecompile "-O" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
++python_bytecompile "-O" $default_python "/bin/|/sbin/|/usr/lib(64)?/python[0-9]\.[0-9]+|/usr/share/doc" "$RPM_BUILD_ROOT" "$depth" "/"
+ if [ $? -ne 0 -a 0$errors_terminate -ne 0 ]; then
+ 	# One or more of the files had a syntax error
+ 	exit 1
+-- 
+2.41.0
+

SOURCES/rpm-4.14.3-rpm2archive-Don-t-print-usage.patch

@@ -0,0 +1,29 @@
+From fe274b8f965582fdf97e6c46f90b9e7c124b0b8b Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Fri, 16 Dec 2022 15:50:12 +0100
+Subject: [PATCH] rpm2archive: Don't print usage on no arguments
+
+given as we want to default to reading from stdin and writing to stdout in
+that case.
+---
+ rpm2archive.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/rpm2archive.c b/rpm2archive.c
+index 09da8d16b..53f047f58 100644
+--- a/rpm2archive.c
++++ b/rpm2archive.c
+@@ -241,10 +241,6 @@ int main(int argc, const char *argv[])
+ 	    exit(EXIT_FAILURE);
+ 	}
+     }
+-    if (argc < 2 || poptGetNextOpt(optCon) == 0) {
+-	poptPrintUsage(optCon, stderr, 0);
+-	exit(EXIT_FAILURE);
+-    }
+ 
+     rpmts ts = rpmtsCreate();
+     rpmVSFlags vsflags = 0;
+-- 
+2.38.1
+

SOURCES/rpm-4.14.3-rpm2archive-nocompression.patch

@@ -0,0 +1,138 @@
+From d8a169164cf40fc1cf6448792c1fa991f19bb375 Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Thu, 22 Apr 2021 14:50:34 +0200
+Subject: [PATCH] Add --nocompression option to rpm2archive
+
+Also use popt for the command line handling. As we are using librpm
+anyway there is no reason to keep the dependencies low (as with
+rpm2cpio).
+
+Resolves: #1530
+---
+ doc/rpm2archive.8 | 16 ++++++++++---
+ rpm2archive.c     | 60 ++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 57 insertions(+), 19 deletions(-)
+
+diff --git a/rpm2archive.c b/rpm2archive.c
+index d96db006ea..cb39c7a712 100644
+--- a/rpm2archive.c
++++ b/rpm2archive.c
+@@ -10,6 +10,8 @@
+ 
+ #include <rpm/rpmts.h>
+ 
++#include <popt.h>
++
+ #include <archive.h>
+ #include <archive_entry.h>
+ #include <unistd.h>
+@@ -18,6 +20,16 @@
+ 
+ #define BUFSIZE (128*1024)
+ 
++int compress = 1;
++
++static struct poptOption optionsTable[] = {
++    { "nocompression", 'n', POPT_ARG_VAL, &compress, 0,
++        N_("create uncompressed tar file"),
++        NULL },
++    POPT_AUTOHELP
++    POPT_TABLEEND
++};
++
+ static void fill_archive_entry(struct archive * a, struct archive_entry * entry, rpmfi fi)
+ {
+     archive_entry_clear(entry);
+@@ -60,7 +72,7 @@ static void write_file_content(struct archive * a, char * buf, rpmfi fi)
+     }
+ }
+ 
+-static int process_package(rpmts ts, char * filename)
++static int process_package(rpmts ts, const char * filename)
+ {
+     FD_t fdi;
+     FD_t gzdi;
+@@ -119,9 +131,11 @@ static int process_package(rpmts ts, char * filename)
+ 
+     /* create archive */
+     a = archive_write_new();
+-    if (archive_write_add_filter_gzip(a) != ARCHIVE_OK) {
+-	fprintf(stderr, "Error: Could not create gzip output filter\n");
+-	exit(EXIT_FAILURE);
++    if (compress) {
++	if (archive_write_add_filter_gzip(a) != ARCHIVE_OK) {
++	    fprintf(stderr, "%s\n", archive_error_string(a));
++	    exit(EXIT_FAILURE);
++	}
+     }
+     if (archive_write_set_format_pax_restricted(a) != ARCHIVE_OK) {
+ 	fprintf(stderr, "Error: Format pax restricted is not supported\n");
+@@ -142,7 +156,12 @@ static int process_package(rpmts ts, char * filename)
+ 	}
+ 	archive_write_open_fd(a, STDOUT_FILENO);
+     } else {
+-	char * outname = rstrscat(NULL, filename, ".tgz", NULL);
++	char * outname = rstrscat(NULL, filename, NULL);
++	if (compress) {
++	    outname = rstrscat(&outname, ".tgz", NULL);
++	} else {
++	    outname = rstrscat(&outname, ".tar", NULL);
++	}
+ 	if (archive_write_open_filename(a, outname) != ARCHIVE_OK) {
+ 	    fprintf(stderr, "Error: Can't open output file: %s\n", outname);
+ 	    exit(EXIT_FAILURE);
+@@ -203,21 +222,22 @@ static int process_package(rpmts ts, char * filename)
+     return rc;
+ }
+ 
+-int main(int argc, char *argv[])
++int main(int argc, const char *argv[])
+ {
+-    int rc = 0, i;
++    int rc = 0;
++    poptContext optCon;
++    const char *fn;
+ 
+     xsetprogname(argv[0]);	/* Portability call -- see system.h */
+     rpmReadConfigFiles(NULL, NULL);
+ 
+-    if (argc > 1 && (rstreq(argv[1], "-h") || rstreq(argv[1], "--help"))) {
+-	fprintf(stderr, "Usage: %s [file.rpm ...]\n", argv[0]);
++    optCon = poptGetContext(NULL, argc, argv, optionsTable, 0);
++    poptSetOtherOptionHelp(optCon, "[OPTIONS]* <FILES>");
++    if (argc < 2 || poptGetNextOpt(optCon) == 0) {
++	poptPrintUsage(optCon, stderr, 0);
+ 	exit(EXIT_FAILURE);
+     }
+ 
+-    if (argc == 1)
+-	argv[argc++] = "-";	/* abuse NULL pointer at the end of argv */
+-
+     rpmts ts = rpmtsCreate();
+     rpmVSFlags vsflags = 0;
+ 
+@@ -227,13 +247,21 @@ int main(int argc, char *argv[])
+     vsflags |= RPMVSF_NOHDRCHK;
+     (void) rpmtsSetVSFlags(ts, vsflags);
+ 
+-    for (i = 1; i < argc; i++) {
++    /* if no file name is given use stdin/stdout */
++    if (!poptPeekArg(optCon)) {
++	rc = process_package(ts, "-");
++	if (rc != 0)
++	    goto exit;
++    }
+ 
+-	rc = process_package(ts, argv[i]);
++    while ((fn = poptGetArg(optCon)) != NULL) {
++	rc = process_package(ts, fn);
+ 	if (rc != 0)
+-	    return rc;
++	    goto exit;
+     }
+ 
++ exit:
++    poptFreeContext(optCon);
+     (void) rpmtsFree(ts);
+     return rc;
+ }

SOURCES/rpm-4.14.3-rpm2archive-parse-popt-options.patch

@@ -0,0 +1,36 @@
+From 8f416b275a365426b07c75adfc017e0b18a85450 Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Fri, 16 Dec 2022 15:45:20 +0100
+Subject: [PATCH] rpm2archive: Properly parse popt options
+
+and issue an error message for unknown options. Before unknown options
+could mess up the argument parsing leading to reading and writing from
+stdin/stdout.
+
+Thanks to Eva Mrakova and the Red Hat QE team for spotting this!
+---
+ rpm2archive.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/rpm2archive.c b/rpm2archive.c
+index de1a17d2b..09da8d16b 100644
+--- a/rpm2archive.c
++++ b/rpm2archive.c
+@@ -233,6 +233,14 @@ int main(int argc, const char *argv[])
+ 
+     optCon = poptGetContext(NULL, argc, argv, optionsTable, 0);
+     poptSetOtherOptionHelp(optCon, "[OPTIONS]* <FILES>");
++    while ((rc = poptGetNextOpt(optCon)) != -1) {
++	if (rc < 0) {
++	    fprintf(stderr, "%s: %s\n",
++		    poptBadOption(optCon, POPT_BADOPTION_NOALIAS),
++		    poptStrerror(rc));
++	    exit(EXIT_FAILURE);
++	}
++    }
+     if (argc < 2 || poptGetNextOpt(optCon) == 0) {
+ 	poptPrintUsage(optCon, stderr, 0);
+ 	exit(EXIT_FAILURE);
+-- 
+2.38.1
+

SOURCES/rpm-4.16.1.3-rpm2archive-error-handling.patch

@@ -0,0 +1,51 @@
+From f1634250587479d664b34b6de1a6546b2c2b9de5 Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Mon, 18 Jan 2021 15:02:34 +0100
+Subject: [PATCH] rpm2archive: Add more error handling
+
+Cleanly error out if file can't be written instead of segfaulting
+
+Resolves: #1091
+---
+ rpm2archive.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/rpm2archive.c b/rpm2archive.c
+index 646f1663d..15c5da016 100644
+--- a/rpm2archive.c
++++ b/rpm2archive.c
+@@ -119,9 +119,14 @@ static int process_package(rpmts ts, char * filename)
+ 
+     /* create archive */
+     a = archive_write_new();
+-    archive_write_add_filter_gzip(a);
+-    archive_write_set_format_pax_restricted(a);
+-
++    if (archive_write_add_filter_gzip(a) != ARCHIVE_OK) {
++	fprintf(stderr, "Error: Could not create gzip output filter\n");
++	exit(EXIT_FAILURE);
++    }
++    if (archive_write_set_format_pax_restricted(a) != ARCHIVE_OK) {
++	fprintf(stderr, "Error: Format pax restricted is not supported\n");
++	exit(EXIT_FAILURE);
++    }
+     if (!strcmp(filename, "-")) {
+ 	if (isatty(STDOUT_FILENO)) {
+ 	    fprintf(stderr, "Error: refusing to output archive data to a terminal.\n");
+@@ -130,9 +135,11 @@ static int process_package(rpmts ts, char * filename)
+ 	archive_write_open_fd(a, STDOUT_FILENO);
+     } else {
+ 	char * outname = rstrscat(NULL, filename, ".tgz", NULL);
+-	archive_write_open_filename(a, outname);
++	if (archive_write_open_filename(a, outname) != ARCHIVE_OK) {
++	    fprintf(stderr, "Error: Can't open output file: %s\n", outname);
++	    exit(EXIT_FAILURE);
++	}
+ 	_free(outname);
+-	// XXX error handling
+     }
+ 
+     entry = archive_entry_new();
+-- 
+2.38.1
+

SPECS/rpm.spec

@@ -32,7 +32,7 @@
 
 %global rpmver 4.14.3
 #global snapver rc2
-%global rel 24
+%global rel 31
 
 %global srcver %{version}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -115,6 +115,20 @@ Patch161: rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch
 Patch162: rpm-4.14.3-fix-spurious-transfiletriggerpostun-execution.patch
 Patch163: rpm-4.14.3-skip-recorded-symlinks-in-setperms.patch
 Patch164: rpm-4.14.3-fapolicyd-make-write-nonblocking.patch
+Patch165: rpm-4.16.1.3-rpm2archive-error-handling.patch
+Patch166: rpm-4.14.3-rpm2archive-nocompression.patch
+Patch167: rpm-4.14.3-rpm2archive-parse-popt-options.patch
+Patch168: rpm-4.14.3-rpm2archive-Don-t-print-usage.patch
+# Backport fsm to fix CVEs
+Patch169: 0001-Eliminate-code-duplication-from-rpmfiNext.patch
+Patch170: 0001-Add-optional-callback-on-directory-changes-during-rp.patch
+Patch171: 0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch
+Patch172: 0001-Swap-over-to-dirfd-basename-based-operation-within-t.patch
+Patch173: 0001-Use-file-state-machine-from-rpm-4.19.patch
+Patch174: 0001-Emit-full-paths-for-file-disposition-diagnostics-on-.patch
+Patch175: 0001-Fix-wrong-return-code-on-O_DIRECTORY-open-of-invalid.patch
+Patch176: 0001-Print-full-path-if-file-removal-fails.patch
+Patch177: 0001-Don-t-warn-about-missing-user-group-on-skipped-files.patch
 
 # Python 3 string API sanity
 Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@@ -146,6 +160,8 @@ Patch1000: disable-python-extra.patch
 Patch1001: compile-with-Platform-Python-binary-where-relevant.patch
 # make unversioned %%__python an error unless explicitly overridden
 Patch1002: rpm-4.14.2-unversioned-python.patch
+# Make brp-python-bytecompile compatible with Python 3.10+
+Patch1003: brp-python-bytecompile-compatibility-with-newer-pyth.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD 
@@ -695,6 +711,17 @@ make check || cat tests/rpmtests.log
 %doc doc/librpm/html/*
 
 %changelog
+* Tue Dec 12 2023 Florian Festi <ffesti@redhat.com> - 4.14.3-31
+- Backport file handling code from rpm-4.19 to fix CVE-2021-35937,
+  CVE-2021-35938 and CVE-2021-35939
+
+* Tue Sep 26 2023 Lumír Balhar <lbalhar@redhat.com> - 4.14.3-27
+- Make brp-python-bytecompile script compatible with Python 3.10+
+Resolves: RHEL-6423
+
+* Mon Dec 19 2022 Florian Festi <ffesti@redhat.com> - 4.14.3-26
+- Add --nocompression to rpm2archive (#2129345)
+
 * Tue Sep 13 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-24
 - Make write() nonblocking in fapolicyd plugin (#2110787)