9 changed files with 104 additions and 121 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-/usermode-1.113.tar.xz
+SOURCES/usermode-1.114.tar.xz
--- a/.usermode.metadata
+++ b/.usermode.metadata
@ -0,0 +1 @@
+8566e6c180ba5a6635c92d7a76f3e4410dab7dc8 SOURCES/usermode-1.114.tar.xz
--- a/SOURCES/config-util
+++ b/SOURCES/config-util
--- a/SOURCES/usermode-1.114-fix_sast.patch
+++ b/SOURCES/usermode-1.114-fix_sast.patch
@ -0,0 +1,21 @@
+diff -up usermode-1.114/gsmclient.c.fix_sast usermode-1.114/gsmclient.c
+--- usermode-1.114/gsmclient.c.fix_sast	2024-08-06 17:42:30.778556066 +0200
+++ usermode-1.114/gsmclient.c	2024-08-06 17:42:30.847556790 +0200
+@@ -182,6 +182,7 @@ gsm_client_init (GsmClient *client, gpoi
+   char pid_str[64];
+   int   empty_vector_len = 0;
+   char *empty_vector[] = { NULL };
+  gchar *gchptr;
+ 
+   (void)data;
+   client->priv = g_new (GsmClientPrivate, 1);
+@@ -198,7 +199,8 @@ gsm_client_init (GsmClient *client, gpoi
+    * with an empty proplist)
+    */
+   push_prop (client, smprop_new_string (GSM_CLIENT_PROPERTY_CURRENT_DIRECTORY,
+-                                        g_get_current_dir (), -1));
+                                        (gchptr=g_get_current_dir ()), -1));
+  g_free(gchptr);
+ 
+   g_snprintf (pid_str, sizeof (pid_str), "%d", (int) getpid ());
+   push_prop (client, smprop_new_string (GSM_CLIENT_PROPERTY_PROCESS_ID,
--- a/SPECS/usermode.spec
+++ b/SPECS/usermode.spec
@ -1,27 +1,32 @@
+# Add `--without gtk' option (enable gtk by default):
+%bcond_without gtk
+
 Summary: Tools for certain user account management tasks
 Name: usermode
-Version: 1.113
-Release: 2%{?dist}
+Version: 1.114
+Release: 5%{?dist}
 License: GPLv2+
-Group: Applications/System
 URL: https://pagure.io/%{name}/
 Source: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.xz
 Source1: config-util
-# Do not use deprecated API
-Patch1: usermode-1.113-selinux.patch
-Patch2: usermode-1.113-manpage_typo.patch
+Patch1:  usermode-1.114-fix_sast.patch
 Requires: pam, passwd, util-linux
 # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IJFYI5Q2BYZKIGDFS2WLOBDUSEGWHIKV/
+BuildRequires: make
 BuildRequires: gcc
-BuildRequires: desktop-file-utils, gettext, glib2-devel, gtk2-devel, intltool
-BuildRequires: libblkid-devel, libSM-devel, libselinux-devel, libuser-devel
-BuildRequires: pam-devel, perl-XML-Parser, startup-notification-devel
+BuildRequires: gettext, glib2-devel, intltool
+%if %{with gtk}
+BuildRequires: desktop-file-utils, gtk2-devel, startup-notification-devel, libSM-devel
+%endif
+BuildRequires: libblkid-devel, libselinux-devel, libuser-devel
+BuildRequires: pam-devel, perl-XML-Parser
 BuildRequires: util-linux

+%if %{with gtk}
 %package gtk
 Summary: Graphical tools for certain user account management tasks
-Group: Applications/System
 Requires: %{name} = %{version}-%{release}
+%endif

 %global _hardened_build 1

@ -30,6 +35,7 @@ The usermode package contains the userhelper program, which can be
 used to allow configured programs to be run with superuser privileges
 by ordinary users.

+%if %{with gtk}
 %description gtk
 The usermode-gtk package contains several graphical tools for users:
 userinfo, usermount and userpasswd.  Userinfo allows users to change
@ -39,28 +45,31 @@ passwords.

 Install the usermode-gtk package if you would like to provide users with
 graphical tools for certain account management tasks.
+%endif

 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
+%patch -P 1 -p1 -b .fix_sast

 %build
-%configure --with-fexecve=no --with-selinux
+%configure --with-selinux --without-fexecve %{!?with_gtk:--without-gtk}

-make %{?_smp_mflags}
+%make_build

 %install
-make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
+%make_install INSTALL='install -p'

+%if %{with gtk}
 # make userformat symlink to usermount
 ln -sf usermount $RPM_BUILD_ROOT%{_bindir}/userformat
 ln -s usermount.1 $RPM_BUILD_ROOT%{_mandir}/man1/userformat.1
+%endif

 mkdir -p $RPM_BUILD_ROOT/etc/security/console.apps
 install -p -m 644 %{SOURCE1} \
 	$RPM_BUILD_ROOT/etc/security/console.apps/config-util

+%if %{with gtk}
 for i in redhat-userinfo.desktop redhat-userpasswd.desktop \
 	redhat-usermount.desktop; do
 	echo 'NotShowIn=GNOME;KDE;' >>$RPM_BUILD_ROOT%{_datadir}/applications/$i
@ -68,17 +77,20 @@ for i in redhat-userinfo.desktop redhat-userpasswd.desktop \
 		--dir $RPM_BUILD_ROOT%{_datadir}/applications \
 		$RPM_BUILD_ROOT%{_datadir}/applications/$i
 done
+%endif

 %find_lang %{name}

 %files -f %{name}.lang
-%doc COPYING ChangeLog NEWS README
+%license COPYING
+%doc ChangeLog NEWS README
 %attr(4711,root,root) /usr/sbin/userhelper
 %{_bindir}/consolehelper
 %{_mandir}/man8/userhelper.8*
 %{_mandir}/man8/consolehelper.8*
 %config(noreplace) /etc/security/console.apps/config-util

+%if %{with gtk}
 %files gtk
 %{_bindir}/usermount
 %{_mandir}/man1/usermount.1*
@ -95,24 +107,67 @@ done
 %{_datadir}/%{name}
 %{_datadir}/pixmaps/*
 %{_datadir}/applications/*
+%endif

 %changelog
-* Tue Aug 03 2021 Jiri Kucera <jkucera@redhat.com> - 1.113-2
- Fix typo in pam-panel-icon manpage
-  Do not use deprecated selinux API
-  Do not use fexecve
-  Resolves: #1775931
+* Tue Aug 06 2024 Michal Hlavinka <mhlavink@redhat.com> - 1.114-5
+- fix static analysis findings (RHEL-27043)

-* Mon Nov 05 2018 Jiri Kucera <jkucera@redhat.com> - 1.113-1
- Rebase to usermode-1.113 (fixes static scanner issues)
-  Resolves #1602722
+* Thu Dec 09 2021 Jiri Kucera <jkucera@redhat.com> - 1.114-4
+- Rebuild with new annobin
+  Related: #1984417

-* Wed Aug 08 2018 Jiri Kucera <jkucera@redhat.com> - 1.112-2
+* Tue Dec 07 2021 Jiri Kucera <jkucera@redhat.com> - 1.114-3
+- Do not use fexecve
+  Script executed via fexecve has a file descriptor number in
+  argv[0]. This results in unexpected output: when displaying
+  the script help, a user see "Usage: <number> [options]"
+  instead of "Usage: <scriptname> [options]".
+  Resolves: #1984417
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.114-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri May 14 2021 Jiri Kucera <jkucera@redhat.com> - 1.114-1
+- Update to usermode-1.114
+  Resolves: #1938893
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.112-11
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Sep 09 2020 Jiri Kucera <jkucera@redhat.com> - 1.112-9
+- Do not use deprecated selinux headers
+  Resolves #1865598
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-8
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Aug 07 2018 Jiri Kucera <jkucera@redhat.com> - 1.112-3
 - Dropped need to run autotools
 - <sys/sysmacros.h> must be now included manually
-  Resolves #1611752
+  Resolves #1606624
 - Fixed bad FSF address

+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.112-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Thu Feb 22 2018 Jiri Kucera <jkucera@redhat.com> - 1.112-1
 - Update to usermode-1.112
  Resolves #1269643
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
--- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
--- a/1
+++ b/1
@ -1 +0,0 @@
-SHA512 (usermode-1.113.tar.xz) = 0653da8cff94b86bd67ca1bed50bb77a929f5da1c047e6c627273fc319cc3bf6df7c5af1b5be160b2068632199d194bd00bcf43f702927a34b884149800c7f21
--- a/usermode-1.113-manpage_typo.patch
+++ b/usermode-1.113-manpage_typo.patch
@ -1,22 +0,0 @@
-From 79c1ddd9fbea9cdc2bc973a3d271e9c9617d5eb7 Mon Sep 17 00:00:00 2001
-From: Jiri Kucera <jkucera@redhat.com>
-Date: Apr 28 2021 08:24:20 +0000
-Subject: Fix typo
-
-
---
-
-diff --git a/pam-panel-icon.1 b/pam-panel-icon.1
-index 5f891dc..2563627 100644
--- a/pam-panel-icon.1
-+++ b/pam-panel-icon.1
-@@ -40,7 +40,7 @@ timestamp status.
- If the
- .B pam_timestamp
- authorization is active,
-allowing an unprivileted user to temporarily authenticate as the
-+allowing an unprivileged user to temporarily authenticate as the
- .B root
- user without providing a password,
- an icon in the notification area of the panel is displayed.
-
--- a/usermode-1.113-selinux.patch
+++ b/usermode-1.113-selinux.patch
@ -1,65 +0,0 @@
-From 48c4085004caad1ec928fa103b7f3e3fe684c826 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Apr 07 2020 11:16:48 +0000
-Subject: Do not use deprecated flask.h and av_permissions.h
-
-
-selinux/flask.h and selinux/av_permissions.h will be completely dropped in the
-next SELinux release.
-
-Use string_to_security_class() and string_to_av_perm() to get class and
-permission values. The original hardcoded values could be invalid and are
-deprecated as the whole flask.h and av_permissions.h header files.
-
---
-
-diff --git a/userhelper.c b/userhelper.c
-index 4177c89..f2afde7 100644
--- a/userhelper.c
-+++ b/userhelper.c
-@@ -48,8 +48,6 @@
- 
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
- #endif
- 
- #include "shvar.h"
-@@ -111,7 +109,7 @@ static int checkAccess(unsigned int selaccess) {
-     struct av_decision avd;
-     int retval = security_compute_av(user_context,
- 				     user_context,
-				     SECCLASS_PASSWD,
-+				     string_to_security_class("passwd"),
- 				     selaccess,
- 				     &avd);
- 	  
-@@ -2267,7 +2265,8 @@ main(int argc, char **argv)
- 	const char *new_home_phone;
- 	const char *new_shell;
- #ifdef WITH_SELINUX
-	unsigned perm;
-+	security_class_t class;
-+	access_vector_t perm;
- #endif
- 
- 	/* State variable we pass around. */
-@@ -2426,12 +2425,13 @@ main(int argc, char **argv)
- 			user_name = g_strdup(argv[optind]);
- 
- #ifdef WITH_SELINUX
-+			class = string_to_security_class("passwd");
- 			if (c_flag) 
-			  perm = PASSWD__PASSWD;
-+			  perm = string_to_av_perm(class, "passwd");
- 			else if (s_flag)
-			  perm = PASSWD__CHSH;
-+			  perm = string_to_av_perm(class, "chsh");
- 			else
-			  perm = PASSWD__CHFN;
-+			  perm = string_to_av_perm(class, "chfn");
- 
- 			if (is_selinux_enabled() > 0 &&
- 			    checkAccess(perm)!= 0) {
-
				`@ -0,0 +1 @@`
				`8566e6c180ba5a6635c92d7a76f3e4410dab7dc8 SOURCES/usermode-1.114.tar.xz`
				`@ -1 +0,0 @@`
				`SHA512 (usermode-1.113.tar.xz) = 0653da8cff94b86bd67ca1bed50bb77a929f5da1c047e6c627273fc319cc3bf6df7c5af1b5be160b2068632199d194bd00bcf43f702927a34b884149800c7f21`