import OL yggdrasil-0.4.5-3.el10_0

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,10 +1 @@
-/yggdrasil-ffb580f55ae91beff78156fdb6a41be8bc049117.tar.gz
-/yggdrasil-0.3.1.tar.gz
-/yggdrasil-0.3.2.tar.gz
-/yggdrasil-0.3.2.tar.xz
-/yggdrasil-0.4.1.tar.xz
-/yggdrasil-0.4.2.tar.xz
-/yggdrasil-0.4.4.tar.xz
-/yggdrasil-0.4.5.tar.xz
-/yggdrasil-0.4.6.tar.xz
-/yggdrasil-0.4.7.tar.xz
+SOURCES/yggdrasil-0.4.5.tar.xz

.yggdrasil.metadata

@@ -0,0 +1 @@
+61c8ea524a5d18abab770e35394a7a1b548a409a SOURCES/yggdrasil-0.4.5.tar.xz

README.md

@@ -1,3 +0,0 @@
-# yggdrasil
-
-The yggdrasil package

SOURCES/0001-fix-Only-root-user-can-call-use-com.redhat.Yggdrasil.patch

@@ -0,0 +1,37 @@
+From 5291b3a84b1b251d27ce0f9aebca4ac56c620dc2 Mon Sep 17 00:00:00 2001
+From: Jiri Hnidek <jhnidek@redhat.com>
+Date: Wed, 30 Apr 2025 13:33:17 +0200
+Subject: [PATCH] fix: Only root user can call use com.redhat.Yggdrasil1
+
+* Card ID: RHEL-88585
+* CVE: CVE-2025-3931
+  * Local user was able to dispatch content for any
+    yggdrasil worker using D-Bus method Dispatch().
+    If there was any worker installed and the worker
+    used root user instead some system user, then
+    it could lead to a local privilege escalation
+* Only root user should be able to call methods in
+  com.redhat.Yggdrasil1 destination
+* No local user needs to call methods in this destination
+---
+ data/dbus/yggd.conf.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/data/dbus/yggd.conf.in b/data/dbus/yggd.conf.in
+index 26b2d46..695da5c 100644
+--- a/data/dbus/yggd.conf.in
++++ b/data/dbus/yggd.conf.in
+@@ -15,8 +15,8 @@
+     <allow send_destination="com.redhat.Yggdrasil1.Dispatcher1" />
+   </policy>
+ 
+-  <policy context="default">
+-    <!-- Anyone can send messages to the Yggdrasil1 destination. -->
++  <policy user="root">
++    <!-- Only root can send messages to the Yggdrasil1 destination. -->
+     <allow send_destination="com.redhat.Yggdrasil1" />
+   </policy>
+ </busconfig>
+-- 
+2.47.1
+

SPECS/yggdrasil.spec

@@ -1,8 +1,18 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 3;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 %bcond_without check
 
 # https://github.com/redhatinsights/yggdrasil
 %global goipath         github.com/redhatinsights/yggdrasil
-Version:                0.4.7
+Version:                0.4.5
 %global tag             v%{version}
 
 %gometa -f
@@ -32,6 +42,8 @@ BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(bash-completion)
 %{?sysusers_requires_compat}
 
+Patch0:         0001-fix-Only-root-user-can-call-use-com.redhat.Yggdrasil.patch
+
 %description %{common_description}
 
 %package devel
@@ -136,4 +148,88 @@ rm -f %{_unitdir}/rhcd.service
 %{_unitdir}/com.redhat.Yggdrasil1.Worker1.echo.service
 
 %changelog
-%autochangelog
+## START: Generated by rpmautospec
+* Thu Jun 26 2025 Alex Burmashev <alexander.burmashev@oracle.com> - 0.4.5-3
+- Fix CVE-2025-3931
+
+* Tue Mar 11 2025 Joe VLcek <jvlcek@redhat.com> - 0.4.5-2
+- Create rhcd.service sym link to yggdrasil.service
+
+* Mon Feb 03 2025 Link Dupont <link@sub-pop.net> - 0.4.5-1
+- Update to 0.4.5 (RHEL-77619)
+
+* Mon Feb 03 2025 Link Dupont <link@sub-pop.net> - 0.4.4-8
+- Include examples subpackage
+
+* Thu Nov 07 2024 Link Dupont <link@sub-pop.net> - 0.4.4-7
+- Include local state dir (RHEL-66427)
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.4.4-6
+- Bump release for October 2024 mass rebuild:
+
+* Tue Oct 08 2024 Link Dupont <link@sub-pop.net> - 0.4.4-4
+- Add yggdrasil user to rhsm group (RHEL-61735)
+
+* Tue Sep 24 2024 Link Dupont <link@sub-pop.net> - 0.4.4-3
+- Use sysusers_create_compat to create users in pre
+
+* Mon Sep 16 2024 Link Dupont <link@sub-pop.net> - 0.4.4-2
+- Bump release to rebuild
+
+* Fri Sep 13 2024 Link Dupont <link@sub-pop.net> - 0.4.4-1
+- Update to version 0.4.4 (RHEL-56788)
+
+* Mon Aug 19 2024 Link Dupont <link@sub-pop.net> - 0.4.1-8
+- Bump release to rebuild package.
+
+* Tue Aug 06 2024 Link Dupont <link@sub-pop.net> - 0.4.1-7
+- Don't build gopkg subpackages
+
+* Tue Aug 06 2024 Link Dupont <link@sub-pop.net> - 0.4.1-6
+- Rebuild to mitigate CVE-2024-24791 risk (RHEL-47186)
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.4.1-5
+- Bump release for June 2024 mass rebuild
+
+* Fri Jun 07 2024 Link Dupont <link@sub-pop.net> - 0.4.1-4
+- add gating.yaml
+
+* Sun Feb 11 2024 Maxwell G <maxwell@gtmx.me> - 0.4.1-3
+- Rebuild for golang 1.22.0
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Sep 18 2023 Link Dupont <link@sub-pop.net> - 0.4.1-1
+- Update to version 0.4.1 (RHBZ#2239102)
+
+* Wed Aug 09 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.3.2-2
+- Use vendored dependencies in RHEL builds
+
+* Mon Jul 24 2023 Link Dupont <link@sub-pop.net> - 0.3.2-1
+- Update to version 0.3.2 (RHBZ#2225230)
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Mar 07 2023 Link Dupont <link@sub-pop.net> - 0.3.1-2
+- Include D-Bus interface files in devel package
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 0.2.98^1.ffb580f-0.3
+- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
+  golang
+
+* Sat Jun 18 2022 Robert-André Mauchin <zebob.m@gmail.com> - 0.2.98^1.ffb580f-0.2
+- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
+  CVE-2022-29526, CVE-2022-30629
+
+* Tue Aug 10 2021 Link Dupont <linkdupont@fedoraproject.org> - 0.2.98^1.ffb580f-0.1.20210728gitffb580f
+- Initial package
+
+## END: Generated by rpmautospec

changelog

@@ -1,16 +0,0 @@
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.98^1.ffb580f-0.4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue Jul 19 2022 Maxwell G <gotmax@e.email> - 0.2.98^1.ffb580f-0.3
-- Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in
-  golang
-
-* Sat Jun 18 2022 Robert-André Mauchin <zebob.m@gmail.com> - 0.2.98^1.ffb580f-0.2
-- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
-  CVE-2022-29526, CVE-2022-30629
-
-* Tue Aug 10 2021 Link Dupont <linkdupont@fedoraproject.org> - 0.2.98^1.ffb580f-0.1.20210728gitffb580f
-- Initial package

gating.yaml

@@ -1,10 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-# Disabling until tier 0 tests are added: https://issues.redhat.com/browse/CCT-98  
-#  - !PassingTestCaseRule { test_case_name: osci.brew-build.tier0.functional }
-  - !PassingTestCaseRule {test_case_name: rhsmci.brew-build.tier1.functional}
-
-

plans/main.fmf

@@ -1,5 +0,0 @@
-summary: Basic smoke test
-discover:
-    how: fmf
-execute:
-    how: tmt

sources

@@ -1 +0,0 @@
-SHA512 (yggdrasil-0.4.7.tar.xz) = 7d9de9a4cbdaf108a923794f2ea222f6db57bf185eb4281b1486b56e4c843ca1199c0bb2a2ebb270c5ec86661346148fd0c8dd3448e5d7b78d0bc8e32a99156a

tests/smoke/main.fmf

@@ -1,3 +0,0 @@
-summary: Run yggd --help
-test: /usr/bin/yggd --help
-duration: 5m