diff --git a/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch b/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
new file mode 100644
index 0000000..24a7326
--- /dev/null
+++ b/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
@@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "rpmio/digest.h"
+
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+
+ ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+ if (ret < 0) {
++ rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+ rc = 1;
+ goto done;
+ }
+--
+2.36.1
+
diff --git a/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch b/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
new file mode 100644
index 0000000..38b2f5a
--- /dev/null
+++ b/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
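Review bot: In the embedded digest_openssl.c patch, the new `rpmlog` warning sits under `if (ret < 0)`, so it only fires for a negative return from `EVP_PKEY_CTX_set_signature_md`. OpenSSL documents 0 as a failure value for the EVP_PKEY_CTX control calls as well, and with this condition a 0 return reaches neither the warning nor `rc = 1; goto done;`. Consider `if (ret <= 0) {` so that a digest which could not be set never falls through to the verification step. The condition is a context line and the rest of pgpVerifySigRSA lies outside the hunk, so what follows the check should be confirmed in the full function.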
@@ -0,0 +1,57 @@
+diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh
+index 4531271cc..74aeed851 100755
+--- a/scripts/rpm2cpio.sh
++++ b/scripts/rpm2cpio.sh
+@@ -15,13 +15,23 @@ _dd() {
+ }
+
+ calcsize() {
++
++ case "$(_dd $1 bs=4 count=1 | tr -d '\0')" in
++ "$(printf '\216\255\350')"*) ;; # '\x8e\xad\xe8'
++ *) fatal "File doesn't look like rpm: $pkg" ;;
++ esac
++
+ offset=$(($1 + 8))
+
+ local i b b0 b1 b2 b3 b4 b5 b6 b7
+
+ i=0
+ while [ $i -lt 8 ]; do
+- b="$(_dd $(($offset + $i)) bs=1 count=1)"
++ # add . to not loose \n
++ # strip \0 as it gets dropped with warning otherwise
++ b="$(_dd $(($offset + $i)) bs=1 count=1 | tr -d '\0' ; echo .)"
++ b=${b%.} # strip . again
++
+ [ -z "$b" ] &&
+ b="0" ||
+ b="$(exec printf '%u\n' "'$b")"
+@@ -33,7 +43,7 @@ calcsize() {
+ offset=$(($offset + $rsize))
+ }
+
+-case "$(_dd 0 bs=8 count=1)" in
++case "$(_dd 0 bs=4 count=1 | tr -d '\0')" in
+ "$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb'
+ *) fatal "File doesn't look like rpm: $pkg" ;;
+ esac
+@@ -44,11 +54,11 @@ sigsize=$rsize
+ calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
+ hdrsize=$rsize
+
+-case "$(_dd $offset bs=3 count=1)" in
+- "$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a'
+- "$(printf '\037\213')"*) _dd $offset | gunzip ;; # '\x1f\x8b'
+- "$(printf '\375\067')"*) _dd $offset | xzcat ;; # '\xfd\x37'
+- "$(printf '\135\000')"*) _dd $offset | unlzma ;; # '\x5d\x00'
+- "$(printf '\050\265')"*) _dd $offset | unzstd ;; # '\x28\xb5'
+- *) fatal "Unrecognized rpm file: $pkg" ;;
++case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in
++ "$(printf '\102\132')") _dd $offset | bunzip2 ;; # '\x42\x5a'
++ "$(printf '\037\213')") _dd $offset | gunzip ;; # '\x1f\x8b'
++ "$(printf '\375\067')") _dd $offset | xzcat ;; # '\xfd\x37'
++ "$(printf '\135')") _dd $offset | unlzma ;; # '\x5d\x00'
++ "$(printf '\050\265')") _dd $offset | unzstd ;; # '\x28\xb5'
++ *) fatal "Unrecognized payload compression format in rpm file: $pkg" ;;
+ esac
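Review bot: In the payload-format `case` of the embedded rpm2cpio.sh patch, the lzma arm now matches `'\135'` alone while its trailing comment still reads `'\x5d\x00'`. The match only works because `tr -d '\0'` drops the second byte before the comparison, which also means a payload starting `\x00\x5d` selects `unlzma`. A comment on that arm would make the intent visible to the next reader, e.g. `# NUL is removed by tr above, so '\x5d\x00' is compared as '\135'`. Separately, "loose" in `# add . to not loose \n` should read "lose".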
diff --git a/SOURCES/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch b/SOURCES/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch
deleted file mode 100644
index 343bd02..0000000
--- a/SOURCES/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From 534fd1f0c84b12ba6080a46e07c57ef913c77cba Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Thu, 25 Aug 2022 15:38:01 +0200
-Subject: [PATCH] fapolicyd: Make write() nonblocking
-
-- switch to read only and non blocking mode for pipe
-- add 1 minute loop to wait for pipe to reappear
-
-Sometimes during the system update/upgrade fapolicyd
-get restarted e.g. when systemd gets updated.
-That can lead to the situation where fapolicyd pipe
-has been removed and created again.
-In such cases rpm-plugin-fapolicyd gets stuck on
-write() to the pipe which does not exist anymore.
-After switching to non blocking file descriptor
-we can try to reopen the pipe if there is an error
-from write(). Assuming that a new pipe should appear
-when fapolicyd daemon starts again.
-If not then after 1 minute of waiting we expect
-fapolicyd daemon to be not active and we let the
-transaction continue.
-
-Signed-off-by: Radovan Sroka
----
- plugins/fapolicyd.c | 74 +++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 65 insertions(+), 9 deletions(-)
-
-diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c
-index 1ff50c30f..6c6322941 100644
---- a/plugins/fapolicyd.c
-+++ b/plugins/fapolicyd.c
-@@ -27,7 +27,7 @@ static rpmRC open_fifo(struct fapolicyd_data* state)
- int fd = -1;
- struct stat s;
-
-- fd = open(state->fifo_path, O_RDWR);
-+ fd = open(state->fifo_path, O_WRONLY|O_NONBLOCK);
- if (fd == -1) {
- rpmlog(RPMLOG_DEBUG, "Open: %s -> %s\n", state->fifo_path, strerror(errno));
- goto bad;
-@@ -55,15 +55,26 @@ static rpmRC open_fifo(struct fapolicyd_data* state)
- }
-
- state->fd = fd;
-+
- /* considering success */
- return RPMRC_OK;
-
- bad:
- if (fd >= 0)
- close(fd);
-+
-+ state->fd = -1;
- return RPMRC_FAIL;
- }
-
-+static void close_fifo(struct fapolicyd_data* state)
-+{
-+ if (state->fd > 0)
-+ (void) close(state->fd);
-+
-+ state->fd = -1;
-+}
-+
- static rpmRC write_fifo(struct fapolicyd_data* state, const char * str)
- {
- ssize_t len = strlen(str);
-@@ -86,6 +97,54 @@ static rpmRC write_fifo(struct fapolicyd_data* state, const char * str)
- return RPMRC_FAIL;
- }
-
-+static void try_to_write_to_fifo(struct fapolicyd_data* state, const char * str)
-+{
-+ int reload = 0;
-+ int printed = 0;
-+
-+ /* 1min/60s */
-+ const int timeout = 60;
-+
-+ /* wait up to X seconds */
-+ for (int i = 0; i < timeout; i++) {
-+
-+ if (reload) {
-+ if (!printed) {
-+ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: waiting for the service connection to resume, it can take up to %d seconds\n", timeout);
-+ printed = 1;
-+ }
-+
-+ (void) close_fifo(state);
-+ (void) open_fifo(state);
-+ }
-+
-+ if (state->fd >= 0) {
-+ if (write_fifo(state, str) == RPMRC_OK) {
-+
-+ /* write was successful after few reopens */
-+ if (reload)
-+ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has resumed\n");
-+
-+ break;
-+ }
-+ }
-+
-+ /* failed write or reopen */
-+ reload = 1;
-+ sleep(1);
-+
-+ /* the last iteration */
-+ /* consider failure */
-+ if (i == timeout-1) {
-+ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has not resumed\n");
-+ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: continuing without the service\n");
-+ }
-+
-+ }
-+
-+}
-+
-+
- static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts)
- {
- if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS))
-@@ -102,10 +161,7 @@ static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts)
-
- static void fapolicyd_cleanup(rpmPlugin plugin)
- {
-- if (fapolicyd_state.fd > 0)
-- (void) close(fapolicyd_state.fd);
--
-- fapolicyd_state.fd = -1;
-+ (void) close_fifo(&fapolicyd_state);
- }
-
- static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res)
-@@ -116,9 +172,9 @@ static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res)
- /* we are ready */
- if (fapolicyd_state.fd > 0) {
- /* send a signal that transaction is over */
-- (void) write_fifo(&fapolicyd_state, "1\n");
-+ (void) try_to_write_to_fifo(&fapolicyd_state, "1\n");
- /* flush cache */
-- (void) write_fifo(&fapolicyd_state, "2\n");
-+ (void) try_to_write_to_fifo(&fapolicyd_state, "2\n");
- }
-
- end:
-@@ -133,7 +189,7 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name,
-
- if (fapolicyd_state.changed_files > 0) {
- /* send signal to flush cache */
-- (void) write_fifo(&fapolicyd_state, "2\n");
-+ (void) try_to_write_to_fifo(&fapolicyd_state, "2\n");
-
- /* optimize flushing */
- /* flush only when there was an actual change */
-@@ -176,7 +232,7 @@ static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
- char * sha = rpmfiFDigestHex(fi, NULL);
-
- snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha);
-- (void) write_fifo(&fapolicyd_state, buffer);
-+ (void) try_to_write_to_fifo(&fapolicyd_state, buffer);
-
- free(sha);
-
---
-2.37.3
-
diff --git a/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch b/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
new file mode 100644
index 0000000..c6f30a7
--- /dev/null
+++ b/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
@@ -0,0 +1,20 @@
+--- rpm.orig/macros.in 2022-06-30 11:37:18.975312592 +0100
++++ rpm-4.16.1.3/macros.in 2022-06-30 11:37:43.145158323 +0100
+@@ -167,6 +167,9 @@
+ # A spec file can %%define _find_debuginfo_opts to pass options to
+ # the script. See the script for details.
+ #
++# Vendor spec files (eg redhat-rpm-config:macros) can %%define
++# _find_debuginfo_vendor_opts to pass options to the script.
++#
+ %__debug_install_post \
+ %{_rpmconfigdir}/find-debuginfo.sh \\\
+ %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\
+@@ -179,6 +182,7 @@
+ %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
+ %{?_find_debuginfo_dwz_opts} \\\
+ %{?_find_debuginfo_opts} \\\
++ %{?_find_debuginfo_vendor_opts} \\\
+ %{?_debugsource_packages:-S debugsourcefiles.list} \\\
+ "%{_builddir}/%{?buildsubdir}"\
+ %{nil}
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index b583524..d21d853 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 12 +%global rel 17 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -48,7 +48,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist}.1 +Release: %{?snapver:0.%{snapver}.}%{rel}%{?dist} Url: http://www.rpm.org/ Source0: http://ftp.rpm.org/releases/%{srcdir}/rpm-%{srcver}.tar.bz2 %if %{with bdb} && %{with int_bdb} @@ -82,12 +82,13 @@ Patch110: rpm-4.16.1.3-add-path-query-option.patch Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch Patch112: rpm-4.16.1.3-fix-regression-reading-rpm-v3-pkgs.patch Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch -Patch114: rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch +Patch114: rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form Patch907: rpm-4.15.x-ldflags.patch +Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch # Not yet (all) upstream, debugedit DWARF5 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2 @@ -100,6 +101,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch # Downstream-only patches Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch +Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch # Partially GPL/LGPL dual-licensed and some bits with BSD # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD 
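Review bot: In the patch list hunk, `Patch114` is reassigned from `rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch` to the rpm2cpio patch, so the fapolicyd plugin fix is no longer applied, and the later changelog hunk removes its entry (#2124603) without a replacement. Nothing on this page shows an equivalent fix staying in the build, which would bring back the blocking write on the fapolicyd pipe that the removed patch describes. If dropping it is intentional for this branch, a comment next to the slot would record that, e.g. `# fapolicyd non-blocking write fix (#2124603) is not carried on this branch`. Otherwise the patch should stay under its own number rather than having its slot reused.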
@@ -612,8 +614,14 @@ fi %doc doc/librpm/html/* %changelog -* Thu Sep 15 2022 Michal Domonkos - 4.16.1.3-12.1 -- Make write() nonblocking in fapolicyd plugin (#2124603) +* Wed Aug 03 2022 Florian Festi - 4.16.1.3-17 +- Make rpm2cpio.sh more robust (#1983015) + +* Thu Jun 30 2022 Nick Clifton - 4.16.1.3-15 +- Pass _find_debuginfo_vendor_opts to the find-debuginfo script. (#2099617) + +* Tue Jun 28 2022 Florian Festi - 4.16.1.3-14 +- Warning for failed key import (#2069877) * Tue Apr 05 2022 Michal Domonkos - 4.16.1.3-12 - Fix minor ABI regression in rpmcli.h (#2037352)