diff --git a/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch b/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch index 18ee668..ae765e9 100644 --- a/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch +++ b/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch @@ -97,5 +97,5 @@ index 2ad1c165..329d121e 100644 = "*.* @far.far.away\n" -- -2.13.5 +2.13.6 diff --git a/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch b/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch index be59a73..6cc2093 100644 --- a/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch +++ b/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch @@ -82,5 +82,5 @@ index 33ea16f1..8e8c083b 100644 } } -- -2.13.5 +2.13.6 diff --git a/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch b/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch index d673b86..0b0e93a 100644 --- a/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch +++ b/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch @@ -139,5 +139,5 @@ index 5f2bfb13..d5ede698 100644 - { } } -- -2.13.5 +2.13.6 diff --git a/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch b/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch index a30c599..2ac217f 100644 --- a/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch +++ b/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch @@ -47,5 +47,5 @@ index 40cd26fb..c7309b16 100644 - -let xfm = transform lns filter -- -2.13.5 +2.13.6 diff --git a/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch b/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch index 01442bc..14767f4 100644 --- a/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch +++ b/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch 
@@ -134,5 +134,5 @@ index c6a63d96..0abfa6bd 100644 - { "domain" = "qux.net" } - } -- -2.13.5 +2.13.6 diff --git a/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch b/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch index 21d1aec..4d10ed4 100644 --- a/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch +++ b/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch @@ -486,5 +486,5 @@ index b4563540..387ac7d2 100644 lens-stunnel.sh \ lens-subversion.sh \ -- -2.13.5 +2.13.6 diff --git a/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch b/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch index 78e8d95..0d5cbba 100644 --- a/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch +++ b/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch @@ -1746,5 +1746,5 @@ index 387ac7d2..315cac9c 100644 lens-dnsmasq.sh \ lens-dovecot.sh \ -- -2.13.5 +2.13.6 diff --git a/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch b/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch index 82aa24b..007bf8a 100644 --- a/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch +++ b/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch @@ -414,5 +414,5 @@ index 315cac9c..65d8993e 100644 lens-solaris_system.sh \ lens-soma.sh \ -- -2.13.5 +2.13.6 diff --git a/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch b/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch index f35e21c..724831a 100644 --- a/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch +++ b/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch @@ -254,5 +254,5 @@ index 65d8993e..4d2b2605 100644 lens-rsyncd.sh \ lens-rsyslog.sh \ -- -2.13.5 +2.13.6 
diff --git a/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch b/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch new file mode 100644 index 0000000..7aa278e --- /dev/null +++ b/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch @@ -0,0 +1,29 @@ +From 9a65d8e4a428f05e392658fac498ea99d3b3405f Mon Sep 17 00:00:00 2001 +From: Luigi Toscano +Date: Thu, 24 Aug 2017 16:21:49 +0200 +Subject: [PATCH] Fix sudoers lens: recognize "match_group_by_gid" + +The option is now enabled by default in the default sudoers of +RHEL 7.4 (and probably soon CentOS 7). + +Closes #482 +--- + lenses/sudoers.aug | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lenses/sudoers.aug b/lenses/sudoers.aug +index 7567772d..0437daae 100644 +--- a/lenses/sudoers.aug ++++ b/lenses/sudoers.aug +@@ -307,7 +307,7 @@ let parameter_flag_kw = "always_set_home" | "authenticate" | "env_editor" + | "tty_tickets" | "visiblepw" | "closefrom_override" + | "closefrom_override" | "compress_io" | "fast_glob" + | "log_input" | "log_output" | "pwfeedback" +- | "umask_override" | "use_pty" ++ | "umask_override" | "use_pty" | "match_group_by_gid" + + let parameter_flag = [ del_negate . negate_node? + . key parameter_flag_kw ] +-- +2.13.6 + diff --git a/SOURCES/0010-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch b/SOURCES/0010-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch deleted file mode 100644 index 051b999..0000000 --- a/SOURCES/0010-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 419ab04ebea64ab23aa5e97a62e3499438d4e680 Mon Sep 17 00:00:00 2001 -From: David Lutterkort -Date: Fri, 4 Aug 2017 17:13:52 -0700 -Subject: [PATCH] * src/pathx.c (parse_name): correctly handle trailing - whitespace in names - -When a name ended in whitespace, we incorrectly assumed it was always ok to -trim that whitespace. That is not true if that whitespace is escaped, -i.e. if the path expression is something like '/x\ '. In that case, the -name really needs to be literally 'x ', i.e., we can not trim that -whitespace. - -The incorrect behavior led to turning '/x\ ' first into 'x\' and then, -because we assume that '\' is always followed by a character inside the -string, when we removed the escaping '\', we would read beyond the end of -the intermediate string result; if we were lucky, that would lead to a -crash, otherwise we'd continue with junk. - -We now make sure that escaped whitespace at the end of a string does not -get stripped, avoiding all these headaches. - -Fixes RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1475621 ---- - src/pathx.c | 27 +++++++++++++++++++------ - tests/test-xpath.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 80 insertions(+), 6 deletions(-) - -diff --git a/src/pathx.c b/src/pathx.c -index 8d8dbbbe..a726a032 100644 ---- a/src/pathx.c -+++ b/src/pathx.c -@@ -1643,6 +1643,16 @@ int pathx_escape_name(const char *in, char **out) { - return 0; - } - -+/* Return true if POS is preceded by an odd number of backslashes, i.e., if -+ * POS is escaped. Stop the search when we get to START */ -+static bool backslash_escaped(const char *pos, const char *start) { -+ bool result=false; -+ while (pos-- > start && *pos == '\\') { -+ result = !result; -+ } -+ return result; -+} -+ - /* - * NameNoWS ::= [^][|/\= \t\n] | \\. - * NameWS ::= [^][|/\=] | \\. 
-@@ -1652,11 +1662,14 @@ static char *parse_name(struct state *state) { - const char *s = state->pos; - char *result; - -+ /* Advance state->pos until it points to the first character that is -+ * not part of a name. */ - while (*state->pos != '\0' && strchr(name_follow, *state->pos) == NULL) { -- /* This is a hack: since we allow spaces in names, we need to avoid -- * gobbling up stuff that is in follow(Name), e.g. 'or' so that -- * things like [name1 or name2] still work. -- */ -+ /* Since we allow spaces in names, we need to avoid gobbling up -+ * stuff that is in follow(Name), e.g. 'or' so that things like -+ * [name1 or name2] still work. In other words, we'll parse 'x frob -+ * y' as one name, but for 'x or y', we consider 'x' a name in its -+ * own right. */ - if (STREQLEN(state->pos, " or ", strlen(" or ")) || - STREQLEN(state->pos, " and ", strlen(" and "))) - break; -@@ -1671,10 +1684,12 @@ static char *parse_name(struct state *state) { - state->pos += 1; - } - -- /* Strip trailing white space */ -+ /* Strip trailing white space. Make sure we respect escaped whitespace -+ * and don't strip it as in "x\\ " */ - if (state->pos > s) { - state->pos -= 1; -- while (isspace(*state->pos) && state->pos >= s) -+ while (isspace(*state->pos) && state->pos > s -+ && !backslash_escaped(state->pos, s)) - state->pos -= 1; - state->pos += 1; - } -diff --git a/tests/test-xpath.c b/tests/test-xpath.c -index 335e7bf8..dbba29e0 100644 ---- a/tests/test-xpath.c -+++ b/tests/test-xpath.c -@@ -331,6 +331,62 @@ static int test_wrong_regexp_flag(struct augeas *aug) { - return -1; - } - -+static int test_trailing_ws_in_name(struct augeas *aug) { -+ int r; -+ -+ printf("%-30s ... ", "trailing_ws_in_name"); -+ -+ /* We used to incorrectly lop escaped whitespace off the end of a -+ * name. Make sure that we really create a tree node with label 'x ' -+ * with the below set, and look for it in a number of ways to ensure we -+ * are not lopping off trailing whitespace. 
*/ -+ r = aug_set(aug, "/ws\\ ", "1"); -+ if (r < 0) { -+ fprintf(stderr, "failed to set '/ws ': %d\n", r); -+ goto fail; -+ } -+ /* We did not create a node with label 'ws' */ -+ r = aug_get(aug, "/ws", NULL); -+ if (r != 0) { -+ fprintf(stderr, "created '/ws' instead: %d\n", r); -+ goto fail; -+ } -+ -+ /* We did not create a node with label 'ws\t' (this also checks that we -+ * don't create something like 'ws\\' by dropping the last whitespace -+ * character. */ -+ r = aug_get(aug, "/ws\\\t", NULL); -+ if (r != 0) { -+ fprintf(stderr, "found '/ws\\t': %d\n", r); -+ goto fail; -+ } -+ -+ /* But we did create 'ws ' */ -+ r = aug_get(aug, "/ws\\ ", NULL); -+ if (r != 1) { -+ fprintf(stderr, "could not find '/ws ': %d\n", r); -+ goto fail; -+ } -+ -+ /* If the whitespace is preceded by an even number of '\\' chars, -+ * whitespace must be stripped */ -+ r = aug_set(aug, "/nows\\\\ ", "1"); -+ if (r < 0) { -+ fprintf(stderr, "set of '/nows' failed: %d\n", r); -+ goto fail; -+ } -+ r = aug_get(aug, "/nows\\\\", NULL); -+ if (r != 1) { -+ fprintf(stderr, "could not get '/nows\\'\n"); -+ goto fail; -+ } -+ printf("PASS\n"); -+ return 0; -+ fail: -+ printf("FAIL\n"); -+ return -1; -+} -+ - static int run_tests(struct test *tests, int argc, char **argv) { - char *lensdir; - struct augeas *aug = NULL; -@@ -374,6 +430,9 @@ static int run_tests(struct test *tests, int argc, char **argv) { - - if (test_wrong_regexp_flag(aug) < 0) - result = EXIT_FAILURE; -+ -+ if (test_trailing_ws_in_name(aug) < 0) -+ result = EXIT_FAILURE; - } - aug_close(aug); - --- -2.13.5 - diff --git a/SOURCES/0011-Fix-sudoers-lens-recognize-match_group_by_gid.patch b/SOURCES/0011-Fix-sudoers-lens-recognize-match_group_by_gid.patch deleted file mode 100644 index 30961e4..0000000 --- a/SOURCES/0011-Fix-sudoers-lens-recognize-match_group_by_gid.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 15409d95e059b898a30a41107fa4c81ef35799f8 Mon Sep 17 00:00:00 2001 -From: Luigi Toscano -Date: Thu, 24 Aug 2017 16:21:49 +0200 -Subject: [PATCH] Fix sudoers lens: recognize "match_group_by_gid" - -The option is now enabled by default in the default sudoers of -RHEL 7.4 (and probably soon CentOS 7). - -Closes #482 ---- - lenses/sudoers.aug | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lenses/sudoers.aug b/lenses/sudoers.aug -index 7567772d..0437daae 100644 ---- a/lenses/sudoers.aug -+++ b/lenses/sudoers.aug -@@ -307,7 +307,7 @@ let parameter_flag_kw = "always_set_home" | "authenticate" | "env_editor" - | "tty_tickets" | "visiblepw" | "closefrom_override" - | "closefrom_override" | "compress_io" | "fast_glob" - | "log_input" | "log_output" | "pwfeedback" -- | "umask_override" | "use_pty" -+ | "umask_override" | "use_pty" | "match_group_by_gid" - - let parameter_flag = [ del_negate . negate_node? - . key parameter_flag_kw ] --- -2.13.5 - diff --git a/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch b/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch new file mode 100644 index 0000000..a674572 --- /dev/null +++ b/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch 
@@ -0,0 +1,162 @@ +From d157f330acfe94a1f61bf766b485beb0e0dd7177 Mon Sep 17 00:00:00 2001 +From: David Lutterkort +Date: Fri, 4 Aug 2017 17:13:52 -0700 +Subject: [PATCH] * src/pathx.c (parse_name): correctly handle trailing + whitespace in names + +When a name ended in whitespace, we incorrectly assumed it was always ok to +trim that whitespace. That is not true if that whitespace is escaped, +i.e. if the path expression is something like '/x\ '. In that case, the +name really needs to be literally 'x ', i.e., we can not trim that +whitespace. + +The incorrect behavior led to turning '/x\ ' first into 'x\' and then, +because we assume that '\' is always followed by a character inside the +string, when we removed the escaping '\', we would read beyond the end of +the intermediate string result; if we were lucky, that would lead to a +crash, otherwise we'd continue with junk. + +We now make sure that escaped whitespace at the end of a string does not +get stripped, avoiding all these headaches. + +Fixes RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1475621 +--- + src/pathx.c | 27 +++++++++++++++++++------ + tests/test-xpath.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+), 6 deletions(-) + +diff --git a/src/pathx.c b/src/pathx.c +index 8d8dbbbe..a726a032 100644 +--- a/src/pathx.c ++++ b/src/pathx.c +@@ -1643,6 +1643,16 @@ int pathx_escape_name(const char *in, char **out) { + return 0; + } + ++/* Return true if POS is preceded by an odd number of backslashes, i.e., if ++ * POS is escaped. Stop the search when we get to START */ ++static bool backslash_escaped(const char *pos, const char *start) { ++ bool result=false; ++ while (pos-- > start && *pos == '\\') { ++ result = !result; ++ } ++ return result; ++} ++ + /* + * NameNoWS ::= [^][|/\= \t\n] | \\. + * NameWS ::= [^][|/\=] | \\. 
+@@ -1652,11 +1662,14 @@ static char *parse_name(struct state *state) { + const char *s = state->pos; + char *result; + ++ /* Advance state->pos until it points to the first character that is ++ * not part of a name. */ + while (*state->pos != '\0' && strchr(name_follow, *state->pos) == NULL) { +- /* This is a hack: since we allow spaces in names, we need to avoid +- * gobbling up stuff that is in follow(Name), e.g. 'or' so that +- * things like [name1 or name2] still work. +- */ ++ /* Since we allow spaces in names, we need to avoid gobbling up ++ * stuff that is in follow(Name), e.g. 'or' so that things like ++ * [name1 or name2] still work. In other words, we'll parse 'x frob ++ * y' as one name, but for 'x or y', we consider 'x' a name in its ++ * own right. */ + if (STREQLEN(state->pos, " or ", strlen(" or ")) || + STREQLEN(state->pos, " and ", strlen(" and "))) + break; +@@ -1671,10 +1684,12 @@ static char *parse_name(struct state *state) { + state->pos += 1; + } + +- /* Strip trailing white space */ ++ /* Strip trailing white space. Make sure we respect escaped whitespace ++ * and don't strip it as in "x\\ " */ + if (state->pos > s) { + state->pos -= 1; +- while (isspace(*state->pos) && state->pos >= s) ++ while (isspace(*state->pos) && state->pos > s ++ && !backslash_escaped(state->pos, s)) + state->pos -= 1; + state->pos += 1; + } +diff --git a/tests/test-xpath.c b/tests/test-xpath.c +index 335e7bf8..dbba29e0 100644 +--- a/tests/test-xpath.c ++++ b/tests/test-xpath.c +@@ -331,6 +331,62 @@ static int test_wrong_regexp_flag(struct augeas *aug) { + return -1; + } + ++static int test_trailing_ws_in_name(struct augeas *aug) { ++ int r; ++ ++ printf("%-30s ... ", "trailing_ws_in_name"); ++ ++ /* We used to incorrectly lop escaped whitespace off the end of a ++ * name. Make sure that we really create a tree node with label 'x ' ++ * with the below set, and look for it in a number of ways to ensure we ++ * are not lopping off trailing whitespace. 
*/ ++ r = aug_set(aug, "/ws\\ ", "1"); ++ if (r < 0) { ++ fprintf(stderr, "failed to set '/ws ': %d\n", r); ++ goto fail; ++ } ++ /* We did not create a node with label 'ws' */ ++ r = aug_get(aug, "/ws", NULL); ++ if (r != 0) { ++ fprintf(stderr, "created '/ws' instead: %d\n", r); ++ goto fail; ++ } ++ ++ /* We did not create a node with label 'ws\t' (this also checks that we ++ * don't create something like 'ws\\' by dropping the last whitespace ++ * character. */ ++ r = aug_get(aug, "/ws\\\t", NULL); ++ if (r != 0) { ++ fprintf(stderr, "found '/ws\\t': %d\n", r); ++ goto fail; ++ } ++ ++ /* But we did create 'ws ' */ ++ r = aug_get(aug, "/ws\\ ", NULL); ++ if (r != 1) { ++ fprintf(stderr, "could not find '/ws ': %d\n", r); ++ goto fail; ++ } ++ ++ /* If the whitespace is preceded by an even number of '\\' chars, ++ * whitespace must be stripped */ ++ r = aug_set(aug, "/nows\\\\ ", "1"); ++ if (r < 0) { ++ fprintf(stderr, "set of '/nows' failed: %d\n", r); ++ goto fail; ++ } ++ r = aug_get(aug, "/nows\\\\", NULL); ++ if (r != 1) { ++ fprintf(stderr, "could not get '/nows\\'\n"); ++ goto fail; ++ } ++ printf("PASS\n"); ++ return 0; ++ fail: ++ printf("FAIL\n"); ++ return -1; ++} ++ + static int run_tests(struct test *tests, int argc, char **argv) { + char *lensdir; + struct augeas *aug = NULL; +@@ -374,6 +430,9 @@ static int run_tests(struct test *tests, int argc, char **argv) { + + if (test_wrong_regexp_flag(aug) < 0) + result = EXIT_FAILURE; ++ ++ if (test_trailing_ws_in_name(aug) < 0) ++ result = EXIT_FAILURE; + } + aug_close(aug); + +-- +2.13.6 + diff --git a/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch b/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch new file mode 100644 index 0000000..c711a34 --- /dev/null +++ b/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch 
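Review bot: In the trailing-whitespace loop that the 0011 patch changes in `parse_name`, `isspace(*state->pos)` is still called on a plain `char`, which is undefined for negative values where `char` is signed, and path expressions reach this parser from API callers. The condition would be safer as `while (isspace((unsigned char) *state->pos) && state->pos > s`. The new `backslash_escaped` helper also leaves `pos` one element before `start` when its loop exits at the boundary (`pos-- > start`); the pointer is never dereferenced, but testing first and decrementing inside the loop body avoids forming it. `parse_name` starts and ends outside the inner hunks, so the later unescaping step that the commit message describes is not visible here.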
@@ -0,0 +1,28 @@ +From f0e1dfad1c8a7c8193f2805c0919d6105344dc17 Mon Sep 17 00:00:00 2001 +From: Dominic Cleal +Date: Thu, 17 Dec 2015 10:40:45 +0000 +Subject: [PATCH] * tests/test-save.c (testSaveNoPermission): skip when root + +--- + tests/test-save.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tests/test-save.c b/tests/test-save.c +index 4b6470f2..8775ba54 100644 +--- a/tests/test-save.c ++++ b/tests/test-save.c +@@ -355,6 +355,11 @@ static void testPathEscaping(CuTest *tc) { + * used to lead to a SEGV + */ + static void testSaveNoPermission(CuTest *tc) { ++ if (getuid() == 0) { ++ puts("pending (testSaveNoPermission): can't test permissions under root account"); ++ return; ++ } ++ + int r; + char *path = NULL; + const char *v; +-- +2.13.6 + diff --git a/SOURCES/0013-Chrony-allow-signed-numbers.patch b/SOURCES/0013-Chrony-allow-signed-numbers.patch new file mode 100644 index 0000000..5280cb8 --- /dev/null +++ b/SOURCES/0013-Chrony-allow-signed-numbers.patch 
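Review bot: The root check added at the top of `testSaveNoPermission` uses `getuid()`, but file permission checks are made against the effective UID, so the guard misses a run where only the effective UID is 0 and skips needlessly in the reverse case; `if (geteuid() == 0) {` matches what the test depends on. The hunk does not show the file's includes, so confirm that `<unistd.h>` is already pulled in for this call. The early return also reports the test as passed rather than skipped, and the `puts` message is the only trace of that in a build log. The function body continues outside the hunk.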
@@ -0,0 +1,52 @@ +From deae1ee7eafff09b983ba7b9bcb7e59df92a5cea Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Wed, 3 Jun 2015 17:31:07 +0200 +Subject: [PATCH] Chrony: allow signed numbers + +--- + lenses/chrony.aug | 4 ++-- + lenses/tests/test_chrony.aug | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/lenses/chrony.aug b/lenses/chrony.aug +index 32575688..5e30ee1f 100644 +--- a/lenses/chrony.aug ++++ b/lenses/chrony.aug +@@ -50,10 +50,10 @@ module Chrony = + let word = Rx.word + + (* Variable: integer *) +- let integer = Rx.integer ++ let integer = Rx.relinteger + + (* Variable: decimal *) +- let decimal = Rx.decimal ++ let decimal = Rx.reldecimal + + (* Variable: ip *) + let ip = Rx.ip +diff --git a/lenses/tests/test_chrony.aug b/lenses/tests/test_chrony.aug +index c4b552eb..905ecee4 100644 +--- a/lenses/tests/test_chrony.aug ++++ b/lenses/tests/test_chrony.aug +@@ -25,7 +25,7 @@ peer ntpc1.example.com + stratumweight 0 + driftfile /var/lib/chrony/drift + rtcsync +-makestep 10 3 ++makestep 10 -1 + bindcmdaddress 127.0.0.1 + bindcmdaddress ::1 + local stratum 10 +@@ -87,7 +87,7 @@ initstepslew 30 foo.bar.com baz.quz.com + { "rtcsync" } + { "makestep" + { "threshold" = "10" } +- { "limit" = "3" } ++ { "limit" = "-1" } + } + { "bindcmdaddress" = "127.0.0.1" } + { "bindcmdaddress" = "::1" } +-- +2.13.6 + diff --git a/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch b/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch new file mode 100644 index 0000000..75f751f --- /dev/null +++ b/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch 
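Review bot: Redefining the module-wide `integer` and `decimal` variables as `Rx.relinteger` and `Rx.reldecimal` makes every directive that uses them accept a sign, not only the `makestep` limit that the test exercises with `makestep 10 -1`. The uses of these variables are outside the hunk, so this is inferred, but fields such as ports or counts would presumably now parse with a negative value. Keeping `integer` unsigned and adding a separate variable, e.g. `let relinteger = Rx.relinteger`, for the directives that chrony documents as signed would keep the lens as strict as before everywhere else.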
@@ -0,0 +1,52 @@ +From 430f0210d36d3abf2bfbe2a336f8f8d260ccc81b Mon Sep 17 00:00:00 2001 +From: "Jason A. Smith" +Date: Fri, 23 Dec 2016 03:19:24 -0500 +Subject: [PATCH] Fix #430 - support Krb5 include(dir)? + +Updated the Krb5 lens to support the include(dir)? directives, +with test case. +--- + lenses/krb5.aug | 9 +++++++-- + lenses/tests/test_krb5.aug | 9 +++++++++ + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/lenses/krb5.aug b/lenses/krb5.aug +index 37778fd8..8936f3a0 100644 +--- a/lenses/krb5.aug ++++ b/lenses/krb5.aug +@@ -151,8 +151,13 @@ let kdc = + let pam = + simple_section "pam" name_re + +-let lns = (comment|empty)* . ++let includes = Build.key_value_line /include(dir)?/ Sep.space (store Rx.fspath) ++ ++let lns = (comment|empty|includes)* . + (libdefaults|login|appdefaults|realms|domain_realm + |logging|capaths|dbdefaults|dbmodules|instance_mapping|kdc|pam)* + +-let xfm = transform lns (incl "/etc/krb5.conf") ++let filter = (incl "/etc/krb5.conf.d/*.conf") ++ . (incl "/etc/krb5.conf") ++ ++let xfm = transform lns filter +diff --git a/lenses/tests/test_krb5.aug b/lenses/tests/test_krb5.aug +index e17a659a..743bb375 100644 +--- a/lenses/tests/test_krb5.aug ++++ b/lenses/tests/test_krb5.aug +@@ -1020,3 +1020,12 @@ default_ccache_name = KEYRING:persistent:%{uid}\n" = + { "libdefaults" + { } + { "default_ccache_name" = "KEYRING:persistent:%{uid}" } } ++ ++(* Include(dir) test *) ++let include_test = "include /etc/krb5.other_conf.d/other.conf ++includedir /etc/krb5.conf.d/ ++" ++ ++test Krb5.lns get include_test = ++ { "include" = "/etc/krb5.other_conf.d/other.conf" } ++ { "includedir" = "/etc/krb5.conf.d/" } +-- +2.13.6 + diff --git a/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch b/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch new file mode 100644 index 0000000..90df2d5 --- /dev/null +++ b/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch 
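Review bot: `includes` is only added to the leading `(comment|empty|includes)*` part of `lns`, so an `include` or `includedir` line that appears after the first section is, as far as this hunk shows, not accepted and the whole file would fail to parse. The test only covers directives at the top of the file. A comment on the new lens would help, for example `(* include/includedir are only recognised before the first section; the target path is stored, not followed *)`, since a tool that audits Kerberos settings through this tree has to load the referenced files itself. The new `filter` covers `/etc/krb5.conf.d/*.conf` but not other include targets such as the `/etc/krb5.other_conf.d/other.conf` used in the test.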
@@ -0,0 +1,81 @@ +From de01f104d6ee4b11122aa4a108fc6082d3061886 Mon Sep 17 00:00:00 2001 +From: Pino Toscano +Date: Mon, 4 Sep 2017 18:45:05 +0200 +Subject: [PATCH] Cgconfig: allow fperm & dperm in admin & task + +These keys are used to control the permissions for files and +directories. +--- + lenses/cgconfig.aug | 2 +- + lenses/tests/test_cgconfig.aug | 45 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/lenses/cgconfig.aug b/lenses/cgconfig.aug +index 6a5b8603..e766343d 100644 +--- a/lenses/cgconfig.aug ++++ b/lenses/cgconfig.aug +@@ -30,7 +30,7 @@ module Cgconfig = + let name = /[^#= \n\t{}\/]+/ + let cont_name = /(cpuacct|cpu|devices|ns|cpuset|memory|freezer|net_cls|blkio|hugetlb|perf_event)/ + let role_name = /(admin|task)/ +- let id_name = /(uid|gid)/ ++ let id_name = /(uid|gid|fperm|dperm)/ + let address = /[^#; \n\t{}]+/ + let qaddress = address|/"[^#;"\n\t{}]+"/ + +diff --git a/lenses/tests/test_cgconfig.aug b/lenses/tests/test_cgconfig.aug +index 6cd0856d..84fd2ded 100644 +--- a/lenses/tests/test_cgconfig.aug ++++ b/lenses/tests/test_cgconfig.aug +@@ -318,3 +318,48 @@ test Cgconfig.lns get group6 = + { } + } + ++let group7 =" ++group daemons/www { ++ perm { ++ task { ++ uid = root; ++ gid = root; ++ fperm = 770; ++ } ++ admin { ++ uid = root; ++ gid = root; ++ dperm = 777; ++ } ++ } ++} ++" ++ ++test Cgconfig.lns get group7 = ++ { } ++ { "group" = "daemons/www" ++ { } ++ { "perm" ++ { } ++ { "task" ++ { } ++ { "uid" = "root" } ++ { } ++ { "gid" = "root" } ++ { } ++ { "fperm" = "770" } ++ { } } ++ { } ++ { "admin" ++ { } ++ { "uid" = "root" } ++ { } ++ { "gid" = "root" } ++ { } ++ { "dperm" = "777" } ++ { } } ++ { } } ++ { } ++ } ++ { } ++ +-- +2.13.6 + diff --git a/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch b/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch new file mode 100644 index 0000000..09bb7c8 --- /dev/null 
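Review bot: `id_name` now also matches `fperm` and `dperm`, which are permission modes rather than user or group ids, so the name no longer describes what the pattern accepts. Either a short comment on that line, such as `(* owner ids and file/directory permission modes *)`, or a separate `perm_name` pattern would keep the lens readable. The value pattern used for these keys is outside the hunk; if it is the one shared with `uid`/`gid`, a non-octal mode would be accepted, and the lens would be stricter with a value pattern like `/[0-7]+/` for the two new keys.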
+++ b/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch 
@@ -0,0 +1,55 @@ +From 06b3a79ee2bfdb4ae3675232e82ae3d06bbba353 Mon Sep 17 00:00:00 2001 +From: Pino Toscano +Date: Tue, 12 Sep 2017 10:58:46 +0200 +Subject: [PATCH] Grub: handle top-level "boot" directive (#494) + +Grub 1 effectively ignores commands in the configuration which work only +in the command line. The generated configuration by anaconda included +also a commented "boot=device" entry at the beginning: uncommenting that +does not make the configuration invalid, but makes the Grub lens not +able to parse it. + +Since there is no harm in representing a configuration key that will be +effectively ignored, accept top-level "boot" entries as well. +--- + lenses/grub.aug | 1 + + lenses/tests/test_grub.aug | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lenses/grub.aug b/lenses/grub.aug +index c52d16c6..9866f3f7 100644 +--- a/lenses/grub.aug ++++ b/lenses/grub.aug +@@ -148,6 +148,7 @@ module Grub = + | kw_menu_arg "foreground" + | kw_menu_arg "background" + | kw_menu_arg "verbose" ++ | kw_menu_arg "boot" (* only for CLI, ignored in conf *) + | serial + | terminal + | password_arg +diff --git a/lenses/tests/test_grub.aug b/lenses/tests/test_grub.aug +index f022ef72..8a0d9f4a 100644 +--- a/lenses/tests/test_grub.aug ++++ b/lenses/tests/test_grub.aug +@@ -8,7 +8,7 @@ module Test_grub = + # root (hd0,0) + # kernel /vmlinuz-version ro root=/dev/vg00/lv00 + # initrd /initrd-version.img +-#boot=/dev/sda ++boot=/dev/sda + device (hd0) HD(1,800,64000,9895c137-d4b2-4e3b-a93b-dc9ac4) + password --md5 $1$M9NLj$p2gs87vwNv48BUu.wAfVw0 + default=0 +@@ -53,7 +53,7 @@ title othermenu + { "#comment" = "root (hd0,0)" } + { "#comment" = "kernel /vmlinuz-version ro root=/dev/vg00/lv00" } + { "#comment" = "initrd /initrd-version.img" } +- { "#comment" = "boot=/dev/sda" } ++ { "boot" = "/dev/sda" } + { "device" = "(hd0)" + { "file" = "HD(1,800,64000,9895c137-d4b2-4e3b-a93b-dc9ac4)" } } + { "password" = "$1$M9NLj$p2gs87vwNv48BUu.wAfVw0" +-- +2.13.6 + 
diff --git a/SPECS/augeas.spec b/SPECS/augeas.spec index 03154d0..a963731 100644 --- a/SPECS/augeas.spec +++ b/SPECS/augeas.spec @@ -1,6 +1,6 @@ Name: augeas Version: 1.4.0 -Release: 2%{?dist}.2 +Release: 5%{?dist} Summary: A library for changing configuration files Group: System Environment/Libraries @@ -16,8 +16,13 @@ Patch6: 0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch Patch7: 0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch Patch8: 0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch Patch9: 0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch -Patch10: 0010-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch -Patch11: 0011-Fix-sudoers-lens-recognize-match_group_by_gid.patch +Patch10: 0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch +Patch11: 0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch +Patch12: 0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch +Patch13: 0013-Chrony-allow-signed-numbers.patch +Patch14: 0014-Fix-430-support-Krb5-include-dir.patch +Patch15: 0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch +Patch16: 0016-Grub-handle-top-level-boot-directive-494.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -70,6 +75,11 @@ The libraries for %{name}. %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 # Patches affect Makefile.am and configure.ac, so rerun autotools. autoreconf 
@@ -131,11 +141,18 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/augeas.pc %changelog -* Thu Sep 21 2017 Pino Toscano - 1.4.0-2.el7_4.2 -- Sudoers: recognize "match_group_by_gid" (RHBZ#1493005) - -* Mon Sep 04 2017 Pino Toscano - 1.4.0-2.el7_4.1 -- Fix CVE-2017-7555, improper handling of escaped strings (RHBZ#1481545) +* Wed Oct 04 2017 Pino Toscano - 1.4.0-5 +- Cgconfig: allow fperm & dperm in admin & task (RHBZ#1325741) +- Grub: handle top-level "boot" directive (RHBZ#1484261) + +* Mon Sep 04 2017 Pino Toscano - 1.4.0-4 +- Fix CVE-2017-7555, improper handling of escaped strings (RHBZ#1481546) +- Skip testSaveNoPermission when running as root (RHBZ#1269817) +- Chrony: allow signed numbers (RHBZ#1302017) +- Krb5: support includedir (RHBZ#1406111) + +* Tue Aug 29 2017 Luigi Toscano - 1.4.0-3 + Fix sudoers lens: recognize "match_group_by_gid" (RHBZ#1483888) * Thu Jul 30 2015 Dominic Cleal - 1.4.0-2 - Rhsm: add to parse subscription-manager config (RHBZ#1141121)