From fe2bf251392a2f1451d5101a615e37941c6f1458 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2021 06:35:07 +0000 Subject: import p11-kit-0.23.22-1.el8 --- diff --git a/.gitignore b/.gitignore index bb75f38..f181ddb 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -SOURCES/p11-kit-0.23.14.tar.gz +SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +SOURCES/p11-kit-0.23.22.tar.xz diff --git a/.p11-kit.metadata b/.p11-kit.metadata index a336cc3..4e41b67 100644 --- a/.p11-kit.metadata +++ b/.p11-kit.metadata @@ -1 +1,2 @@ -30cab1d4b716022e6918f9a49976609c425f9cfc SOURCES/p11-kit-0.23.14.tar.gz +526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz diff --git a/SOURCES/p11-kit-0.23.22.tar.xz.sig b/SOURCES/p11-kit-0.23.22.tar.xz.sig new file mode 100644 index 0000000..6ef001e Binary files /dev/null and b/SOURCES/p11-kit-0.23.22.tar.xz.sig differ diff --git a/SOURCES/p11-kit-coverity.patch b/SOURCES/p11-kit-coverity.patch deleted file mode 100644 index f07f616..0000000 --- a/SOURCES/p11-kit-coverity.patch +++ /dev/null @@ -1,623 +0,0 @@ -From 8a8db182af533a43b4d478d28af8623035475d68 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:05:10 +0200 -Subject: [PATCH 01/10] debug: Work around cppcheck false-positives - -https://trac.cppcheck.net/ticket/8794 ---- - common/debug.h | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/common/debug.h b/common/debug.h -index 255c62c..7ea36f3 100644 ---- a/common/debug.h -+++ b/common/debug.h -@@ -71,13 +71,13 @@ void p11_debug_precond (const char *format, - #endif - - #define return_val_if_fail(x, v) \ -- do { if (!(x)) { \ -+ do { if (x) { } else { \ - p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ - return v; \ - } } while (false) - - #define return_if_fail(x) \ -- do { if (!(x)) { \ -+ do { if (x) { } else { \ - p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ - return; \ - } } while (false) -@@ -100,7 +100,7 @@ void p11_debug_precond (const char *format, - } while (false) - - #define warn_if_fail(x) \ -- do { if (!(x)) { \ -+ do { if (x) { } else { \ - p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \ - } } while (false) - --- -2.17.2 - - -From c76197ddbbd0c29adc2bceff2ee9f740f71d134d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:06:56 +0200 -Subject: [PATCH 02/10] build: Call va_end() always when leaving the function - ---- - common/attrs.c | 4 +++- - common/compat.c | 5 ++++- - common/path.c | 5 ++++- - trust/parser.c | 4 +++- - 4 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/common/attrs.c b/common/attrs.c -index aa91891..a387a66 100644 ---- a/common/attrs.c -+++ b/common/attrs.c -@@ -538,8 +538,10 @@ buffer_append_printf (p11_buffer *buffer, - va_list va; - - va_start (va, format); -- if (vasprintf (&string, format, va) < 0) -+ if (vasprintf (&string, format, va) < 0) { -+ va_end (va); - return_if_reached (); -+ } - va_end (va); - - p11_buffer_add (buffer, string, -1); -diff --git a/common/compat.c b/common/compat.c -index 5a9702d..48614fa 100644 ---- a/common/compat.c -+++ b/common/compat.c -@@ -525,7 +525,10 @@ strconcat (const char *first, - for (arg = first; arg; arg = va_arg (va, const char*)) { - size_t old_length = length; - length += strlen (arg); -- return_val_if_fail (length >= old_length, NULL); -+ if (length < old_length) { -+ va_end (va); -+ return_val_if_reached (NULL); -+ } - } - - va_end (va); -diff --git a/common/path.c b/common/path.c -index 5cf0e1a..17a6230 100644 ---- a/common/path.c -+++ b/common/path.c -@@ -218,7 +218,10 @@ p11_path_build (const char *path, - while (path != NULL) { - size_t old_len = len; - len += strlen (path) + 1; -- return_val_if_fail (len >= old_len, NULL); -+ if (len < old_len) { -+ va_end (va); -+ return_val_if_reached (NULL); -+ } - path = va_arg (va, const char *); - } - va_end (va); -diff --git a/trust/parser.c b/trust/parser.c -index f92cdc9..e912c3a 100644 ---- a/trust/parser.c -+++ b/trust/parser.c -@@ -697,8 +697,10 @@ p11_parser_formats (p11_parser *parser, - func = va_arg (va, parser_func); - if (func == NULL) - break; -- if (!p11_array_push (formats, func)) -+ if (!p11_array_push (formats, func)) { -+ va_end (va); - return_if_reached (); -+ } - } - va_end (va); - --- -2.17.2 - - -From b10dadce5a3c921149b2c9fe0dec614f8076ebda Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:10:05 +0200 -Subject: [PATCH 03/10] build: Free memory before return{,_val}_if_* macros - ---- - p11-kit/iter.c | 5 ++++- - p11-kit/proxy.c | 10 ++++++++-- - trust/asn1.c | 15 ++++++++++++--- - trust/builder.c | 5 ++++- - trust/index.c | 10 ++++++++-- - trust/persist.c | 5 ++++- - trust/save.c | 29 +++++++++++++++++++++++++---- - trust/session.c | 10 ++++++++-- - trust/token.c | 5 ++++- - 9 files changed, 77 insertions(+), 17 deletions(-) - -diff --git a/p11-kit/iter.c b/p11-kit/iter.c -index 0e4ca6e..d1ffd91 100644 ---- a/p11-kit/iter.c -+++ b/p11-kit/iter.c -@@ -157,7 +157,10 @@ p11_kit_iter_new (P11KitUri *uri, - return_val_if_fail (iter != NULL, NULL); - - iter->modules = p11_array_new (NULL); -- return_val_if_fail (iter->modules != NULL, NULL); -+ if (iter->modules == NULL) { -+ p11_kit_iter_free (iter); -+ return_val_if_reached (NULL); -+ } - - iter->want_writable = !!(behavior & P11_KIT_ITER_WANT_WRITABLE); - iter->preload_results = !(behavior & P11_KIT_ITER_BUSY_SESSIONS); -diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c -index b7fb63d..abe7935 100644 ---- a/p11-kit/proxy.c -+++ b/p11-kit/proxy.c -@@ -267,7 +267,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, - py->forkid = p11_forkid; - - py->inited = modules_dup (loaded); -- return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY); -+ if (py->inited == NULL) { -+ proxy_free (py, 0); -+ return_val_if_reached (CKR_HOST_MEMORY); -+ } - - rv = p11_kit_modules_initialize (py->inited, NULL); - -@@ -320,7 +323,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, - } - - py->sessions = p11_dict_new (p11_dict_ulongptr_hash, p11_dict_ulongptr_equal, NULL, free); -- return_val_if_fail (py->sessions != NULL, CKR_HOST_MEMORY); -+ if (py->sessions == NULL) { -+ proxy_free (py, 1); -+ return_val_if_reached (CKR_HOST_MEMORY); -+ } - py->refs = 1; - - *res = py; -diff --git a/trust/asn1.c b/trust/asn1.c -index dd1812d..5ce682d 100644 ---- a/trust/asn1.c -+++ b/trust/asn1.c -@@ -285,11 +285,17 @@ p11_asn1_cache_new (void) - return_val_if_fail (cache != NULL, NULL); - - cache->defs = p11_asn1_defs_load (); -- return_val_if_fail (cache->defs != NULL, NULL); -+ if (cache->defs == NULL) { -+ p11_asn1_cache_free (cache); -+ return_val_if_reached (NULL); -+ } - - cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal, - NULL, free_asn1_item); -- return_val_if_fail (cache->items != NULL, NULL); -+ if (cache->items == NULL) { -+ p11_asn1_cache_free (cache); -+ return_val_if_reached (NULL); -+ } - - return cache; - } -@@ -342,7 +348,10 @@ p11_asn1_cache_take (p11_asn1_cache *cache, - item->length = der_len; - item->node = node; - item->struct_name = strdup (struct_name); -- return_if_fail (item->struct_name != NULL); -+ if (item->struct_name == NULL) { -+ free_asn1_item (item); -+ return_if_reached (); -+ } - - if (!p11_dict_set (cache->items, (void *)der, item)) - return_if_reached (); -diff --git a/trust/builder.c b/trust/builder.c -index 742c544..d819dc8 100644 ---- a/trust/builder.c -+++ b/trust/builder.c -@@ -187,7 +187,10 @@ p11_builder_new (int flags) - return_val_if_fail (builder != NULL, NULL); - - builder->asn1_cache = p11_asn1_cache_new (); -- return_val_if_fail (builder->asn1_cache, NULL); -+ if (builder->asn1_cache == NULL) { -+ p11_builder_free (builder); -+ return_val_if_reached (NULL); -+ } - builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache); - - builder->flags = flags; -diff --git a/trust/index.c b/trust/index.c -index f4b6b4b..6a8e535 100644 ---- a/trust/index.c -+++ b/trust/index.c -@@ -170,10 +170,16 @@ p11_index_new (p11_index_build_cb build, - index->objects = p11_dict_new (p11_dict_ulongptr_hash, - p11_dict_ulongptr_equal, - NULL, free_object); -- return_val_if_fail (index->objects != NULL, NULL); -+ if (index->objects == NULL) { -+ p11_index_free (index); -+ return_val_if_reached (NULL); -+ } - - index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket)); -- return_val_if_fail (index->buckets != NULL, NULL); -+ if (index->buckets == NULL) { -+ p11_index_free (index); -+ return_val_if_reached (NULL); -+ } - - return index; - } -diff --git a/trust/persist.c b/trust/persist.c -index 887b316..569cea1 100644 ---- a/trust/persist.c -+++ b/trust/persist.c -@@ -89,7 +89,10 @@ p11_persist_new (void) - return_val_if_fail (persist != NULL, NULL); - - persist->constants = p11_constant_reverse (true); -- return_val_if_fail (persist->constants != NULL, NULL); -+ if (persist->constants == NULL) { -+ free (persist); -+ return_val_if_reached (NULL); -+ } - - return persist; - } -diff --git a/trust/save.c b/trust/save.c -index abff864..8184e13 100644 ---- a/trust/save.c -+++ b/trust/save.c -@@ -68,6 +68,8 @@ static char * make_unique_name (const char *bare, - const char *extension, - int (*check) (void *, char *), - void *data); -+static void filo_free (p11_save_file *file); -+static void dir_free (p11_save_dir *dir); - - bool - p11_save_write_and_finish (p11_save_file *file, -@@ -114,9 +116,15 @@ p11_save_open_file (const char *path, - return_val_if_fail (file != NULL, NULL); - file->temp = temp; - file->bare = strdup (path); -- return_val_if_fail (file->bare != NULL, NULL); -+ if (file->bare == NULL) { -+ filo_free (file); -+ return_val_if_reached (NULL); -+ } - file->extension = strdup (extension); -- return_val_if_fail (file->extension != NULL, NULL); -+ if (file->extension == NULL) { -+ filo_free (file); -+ return_val_if_reached (NULL); -+ } - file->flags = flags; - file->fd = fd; - -@@ -166,6 +174,13 @@ filo_free (p11_save_file *file) - free (file); - } - -+static void -+dir_free (p11_save_dir *dir) { -+ p11_dict_free (dir->cache); -+ free (dir->path); -+ free (dir); -+} -+ - #ifdef OS_UNIX - - static int -@@ -349,10 +364,16 @@ p11_save_open_directory (const char *path, - return_val_if_fail (dir != NULL, NULL); - - dir->path = strdup (path); -- return_val_if_fail (dir->path != NULL, NULL); -+ if (dir->path == NULL) { -+ dir_free (dir); -+ return_val_if_reached (NULL); -+ } - - dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL); -- return_val_if_fail (dir->cache != NULL, NULL); -+ if (dir->cache == NULL) { -+ dir_free (dir); -+ return_val_if_reached (NULL); -+ } - - dir->flags = flags; - return dir; -diff --git a/trust/session.c b/trust/session.c -index b93a5c3..d464394 100644 ---- a/trust/session.c -+++ b/trust/session.c -@@ -59,12 +59,18 @@ p11_session_new (p11_token *token) - session->handle = p11_module_next_id (); - - session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE); -- return_val_if_fail (session->builder, NULL); -+ if (session->builder == NULL) { -+ p11_session_free (session); -+ return_val_if_reached (NULL); -+ } - - session->index = p11_index_new (p11_builder_build, NULL, NULL, - p11_builder_changed, - session->builder); -- return_val_if_fail (session->index != NULL, NULL); -+ if (session->index == NULL) { -+ p11_session_free (session); -+ return_val_if_reached (NULL); -+ } - - session->token = token; - -diff --git a/trust/token.c b/trust/token.c -index 4cbcc77..fd3b043 100644 ---- a/trust/token.c -+++ b/trust/token.c -@@ -829,7 +829,10 @@ p11_token_new (CK_SLOT_ID slot, - return_val_if_fail (token != NULL, NULL); - - token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN); -- return_val_if_fail (token->builder != NULL, NULL); -+ if (token->builder == NULL) { -+ p11_token_free (token); -+ return_val_if_reached (NULL); -+ } - - token->index = p11_index_new (on_index_build, - on_index_store, --- -2.17.2 - - -From 06323aed926ddc67bd18ed98e5af92035a8e3d39 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:14:46 +0200 -Subject: [PATCH 04/10] build: Check return value of p11_dict_set - ---- - p11-kit/proxy.c | 3 ++- - p11-kit/rpc-server.c | 6 +++++- - trust/module.c | 3 ++- - 3 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c -index abe7935..11e6165 100644 ---- a/p11-kit/proxy.c -+++ b/p11-kit/proxy.c -@@ -612,7 +612,8 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self, - sess->wrap_slot = map.wrap_slot; - sess->real_session = *handle; - sess->wrap_session = ++state->last_handle; /* TODO: Handle wrapping, and then collisions */ -- p11_dict_set (state->px->sessions, &sess->wrap_session, sess); -+ if (!p11_dict_set (state->px->sessions, &sess->wrap_session, sess)) -+ warn_if_reached (); - *handle = sess->wrap_session; - } - -diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c -index 2db3524..3a8991d 100644 ---- a/p11-kit/rpc-server.c -+++ b/p11-kit/rpc-server.c -@@ -2226,7 +2226,11 @@ p11_kit_remote_serve_tokens (const char **tokens, - p11_message_err (error, "couldn't subclass filter"); - goto out; - } -- p11_dict_set (filters, module, filter); -+ if (!p11_dict_set (filters, module, filter)) { -+ error = EINVAL; -+ p11_message_err (error, "couldn't register filter"); -+ goto out; -+ } - } - - for (i = 0; i < n_tokens; i++) { -diff --git a/trust/module.c b/trust/module.c -index e09113b..24cda87 100644 ---- a/trust/module.c -+++ b/trust/module.c -@@ -1321,7 +1321,8 @@ find_objects_match (CK_ATTRIBUTE *attrs, - } - value = memdup (oid->pValue, oid->ulValueLen); - return_val_if_fail (value != NULL, false); -- p11_dict_set (find->extensions, value, value); -+ if (!p11_dict_set (find->extensions, value, value)) -+ warn_if_reached (); - } - } - --- -2.17.2 - - -From 213ea0815ef45411bf6c134918b79d2aad69c1dc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:16:12 +0200 -Subject: [PATCH 05/10] build: Check return value of p11_rpc_buffer_get_uint64 - ---- - p11-kit/rpc-client.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c -index 0dd4525..e202e37 100644 ---- a/p11-kit/rpc-client.c -+++ b/p11-kit/rpc-client.c -@@ -371,7 +371,8 @@ proto_read_ulong_array (p11_rpc_message *msg, CK_ULONG_PTR arr, - - /* We need to go ahead and read everything in all cases */ - for (i = 0; i < num; ++i) { -- p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val); -+ if (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val)) -+ return PARSE_ERROR; - if (arr) - arr[i] = (CK_ULONG)val; - } --- -2.17.2 - - -From 1f78cb0b4dd193ec1f1b2b424a497a6c2edec043 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:16:51 +0200 -Subject: [PATCH 06/10] rpc-server: p11_kit_remote_serve_tokens: Fix memleak - ---- - p11-kit/rpc-server.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c -index 3a8991d..5b3dbf0 100644 ---- a/p11-kit/rpc-server.c -+++ b/p11-kit/rpc-server.c -@@ -2285,6 +2285,11 @@ p11_kit_remote_serve_tokens (const char **tokens, - p11_kit_modules_release (modules); - if (error != 0) - errno = error; -+ if (uris) { -+ for (i = 0; i < n_tokens; i++) -+ p11_kit_uri_free (uris[i]); -+ free (uris); -+ } - - return ret; - } --- -2.17.2 - - -From 033cd90806cb1e2eab7e799703757abc2f07052e Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:18:05 +0200 -Subject: [PATCH 07/10] proxy: Fix null dereference when reusing slots - ---- - p11-kit/proxy.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c -index 11e6165..8eaf205 100644 ---- a/p11-kit/proxy.c -+++ b/p11-kit/proxy.c -@@ -307,7 +307,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded, - break; - } - py->mappings[py->n_mappings].funcs = funcs; -- py->mappings[py->n_mappings].wrap_slot = j == n_mappings ? py->n_mappings + MAPPING_OFFSET : mappings[j].wrap_slot; -+ py->mappings[py->n_mappings].wrap_slot = -+ (n_mappings == 0 || j == n_mappings) ? -+ py->n_mappings + MAPPING_OFFSET : -+ mappings[j].wrap_slot; - py->mappings[py->n_mappings].real_slot = slots[i]; - ++py->n_mappings; - } --- -2.17.2 - - -From da73c2804b3ca962fa51473bb4c303a5ed32d4a1 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 16 Oct 2018 18:20:12 +0200 -Subject: [PATCH 08/10] trust: Set umask before calling mkstemp - ---- - trust/save.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/trust/save.c b/trust/save.c -index 8184e13..bb77348 100644 ---- a/trust/save.c -+++ b/trust/save.c -@@ -95,6 +95,7 @@ p11_save_open_file (const char *path, - { - p11_save_file *file; - char *temp; -+ mode_t mode; - int fd; - - return_val_if_fail (path != NULL, NULL); -@@ -105,7 +106,9 @@ p11_save_open_file (const char *path, - if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0) - return_val_if_reached (NULL); - -+ mode = umask (0077); - fd = mkstemp (temp); -+ umask (mode); - if (fd < 0) { - p11_message_err (errno, "couldn't create file: %s%s", path, extension); - free (temp); --- -2.17.2 - - -From 6417780ebbbbb0f01ddb001b239347655fb98578 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 17 Oct 2018 09:53:27 +0200 -Subject: [PATCH 09/10] rpc-server: Check calloc failure - ---- - p11-kit/rpc-server.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c -index 5b3dbf0..3216742 100644 ---- a/p11-kit/rpc-server.c -+++ b/p11-kit/rpc-server.c -@@ -2219,6 +2219,10 @@ p11_kit_remote_serve_tokens (const char **tokens, - filter = p11_dict_get (filters, module); - if (filter == NULL) { - lower = calloc (1, sizeof (p11_virtual)); -+ if (lower == NULL) { -+ error = ENOMEM; -+ goto out; -+ } - p11_virtual_init (lower, &p11_virtual_base, module, NULL); - filter = p11_filter_subclass (lower, NULL); - if (filter == NULL) { --- -2.17.2 - - -From 83e92c2f9575707083d8b0c70ef330e285d70836 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 17 Oct 2018 09:53:46 +0200 -Subject: [PATCH 10/10] trust: Check index->buckets is allocated on cleanup - ---- - trust/index.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/trust/index.c b/trust/index.c -index 6a8e535..2d1da29 100644 ---- a/trust/index.c -+++ b/trust/index.c -@@ -193,9 +193,11 @@ p11_index_free (p11_index *index) - - p11_dict_free (index->objects); - p11_dict_free (index->changes); -- for (i = 0; i < NUM_BUCKETS; i++) -- free (index->buckets[i].elem); -- free (index->buckets); -+ if (index->buckets) { -+ for (i = 0; i < NUM_BUCKETS; i++) -+ free (index->buckets[i].elem); -+ free (index->buckets); -+ } - free (index); - } - --- -2.17.2 - diff --git a/SOURCES/p11-kit-dt-needed.patch b/SOURCES/p11-kit-dt-needed.patch new file mode 100644 index 0000000..9c07b87 --- /dev/null +++ b/SOURCES/p11-kit-dt-needed.patch @@ -0,0 +1,42 @@ +From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 18 Dec 2020 13:37:10 +0100 +Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl + +This adds the -ldl link flag missing in the meson build, but present +in the autotools build. Although the use-case is unlikely, this +allows those modules to be linked as a normal shared library to a +program. +--- + p11-kit/meson.build | 1 + + trust/meson.build | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/meson.build b/p11-kit/meson.build +index 7d57cd7..02147a9 100644 +--- a/p11-kit/meson.build ++++ b/p11-kit/meson.build +@@ -92,6 +92,7 @@ if host_system != 'windows' + 'client.c', 'client-init.c', + name_prefix: '', + include_directories: [configinc, commoninc], ++ dependencies: dlopen_deps, + link_args: p11_module_ldflags, + link_depends: [p11_module_symbol_map, + p11_module_symbol_def], +diff --git a/trust/meson.build b/trust/meson.build +index 482a3c1..d4a8e15 100644 +--- a/trust/meson.build ++++ b/trust/meson.build +@@ -56,7 +56,7 @@ shared_module('p11-kit-trust', + 'module-init.c', + name_prefix: '', + c_args: p11_kit_trust_c_args, +- dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps, ++ dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps, + link_args: p11_module_ldflags, + link_depends: [p11_module_symbol_map, + p11_module_symbol_def], +-- +2.29.2 + diff --git a/SOURCES/p11-kit-lower-libffi-priority.patch b/SOURCES/p11-kit-lower-libffi-priority.patch deleted file mode 100644 index e5021b6..0000000 --- a/SOURCES/p11-kit-lower-libffi-priority.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 6e1046de2233fba7875d3d6a1b260192678dd0ad Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 19 Oct 2018 10:21:36 +0200 -Subject: [PATCH] virtual: Prefer fixed closures to libffi closures - -On some circumstances (such as when loading p11-kit-proxy from httpd), -it is known that creation of libffi closure always fails, due to -SELinux policy. Although this is harmless, it pollutes the journal -and gives wrong hints when troubleshooting. This patch changes the -order of preference of libffi vs pre-compiled closures to avoid that. ---- - p11-kit/virtual.c | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c -index 6abfe7a..338239f 100644 ---- a/p11-kit/virtual.c -+++ b/p11-kit/virtual.c -@@ -2832,9 +2832,14 @@ p11_virtual_wrap (p11_virtual *virt, - p11_destroyer destroyer) - { - Wrapper *wrapper; -+ CK_FUNCTION_LIST *result; - - return_val_if_fail (virt != NULL, NULL); - -+ result = p11_virtual_wrap_fixed (virt, destroyer); -+ if (result) -+ return result; -+ - wrapper = calloc (1, sizeof (Wrapper)); - return_val_if_fail (wrapper != NULL, NULL); - -@@ -2844,8 +2849,10 @@ p11_virtual_wrap (p11_virtual *virt, - wrapper->bound.version.minor = CRYPTOKI_VERSION_MINOR; - wrapper->fixed_index = -1; - -- if (!init_wrapper_funcs (wrapper)) -- return p11_virtual_wrap_fixed (virt, destroyer); -+ if (!init_wrapper_funcs (wrapper)) { -+ free (wrapper); -+ return_val_if_reached (NULL); -+ } - - assert ((void *)wrapper == (void *)&wrapper->bound); - assert (p11_virtual_is_wrapper (&wrapper->bound)); -@@ -2859,7 +2866,11 @@ CK_FUNCTION_LIST * - p11_virtual_wrap (p11_virtual *virt, - p11_destroyer destroyer) - { -- return p11_virtual_wrap_fixed (virt, destroyer); -+ CK_FUNCTION_LIST *result; -+ -+ result = p11_virtual_wrap_fixed (virt, destroyer); -+ return_val_if_fail (result != NULL, NULL); -+ return result; - } - - #endif /* !FFI_CLOSURES */ -@@ -3068,8 +3079,6 @@ p11_virtual_wrap_fixed (p11_virtual *virt, - } - p11_mutex_unlock (&p11_virtual_mutex); - -- return_val_if_fail (result != NULL, NULL); -- - return result; - } - --- -2.17.2 - diff --git a/SOURCES/p11-kit-unloading-fix.patch b/SOURCES/p11-kit-unloading-fix.patch deleted file mode 100644 index 189ef46..0000000 --- a/SOURCES/p11-kit-unloading-fix.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4a925177a81c2566d2a81a0a450607a5ff4d9048 Mon Sep 17 00:00:00 2001 -From: Stefano Garzarella -Date: Wed, 27 Feb 2019 12:25:20 +0100 -Subject: [PATCH] modules: check gl.modules before iterates on it when freeing - -In some circumstances, as described in the BZ, can happen that -free_modules_when_no_refs_unlocked() is called multiple times -when the module destructor is invoked. -We should check gl.modules before iterates on it in the -free_modules_when_no_refs_unlocked() functions, to avoid -a SIGSEGV. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1680963 ---- - p11-kit/modules.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/p11-kit/modules.c b/p11-kit/modules.c -index 0299eda..891ce4c 100644 ---- a/p11-kit/modules.c -+++ b/p11-kit/modules.c -@@ -797,14 +797,16 @@ init_globals_unlocked (void) - static void - free_modules_when_no_refs_unlocked (void) - { -- Module *mod; -- p11_dictiter iter; -- -- /* Check if any modules have a ref count */ -- p11_dict_iterate (gl.modules, &iter); -- while (p11_dict_next (&iter, (void **)&mod, NULL)) { -- if (mod->ref_count) -- return; -+ if (gl.modules) { -+ Module *mod; -+ p11_dictiter iter; -+ -+ /* Check if any modules have a ref count */ -+ p11_dict_iterate (gl.modules, &iter); -+ while (p11_dict_next (&iter, (void **)&mod, NULL)) { -+ if (mod->ref_count) -+ return; -+ } - } - - p11_dict_free (gl.unmanaged_by_funcs); --- -2.20.1 - diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec index f8563fc..7d0e73b 100644 --- a/SPECS/p11-kit.spec +++ b/SPECS/p11-kit.spec @@ -1,26 +1,33 @@ # This spec file has been automatically updated -Version: 0.23.14 -Release: 5%{?dist} +Version: 0.23.22 +Release: 1%{?dist} Name: p11-kit Summary: Library for loading and sharing PKCS#11 modules License: BSD URL: http://p11-glue.freedesktop.org/p11-kit.html -Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz -Source1: trust-extract-compat -Source2: p11-kit-client.service -Patch1: p11-kit-coverity.patch -Patch2: p11-kit-lower-libffi-priority.patch -Patch3: p11-kit-unloading-fix.patch +Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz +Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +Source3: trust-extract-compat +Source4: p11-kit-client.service + +Patch1: p11-kit-dt-needed.patch BuildRequires: gcc BuildRequires: libtasn1-devel >= 2.3 +BuildRequires: libtasn1-tools BuildRequires: libffi-devel +BuildRequires: gettext BuildRequires: gtk-doc -BuildRequires: systemd-devel +BuildRequires: meson +BuildRequires: systemd-devel +BuildRequires: bash-completion # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147 # Remove this once it is fixed BuildRequires: pkgconfig(glib-2.0) +BuildRequires: gnupg2 +BuildRequires: /usr/bin/xsltproc %description p11-kit provides a way to load and enumerate PKCS#11 modules, as well @@ -38,11 +45,11 @@ developing applications that use %{name}. %package trust -Summary: System trust module from %{name} -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives -Conflicts: nss < 3.14.3-9 +Summary: System trust module from %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Conflicts: nss < 3.14.3-9 %description trust The %{name}-trust package contains a system trust PKCS#11 module which @@ -69,37 +76,35 @@ feature is still experimental. %prep +gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} + %autosetup -p1 %build # These paths are the source paths that come from the plan here: # https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks -%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --disable-silent-rules -make %{?_smp_mflags} V=1 +%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source +%meson_build %install -make install DESTDIR=$RPM_BUILD_ROOT +%meson_install mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules -rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la -install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/ +install -p -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/ # Install the example conf with %%doc instead -rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example +mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name} +mv $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example $RPM_BUILD_ROOT%{_docdir}/%{name}/pkcs11.conf.example mkdir -p $RPM_BUILD_ROOT%{_userunitdir} -install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_userunitdir} +install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir} +%find_lang %{name} %check -make check +%meson_test -%post -p /sbin/ldconfig - %post trust %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 -%postun -p /sbin/ldconfig - %postun trust if [ $1 -eq 0 ] ; then # package removal @@ -107,11 +112,11 @@ if [ $1 -eq 0 ] ; then fi -%files +%files -f %{name}.lang %{!?_licensedir:%global license %%doc} %license COPYING %doc AUTHORS NEWS README -%doc p11-kit/pkcs11.conf.example +%{_docdir}/%{name}/pkcs11.conf.example %dir %{_sysconfdir}/pkcs11 %dir %{_sysconfdir}/pkcs11/modules %dir %{_datadir}/p11-kit @@ -124,6 +129,7 @@ fi %{_mandir}/man1/trust.1.gz %{_mandir}/man8/p11-kit.8.gz %{_mandir}/man5/pkcs11.conf.5.gz +%{_datadir}/bash-completion/completions/p11-kit %files devel %{_includedir}/p11-kit-1/ @@ -138,6 +144,7 @@ fi %{_libdir}/pkcs11/p11-kit-trust.so %{_datadir}/p11-kit/modules/p11-kit-trust.module %{_libexecdir}/p11-kit/trust-extract-compat +%{_datadir}/bash-completion/completions/trust %files server %{_libdir}/pkcs11/p11-kit-client.so @@ -148,6 +155,25 @@ fi %changelog +* Mon Jan 11 2021 Daiki Ueno - 0.23.22-1 +- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363) +- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff +- Add xsltproc to BR + +* Tue Nov 10 2020 Daiki Ueno - 0.23.21-4 +- Fix realloc usage on proxy cleanup (#1894979) +- Make 'trust anchor --store' preserve all attributes from .p11-kit files + +* Tue Nov 3 2020 Daiki Ueno - 0.23.21-3 +- Restore clobbered changelog entry + +* Mon Nov 2 2020 Daiki Ueno - 0.23.21-2 +- Update p11-kit-invalid-config.patch to be more thorough (thanks to + Alexander Sosedkin) + +* Tue Oct 20 2020 Daiki Ueno - 0.23.21-1 +- Update to upstream 0.23.21 release + * Fri Mar 29 2019 Daiki Ueno - 0.23.14-5 - Fix crash on unloading the library, when it is both linked and dlopen'ed