From 1a9baff8021d8b9546d39b9de32cec1665a56029 Mon Sep 17 00:00:00 2001
From: Michal Domonkos
Date: Feb 01 2022 14:38:08 +0000
Subject: Add patches for release 10
Resolves: #1943724
Resolves: #2048455
Resolves: #2037352
Resolves: #2025906
---
diff --git a/rpm-4.16.1.3-add-path-query-option.patch b/rpm-4.16.1.3-add-path-query-option.patch
new file mode 100644
index 0000000..0a44718
--- /dev/null
+++ b/rpm-4.16.1.3-add-path-query-option.patch
@@ -0,0 +1,194 @@ +From ce8af503733b5661efa046cc7f5f68ee0dad75cc Mon Sep 17 00:00:00 2001 +From: Michal Domonkos +Date: Mon, 16 Aug 2021 18:21:02 +0200 +Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries + +There are legitimate reasons (such as rhbz#1940895 or the included test) +for wanting the former behavior where all file states were considered in +file queries prior to commit 9ad57bda4a82b9847826daa766b4421d877bb3d9, +so celebrate the tenth anniversary of that commit by adding a CLI switch +(a new package selector --path), as contemplated back then. + +Update the man page for --file to reflect it's current behavior and make +--path that more obvious. + +Resolves: rhbz#1940895 + +Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported +for 4.16.1.3. +--- + doc/rpm.8 | 9 ++++++-- + lib/poptQV.c | 6 +++++- + lib/query.c | 7 +++++-- + lib/rpmcli.h | 1 + + tests/rpmquery.at | 52 +++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 70 insertions(+), 5 deletions(-) + +diff --git a/doc/rpm.8 b/doc/rpm.8 +index 80055b675..ab7364cf6 100644 +--- a/doc/rpm.8 ++++ b/doc/rpm.8 +@@ -57,7 +57,7 @@ rpm \- RPM Package Manager + .PP + + [\fB\fIPACKAGE_NAME\fB\fR] +- [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR] ++ [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR] [\fB--path \fIPATH\fB\fR] + [\fB-g,--group \fIGROUP\fB\fR] [\fB-p,--package \fIPACKAGE_FILE\fB\fR] + [\fB--hdrid \fISHA1\fB\fR] [\fB--pkgid \fIMD5\fB\fR] [\fB--tid \fITID\fB\fR] + [\fB--querybynumber \fIHDRNUM\fB\fR] [\fB--triggeredby \fIPACKAGE_NAME\fB\fR] +@@ -569,7 +569,7 @@ starts with "b". + List duplicated packages. + .TP + \fB-f, --file \fIFILE\fB\fR +-Query package owning \fIFILE\fR. ++Query package owning installed \fIFILE\fR. + .TP + \fB--filecaps\fR + List file names with POSIX1.e capabilities. 
+@@ -612,6 +612,11 @@ that will be expanded to paths that are substituted in place of + the package manifest as additional \fIPACKAGE_FILE\fR + arguments to the query. + .TP ++\fB--path \fIPATH\fB\fR ++Query package(s) owning \fIPATH\fR, whether the file is installed or not. ++Multiple packages may own a \fIPATH\fR, but the file is only owned by the ++package installed last. ++.TP + \fB--pkgid \fIMD5\fB\fR + Query package that contains a given package identifier, i.e. the + \fIMD5\fR digest of the combined header and +diff --git a/lib/poptQV.c b/lib/poptQV.c +index d9d1fad75..9b6101009 100644 +--- a/lib/poptQV.c ++++ b/lib/poptQV.c +@@ -27,6 +27,7 @@ struct rpmQVKArguments_s rpmQVKArgs; + #define POPT_WHATENHANCES -1014 + #define POPT_WHATOBSOLETES -1015 + #define POPT_WHATCONFLICTS -1016 ++#define POPT_QUERYBYPATH -1017 + + /* ========== Query/Verify/Signature source args */ + static void rpmQVSourceArgCallback( poptContext con, +@@ -58,6 +59,7 @@ static void rpmQVSourceArgCallback( poptContext con, + case POPT_WHATSUPPLEMENTS: qva->qva_source |= RPMQV_WHATSUPPLEMENTS; break; + case POPT_WHATENHANCES: qva->qva_source |= RPMQV_WHATENHANCES; break; + case POPT_TRIGGEREDBY: qva->qva_source |= RPMQV_TRIGGEREDBY; break; ++ case POPT_QUERYBYPATH: qva->qva_source |= RPMQV_PATH_ALL; break; + case POPT_QUERYBYPKGID: qva->qva_source |= RPMQV_PKGID; break; + case POPT_QUERYBYHDRID: qva->qva_source |= RPMQV_HDRID; break; + case POPT_QUERYBYTID: qva->qva_source |= RPMQV_TID; break; +@@ -80,7 +82,9 @@ struct poptOption rpmQVSourcePoptTable[] = { + { "checksig", 'K', POPT_ARGFLAG_DOC_HIDDEN, NULL, 'K', + N_("rpm checksig mode"), NULL }, + { "file", 'f', 0, 0, 'f', +- N_("query/verify package(s) owning file"), "FILE" }, ++ N_("query/verify package(s) owning installed file"), "FILE" }, ++ { "path", '\0', 0, 0, POPT_QUERYBYPATH, ++ N_("query/verify package(s) owning path, installed or not"), "PATH" }, + { "group", 'g', 0, 0, 'g', + N_("query/verify package(s) in group"), "GROUP" }, 
+ { "package", 'p', 0, 0, 'p', +diff --git a/lib/query.c b/lib/query.c +index fdabe6e52..9a71f0dc5 100644 +--- a/lib/query.c ++++ b/lib/query.c +@@ -445,6 +445,7 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar + } + /* fallthrough on absolute and relative paths */ + case RPMQV_PATH: ++ case RPMQV_PATH_ALL: + { char * fn; + + for (s = arg; *s != '\0'; s++) +@@ -463,8 +464,10 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar + fn = xstrdup(arg); + (void) rpmCleanPath(fn); + +- /* XXX Add a switch to enable former BASENAMES behavior? */ +- mi = rpmtsInitIterator(ts, RPMDBI_INSTFILENAMES, fn, 0); ++ rpmDbiTagVal tag = RPMDBI_INSTFILENAMES; ++ if (qva->qva_source == RPMQV_PATH_ALL) ++ tag = RPMDBI_BASENAMES; ++ mi = rpmtsInitIterator(ts, tag, fn, 0); + if (mi == NULL) + mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0); + +diff --git a/lib/rpmcli.h b/lib/rpmcli.h +index 4886c2453..8ef992ff2 100644 +--- a/lib/rpmcli.h ++++ b/lib/rpmcli.h +@@ -81,6 +81,7 @@ rpmcliFini(poptContext optCon); + enum rpmQVSources_e { + RPMQV_PACKAGE = 0, /*!< ... from package name db search. */ + RPMQV_PATH, /*!< ... from file path db search. */ ++ RPMQV_PATH_ALL, /*!< ... from file path db search (all states). */ + RPMQV_ALL, /*!< ... from each installed package. */ + RPMQV_RPM, /*!< ... from reading binary rpm package. */ + RPMQV_GROUP, /*!< ... from group db search. 
*/ +diff --git a/tests/rpmquery.at b/tests/rpmquery.at +index 9a4f1cb76..335d5ee0d 100644 +--- a/tests/rpmquery.at ++++ b/tests/rpmquery.at +@@ -201,6 +201,58 @@ runroot rpm \ + + AT_CLEANUP + ++# ------------------------------ ++# query a package by a file ++AT_SETUP([rpm -qf]) ++AT_KEYWORDS([query]) ++AT_CHECK([ ++RPMDB_INIT ++runroot rpm \ ++ --nodeps \ ++ -i /data/RPMS/hello-1.0-1.i386.rpm ++runroot rpm \ ++ -qf /usr/local/bin/hello ++], ++[0], ++[hello-1.0-1.i386 ++], ++[]) ++AT_CLEANUP ++ ++AT_SETUP([rpm -qf on non-installed file]) ++AT_KEYWORDS([query]) ++AT_CHECK([ ++RPMDB_INIT ++runroot rpm \ ++ --nodeps \ ++ --excludedocs \ ++ -i /data/RPMS/hello-1.0-1.i386.rpm ++runroot rpm \ ++ -qf /usr/share/doc/hello-1.0/FAQ ++], ++[1], ++[], ++[error: file /usr/share/doc/hello-1.0/FAQ: No such file or directory ++]) ++AT_CLEANUP ++ ++AT_SETUP([rpm -q --path on non-installed file]) ++AT_KEYWORDS([query]) ++AT_CHECK([ ++RPMDB_INIT ++runroot rpm \ ++ --nodeps \ ++ --excludedocs \ ++ -i /data/RPMS/hello-1.0-1.i386.rpm ++runroot rpm \ ++ -q --path /usr/share/doc/hello-1.0/FAQ ++], ++[0], ++[hello-1.0-1.i386 ++], ++[]) ++AT_CLEANUP ++ + # ------------------------------ + AT_SETUP([integer array query]) + AT_KEYWORDS([query]) +-- +2.34.1 + diff --git a/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch b/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch new file mode 100644 index 0000000..998e1f8 --- /dev/null +++ b/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch 
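Review bot: In the lib/rpmcli.h part of this patch, `RPMQV_PATH_ALL` is inserted between `RPMQV_PATH` and `RPMQV_ALL` in `enum rpmQVSources_e`, which shifts the numeric value of every later enumerator (`RPMQV_ALL`, `RPMQV_RPM`, `RPMQV_GROUP`, …) in a public header. For a backport onto a released 4.16.1.3 this looks like an ABI change for any already-built program that passes these values to librpm; appending the new enumerator after the last existing one would keep the old values stable. Separately, lib/query.c compares `qva->qva_source == RPMQV_PATH_ALL` while lib/poptQV.c sets the field with `|=`, so the BASENAMES index is chosen only when no other source was or-ed in; a comment such as `/* --path: match files in all states, not only installed ones */` above the tag selection would record the intent. The enum and initQueryIterator() both continue outside the visible hunks.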
@@ -0,0 +1,32 @@
+From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Mon, 31 Jan 2022 11:13:35 +0200
+Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
+
+The rpmdb cookie is not a security feature, but as these existing
+hashes are more convenient than coming up with our own... we then
+run into the great big wall of FIPS which in its current incarnation
+disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
+
+Just bumping the algorithm to SHA256 seems the path of lowest
+resistance, whether that algo makes sense for this purpose or not.
+---
+ lib/rpmdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rpmdb.c b/lib/rpmdb.c
+index 01d49a641..00bd4236f 100644
+--- a/lib/rpmdb.c
++++ b/lib/rpmdb.c
+@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
+ rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
+
+ if (ii) {
+- DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
++ DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
+ const void *key = 0;
+ size_t keylen = 0;
+ while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
+--
+2.34.1
+
diff --git a/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch b/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
new file mode 100644
index 0000000..6e3acf8
--- /dev/null
+++ b/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
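Review bot: The changed `rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE)` call in rpmdbCookie() has no comment explaining the algorithm choice, although the commit message is explicit that the cookie is not a security feature and SHA256 was picked only because FIPS mode rejects SHA1. I would add a comment on that line, e.g. `/* change-detection cookie, not an integrity check; SHA256 only because FIPS disallows SHA1 */`, so nobody later treats the value as a security property or reverts the algorithm. The cookie string will presumably differ from the one computed before the update for the same database, so a consumer that persisted an old cookie should expect one mismatch. The rest of rpmdbCookie(), including how a NULL `ctx` is handled, lies outside the hunk.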
@@ -0,0 +1,40 @@
+From 6cdcdd8770d1f0b9ba706dcc1e6392a59dbe3fe5 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos
+Date: Tue, 7 Dec 2021 08:08:37 +0100
+Subject: [PATCH] Skip recorded symlinks in --setperms (RhBug:1900662)
+
+If a package contains a symlink in the buildroot which is declared as a
+ghost or config file but is a regular file or directory on the system
+where it's installed, a --setperms call will reset its permissions to
+those of a symlink (777 on Linux), which almost certainly is not the
+correct thing to do.
+
+To fix that, just skip files that were recorded as symlinks.
+
+This is a special case of a general issue in --setperms; since file
+permission semantics may change depending on the file type, to stay on
+the safe side, any (ghost or config) file whose type changes after
+installation should probably be skipped. However, symlinks are the most
+prominent case here, so let's just focus on that now and avoid adding
+too much cleverness to a popt alias (this got us into trouble not too
+long ago, see commits 38c2f6e and 0d83637). We may revisit this in the
+eventual C implementation.
+---
+ rpmpopt.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rpmpopt.in b/rpmpopt.in
+index 27d298651..d5a6b140b 100644
+--- a/rpmpopt.in
++++ b/rpmpopt.in
+@@ -44,6 +44,7 @@ rpm alias --scripts --qf '\
+ --POPTdesc=$"list install/erase scriptlets from package(s)"
+
+ rpm alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \
++ \[ -n %{FILELINKTOS:shescape} \] || \
+ ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \
+ chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
+ --pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \
+--
+2.34.1
+
diff --git a/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
index a1753a4..878f6e4 100644
--- a/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
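Review bot: The added `\[ -n %{FILELINKTOS:shescape} \] ||` test in the `--setperms` alias arrives without a regression test; the diffstat lists only rpmpopt.in, and the message itself recalls that earlier edits to this alias caused trouble. A test that installs a package with a recorded symlink, replaces the path with a regular file, runs `--setperms` and checks that the mode is untouched would pin the behaviour. The new test also appears to rely on `:shescape` emitting a quoted empty string for files with no link target, since a bare `[ -n ]` evaluates true in sh and would skip every file; a short comment in rpmpopt.in stating that assumption would help the next editor. The generated script still tests the path and runs `chmod` as separate steps, so a file whose type changes in between is not covered by this line.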
+++ b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch @@ -1,4 +1,4 @@ -From a73895e6f03bef5e95a738ff680f7c42151f3959 Mon Sep 17 00:00:00 2001 +From 32b21da4bae5b8fbe0f42c31b723c4963b4b2512 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Thu, 6 May 2021 18:34:45 -0400 Subject: [PATCH] Validate and require subkey binding signatures on PGP public @@ -18,22 +18,25 @@ Combined with: 5ff86764b17f31535cb247543a90dd739076ec38 b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 9f03f42e2614a68f589f9db8fe76287146522c0c +b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix) +ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix) Fixes CVE-2021-3521. --- - rpmio/rpmpgp.c | 123 +++++++++++++++--- + rpmio/rpmpgp.c | 122 +++++++++++++++--- + sign/rpmgensig.c | 2 +- tests/Makefile.am | 3 + tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++ tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++ tests/rpmsigdig.at | 28 ++++ - 6 files changed, 224 insertions(+), 17 deletions(-) + 7 files changed, 224 insertions(+), 18 deletions(-) create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c -index d0688ebe9..b12410d67 100644 +index d0688ebe9..3372d577d 100644 --- a/rpmio/rpmpgp.c +++ b/rpmio/rpmpgp.c @@ -515,7 +515,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg) @@ -76,7 +79,7 @@ index d0688ebe9..b12410d67 100644 } break; default: rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version); -@@ -1041,36 +1039,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) +@@ -1041,36 +1039,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) return algo; } 
@@ -178,12 +181,11 @@ index d0688ebe9..b12410d67 100644 - p += (pkt.body - pkt.head) + pkt.blen; + if (selfsig) { + /* subkeys must be followed by binding signature */ -+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) { -+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) -+ break; -+ } ++ int xx = 1; /* assume failure */ + -+ int xx = pgpVerifySelf(digp, selfsig, all, i); ++ if (!(prevtag == PGPTAG_PUBLIC_SUBKEY && ++ selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)) ++ xx = pgpVerifySelf(digp, selfsig, all, i); + + selfsig = pgpDigParamsFree(selfsig); + if (xx) @@ -213,7 +215,7 @@ index d0688ebe9..b12410d67 100644 if (ret && rc == 0) { *ret = digp; } else { -@@ -1105,8 +1195,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, +@@ -1105,8 +1194,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, digps = xrealloc(digps, alloced * sizeof(*digps)); } @@ -223,6 +225,19 @@ index d0688ebe9..b12410d67 100644 /* Copy UID from main key to subkey */ digps[count]->userid = xstrdup(mainkey->userid); +diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c +index e5d191cc0..988a0f611 100644 +--- a/sign/rpmgensig.c ++++ b/sign/rpmgensig.c +@@ -351,7 +351,7 @@ static int haveSignature(rpmtd sigtd, Header h) + pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2); + if (pgpDigParamsCmp(sig1, sig2) == 0) + rc = 1; +- pgpDigParamsFree(sig2); ++ sig2 = pgpDigParamsFree(sig2); + } + pgpDigParamsFree(sig1); + rpmtdFreeData(&oldtd); diff --git a/tests/Makefile.am b/tests/Makefile.am index f742a9e1d..328234278 100644 --- a/tests/Makefile.am @@ -382,5 +397,5 @@ index e1a3ab062..705fc5870 100644 # Test pre-built package verification AT_SETUP([rpmkeys -K 1]) -- -2.33.1 +2.34.1 diff --git a/rpm.spec b/rpm.spec index f598ac7..8c9a909 100644 --- a/rpm.spec +++ b/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 9 +%global rel 10 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} 
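Review bot: The rewritten guard `if (!(prevtag == PGPTAG_PUBLIC_SUBKEY && selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))` wraps the accept/reject decision in a negated conjunction that is easy to misread; the equivalent `if (prevtag != PGPTAG_PUBLIC_SUBKEY || selfsig->sigtype == PGPSIGTYPE_SUBKEY_BINDING)` states directly when pgpVerifySelf() runs. The fail-closed default `int xx = 1;` and freeing `selfsig` before the `break` are what this revision adds, and the existing comment could say so: `/* subkeys must be followed by binding signature; anything else is rejected (xx stays 1) */`. The enclosing loop and function start and end outside this hunk.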
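Review bot: In the sign/rpmgensig.c hunk, haveSignature() now resets the pointer with `sig2 = pgpDigParamsFree(sig2);`, but the very next statement after the block still calls `pgpDigParamsFree(sig1);` without storing the result, and the return value of `pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2)` is ignored on the context line above. If sig2 is reused across iterations, as the "(use-after-free fix)" label in the patch description suggests, a comment like `/* reset: sig2 is reused on the next pass */` would record why the assignment matters. Writing the sig1 call in the same `sig1 = pgpDigParamsFree(sig1);` form would keep the two consistent. The loop and the declarations of sig1 and sig2 are outside the hunk.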
@@ -77,6 +77,9 @@ Patch105: rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch Patch106: rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch Patch107: rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch Patch108: rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch +Patch109: rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch +Patch110: rpm-4.16.1.3-add-path-query-option.patch +Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch @@ -606,6 +609,12 @@ fi %doc doc/librpm/html/* %changelog +* Mon Jan 31 2022 Michal Domonkos - 4.16.1.3-10 +- Address covscan issues in binding sigs validation patch (#1943724) +- Bump hash for rpmdb cookie to SHA256 for FIPS (#2048455) +- Add --path query option (#2037352) +- Skip recorded symlinks in --setperms (#2025906) + * Mon Dec 13 2021 Michal Domonkos - 4.16.1.3-9 - Fix-up IMA signature lengths patch (#2018937)