diff --git a/SOURCES/rpm-4.11.x-Fix-Python-hdr-refcount.patch b/SOURCES/rpm-4.11.x-Fix-Python-hdr-refcount.patch
new file mode 100644
index 0000000..99f8420
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-Fix-Python-hdr-refcount.patch
@@ -0,0 +1,72 @@
+From 40326b5724b0cd55a21b2d86eeef344e4826f863 Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Thu, 20 Oct 2016 16:06:06 +0200
+Subject: [PATCH] Do not call headerLink() in hdr_Wrap()
+
+as headers often already have an ref count of 1.
+Add headerLink() only where it is necessary.
+Plugs memory leaks in Python binding
+Resolves: rhbz:#1358467
+---
+ python/header-py.c | 4 ++--
+ python/rpmmi-py.c | 2 ++
+ python/rpmts-py.c | 1 -
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/python/header-py.c b/python/header-py.c
+index 63167d9..5d98f89 100644
+--- a/python/header-py.c
++++ b/python/header-py.c
+@@ -394,6 +394,7 @@ static PyObject *hdr_new(PyTypeObject *subtype, PyObject *args, PyObject *kwds)
+ h = headerNew();
+ } else if (CAPSULE_CHECK(obj)) {
+ h = CAPSULE_EXTRACT(obj, "rpm._C_Header");
++ headerLink(h);
+ } else if (hdrObject_Check(obj)) {
+ h = headerCopy(((hdrObject*) obj)->h);
+ } else if (PyBytes_Check(obj)) {
+@@ -778,8 +779,7 @@ PyObject * hdr_Wrap(PyTypeObject *subtype, Header h)
+ {
+ hdrObject * hdr = (hdrObject *)subtype->tp_alloc(subtype, 0);
+ if (hdr == NULL) return NULL;
+-
+- hdr->h = headerLink(h);
++ hdr->h = h;
+ return (PyObject *) hdr;
+ }
+
+diff --git a/python/rpmmi-py.c b/python/rpmmi-py.c
+index 0e27575..379cafb 100644
+--- a/python/rpmmi-py.c
++++ b/python/rpmmi-py.c
+@@ -1,6 +1,7 @@
+ #include "rpmsystem-py.h"
+
+ #include <rpm/rpmdb.h>
++#include <rpm/header.h>
+
+ #include "rpmmi-py.h"
+ #include "header-py.h"
+@@ -74,6 +75,7 @@ rpmmi_iternext(rpmmiObject * s)
+ s->mi = rpmdbFreeIterator(s->mi);
+ return NULL;
+ }
++ headerLink(h);
+ return hdr_Wrap(&hdr_Type, h);
+ }
+
+diff --git a/python/rpmts-py.c b/python/rpmts-py.c
+index 13951df..f05371c 100644
+--- a/python/rpmts-py.c
++++ b/python/rpmts-py.c
+@@ -384,7 +384,6 @@ rpmts_HdrFromFdno(rpmtsObject * s, PyObject *arg)
+
+ if (rpmrc == RPMRC_OK) {
+ ho = hdr_Wrap(&hdr_Type, h);
+- h = headerFree(h); /* ref held by python object */
+ } else {
+ Py_INCREF(Py_None);
+ ho = Py_None;
+--
+2.9.3
+
diff --git a/SOURCES/rpm-4.11.x-Fix-off-by-one-base64.patch b/SOURCES/rpm-4.11.x-Fix-off-by-one-base64.patch
new file mode 100644
index 0000000..24cca69
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-Fix-off-by-one-base64.patch
@@ -0,0 +1,30 @@
+From 0964912b94f9f48a0a812fbfbb2f996dbd93eff0 Mon Sep 17 00:00:00 2001
+From: Jonathan Wakely <github@kayari.org>
+Date: Wed, 25 May 2016 12:31:19 +0100
+Subject: [PATCH] Fix off-by-one error
+
+There's an off-by-one error in base64_decode_value which results in undefined behaviour:
+
+ void* out;
+ size_t len;
+ rpmBase64Decode("\x7b", &out, &len);
+---
+ rpmio/base64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rpmio/base64.c b/rpmio/base64.c
+index 60e67d4..4424aab 100644
+--- a/rpmio/base64.c
++++ b/rpmio/base64.c
+@@ -104,7 +104,7 @@ static int base64_decode_value(unsigned char value_in)
+ {
+ static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
+ value_in -= 43;
+- if (value_in > sizeof(decoding)/sizeof(int))
++ if (value_in >= sizeof(decoding)/sizeof(int))
+ return -1;
+ return decoding[value_in];
+ }
+--
+2.9.3
+
diff --git a/SOURCES/rpm-4.11.x-export-verifysigs-to-python.patch b/SOURCES/rpm-4.11.x-export-verifysigs-to-python.patch
new file mode 100644
index 0000000..76e2e7d
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-export-verifysigs-to-python.patch
@@ -0,0 +1,87 @@
+diff -up rpm-4.11.3/lib/rpmchecksig.c.orig rpm-4.11.3/lib/rpmchecksig.c
+--- rpm-4.11.3/lib/rpmchecksig.c.orig 2013-11-22 11:31:31.000000000 +0100
++++ rpm-4.11.3/lib/rpmchecksig.c 2017-03-15 18:18:20.688251955 +0100
+@@ -242,8 +242,8 @@ static void formatResult(rpmTagVal sigta
+ free(msg);
+ }
+
+-static int rpmpkgVerifySigs(rpmKeyring keyring, rpmQueryFlags flags,
+- FD_t fd, const char *fn)
++int rpmpkgVerifySigs(rpmKeyring keyring, rpmQueryFlags flags, FD_t fd,
++ const char *fn)
+ {
+
+ char *buf = NULL;
+diff -up rpm-4.11.3/lib/rpmcli.h.orig rpm-4.11.3/lib/rpmcli.h
+--- rpm-4.11.3/lib/rpmcli.h.orig 2014-02-05 14:04:02.000000000 +0100
++++ rpm-4.11.3/lib/rpmcli.h 2017-03-15 18:18:20.689251950 +0100
+@@ -254,6 +254,17 @@ int showVerifyPackage(QVA_t qva, rpmts t
+ */
+ int rpmVerifySignatures(QVA_t qva, rpmts ts, FD_t fd, const char * fn);
+
++/**
++ * Check package and header signatures.
++ * @param keyring keyring handle
++ * @param flags flags to control what to verify
++ * @param fd package file handle
++ * @param fn package file name
++ * @return 0 on success, 1 on failure
++ */
++int rpmpkgVerifySigs(rpmKeyring keyring, rpmQueryFlags flags, FD_t fd,
++ const char *fn);
++
+ /** \ingroup rpmcli
+ * Verify package install.
+ * @todo hack: RPMQV_ALL can pass char ** arglist = NULL, not char * arg. Union?
+diff -up rpm-4.11.3/python/rpmts-py.c.orig rpm-4.11.3/python/rpmts-py.c
+--- rpm-4.11.3/python/rpmts-py.c.orig 2014-02-05 14:04:02.000000000 +0100
++++ rpm-4.11.3/python/rpmts-py.c 2017-03-15 18:18:20.689251950 +0100
+@@ -7,6 +7,8 @@
+ #include <rpm/rpmpgp.h>
+ #include <rpm/rpmdb.h>
+ #include <rpm/rpmbuild.h>
++#include <rpm/rpmcli.h>
++#include <rpm/rpmkeyring.h>
+
+ #include "header-py.h"
+ #include "rpmds-py.h" /* XXX for rpmdsNew */
+@@ -671,6 +672,24 @@ exit:
+ return mio;
+ }
+
++static PyObject *
++rpmts_VerifySigs(rpmtsObject * s, PyObject * args)
++{
++ rpmfdObject *fdo = NULL;
++ char *fn = NULL;
++ rpmQueryFlags flags = (VERIFY_DIGEST|VERIFY_SIGNATURE);
++ int rc = 1;
++
++ if (!PyArg_ParseTuple(args, "O&s|i:VerifySigs", rpmfdFromPyObject, &fdo,
++ &fn, &flags))
++ return NULL;
++
++ rpmKeyring keyring = rpmtsGetKeyring(s->ts, 1);
++ rc = rpmpkgVerifySigs(keyring, flags, rpmfdGetFd(fdo), fn);
++ rpmKeyringFree(keyring);
++ return PyBool_FromLong(rc == 0);
++}
++
+ static struct PyMethodDef rpmts_methods[] = {
+ {"addInstall", (PyCFunction) rpmts_AddInstall, METH_VARARGS,
+ NULL },
+@@ -729,6 +748,14 @@ Remove all elements from the transaction
+ {"dbIndex", (PyCFunction) rpmts_index, METH_VARARGS|METH_KEYWORDS,
+ "ts.dbIndex(TagN) -> ii\n\
+ - Create a key iterator for the default transaction rpmdb.\n" },
++ {"_verifySigs", (PyCFunction) rpmts_VerifySigs, METH_VARARGS,
++ "ts._verifySigs(fdno, fn, [flags]) -- Verify package signature\n\n"
++ "Returns True if it verifies, False otherwise.\n\n"
++ "Args:\n"
++ " fdno : file descriptor of the package to verify\n"
++ " fn : package file name (just for logging purposes)\n"
++ " flags : bitfield to control what to verify\n"
++ " (default is rpm.VERIFY_SIGNATURE | rpm.VERIFY_DIGEST)"},
+ {NULL, NULL} /* sentinel */
+ };
+
diff --git a/SOURCES/rpm-4.11.x-perl.req-skip-my-var-block.patch b/SOURCES/rpm-4.11.x-perl.req-skip-my-var-block.patch
new file mode 100644
index 0000000..61ef41b
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-perl.req-skip-my-var-block.patch
@@ -0,0 +1,39 @@
+From 4a9b7f547ce1bb6b0b352d2e29ae4b0d3bddebfb Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Mon, 13 Mar 2017 11:20:11 +0100
+Subject: [PATCH] perl.req: Also skip blocks with my var = <<
+
+Before only
+var = <<BLOCK
+ foo
+BLOCK
+
+was skipped.
+
+But
+
+my var = <<BLOCK
+
+is also valid perl and needs to be skipped for dependency scanning.
+---
+ scripts/perl.req | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/perl.req b/scripts/perl.req
+index 7155518..52bd301 100755
+--- a/scripts/perl.req
++++ b/scripts/perl.req
+@@ -104,8 +104,8 @@ sub process_file {
+
+ # skip the "= <<" block
+
+- if (m/^\s*\$(?:.*)\s*=\s*<<\s*(["'`])(.+?)\1/ ||
+- m/^\s*\$(.*)\s*=\s*<<(\w+)\s*;/) {
++ if (m/^\s*(?:my\s*)?\$(?:.*)\s*=\s*<<\s*(["'`])(.+?)\1/ ||
++ m/^\s*(?:my\s*)?\$(.*)\s*=\s*<<(\w+)\s*;/) {
+ $tag = $2;
+ while (<FILE>) {
+ chomp;
+--
+2.9.3
+
diff --git a/SOURCES/rpm-4.11.x-sources-to-lua-variables.patch b/SOURCES/rpm-4.11.x-sources-to-lua-variables.patch
new file mode 100644
index 0000000..a5ea75d
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-sources-to-lua-variables.patch
@@ -0,0 +1,43 @@
+From 344f938670b8f7400ef177945cef5552783d450f Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Fri, 10 Apr 2015 17:28:17 +0200
+Subject: [PATCH] Fix adding of sources to lua variables during recursive
+ parsing of spec
+
+- Before this fix sources and patches weren't added to lua variables
+ "sources" and "patches" if they were located in spec file after tag
+ "BuildArch". Now it works.(rhbz:#1084309)
+---
+ build/parsePreamble.c | 2 +-
+ build/spec.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/build/parsePreamble.c b/build/parsePreamble.c
+index 21160cd..521068c 100644
+--- a/build/parsePreamble.c
++++ b/build/parsePreamble.c
+@@ -308,7 +308,7 @@ static int addSource(rpmSpec spec, Package pkg, const char *field, rpmTagVal tag
+ addMacro(spec->macros, buf, NULL, p->fullSource, RMIL_SPEC);
+ free(buf);
+ #ifdef WITH_LUA
+- if (!spec->recursing) {
++ {
+ rpmlua lua = NULL; /* global state */
+ const char * what = (flag & RPMBUILD_ISPATCH) ? "patches" : "sources";
+ rpmluaPushTable(lua, what);
+diff --git a/build/spec.c b/build/spec.c
+index d06e2c1..1db5d15 100644
+--- a/build/spec.c
++++ b/build/spec.c
+@@ -239,6 +239,8 @@ rpmSpec newSpec(void)
+ {
+ /* make sure patches and sources tables always exist */
+ rpmlua lua = NULL; /* global state */
++ rpmluaDelVar(lua, "patches");
++ rpmluaDelVar(lua, "sources");
+ rpmluaPushTable(lua, "patches");
+ rpmluaPushTable(lua, "sources");
+ rpmluaPop(lua);
+--
+2.9.3
+
diff --git a/SOURCES/rpm-4.11.x-verify-data-range.patch b/SOURCES/rpm-4.11.x-verify-data-range.patch
new file mode 100644
index 0000000..a90614c
--- /dev/null
+++ b/SOURCES/rpm-4.11.x-verify-data-range.patch
@@ -0,0 +1,96 @@
+Adjusted lib/package.c section to apply, and 4.11.x requires the
+same change in lib/signature.c as well.
+
+From 89dce2b91d7d73a1e225461a7392c3d6d7a30a95 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 19 Oct 2016 14:48:08 +0300
+Subject: [PATCH] Verify data is within range and does not overlap in
+ headerVerifyInfo()
+
+Checking whether data start offset is within header data area is of no use
+whatsoever if the entire chunk doesn't fit. Validate the entire data
+fits within range and that it does not overlap, however with string
+types we can only check the array size is sane but we cant check the
+actual content.
+
+Adjust the upper limit for region trailer in headerVerifyRegion() so
+it fits the new rules, but in reality calling headerVerifyInfo() for
+the region tags is rather pointless since they're so different.
+
+Partial fix for RhBug:1373107.
+---
+ lib/header.c | 21 ++++++++++++++++-----
+ lib/package.c | 2 +-
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 7f7c115..cac5c94 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -196,7 +196,8 @@ int headerVerifyInfo(int il, int dl, const void * pev, void * iv, int negate)
+ {
+ entryInfo pe = (entryInfo) pev;
+ entryInfo info = iv;
+- int i;
++ int i, tsize;
++ int32_t end = 0;
+
+ for (i = 0; i < il; i++) {
+ info->tag = ntohl(pe[i].tag);
+@@ -206,16 +207,26 @@ int headerVerifyInfo(int il, int dl, const void * pev, void * iv, int negate)
+ info->offset = -info->offset;
+ info->count = ntohl(pe[i].count);
+
++ /* Previous data must not overlap */
++ if (end > info->offset)
++ return i;
++
+ if (hdrchkType(info->type))
+ return i;
+ if (hdrchkAlign(info->type, info->offset))
+ return i;
+- if (hdrchkRange(dl, info->offset))
+- return i;
+- if (hdrchkData(info->count))
+- return i;
+
++ /* For string types we can only check the array size is sane */
++ tsize = typeSizes[info->type];
++ if (tsize < 1)
++ tsize = 1;
++
++ /* Verify the data actually fits */
++ end = info->offset + (info->count * tsize);
++ if (hdrchkRange(dl, end))
++ return i;
+ }
++
+ return -1;
+ }
+
+diff --git a/lib/package.c b/lib/package.c
+index b6bea09..bb83163 100644
+--- a/lib/package.c
++++ b/lib/package.c
+@@ -339,7 +339,7 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags,
+ (void) memcpy(&info, regionEnd, REGION_TAG_COUNT);
+ regionEnd += REGION_TAG_COUNT;
+
+- if (headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1) != -1 ||
++ if (headerVerifyInfo(1, il * sizeof(*pe) + REGION_TAG_COUNT, &info, &entry.info, 1) != -1 ||
+ !(entry.info.tag == RPMTAG_HEADERIMMUTABLE
+ && entry.info.type == REGION_TAG_TYPE
+ && entry.info.count == REGION_TAG_COUNT))
+diff --git a/lib/signature.c b/lib/signature.c
+index d8017dc..ddf2eb8 100644
+--- a/lib/signature.c
++++ b/lib/signature.c
+@@ -165,7 +165,7 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type, char ** msg)
+ }
+ dataEnd += REGION_TAG_COUNT;
+
+- xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
++ xx = headerVerifyInfo(1, il * sizeof(*pe) + REGION_TAG_COUNT, &info, &entry.info, 1);
+ if (xx != -1 ||
+ !((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
+ && entry.info.type == REGION_TAG_TYPE
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 42a5afb..8b445aa 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -21,7 +21,7 @@
Summary: The RPM package management system
Name: rpm
Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}21%{?dist}
+Release: %{?snapver:0.%{snapver}.}25%{?dist}
Group: System Environment/Base
Url: http://www.rpm.org/
Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
@@ -77,6 +77,11 @@ Patch174: rpm-4.11.x-define-PY_SSIZE_T_CLEAN.patch
Patch175: rpm-4.11.x-python-binding-test-case.patch
Patch176: rpm-4.11.x-Add-noplugins.patch
Patch177: rpm-4.11.x-no-longer-config.patch
+Patch178: rpm-4.11.x-Fix-off-by-one-base64.patch
+Patch179: rpm-4.11.x-sources-to-lua-variables.patch
+Patch180: rpm-4.11.x-Fix-Python-hdr-refcount.patch
+Patch181: rpm-4.11.x-perl.req-skip-my-var-block.patch
+Patch182: rpm-4.11.x-verify-data-range.patch
# Filter soname dependencies by name
Patch200: rpm-4.11.x-filter-soname-deps.patch
@@ -101,6 +106,7 @@ Patch310: rpm-4.11.x-CVE-2014-8118.patch
Patch311: rpm-4.11.3-update-config.guess.patch
Patch312: rpm-4.11.x-man-systemd-inhibit.patch
Patch313: rpm-4.11.x-quiet-signing.patch
+Patch314: rpm-4.11.x-export-verifysigs-to-python.patch
# Temporary Patch to provide support for updates
Patch400: rpm-4.10.90-rpmlib-filesystem-check.patch
@@ -324,7 +330,11 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
%patch175 -p1 -b .py_size_test
%patch176 -p1 -b .noplugins
%patch177 -p1 -b .noconfig
-
+%patch178 -p1 -b .offbyone
+%patch179 -p1 -b .sourceslua
+%patch180 -p1 -b .hdrrefcnt
+%patch181 -p1 -b .perlblock
+%patch182 -p1 -b .verifysignature
%patch200 -p1 -b .filter-soname-deps
%patch201 -p1 -b .dont-filter-ld64
@@ -341,6 +351,7 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
%patch311 -p1 -b .config.guess
%patch312 -p1 -b .man-inhibit
%patch313 -p1 -b .quiet-sign
+%patch314 -p1 -b .verifysig
%patch400 -p1 -b .rpmlib-filesystem-check
%patch401 -p1 -b .disable-collection-plugins
@@ -482,7 +493,6 @@ exit 0
%{_bindir}/rpmverify
%{_mandir}/man8/rpm.8*
-%{_mandir}/man8/rpm-plugin-systemd-inhibit.8*
%{_mandir}/man8/rpmdb.8*
%{_mandir}/man8/rpmkeys.8*
%{_mandir}/man8/rpm2cpio.8*
@@ -521,6 +531,7 @@ exit 0
%files plugin-systemd-inhibit
%{_libdir}/rpm-plugins
%{_libdir}/rpm-plugins/systemd_inhibit.so
+%{_mandir}/man8/rpm-plugin-systemd-inhibit.8*
%endif
%files build-libs
@@ -582,6 +593,22 @@ exit 0
%doc COPYING doc/librpm/html/*
%changelog
+* Fri Mar 17 2017 Panu Matilainen <pmatilai@redhat.com> - 4.11.3-25
+- Really fix #1371487
+
+* Thu Mar 16 2017 Florian Festi <ffesti@redhat.com> - 4.11.3-24
+- Fix include in patch for #1343692
+- Disable patch for (#1371487) temporarily
+
+* Mon Mar 13 2017 Florian Festi <ffesti@redhat.com> - 4.11.3-22
+- Move rpm-plugin-systemd-inhibit man page to that package (#1360706)
+- Fix off by one error in base64 code (#1341913)
+- Add sources to lua to prevent %%autosetup failing in some cases (#1359084)
+- Fix refcounting for Python hdr objects (#1358467)
+- Perl dependecy generator: Skip blocks after variable definitions (#1378307)
+- Verify signatures properly (#1371487)
+- Export function in Python binding for yum (#1343692)
+
* Tue Jul 26 2016 Florian Festi <ffesti@redhat.com> - 4.11.3-21
- Fix --sign for rpmbuild with --quiet (#1293483)
- Adjusted fix for --noplugins option (#1264031)