diff --git a/SOURCES/0832-ci-lint-add-shell-linter-Differential-ShellCheck.patch b/SOURCES/0832-ci-lint-add-shell-linter-Differential-ShellCheck.patch
new file mode 100644
index 0000000..d848bfa
--- /dev/null
+++ b/SOURCES/0832-ci-lint-add-shell-linter-Differential-ShellCheck.patch
@@ -0,0 +1,59 @@
+From 5f69ba3919d32ed93c68bb6b8b70a516f2bb56a8 Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Tue, 16 Aug 2022 14:34:49 +0200
+Subject: [PATCH] ci(lint): add shell linter - Differential ShellCheck
+
+It performs differential ShellCheck scans and report results directly in
+pull request.
+
+documentation:
+https://github.com/redhat-plumbers-in-action/differential-shellcheck
+
+(inspired by commit
+ https://github.com/systemd/systemd/commit/3f3c718e79abdac698ae90de5cd4c0560a0a75d4)
+
+RHEL-only
+
+Related: #2122499
+---
+ .github/workflows/differential-shellcheck.yml | 31 +++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+ create mode 100644 .github/workflows/differential-shellcheck.yml
+
+diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
+new file mode 100644
+index 0000000000..fa94679b51
+--- /dev/null
++++ b/.github/workflows/differential-shellcheck.yml
+@@ -0,0 +1,31 @@
++---
++# https://github.com/redhat-plumbers-in-action/differential-shellcheck#readme
++
++name: Differential ShellCheck
++on:
++ pull_request:
++ branches:
++ - master
++ - rhel-8.*.0
++
++permissions:
++ contents: read
++
++jobs:
++ lint:
++ runs-on: ubuntu-latest
++
++ permissions:
++ security-events: write
++ pull-requests: write
++
++ steps:
++ - name: Repository checkout
++ uses: actions/checkout@v3
++ with:
++ fetch-depth: 0
++
++ - name: Differential ShellCheck
++ uses: redhat-plumbers-in-action/differential-shellcheck@v3
++ with:
++ token: ${{ secrets.GITHUB_TOKEN }}
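Review bot: In the added `.github/workflows/differential-shellcheck.yml`, both `uses:` lines reference mutable tags (`actions/checkout@v3`, `redhat-plumbers-in-action/differential-shellcheck@v3`), and the second one runs in a job that holds `security-events: write` and `pull-requests: write` and is handed `secrets.GITHUB_TOKEN`. A tag can be moved by whoever controls the action's repository, so pinning to a full commit SHA with the tag kept as a comment, e.g. `uses: redhat-plumbers-in-action/differential-shellcheck@<full-commit-sha> # v3`, keeps the code that receives the token fixed until an update is reviewed. The same tag-style references appear in `.github/workflows/codeql.yml` added by patch 0836 (`actions/checkout@v3`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`). Separately, a job-level `permissions:` block replaces the workflow-level one rather than extending it, so `contents: read` is probably not in effect for `lint`; listing it in the job block would make the intent explicit.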
diff --git a/SOURCES/0833-meson-do-not-compare-objects-of-different-types.patch b/SOURCES/0833-meson-do-not-compare-objects-of-different-types.patch
new file mode 100644
index 0000000..234e387
--- /dev/null
+++ b/SOURCES/0833-meson-do-not-compare-objects-of-different-types.patch
@@ -0,0 +1,34 @@
+From deb09b3bd826571149f6b018f3a3ff8a33cd104b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 28 Jun 2018 16:09:04 +0900
+Subject: [PATCH] meson: do not compare objects of different types
+
+This fixes the following warning:
+```
+meson.build:1140: WARNING: Trying to compare values of different types (DependencyHolder, list) using !=.
+The result of this is undefined and will become a hard error in a future Meson release.
+```
+
+Follow-up for f02582f69fe1e7663a87ba80bd4f90d5d23ee75f(#9410).
+
+(cherry picked from commit 48f5da19b6e8f0d05f5217bc9856093d354ce5d0)
+
+Related: #2122499
+---
+ meson.build | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 6729a9ea5e..af4cf331da 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1165,7 +1165,8 @@ substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
+
+ dns_over_tls = get_option('dns-over-tls')
+ if dns_over_tls != 'false'
+- have = libgnutls != [] and libgnutls.version().version_compare('>=3.5.3')
++ have = (conf.get('HAVE_GNUTLS') == 1 and
++ libgnutls.version().version_compare('>=3.5.3'))
+ if dns_over_tls == 'true' and not have
+ error('DNS-over-TLS support was requested, but dependencies are not available')
+ endif
diff --git a/SOURCES/0834-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch b/SOURCES/0834-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch
new file mode 100644
index 0000000..689ad06
--- /dev/null
+++ b/SOURCES/0834-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch
@@ -0,0 +1,48 @@
+From ea9b3a664f5e67d0ee6b0bf6ca362835ae11fedc Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 20 Dec 2021 20:48:32 +0900
+Subject: [PATCH] journal-remote: use MHD_HTTP_CONTENT_TOO_LARGE as
+ MHD_HTTP_PAYLOAD_TOO_LARGE is deprecated since 0.9.74
+
+(cherry picked from commit 30df858f43b14a55c6650b43bea12cbf2cc0bc67)
+
+Related: #2122499
+---
+ src/journal-remote/journal-remote-main.c | 2 +-
+ src/journal-remote/microhttpd-util.h | 10 +++++++---
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
+index 47fe9d7433..bcaa370099 100644
+--- a/src/journal-remote/journal-remote-main.c
++++ b/src/journal-remote/journal-remote-main.c
+@@ -304,7 +304,7 @@ static int request_handler(
+ /* When serialized, an entry of maximum size might be slightly larger,
+ * so this does not correspond exactly to the limit in journald. Oh well.
+ */
+- return mhd_respondf(connection, 0, MHD_HTTP_PAYLOAD_TOO_LARGE,
++ return mhd_respondf(connection, 0, MHD_HTTP_CONTENT_TOO_LARGE,
+ "Payload larger than maximum size of %u bytes", ENTRY_SIZE_MAX);
+ }
+
+diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h
+index 26909082a1..dd0ca1d9bd 100644
+--- a/src/journal-remote/microhttpd-util.h
++++ b/src/journal-remote/microhttpd-util.h
+@@ -38,9 +38,13 @@
+ # define MHD_HTTP_NOT_ACCEPTABLE MHD_HTTP_METHOD_NOT_ACCEPTABLE
+ #endif
+
+-/* Renamed in µhttpd 0.9.53 */
+-#ifndef MHD_HTTP_PAYLOAD_TOO_LARGE
+-# define MHD_HTTP_PAYLOAD_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE
++/* Renamed in µhttpd 0.9.74 (8c644fc1f4d498ea489add8d40a68f5d3e5899fa) */
++#ifndef MHD_HTTP_CONTENT_TOO_LARGE
++# ifdef MHD_HTTP_PAYLOAD_TOO_LARGE
++# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_PAYLOAD_TOO_LARGE /* 0.9.53 or newer */
++# else
++# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE
++# endif
+ #endif
+
+ #if MHD_VERSION < 0x00094203
diff --git a/SOURCES/0835-Fix-build-with-httpd-0.9.71.patch b/SOURCES/0835-Fix-build-with-httpd-0.9.71.patch
new file mode 100644
index 0000000..0f8ec58
--- /dev/null
+++ b/SOURCES/0835-Fix-build-with-httpd-0.9.71.patch
@@ -0,0 +1,71 @@
+From ca86de228e19cea268ec3eeabc9097d7c28fbf24 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 30 Jun 2020 09:56:10 +0200
+Subject: [PATCH] =?UTF-8?q?Fix=20build=20with=20=C2=B5httpd=200.9.71?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The return type of callbacks was changed from int to an enum.
+
+(cherry picked from commit d17eabb1052e7c8c432331a7a782845e36164f01)
+
+Related: #2122499
+---
+ src/journal-remote/journal-gatewayd.c | 4 ++--
+ src/journal-remote/journal-remote-main.c | 2 +-
+ src/journal-remote/microhttpd-util.h | 6 ++++++
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
+index 54446ff7b5..3ff05a4d72 100644
+--- a/src/journal-remote/journal-gatewayd.c
++++ b/src/journal-remote/journal-gatewayd.c
+@@ -338,7 +338,7 @@ static int request_parse_range(
+ return 0;
+ }
+
+-static int request_parse_arguments_iterator(
++static mhd_result request_parse_arguments_iterator(
+ void *cls,
+ enum MHD_ValueKind kind,
+ const char *key,
+@@ -795,7 +795,7 @@ static int request_handler_machine(
+ return MHD_queue_response(connection, MHD_HTTP_OK, response);
+ }
+
+-static int request_handler(
++static mhd_result request_handler(
+ void *cls,
+ struct MHD_Connection *connection,
+ const char *url,
+diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
+index bcaa370099..a1008db6eb 100644
+--- a/src/journal-remote/journal-remote-main.c
++++ b/src/journal-remote/journal-remote-main.c
+@@ -241,7 +241,7 @@ static int process_http_upload(
+ return mhd_respond(connection, MHD_HTTP_ACCEPTED, "OK.");
+ };
+
+-static int request_handler(
++static mhd_result request_handler(
+ void *cls,
+ struct MHD_Connection *connection,
+ const char *url,
+diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h
+index dd0ca1d9bd..792c07ac20 100644
+--- a/src/journal-remote/microhttpd-util.h
++++ b/src/journal-remote/microhttpd-util.h
+@@ -51,6 +51,12 @@
+ # define MHD_create_response_from_fd_at_offset64 MHD_create_response_from_fd_at_offset
+ #endif
+
++#if MHD_VERSION >= 0x00097002
++# define mhd_result enum MHD_Result
++#else
++# define mhd_result int
++#endif
++
+ void microhttpd_logger(void *arg, const char *fmt, va_list ap) _printf_(2, 0);
+
+ /* respond_oom() must be usable with return, hence this form. */
diff --git a/SOURCES/0836-ci-replace-LGTM-with-CodeQL.patch b/SOURCES/0836-ci-replace-LGTM-with-CodeQL.patch
new file mode 100644
index 0000000..b24cc6c
--- /dev/null
+++ b/SOURCES/0836-ci-replace-LGTM-with-CodeQL.patch
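Review bot: In patch 0835's change to `src/journal-remote/microhttpd-util.h`, `mhd_result` is introduced as an object-like macro (`# define mhd_result enum MHD_Result` / `# define mhd_result int`), which is textual substitution rather than a real type name. A typedef gives the same version switch with normal scoping and clearer compiler diagnostics: `typedef enum MHD_Result mhd_result;` under `MHD_VERSION >= 0x00097002` and `typedef int mhd_result;` in the `#else` branch. A one-line comment above the `#if`, saying that µhttpd 0.9.71 changed callback return types from int to an enum as the commit message states, would explain the version constant. The callbacks whose signatures change continue outside the hunks shown.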
@@ -0,0 +1,303 @@ +From 2b1dbcab1af1a22f3a46fa23aa551a7394673938 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 15 Sep 2022 15:29:23 +0200 +Subject: [PATCH] ci: replace LGTM with CodeQL + +As LGTM is going to be shut down by EOY, let's use CodeQL instead. + +This is loosely based on upstream's CodeQL configs with some minor +tweaks to avoid backporting tons of unrelated commits. + +rhel-only +Related: #2122499 +--- + .github/codeql-config.yml | 12 ++++ + .github/codeql-custom.qls | 44 ++++++++++++ + .../PotentiallyDangerousFunction.ql | 3 + + .../UninitializedVariableWithCleanup.ql | 16 ++--- + .github/codeql-queries/qlpack.yml | 11 +++ + .github/workflows/codeql.yml | 68 +++++++++++++++++++ + .lgtm.yml | 37 ---------- + 7 files changed, 146 insertions(+), 45 deletions(-) + create mode 100644 .github/codeql-config.yml + create mode 100644 .github/codeql-custom.qls + rename {.lgtm/cpp-queries => .github/codeql-queries}/PotentiallyDangerousFunction.ql (93%) + rename {.lgtm/cpp-queries => .github/codeql-queries}/UninitializedVariableWithCleanup.ql (86%) + create mode 100644 .github/codeql-queries/qlpack.yml + create mode 100644 .github/workflows/codeql.yml + delete mode 100644 .lgtm.yml + +diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml +new file mode 100644 +index 0000000000..7c01d32caa +--- /dev/null ++++ b/.github/codeql-config.yml +@@ -0,0 +1,12 @@ ++--- ++# vi: ts=2 sw=2 et: ++# SPDX-License-Identifier: LGPL-2.1-or-later ++name: "CodeQL config" ++ ++disable-default-queries: false ++ ++queries: ++ - name: Enable possibly useful queries which are disabled by default ++ uses: ./.github/codeql-custom.qls ++ - name: systemd-specific CodeQL queries ++ uses: ./.github/codeql-queries/ +diff --git a/.github/codeql-custom.qls b/.github/codeql-custom.qls +new file mode 100644 +index 0000000000..d35fbe3114 +--- /dev/null ++++ b/.github/codeql-custom.qls +@@ -0,0 +1,44 @@ ++--- ++# vi: ts=2 sw=2 et syntax=yaml: ++# SPDX-License-Identifier: 
LGPL-2.1-or-later ++# ++# Note: it is not recommended to directly reference the respective queries from ++# the github/codeql repository, so we have to "dance" around it using ++# a custom QL suite ++# See: ++# - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#running-additional-queries ++# - https://github.com/github/codeql-action/issues/430#issuecomment-806092120 ++# - https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites/ ++ ++# Note: the codeql/-queries pack name can be found in the CodeQL repo[0] ++# in /ql/src/qlpack.yml. The respective codeql-suites are then ++# under /ql/src/codeql-suites/. ++# ++# [0] https://github.com/github/codeql ++- import: codeql-suites/cpp-lgtm.qls ++ from: codeql/cpp-queries ++- import: codeql-suites/python-lgtm.qls ++ from: codeql/python-queries ++- include: ++ id: ++ - cpp/bad-strncpy-size ++ - cpp/declaration-hides-variable ++ - cpp/include-non-header ++ - cpp/inconsistent-null-check ++ - cpp/mistyped-function-arguments ++ - cpp/nested-loops-with-same-variable ++ - cpp/sizeof-side-effect ++ - cpp/suspicious-pointer-scaling ++ - cpp/suspicious-pointer-scaling-void ++ - cpp/suspicious-sizeof ++ - cpp/unsafe-strcat ++ - cpp/unsafe-strncat ++ - cpp/unsigned-difference-expression-compared-zero ++ - cpp/unused-local-variable ++ tags: ++ - "security" ++ - "correctness" ++ severity: "error" ++- exclude: ++ id: ++ - cpp/fixme-comment +diff --git a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql +similarity index 93% +rename from .lgtm/cpp-queries/PotentiallyDangerousFunction.ql +rename to .github/codeql-queries/PotentiallyDangerousFunction.ql +index 39e8dddd13..63fd14e75f 100644 +--- a/.lgtm/cpp-queries/PotentiallyDangerousFunction.ql ++++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql +@@ -46,6 +46,9 @@ predicate potentiallyDangerousFunction(Function f, 
string message) { + ) or ( + f.getQualifiedName() = "accept" and + message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead." ++ ) or ( ++ f.getQualifiedName() = "dirname" and ++ message = "Call dirname() is icky. Use path_extract_directory() instead." + ) + } + +diff --git a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql b/.github/codeql-queries/UninitializedVariableWithCleanup.ql +similarity index 86% +rename from .lgtm/cpp-queries/UninitializedVariableWithCleanup.ql +rename to .github/codeql-queries/UninitializedVariableWithCleanup.ql +index 6b3b62f8bc..e514111f28 100644 +--- a/.lgtm/cpp-queries/UninitializedVariableWithCleanup.ql ++++ b/.github/codeql-queries/UninitializedVariableWithCleanup.ql +@@ -50,16 +50,16 @@ class UninitialisedLocalReachability extends StackVariableReachability { + * fun(&x); + * puts(x); + * +- * `useOfVarActual()` won't treat this an an uninitialized read even if the callee ++ * `useOfVarActual()` won't treat this as an uninitialized read even if the callee + * doesn't modify the argument, however, `useOfVar()` will + */ + override predicate isSink(ControlFlowNode node, StackVariable v) { useOfVar(v, node) } + + override predicate isBarrier(ControlFlowNode node, StackVariable v) { +- // only report the _first_ possibly uninitialized use ++ /* only report the _first_ possibly uninitialized use */ + useOfVar(v, node) or + ( +- /* If there's an return statement somewhere between the variable declaration ++ /* If there's a return statement somewhere between the variable declaration + * and a possible definition, don't accept is as a valid initialization. 
+ * + * E.g.: +@@ -71,7 +71,7 @@ class UninitialisedLocalReachability extends StackVariableReachability { + * x = malloc(...); + * + * is not a valid initialization, since we might return from the function +- * _before_ the actual iniitialization (emphasis on _might_, since we ++ * _before_ the actual initialization (emphasis on _might_, since we + * don't know if the return statement might ever evaluate to true). + */ + definitionBarrier(v, node) and +@@ -92,14 +92,14 @@ predicate containsInlineAssembly(Function f) { exists(AsmStmt s | s.getEnclosing + * for this check to exclude them. + */ + VariableAccess commonException() { +- // If the uninitialized use we've found is in a macro expansion, it's +- // typically something like va_start(), and we don't want to complain. ++ /* If the uninitialized use we've found is in a macro expansion, it's ++ * typically something like va_start(), and we don't want to complain. */ + result.getParent().isInMacroExpansion() + or + result.getParent() instanceof BuiltInOperation + or +- // Finally, exclude functions that contain assembly blocks. It's +- // anyone's guess what happens in those. ++ /* Finally, exclude functions that contain assembly blocks. It's ++ * anyone's guess what happens in those. 
*/ + containsInlineAssembly(result.getEnclosingFunction()) + } + +diff --git a/.github/codeql-queries/qlpack.yml b/.github/codeql-queries/qlpack.yml +new file mode 100644 +index 0000000000..a1a2dec6d6 +--- /dev/null ++++ b/.github/codeql-queries/qlpack.yml +@@ -0,0 +1,11 @@ ++--- ++# vi: ts=2 sw=2 et syntax=yaml: ++# SPDX-License-Identifier: LGPL-2.1-or-later ++ ++library: false ++name: systemd/cpp-queries ++version: 0.0.1 ++dependencies: ++ codeql/cpp-all: "*" ++ codeql/suite-helpers: "*" ++extractor: cpp +diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml +new file mode 100644 +index 0000000000..c5426d5686 +--- /dev/null ++++ b/.github/workflows/codeql.yml +@@ -0,0 +1,68 @@ ++--- ++# vi: ts=2 sw=2 et: ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# ++name: "CodeQL" ++ ++on: ++ pull_request: ++ branches: ++ - master ++ - rhel-* ++ paths: ++ - '**/meson.build' ++ - '.github/**/codeql*' ++ - 'src/**' ++ - 'test/**' ++ - 'tools/**' ++ push: ++ branches: ++ - master ++ - rhel-* ++ ++permissions: ++ contents: read ++ ++jobs: ++ analyze: ++ name: Analyze ++ runs-on: ubuntu-22.04 ++ concurrency: ++ group: ${{ github.workflow }}-${{ matrix.language }}-${{ github.ref }} ++ cancel-in-progress: true ++ permissions: ++ actions: read ++ security-events: write ++ ++ strategy: ++ fail-fast: false ++ matrix: ++ language: ['cpp', 'python'] ++ ++ steps: ++ - name: Checkout repository ++ uses: actions/checkout@v3 ++ ++ - name: Initialize CodeQL ++ uses: github/codeql-action/init@v2 ++ with: ++ languages: ${{ matrix.language }} ++ config-file: ./.github/codeql-config.yml ++ ++ - name: Install dependencies ++ if: matrix.language == 'cpp' ++ run: | ++ echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list ++ sudo apt-get -y update ++ sudo apt-get -y build-dep systemd ++ sudo apt-get -y install libfdisk-dev libpwquality-dev libqrencode-dev libssl-dev libxkbcommon-dev libzstd-dev 
++ ++ - name: Build ++ if: matrix.language == 'cpp' ++ run: | ++ # EL 8 systemd fails to build with newer gnu-efi (3.0.13 on Ubuntu Jammy ATTOW) ++ meson build -Dlibiptc=false -Dgnu-efi=false ++ ninja -C build -v ++ ++ - name: Perform CodeQL Analysis ++ uses: github/codeql-action/analyze@v2 +diff --git a/.lgtm.yml b/.lgtm.yml +deleted file mode 100644 +index fe93957b67..0000000000 +--- a/.lgtm.yml ++++ /dev/null +@@ -1,37 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +- +-# Explicitly enable certain checks which are hidden by default +-queries: +- - include: cpp/bad-strncpy-size +- - include: cpp/declaration-hides-variable +- - include: cpp/inconsistent-null-check +- - include: cpp/mistyped-function-arguments +- - include: cpp/nested-loops-with-same-variable +- - include: cpp/sizeof-side-effect +- - include: cpp/suspicious-pointer-scaling +- - include: cpp/suspicious-pointer-scaling-void +- - include: cpp/suspicious-sizeof +- - include: cpp/unsafe-strcat +- - include: cpp/unsafe-strncat +- - include: cpp/unsigned-difference-expression-compared-zero +- - include: cpp/unused-local-variable +- - include: +- tags: +- - "security" +- - "correctness" +- severity: "error" +- +-extraction: +- cpp: +- prepare: +- packages: +- - python3-pip +- - python3-setuptools +- - python3-wheel +- after_prepare: +- - pip3 install meson +- - export PATH="$HOME/.local/bin/:$PATH" +- python: +- python_setup: +- version: 3 diff --git a/SOURCES/0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch b/SOURCES/0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch new file mode 100644 index 0000000..b7603f0 --- /dev/null +++ b/SOURCES/0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch 
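Review bot: In `.github/codeql-custom.qls` added by patch 0836, the `tags:` and `severity:` keys follow the `id:` list without a new `- include:` entry, whereas the removed `.lgtm.yml` listed each query id and the tags/severity filter as separate `include` items. Indentation is not recoverable in this rendering, but if all three keys sit in one `include` block, CodeQL suite filters within a block are combined, so a listed id would be selected only when it also carries one of the tags and has severity error; that would likely drop explicitly enabled queries such as `cpp/unused-local-variable`. Adding a separate `- include:` line before `tags:` would restore the earlier behaviour. It is also worth checking against the query-suite documentation whether `tags contain:` is the key intended for matching individual tags.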
@@ -0,0 +1,71 @@
+From 4c241b812ea79f3faa02c45f95834842c7847b76 Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Wed, 21 Sep 2022 15:14:26 +0200
+Subject: [PATCH] ci(mergify): Update policy - Drop LGTM checks
+
+rhel-only
+
+Related: #2122499
+---
+ .github/workflows/differential-shellcheck.yml | 1 +
+ .mergify.yml | 28 ++++++-------------
+ 2 files changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
+index fa94679b51..4399f0bc64 100644
+--- a/.github/workflows/differential-shellcheck.yml
++++ b/.github/workflows/differential-shellcheck.yml
+@@ -13,6 +13,7 @@ permissions:
+
+ jobs:
+ lint:
++ name: Differential ShellCheck
+ runs-on: ubuntu-latest
+
+ permissions:
+diff --git a/.mergify.yml b/.mergify.yml
+index 3afd04f18e..a5eed6a82a 100644
+--- a/.mergify.yml
++++ b/.mergify.yml
+@@ -11,16 +11,10 @@ pull_request_rules:
+ - -check-success=build (stream8, GCC_ASAN)
+ # CentOS Stream CI
+ - -check-success=CentOS CI (CentOS Stream 8)
+- # LGTM
+- - and:
+- - "-check-success=LGTM analysis: JavaScript"
+- - "-check-neutral=LGTM analysis: JavaScript"
+- - and:
+- - "-check-success=LGTM analysis: Python"
+- - "-check-neutral=LGTM analysis: Python"
+- - and:
+- - "-check-success=LGTM analysis: C/C++"
+- - "-check-neutral=LGTM analysis: C/C++"
++ # CodeQL
++ - -check-success=CodeQL
++ # Other
++ - -check-success=Differential ShellCheck
+ actions:
+ label:
+ add:
+@@ -36,16 +30,10 @@ pull_request_rules:
+ - check-success=build (stream8, GCC_ASAN)
+ # CentOS Stream CI
+ - check-success=CentOS CI (CentOS Stream 8)
+- # LGTM
+- - or:
+- - "check-success=LGTM analysis: JavaScript"
+- - "check-neutral=LGTM analysis: JavaScript"
+- - or:
+- - "check-success=LGTM analysis: Python"
+- - "check-neutral=LGTM analysis: Python"
+- - or:
+- - "check-success=LGTM analysis: C/C++"
+- - "check-neutral=LGTM analysis: C/C++"
++ # CodeQL
++ - check-success=CodeQL
++ # Other
++ - check-success=Differential ShellCheck
+ actions:
+ label:
+ remove:
diff --git a/SOURCES/0838-time-util-fix-buffer-over-run.patch b/SOURCES/0838-time-util-fix-buffer-over-run.patch
new file mode 100644
index 0000000..c63ae79
--- /dev/null
+++ b/SOURCES/0838-time-util-fix-buffer-over-run.patch
@@ -0,0 +1,44 @@
+From a521f942d5c304bca7c61bacb3c79e565853718e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 7 Jul 2022 18:27:02 +0900
+Subject: [PATCH] time-util: fix buffer-over-run
+
+Fixes #23928.
+
+(cherry picked from commit 9102c625a673a3246d7e73d8737f3494446bad4e)
+
+Resolves: #2139391
+---
+ src/basic/time-util.c | 2 +-
+ src/test/test-time-util.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index c36e462193..d46d884be5 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -515,7 +515,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
+ t = b;
+ }
+
+- n = MIN((size_t) k, l);
++ n = MIN((size_t) k, l-1);
+
+ l -= n;
+ p += n;
+diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
+index 354a01dd1a..6ebde4153c 100644
+--- a/src/test/test-time-util.c
++++ b/src/test/test-time-util.c
+@@ -187,6 +187,11 @@ static void test_format_timespan(usec_t accuracy) {
+ test_format_timespan_one(500 * USEC_PER_MSEC, accuracy);
+ test_format_timespan_one(9*USEC_PER_YEAR/5 - 23, accuracy);
+ test_format_timespan_one(USEC_INFINITY, accuracy);
++
++ /* See issue #23928. */
++ _cleanup_free_ char *buf;
++ assert_se(buf = new(char, 5));
++ assert_se(buf == format_timespan(buf, 5, 100005, 1000));
+ }
+
+ static void test_timezone_is_valid(void) {
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 9692c92..c2302aa 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
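Review bot: In patch 0838's change to `format_timespan()`, the new bound `l-1` is computed on a `size_t`, so it wraps to a very large value if `l` is ever 0 and `MIN()` then no longer limits `n`. The function's entry is outside the hunk, so whether `l > 0` is already asserted cannot be seen here; if it is not, `assert(l > 0);` at the top would make the precondition explicit. In the added test, `_cleanup_free_ char *buf;` is declared without an initializer, which by its name is the pattern `UninitializedVariableWithCleanup.ql` (carried in this same update) is meant to report; `_cleanup_free_ char *buf = NULL;` avoids relying on the assignment on the following line. The test also checks only the returned pointer, so the overrun itself is caught only when the suite runs under a sanitizer or similar tooling.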
@@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 68%{?dist} +Release: 69%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -881,6 +881,13 @@ Patch0828: 0828-core-load-fragment-move-config_parse_sec_fix_0-to-sr.patch Patch0829: 0829-sd-event-add-relative-timer-calls.patch Patch0830: 0830-logind-add-option-to-stop-idle-sessions-after-specif.patch Patch0831: 0831-logind-schedule-idle-check-full-interval-from-now-if.patch +Patch0832: 0832-ci-lint-add-shell-linter-Differential-ShellCheck.patch +Patch0833: 0833-meson-do-not-compare-objects-of-different-types.patch +Patch0834: 0834-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch +Patch0835: 0835-Fix-build-with-httpd-0.9.71.patch +Patch0836: 0836-ci-replace-LGTM-with-CodeQL.patch +Patch0837: 0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch +Patch0838: 0838-time-util-fix-buffer-over-run.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 
@@ -1510,13 +1517,20 @@ fi %files tests -f .file-list-tests %changelog -* Tue Sep 27 2022 systemd maintenance team - 239-68 +* Tue Nov 08 2022 systemd maintenance team - 239-69 - logind: optionally watch utmp for login data (#2122288) - logind: add hashtable for finding session by leader PID (#2122288) - core/load-fragment: move config_parse_sec_fix_0 to src/shared (#2122288) - sd-event: add relative timer calls (#2122288) - logind: add option to stop idle sessions after specified timeout (#2122288) - logind: schedule idle check full interval from now if we couldn't figure out atime timestamp (#2122288) +- ci(lint): add shell linter - Differential ShellCheck (#2122499) +- meson: do not compare objects of different types (#2122499) +- journal-remote: use MHD_HTTP_CONTENT_TOO_LARGE as MHD_HTTP_PAYLOAD_TOO_LARGE is deprecated since 0.9.74 (#2122499) +- Fix build with µhttpd 0.9.71 (#2122499) +- ci: replace LGTM with CodeQL (#2122499) +- ci(mergify): Update policy - Drop LGTM checks (#2122499) +- time-util: fix buffer-over-run (#2139391) * Fri Aug 26 2022 systemd maintenance team - 239-67 - resolved: pin stream while calling callbacks for it (#2110549)