diff --git a/SOURCES/BZ-1757613-downloadonly-do-not-reset-localpath.patch b/SOURCES/BZ-1757613-downloadonly-do-not-reset-localpath.patch
new file mode 100644
index 0000000..407a5fc
--- /dev/null
+++ b/SOURCES/BZ-1757613-downloadonly-do-not-reset-localpath.patch
@@ -0,0 +1,25 @@
+commit 3da1a101937f62b2e4836346d096d3c745bf34fd
+Author: Lukáš Hrázký
+Date: Tue Dec 17 15:17:08 2019 +0100
+
+ Don't reset the package localpath to temporary after download (RhBug:1757613)
+
+ The path is already changed from temporary to final earlier in the
+ function, as the file is renamed. The removed line seems superfluous and
+ out of place, the value in po.localpath should already be the correct
+ one.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=1757613
+
+diff --git a/yum/__init__.py b/yum/__init__.py
+index 56f8c8c4..9c158c81 100644
+--- a/yum/__init__.py
++++ b/yum/__init__.py
+@@ -2583,7 +2583,6 @@ much more problems).
+ result, errmsg = self.sigCheckPkg(po)
+ if result != 0:
+ self.verbose_logger.warn("%s", errmsg)
+- po.localpath = obj.filename
+ if po in errors:
+ del errors[po]
+
diff --git a/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch b/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch
new file mode 100644
index 0000000..473b05e
--- /dev/null
+++ b/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch
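Review bot: Nothing next to the removed assignment in yum/__init__.py documents why a non-zero result from `self.sigCheckPkg(po)` is only logged through `verbose_logger.warn`, while the lines that follow still clear `po` from `errors`. The listing has lost its indentation, so whether `del errors[po]` also runs on the failure path cannot be read from here. With `po.localpath` now left at the final path, a comment above the check such as `# signature result is advisory here; enforcement happens at install time` (if that is the intent) would record why a failed check does not keep the package out of the download directory. The enclosing function starts and ends outside the hunk.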
@@ -0,0 +1,35 @@
+From ea0f047e1b390510556be9fc453782ef63976207 Mon Sep 17 00:00:00 2001
+From: Marek Blaha
+Date: Mon, 16 Dec 2019 14:15:09 +0100
+Subject: [PATCH] Fix typo sig_typ -> sig_type (RhBug:1778763)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1778763
+---
+ yum/pgpmsg.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/yum/pgpmsg.py b/yum/pgpmsg.py
+index dae60c9..d3d30a1 100644
+--- a/yum/pgpmsg.py
++++ b/yum/pgpmsg.py
+@@ -983,7 +983,7 @@ be scanned to make sure they are valid for a pgp certificate."""
+ # bind it to the key
+ while pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG :
+ if pkts[pkt_idx].sig_type not in (SIG_TYPE_PK_USER_GEN, SIG_TYPE_PK_USER_PER, SIG_TYPE_PK_USER_CAS, SIG_TYPE_PK_USER_POS, SIG_TYPE_CERT_REVOKE) :
+- raise ValueError('signature %d doesn\'t bind user_id to key, is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_typ)))
++ raise ValueError('signature %d doesn\'t bind user_id to key, is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+
+ user_id.append(pkts[pkt_idx])
+
+@@ -1078,7 +1078,7 @@ be scanned to make sure they are valid for a pgp certificate."""
+ if pkt_idx >= len(pkts) :
+ raise ValueError('subkey at index %d was not followed by a signature' % (pkt_idx-1))
+ if pkts[pkt_idx].pkt_typ != CTB_PKT_SIG or pkts[pkt_idx].sig_type != SIG_TYPE_SUBKEY_BIND :
+- raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_typ)))
++ raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+ subkey.append(pkts[pkt_idx])
+
+ pkt_idx = pkt_idx + 1
+--
+libgit2 0.28.5
+
diff --git a/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch b/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch
new file mode 100644
index 0000000..31668e7
--- /dev/null
+++ b/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch
@@ -0,0 +1,48 @@
+From f8616a2d6e22705371fe6ba47597238d3d1dc2f1 Mon Sep 17 00:00:00 2001
+From: Pavla Kratochvilova
+Date: Fri, 3 Apr 2020 07:59:38 +0200
+Subject: [PATCH] Check for revoked subkeys before checking the signature. BZ 1778784
+
+The reverse order resulted in error "Invalid GPG Key from
+: signature 9 doesn't bind subkey to key, type is
+subkey revocation" when the package was signed with a GPG key
+with revoked subkey.
+---
+ yum/pgpmsg.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/yum/pgpmsg.py b/yum/pgpmsg.py
+index d3d30a1..1b7698b 100644
+--- a/yum/pgpmsg.py
++++ b/yum/pgpmsg.py
+@@ -1074,21 +1074,21 @@ be scanned to make sure they are valid for a pgp certificate."""
+ pkt_idx = pkt_idx + 1
+ is_revoked = 0
+
++ # there may optionally be a revocation
++ if pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG and pkts[pkt_idx].sig_type == SIG_TYPE_SUBKEY_REVOKE :
++ is_revoked = 1
++ subkey.append(pkts[pkt_idx])
++ pkt_idx = pkt_idx + 1
++
+ # there must be one signature following the subkey that binds it to the main key
+ if pkt_idx >= len(pkts) :
+ raise ValueError('subkey at index %d was not followed by a signature' % (pkt_idx-1))
+ if pkts[pkt_idx].pkt_typ != CTB_PKT_SIG or pkts[pkt_idx].sig_type != SIG_TYPE_SUBKEY_BIND :
+ raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+ subkey.append(pkts[pkt_idx])
+
+ pkt_idx = pkt_idx + 1
+
+- # there may optionally be a revocation
+- if pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG and pkts[pkt_idx].sig_type == SIG_TYPE_SUBKEY_REVOKE :
+- is_revoked = 1
+- subkey.append(pkts[pkt_idx])
+- pkt_idx = pkt_idx + 1
+-
+ # append the user ID and signature(s) onto the list
+ if is_revoked :
+ self.rvkd_subkeys.append(subkey)
+--
+libgit2 0.28.5
+
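Review bot: The reordered block in yum/pgpmsg.py consumes a subkey revocation only when it precedes the binding signature, so a certificate that lists the `SIG_TYPE_SUBKEY_BIND` packet first and the `SIG_TYPE_SUBKEY_REVOKE` packet after it, which the old code handled, no longer has its revocation picked up here. What the surrounding loop (outside the hunk) does with that leftover signature packet is not visible; if it is skipped rather than rejected, the subkey would not reach `rvkd_subkeys`. The parser should accept the revocation in either position, for example by keeping the optional-revocation check after `subkey.append(pkts[pkt_idx])` for the binding signature as well as before it. `is_revoked` is also set from the packet type alone in these lines, so the comment `# there may optionally be a revocation` could say where, if anywhere, that signature is verified.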
diff --git a/SOURCES/yum.conf.centos b/SOURCES/yum.conf.centos deleted file mode 100644 index 367126f..0000000 --- a/SOURCES/yum.conf.centos +++ /dev/null @@ -1,26 +0,0 @@ -[main] -cachedir=/var/cache/yum/$basearch/$releasever -keepcache=0 -debuglevel=2 -logfile=/var/log/yum.log -exactarch=1 -obsoletes=1 -gpgcheck=1 -plugins=1 -installonly_limit=5 -bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum -distroverpkg=centos-release - - -# This is the default, if you make this bigger yum won't see if the metadata -# is newer on the remote and so you'll "gain" the bandwidth of not having to -# download the new metadata and "pay" for it by yum not having correct -# information. -# It is esp. important, to have correct metadata, for distributions like -# Fedora which don't keep old packages around. If you don't like this checking -# interupting your command line usage, it's much better to have something -# manually check the metadata once an hour (yum-updatesd will do this). -# metadata_expire=90m - -# PUT YOUR REPOS HERE OR IN separate files named file.repo -# in /etc/yum.repos.d diff --git a/SPECS/yum.spec b/SPECS/yum.spec index 23ec8c1..21531f6 100644 --- a/SPECS/yum.spec +++ b/SPECS/yum.spec @@ -32,11 +32,11 @@ Summary: RPM package installer/updater/manager Name: yum Version: 3.4.3 -Release: 166%{?dist} +Release: 168%{?dist} License: GPLv2+ Group: System Environment/Base Source0: http://yum.baseurl.org/download/3.4/%{name}-%{version}.tar.gz -Source1: yum.conf.centos +Source1: yum.conf.fedora Source2: yum-updatesd.conf.fedora Patch1: yum-distro-configs.patch Patch5: geode-arch.patch 
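Review bot: `Source1` in SPECS/yum.spec now names `yum.conf.fedora`, a file this diff neither adds nor shows, while the deleted `yum.conf.centos` carried `gpgcheck=1` in `[main]`. Source1 appears to supply the packaged default configuration, so the review should confirm that the replacement file keeps `gpgcheck=1`. A spec comment next to the line, such as `# Source1 must keep gpgcheck=1 in [main]`, would record that expectation for later rebases.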
@@ -183,6 +183,11 @@ Patch364: BZ-1510495-yumRepo-migrate-more-prints-to-logging.patch Patch365: BZ-1744639-yum-cron-make-sure-output-fully-unicode.patch Patch366: BZ-1573154-docs-yum-command-is-not-optional.patch Patch367: BZ-1645618-updateinfo-suggest-verbose-command.patch +Patch368: BZ-1757613-downloadonly-do-not-reset-localpath.patch + +# rhel-7.9 +Patch369: BZ-1778763-fix-typo-sig_typ-sig_type.patch +Patch370: BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch URL: http://yum.baseurl.org/ BuildArchitectures: noarch @@ -201,7 +206,6 @@ BuildRequires: pygpgme # End of CheckRequires Conflicts: pirut < 1.1.4 Requires: python >= 2.4 -Requires: yum-plugin-fastestmirror Requires: rpm-python, rpm >= 0:4.11.3-22 Requires: python-iniparse Requires: python-sqlite @@ -450,6 +454,11 @@ Install this package if you want auto yum updates nightly via cron. %patch365 -p1 %patch366 -p1 %patch367 -p1 +%patch368 -p1 + +# rhel-7.9 +%patch369 -p1 +%patch370 -p1 # Do distro config. changes after everything else. %patch1 -p1 @@ -681,12 +690,15 @@ exit 0 %endif %changelog -* Sat Nov 02 2019 CentOS Sources - 3.4.3-166.el7.centos -- CentOS yum config -- use the CentOS bug tracker url -- retain installonly limit of 5 -- ensure distrover is always from centos-release -- Make yum require yum-plugin-fastestmirror +* Thu Apr 16 2020 Pavla Kratochvilova - 3.4.3-168 +- Fix typo sig_typ -> sig_type +- Resolves: bug#1778763 +- Check for revoked subkeys before checking the signature +- Resolves: bug#1778784 + +* Fri Jan 10 2020 Michal Domonkos - 3.4.3-167 +- downloadonly: do not reset localpath +- Resolves: bug#1757613 * Mon Sep 09 2019 Michal Domonkos - 3.4.3-166 - docs: yum command argument is not optional