diff --git a/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch b/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch
new file mode 100644
index 0000000..473b05e
--- /dev/null
+++ b/SOURCES/BZ-1778763-fix-typo-sig_typ-sig_type.patch
@@ -0,0 +1,35 @@
+From ea0f047e1b390510556be9fc453782ef63976207 Mon Sep 17 00:00:00 2001
+From: Marek Blaha
+Date: Mon, 16 Dec 2019 14:15:09 +0100
+Subject: [PATCH] Fix typo sig_typ -> sig_type (RhBug:1778763)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1778763
+---
+ yum/pgpmsg.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/yum/pgpmsg.py b/yum/pgpmsg.py
+index dae60c9..d3d30a1 100644
+--- a/yum/pgpmsg.py
++++ b/yum/pgpmsg.py
+@@ -983,7 +983,7 @@ be scanned to make sure they are valid for a pgp certificate."""
+ # bind it to the key
+ while pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG :
+ if pkts[pkt_idx].sig_type not in (SIG_TYPE_PK_USER_GEN, SIG_TYPE_PK_USER_PER, SIG_TYPE_PK_USER_CAS, SIG_TYPE_PK_USER_POS, SIG_TYPE_CERT_REVOKE) :
+- raise ValueError('signature %d doesn\'t bind user_id to key, is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_typ)))
++ raise ValueError('signature %d doesn\'t bind user_id to key, is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+
+ user_id.append(pkts[pkt_idx])
+
+@@ -1078,7 +1078,7 @@ be scanned to make sure they are valid for a pgp certificate."""
+ if pkt_idx >= len(pkts) :
+ raise ValueError('subkey at index %d was not followed by a signature' % (pkt_idx-1))
+ if pkts[pkt_idx].pkt_typ != CTB_PKT_SIG or pkts[pkt_idx].sig_type != SIG_TYPE_SUBKEY_BIND :
+- raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_typ)))
++ raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+ subkey.append(pkts[pkt_idx])
+
+ pkt_idx = pkt_idx + 1
+--
+libgit2 0.28.5
+
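Review bot: Neither corrected `raise ValueError(...)` line appears to be covered by a test, and the misspelled `sig_typ` attribute would presumably have raised AttributeError while the message was being formatted, so a malformed certificate surfaced as the wrong exception type until now. A regression test that feeds the parser a user-ID signature of a non-certification type, and a subkey followed by a non-binding signature, and asserts ValueError in both cases would keep these rejection paths from breaking silently again. Both enclosing loops start and end outside the hunks, so whether callers catch only ValueError cannot be confirmed from here.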
diff --git a/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch b/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch
new file mode 100644
index 0000000..31668e7
--- /dev/null
+++ b/SOURCES/BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch
@@ -0,0 +1,48 @@
+From f8616a2d6e22705371fe6ba47597238d3d1dc2f1 Mon Sep 17 00:00:00 2001
+From: Pavla Kratochvilova
+Date: Fri, 3 Apr 2020 07:59:38 +0200
+Subject: [PATCH] Check for revoked subkeys before checking the signature. BZ 1778784
+
+The reverse order resulted in error "Invalid GPG Key from
+: signature 9 doesn't bind subkey to key, type is
+subkey revocation" when the package was signed with a GPG key
+with revoked subkey.
+---
+ yum/pgpmsg.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/yum/pgpmsg.py b/yum/pgpmsg.py
+index d3d30a1..1b7698b 100644
+--- a/yum/pgpmsg.py
++++ b/yum/pgpmsg.py
+@@ -1074,21 +1074,21 @@ be scanned to make sure they are valid for a pgp certificate."""
+ pkt_idx = pkt_idx + 1
+ is_revoked = 0
+
++ # there may optionally be a revocation
++ if pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG and pkts[pkt_idx].sig_type == SIG_TYPE_SUBKEY_REVOKE :
++ is_revoked = 1
++ subkey.append(pkts[pkt_idx])
++ pkt_idx = pkt_idx + 1
++
+ # there must be one signature following the subkey that binds it to the main key
+ if pkt_idx >= len(pkts) :
+ raise ValueError('subkey at index %d was not followed by a signature' % (pkt_idx-1))
+ if pkts[pkt_idx].pkt_typ != CTB_PKT_SIG or pkts[pkt_idx].sig_type != SIG_TYPE_SUBKEY_BIND :
+ raise ValueError('signature %d doesn\'t bind subkey to key, type is %s' % (pkt_idx, map_to_str(sig_type_to_str, pkts[pkt_idx].sig_type)))
+ subkey.append(pkts[pkt_idx])
+
+ pkt_idx = pkt_idx + 1
+
+- # there may optionally be a revocation
+- if pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG and pkts[pkt_idx].sig_type == SIG_TYPE_SUBKEY_REVOKE :
+- is_revoked = 1
+- subkey.append(pkts[pkt_idx])
+- pkt_idx = pkt_idx + 1
+-
+ # append the user ID and signature(s) onto the list
+ if is_revoked :
+ self.rvkd_subkeys.append(subkey)
+--
+libgit2 0.28.5
+
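Review bot: Moving the optional `SIG_TYPE_SUBKEY_REVOKE` check ahead of the binding-signature check accepts revocation-then-binding but drops the binding-then-revocation order that the removed lines handled. A certificate that stores the revocation after the binding signature would now leave a stray signature packet for the loop code outside this hunk, and would probably be rejected or have its subkey filed as not revoked. Since the bug report shows both orders occur in practice, I would keep the new leading check and also retain the trailing one after the binding signature is appended, as sketched below. Separately, `is_revoked` is derived from the packet type alone in this hunk and no signature verification is visible here, so confirm that verification happens elsewhere before the revoked/valid split is trusted. The enclosing loop starts and ends outside the hunk.

```python
# … unchanged: leading optional revocation and binding-signature checks …
subkey.append(pkts[pkt_idx])
pkt_idx = pkt_idx + 1

# a revocation may also follow the binding signature (the order accepted before this change)
if pkt_idx < len(pkts) and pkts[pkt_idx].pkt_typ == CTB_PKT_SIG and pkts[pkt_idx].sig_type == SIG_TYPE_SUBKEY_REVOKE :
    is_revoked = 1
    subkey.append(pkts[pkt_idx])
    pkt_idx = pkt_idx + 1
```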
diff --git a/SOURCES/centos-branding-yum.patch b/SOURCES/centos-branding-yum.patch
deleted file mode 100644
index f100222..0000000
--- a/SOURCES/centos-branding-yum.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -uNrp yum-3.4.3.orig/yum/constants.py yum-3.4.3/yum/constants.py
---- yum-3.4.3.orig/yum/constants.py 2018-01-30 11:17:56.961899488 +0000
-+++ yum-3.4.3/yum/constants.py 2018-01-30 11:41:57.421866122 +0000
-@@ -123,22 +123,22 @@ REPO_PROBLEM_PACKAGE=5
-
-
- ERRORS_TO_KBASE_ARTICLES = {
-- 404: """To address this issue please refer to the below knowledge base article
-+ 404: """To address this issue please refer to the below wiki article
-
--https://access.redhat.com/articles/1320623
-+https://wiki.centos.org/yum-errors
-
--If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
-+If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
- """,
-- 403: """To address this issue please refer to the below knowledge base article
-+ 403: """To address this issue please refer to the below wiki article
-
--https://access.redhat.com/solutions/69319
-+https://wiki.centos.org/yum-errors
-
--If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.
-+If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
- """,
-- 60: """It was impossible to connect to the Red Hat servers.
-+ 60: """It was impossible to connect to the CentOS servers.
- This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
- or a transparent proxy that tampers with TLS security, or an incorrect system clock.
--Please collect information about the specific failure that occurs in your environment,
--using the instructions in: https://access.redhat.com/solutions/1527033 and open a ticket with Red Hat Support.
-+You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
-+If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
- """
--}
-\ No newline at end of file
-+}
diff --git a/SOURCES/yum.conf.centos b/SOURCES/yum.conf.centos
deleted file mode 100644
index 367126f..0000000
--- a/SOURCES/yum.conf.centos
+++ /dev/null
@@ -1,26 +0,0 @@
-[main]
-cachedir=/var/cache/yum/$basearch/$releasever
-keepcache=0
-debuglevel=2
-logfile=/var/log/yum.log
-exactarch=1
-obsoletes=1
-gpgcheck=1
-plugins=1
-installonly_limit=5
-bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
-distroverpkg=centos-release
-
-
-# This is the default, if you make this bigger yum won't see if the metadata
-# is newer on the remote and so you'll "gain" the bandwidth of not having to
-# download the new metadata and "pay" for it by yum not having correct
-# information.
-# It is esp. important, to have correct metadata, for distributions like
-# Fedora which don't keep old packages around. If you don't like this checking
-# interupting your command line usage, it's much better to have something
-# manually check the metadata once an hour (yum-updatesd will do this).
-# metadata_expire=90m
-
-# PUT YOUR REPOS HERE OR IN separate files named file.repo
-# in /etc/yum.repos.d
diff --git a/SPECS/yum.spec b/SPECS/yum.spec
index d16592a..21531f6 100644
--- a/SPECS/yum.spec
+++ b/SPECS/yum.spec
@@ -32,11 +32,11 @@
 Summary: RPM package installer/updater/manager
 Name: yum
 Version: 3.4.3
-Release: 167%{?dist}
+Release: 168%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source0: http://yum.baseurl.org/download/3.4/%{name}-%{version}.tar.gz
-Source1: yum.conf.centos
+Source1: yum.conf.fedora
 Source2: yum-updatesd.conf.fedora
 Patch1: yum-distro-configs.patch
 Patch5: geode-arch.patch
@@ -185,7 +185,9 @@ Patch366: BZ-1573154-docs-yum-command-is-not-optional.patch Patch367: BZ-1645618-updateinfo-suggest-verbose-command.patch Patch368: BZ-1757613-downloadonly-do-not-reset-localpath.patch -Patch1000: centos-branding-yum.patch +# rhel-7.9 +Patch369: BZ-1778763-fix-typo-sig_typ-sig_type.patch +Patch370: BZ-1778784-check-for-revoked-subkeys-before-checking-the-signature.patch URL: http://yum.baseurl.org/ BuildArchitectures: noarch @@ -204,7 +206,6 @@ BuildRequires: pygpgme # End of CheckRequires Conflicts: pirut < 1.1.4 Requires: python >= 2.4 -Requires: yum-plugin-fastestmirror Requires: rpm-python, rpm >= 0:4.11.3-22 Requires: python-iniparse Requires: python-sqlite @@ -454,7 +455,10 @@ Install this package if you want auto yum updates nightly via cron. %patch366 -p1 %patch367 -p1 %patch368 -p1 -%patch1000 -p1 + +# rhel-7.9 +%patch369 -p1 +%patch370 -p1 # Do distro config. changes after everything else. %patch1 -p1 @@ -686,12 +690,11 @@ exit 0 %endif %changelog -* Tue Mar 31 2020 CentOS Sources - 3.4.3-167.el7.centos -- CentOS yum config -- use the CentOS bug tracker url -- retain installonly limit of 5 -- ensure distrover is always from centos-release -- Make yum require yum-plugin-fastestmirror +* Thu Apr 16 2020 Pavla Kratochvilova - 3.4.3-168 +- Fix typo sig_typ -> sig_type +- Resolves: bug#1778763 +- Check for revoked subkeys before checking the signature +- Resolves: bug#1778784 * Fri Jan 10 2020 Michal Domonkos - 3.4.3-167 - downloadonly: do not reset localpath