Diffstat (limited to 'meta/recipes-devtools/rpm')
16 files changed, 699 insertions, 360 deletions
diff --git a/meta/recipes-devtools/rpm/files/0001-Add-a-color-setting-for-mips64_n32-binaries.patch b/meta/recipes-devtools/rpm/files/0001-Add-a-color-setting-for-mips64_n32-binaries.patch index ac6dcaf101..331ea849e6 100644 --- a/meta/recipes-devtools/rpm/files/0001-Add-a-color-setting-for-mips64_n32-binaries.patch +++ b/meta/recipes-devtools/rpm/files/0001-Add-a-color-setting-for-mips64_n32-binaries.patch @@ -1,20 +1,21 @@ -From e3eff024826550aec4a6a5baef7210a29faf299d Mon Sep 17 00:00:00 2001 +From 5492ac3c716020a27a25253bbffe810db43202bf Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Thu, 9 Mar 2017 18:54:02 +0200 Subject: [PATCH] Add a color setting for mips64_n32 binaries Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> + --- - build/rpmfc.c | 1 + + build/rpmfc.c | 4 ++++ rpmrc.in | 2 ++ - 2 files changed, 3 insertions(+) + 2 files changed, 6 insertions(+) diff --git a/build/rpmfc.c b/build/rpmfc.c -index d38a10916..c8e2f876a 100644 +index 10c380ee9..b7655aa93 100644 --- a/build/rpmfc.c +++ b/build/rpmfc.c -@@ -622,6 +622,7 @@ exit: +@@ -639,6 +639,7 @@ exit: static const struct rpmfcTokens_s rpmfcTokens[] = { { "directory", RPMFC_INCLUDE }, @@ -22,11 +23,21 @@ index d38a10916..c8e2f876a 100644 { "ELF 32-bit", RPMFC_ELF32|RPMFC_INCLUDE }, { "ELF 64-bit", RPMFC_ELF64|RPMFC_INCLUDE }, +@@ -1149,6 +1150,9 @@ static uint32_t getElfColor(const char *fn) + color = RPMFC_ELF32; + break; + } ++ if (ehdr.e_machine == EM_MIPS || ehdr.e_machine == EM_MIPS_RS3_LE) ++ if (ehdr.e_flags & EF_MIPS_ABI2) ++ color = RPMFC_ELFMIPSN32; + elf_end(elf); + } + close(fd); diff --git a/rpmrc.in b/rpmrc.in -index abc08fc31..f5bc820d8 100644 +index 5bd9ba3e5..f15bb8dad 100644 --- a/rpmrc.in +++ b/rpmrc.in -@@ -133,6 +133,8 @@ archcolor: mipsr6el 1 +@@ -137,6 +137,8 @@ archcolor: mipsr6el 1 archcolor: mips64r6 2 archcolor: mips64r6el 2 
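Review bot: The new `getElfColor` hunk inside the refreshed patch (`@@ -1149,6 +1150,9 @@`) adds two unbraced nested `if` statements, which is the dangling-else shape a later edit can silently mis-associate; fold them into one braced condition: `if ((ehdr.e_machine == EM_MIPS || ehdr.e_machine == EM_MIPS_RS3_LE) && (ehdr.e_flags & EF_MIPS_ABI2)) { color = RPMFC_ELFMIPSN32; }`. The embedded patch's description still only says a color setting is added, while its `build/rpmfc.c` hunk has grown from one to four insertions; one sentence there noting that ELF colouring now detects N32 objects via `EF_MIPS_ABI2` would save the next rebase a re-derivation. `getElfColor` begins and ends outside the hunk, and the `RPMFC_ELFMIPSN32` definition is not visible here, so I assume it is introduced by the hunk at `@@ -639,6 +639,7 @@`.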
@@ -35,6 +46,3 @@ index abc08fc31..f5bc820d8 100644 archcolor: m68k 1 archcolor: m68kmint 1 --- -2.11.0 - diff --git a/meta/recipes-devtools/rpm/files/0001-Bump-up-the-limit-of-signature-header-to-64MB.patch b/meta/recipes-devtools/rpm/files/0001-Bump-up-the-limit-of-signature-header-to-64MB.patch deleted file mode 100644 index 0a19c12a7a..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-Bump-up-the-limit-of-signature-header-to-64MB.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From e8bf0eba7143abb6e69db82ee747a0c6790dd00a Mon Sep 17 00:00:00 2001 -From: Hongxu Jia <hongxu.jia@windriver.com> -Date: Wed, 3 Jun 2020 10:25:24 +0800 -Subject: [PATCH] Bump up the limit of signature header to 64MB - -Since commits [Place file signatures into the signature header where they -belong][1] applied, run `rpm -Kv **.rpm' failed if signature header -is larger than 64KB. Here are steps: - -1) A unsigned rpm package, the size is 227560 bytes -$ ls -al xz-src-5.2.5-r0.corei7_64.rpm --rw-------. 1 mockbuild 1000 227560 Jun 3 09:59 - -2) Sign the rpm package -$ rpmsign --addsign ... xz-src-5.2.5-r0.corei7_64.rpm - -3) The size of signed rpm is 312208 bytes -$ ls -al xz-src-5.2.5-r0.corei7_64.rpm --rw-------. 1 mockbuild 1000 312208 Jun 3 09:48 - -4) Run `rpm -Kv' failed with signature hdr data out of range -$ rpm -Kv xz-src-5.2.5-r0.corei7_64.rpm -xz-src-5.2.5-r0.corei7_64.rpm: -error: xz-src-5.2.5-r0.corei7_64.rpm: signature hdr data: BAD, no. of -bytes(88864) out of range - -From 1) and 3), the size of signed rpm package increased -312208 - 227560 = 84648, so the check of dl_max (64KB,65536) -is not enough. - -As [1] said: - - This also means the signature header can be MUCH bigger than ever - before,so bump up the limit (to 64MB, arbitrary something for now) - -So [1] missed to multiply by 1024. 
- -[1] https://github.com/rpm-software-management/rpm/commit/f558e886050c4e98f6cdde391df679a411b3f62c - -Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/486579912381ede82172dc6d0ff3941a6d0536b5] - -Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> ---- - lib/header.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/header.c b/lib/header.c -index 9ec7ed0..cbf6890 100644 ---- a/lib/header.c -+++ b/lib/header.c -@@ -1906,7 +1906,7 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl - - if (regionTag == RPMTAG_HEADERSIGNATURES) { - il_max = 32; -- dl_max = 64 * 1024; -+ dl_max = 64 * 1024 * 1024; - } - - memset(block, 0, sizeof(block)); --- -2.25.4 - diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch new file mode 100644 index 0000000000..044b4dd2a0 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch 
@@ -0,0 +1,57 @@ +From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Thu, 30 Sep 2021 09:56:20 +0300 +Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function + +No functional changes, just to reduce code duplication and needed by +the following commits. + +CVE: CVE-2021-3521 +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + rpmio/rpmpgp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index d0688ebe9a..e472b5320f 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) + return algo; + } + ++static pgpDigParams pgpDigParamsNew(uint8_t tag) ++{ ++ pgpDigParams digp = xcalloc(1, sizeof(*digp)); ++ digp->tag = tag; ++ return digp; ++} ++ + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + pgpDigParams * ret) + { +@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + if (pkttype && pkt.tag != pkttype) { + break; + } else { +- digp = xcalloc(1, sizeof(*digp)); +- digp->tag = pkt.tag; ++ digp = pgpDigParamsNew(pkt.tag); + } + } + +@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, + digps = xrealloc(digps, alloced * sizeof(*digps)); + } + +- digps[count] = xcalloc(1, sizeof(**digps)); +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY; ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY); + /* Copy UID from main key to subkey */ + digps[count]->userid = xstrdup(mainkey->userid); + +-- +2.17.1 + 
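Review bot: The new `pgpDigParamsNew` helper has no comment, and since it becomes the single allocation point for both primary-key and subkey params in `rpmpgp.c`, its contract is worth stating: `/* Allocate a zeroed pgpDigParams tagged with the packet type; the caller owns the result. */`. Whether `xcalloc` aborts or can return NULL is not visible in this hunk; if it can return NULL the helper dereferences it at `digp->tag = tag`, so presumably it aborts like rpm's other x-wrappers — confirm. The two call sites it replaces behave identically, so the backport is otherwise a pure refactor as the description says.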
diff --git a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch index 52440d6818..6d236ac400 100644 --- a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch +++ b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch @@ -1,4 +1,4 @@ -From 2f3d1619b6510bc131c4375827caf912559f0fa2 Mon Sep 17 00:00:00 2001 +From 8d013fe154a162305f76141151baf767dd04b598 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Mon, 27 Feb 2017 09:43:30 +0200 Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac -index d3aeab86e..1a1f3f91f 100644 +index eb7d6941b..10a889b5d 100644 --- a/configure.ac +++ b/configure.ac -@@ -1086,7 +1086,7 @@ else +@@ -871,7 +871,7 @@ else usrprefix=$prefix fi @@ -27,10 +27,10 @@ index d3aeab86e..1a1f3f91f 100644 AC_SUBST(OBJDUMP) diff --git a/macros.in b/macros.in -index fe9803aad..d128675bf 100644 +index a1f795e5f..689e784ef 100644 --- a/macros.in +++ b/macros.in -@@ -985,7 +985,7 @@ package or when debugging this package.\ +@@ -933,7 +933,7 @@ package or when debugging this package.\ %_sharedstatedir %{_prefix}/com %_localstatedir %{_prefix}/var %_lib lib @@ -40,7 +40,7 @@ index fe9803aad..d128675bf 100644 %_infodir %{_datadir}/info %_mandir %{_datadir}/man diff --git a/rpm.am b/rpm.am -index 40b4ec55f..3139ce8f6 100644 +index 7b57f433b..9bbb9ee96 100644 --- a/rpm.am +++ b/rpm.am @@ -1,10 +1,10 @@ @@ -55,4 +55,4 @@ index 40b4ec55f..3139ce8f6 100644 +rpmconfigdir = $(libdir)/rpm # Libtool version (current-revision-age) for all our libraries - rpm_version_info = 9:1:0 + rpm_version_info = 11:0:2 
diff --git a/meta/recipes-devtools/rpm/files/0001-Fix-build-with-musl-C-library.patch b/meta/recipes-devtools/rpm/files/0001-Fix-build-with-musl-C-library.patch deleted file mode 100644 index 0b1d6298a9..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-Fix-build-with-musl-C-library.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d076de030deb9cafd9b2e82be5d506cebdefad0b Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Mon, 27 Feb 2017 14:43:21 +0200 -Subject: [PATCH 1/9] Fix build with musl C library. - -Upstream-Status: Pending -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> - ---- - configure.ac | 3 ++- - rpmio/digest_nss.c | 1 + - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index c04a2e8d1..c9d9ac16d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -255,6 +255,7 @@ AC_SEARCH_LIBS(dlopen, [dl]) - # Check for libelf library. Prefer external, otherwise none. - WITH_LIBELF_LIB= - AC_CHECK_HEADER([libelf.h]) -+AC_CHECK_HEADERS([error.h], [WITH_ERROR_H=yes]) - AC_CHECK_HEADERS([gelf.h], [ - AC_CHECK_LIB(elf, gelf_getvernaux, [ - AC_DEFINE(HAVE_LIBELF, 1, [Define to 1 if you have the 'elf' library (-lelf).]) -@@ -263,7 +264,7 @@ AC_CHECK_HEADERS([gelf.h], [ - ]) - ]) - AC_SUBST(WITH_LIBELF_LIB) --AM_CONDITIONAL(LIBELF,[test "$WITH_LIBELF" = yes]) -+AM_CONDITIONAL(LIBELF,[test "$WITH_LIBELF" = yes && test "$WITH_ERROR_H" = yes]) - - AC_CHECK_HEADERS([dwarf.h], [ - WITH_LIBDWARF=yes -diff --git a/rpmio/digest_nss.c b/rpmio/digest_nss.c -index 992d9acf6..e11920e3e 100644 ---- a/rpmio/digest_nss.c -+++ b/rpmio/digest_nss.c -@@ -1,5 +1,6 @@ - #include "system.h" - -+#include <signal.h> - #include <pthread.h> - #include <nss.h> - #include <sechash.h> --- -2.14.2 - 
diff --git a/meta/recipes-devtools/rpm/files/0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch b/meta/recipes-devtools/rpm/files/0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch new file mode 100644 index 0000000000..79b168257e --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch @@ -0,0 +1,28 @@ +From 2d351c666f09cc1b9e368422653fb42ac8b86249 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Tue, 31 Aug 2021 10:37:05 +0200 +Subject: [PATCH] build/pack.c: do not insert payloadflags into .rpm metadata + +The flags look like '19T56' where 19 is the compression level +(deterministic), and 56 is the amount of threads (varies from one +host to the next and breaks reproducibility for .rpm). + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + build/pack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/build/pack.c b/build/pack.c +index 932cb213e..b45d0726f 100644 +--- a/build/pack.c ++++ b/build/pack.c +@@ -328,7 +328,7 @@ static char *getIOFlags(Package pkg) + headerPutString(pkg->header, RPMTAG_PAYLOADCOMPRESSOR, compr); + buf = xstrdup(rpmio_flags); + buf[s - rpmio_flags] = '\0'; +- headerPutString(pkg->header, RPMTAG_PAYLOADFLAGS, buf+1); ++ headerPutString(pkg->header, RPMTAG_PAYLOADFLAGS, ""); + free(buf); + } + exit: diff --git a/meta/recipes-devtools/rpm/files/0001-docs-do-not-build-manpages-requires-pandoc.patch b/meta/recipes-devtools/rpm/files/0001-docs-do-not-build-manpages-requires-pandoc.patch new file mode 100644 index 0000000000..ced52d1007 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-docs-do-not-build-manpages-requires-pandoc.patch 
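Review bot: With the replaced line now storing `""` in `RPMTAG_PAYLOADFLAGS`, the context lines `buf = xstrdup(rpmio_flags);` and `buf[s - rpmio_flags] = '\0';` followed by `free(buf);` exist only to derive a string that is no longer recorded, so the patch leaves a dead allocation and truncation on every package build. Whether `buf` or `s` is used further down is not visible, since `getIOFlags` continues outside the hunk; if they are not, drop those lines, and in either case add `/* payload flags deliberately left empty: the thread count is host-specific and breaks reproducibility */` above the `headerPutString` so the next rebase does not "fix" it back. Consumers that read `RPMTAG_PAYLOADFLAGS` to pick a decompressor level are presumably unaffected because the compressor name is still written to `RPMTAG_PAYLOADCOMPRESSOR` on the line above — worth confirming against rpm's own readers.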
@@ -0,0 +1,26 @@ +From 9bf1693092385eba9841614613313010221ca01f Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex.kanavin@gmail.com> +Date: Tue, 29 Jun 2021 20:11:26 +0200 +Subject: [PATCH] docs: do not build manpages (requires pandoc) + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> +--- + docs/Makefile.am | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 5a6bd203a..6257767fd 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -1,7 +1,5 @@ + ## Process this file with automake to produce Makefile.in + +-SUBDIRS = man +- + EXTRA_DIST = + + EXTRA_DIST += \ +-- +2.32.0 + diff --git a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch deleted file mode 100644 index 6454785254..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 0066b862bb3a09f39295abd5d972a53ac8dc1555 Mon Sep 17 00:00:00 2001 -From: Peter Bergin <peter@berginkonsult.se> -Date: Wed, 19 Sep 2018 15:12:31 +0200 -Subject: [PATCH] rpm/rpmio.c: restrict virtual memory usage if limit set - -A solution to avoid OOM situation when the virtual memory is restricted -for a user (ulimit -v). As the lzopen_internal function is run in parallel -one instance per CPU thread the available virtual memory is limited per -CPU thread. - -Upstream-Status: Pending [merge of multithreading patches to upstream] - -Signed-off-by: Peter Bergin <peter@berginkonsult.se> ---- - rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c -index e051c98..b3c56b6 100644 ---- a/rpmio/rpmio.c -+++ b/rpmio/rpmio.c -@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz) - } - #endif - -+ struct rlimit virtual_memory; -+ getrlimit(RLIMIT_AS, &virtual_memory); -+ if (virtual_memory.rlim_cur != RLIM_INFINITY) { -+ const uint64_t virtual_memlimit = virtual_memory.rlim_cur; -+ const uint64_t virtual_memlimit_per_cpu_thread = -+ virtual_memlimit / lzma_cputhreads(); -+ uint64_t memory_usage_virt; -+ rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and " -+ "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread); -+ /* keep reducing the number of compression threads until memory -+ usage falls below the limit per CPU thread*/ -+ while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) > -+ virtual_memlimit_per_cpu_thread) { -+ /* If number of threads goes down to zero lzma_stream_encoder will -+ * will return UINT64_MAX. We must check here to avoid an infinite loop. -+ * If we get into situation that one thread requires more virtual memory -+ * than available we set one thread, print error message and try anyway. 
*/ -+ if (--mt_options.threads == 0) { -+ mt_options.threads = 1; -+ rpmlog(RPMLOG_WARNING, -+ "XZ: Could not adjust number of threads to get below " -+ "virtual memory limit %lu. usage %lu\n", -+ virtual_memlimit_per_cpu_thread, memory_usage_virt); -+ break; -+ } -+ } -+ if (threads != (int)mt_options.threads) -+ rpmlog(RPMLOG_NOTICE, -+ "XZ: Adjusted the number of threads from %d to %d to not " -+ "exceed the memory usage limit of %lu bytes\n", -+ threads, mt_options.threads, virtual_memlimit); -+ -+ } -+ - ret = lzma_stream_encoder_mt(&lzfile->strm, &mt_options); - } - #endif --- -2.7.4 - diff --git a/meta/recipes-devtools/rpm/files/0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch b/meta/recipes-devtools/rpm/files/0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch deleted file mode 100644 index d8d338792d..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 93c3c7f043f62e96941274e957c4ad9432032af1 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Mon, 18 Nov 2019 16:22:56 +0100 -Subject: [PATCH] rpmfc.c: do not run file classification in parallel - -This is causing freezes with libmagic when the file in question is compressed: -https://github.com/rpm-software-management/rpm/issues/756 - -Upstream-Status: Inappropriate [upstream wants a proper fix] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - build/rpmfc.c | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/build/rpmfc.c b/build/rpmfc.c -index 3db7a9352..17afdd57a 100644 ---- a/build/rpmfc.c -+++ b/build/rpmfc.c -@@ -680,7 +680,6 @@ static void rpmfcAttributes(rpmfc fc, int ix, const char *ftype, const char *ful - /* Add attributes on libmagic type & path pattern matches */ - if (matches(&(*attr)->incl, ftype, path, is_executable)) { - argvAddTokens(&fc->fattrs[ix], (*attr)->name); -- #pragma omp critical(fahash) - fattrHashAddEntry(fc->fahash, attr-fc->atypes, ix); - } - } -@@ -1105,7 +1104,6 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode) - /* Build (sorted) file class dictionary. 
*/ - fc->cdict = rpmstrPoolCreate(); - -- #pragma omp parallel - { - /* libmagic is not thread-safe, each thread needs to a private handle */ - magic_t ms = magic_open(msflags); -@@ -1113,15 +1111,12 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode) - if (ms == NULL) { - rpmlog(RPMLOG_ERR, _("magic_open(0x%x) failed: %s\n"), - msflags, strerror(errno)); -- #pragma omp cancel parallel - } - - if (magic_load(ms, NULL) == -1) { - rpmlog(RPMLOG_ERR, _("magic_load failed: %s\n"), magic_error(ms)); -- #pragma omp cancel parallel - } - -- #pragma omp for ordered reduction(+:nerrors) - for (int ix = 0; ix < fc->nfiles; ix++) { - rpmsid ftypeId; - const char * ftype; -@@ -1185,14 +1180,11 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode) - fc->fcolor[ix] = fcolor; - - /* Add to file class dictionary and index array */ -- #pragma omp ordered - if (fcolor != RPMFC_WHITE && (fcolor & RPMFC_INCLUDE)) { - ftypeId = rpmstrPoolId(fc->cdict, ftype, 1); -- #pragma omp atomic - fc->fknown++; - } else { - ftypeId = rpmstrPoolId(fc->cdict, "", 1); -- #pragma omp atomic - fc->fwhite++; - } - /* Pool id's start from 1, for headers we want it from 0 */ diff --git a/meta/recipes-devtools/rpm/files/0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch b/meta/recipes-devtools/rpm/files/0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch deleted file mode 100644 index 8842e3ebd7..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 6878a83f9bac015c64d83cee42530a20a264cc5a Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Tue, 7 Jan 2020 12:02:06 +0100 -Subject: [PATCH] rpmplugins.c: call dlerror() prior to dlsym() - -This is the recommended way in the manpage; if there is -a lingering error from an unrelated dl*() call that was -never obtained via dlerror(), it needs to be cleared -prior to calling dlsym(). - -Upstream-Status: Submitted [https://github.com/rpm-software-management/rpm/pull/998] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - lib/rpmplugins.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/rpmplugins.c b/lib/rpmplugins.c -index 65e684e84..b950f85cf 100644 ---- a/lib/rpmplugins.c -+++ b/lib/rpmplugins.c -@@ -68,6 +68,8 @@ static rpmPlugin rpmPluginNew(const char *name, const char *path, - - /* make sure the plugin has the supported hooks flag */ - hooks_name = rstrscat(NULL, name, "_hooks", NULL); -+ /* clear out any old errors that weren't fetched */ -+ dlerror(); - hooks = dlsym(handle, hooks_name); - if ((error = dlerror()) != NULL) { - rpmlog(RPMLOG_ERR, _("Failed to resolve symbol %s: %s\n"), diff --git a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch new file mode 100644 index 0000000000..9783396639 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch 
@@ -0,0 +1,71 @@ +From 9b9d717f484ec913cdd3804e43489b3dc18bd77c Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 31 Oct 2020 22:14:05 -0700 +Subject: [PATCH] tools: Add error.h for non-glibc case + +error is glibc specific API, so this patch will mostly not accepted +upstream given that elfutils has been closely tied to glibc + +Upstream-Status: Inappropriate [workaround for musl] + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- + tools/elfdeps.c | 6 +++++- + tools/error.h | 27 +++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 1 deletion(-) + create mode 100644 tools/error.h + +diff --git a/tools/elfdeps.c b/tools/elfdeps.c +index d205935bb..3a8945b33 100644 +--- a/tools/elfdeps.c ++++ b/tools/elfdeps.c +@@ -5,10 +5,14 @@ + #include <unistd.h> + #include <stdlib.h> + #include <fcntl.h> +-#include <error.h> + #include <errno.h> + #include <popt.h> + #include <gelf.h> ++#ifdef __GLIBC__ ++#include <error.h> ++#else ++#include "error.h" ++#endif + + #include <rpm/rpmstring.h> + #include <rpm/argv.h> +diff --git a/tools/error.h b/tools/error.h +new file mode 100644 +index 000000000..ef06827a0 +--- /dev/null ++++ b/tools/error.h +@@ -0,0 +1,27 @@ ++#ifndef _ERROR_H_ ++#define _ERROR_H_ ++ ++#include <stdarg.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <errno.h> ++ ++static unsigned int error_message_count = 0; ++ ++static inline void error(int status, int errnum, const char* format, ...) ++{ ++ va_list ap; ++ fprintf(stderr, "%s: ", program_invocation_name); ++ va_start(ap, format); ++ vfprintf(stderr, format, ap); ++ va_end(ap); ++ if (errnum) ++ fprintf(stderr, ": %s", strerror(errnum)); ++ fprintf(stderr, "\n"); ++ error_message_count++; ++ if (status) ++ exit(status); ++} ++ ++#endif /* _ERROR_H_ */ diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch new file mode 100644 index 0000000000..683b57d455 
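Review bot: The `error()` replacement in `tools/error.h` takes a printf-style format but carries no format attribute, so `-Wformat` cannot check the callers in `elfdeps.c` the way it does against glibc's declaration; define it as `static inline void error(int status, int errnum, const char *format, ...) __attribute__((format(printf, 3, 4)))` so a mismatched or non-literal format is still diagnosed. It also relies on `program_invocation_name`, which musl exposes from `<errno.h>` only under `_GNU_SOURCE`; whether that macro is defined for this translation unit is not visible here, so confirm the build sets it. `_ERROR_H_` is a reserved identifier (leading underscore followed by an uppercase letter) and `static unsigned int error_message_count` in a header gives every including file its own counter plus an unused-variable warning; `ERROR_H` and dropping or `static inline`-wrapping the counter avoid both. glibc's `error()` also flushes stdout before writing to stderr, so adding `fflush(stdout);` as the first statement keeps output ordering identical across libcs.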
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
@@ -0,0 +1,64 @@ +From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Thu, 30 Sep 2021 09:51:10 +0300 +Subject: [PATCH 2/3] Process MPI's from all kinds of signatures + +No immediate effect but needed by the following commits. + +CVE: CVE-2021-3521 +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +--- + rpmio/rpmpgp.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index 25f67048fd..509e777e6d 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -543,7 +543,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg) + return NULL; + } + +-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, ++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, + const uint8_t *p, const uint8_t *h, size_t hlen, + pgpDigParams sigp) + { +@@ -556,10 +556,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, + int mpil = pgpMpiLen(p); + if (pend - p < mpil) + break; +- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) { +- if (sigalg->setmpi(sigalg, i, p)) +- break; +- } ++ if (sigalg->setmpi(sigalg, i, p)) ++ break; + p += mpil; + } + +@@ -619,7 +617,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + } + + p = ((uint8_t *)v) + sizeof(*v); +- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); ++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); + } break; + case 4: + { pgpPktSigV4 v = (pgpPktSigV4)h; +@@ -677,8 +675,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + p += 2; + if (p > hend) + return 1; +- +- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); ++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); + } break; + default: + rpmlog(RPMLOG_WARNING, _("Unsupported 
version of signature: V%d\n"), version); +-- +2.17.1 + diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch new file mode 100644 index 0000000000..a5ec802501 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch 
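Review bot: After this change every signature type reaches `sigalg->setmpi`, so the loop's truncation path `if (pend - p < mpil) break;` now also governs subkey-binding and certification signatures, and the hunk does not show what `pgpPrtSigParams` returns when the loop exits early with fewer MPIs consumed than the algorithm expects; the return after the loop is outside the hunk, so confirm a truncated MPI sequence still yields a non-zero rc rather than a partially populated `sigalg` that the later binding-signature verification treats as complete. A comment at the top of the loop, `/* MPIs are parsed for every signature type; binding-signature validation depends on them being present */`, would record why the sigtype gate was removed. `pgpMpiLen(p)` reads the MPI length prefix at `p`; that at least two bytes remain before `pend` is not checked in the visible lines and is presumably guaranteed earlier in the function.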
@@ -0,0 +1,329 @@ +From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001 +From: Panu Matilainen <pmatilai@redhat.com> +Date: Thu, 30 Sep 2021 09:59:30 +0300 +Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP + public keys + +All subkeys must be followed by a binding signature by the primary key +as per the OpenPGP RFC, enforce the presence and validity in the parser. + +The implementation is as kludgey as they come to work around our +simple-minded parser structure without touching API, to maximise +backportability. Store all the raw packets internally as we decode them +to be able to access previous elements at will, needed to validate ordering +and access the actual data. Add testcases for manipulated keys whose +import previously would succeed. + +Depends on the two previous commits: +7b399fcb8f52566e6f3b4327197a85facd08db91 and +236b802a4aa48711823a191d1b7f753c82a89ec5 + +Fixes CVE-2021-3521. + +Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9] +CVE:CVE-2021-3521 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +--- + rpmio/rpmpgp.c | 99 +++++++++++++++++-- + tests/Makefile.am | 3 + + tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++ + .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++ + tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++ + tests/rpmsigdig.at | 28 ++++++ + 6 files changed, 209 insertions(+), 8 deletions(-) + create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc + create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc + create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index 509e777e6d..371ad4d9b6 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -1061,33 +1061,116 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag) + return digp; + } + ++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag) ++{ ++ int rc = -1; ++ if (pkt->tag == 
exptag) { ++ uint8_t head[] = { ++ 0x99, ++ (pkt->blen >> 8), ++ (pkt->blen ), ++ }; ++ ++ rpmDigestUpdate(hash, head, 3); ++ rpmDigestUpdate(hash, pkt->body, pkt->blen); ++ rc = 0; ++ } ++ return rc; ++} ++ ++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig, ++ const struct pgpPkt *all, int i) ++{ ++ int rc = -1; ++ DIGEST_CTX hash = NULL; ++ ++ switch (selfsig->sigtype) { ++ case PGPSIGTYPE_SUBKEY_BINDING: ++ hash = rpmDigestInit(selfsig->hash_algo, 0); ++ if (hash) { ++ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY); ++ if (!rc) ++ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY); ++ } ++ break; ++ default: ++ /* ignore types we can't handle */ ++ rc = 0; ++ break; ++ } ++ ++ if (hash && rc == 0) ++ rc = pgpVerifySignature(key, selfsig, hash); ++ ++ rpmDigestFinal(hash, NULL, NULL, 0); ++ ++ return rc; ++} ++ + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + pgpDigParams * ret) + { + const uint8_t *p = pkts; + const uint8_t *pend = pkts + pktlen; + pgpDigParams digp = NULL; +- struct pgpPkt pkt; ++ pgpDigParams selfsig = NULL; ++ int i = 0; ++ int alloced = 16; /* plenty for normal cases */ ++ struct pgpPkt *all = xmalloc(alloced * sizeof(*all)); + int rc = -1; /* assume failure */ ++ int expect = 0; ++ int prevtag = 0; + + while (p < pend) { +- if (decodePkt(p, (pend - p), &pkt)) ++ struct pgpPkt *pkt = &all[i]; ++ if (decodePkt(p, (pend - p), pkt)) + break; + + if (digp == NULL) { +- if (pkttype && pkt.tag != pkttype) { ++ if (pkttype && pkt->tag != pkttype) { + break; + } else { +- digp = pgpDigParamsNew(pkt.tag); ++ digp = pgpDigParamsNew(pkt->tag); + } + } + +- if (pgpPrtPkt(&pkt, digp)) ++ if (expect) { ++ if (pkt->tag != expect) ++ break; ++ selfsig = pgpDigParamsNew(pkt->tag); ++ } ++ if (pgpPrtPkt(pkt, selfsig ? 
selfsig : digp)) + break; + +- p += (pkt.body - pkt.head) + pkt.blen; +- if (pkttype == PGPTAG_SIGNATURE) +- break; ++ if (selfsig) { ++ /* subkeys must be followed by binding signature */ ++ if (prevtag == PGPTAG_PUBLIC_SUBKEY) { ++ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) ++ break; ++ } ++ ++ int xx = pgpVerifySelf(digp, selfsig, all, i); ++ ++ selfsig = pgpDigParamsFree(selfsig); ++ if (xx) ++ break; ++ expect = 0; ++ } ++ ++ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY) ++ expect = PGPTAG_SIGNATURE; ++ prevtag = pkt->tag; ++ ++ i++; ++ p += (pkt->body - pkt->head) + pkt->blen; ++ if (pkttype == PGPTAG_SIGNATURE) ++ break; ++ ++ if (alloced <= i) { ++ alloced *= 2; ++ all = xrealloc(all, alloced * sizeof(*all)); ++ } ++ + } + + rc = (digp && (p == pend)) ? 0 : -1; +diff --git a/tests/Makefile.am b/tests/Makefile.am +index a41ce10de8..7bb23247f1 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec + EXTRA_DIST += data/SPECS/hello-cd.spec + EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub + EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret ++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc ++EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig.asc ++EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig-last.asc + EXTRA_DIST += data/macros.testfile + EXTRA_DIST += data/macros.debug + EXTRA_DIST += data/SOURCES/foo.c +diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc +new file mode 100644 +index 0000000000..aea00f9d7a +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-badbind.asc +@@ -0,0 +1,25 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas 
++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB ++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY ++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= ++=WCfs ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc +new file mode 100644 +index 0000000000..aea00f9d7a +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc +@@ -0,0 +1,25 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas ++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB 
++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY ++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= ++=WCfs ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc +new file mode 100644 +index 0000000000..3a2e7417f8 +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc +@@ -0,0 +1,37 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas ++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB ++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY 
++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4 ++VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En ++uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ ++8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF ++v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/ ++qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB ++Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j ++mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos ++3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ ++zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX ++Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ ++gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ ++E4XX4jtDmdZPreZALsiB ++=rRop ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at +index 8e7c759b8f..e2d30a7f1b 100644 +--- a/tests/rpmsigdig.at ++++ b/tests/rpmsigdig.at +@@ -2,6 +2,34 @@ + + AT_BANNER([RPM signatures and digests]) + ++AT_SETUP([rpmkeys --import invalid keys]) ++AT_KEYWORDS([rpmkeys import]) ++RPMDB_INIT ++ ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.] ++) ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.] ++) ++ ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.] 
++) ++AT_CLEANUP ++ + # ------------------------------ + # Test pre-built package verification + AT_SETUP([rpmkeys -Kv <unsigned> 1]) +-- +2.17.1 + diff --git a/meta/recipes-devtools/rpm/files/0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch b/meta/recipes-devtools/rpm/files/0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch deleted file mode 100644 index 4ac5c38f06..0000000000 --- a/meta/recipes-devtools/rpm/files/0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 5141d50d7b3d3c209a22c53deedb4ceef014401d Mon Sep 17 00:00:00 2001 -From: Peter Kjellerstedt <pkj@axis.com> -Date: Mon, 15 May 2017 10:21:08 +0200 -Subject: [PATCH 09/15] Do not require that ELF binaries are executable to be - identifiable - -There is nothing that requires, e.g., a DSO to be executable, but it -is still an ELF binary and should be identified as such. - -Upstream probably expects all ELF binaries to be marked as executable, -but rather than imposing such a limitation for OE, allow any file to -be identified as an ELF binary regardless of whether it is executable -or not. - -Upstream-Status: Inappropriate -Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> - ---- - fileattrs/elf.attr | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/fileattrs/elf.attr b/fileattrs/elf.attr -index 5805dd0ee..3516f309d 100644 ---- a/fileattrs/elf.attr -+++ b/fileattrs/elf.attr -@@ -1,4 +1,3 @@ - %__elf_provides %{_rpmconfigdir}/elfdeps --provides %{?__filter_GLIBC_PRIVATE:--filter-private} - %__elf_requires %{_rpmconfigdir}/elfdeps --requires %{?__filter_GLIBC_PRIVATE:--filter-private} - %__elf_magic ^(setuid,? )?(setgid,? )?(sticky )?ELF (32|64)-bit.*$ --%__elf_flags exeonly --- -2.14.2 - diff --git a/meta/recipes-devtools/rpm/files/environment.d-rpm.sh b/meta/recipes-devtools/rpm/files/environment.d-rpm.sh new file mode 100644 index 0000000000..9b669a18d1 --- /dev/null 
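Review bot: The new loop in pgpPrtParams still accepts a key whose last packet is a subkey: `expect` is only compared against the next packet's tag, so when the input ends right after a PGPTAG_PUBLIC_SUBKEY the loop exits normally with `p == pend` and `rc = (digp && (p == pend)) ? 0 : -1;` reports success; `rc = (digp && (p == pend) && !expect) ? 0 : -1;` would close that gap unless the remainder of the function, which lies outside this hunk, already checks it. The test meant to cover exactly this case, CVE-2021-3521-nosubsig-last.asc, has the same blob id aea00f9d7a and identical contents as CVE-2021-3521-badbind.asc, so it exercises the bad-binding path and cannot detect a trailing unsigned subkey. Two `break`s run before `selfsig = pgpDigParamsFree(selfsig);` (a failed `pgpPrtPkt(pkt, selfsig ? selfsig : digp)` and the sigtype mismatch) and leak the just-allocated selfsig, and `all`, grown with xmalloc/xrealloc, is never freed anywhere in the hunk; releasing both once after the loop (`selfsig = pgpDigParamsFree(selfsig); free(all);`) would cover every exit path. Separately, tests/Makefile.am lists `CVE-2022-3521-nosubsig.asc` and `CVE-2022-3521-nosubsig-last.asc` while the files created in this hunk are named CVE-2021-3521-…, so those two EXTRA_DIST entries point at files that do not exist.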
+++ b/meta/recipes-devtools/rpm/files/environment.d-rpm.sh
@@ -0,0 +1 @@
+export RPM_CONFIGDIR="$OECORE_NATIVE_SYSROOT/usr/lib/rpm"
diff --git a/meta/recipes-devtools/rpm/rpm_4.15.1.bb b/meta/recipes-devtools/rpm/rpm_4.17.0.bb
index cbe1acffe2..c392ac0db4 100644
--- a/meta/recipes-devtools/rpm/rpm_4.15.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.17.0.bb
@@ -5,74 +5,86 @@ verifying, querying, and updating software packages. Each software \ package consists of an archive of files along with information about \ the package like its version, a description, etc." -SUMMARY_${PN}-dev = "Development files for manipulating RPM packages" -DESCRIPTION_${PN}-dev = "This package contains the RPM C library and header files. These \ +SUMMARY:${PN}-dev = "Development files for manipulating RPM packages" +DESCRIPTION:${PN}-dev = "This package contains the RPM C library and header files. These \ development files will simplify the process of writing programs that \ manipulate RPM packages and databases. These files are intended to \ simplify the process of creating graphical package managers or any \ other tools that need an intimate knowledge of RPM packages in order \ to function." -SUMMARY_python3-rpm = "Python bindings for apps which will manupulate RPM packages" -DESCRIPTION_python3-rpm = "The python3-rpm package contains a module that permits applications \ +SUMMARY:python3-rpm = "Python bindings for apps which will manupulate RPM packages" +DESCRIPTION:python3-rpm = "The python3-rpm package contains a module that permits applications \ written in the Python programming language to use the interface \ supplied by the RPM Package Manager libraries." HOMEPAGE = "http://www.rpm.org" # libraries are also LGPL - how to express this? 
-LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=c0bf017c0fd1920e6158a333acabfd4a" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f" -SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.15.x \ +SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protocol=https \ + file://environment.d-rpm.sh \ file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \ file://0001-Do-not-read-config-files-from-HOME.patch \ file://0001-When-cross-installing-execute-package-scriptlets-wit.patch \ file://0001-Do-not-reset-the-PATH-environment-variable-before-ru.patch \ file://0002-Add-support-for-prefixing-etc-from-RPM_ETCCONFIGDIR-.patch \ file://0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch \ - file://0001-Fix-build-with-musl-C-library.patch \ file://0001-Add-a-color-setting-for-mips64_n32-binaries.patch \ - file://0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch \ file://0001-perl-disable-auto-reqs.patch \ - file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \ file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \ - file://0001-rpmplugins.c-call-dlerror-prior-to-dlsym.patch \ - file://0001-rpmfc.c-do-not-run-file-classification-in-parallel.patch \ file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \ - file://0001-Bump-up-the-limit-of-signature-header-to-64MB.patch \ + file://0001-tools-Add-error.h-for-non-glibc-case.patch \ + file://0001-docs-do-not-build-manpages-requires-pandoc.patch \ + file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \ + file://0001-CVE-2021-3521.patch \ + file://0002-CVE-2021-3521.patch \ + file://0003-CVE-2021-3521.patch \ " PE = "1" -SRCREV = "ab2179452c5be276a6b96c591afded485c7e58c3" +SRCREV = "3e74e8ba2dd5e76a5353d238dc7fc38651ce27b3" S = "${WORKDIR}/git" -DEPENDS = "openssl libarchive db file popt xz bzip2 dbus elfutils python3" 
-DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native" +DEPENDS = "lua libgcrypt file popt xz bzip2 elfutils python3" +DEPENDS:append:class-native = " file-replacement-native bzip2-replacement-native" inherit autotools gettext pkgconfig python3native export PYTHON_ABI +AUTOTOOLS_AUXDIR = "${S}/build-aux" + # OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe -EXTRA_AUTORECONF_append = " --exclude=gnu-configize" +EXTRA_AUTORECONF:append = " --exclude=gnu-configize" -EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=openssl" -EXTRA_OECONF_append_libc-musl = " --disable-nls --disable-openmp" +# Vendor is detected differently on x86 and aarch64 hosts and can feed into target packages +EXTRA_OECONF:append = " --enable-python --with-crypto=libgcrypt --with-vendor=pc" +EXTRA_OECONF:append:libc-musl = " --disable-nls --disable-openmp" # --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs -# # --localstatedir prevents rpm from writing its database to native sysroot when building images -# -# Disable dbus for native, so that rpm doesn't attempt to inhibit shutdown via session dbus even when plugins support is enabled. -# Also disable plugins by default for native. -EXTRA_OECONF_append_class-native = " --sysconfdir=/etc --localstatedir=/var --disable-plugins" -EXTRA_OECONF_append_class-nativesdk = " --sysconfdir=/etc --localstatedir=/var --disable-plugins" +# Forcibly disable plugins for native/nativesdk, as the inhibit and prioreset +# plugins both behave badly inside builds. 
+EXTRA_OECONF:append:class-native = " --sysconfdir=/etc --localstatedir=/var --disable-plugins" +EXTRA_OECONF:append:class-nativesdk = " --sysconfdir=/etc --disable-plugins" BBCLASSEXTEND = "native nativesdk" -PACKAGECONFIG ??= "" +PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'inhibit', '', d)} sqlite zstd" +# The inhibit plugin serves no purpose outside of the target +PACKAGECONFIG:remove:class-native = "inhibit" +PACKAGECONFIG:remove:class-nativesdk = "inhibit" + PACKAGECONFIG[imaevm] = "--with-imaevm,,ima-evm-utils" +PACKAGECONFIG[inhibit] = "--enable-inhibit-plugin,--disable-inhibit-plugin,dbus" +PACKAGECONFIG[rpm2archive] = "--with-archive,--without-archive,libarchive" +PACKAGECONFIG[sqlite] = "--enable-sqlite=yes,--enable-sqlite=no,sqlite3" +PACKAGECONFIG[ndb] = "--enable-ndb,--disable-ndb" +PACKAGECONFIG[bdb-ro] = "--enable-bdb-ro,--disable-bdb-ro" +PACKAGECONFIG[zstd] = "--enable-zstd=yes,--enable-zstd=no,zstd" ASNEEDED = "" @@ -92,9 +104,13 @@ WRAPPER_TOOLS = " \ ${libdir}/rpm/rpmdeps \ " -do_install_append_class-native() { +do_configure:prepend() { + mkdir -p ${S}/build-aux +} + +do_install:append:class-native() { for tool in ${WRAPPER_TOOLS}; do - create_wrapper ${D}$tool \ + test -x ${D}$tool && create_wrapper ${D}$tool \ RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \ RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \ MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \ 
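Review bot: The retained comment `# --localstatedir prevents rpm from writing its database to native sysroot when building images` now describes only the native line, because the rewritten `EXTRA_OECONF:append:class-nativesdk` drops `--localstatedir=/var` while `EXTRA_OECONF:append:class-native` keeps it, and nothing in the hunk says whether that asymmetry is intended. It presumably is, since a later hunk removes `${D}${SDKPATHNATIVE}/var` at install time, so a one-line note beside the nativesdk line such as `# nativesdk keeps the default localstatedir under ${SDKPATHNATIVE}; its var/ is dropped in do_install` would stop the next reader from "fixing" it back.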
@@ -102,9 +118,9 @@ do_install_append_class-native() { done } -do_install_append_class-nativesdk() { +do_install:append:class-nativesdk() { for tool in ${WRAPPER_TOOLS}; do - create_wrapper ${D}$tool \ + test -x ${D}$tool && create_wrapper ${D}$tool \ RPM_CONFIGDIR='`dirname $''realpath`'/${@os.path.relpath(d.getVar('libdir'), d.getVar('bindir'))}/rpm \ RPM_ETCCONFIGDIR='$'{RPM_ETCCONFIGDIR-'`dirname $''realpath`'/${@os.path.relpath(d.getVar('sysconfdir'), d.getVar('bindir'))}/..} \ MAGIC='`dirname $''realpath`'/${@os.path.relpath(d.getVar('datadir'), d.getVar('bindir'))}/misc/magic.mgc \ 
@@ -112,35 +128,71 @@ do_install_append_class-nativesdk() { done rm -rf ${D}/var + + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-rpm.sh ${D}${SDKPATHNATIVE}/environment-setup.d/rpm.sh } # Rpm's make install creates var/tmp which clashes with base-files packaging -do_install_append_class-target() { +do_install:append:class-target() { rm -rf ${D}/var } +do_install:append:class-nativesdk() { + rm -rf ${D}${SDKPATHNATIVE}/var +} -do_install_append () { +do_install:append () { sed -i -e 's:${HOSTTOOLS_DIR}/::g' \ ${D}/${libdir}/rpm/macros - sed -i -e 's|/usr/bin/python|${USRBINPATH}/env ${PYTHON_PN}|' \ - ${D}${libdir}/rpm/pythondistdeps.py } -FILES_${PN} += "${libdir}/rpm-plugins/*.so \ +FILES:${PN} += "${libdir}/rpm-plugins/*.so \ " +FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/rpm.sh" -FILES_${PN}-dev += "${libdir}/rpm-plugins/*.la \ +FILES:${PN}-dev += "${libdir}/rpm-plugins/*.la \ " +PACKAGE_BEFORE_PN += "${PN}-build ${PN}-sign ${PN}-archive" + +RRECOMMENDS:${PN} += "rpm-sign rpm-archive" + +FILES:${PN}-build = "\ + ${bindir}/rpmbuild \ + ${bindir}/gendiff \ + ${bindir}/rpmspec \ + ${libdir}/librpmbuild.so.* \ + ${libdir}/rpm/brp-* \ + ${libdir}/rpm/check-* \ + ${libdir}/rpm/debugedit \ + ${libdir}/rpm/sepdebugcrcfix \ + ${libdir}/rpm/find-debuginfo.sh \ + ${libdir}/rpm/find-lang.sh \ + ${libdir}/rpm/*provides* \ + ${libdir}/rpm/*requires* \ + ${libdir}/rpm/*deps* \ + ${libdir}/rpm/*.prov \ + ${libdir}/rpm/*.req \ + ${libdir}/rpm/config.* \ + ${libdir}/rpm/mkinstalldirs \ + ${libdir}/rpm/macros.p* \ + ${libdir}/rpm/fileattrs/* \ +" + +FILES:${PN}-sign = "\ + ${bindir}/rpmsign \ + ${libdir}/librpmsign.so.* \ +" + +FILES:${PN}-archive = "\ + ${bindir}/rpm2archive \ +" PACKAGES += "python3-rpm" PROVIDES += "python3-rpm" -FILES_python3-rpm = "${PYTHON_SITEPACKAGES_DIR}/rpm/*" - -# rpm 5.x was packaging the rpm build tools separately -RPROVIDES_${PN} += "rpm-build" +FILES:python3-rpm = 
"${PYTHON_SITEPACKAGES_DIR}/rpm/*" -RDEPENDS_${PN} = "bash perl python3-core" +RDEPENDS:${PN}-build = "bash perl python3-core" PACKAGE_PREPROCESS_FUNCS += "rpm_package_preprocess" @@ -149,3 +201,8 @@ rpm_package_preprocess () { sed -i -e 's:--sysroot[^ ]*::g' \ ${PKGD}/${libdir}/rpm/macros } + +SSTATE_HASHEQUIV_FILEMAP = " \ + populate_sysroot:*/rpm/macros:${TMPDIR} \ + populate_sysroot:*/rpm/macros:${COREBASE} \ + " |
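Review bot: `RRECOMMENDS:${PN} += "rpm-sign rpm-archive"` recommends `rpm-archive` unconditionally, but the only file packaged there, `${bindir}/rpm2archive`, is governed by the `rpm2archive` PACKAGECONFIG (`--with-archive,--without-archive,libarchive`), which is not in the default `PACKAGECONFIG ??=` set; with the default configuration the package is presumably empty and never produced, leaving a dangling recommendation. Tying the two together keeps them in step: `RRECOMMENDS:${PN} += "${PN}-sign ${@bb.utils.contains('PACKAGECONFIG', 'rpm2archive', '${PN}-archive', '', d)}"`. Using the `${PN}-` prefix there instead of the literal `rpm-` also matches `PACKAGE_BEFORE_PN` and the `FILES:${PN}-sign`/`FILES:${PN}-archive` definitions in the same hunk.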