mirror of
https://github.com/openSUSE/osc.git
synced 2025-02-05 19:00:56 +01:00
b730f880cf
The old code could potentially yield to a use-after-free situation,
which results in UB. For this, consider the following scenario, where
osc performs several HTTPS requests (assumption: the server supports
ssl session resumption):
- HTTPS Request 1:
* a new SSL *s connection is established, which also creates a new
SSL_SESSION *ss => ss->references == 1
* once the handshake is done, the ss is put into the session cache
(see ssl_update_cache) => ss->references == 2
- osc saves the session ss in a class variable
- s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1
- HTTPS Request 2:
* setup a new SSL *s connection that reuses the saved session ss
=> ss->references == 2
* once the handshake is done, ssl_update_cache is called, which is a
NOP, because s->hit == 1 (that is, the session was resumed)
* osc saves the session ss in a class variable
* s is SSL_free()d, which calls SSL_SESSION_free => ss->references == 1
...
> 2 hours later (see tls1_default_timeout)
...
- HTTPS Request 256:
* setup a new SSL *s connection that reuses the saved session ss
=> ss->references == 2
* once the handshake is done, ssl_update_cache is called, but is
_no_ NOP anymore
* ssl_update_cache flushes the session cache (this is done every
255/256 (depending on the way we count) connections) => ss is
SSL_SESSION_free()d => ss->references == 1
* osc saves the session ss in a class variable
* s is SSL_free()d, which calls SSL_SESSION_free:
since ss->references == 1, ss is eventually free()d
- HTTPS Request 257:
* setup a new SSL *s connection that reuses the saved session ss
Since ss does not exist anymore, the remaining program execution is UB.
(Note: SSL_free(...) is _NOT_ called, if M2Crypto 0.29 is used.
M2Crypto 0.30 calls SSL_free(...) again.)
Due to a bug in OpenSSL_1_1_0h (see openssl commit 8e405776858) the
scenario from above can be triggered with exactly 2 HTTPS requests (the
SSL_SESSION is not cached, because we configured SSL_VERIFY_PEER, but
no sid_ctx was set). This is fixed in openssl commit c4fa1f7fc01.
In order to reliably reuse a session, we probably need to listen to the
session cache changes. Such callbacks could be registered via
SSL_CTX_sess_set_new_cb and/or SSL_CTX_sess_set_remove_cb, but both
functions are not provided by M2Crypto. Another idea is to directly utilize
the session cache, but this also has to be implemented in M2Crypto first.
Yet another approach is to retrieve the session via SSL_get1_session, which
increases the session's refcnt, but this also needs to be implemented in
M2Crypto first (if we choose to use this approach, we also have to make
sure that we eventually free the session manually...).
Fixes: #398 ("SIGSEGV on \"osc commit\"")
osc -- opensuse-commander with svn like handling
Patches can be submitted via
* mail to opensuse-buildservice@opensuse.org
* Bugzilla: https://bugzilla.novell.com/enter_bug.cgi?product=openSUSE.org&component=BuildService
* or the official Git repository on Github:
https://github.com/openSUSE/osc
INSTALLATION:
RPM packages are here (rpm-md repository):
http://download.opensuse.org/repositories/openSUSE:/Tools/
To install from git, do
python setup.py build
python setup.py install
# create a symlink 'osc' in your path pointing to osc.py.
ln -s osc-wrapper.py /usr/bin/osc
Alternatively, you can directly use osc-wrapper.py from the source dir
(which is easier if you develop on osc).
The program needs the cElementTree python module installed. On SUSE, the
respective package is called python-elementtree (before 10.2: python-xml).
For local building, you will need python-urlgrabber in addition. Those are
standard package on SUSE Linux since a while. If your version is too old, you
can find python-elementtree and python-urlgrabber here:
http://download.opensuse.org/repositories/devel:/languages:/python/
CONFIGURATION:
When you use it for the first time, it will ask you for your username and
password, and store it in ~/.oscrc.
CONFIGURATION MIGRATION (only affects versions >= 0.114):
Version 0.114 got some cleanups for the configfile handling and therefore some
options are now deprecated, namely:
* apisrv
* scheme
One new option was added:
* apiurl = <protocol>://<somehost> # use this as the default apiurl. If this
option isn't specified the default (https://api.opensuse.org) is used.
So far osc still has some backward compatibility for these options but it might
get removed in the future that's why it issues a deprecation warning in case
one of those options is still in use.
The new configuration scheme looks like the following:
# entry for an apiurl
[<protocol>://<apiurl>]
user = <username>
password = <password>
...
'''Before starting the migration please save your ~/.oscrc file!'''
If the migration doesn't work for whatever reason feel free to send me an email
or ask on the opensuse-buildservice mailinglist or in the #opensuse-buildservice
irc channel.
=== Migration case I (apisrv only) ===
The apisrv option is used to specify the default apihost. If apisrv isn't
specified at all the default ("api.opensuse.org") is used.
The current [general] section looks like this:
[general]
...
apisrv = <somehost>
# or
apisrv = <protocol>://<somehost>
apisrv got superseded by the new apiurl option which looks like this:
[general]
...
apiurl = <protocol>://<somehost>
If apisrv has no "<protocol>" https is used. Make sure all apiurl sections have
the new format which is described above. Afterwards apisrv can be removed.
=== Migration case II (scheme only) ===
The current [general] section looks like this:
[general]
...
scheme = <protocol>
This means every apiurl section which don't have the new format which is
described above for instance
[<somehost>]
user = <username>
password = <password>
...
has to be converted to
[<protocol>://<somehost>]
user = <username>
password = <password>
...
Afterwards the scheme option can be removed from the [general] section (it
might be the case that some sections already have the correct format).
=== Migration case III (apisrv and scheme) ===
The current [general] section looks like this:
[general]
...
apisrv = <somehost>
scheme = <protocol>
Both options can be removed if all apiurl sections have the new format which is
described above. So basically just adjust all apiurl sections (it might be the
case that some sections already have the correct format).
KEYRING USAGE
Osc now can store passwords in keyrings instead of ~/.oscrc. To use it,
you need python-keyring and either python-keyring-kde or -gnome.
If you want to switch to using a keyring you need to delete apiurl section
from ~/.oscrc and you will be asked for credentials again, which will be then
stored in the keyring application.
WORKING COPY INCONSISTENT (only affects version >= 0.130)
osc's working copy handling was rewritten in 0.130. Thus some
consistency checks were added. As a result osc might complain
that some old working copies are in an inconsistent state:
Your working copy '.' is in an inconsistent state.
Please run 'osc repairwc .' (Note this might _remove_
files from the .osc/ dir). Please check the state
of the working copy afterwards (via 'osc status .')
To fix this simply run "osc repairwc ." as suggested in the
error message. Note that "osc repairwc ." might need to contact
the api in order to fetch some missing files. Also it might remove
some files from the storedir (.osc/) but it won't touch any locally
modified files.
If it DOES NOT fix the problem please create a bug report and attach
your working copy to the bug (if possible).
USAGE EXAMPLES:
(online at http://en.opensuse.org/openSUSE:OSC )
To list existing content on the server
osc ls # list projects
osc ls Apache # list packages in a project
osc ls Apache subversion # list files of package of a project
Check out content
osc co Apache # entire project
osc co Apache subversion # a package
osc co Apache subversion foo # single file
Update a working copy
osc up
osc up [pac_dir] # update a single package by its path
osc up * # from within a project dir, update all packages
osc up # from within a project dir, update all packages
# AND check out all newly added packages
If an update can't be merged automatically, a file is in 'C' (conflict)
state, and conflicts are marked with special <<<<<<< and >>>>>>> lines.
After manually resolving the problem, use
osc resolved foo
Upload change content
osc ci # current dir
osc ci <dir>
osc ci file1 file2 ...
Show the status (which files have been changed locally)
osc st
osc st <directory>
osc st file1 file2 ...
Mark files to be added or removed on the next 'checkin'
osc add file1 file2 ...
osc rm file1 file2 ...
Adds all new files in local copy and removes all disappeared files.
osc addremove
Generates a diff, to view the changes
osc diff # current dir
osc diff file1 file2 ...
Shows the build results of the package
osc results
osc results [repository]
Shows the log file of a package (you need to be inside a package directory)
osc log <repository> <arch>
Shows the URLs of .repo files which are packages sources for Yum/YaST/smart
osc repourls [dir]
Triggers a package rebuild for all repositories/architectures of a package
osc rebuildpac [dir]
Shows available repository/build targets
osc repository
Shows the configured repository/build targets of a project
osc repository <project>
Shows meta information
osc meta Apache
osc meta Apache subversion
osc id username
Edit meta information
(Creates new package/project if it doesn't exist)
osc editmeta Apache
osc editmeta Apache subversion
Update package meta data with metadata taken from spec file
osc updatepacmetafromspec <dir>
There are other commands, which you may not need (they may be useful in scripts):
osc repos
osc buildconfig
osc buildinfo
Locally build a package (see 'osc help build' for more info):
osc build <repo> <arch> specfile [--clean|--noinit]
Update a package to a different sources (directory foo_package_source):
cp -a foo_package_source foo; cd foo; osc init <prj> <pac>; osc addremove; osc ci; cd $OLDPWD; rm -r foo
HINT FOR W3M USERS
Putting the following in the file ~/.w3m/passwd will make
w3m know the credentials for the buildservice servers:
"""
host api.opensuse.org
port 80
realm Authentication required
login foo
password bar
host build.opensuse.org
port 80
realm openSUSE Build Service
login foo
password bar
"""
chmod 0600 ~/.w3m/passwd
NOTES about the testsuite
A new test suite has been created and should run via doing
# cd tests
# python suite.py