Accepting request 403498 from security

- reset rpm groups (forwarded request 403495 from jengelh) OBS-URL: https://build.opensuse.org/request/show/403498 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haveged?expand=0&rev=47
2016-06-29 13:02:31 +00:00 · 2016-06-29 13:02:31 +00:00 · 1bf1f36d62
commit 1bf1f36d62
parent e2450edbc5 ab2704a644
4 changed files with 69 additions and 4 deletions
--- a/haveged-no-syslog.patch
+++ b/haveged-no-syslog.patch
@ -0,0 +1,39 @@
+Index: haveged-1.9.1/src/haveged.c
+===================================================================
+--- haveged-1.9.1.orig/src/haveged.c
+++ haveged-1.9.1/src/haveged.c
+@@ -361,8 +361,10 @@ static void daemonize(     /* RETURN: no
+    void)                   /* IN: nothing       */
+ {
+    FILE *fh;
+#if 0
+    openlog(params->daemon, LOG_CONS, LOG_DAEMON);
+    syslog(LOG_NOTICE, "%s starting up", params->daemon);
+#endif
+    if (daemon(0, 0) == -1)
+       error_exit("Cannot fork into the background");
+    fh = fopen(params->pid_file, "w");
+@@ -499,7 +501,9 @@ static void error_exit(    /* RETURN: no
+ #ifndef NO_DAEMON
+    if (params->detached!=0) {
+       unlink(params->pid_file);
+#if 0
+       syslog(LOG_INFO, "%s: %s", params->daemon, buffer);
+#endif
+       }
+    else
+ #endif
+@@ -609,11 +613,13 @@ static void print_msg(     /* RETURN: no
+    va_list ap;
+    va_start(ap, format);
+    snprintf(buffer, sizeof(buffer), "%s: %s", params->daemon, format);
+#if 0
+ #ifndef NO_DAEMON
+    if (params->detached != 0)
+       vsyslog(LOG_INFO, buffer, ap);
+    else
+ #endif
+#endif
+    vfprintf(stderr, buffer, ap);
+    va_end(ap);
+ }
--- a/haveged.changes
+++ b/haveged.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Sun Jun 19 13:16:01 UTC 2016 - jengelh@inai.de
+
+- reset rpm groups
+
+-------------------------------------------------------------------
+Fri Jun 17 14:15:05 UTC 2016 - psimons@suse.com
+
+- Add haveged-no-syslog.patch to remedy the potential for deadlocks
+  when booting the system: journald reads from /dev/random, which
+  receives entropy from haveged, which in turn logs to syslog
+  before providing any. Ideally, haveged would provide a proper
+  command-line flag to disable use of syslog. Will work with
+  upstream to resolve this in a cleaner way. (bnc#959237)
+
+- Remove "After=systemd-random-seed.service" from systemd service
+  file to avoid the potential for deadlocks when booting the
+  system: systemd-random-seed needs /var to read its previous
+  state; mounting /var needs journald; journald needs entropy; and
+  entropy is provided by haveged, which needs systemd-random-seed.
+  (bnc#959237)
+
 -------------------------------------------------------------------
 Thu Dec 10 16:20:27 CET 2015 - tiwai@suse.de

--- a/haveged.service
+++ b/haveged.service
@ -4,7 +4,8 @@ Documentation=man:haveged(8) http://www.issihosts.com/haveged/
 DefaultDependencies=no
 ConditionVirtualization=!container
 #Conflicts=shutdown.target
-After=systemd-random-seed.service
+# Don't wait for systemd-random-seed.service, leads to deadlock with fips=1
+#After=systemd-random-seed.service
 Before=sysinit.target shutdown.target systemd-journald.service

 [Service]
--- a/haveged.spec
+++ b/haveged.spec
@ -1,7 +1,7 @@
 #
 # spec file for package haveged
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -32,6 +32,8 @@ Patch0:         ppc64le.patch
 Patch1:         haveged-conditional-enttest.patch
 # PATCH-FIX-OPENSUSE: ignore clock-gettime enablement on generic architectures
 Patch2:         fix-enforced-clock-gettime.patch
+# PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
+Patch3:         haveged-no-syslog.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@ -58,7 +60,7 @@ For more informations see http://www.issihosts.com/haveged/

 %package devel
 Summary:        Haveged development files
-Group:          Development/Libraries
+Group:          Development/Libraries/C and C++
 Requires:       libhavege1 = %{version}

 %description devel
@ -69,7 +71,7 @@ algorithm and supporting features.

 %package -n libhavege1
 Summary:        Haveged interface library
-Group:          Development/Libraries/C and C++
+Group:          System/Libraries

 %description -n libhavege1
 Shared object for the haveged library
@ -81,6 +83,7 @@ algorithm and supporting features.
 %patch0 -p1
 %patch1 -p1
 %patch2
+%patch3 -p1

 %build
 autoreconf -fvi