Accepting request 1298073 from network:messaging:amqp

OBS-URL: https://build.opensuse.org/request/show/1298073
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rabbitmq-server?expand=0&rev=97

feature-suse-reproducable-build.patch

@@ -0,0 +1,13 @@
+Index: rabbitmq-server-3.13.7/erlang.mk
+===================================================================
+--- rabbitmq-server-3.13.7.orig/erlang.mk
++++ rabbitmq-server-3.13.7/erlang.mk
+@@ -66,7 +66,7 @@ export ERLANG_MK_TMP
+ 
+ # "erl" command.
+ 
+-ERL = erl +A1 -noinput -boot no_dot_erlang
++ERL = erl +A1 -noinput -boot no_dot_erlang -enable-deterministic-build
+ 
+ # Platform detection.
+ 

fix-CVE-2025-50200.patch

@@ -0,0 +1,172 @@
+From ab095675a98991a5f5b25cd7671ad4658a7642c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <loic.hoguin@broadcom.com>
+Date: Tue, 25 Mar 2025 12:33:00 +0100
+Subject: [PATCH] Fix Cowboy crashes caused by double reply
+
+Issue introduced in 383ddb16341.
+---
+ .../src/rabbit_mgmt_util.erl                  | 17 +++++++++++++
+ .../src/rabbit_mgmt_wm_exchange_publish.erl   | 25 ++++++-------------
+ .../src/rabbit_mgmt_wm_queue_actions.erl      | 24 ++++++------------
+ .../src/rabbit_mgmt_wm_queue_get.erl          | 24 ++++++------------
+ 4 files changed, 41 insertions(+), 49 deletions(-)
+
+Index: rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+===================================================================
+--- rabbitmq-server-3.13.7.orig/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
++++ rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+@@ -51,6 +51,8 @@
+ 
+ -export([disable_stats/1, enable_queue_totals/1]).
+ 
++-export([set_resp_not_found/2]).
++
+ -import(rabbit_misc, [pget/2]).
+ 
+ -include("rabbit_mgmt.hrl").
+@@ -1145,3 +1147,18 @@ catch_no_such_user_or_vhost(Fun, Replace
+ %% error is thrown when the request is out of range
+ sublist(List, S, L) when is_integer(L), L >= 0 ->
+     lists:sublist(lists:nthtail(S-1, List), L).
++
++-spec set_resp_not_found(binary(), cowboy_req:req()) -> cowboy_req:req().
++set_resp_not_found(NotFoundBin, ReqData) ->
++    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
++        not_found ->
++            <<"vhost_not_found">>;
++        _ ->
++            NotFoundBin
++    end,
++    ReqData1 = cowboy_req:set_resp_header(
++        <<"content-type">>, <<"application/json">>, ReqData),
++    cowboy_req:set_resp_body(rabbit_json:encode(#{
++        <<"error">> => <<"not_found">>,
++        <<"reason">> => ErrorMessage
++    }), ReqData1).
+Index: rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+===================================================================
+--- rabbitmq-server-3.13.7.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
++++ rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_exchange_publish.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_exchange:exchange(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_exchange:exchange(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"exchange_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -104,18 +107,6 @@ bad({{coordinator_unavailable, _}, _}, R
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "exchange_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+-
+ %%--------------------------------------------------------------------
+ 
+ decode(Payload, <<"string">>) -> Payload;
+Index: rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+===================================================================
+--- rabbitmq-server-3.13.7.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
++++ rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_actions.erl
+@@ -26,11 +26,14 @@ variances(Req, Context) ->
+ allowed_methods(ReqData, Context) ->
+     {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -55,17 +58,6 @@ do_it(ReqData0, Context) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_admin(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ action(<<"sync">>, Q, ReqData, Context) when ?is_amqqueue(Q) ->
+Index: rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+===================================================================
+--- rabbitmq-server-3.13.7.orig/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
++++ rabbitmq-server-3.13.7/deps/rabbitmq_management/src/rabbit_mgmt_wm_queue_get.erl
+@@ -29,11 +29,14 @@ allowed_methods(ReqData, Context) ->
+ content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+ 
+-resource_exists(ReqData, Context) ->
+-    {case rabbit_mgmt_wm_queue:queue(ReqData) of
+-         not_found -> raise_not_found(ReqData, Context);
+-         _         -> true
+-     end, ReqData, Context}.
++resource_exists(ReqData0, Context) ->
++    case rabbit_mgmt_wm_queue:queue(ReqData0) of
++        not_found ->
++            ReqData1 = rabbit_mgmt_util:set_resp_not_found(<<"queue_not_found">>, ReqData0),
++            {false, ReqData1, Context};
++        _ ->
++            {true, ReqData0, Context}
++    end.
+ 
+ allow_missing_post(ReqData, Context) ->
+     {false, ReqData, Context}.
+@@ -152,17 +155,6 @@ basic_get(Ch, Q, AckMode, Enc, Trunc) ->
+ is_authorized(ReqData, Context) ->
+     rabbit_mgmt_util:is_authorized_vhost(ReqData, Context).
+ 
+-raise_not_found(ReqData, Context) ->
+-    ErrorMessage = case rabbit_mgmt_util:vhost(ReqData) of
+-        not_found -> 
+-            "vhost_not_found";
+-        _ ->
+-            "queue_not_found"
+-    end,
+-    rabbit_mgmt_util:not_found(
+-        rabbit_data_coercion:to_binary(ErrorMessage),
+-        ReqData,
+-        Context).
+ %%--------------------------------------------------------------------
+ 
+ maybe_truncate(Payload, none)                         -> Payload;

rabbitmq-server.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Aug  7 06:35:22 UTC 2025 - Simon Lees <sflees@suse.de>
+
+- Restore SLES logrotate file, (bsc#1246091)
+
+-------------------------------------------------------------------
+Thu Jul 31 06:06:04 UTC 2025 - Simon Lees <sflees@suse.de>
+
+- RabbitMQ Node can log Basic Auth header from an HTTP request
+  (bsc#1245105, CVE-2025-50200)
+  * fix-CVE-2025-50200.patch
+- bad logrotate configuration allows potential escalation from 
+  rabbitmq to root, /var/log/rabbitmq ownership is now 750
+  (bsc#1246091)
+- Make build reproducable
+  * feature-suse-reproducable-build.patch
+
 -------------------------------------------------------------------
 Wed Apr 30 07:31:55 UTC 2025 - Simon Lees <sflees@suse.de>
 

rabbitmq-server.logrotate

@@ -3,5 +3,11 @@
         missingok
         rotate 20
         compress
+        delaycompress
         notifempty
+        sharedscripts
+        postrotate
+              /usr/sbin/rabbitmqctl rotate_logs > /dev/null
+        endscript
+        su rabbitmq rabbitmq
 }

rabbitmq-server.spec

@@ -53,8 +53,10 @@ Source4:        rabbitmq-env.conf
 Source6:        rabbitmq-server.service
 Source7:        https://raw.githubusercontent.com/rabbitmq/rabbitmq-packaging/v%{version}/RPMS/Fedora/rabbitmq-server.tmpfiles
 Source8:        README.SUSE
-Patch0:         rabbitmq-server-allow-elixir-1.18.patch
-Patch1:         fix-CVE-2025-30219.patch
+Patch0:         feature-suse-reproducable-build.patch
+Patch1:         rabbitmq-server-allow-elixir-1.18.patch
+Patch2:         fix-CVE-2025-30219.patch
+Patch3:         fix-CVE-2025-50200.patch
 BuildRequires:  elixir
 # https://www.rabbitmq.com/which-erlang.html
 BuildRequires:  erlang >= 25.0
@@ -235,7 +237,7 @@ done
 #
 %attr(0755, rabbitmq, rabbitmq) %dir %{_localstatedir}/lib/rabbitmq
 %attr(0750, rabbitmq, rabbitmq) %dir %{_localstatedir}/lib/rabbitmq/mnesia
-%attr(0755, rabbitmq, rabbitmq) %dir %{_localstatedir}/log/rabbitmq
+%attr(0750, rabbitmq, rabbitmq) %dir %{_localstatedir}/log/rabbitmq
 #
 %{_sbindir}/rabbitmq-plugins
 %{_sbindir}/rabbitmq-server