diff --git a/dbrointerruptable.diff b/dbrointerruptable.diff index 1fb0233..94fd2fe 100644 --- a/dbrointerruptable.diff +++ b/dbrointerruptable.diff @@ -1,9 +1,6 @@ -Do not block signals if the database is opened read-only, it just -annoys the users. [#48026] - ---- ./lib/rpmdb.c.orig 2011-02-28 09:57:27.000000000 +0000 -+++ ./lib/rpmdb.c 2011-05-10 16:58:21.000000000 +0000 -@@ -623,10 +623,12 @@ int rpmdbClose(rpmdb db) +--- ./lib/rpmdb.c.orig 2011-09-19 10:02:08.000000000 +0000 ++++ ./lib/rpmdb.c 2011-10-19 15:06:25.000000000 +0000 +@@ -630,10 +630,12 @@ int rpmdbClose(rpmdb db) { rpmdb * prev, next; int rc = 0; 
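Review bot: The refreshed dbrointerruptable.diff loses its description header: the lines `Do not block signals if the database is opened read-only, it just annoys the users. [#48026]` are removed and nothing replaces them, so the rationale and the bug reference no longer travel with the patch. Because the patch relaxes signal blocking around the rpm database, a later reader needs to see that this is intentional and limited to read-only opens. Keep the header above the new `--- ./lib/rpmdb.c.orig` line. The nested rpmdbClose hunk continues past the end of this hunk.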
@@ -16,41 +13,21 @@ annoys the users. [#48026] (void) rpmdbUnlink(db); if (db->nrefs > 0) -@@ -655,11 +657,13 @@ int rpmdbClose(rpmdb db) +@@ -661,7 +663,7 @@ int rpmdbClose(rpmdb db) + db = _free(db); - exit: -- (void) rpmsqEnable(-SIGHUP, NULL); -- (void) rpmsqEnable(-SIGINT, NULL); -- (void) rpmsqEnable(-SIGTERM,NULL); -- (void) rpmsqEnable(-SIGQUIT,NULL); -- (void) rpmsqEnable(-SIGPIPE,NULL); -+ if ((dbmode & (O_RDWR|O_WRONLY)) != 0) { -+ (void) rpmsqEnable(-SIGHUP, NULL); -+ (void) rpmsqEnable(-SIGINT, NULL); -+ (void) rpmsqEnable(-SIGTERM,NULL); -+ (void) rpmsqEnable(-SIGQUIT,NULL); -+ (void) rpmsqEnable(-SIGPIPE,NULL); -+ } - return rc; - } - -@@ -721,11 +725,13 @@ static int openDatabase(const char * pre +- if (rpmdbRock == NULL) { ++ if (rpmdbRock == NULL && (dbmode & (O_RDWR|O_WRONLY)) != 0) { + (void) rpmsqEnable(-SIGHUP, NULL); + (void) rpmsqEnable(-SIGINT, NULL); + (void) rpmsqEnable(-SIGTERM, NULL); +@@ -730,7 +732,7 @@ static int openDatabase(const char * pre /* Try to ensure db home exists, error out if we cant even create */ rc = rpmioMkpath(rpmdbHome(db), 0755, getuid(), getgid()); if (rc == 0) { -- (void) rpmsqEnable(SIGHUP, NULL); -- (void) rpmsqEnable(SIGINT, NULL); -- (void) rpmsqEnable(SIGTERM,NULL); -- (void) rpmsqEnable(SIGQUIT,NULL); -- (void) rpmsqEnable(SIGPIPE,NULL); -+ if ((db->db_mode & (O_RDWR|O_WRONLY)) != 0) { -+ (void) rpmsqEnable(SIGHUP, NULL); -+ (void) rpmsqEnable(SIGINT, NULL); -+ (void) rpmsqEnable(SIGTERM,NULL); -+ (void) rpmsqEnable(SIGQUIT,NULL); -+ (void) rpmsqEnable(SIGPIPE,NULL); -+ } - - /* Just the primary Packages database opened here */ - rc = (rpmdbOpenIndex(db, RPMDBI_PACKAGES, db->db_flags) != NULL) ? 0 : -2; +- if (rpmdbRock == NULL) { ++ if (rpmdbRock == NULL && (db->db_mode & (O_RDWR|O_WRONLY)) != 0) { + (void) rpmsqEnable(SIGHUP, NULL); + (void) rpmsqEnable(SIGINT, NULL); + (void) rpmsqEnable(SIGTERM, NULL); diff --git a/docdefattr.diff b/docdefattr.diff deleted file mode 100644 index 4335b28..0000000 
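Review bot: The signal block taken in openDatabase and its release in rpmdbClose are now guarded by two separately written conditions, `(db->db_mode & (O_RDWR|O_WRONLY)) != 0` on open and `(dbmode & (O_RDWR|O_WRONLY)) != 0` on close. They must always evaluate identically, or the `rpmsqEnable(SIG…)` / `rpmsqEnable(-SIG…)` calls become unbalanced. The declaration and assignment of `dbmode` are not visible on this page, so confirm it is captured from `db->db_mode` before `db = _free(db);`. A single static helper or macro for the "opened for writing" test, used at both sites, would keep the two checks from drifting apart. Both functions start and end outside these nested hunks.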
--- a/docdefattr.diff
+++ /dev/null
@@ -1,35 +0,0 @@
---- ./build/files.c.orig 2011-07-26 17:08:21.000000000 +0000
-+++ ./build/files.c 2011-07-26 17:08:39.000000000 +0000
-@@ -1735,11 +1735,13 @@ static rpmRC processPackageFiles(rpmSpec
- struct FileList_s fl;
- const char *fileName;
- char buf[BUFSIZ];
-- struct AttrRec_s arbuf;
-+ struct AttrRec_s arbuf, def_arbuf;
- AttrRec specialDocAttrRec = &arbuf;
-+ AttrRec def_specialDocAttrRec = &def_arbuf;
- char *specialDoc = NULL;
-
- nullAttrRec(specialDocAttrRec);
-+ nullAttrRec(def_specialDocAttrRec);
- pkg->cpioList = NULL;
-
- if (pkg->fileFile) {
-@@ -1877,6 +1879,7 @@ static rpmRC processPackageFiles(rpmSpec
- specialDoc = _free(specialDoc);
- specialDoc = xstrdup(fileName);
- dupAttrRec(&fl.cur_ar, specialDocAttrRec);
-+ dupAttrRec(&fl.def_ar, def_specialDocAttrRec);
- } else if (fl.currentFlags & RPMFILE_PUBKEY) {
- (void) processMetadataFile(pkg, &fl, fileName, RPMTAG_PUBKEYS);
- } else {
-@@ -1917,7 +1920,9 @@ static rpmRC processPackageFiles(rpmSpec
- fl.nLangs = 0;
-
- dupAttrRec(specialDocAttrRec, &fl.cur_ar);
-+ dupAttrRec(def_specialDocAttrRec, &fl.def_ar);
- freeAttrRec(specialDocAttrRec);
-+ freeAttrRec(def_specialDocAttrRec);
-
- (void) processBinaryFile(pkg, &fl, specialDoc);
-
diff --git a/headerchk.diff b/headerchk.diff
new file mode 100644
index 0000000..7e446c1
--- /dev/null
+++ b/headerchk.diff
@@ -0,0 +1,53 @@
+--- ./lib/header.c.orig 2011-10-19 15:08:41.000000000 +0000
++++ ./lib/header.c 2011-10-19 15:11:40.000000000 +0000
+@@ -904,6 +904,10 @@ Header headerLoad(void * uh)
+ h->indexUsed += ne;
+ }
+ }
++ rdlen += REGION_TAG_COUNT;
++ /* XXX should be equality test, but dribbles are sometimes a bit off? */
++ if (rdlen > dl)
++ goto errxit;
+ }
+
+ h->flags &= ~HEADERFLAG_SORTED;
+--- ./rpmio/rpmpgp.c.orig 2011-10-19 15:12:17.000000000 +0000
++++ ./rpmio/rpmpgp.c 2011-10-19 15:13:46.000000000 +0000
+@@ -402,6 +402,8 @@ static int pgpPrtSubType(const uint8_t *
+
+ while (hlen > 0) {
+ i = pgpLen(p, &plen);
++ if (i + plen > hlen)
++ break;
+ p += i;
+ hlen -= i;
+
+@@ -484,7 +486,7 @@ static int pgpPrtSubType(const uint8_t *
+ p += plen;
+ hlen -= plen;
+ }
+- return 0;
++ return (hlen != 0); /* non-zero hlen is an error */
+ }
+
+ static const char * const pgpSigRSA[] = {
+@@ -608,7 +610,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
+ _digp->hashlen = sizeof(*v) + plen;
+ _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
+ }
+- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
++ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
++ return 1;
+ p += plen;
+
+ plen = pgpGrab(p,2);
+@@ -619,7 +622,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
+
+ if (_debug && _print)
+ fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
+- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
++ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
++ return 1;
+ p += plen;
+
+ plen = pgpGrab(p,2);
diff --git a/macrosin.diff b/macrosin.diff
index 9587597..bc303b9 100644
--- a/macrosin.diff
+++ b/macrosin.diff
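Review bot: The new bound check `if (i + plen > hlen)` in pgpPrtSubType adds two lengths taken from the packet before comparing them. If `plen` is an unsigned type as wide as `hlen` (the declarations are outside the hunk), a very large subpacket length can wrap the sum and slip past the check. Comparing by subtraction avoids the wrap: `if ((size_t)i > hlen || plen > hlen - (size_t)i) break;`. Separately, `pgpLen(p, &plen)` runs before anything confirms that `hlen` covers the length octets it reads, so the top of the loop deserves the same scrutiny. pgpPrtSubType starts and ends outside these nested hunks.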
@@ -29,12 +29,13 @@ # The path to the gzip executable (legacy, use %{__gzip} instead). %_gzipbin %{__gzip} -@@ -230,7 +230,7 @@ package or when debugging this package.\ +@@ -230,7 +230,8 @@ package or when debugging this package.\ %_tmppath %{_var}/tmp # Path to top of build area. -%_topdir %{getenv:HOME}/rpmbuild -+%_topdir %{_usrsrc}/packages ++%_topdir %{expand:%%global _topdir %{lua:if posix.access(rpm.expand("%{_usrsrc}/packages"), "w") then print "%{_usrsrc}/packages" else print "%{getenv:HOME}/rpmbuild" end} \ ++}%_topdir # The path to the unzip executable (legacy, use %{__unzip} instead). %_unzipbin %{__unzip} diff --git a/rpm-4.9.1.2.tar.bz2 b/rpm-4.9.1.2.tar.bz2 new file mode 100644 index 0000000..3affb51 --- /dev/null +++ b/rpm-4.9.1.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea55e5c5b70703a3fea33e5debec27a694816ae86d1bf5ce99bc9e27db84b60a +size 3500371 diff --git a/rpm-4.9.1.tar.bz2 b/rpm-4.9.1.tar.bz2 deleted file mode 100644 index 7d60669..0000000 --- a/rpm-4.9.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b85f6c7c17ef1810362110779a198e25f81c0f683470e9ab21d4d2fdd48ee899 -size 3497021 diff --git a/rpm-python.spec b/rpm-python.spec index 91c3ddb..dc9d1ee 100644 --- a/rpm-python.spec +++ b/rpm-python.spec @@ -25,7 +25,7 @@ BuildRequires: libacl-devel libcap-devel python-devel xz-devel zlib-devel License: GPLv2+ Group: System/Packages Summary: Python Bindings for Manipulating RPM Packages -Version: 4.9.1 +Version: 4.9.1.2 Release: 5 Requires: rpm = %{version} %py_requires diff --git a/rpm-suse_macros b/rpm-suse_macros index 37237e0..1af54ac 100644 --- a/rpm-suse_macros +++ b/rpm-suse_macros @@ -336,7 +336,7 @@ %supplements_kernel_module() \ %{expand:%(if ! rpm -q kernel-syms > /dev/null; then echo "%fail Please add the kernel-syms package to BuildRequires"; fi)} -%suse_version 1140 +%suse_version 1210 %sles_version 0 %ul_version 0 
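Review bot: The new `%_topdir` fallback tests only the top-level directory with `posix.access(rpm.expand("%{_usrsrc}/packages"), "w")` and then freezes the answer through `%%global _topdir`. A tree whose top level is writable but whose BUILD/RPMS/… subdirectories are not still selects `%{_usrsrc}/packages` and fails later in the build. The comment `# Path to top of build area.` above the macro no longer describes the behaviour. Something like `# Path to top of build area: %{_usrsrc}/packages if writable by the caller, else ~/rpmbuild (decided once, on first expansion).` would record the rule next to the code.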
diff --git a/rpm.changes b/rpm.changes index 0543976..60a1454 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Oct 19 18:28:39 CEST 2011 - mls@suse.de + +- update to rpm-4.9.1.2 + * fixes some securities issues + * makes two local patches obsolete +- add other security checks +- use ~/rpmbuild as topdir is /usr/src/packages in not writeable + [bnc#658536] +- bump suse_version macro + ------------------------------------------------------------------- Fri Sep 30 06:42:49 UTC 2011 - adrian@suse.de diff --git a/rpm.spec b/rpm.spec index 00cdf02..14a5ea0 100644 --- a/rpm.spec +++ b/rpm.spec @@ -25,11 +25,11 @@ BuildRequires: popt-devel BuildRequires: libacl-devel libcap-devel #!BuildIgnore: rpmlint-Factory Provides: rpminst -PreReq: %insserv_prereq %fillup_prereq permissions +PreReq: %insserv_prereq %fillup_prereq AutoReqProv: on Summary: The RPM Package Manager -Version: 4.9.1 -Release: 27 +Version: 4.9.1.2 +Release: 1 Source: rpm-%{version}.tar.bz2 Source1: RPM-HOWTO.tar.bz2 Source2: RPM-Tips.html.tar.bz2 @@ -111,10 +111,9 @@ Patch73: nomagiccheck.diff Patch74: findsupplements.diff Patch75: assumeexec.diff Patch76: buildpipe.diff -Patch77: trailslash.diff -Patch78: docdefattr.diff -Patch79: mono-find-requires.diff -Patch80: debugedit-stabs-warning.diff +Patch77: mono-find-requires.diff +Patch78: debugedit-stabs-warning.diff +Patch79: headerchk.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build # # avoid bootstrapping problem @@ -178,7 +177,6 @@ rm -f rpmdb/db.h %patch -P 50 -P 51 -P 52 -P 53 -P 54 -P 55 -P 56 -P 57 -P 58 -P 59 %patch -P 60 -P 61 -P 62 -P 63 -P 64 -P 65 -P 66 -P 67 -P 68 -P 69 %patch -P 70 -P 71 -P 72 -P 73 -P 74 -P 75 -P 76 -P 77 -P 78 -P 79 -%patch -P 80 #chmod 755 scripts/find-supplements{,.ksyms} #chmod 755 scripts/find-provides.ksyms scripts/find-requires.ksyms #chmod 755 scripts/firmware.prov 
@@ -244,13 +242,13 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/suse ln -s ../suse_macros $RPM_BUILD_ROOT/usr/lib/rpm/suse/macros for d in BUILD RPMS SOURCES SPECS SRPMS BUILDROOT ; do mkdir -p $RPM_BUILD_ROOT/usr/src/packages/$d - chmod 1777 $RPM_BUILD_ROOT/usr/src/packages/$d + chmod 755 $RPM_BUILD_ROOT/usr/src/packages/$d done for d in $RPM_BUILD_ROOT/usr/lib/rpm/platform/*-linux/macros ; do dd=${d%%-linux/macros} dd=${dd##*/} mkdir $RPM_BUILD_ROOT/usr/src/packages/RPMS/$dd - chmod 1777 $RPM_BUILD_ROOT/usr/src/packages/RPMS/$dd + chmod 755 $RPM_BUILD_ROOT/usr/src/packages/RPMS/$dd done mkdir -p $RPM_BUILD_ROOT/var/lib/rpm gzip -9 $RPM_BUILD_ROOT/%{_mandir}/man[18]/*.[18] @@ -266,7 +264,6 @@ rm -f $RPM_BUILD_ROOT%{_prefix}/share/locale/de/LC_MESSAGES/rpm.mo mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates install -c -m0644 %{SOURCE9} $RPM_BUILD_ROOT/var/adm/fillup-templates/ rm -f $RPM_BUILD_ROOT/usr/lib/rpm/cpanflute $RPM_BUILD_ROOT/usr/lib/rpm/cpanflute2 -find $RPM_BUILD_ROOT/usr/src/packages/* -type d | sed -e "s@$RPM_BUILD_ROOT@@" | sort > $RPM_BUILD_ROOT/usr/lib/rpm/permlist install -m 755 %{SOURCE5} $RPM_BUILD_ROOT/usr/lib/rpm install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/usr/lib/rpm install -m 755 scripts/find-supplements{,.ksyms} $RPM_BUILD_ROOT/usr/lib/rpm @@ -307,7 +304,6 @@ rm -rf $RPM_BUILD_ROOT %post %{fillup_only -an services} -%run_permissions test -f var/lib/rpm/Packages || rpm --initdb if test -s var/lib/rpm/packages.rpm ; then echo "converting rpm-3 database to rpm-4 format..." @@ -321,9 +317,6 @@ rm -f var/lib/rpm/Filemd5s var/lib/rpm/Filedigests var/lib/rpm/Requireversion va %postun %{insserv_cleanup} -%verifyscript -%verify_permissions -f /usr/lib/rpm/permlist - %files -f rpm.lang %defattr(-,root,root) %doc CHANGES.gz COPYING GROUPS 
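Review bot: Nothing in the package re-asserts or documents the tighter mode on /usr/src/packages/* once the build loop switches from `chmod 1777` to `chmod 755`, because the same commit also drops `%run_permissions`, the generated `permlist` and the `%verifyscript`. If the distribution's permissions profiles still carry entries for these directories (not visible on this page), a later permissions run could restore the old world-writable mode, so confirm those entries are removed in step. The `%files` hunk that follows drops `%verify(not mode)`, which lets `rpm -V` report mode drift and is the right companion change. A comment above the loop such as `# root-owned 755; unprivileged builds fall back to ~/rpmbuild via %_topdir` would record why the sticky world-writable mode went away.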
@@ -342,13 +335,13 @@ rm -f var/lib/rpm/Filemd5s var/lib/rpm/Filedigests var/lib/rpm/Requireversion va %{_libdir}/librpmsign.so.* %doc %{_mandir}/man[18]/*.[18]* %dir /var/lib/rpm -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/BUILD -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/SPECS -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/SOURCES -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/SRPMS -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/RPMS -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/BUILDROOT -%verify(not mode) %dir %attr(755,root,root) /usr/src/packages/RPMS/* +%dir %attr(755,root,root) /usr/src/packages/BUILD +%dir %attr(755,root,root) /usr/src/packages/SPECS +%dir %attr(755,root,root) /usr/src/packages/SOURCES +%dir %attr(755,root,root) /usr/src/packages/SRPMS +%dir %attr(755,root,root) /usr/src/packages/RPMS +%dir %attr(755,root,root) /usr/src/packages/BUILDROOT +%dir %attr(755,root,root) /usr/src/packages/RPMS/* /var/adm/fillup-templates/sysconfig.services-rpm %files devel diff --git a/trailslash.diff b/trailslash.diff deleted file mode 100644 index 875df7b..0000000 --- a/trailslash.diff +++ /dev/null 
@@ -1,40 +0,0 @@
---- ./build/files.c.orig 2011-07-21 10:59:03.000000000 +0000
-+++ ./build/files.c 2011-07-21 10:59:33.000000000 +0000
-@@ -1398,7 +1398,7 @@ static rpmRC addFile(FileList fl, const
- }
- }
-
-- if ((! fl->isDir) && S_ISDIR(statp->st_mode)) {
-+ if ((fl->isDir <= 0) && S_ISDIR(statp->st_mode)) {
- /* FIX: fl->buildRoot may be NULL */
- return recurseDir(fl, diskPath);
- }
-@@ -1678,9 +1678,6 @@ static rpmRC processBinaryFile(Package p
- * /.././../usr/../bin//./sh
- */
- diskPath = rpmGenPath(fl->buildRoot, NULL, fileName);
-- /* Arrange trailing slash on directories */
-- if (fl->isDir)
-- diskPath = rstrcat(&diskPath, "/");
-
- if (doGlob) {
- ARGV_t argv = NULL;
-@@ -1694,8 +1691,18 @@ static rpmRC processBinaryFile(Package p
- goto exit;
- }
-
-+ /* Arrange trailing slash on directories */
-+ if (fl->isDir)
-+ diskPath = rstrcat(&diskPath, "/");
-+
- if (rpmGlob(diskPath, &argc, &argv) == 0 && argc >= 1) {
- for (i = 0; i < argc; i++) {
-+ if (fl->isDir) {
-+ /* strip trailing slash again */
-+ int l = strlen(argv[i]);
-+ if (l > 1 && argv[i][l - 1] == '/')
-+ argv[i][l - 1] = 0;
-+ }
- rc = addFile(fl, argv[i], NULL);
- }
- argvFree(argv);