Accepting request 617098 from Base:System

-> OBS-URL: https://build.opensuse.org/request/show/617098 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rpm?expand=0&rev=263
2018-06-26 08:29:04 +00:00 · 2018-06-26 08:29:04 +00:00 · b59282c601
commit b59282c601
parent 4900fd3338 0dd6570819
7 changed files with 163 additions and 14 deletions
--- a/fileattrs.diff
+++ b/fileattrs.diff
@ -32,13 +32,13 @@
 --- ./fileattrs/kernel.attr.orig	2017-12-01 15:46:28.172720497 +0000
 +++ ./fileattrs/kernel.attr	2017-12-01 15:46:28.172720497 +0000
@@ -0,0 +1,2 @@
-+%__kernel_provides	%{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse}
+%__kernel_provides	%{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1}
 +%__kernel_path		^(/lib/modules/[^/]*/kernel/.*\.ko(\.gz)?|/boot/vmlinu[xz].*)$
 --- ./fileattrs/kmp.attr.orig	2017-12-01 15:46:28.172720497 +0000
 +++ ./fileattrs/kmp.attr	2017-12-01 15:46:28.172720497 +0000
@@ -0,0 +1,4 @@
-+%__kmp_provides		%{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse}
-+%__kmp_requires		%{_rpmconfigdir}/find-requires.ksyms --opensuse 0%{?is_opensuse}
+%__kmp_provides		%{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1}
+%__kmp_requires		%{_rpmconfigdir}/find-requires.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1}
 +%__kmp_supplements	%{_rpmconfigdir}/find-supplements.ksyms
 +%__kmp_path		^/lib/modules/[^/]*/(updates|extra)/.*\.ko(\.gz)?
 --- ./fileattrs/perl.attr.orig	2017-08-10 08:08:07.113108701 +0000
--- a/findksyms.diff
+++ b/findksyms.diff
@ -23,16 +23,16 @@
 +
 +IFS=$'\n'
 +
-+is_opensuse=false
+is_tumbleweed=false
 +
-+if test "$1" = "--opensuse"; then
+if test "$1" = "--tumbleweed"; then
 +    if test "$2" -gt 0; then
-+        is_opensuse=true
+        is_tumbleweed=true
 +    fi
 +    shift 2
 +fi
 +
-+if ! $is_opensuse; then
+if ! $is_tumbleweed; then
 +    trap 'rm -f "$tmp"' EXIT
 +    tmp=$(mktemp)
 +fi
@ -58,7 +58,7 @@
 +    *)
 +        continue
 +    esac
-+    if $is_opensuse; then
+    if $is_tumbleweed; then
 +        continue
 +    fi
 +    unzip=false
@ -107,16 +107,16 @@
 +
 +IFS=$'\n'
 +
-+is_opensuse=false
+is_tumbleweed=false
 +
-+if test "$1" = "--opensuse"; then
+if test "$1" = "--tumbleweed"; then
 +    if test "$2" -gt 0; then
-+        is_opensuse=true
+        is_tumbleweed=true
 +    fi
 +    shift 2
 +fi
 +
-+if ! $is_opensuse && ! test -e /sbin/modprobe; then
+if ! $is_tumbleweed && ! test -e /sbin/modprobe; then
 +    cat > /dev/null
 +    exit 0
 +fi
@ -124,7 +124,7 @@
 +for f in $(grep -E '/lib/modules/.+\.ko$' | grep -v '/lib/modules/[^/]*/kernel/'); do
 +    flavor=${f#*/lib/modules/}
 +    flavor=${flavor%%/*}
-+    if $is_opensuse; then
+    if $is_tumbleweed; then
 +        echo "kernel-uname-r = $flavor"
 +        continue
 +    fi
--- a/1
+++ b/1
@ -243,6 +243,7 @@
 %sles_version @sles_version@
 %ul_version @ul_version@
 %is_opensuse @is_opensuse@
+%sle_version @sle_version@
 %leap_version @leap_version@

 %do_profiling 1
--- a/rpm.changes
+++ b/rpm.changes
@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Fri Jun 15 12:46:10 UTC 2018 - msuchanek@suse.com
+
+- Add kernel export provides on openSUSE (boo#1095148).
+
+-------------------------------------------------------------------
+Fri Jun 15 13:25:18 CEST 2018 - mls@suse.de
+
+- really fix symlink attacks on rpm install [bnc#943457]
+  [CVE-2017-7500]
+  new patch: safesymlinks.diff
+- backport removal of user/group duplicate detection in verify
+  new patch: verifynodup.diff
+
+-------------------------------------------------------------------
+Mon Jun 11 11:43:36 CEST 2018 - mls@suse.de
+
+- Define sle_version in leap [bnc#1094735]
+
+-------------------------------------------------------------------
+Wed May 30 10:48:49 UTC 2018 - msuchanek@suse.com
+
+- openSUSE releases also preserve kabi (boo#1095148).
+
 -------------------------------------------------------------------
 Mon May  7 16:36:45 CEST 2018 - mls@suse.de

--- a/rpm.spec
+++ b/rpm.spec
@ -132,6 +132,8 @@ Patch111:       debugedit-bnc1076819.diff
 Patch112:       hardlinks.diff
 Patch113:       debugedit-riscv.patch
 Patch114:       source_date_epoch_buildtime.diff
+Patch115:       safesymlinks.diff
+Patch116:       verifynodup.diff
 Patch6464:      auto-config-update-aarch64-ppc64le.diff
 Patch6465:      auto-config-update-riscv64.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -229,7 +231,7 @@ rm -f rpmdb/db.h
 %patch                               -P 85
 %patch                   -P 93 -P 94                         -P 99
 %patch -P 100        -P 102 -P 103                             -P 108
-%patch -P 109 -P 111 -P 112 -P 113 -P 114
+%patch -P 109 -P 111 -P 112 -P 113 -P 114 -P 115 -P 116

 %ifarch aarch64 ppc64le riscv64
 %patch6464
@ -252,6 +254,12 @@ sed -e 's/@suse_version@/%{?suse_version}%{!?suse_version:0}/' \
    -e 's/@is_opensuse@/%{?is_opensuse}%{!?is_opensuse:0}/' \
    -e '/@leap_version@%{?leap_version:nomatch}/d' \
    -e 's/@leap_version@/%{?leap_version}%{!?leap_version:0}/' \
+%if 0%{?is_opensuse}
+    -e '/@sle_version@%{?sle_version:nomatch}/d' \
+    -e 's/@sle_version@/%{?sle_version}%{!?sle_version:0}/' \
+%else
+    -e '/@sle_version@/d' \
+%endif
  < %{SOURCE4} > suse_macros
 rm -f m4/libtool.m4
 rm -f m4/lt*.m4
--- a/safesymlinks.diff
+++ b/safesymlinks.diff
@ -0,0 +1,44 @@
+--- ./lib/fsm.c.orig	2018-06-15 11:15:50.320133057 +0000
+++ ./lib/fsm.c	2018-06-15 11:15:56.240118124 +0000
+@@ -653,7 +653,7 @@ static int fsmUtime(const char *path, mo
+     return rc;
+ }
+ 
+-static int fsmVerify(const char *path, rpmfi fi, const struct stat *fsb)
+static int fsmVerify(const char *path, rpmfi fi)
+ {
+     int rc;
+     int saveerrno = errno;
+@@ -684,7 +684,7 @@ static int fsmVerify(const char *path, r
+             if (rc) return rc;
+             errno = saveerrno;
+ 	    /* Only permit directory symlinks by target owner and root */
+-            if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == fsb->st_uid))
+            if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == dsb.st_uid))
+ 		    return 0;
+         }
+     } else if (S_ISLNK(mode)) {
+@@ -928,7 +928,7 @@ int rpmPackageFilesInstall(rpmts ts, rpm
+ 	    }
+ 	    /* Assume file does't exist when tmp suffix is in use */
+ 	    if (!suffix) {
+-		rc = fsmVerify(fpath, fi, &sb);
+		rc = fsmVerify(fpath, fi);
+ 	    } else {
+ 		rc = (action == FA_TOUCH) ? 0 : RPMERR_ENOENT;
+ 	    }
+--- ./lib/verify.c.orig	2018-06-15 11:16:03.904098773 +0000
+++ ./lib/verify.c	2018-06-15 11:23:42.842941766 +0000
+@@ -98,11 +98,8 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
+ 	struct stat dsb;
+ 	/* ...if it actually points to a directory  */
+ 	if (stat(fn, &dsb) == 0 && S_ISDIR(dsb.st_mode)) {
+-	    uid_t fuid;
+ 	    /* ...and is by a legit user, to match fsmVerify() behavior */
+-	    if (sb.st_uid == 0 ||
+-			(rpmugUid(rpmfilesFUser(fi, ix), &fuid) == 0 &&
+-			 sb.st_uid == fuid)) {
+	    if (sb.st_uid == 0 || sb.st_uid == dsb.st_uid) {
+ 		sb = dsb; /* struct assignment */
+ 	    }
+ 	}
--- a/verifynodup.diff
+++ b/verifynodup.diff
@ -0,0 +1,72 @@
+--- ./lib/verify.c.orig	2018-06-15 11:25:09.142724319 +0000
+++ ./lib/verify.c	2018-06-15 11:27:32.246363744 +0000
+@@ -59,7 +59,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
+     rpmfileAttrs fileAttrs = rpmfilesFFlags(fi, ix);
+     rpmVerifyAttrs flags = rpmfilesVFlags(fi, ix);
+     const char * fn = rpmfilesFN(fi, ix);
+-    struct stat sb;
+    struct stat sb, fsb;
+     rpmVerifyAttrs vfy = RPMVERIFY_NONE;
+ 
+     /*
+@@ -88,7 +88,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
+ 	break;
+     }
+ 
+-    if (fn == NULL || lstat(fn, &sb) != 0) {
+    if (fn == NULL || lstat(fn, &sb) != 0 || rpmfilesStat(fi, ix, 0, &fsb)) {
+ 	vfy |= RPMVERIFY_LSTATFAIL;
+ 	goto exit;
+     }
+@@ -243,47 +243,11 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
+ 	vfy |= RPMVERIFY_MTIME;
+     }
+ 
+-    if (flags & RPMVERIFY_USER) {
+-	const char * name = rpmugUname(sb.st_uid);
+-	const char * fuser = rpmfilesFUser(fi, ix);
+-	uid_t uid;
+-	int namematch = 0;
+-	int idmatch = 0;
+-
+-	if (name && fuser)
+-	   namematch =  rstreq(name, fuser);
+-	if (fuser && rpmugUid(fuser, &uid) == 0)
+-	    idmatch = (uid == sb.st_uid);
+-
+-	if (namematch != idmatch) {
+-	    rpmlog(RPMLOG_WARNING,
+-		    _("Duplicate username or UID for user %s\n"), fuser);
+-	}
+-
+-	if (!(namematch || idmatch))
+-	    vfy |= RPMVERIFY_USER;
+-    }
+-
+-    if (flags & RPMVERIFY_GROUP) {
+-	const char * name = rpmugGname(sb.st_gid);
+-	const char * fgroup = rpmfilesFGroup(fi, ix);
+-	gid_t gid;
+-	int namematch = 0;
+-	int idmatch = 0;
+-
+-	if (name && fgroup)
+-	    namematch = rstreq(name, fgroup);
+-	if (fgroup && rpmugGid(fgroup, &gid) == 0)
+-	    idmatch = (gid == sb.st_gid);
+-
+-	if (namematch != idmatch) {
+-	    rpmlog(RPMLOG_WARNING,
+-		    _("Duplicate groupname or GID for group %s\n"), fgroup);
+-	}
+    if ((flags & RPMVERIFY_USER) && (sb.st_uid != fsb.st_uid))
+	vfy |= RPMVERIFY_USER;
+ 
+-	if (!(namematch || idmatch))
+-	    vfy |= RPMVERIFY_GROUP;
+-    }
+    if ((flags & RPMVERIFY_GROUP) && (sb.st_gid != fsb.st_gid))
+	vfy |= RPMVERIFY_GROUP;
+ 
+ exit:
+     return vfy;