diff --git a/rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch b/rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch new file mode 100644 index 0000000..70c2a0b --- /dev/null +++ b/rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch @@ -0,0 +1,36 @@ +From 7f0b7217fb1c20ec6ce0c0e0bfee0349f27a2511 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Fri, 8 Jan 2021 13:59:59 +0200 +Subject: [PATCH] Ensure ELF files get stripped when debuginfo is disabled + +Depending on libmagic version, PIE executables can be reported as +"shared object" avoiding the strip. And so will any libraries because +we're explicitly skipping them for whatever historical reason - perhaps +because there's a separate script for stripping the libraries, but that +has been never enabled in rpm, and relying on "file" strings to do this +is hopelessly unreliable. + +Also drop file permissions checks: making shared libraries executable +just to have them stripped is not sensical, especially in the light of +commit 80818e4f902ba3cf85e4cfcd8a7a4c71c601f3cf + +Reported once upon time as RhBug:988812 and later RhBug:1634084 +--- + scripts/brp-strip | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/brp-strip b/scripts/brp-strip +index c3484fe3c..35fbb593a 100755 +--- a/scripts/brp-strip ++++ b/scripts/brp-strip +@@ -13,5 +13,5 @@ Darwin*) exit 0 ;; + esac + + # Strip ELF binaries +-find "$RPM_BUILD_ROOT" -type f \( -perm -0100 -or -perm -0010 -or -perm -0001 \) \! -regex "${RPM_BUILD_ROOT}/*usr/lib/debug.*" -print0 | \ +- xargs -0 -r -P$NCPUS -n32 sh -c "file \"\$@\" | grep -v ' shared object,' | sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p' | xargs -I\{\} $STRIP -g \{\}" ARG0 ++find "$RPM_BUILD_ROOT" -type f \! -regex "${RPM_BUILD_ROOT}/*usr/lib/debug.*" -print0 | \ ++ xargs -0 -r -P$NCPUS -n32 sh -c "file \"\$@\" | sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p' | xargs -I\{\} $STRIP -g \{\}" ARG0 +-- +2.33.1 + diff --git a/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch b/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch new file mode 100644 index 0000000..9be13e7 --- /dev/null +++ b/rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch @@ -0,0 +1,194 @@ +From 495f25f7198fb1e0163a7ae55de55576d9dc6fe5 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Mon, 29 Nov 2021 14:01:39 +0200 +Subject: [PATCH] Fix IMA signature lengths assumed constant (#1833, + RhBug:2018937) + +At least ECDSA and RSA signatures can vary in length, but the IMA code +assumes constant lengths and thus may either place invalid signatures on +disk from either truncating or overshooting, and segfault if the stars are +just so. + +Luckily the signatures are stored as strings so we can calculate the +actual lengths at runtime and ignore the stored constant length info. +Extend hex2bin() to optionally calculate the lengths and maximum, +and use these for returning IMA data from the rpmfi(les) API. + +Additionally update the signing code to store the largest IMA signature +length rather than what happened to be last to be on the safe side. +We can't rely on this value due to invalid packages being out there, +but then we need to calculate the lengths on rpmfiles populate so there's +not a lot to gain anyhow. + +Fixes: #1833 + +Combined with 0c1ad364d65c4144ff71c376e0b49fbc322b686d and backported +for 4.16.1.3. Note that the test case has been removed due to it +including a binary file (test package) for which we'd have to use -Sgit +with %autopatch and thus depend on git-core at build time. +Nevertheless, we do have this BZ covered in our internal test suite, so +no need for it anyway. +--- + lib/rpmfi.c | 43 ++++++++++++++++++++++++++++++++++--------- + python/rpmfiles-py.c | 18 ++++++++++++++++++ + sign/rpmsignfiles.c | 5 ++++- + 3 files changed, 56 insertions(+), 10 deletions(-) + +diff --git a/lib/rpmfi.c b/lib/rpmfi.c +index af428468c..0878d78f2 100644 +--- a/lib/rpmfi.c ++++ b/lib/rpmfi.c +@@ -115,7 +115,8 @@ struct rpmfiles_s { + struct fingerPrint_s * fps; /*!< File fingerprint(s). */ + + int digestalgo; /*!< File digest algorithm */ +- int signaturelength; /*!< File signature length */ ++ int *signaturelengths; /*!< File signature length */ ++ int signaturemaxlen; /*!< Largest file signature length */ + unsigned char * digests; /*!< File digests in binary. */ + unsigned char * signatures; /*!< File signatures in binary. */ + +@@ -575,9 +576,9 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len) + + if (fi != NULL && ix >= 0 && ix < rpmfilesFC(fi)) { + if (fi->signatures != NULL) +- signature = fi->signatures + (fi->signaturelength * ix); ++ signature = fi->signatures + (fi->signaturemaxlen * ix); + if (len) +- *len = fi->signaturelength; ++ *len = fi->signaturelengths[ix]; + } + return signature; + } +@@ -1257,6 +1258,7 @@ rpmfiles rpmfilesFree(rpmfiles fi) + fi->flangs = _free(fi->flangs); + fi->digests = _free(fi->digests); + fi->signatures = _free(fi->signatures); ++ fi->signaturelengths = _free(fi->signaturelengths); + fi->fcaps = _free(fi->fcaps); + + fi->cdict = _free(fi->cdict); +@@ -1486,15 +1488,38 @@ err: + } + + /* Convert a tag of hex strings to binary presentation */ +-static uint8_t *hex2bin(Header h, rpmTagVal tag, rpm_count_t num, size_t len) ++/* If lengths is non-NULL, assume variable length strings */ ++static uint8_t *hex2bin(Header h, rpmTagVal tag, rpm_count_t num, size_t len, ++ int **lengths, int *maxlen) + { + struct rpmtd_s td; + uint8_t *bin = NULL; + + if (headerGet(h, tag, &td, HEADERGET_MINMEM) && rpmtdCount(&td) == num) { +- uint8_t *t = bin = xmalloc(num * len); + const char *s; + ++ /* Figure string sizes + max length for allocation purposes */ ++ if (lengths) { ++ int maxl = 0; ++ int *lens = xmalloc(num * sizeof(*lens)); ++ int i = 0; ++ ++ while ((s = rpmtdNextString(&td))) { ++ lens[i] = strlen(s) / 2; ++ if (lens[i] > maxl) ++ maxl = lens[i]; ++ i++; ++ } ++ ++ *lengths = lens; ++ *maxlen = maxl; ++ len = maxl; ++ ++ /* Reinitialize iterator for next round */ ++ rpmtdInit(&td); ++ } ++ ++ uint8_t *t = bin = xmalloc(num * len); + while ((s = rpmtdNextString(&td))) { + if (*s == '\0') { + memset(t, 0, len); +@@ -1570,15 +1595,15 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags) + /* grab hex digests from header and store in binary format */ + if (!(flags & RPMFI_NOFILEDIGESTS)) { + size_t diglen = rpmDigestLength(fi->digestalgo); +- fi->digests = hex2bin(h, RPMTAG_FILEDIGESTS, totalfc, diglen); ++ fi->digests = hex2bin(h, RPMTAG_FILEDIGESTS, totalfc, diglen, ++ NULL, NULL); + } + + fi->signatures = NULL; + /* grab hex signatures from header and store in binary format */ + if (!(flags & RPMFI_NOFILESIGNATURES)) { +- fi->signaturelength = headerGetNumber(h, RPMTAG_FILESIGNATURELENGTH); +- fi->signatures = hex2bin(h, RPMTAG_FILESIGNATURES, +- totalfc, fi->signaturelength); ++ fi->signatures = hex2bin(h, RPMTAG_FILESIGNATURES, totalfc, 0, ++ &fi->signaturelengths, &fi->signaturemaxlen); + } + + /* XXX TR_REMOVED doesn;t need fmtimes, frdevs, finodes */ +diff --git a/python/rpmfiles-py.c b/python/rpmfiles-py.c +index 27666021d..48189a0ac 100644 +--- a/python/rpmfiles-py.c ++++ b/python/rpmfiles-py.c +@@ -152,6 +152,22 @@ static PyObject *rpmfile_digest(rpmfileObject *s) + Py_RETURN_NONE; + } + ++static PyObject *bytebuf(const unsigned char *buf, size_t len) ++{ ++ if (buf) { ++ PyObject *o = PyBytes_FromStringAndSize((const char *)buf, len); ++ return o; ++ } ++ Py_RETURN_NONE; ++} ++ ++static PyObject *rpmfile_imasig(rpmfileObject *s) ++{ ++ size_t len = 0; ++ const unsigned char *sig = rpmfilesFSignature(s->files, s->ix, &len); ++ return bytebuf(sig, len); ++} ++ + static PyObject *rpmfile_class(rpmfileObject *s) + { + return utf8FromString(rpmfilesFClass(s->files, s->ix)); +@@ -278,6 +294,8 @@ static PyGetSetDef rpmfile_getseters[] = { + "language the file provides (typically for doc files)" }, + { "caps", (getter) rpmfile_caps, NULL, + "file capabilities" }, ++ { "imasig", (getter) rpmfile_imasig, NULL, ++ "IMA signature" }, + { NULL, NULL, NULL, NULL } + }; + +diff --git a/sign/rpmsignfiles.c b/sign/rpmsignfiles.c +index b143c5b9b..6f39db6be 100644 +--- a/sign/rpmsignfiles.c ++++ b/sign/rpmsignfiles.c +@@ -98,8 +98,9 @@ rpmRC rpmSignFiles(Header sigh, Header h, const char *key, char *keypass) + td.count = 1; + + while (rpmfiNext(fi) >= 0) { ++ uint32_t slen; + digest = rpmfiFDigest(fi, NULL, NULL); +- signature = signFile(algoname, digest, diglen, key, keypass, &siglen); ++ signature = signFile(algoname, digest, diglen, key, keypass, &slen); + if (!signature) { + rpmlog(RPMLOG_ERR, _("signFile failed\n")); + goto exit; +@@ -110,6 +111,8 @@ rpmRC rpmSignFiles(Header sigh, Header h, const char *key, char *keypass) + goto exit; + } + signature = _free(signature); ++ if (slen > siglen) ++ siglen = slen; + } + + if (siglen > 0) { +-- +2.33.1 + diff --git a/rpm-4.16.1.3-support-bdb-hash-v8.patch b/rpm-4.16.1.3-support-bdb-hash-v8.patch new file mode 100644 index 0000000..3581544 --- /dev/null +++ b/rpm-4.16.1.3-support-bdb-hash-v8.patch @@ -0,0 +1,39 @@ +From c771ae28e28b2971869b7801ffc7961f4dcb6544 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Thu, 10 Jun 2021 10:32:12 +0300 +Subject: [PATCH] Support hash v8 databases from BDB < 4.6 in bdb_ro + +In Hash v8 databases page type differs from newer ones to denote +the difference between sorted and unsorted pages. + +Fixes reading rpm databases from older distros like SLES 11 and RHEL 5 +(RhBug:1965147) +--- + lib/backend/bdb_ro.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/backend/bdb_ro.c b/lib/backend/bdb_ro.c +index 2667ec845..695ef78e3 100644 +--- a/lib/backend/bdb_ro.c ++++ b/lib/backend/bdb_ro.c +@@ -276,7 +276,7 @@ static int hash_lookup(struct bdb_cur *cur, const unsigned char *key, unsigned i + pg = hash_bucket_to_page(cur->db, bucket); + if (bdb_getpage(cur->db, cur->page, pg)) + return -1; +- if (cur->page[25] != 8 && cur->page[25] != 13) ++ if (cur->page[25] != 8 && cur->page[25] != 13 && cur->page[25] != 2) + return -1; + cur->idx = (unsigned int)-2; + cur->numidx = *(uint16_t *)(cur->page + 20); +@@ -323,7 +323,7 @@ static int hash_next(struct bdb_cur *cur) + } + if (bdb_getpage(cur->db, cur->page, pg)) + return -1; +- if (cur->page[25] != 8 && cur->page[25] != 13) ++ if (cur->page[25] != 8 && cur->page[25] != 13 && cur->page[25] != 2) + return -1; + cur->numidx = *(uint16_t *)(cur->page + 20); + continue; +-- +2.33.1 + diff --git a/rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch b/rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch new file mode 100644 index 0000000..43184bc --- /dev/null +++ b/rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch @@ -0,0 +1,144 @@ +From 137ecc2e1841c2b27b99d4db9006253dd1c73dde Mon Sep 17 00:00:00 2001 +From: Michael Schroeder +Date: Fri, 4 Jun 2021 23:30:49 +0200 +Subject: [PATCH] Unbreak checking of installed rich dependencies + +Commit ddb32b9187e9ce85819a84ca8d202131fd9f8b9f added an +extra check that tests if the provide we are checking really +intersects the dependency from rpmdb. Unfortunately the +rpmdsCompare() call does not understand rich dependencies and +will consider them as not intersecting. + +Unbreak the check by not doing the intersection test for +rich dependencies. We'll improve this in a later commit. + +Also add test cases for dependency problems with installed +rich dependencies. +--- + lib/depends.c | 2 +- + tests/rpmdeps.at | 99 ++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 1 deletion(-) + +diff --git a/lib/depends.c b/lib/depends.c +index c10ba4bda..fecbd9675 100644 +--- a/lib/depends.c ++++ b/lib/depends.c +@@ -846,7 +846,7 @@ static void checkInstDeps(rpmts ts, depCache dcache, rpmte te, + rpmdsSetIx(ds, rpmdbGetIteratorFileNum(mi)); + + /* Is it in our range at all? (but file deps have no range) */ +- if (depds) ++ if (depds && !rpmdsIsRich(ds)) + match = rpmdsCompare(ds, depds); + + if (match && unsatisfiedDepend(ts, dcache, ds) == is_problem) { +diff --git a/tests/rpmdeps.at b/tests/rpmdeps.at +index 67bde1dc8..8357af9df 100644 +--- a/tests/rpmdeps.at ++++ b/tests/rpmdeps.at +@@ -732,3 +732,102 @@ runroot rpm -U /build/RPMS/noarch/deptest-one-1.0-1.noarch.rpm /build/RPMS/noarc + [], + []) + AT_CLEANUP ++ ++# ------------------------------ ++# ++AT_SETUP([install to break installed rich dependency]) ++AT_KEYWORDS([install, boolean]) ++RPMDB_INIT ++ ++runroot rpmbuild --quiet -bb \ ++ --define "pkg one" \ ++ --define "cfls (deptest-three or deptest-five)" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg two" \ ++ --define "reqs (deptest-five if deptest-four)" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg three" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg four" \ ++ /data/SPECS/deptest.spec ++ ++# installed conflict with "or" clause ++AT_CHECK([ ++RPMDB_INIT ++ ++runroot rpm -U /build/RPMS/noarch/deptest-one-1.0-1.noarch.rpm ++runroot rpm -U /build/RPMS/noarch/deptest-three-1.0-1.noarch.rpm ++], ++[1], ++[], ++[error: Failed dependencies: ++ (deptest-three or deptest-five) conflicts with (installed) deptest-one-1.0-1.noarch ++]) ++ ++# installed requires with "if" clause ++AT_CHECK([ ++RPMDB_INIT ++ ++runroot rpm -U /build/RPMS/noarch/deptest-two-1.0-1.noarch.rpm ++runroot rpm -U /build/RPMS/noarch/deptest-four-1.0-1.noarch.rpm ++], ++[1], ++[], ++[error: Failed dependencies: ++ (deptest-five if deptest-four) is needed by (installed) deptest-two-1.0-1.noarch ++]) ++AT_CLEANUP ++ ++# ------------------------------ ++# ++AT_SETUP([erase to break installed rich dependency]) ++AT_KEYWORDS([install, boolean]) ++RPMDB_INIT ++ ++runroot rpmbuild --quiet -bb \ ++ --define "pkg one" \ ++ --define "reqs (deptest-three or deptest-five)" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg two" \ ++ --define "cfls (deptest-five unless deptest-four)" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg three" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg four" \ ++ /data/SPECS/deptest.spec ++runroot rpmbuild --quiet -bb \ ++ --define "pkg five" \ ++ /data/SPECS/deptest.spec ++ ++# installed requires with "or" clause ++AT_CHECK([ ++RPMDB_INIT ++ ++runroot rpm -U /build/RPMS/noarch/deptest-one-1.0-1.noarch.rpm /build/RPMS/noarch/deptest-three-1.0-1.noarch.rpm ++runroot rpm -e deptest-three ++], ++[1], ++[], ++[error: Failed dependencies: ++ (deptest-three or deptest-five) is needed by (installed) deptest-one-1.0-1.noarch ++]) ++ ++# installed conflicts with "unless" clause ++AT_CHECK([ ++RPMDB_INIT ++ ++runroot rpm -U /build/RPMS/noarch/deptest-two-1.0-1.noarch.rpm /build/RPMS/noarch/deptest-four-1.0-1.noarch.rpm /build/RPMS/noarch/deptest-five-1.0-1.noarch.rpm ++runroot rpm -e deptest-four ++], ++[1], ++[], ++[error: Failed dependencies: ++ (deptest-five unless deptest-four) conflicts with (installed) deptest-two-1.0-1.noarch ++]) ++AT_CLEANUP +-- +2.33.1 + diff --git a/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch new file mode 100644 index 0000000..a1753a4 --- /dev/null +++ b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch @@ -0,0 +1,386 @@ +From a73895e6f03bef5e95a738ff680f7c42151f3959 Mon Sep 17 00:00:00 2001 +From: Demi Marie Obenour +Date: Thu, 6 May 2021 18:34:45 -0400 +Subject: [PATCH] Validate and require subkey binding signatures on PGP public + keys + +All subkeys must be followed by a binding signature by the primary key +as per the OpenPGP RFC, enforce the presence and validity in the parser. + +The implementation is as kludgey as they come to work around our +simple-minded parser structure without touching API, to maximise +backportability. Store all the raw packets internally as we decode them +to be able to access previous elements at will, needed to validate ordering +and access the actual data. Add testcases for manipulated keys whose +import previously would succeed. + +Combined with: +5ff86764b17f31535cb247543a90dd739076ec38 +b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 +9f03f42e2614a68f589f9db8fe76287146522c0c + +Fixes CVE-2021-3521. +--- + rpmio/rpmpgp.c | 123 +++++++++++++++--- + tests/Makefile.am | 3 + + tests/data/keys/CVE-2021-3521-badbind.asc | 25 ++++ + .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 ++++ + tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 ++++++ + tests/rpmsigdig.at | 28 ++++ + 6 files changed, 224 insertions(+), 17 deletions(-) + create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc + create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc + create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index d0688ebe9..b12410d67 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -515,7 +515,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg) + return NULL; + } + +-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, ++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, + const uint8_t *p, const uint8_t *h, size_t hlen, + pgpDigParams sigp) + { +@@ -528,10 +528,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, + int mpil = pgpMpiLen(p); + if (p + mpil > pend) + break; +- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) { +- if (sigalg->setmpi(sigalg, i, p)) +- break; +- } ++ if (sigalg->setmpi(sigalg, i, p)) ++ break; + p += mpil; + } + +@@ -604,7 +602,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + } + + p = ((uint8_t *)v) + sizeof(*v); +- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); ++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); + } break; + case 4: + { pgpPktSigV4 v = (pgpPktSigV4)h; +@@ -662,7 +660,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, + if (p > (h + hlen)) + return 1; + +- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); ++ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); + } break; + default: + rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version); +@@ -1041,36 +1039,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) + return algo; + } + ++static pgpDigParams pgpDigParamsNew(uint8_t tag) ++{ ++ pgpDigParams digp = xcalloc(1, sizeof(*digp)); ++ digp->tag = tag; ++ return digp; ++} ++ ++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag) ++{ ++ int rc = -1; ++ if (pkt->tag == exptag) { ++ uint8_t head[] = { ++ 0x99, ++ (pkt->blen >> 8), ++ (pkt->blen ), ++ }; ++ ++ rpmDigestUpdate(hash, head, 3); ++ rpmDigestUpdate(hash, pkt->body, pkt->blen); ++ rc = 0; ++ } ++ return rc; ++} ++ ++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig, ++ const struct pgpPkt *all, int i) ++{ ++ int rc = -1; ++ DIGEST_CTX hash = NULL; ++ ++ switch (selfsig->sigtype) { ++ case PGPSIGTYPE_SUBKEY_BINDING: ++ hash = rpmDigestInit(selfsig->hash_algo, 0); ++ if (hash) { ++ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY); ++ if (!rc) ++ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY); ++ } ++ break; ++ default: ++ /* ignore types we can't handle */ ++ rc = 0; ++ break; ++ } ++ ++ if (hash && rc == 0) ++ rc = pgpVerifySignature(key, selfsig, hash); ++ ++ rpmDigestFinal(hash, NULL, NULL, 0); ++ ++ return rc; ++} ++ + int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, + pgpDigParams * ret) + { + const uint8_t *p = pkts; + const uint8_t *pend = pkts + pktlen; + pgpDigParams digp = NULL; +- struct pgpPkt pkt; ++ pgpDigParams selfsig = NULL; ++ int i = 0; ++ int alloced = 16; /* plenty for normal cases */ ++ struct pgpPkt *all = xmalloc(alloced * sizeof(*all)); + int rc = -1; /* assume failure */ ++ int expect = 0; ++ int prevtag = 0; + + while (p < pend) { +- if (decodePkt(p, (pend - p), &pkt)) ++ struct pgpPkt *pkt = &all[i]; ++ if (decodePkt(p, (pend - p), pkt)) + break; + + if (digp == NULL) { +- if (pkttype && pkt.tag != pkttype) { ++ if (pkttype && pkt->tag != pkttype) { + break; + } else { +- digp = xcalloc(1, sizeof(*digp)); +- digp->tag = pkt.tag; ++ digp = pgpDigParamsNew(pkt->tag); + } + } + +- if (pgpPrtPkt(&pkt, digp)) ++ if (expect) { ++ if (pkt->tag != expect) ++ break; ++ selfsig = pgpDigParamsNew(pkt->tag); ++ } ++ ++ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp)) + break; + +- p += (pkt.body - pkt.head) + pkt.blen; ++ if (selfsig) { ++ /* subkeys must be followed by binding signature */ ++ if (prevtag == PGPTAG_PUBLIC_SUBKEY) { ++ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) ++ break; ++ } ++ ++ int xx = pgpVerifySelf(digp, selfsig, all, i); ++ ++ selfsig = pgpDigParamsFree(selfsig); ++ if (xx) ++ break; ++ expect = 0; ++ } ++ ++ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY) ++ expect = PGPTAG_SIGNATURE; ++ prevtag = pkt->tag; ++ ++ i++; ++ p += (pkt->body - pkt->head) + pkt->blen; ++ if (pkttype == PGPTAG_SIGNATURE) ++ break; ++ ++ if (alloced <= i) { ++ alloced *= 2; ++ all = xrealloc(all, alloced * sizeof(*all)); ++ } + } + +- rc = (digp && (p == pend)) ? 0 : -1; ++ rc = (digp && (p == pend) && expect == 0) ? 0 : -1; + ++ free(all); + if (ret && rc == 0) { + *ret = digp; + } else { +@@ -1105,8 +1195,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, + digps = xrealloc(digps, alloced * sizeof(*digps)); + } + +- digps[count] = xcalloc(1, sizeof(**digps)); +- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY; ++ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY); + /* Copy UID from main key to subkey */ + digps[count]->userid = xstrdup(mainkey->userid); + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index f742a9e1d..328234278 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec + EXTRA_DIST += data/SPECS/hello-cd.spec + EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub + EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret ++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc ++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc ++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc + EXTRA_DIST += data/macros.testfile + EXTRA_DIST += data/macros.debug + EXTRA_DIST += data/SOURCES/foo.c +diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc +new file mode 100644 +index 000000000..aea00f9d7 +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-badbind.asc +@@ -0,0 +1,25 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas ++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB ++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY ++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= ++=WCfs ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc +new file mode 100644 +index 000000000..aea00f9d7 +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc +@@ -0,0 +1,25 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas ++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB ++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY ++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= ++=WCfs ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc +new file mode 100644 +index 000000000..3a2e7417f +--- /dev/null ++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc +@@ -0,0 +1,37 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Version: rpm-4.17.90 (NSS-3) ++ ++mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g ++HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY ++91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 ++eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas ++7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ ++1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl ++c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK ++CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf ++Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB ++BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr ++XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX ++fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq +++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN ++BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY ++zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz ++iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 ++Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c ++KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m ++L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4 ++VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En ++uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ ++8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF ++v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/ ++qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB ++Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j ++mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos ++3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ ++zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX ++Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ ++gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ ++E4XX4jtDmdZPreZALsiB ++=rRop ++-----END PGP PUBLIC KEY BLOCK----- ++ +diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at +index e1a3ab062..705fc5870 100644 +--- a/tests/rpmsigdig.at ++++ b/tests/rpmsigdig.at +@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918 + []) + AT_CLEANUP + ++AT_SETUP([rpmkeys --import invalid keys]) ++AT_KEYWORDS([rpmkeys import]) ++RPMDB_INIT ++ ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.] ++) ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.] ++) ++ ++AT_CHECK([ ++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc ++], ++[1], ++[], ++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.] ++) ++AT_CLEANUP ++ + # ------------------------------ + # Test pre-built package verification + AT_SETUP([rpmkeys -K 1]) +-- +2.33.1 + diff --git a/rpm.spec b/rpm.spec index a383e91..9da035d 100644 --- a/rpm.spec +++ b/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 7 +%global rel 8 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -72,6 +72,11 @@ Patch100: rpm-4.16.1.3-imp-covscan-fixes.patch Patch101: rpm-4.16.1.3-rpmsign-support-EdDSA-sig.patch Patch102: rpm-4.16.1.3-add-fapolicyd-plugin.patch Patch103: rpm-4.16.1.3-unblock-signals-in-forked-scriptlets.patch +Patch104: rpm-4.16.1.3-support-bdb-hash-v8.patch +Patch105: rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch +Patch106: rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch +Patch107: rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch +Patch108: rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch @@ -368,6 +373,7 @@ done; --with-cap \ --with-acl \ %{?with_ndb: --enable-ndb} \ + %{!?with_libarchive: --without-archive} \ %{?with_libimaevm: --with-imaevm} \ %{?with_zstd: --enable-zstd} \ %{?with_sqlite: --enable-sqlite} \ @@ -461,7 +467,9 @@ fi %attr(0644, root, root) %ghost /var/lib/rpm/.*.lock %{_bindir}/rpm +%if %{with libarchive} %{_bindir}/rpm2archive +%endif %{_bindir}/rpm2cpio %{_bindir}/rpmdb %{_bindir}/rpmkeys @@ -471,7 +479,9 @@ fi %{_mandir}/man8/rpm.8* %{_mandir}/man8/rpmdb.8* %{_mandir}/man8/rpmkeys.8* +%if %{with libarchive} %{_mandir}/man8/rpm2archive.8* +%endif %{_mandir}/man8/rpm2cpio.8* %{_mandir}/man8/rpm-misc.8* %{_mandir}/man8/rpm-plugins.8* @@ -596,6 +606,16 @@ fi %doc doc/librpm/html/* %changelog +* Thu Dec 09 2021 Michal Domonkos - 4.16.1.3-8 +- Support hash v8 databases from BDB < 4.6 (#1965147) +- Ensure ELF files get stripped when debuginfo is disabled (#1999009) +- Actually honor libarchive bcond at configure time (#1999012) +- Unbreak checking of installed rich dependencies (#2015407) +- Rebuild against soname bump in ima-evm-utils (#2026079) +- Fix IMA signature lengths assumed constant (#2018937) +- Validate and require subkey binding sigs on PGP pubkeys (#1943724) +- Fixes CVE-2021-3521 + * Thu Aug 19 2021 Michal Domonkos - 4.16.1.3-7 - Unblock signals in forked scriptlets (#1991667)