diff --git a/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch b/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
new file mode 100644
index 0000000..24a7326
--- /dev/null
+++ b/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
@@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "rpmio/digest.h"
+
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+
+ ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+ if (ret < 0) {
++ rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+ rc = 1;
+ goto done;
+ }
+--
+2.36.1
+
diff --git a/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch b/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
new file mode 100644
index 0000000..38b2f5a
--- /dev/null
+++ b/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
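Review bot: The guard around the new rpmlog() call in pgpVerifySigRSA is `if (ret < 0)`, but OpenSSL documents the EVP_PKEY_CTX control calls as returning a positive value on success and 0 or a negative value on failure, so a 0 return from EVP_PKEY_CTX_set_signature_md() would skip both the warning and the `rc = 1` failure path and presumably carry on into verification without the requested digest set. Changing the test to `if (ret <= 0) {` closes that gap. The warning is also emitted from the signature-verification path rather than from key import itself, so it may repeat for every signature that uses an unavailable hash; the function body continues outside the hunk, so confirm how often this path runs before settling on RPMLOG_WARNING.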
@@ -0,0 +1,57 @@
+diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh
+index 4531271cc..74aeed851 100755
+--- a/scripts/rpm2cpio.sh
++++ b/scripts/rpm2cpio.sh
+@@ -15,13 +15,23 @@ _dd() {
+ }
+
+ calcsize() {
++
++ case "$(_dd $1 bs=4 count=1 | tr -d '\0')" in
++ "$(printf '\216\255\350')"*) ;; # '\x8e\xad\xe8'
++ *) fatal "File doesn't look like rpm: $pkg" ;;
++ esac
++
+ offset=$(($1 + 8))
+
+ local i b b0 b1 b2 b3 b4 b5 b6 b7
+
+ i=0
+ while [ $i -lt 8 ]; do
+- b="$(_dd $(($offset + $i)) bs=1 count=1)"
++ # add . to not loose \n
++ # strip \0 as it gets dropped with warning otherwise
++ b="$(_dd $(($offset + $i)) bs=1 count=1 | tr -d '\0' ; echo .)"
++ b=${b%.} # strip . again
++
+ [ -z "$b" ] &&
+ b="0" ||
+ b="$(exec printf '%u\n' "'$b")"
+@@ -33,7 +43,7 @@ calcsize() {
+ offset=$(($offset + $rsize))
+ }
+
+-case "$(_dd 0 bs=8 count=1)" in
++case "$(_dd 0 bs=4 count=1 | tr -d '\0')" in
+ "$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb'
+ *) fatal "File doesn't look like rpm: $pkg" ;;
+ esac
+@@ -44,11 +54,11 @@ sigsize=$rsize
+ calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
+ hdrsize=$rsize
+
+-case "$(_dd $offset bs=3 count=1)" in
+- "$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a'
+- "$(printf '\037\213')"*) _dd $offset | gunzip ;; # '\x1f\x8b'
+- "$(printf '\375\067')"*) _dd $offset | xzcat ;; # '\xfd\x37'
+- "$(printf '\135\000')"*) _dd $offset | unlzma ;; # '\x5d\x00'
+- "$(printf '\050\265')"*) _dd $offset | unzstd ;; # '\x28\xb5'
+- *) fatal "Unrecognized rpm file: $pkg" ;;
++case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in
++ "$(printf '\102\132')") _dd $offset | bunzip2 ;; # '\x42\x5a'
++ "$(printf '\037\213')") _dd $offset | gunzip ;; # '\x1f\x8b'
++ "$(printf '\375\067')") _dd $offset | xzcat ;; # '\xfd\x37'
++ "$(printf '\135')") _dd $offset | unlzma ;; # '\x5d\x00'
++ "$(printf '\050\265')") _dd $offset | unzstd ;; # '\x28\xb5'
++ *) fatal "Unrecognized payload compression format in rpm file: $pkg" ;;
+ esac
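Review bot: Piping the magic bytes through `tr -d '\0'` makes the comparisons blind to where the NUL bytes sat, which matters because the package file is untrusted input: in the payload `case`, both `\135\000` and `\000\135` reduce to `\135` and select `unlzma`, and the header check in calcsize would accept its three magic bytes after a leading NUL. Comparing a hex rendering of the bytes (for example the output of `od -An -tx1`) would keep the match exact; at minimum the stale trailing comment on the unlzma arm should become `# '\x5d' once NUL is stripped (was '\x5d\x00')`. The new check in calcsize also reuses the lead's message text, so a bad header magic cannot be told apart from a bad lead; a distinct message such as `fatal "Bad rpm header magic: $pkg"` would help diagnosis.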
diff --git a/rpm-4.16.1.3-add-path-query-option.patch b/rpm-4.16.1.3-add-path-query-option.patch index 0a44718..324f098 100644 --- a/rpm-4.16.1.3-add-path-query-option.patch +++ b/rpm-4.16.1.3-add-path-query-option.patch @@ -1,4 +1,4 @@ -From ce8af503733b5661efa046cc7f5f68ee0dad75cc Mon Sep 17 00:00:00 2001 +From ba659220886c1a315f50fb91b9af4615b1a8757e Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Mon, 16 Aug 2021 18:21:02 +0200 Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries @@ -14,8 +14,11 @@ Update the man page for --file to reflect it's current behavior and make Resolves: rhbz#1940895 -Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported -for 4.16.1.3. +Combined with: +d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f +f62b6d27cd741406a52a7e9c5b1d6f581dbd3af8 + +Backported for 4.16.1.3. --- doc/rpm.8 | 9 ++++++-- lib/poptQV.c | 6 +++++- @@ -115,17 +118,17 @@ index fdabe6e52..9a71f0dc5 100644 mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0); diff --git a/lib/rpmcli.h b/lib/rpmcli.h -index 4886c2453..8ef992ff2 100644 +index 4886c2453..3961418e7 100644 --- a/lib/rpmcli.h +++ b/lib/rpmcli.h -@@ -81,6 +81,7 @@ rpmcliFini(poptContext optCon); - enum rpmQVSources_e { - RPMQV_PACKAGE = 0, /*!< ... from package name db search. */ - RPMQV_PATH, /*!< ... from file path db search. */ +@@ -101,6 +101,7 @@ enum rpmQVSources_e { + RPMQV_SPECBUILTRPMS, /*!< ... from pkgs which would be built from spec */ + RPMQV_WHATOBSOLETES, /*!< ... from obsoletes db search. */ + RPMQV_WHATCONFLICTS, /*!< ... from conflicts db search. */ + RPMQV_PATH_ALL, /*!< ... from file path db search (all states). */ - RPMQV_ALL, /*!< ... from each installed package. */ - RPMQV_RPM, /*!< ... from reading binary rpm package. */ - RPMQV_GROUP, /*!< ... from group db search. */ + }; + + typedef rpmFlags rpmQVSources; diff --git a/tests/rpmquery.at b/tests/rpmquery.at index 9a4f1cb76..335d5ee0d 100644 --- a/tests/rpmquery.at 
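Review bot: Nothing in the rpmcli.h hunk records why RPMQV_PATH_ALL now sits after RPMQV_WHATCONFLICTS, so a later enumerator can again be inserted mid-list and renumber the existing rpmQVSources_e values. A comment above the new enumerator, e.g. `/* ABI: append new sources at the end, never insert in the middle */`, would make the constraint visible to the next backport. The enum's opening lines are outside this hunk.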
@@ -190,5 +193,5 @@ index 9a4f1cb76..335d5ee0d 100644 AT_SETUP([integer array query]) AT_KEYWORDS([query]) -- -2.34.1 +2.35.1 diff --git a/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch b/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch new file mode 100644 index 0000000..343bd02 --- /dev/null +++ b/rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch 
@@ -0,0 +1,167 @@ +From 534fd1f0c84b12ba6080a46e07c57ef913c77cba Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Thu, 25 Aug 2022 15:38:01 +0200 +Subject: [PATCH] fapolicyd: Make write() nonblocking + +- switch to read only and non blocking mode for pipe +- add 1 minute loop to wait for pipe to reappear + +Sometimes during the system update/upgrade fapolicyd +get restarted e.g. when systemd gets updated. +That can lead to the situation where fapolicyd pipe +has been removed and created again. +In such cases rpm-plugin-fapolicyd gets stuck on +write() to the pipe which does not exist anymore. +After switching to non blocking file descriptor +we can try to reopen the pipe if there is an error +from write(). Assuming that a new pipe should appear +when fapolicyd daemon starts again. +If not then after 1 minute of waiting we expect +fapolicyd daemon to be not active and we let the +transaction continue. + +Signed-off-by: Radovan Sroka +--- + plugins/fapolicyd.c | 74 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 65 insertions(+), 9 deletions(-) + +diff --git a/plugins/fapolicyd.c b/plugins/fapolicyd.c +index 1ff50c30f..6c6322941 100644 +--- a/plugins/fapolicyd.c ++++ b/plugins/fapolicyd.c +@@ -27,7 +27,7 @@ static rpmRC open_fifo(struct fapolicyd_data* state) + int fd = -1; + struct stat s; + +- fd = open(state->fifo_path, O_RDWR); ++ fd = open(state->fifo_path, O_WRONLY|O_NONBLOCK); + if (fd == -1) { + rpmlog(RPMLOG_DEBUG, "Open: %s -> %s\n", state->fifo_path, strerror(errno)); + goto bad; +@@ -55,15 +55,26 @@ static rpmRC open_fifo(struct fapolicyd_data* state) + } + + state->fd = fd; ++ + /* considering success */ + return RPMRC_OK; + + bad: + if (fd >= 0) + close(fd); ++ ++ state->fd = -1; + return RPMRC_FAIL; + } + ++static void close_fifo(struct fapolicyd_data* state) ++{ ++ if (state->fd > 0) ++ (void) close(state->fd); ++ ++ state->fd = -1; ++} ++ + static rpmRC write_fifo(struct fapolicyd_data* state, const char * str) + { + ssize_t len = 
strlen(str); +@@ -86,6 +97,54 @@ static rpmRC write_fifo(struct fapolicyd_data* state, const char * str) + return RPMRC_FAIL; + } + ++static void try_to_write_to_fifo(struct fapolicyd_data* state, const char * str) ++{ ++ int reload = 0; ++ int printed = 0; ++ ++ /* 1min/60s */ ++ const int timeout = 60; ++ ++ /* wait up to X seconds */ ++ for (int i = 0; i < timeout; i++) { ++ ++ if (reload) { ++ if (!printed) { ++ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: waiting for the service connection to resume, it can take up to %d seconds\n", timeout); ++ printed = 1; ++ } ++ ++ (void) close_fifo(state); ++ (void) open_fifo(state); ++ } ++ ++ if (state->fd >= 0) { ++ if (write_fifo(state, str) == RPMRC_OK) { ++ ++ /* write was successful after few reopens */ ++ if (reload) ++ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has resumed\n"); ++ ++ break; ++ } ++ } ++ ++ /* failed write or reopen */ ++ reload = 1; ++ sleep(1); ++ ++ /* the last iteration */ ++ /* consider failure */ ++ if (i == timeout-1) { ++ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: the service connection has not resumed\n"); ++ rpmlog(RPMLOG_WARNING, "rpm-plugin-fapolicyd: continuing without the service\n"); ++ } ++ ++ } ++ ++} ++ ++ + static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts) + { + if (rpmtsFlags(ts) & (RPMTRANS_FLAG_TEST|RPMTRANS_FLAG_BUILD_PROBS)) +@@ -102,10 +161,7 @@ static rpmRC fapolicyd_init(rpmPlugin plugin, rpmts ts) + + static void fapolicyd_cleanup(rpmPlugin plugin) + { +- if (fapolicyd_state.fd > 0) +- (void) close(fapolicyd_state.fd); +- +- fapolicyd_state.fd = -1; ++ (void) close_fifo(&fapolicyd_state); + } + + static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res) +@@ -116,9 +172,9 @@ static rpmRC fapolicyd_tsm_post(rpmPlugin plugin, rpmts ts, int res) + /* we are ready */ + if (fapolicyd_state.fd > 0) { + /* send a signal that transaction is over */ +- (void) write_fifo(&fapolicyd_state, "1\n"); ++ (void) 
try_to_write_to_fifo(&fapolicyd_state, "1\n"); + /* flush cache */ +- (void) write_fifo(&fapolicyd_state, "2\n"); ++ (void) try_to_write_to_fifo(&fapolicyd_state, "2\n"); + } + + end: +@@ -133,7 +189,7 @@ static rpmRC fapolicyd_scriptlet_pre(rpmPlugin plugin, const char *s_name, + + if (fapolicyd_state.changed_files > 0) { + /* send signal to flush cache */ +- (void) write_fifo(&fapolicyd_state, "2\n"); ++ (void) try_to_write_to_fifo(&fapolicyd_state, "2\n"); + + /* optimize flushing */ + /* flush only when there was an actual change */ +@@ -176,7 +232,7 @@ static rpmRC fapolicyd_fsm_file_prepare(rpmPlugin plugin, rpmfi fi, + char * sha = rpmfiFDigestHex(fi, NULL); + + snprintf(buffer, 4096, "%s %lu %64s\n", dest, size, sha); +- (void) write_fifo(&fapolicyd_state, buffer); ++ (void) try_to_write_to_fifo(&fapolicyd_state, buffer); + + free(sha); + +-- +2.37.3 + diff --git a/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch b/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch new file mode 100644 index 0000000..c6f30a7 --- /dev/null +++ b/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch @@ -0,0 +1,20 @@ +--- rpm.orig/macros.in 2022-06-30 11:37:18.975312592 +0100 ++++ rpm-4.16.1.3/macros.in 2022-06-30 11:37:43.145158323 +0100 +@@ -167,6 +167,9 @@ + # A spec file can %%define _find_debuginfo_opts to pass options to + # the script. See the script for details. + # ++# Vendor spec files (eg redhat-rpm-config:macros) can %%define ++# _find_debuginfo_vendor_opts to pass options to the script. ++# + %__debug_install_post \ + %{_rpmconfigdir}/find-debuginfo.sh \\\ + %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\ +@@ -179,6 +182,7 @@ + %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\ + %{?_find_debuginfo_dwz_opts} \\\ + %{?_find_debuginfo_opts} \\\ ++ %{?_find_debuginfo_vendor_opts} \\\ + %{?_debugsource_packages:-S debugsourcefiles.list} \\\ + "%{_builddir}/%{?buildsubdir}"\ + %{nil} diff --git a/rpm.spec b/rpm.spec index 30f5d17..83409b5 100644 
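Review bot: close_fifo() in plugins/fapolicyd.c tests `state->fd > 0`, while open_fifo()'s error path and try_to_write_to_fifo() both treat `fd >= 0` as a valid descriptor, so a descriptor numbered 0 would be written to but never closed; use `if (state->fd >= 0)` in close_fifo() (the unchanged guard in fapolicyd_tsm_post has the same `> 0`). In try_to_write_to_fifo() every write_fifo() failure is handled as a lost connection, yet with `O_NONBLOCK` a full pipe whose reader is still running would presumably fail with EAGAIN and be reported the same way; write_fifo()'s body is outside this hunk, so confirm it separates the two cases. When the loop gives up after `timeout` seconds rpm proceeds while the daemon never receives the remaining records, which deserves a comment at the final-iteration branch such as `/* giving up: fapolicyd will not see this transaction's file records */`.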
--- a/rpm.spec +++ b/rpm.spec @@ -42,7 +42,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 11.2 +%global rel 19.1 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -92,11 +92,14 @@ Patch110: rpm-4.16.1.3-add-path-query-option.patch Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch Patch112: rpm-4.16.1.3-fix-regression-reading-rpm-v3-pkgs.patch Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch +Patch114: rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch +Patch115: rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form Patch907: rpm-4.15.x-ldflags.patch +Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch # Not yet (all) upstream, debugedit DWARF5 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2 @@ -109,6 +112,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch # Downstream-only patches Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch +Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch # fsverity support %if %{with libfsverity} 
@@ -727,6 +731,27 @@ fi %doc doc/librpm/html/* %changelog +* Sat Oct 29 2022 Richard Phibel - 4.16.1.3-19.1 +- Merge upstream changes for Hyperscale + +* Fri Oct 21 2022 Michal Domonkos - 4.16.1.3-19 +- Bump release for rebuild + +* Fri Sep 23 2022 Michal Domonkos - 4.16.1.3-18 +- Make write() nonblocking in fapolicyd plugin (#2111251) + +* Wed Aug 03 2022 Florian Festi - 4.16.1.3-17 +- Make rpm2cpio.sh more robust (#1983015) + +* Thu Jun 30 2022 Nick Clifton - 4.16.1.3-15 +- Pass _find_debuginfo_vendor_opts to the find-debuginfo script. (#2099617) + +* Tue Jun 28 2022 Florian Festi - 4.16.1.3-14 +- Warning for failed key import (#2069877) + +* Tue Apr 05 2022 Michal Domonkos - 4.16.1.3-12 +- Fix minor ABI regression in rpmcli.h (#2037352) + * Tue Mar 29 2022 Manu Bretelle - 4.16.1.3-11.2 - Make `rpm -i` work without `--nodigest` - Remove need of executable stack for reflink plugin