From 4a8173e79ba683670b7c1dd1937d8dc69b2437cd Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Dec 04 2009 09:32:33 +0000 Subject: - missing error exit code from signing password checking (#496754) - dont fail build on unrecognized data files (#532489) - dont try to parse subkeys and secret keys (#436812) - fix chmod test on selinux, breaking %%{_fixperms} macro (#543035) --- diff --git a/rpm-4.7.2-chmod-selinux.patch b/rpm-4.7.2-chmod-selinux.patch new file mode 100644 index 0000000..dd5a691 --- /dev/null +++ b/rpm-4.7.2-chmod-selinux.patch @@ -0,0 +1,24 @@ +diff -up rpm-4.7.2/configure.ac.chmod-test rpm-4.7.2/configure.ac +--- rpm-4.7.2/configure.ac.chmod-test 2009-11-25 09:19:30.000000000 +0200 ++++ rpm-4.7.2/configure.ac 2009-12-04 11:23:39.000000000 +0200 +@@ -61,7 +61,7 @@ AC_MSG_CHECKING(POSIX chmod) + touch foo.chmodtest + chmod 744 foo.chmodtest + chmod +X foo.chmodtest 2>/dev/null +-a=`ls -l foo.chmodtest | awk '{print $1}'` ++a=`ls -l foo.chmodtest | awk '{print substr($1,1,10)}'` + rm -f foo.chmodtest + if test "$a" = "-rwxr-xr-x"; then + AC_MSG_RESULT(yes) +diff -up rpm-4.7.2/configure.chmod-test rpm-4.7.2/configure +--- rpm-4.7.2/configure.chmod-test 2009-12-04 11:24:06.000000000 +0200 ++++ rpm-4.7.2/configure 2009-12-04 11:24:51.000000000 +0200 +@@ -17626,7 +17626,7 @@ $as_echo_n "checking POSIX chmod... " >& + touch foo.chmodtest + chmod 744 foo.chmodtest + chmod +X foo.chmodtest 2>/dev/null +-a=`ls -l foo.chmodtest | awk '{print $1}'` ++a=`ls -l foo.chmodtest | awk '{print substr($1,1,10)}'` + rm -f foo.chmodtest + if test "$a" = "-rwxr-xr-x"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 diff --git a/rpm-4.7.2-pgp-subkey.patch b/rpm-4.7.2-pgp-subkey.patch new file mode 100644 index 0000000..568383c --- /dev/null +++ b/rpm-4.7.2-pgp-subkey.patch @@ -0,0 +1,37 @@ +commit 6eeb0bb06466d9eb75eb55efd514d3ecfe089042 +Author: Panu Matilainen +Date: Wed Nov 25 15:07:17 2009 +0200 + + We can't handle OpenPGP subkeys or secret keys, so dont even try + - parsing subkeys ends up overwriting data in the main key, causing + bogus signature checking failures + - this is the final missing piece of RhBug:436812, short of adding + proper support for subkeys (maybe someday...) + (cherry picked from commit 98213fc4192c7af07037a0f3e9cce9e3b8509c02) + +diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c +index d7bbb5e..f76fc2b 100644 +--- a/rpmio/rpmpgp.c ++++ b/rpmio/rpmpgp.c +@@ -1190,11 +1190,6 @@ static int pgpPrtPkt(const uint8_t *pkt, size_t pleft, + else + memset(_digp->signid, 0, sizeof(_digp->signid)); + } +- case PGPTAG_PUBLIC_SUBKEY: +- rc = pgpPrtKey(tag, h, hlen, _dig, _digp); +- break; +- case PGPTAG_SECRET_KEY: +- case PGPTAG_SECRET_SUBKEY: + rc = pgpPrtKey(tag, h, hlen, _dig, _digp); + break; + case PGPTAG_USER_ID: +@@ -1205,6 +1200,9 @@ static int pgpPrtPkt(const uint8_t *pkt, size_t pleft, + rc = pgpPrtComment(tag, h, hlen); + break; + ++ case PGPTAG_PUBLIC_SUBKEY: ++ case PGPTAG_SECRET_KEY: ++ case PGPTAG_SECRET_SUBKEY: + case PGPTAG_RESERVED: + case PGPTAG_PUBLIC_SESSION_KEY: + case PGPTAG_SYMMETRIC_SESSION_KEY: diff --git a/rpm-4.7.2-rpmfc-unknown.patch b/rpm-4.7.2-rpmfc-unknown.patch new file mode 100644 index 0000000..418b16b --- /dev/null +++ b/rpm-4.7.2-rpmfc-unknown.patch @@ -0,0 +1,43 @@ +commit fa9fcc89146f08bce3b51d96d0ec9d4175db6978 +Author: Panu Matilainen +Date: Thu Nov 26 10:22:41 2009 +0200 + + Dont fail build on unrecognized non-executable files (ticket #105) + - Generally only executable files are critical for dependency extraction, + whereas oddball application data files can cause unnecessary build + failure due to libmagic misdetections etc, so just let non-executables + pass with a warning and mark them as unknown data + (cherry picked from commit cfcd1f9bd98d5d0fc46a84931984efec3b9d47e2) + +diff --git a/build/rpmfc.c b/build/rpmfc.c +index bcb5383..e4ba6b2 100644 +--- a/build/rpmfc.c ++++ b/build/rpmfc.c +@@ -1245,6 +1245,7 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode) + for (fc->ix = 0; fc->ix < fc->nfiles; fc->ix++) { + const char * ftype; + rpm_mode_t mode = (fmode ? fmode[fc->ix] : 0); ++ int is_executable = (mode & (S_IXUSR|S_IXGRP|S_IXOTH)); + + s = argv[fc->ix]; + slen = strlen(s); +@@ -1277,11 +1278,16 @@ rpmRC rpmfcClassify(rpmfc fc, ARGV_t argv, rpm_mode_t * fmode) + ftype = magic_file(ms, s); + + if (ftype == NULL) { +- rpmlog(RPMLOG_ERR, ++ rpmlog(is_executable ? RPMLOG_ERR : RPMLOG_WARNING, + _("Recognition of file \"%s\" failed: mode %06o %s\n"), + s, mode, magic_error(ms)); +- magic_close(ms); +- return RPMRC_FAIL; ++ /* only executable files are critical to dep extraction */ ++ if (is_executable) { ++ magic_close(ms); ++ return RPMRC_FAIL; ++ } ++ /* unrecognized non-executables get treated as "data" */ ++ ftype = "data"; + } + } + diff --git a/rpm-4.7.2-sign-passcheck.patch b/rpm-4.7.2-sign-passcheck.patch new file mode 100644 index 0000000..8369cef --- /dev/null +++ b/rpm-4.7.2-sign-passcheck.patch @@ -0,0 +1,34 @@ +commit 31c5e0f9b7b09661611b50d84d26ba47ce97fffe +Author: Panu Matilainen +Date: Wed Nov 25 16:42:43 2009 +0200 + + Fix signature password checking result on abnormal conditions (RhBug:496754) + - Execve() failure wasn't returning an error code, causing rpm to + think the password was ok when we couldn't even try verifying + - Stricter return code checking from the password checking child: + the password can only be ok if the child exits with WIFEXITED() *and* + WIFEXITCODE() of 0. Also WIFEXITCODE() should only be called if + WIFEXITED() returns true. + (cherry picked from commit 2b41860984f0c4ebba5ebce93a18c9c0ca5e1065) + +diff --git a/lib/signature.c b/lib/signature.c +index a501f3e..a2eaf9b 100644 +--- a/lib/signature.c ++++ b/lib/signature.c +@@ -883,6 +883,7 @@ static int checkPassPhrase(const char * passPhrase, const rpmSigTag sigTag) + + rpmlog(RPMLOG_ERR, _("Could not exec %s: %s\n"), "gpg", + strerror(errno)); ++ _exit(EXIT_FAILURE); + } break; + case RPMSIGTAG_RSA: + case RPMSIGTAG_PGP5: /* XXX legacy */ +@@ -932,7 +933,7 @@ static int checkPassPhrase(const char * passPhrase, const rpmSigTag sigTag) + + (void) waitpid(pid, &status, 0); + +- return ((!WIFEXITED(status) || WEXITSTATUS(status)) ? 1 : 0); ++ return ((WIFEXITED(status) && WEXITSTATUS(status) == 0)) ? 0 : 1; + } + + char * rpmGetPassPhrase(const char * prompt, const rpmSigTag sigTag) diff --git a/rpm.spec b/rpm.spec index 4be7415..fcd4467 100644 --- a/rpm.spec +++ b/rpm.spec @@ -21,7 +21,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: 1%{?dist} +Release: 2%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/rpm-4.7.x/%{name}-%{srcver}.tar.bz2 @@ -42,6 +42,10 @@ Patch3: rpm-4.6.0-fedora-specspo.patch Patch200: rpm-4.7.1-bugurl.patch Patch201: rpm-4.7.0-extra-provides.patch Patch202: rpm-4.7.1-python-bytecompile.patch +Patch203: rpm-4.7.2-sign-passcheck.patch +Patch204: rpm-4.7.2-rpmfc-unknown.patch +Patch205: rpm-4.7.2-pgp-subkey.patch +Patch206: rpm-4.7.2-chmod-selinux.patch # These are not yet upstream Patch301: rpm-4.6.0-niagara.patch @@ -197,6 +201,10 @@ packages on a system. %patch200 -p1 -b .bugurl %patch201 -p1 -b .extra-prov %patch202 -p1 -b .python-bytecompile +%patch203 -p1 -b .sign-passcheck +%patch204 -p1 -b .rpmfc-unknown +%patch205 -p1 -b .pgp-subkey +%patch206 -p1 -b .chmod-test %patch301 -p1 -b .niagara %patch302 -p1 -b .geode @@ -411,6 +419,12 @@ exit 0 %doc doc/librpm/html/* %changelog +* Fri Dec 04 2009 Panu Matilainen - 4.7.2-2 +- missing error exit code from signing password checking (#496754) +- dont fail build on unrecognized data files (#532489) +- dont try to parse subkeys and secret keys (#436812) +- fix chmod test on selinux, breaking %%{_fixperms} macro (#543035) + * Wed Nov 25 2009 Panu Matilainen - 4.7.2-1 - update to 4.7.2 (http://rpm.org/wiki/Releases/4.7.2) - fixes #464750, #529214