The count can never be larger than header data size, which can never be
larger than 256MB. Most datatypes have further restrictions of course, this
is merely an outer perimeter check to catch impossibly large values that
could otherwise overflow all manner of trivial calculations.
Addresses the point I missed in PR #1493 but with a much tighter limit.
(cherry picked from commit d8fbddfa5051bdc1c71e16cb11f14d9fdc7f5c5e)
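An added example (not rpm's own code) of the kind of outer perimeter check this commit message describes: an untrusted count is bounded by the data size before it enters any arithmetic. The function names and the per-element size parameter are assumptions for illustration; only the 256MB ceiling comes from the message above.

```c
#include <stdint.h>
#include <stdio.h>

/* Ceiling on header data size, as stated in the commit message (256MB). */
#define HDR_DATA_MAX (256u * 1024u * 1024u)

/* What the check guards against: a 32-bit product that silently wraps. */
uint32_t naive_len(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hypothetical validator: returns 0 and stores the byte length in *len
 * when count elements of elem_size bytes fit in data_len, else -1. */
int entry_data_len(uint32_t count, uint32_t elem_size, uint32_t data_len,
                   uint32_t *len)
{
    /* The data area itself is capped. */
    if (data_len > HDR_DATA_MAX)
        return -1;
    /* Each element needs at least one byte, so the count can never
     * exceed the data size. Zero counts are rejected too. */
    if (count == 0 || count > data_len)
        return -1;
    /* Division instead of multiplication: no intermediate overflow. */
    if (elem_size == 0 || elem_size > data_len / count)
        return -1;
    *len = count * elem_size;   /* now bounded by data_len */
    return 0;
}

int main(void)
{
    uint32_t len = 0;
    /* Constructed hostile value: 0x40000001 * 4 wraps to 4 in 32 bits. */
    printf("naive: %u\n", (unsigned)naive_len(0x40000001u, 4));
    printf("checked: %d\n", entry_data_len(0x40000001u, 4, 16, &len));
    return 0;
}
```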
The other backends would want to create the missing index, but as bdb_ro
is read-only it can't do that. As the main purpose of bdb_ro is to support
migrating away from BDB for which only the primary database is needed,
it doesn't make sense to fail it for non-essential data. Let it fail
for secondary indexes - this might affect our ability to query but
that's secondary, literally, and we also do emit a warning here.
Fixes: #1576
(cherry picked from commit 190d8bdf3d61f0684f19bda0be906ae04ac957ae)
open() returns -1 on error, not 0, so this wasn't catching what it
was supposed to. Drop the error message as this case is better handled
in the caller.
(cherry picked from commit 632b7a30fd4ad7499d194ef768c30024d51349c5)
-fno-strict-overflow tells gcc and clang to handle signed integer and
(at least on gcc) pointer arithmetic wraparound using twos-complement
representation like deity intended.
-fno-delete-null-pointer-checks tells gcc not to "optimize" away
programmer added safeguards. Really.
Suggested by Demi Marie Obenour.
Backported from commit 5ee567ebd600c1dec4a9ceb6161d877d891d8594
Lotsa new names, many from translations but otherwise too.
(cherry picked from commit 295c522ade98bd51ae674a35607a38276ed13163)
Look up possible offending tags from the main header first in a separate
loop, this avoids having to re-sort after each headerPut() operation.
(cherry picked from commit f7b97593af5cf818a5c6c5b9bc55bba6d08c9cb0)
Only look for known tags, and ensure correct type and size where known
before copying over. Bump the old arbitrary 16k count limit to 16M limit
though, it's not inconceivable that a package could have that many files.
While at it, ensure none of these tags exist in the main header,
which would confuse us greatly.
This is optimized for backporting ease, upstream can remove redundancies
and further improve checking later.
Reported and initial patches by Demi Marie Obenour.
Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
Fixes: CVE-2021-3421, CVE-2021-20271
Backported from commit d6a86b5e69e46cc283b1e06c92343319beb42e21
Users can pass untrusted data to hdrblobInit() and it must be robust
against this.
(cherry picked from commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef)
There's no way to safely validate an object to which only a void
pointer is given. Use headerImport() and pass a size to make
verification possible, headerCopyLoad() has been long deprecated anyway.
(cherry picked from commit 07858c0d60cb3d19f977aed14842fd7fbf66528f)
Found by fuzzing rpmReadPackageFile() with libfuzzer under ASAN.
(cherry picked from commit 9747a6af016a3458d54fe060777c95e3900b5fa4)
Commit fb5888417727edbd8ce1b389b1b6ee9ac899d8e4 introduced a regression
where on database open failure we end up accessing the already freed
handle when trying to report the error.
Backport of commit d601a7b7ae764b31ad74b2dceff1eafb5297147f
With the changed logic, the if-clause can fall through without ever
initializing s. The exit code condition is getting more complicated
now so move it to helper variable, assume failure for a safe default.
Fixes: 165330b7bf0757e30fa8a6de9998a564fb62796f
(cherry picked from commit 34f28c1492240c0a02b0abb13af7f1870197e41d)
The ‘end’ parameter to ‘strtaglen’ might point past the end of an
allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop
without calling ‘memchr’ on it.
(cherry picked from commit 165330b7bf0757e30fa8a6de9998a564fb62796f)
When there is a number after "T" (suggested number of threads or "0" for
getncpus), lzopen_internal() mode parser would skip one byte, and when
it's at the end of the string it would then parse undesired garbage from
the memory, making intermittent compression failures.
Fixes: 7740d1098 ("Add support for multithreaded xz compression")
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
(cherry picked from commit 405fc8998181353bd510864ca251dc233afec276)
Zero counts are invalid, and they cause problems elsewhere. For
instance, strtaglen() will suffer an integer underflow.
(cherry picked from commit 5e40166380a450a36b302914be60fd004624f724)
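An added example (not rpm's strtaglen) covering this commit and the earlier one about the 'end' pointer: a bounded scan over `count` NUL-terminated strings that rejects a zero count and never calls memchr once the cursor has reached `end`. The function name, return convention and sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data area: "ab\0cde\0", 7 bytes. */
const char SAMPLE[7] = { 'a', 'b', 0, 'c', 'd', 'e', 0 };

/* Hypothetical helper: total length, terminators included, of `count`
 * consecutive NUL-terminated strings stored in [start, end).
 * Returns -1 if the region does not hold that many complete strings. */
long bounded_strings_len(const char *start, const char *end,
                         unsigned int count)
{
    const char *s = start;

    /* Zero counts are invalid; a loop written around "count - 1" on an
     * unsigned counter would wrap around instead of stopping. */
    if (count == 0 || start == NULL || end == NULL || start > end)
        return -1;

    while (count > 0) {
        /* `end` may sit one past the allocation: once s reaches it,
         * stop before handing the pointer to memchr. */
        if (s >= end)
            return -1;
        const char *nul = memchr(s, '\0', (size_t)(end - s));
        if (nul == NULL)
            return -1;      /* last string is not terminated in range */
        s = nul + 1;        /* step past the terminator */
        count--;
    }
    return (long)(s - start);
}

int main(void)
{
    printf("2 strings: %ld\n", bounded_strings_len(SAMPLE, SAMPLE + 7, 2));
    printf("3 strings: %ld\n", bounded_strings_len(SAMPLE, SAMPLE + 7, 3));
    printf("0 strings: %ld\n", bounded_strings_len(SAMPLE, SAMPLE + 7, 0));
    return 0;
}
```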
This is already checked for other header entries.
(cherry picked from commit f29c43728c492b1dbfe50136d33bf12f3704d8a0)
Test that the shared objects created during compilation match the
expectations of the person bumping the libtool version, which is oh
so easy to get wrong. This of course needs to be skipped for static builds.
(cherry picked from commit 1c6d2f9352537fe391237e292566224ca7d22515)
4.16.1.1 managed to bump the wrong part of libtool version, of all
things...
Yep, I need a vacation.
Sigh.
Only call free on the success path, getaddrinfo() is like most functions of
this type and only allocates on success, and so on failure we'd
end up freeing an uninitialized pointer.
Reported by Scott Andrews on rpm-list.
(cherry picked from commit 5ce2b5e3121aa07eb1ccf2bc24443c1536bf94d5)
There is no harm in allowing read access in this case. We still
error out in the database rebuild case, just to be on the safe
side. We now have the following logic:
_db_backend unset:
  * error out for rebuilddb or read-write access
  * use detected backend and print a debug message
_db_backend unknown:
  * error out for rebuilddb or read-write access
  * use detected backend and print a warning message
_db_backend set:
  * use detected backend and print a warning message if it
    does not match the configured backend
(cherry picked from commit 0644e4e79c841b03d606fc8bb035ec311f4bfb17)
Commit acf5e00281d73a2f8034091241c7b0e2ba00e383 cut a couple of corners
too many, causing the temporary file name used to extract the spec from
the tarball to end up in the src.rpm too.
Revert back to creating %_specdir for tar builds, it might not be
optimal but it's not exactly harmful either (%_sourcedir is different).
The "truly correct" solutions get increasingly complicated for such
a silly thing as this is. In addition to creating the %_specdir, we
also need to rename the file to its proper name, simplify that code
a bit while at it and add a test-case.
Fixes: #1386
(cherry picked from commit dfffedb5ebe46e039c0313b3d2fb939dfc63efd6)
Fix up for commit 6a780f1.
(cherry picked from commit 89c6a9d607e2c2ea3f2ece5376f493525665eb28)
Dockerhub has added download rate limiting (and who could blame them).
But our CI getting blocked because of other projects being busy
downloading from Docker isn't so nice, hopefully Fedora's own registry
lets us work around this.
(cherry picked from commit 05fada7c9a1ef22bd310a9be4c6c06a4d2dd581d)
When we do lazy rpmdb open in rpmtsInitIterator(), we also do a lazy
keyring open. Except that since the keyring typically lives in the rpmdb,
we PROBABLY should try to open the database first. One of those "WTF I've
been smoking" moments, lol.
Prevents an ugly if mostly harmless double error anytime we can't open
the database for one reason or another.
(cherry picked from commit 3cb955b77f07c70ba01d765aa6377908847608f5)
If an index open fails there's no point trying to go on, things are
not going to work and at least BDB will segfault in some cases...
(cherry picked from commit fd054a40b2ba005571455d749de0423975e77651)
pkgParsePkts() only parses the PGP armor, the actual pubkey is only
parsed as a part of rpmPubkeyNew() whose return we need to check for
separately. Emit different messages in these cases.
Thanks to @KOLANICH for pointing this out and initial patch.
(cherry picked from commit ee5dd3ccb9fe084251f4c0195907a04a4bdc77e7)
No need to call edit_dwarf2() if debugedit is invoked just to extract
build-id (with `-i -n'). Otherwise, we will get `DWARF version 0
unhandled' warning for compressed .debug files:
/usr/lib/rpm/debugedit: ./usr/lib/debug/...e.ko.debug: DWARF version 0 unhandled
Context: We have kernel modules elfcompressed in ALT.
(cherry picked from commit e526a0af17455c8233a793998daa787f58f35500)
We only actually used gethostbyname() for canonicalizing buildhost,
convert that to use getaddrinfo() instead, which actually has an
option for retrieving exactly what we want.
The other "use" was to initialize name services, but as we don't need
or use hostnames for any operation, we can just as well drop it. User
and group names are what we care about.
(cherry picked from commit c223d84fbf1ebb7a862f297e65878a2a78653e8e)
Use AC_COMPILE_IFELSE as AC_RUN_IFELSE raises a build failure when
cross-compiling
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 13585fbbe83eb177b13d86c2d6f11ff41a68d07e)
Curiously, sqlite allocates resources that need freeing even in case
of failure to open. Quoting from https://www.sqlite.org/c3ref/open.html:
> Whether or not an error occurs when it is opened, resources associated
> with the database connection handle should be released by passing it to
> sqlite3_close() when it is no longer required.
I disagree, but as it's documented behavior there's no point filing a
bug. So let's close the non-open connection and chug on.
(cherry picked from commit fb5888417727edbd8ce1b389b1b6ee9ac899d8e4)
There's no point or need to do all this fluff on library initialization,
we can just as well do it when we're told to use a chroot by
calling rpmChrootSet(), at which time we're still on familiar ground.
Eliminating unused cruft from initialization can't hurt our start-up
times either.
(cherry picked from commit f9c7b53f50adc129baee809692d4c80b3bd15432)
find-debuginfo is multi-threaded and rpm runs
scripts usually with "-e" to abort on error.
If the debug-splitting tool fails, that job will abort.
But if you have X files that are problematic in the tree,
and you have X or less jobs, find-debuginfo will abort
as no single res.$number has been written.
But if you have more than X jobs, the build will succeed,
which makes the whole process random.
This commit removes this randomness.
(cherry picked from commit a7efb1a88e74cf074ed058ab42d3c761c093879f)
In libselinux >= 3.1 these cause deprecation warnings on build.
security_context_t always was nothing but a typedef to plain old "char *"
so just using that is entirely backwards compatible too.
(cherry picked from commit dd5c0446a3178fa6f4385284badb9d6f6c1342b3)
Fixes compilation on musl, otherwise it fails with undefined references
to various O_* symbols as mentioned here:
https://www.man7.org/linux/man-pages/man0/fcntl.h.0p.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit 6dbb036d2ff4c6f182926e0826c5b7896ea1ccef)
If there was a \ at the end of the buffer, the code would
return a pointer after the trailing \0 leading to unallocated
memory access and weird results in some cases.
See commit 817959609b95afe34ce0f7f6c3dc5d7d0d9a8470.
(cherry picked from commit 6d7fa91949337c7a86bab3359b39558fdae07dce)
When converting - to _ in cli-defined macro names, stop at first '('
as we have no business mucking with the arguments.
(cherry picked from commit b278517d7f016eb9680642a686416772cc9f291c)
This seems to be the intention of the code but it did
not work because macro parsing was resumed at the wrong
point of the input string. Without this commit, "%{}"
expanded to "%" instead of "%{}".
(cherry picked from commit 6de7374bb86d59ad8ca577c1d16776057c3eba73)
(cherry picked from commit b441de003160885b1c0a3106011960706bcfb0d5)
This code eliminates a false positive failure when the destination
position is > 2GiB. This is done by changing the contract for `Fseek`.
Now it returns `0` on success instead of an `int` offset.
Care should be used to interpret the result as there is a difference in
semantics between the POSIX `fseek(2)`. Existing code is correct: negative
results are still failures.
(cherry picked from commit d1dee9c00af418004f578a97e9b794676daf6d37)
Versions are not supported in arithmetic operations.
(cherry picked from commit 85765a79b7434f37486827c189d71cd9169db680)
(cherry picked from commit 0f6ffbb99238b983f456604a02a933912da7af2f)
Our config was spitting all manner of obsoletion warnings
(cherry picked from commit 4212dbdc17876a77adfc710de563168bfeb3aab9)
All this time we've been logging file and transfile triggers with output
identical to that of regular triggers, confusing people for no good reason.
We know which of the three it is when creating so add a matching prefix
to the output at that point. All we need to do is move the '%' from
the scriptlet table to the printf() format string to make room for
the description prefix. Doh.
So now we get output using things with their proper names, such as:
D: running post-transaction scripts
D: %transfiletriggerin(glibc-common-2.31-4.fc32.x86_64): scriptlet start
(cherry picked from commit 79ac95fea56f2d5cc67a9f27dc34a4cae8b4c415)
Fixes compilation on musl, otherwise it fails with undefined references
to various O_* symbols as mentioned here:
https://www.man7.org/linux/man-pages/man0/fcntl.h.0p.html
(cherry picked from commit 9395bdc64459357631111842e7a28304b4d76301)
When %_minimize_writes is enabled, we determine unchanged files during
fingerprinting and only update their metadata (FA_TOUCH) instead of
always recreating from scratch (FA_CREATE) during install. However
package scriptlets (and administrators) can and will do arbitrary stuff
in the meanwhile, such as rm -f their own files in %pre, hoping to
get a fresh copy of contents no matter what. Or something.
Now, if the file was determined to not need changing by rpm, this will
just fail with chown & friends trying to touch a non-existent file.
One can consider this a case of package shooting itself in the foot, but
when a package update fails or succeeds depending on %_minimize_writes this
to me suggests the feature is at fault as much as the package.
Do fsmVerify() on all files to be FA_TOUCH'ed to detect files whose
type changed or were removed since fingerprinting. This still doesn't
ensure correctness if something tampers with the contents in the meanwhile,
(for that we'd need to run the file through the whole machinery again,
checksumming and all) but covers the most glaring cases.
(cherry picked from commit 886c24cfc6c0fec90d8db1406a0e32c0e09e92c9)
On strings that are not \0-terminated (which are a big reason for the
existence of this function), the while-loop would try to compare the
first character beyond the specified buffer for '\0' before realizing
we're already beyond the end when checking n. Should be mostly harmless
in practise as the check for n would still terminate it, but not right.
In particular this trips up address sanitizer with the bdb backend where
some of the returned strings are not \0-terminated.
Test for string length first, and move the decrementing side-effect into
the loop for better readability.
(cherry picked from commit 747b7119ae89a3ccaceeae4f5570c7ab83d2cf5d)
headerCopyTags() expects a 0-terminated array, this was overflowing
(spotted by address-sanitizer)
(cherry picked from commit 213a4064a4b1b5b260a55b3933170599e617494d)