| Commit message | Author | Age | Files | Lines |
| |
It turns out this wasn't a good fit for a maintenance update as it broke
compilation on certain platforms where it previously worked, see #2143
for details.
This reverts commit 42fae2fa5bce5bf1ef5685619fa8d62a746c9dbd.
|
If the repo is already initialized when calling this macro and it's
using a different branch name than "master" (see #2121) or the global
git option init.defaultBranch is set differently (see #2120), the macro
will fail at:
    %{__git} branch --set-upstream-to=master
Instead of being overly clever, just track the original (start-point)
branch by using --track when branching (see git-branch(1) for details).
For brevity, combine this and branch creation into a single checkout
command.
This fixes commit 3a6b1d8fbf846d3f1b139d343fdfddebe99ae42b.
Thanks Panu for the clarification and suggestion in #854!
(cherry picked from commit 1f5ae2a6dd710de4a278087471bf0909ff9f6739)
|
We use an empty string when discarding a value due to short circuiting, but
an empty string is not allowed for versions. So use "0" in that case.
Fixes: #1883
(cherry picked from commit 321933f060896f721e361a1c8a8d3731bdcee827)
|
Recent binutils can do debug section lookups over the internet, but this
is something we never want during rpmbuild (everything else aside, we're
just building the thing so there won't be anything on the net anyhow).
Disable the lookups by setting DEBUGINFOD_URLS to empty rather than
using the specific option as this is compatible with any old version of
readelf.
(cherry picked from commit 3cec59812c8126088a51924c6aeea112ce9b545a)
|
Fixes: #2081
(cherry picked from commit 370c58746c3b8c178808aaa95e1acb009fc4a677)
|
We meddle with TZ environ which then propagates to other values through
mktime() implicitly calling tzset(), but that other data doesn't get
reset by just restoring the TZ variable. Restore initial state by explicitly
calling tzset() after we're done with it.
Fixes: #1821
(cherry picked from commit 1a7de551a74d73f01eb40cb744c1dbba5faeb651)
|
Sqlite WAL threshold of 1000 pages is way too low for rpmdb as a single
header often exceeds that, but disabling the checkpointing entirely can
cause the WAL to grow to multiple gigabytes during large distro update
transactions, which isn't healthy either. Bump the threshold to 10000
pages which caps the WAL size to tens of megabytes, which hopefully
is a reasonable balance between performance on rotational disks (anybody
remember those?) and disk space consumption.
Also drop no longer meaningful link to %_flush_io configuration.
(cherry picked from commit cbfba05d7f0d01e91570e450a549a3e9644f49ed)
|
Fixes: #1473
(cherry picked from commit e36ac91ee20d7c9c32ad7d17f3e4b054f9159c21)
|
One of the situations which commit a7ceb572cfe1066a6dc425a272ed6b99747eaccc
did not cover proved out to be lethal...
(cherry picked from commit 6ee7cec81cc0b757efff14ef77c9c7ac13a91e27)
|
When getting a certificate's creation time, assert that the
certificate's creation time (the Primary Key's creation time field) is
used, not the active binding signature's creation time.
See #2004.
(cherry picked from commit ee2f59cc1770f6eb4493a59710e9ef749725da46)
|
The public key parser needs to set PGPDIG_SAVED_TIME, so that future
iterations in pgpDigParams() do not clobber the key’s creation time.
Fixes #2004.
Backported from commit 2b48aa7c69e530a70fc1a2620375c23b8eef1f4c
|
Some versions of gpg appear to default to using SHA512. This breaks
several tests' assumption that gpg generates a SHA256 hash. Force gpg
to use SHA256 by passing `--digest-algo sha256` to rpmsign.
Fixes #2002.
(cherry picked from commit 4814bc84c5948d52998f6e33869d53ace9a0e753)
|
(cherry picked from commit 16d06d76e36f03e7ed92776d309e20906b9f6875)
|
The stats aren't particularly interesting except for development
and debugging purposes. Rather than change all the debug fprintf()'s
in rpmio to rpmlog(), just change the stats to only get printed
when --rpmiodebug is active like the rest of the io debug code.
Fixes: #1987
(cherry picked from commit 4f34fa9623c4fada7f075fff0088ccb5b75e26d9)
|
Should've been in commit 53b408c18ee9738c3b461c3c43acc40a0fd72f3f
already.
(cherry picked from commit b01005aa4178a3e9db38382b8650fa32412cdb6a)
|
Bury the two remaining callers that somehow avoided the massacre in
commit 6800e0a4df14e03157a463b55cbe6adfa0ce0c3d, add compiler
deprecation warnings.
(cherry picked from commit 6eec1f8a005db6ff9a1cce57afa5dba4253a06b2)
|
Add RPM_GNUC_DEPRECATED markers where we can, unfortunately these APIs
are used to implement each other so adding more would cause unwanted
warnings to build of rpm itself.
(cherry picked from commit 4af06be2a496939f293bfdae6b0ca558ac6d1a33)
|
Since 3.5, grep emits the diagnostic "binary file matches" message
to stderr which causes the result file to be empty and build continuing
despite an obvious error being present.
We're not interested in the match itself, only whether there are files
with matches. Grep has a standard option for this (-l), use it.
Fixes: #1968
(cherry picked from commit 96de5c1f02e69a7ae37bcc8437451dfa35c87ae1)
|
headerGet() returning 0 is an error condition.
(cherry picked from commit 619ef3edc5b7958184954a513b3f5cbe22aee5f2)
|
base2bin() would call memcpy() on NULL for empty fsverity signatures.
This is undefined behavior, even if the length is 0.
(cherry picked from commit 6d3ce1c96833e896f082df81c727687da130f416)
|
This changes the git autosetup handlers so that they do the initial
commit of the expanded tarball on "master", then switch to a branch
"rpm-build" before applying patches. Additionally it sets the
"rpm-build" branch's upstream to "master", so that in the active work
tree where the "rpm-build" is checked out, commands such as
"git rebase -i" automatically have a default behavior that makes sense.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 3a6b1d8fbf846d3f1b139d343fdfddebe99ae42b)
|
Previously, the bignums would be left as dangling and double-freed.
(cherry picked from commit 0a91d1f62d5b6e1cac4d0a7c2ac9f75faad50534)
|
According to `man 3ssl` the only successful return value for
EVP_PKEY_verify_init() is 1, and EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md() can both return 0 or a negative number
on failure or any positive number on success. BN_bn2binpad() returns -1
on error, but 0 (an empty key or signature) is also not valid.
Therefore use != 1 to check the return value of EVP_PKEY_verify_init(),
<= 0 to check the return values of the other three functions mentioned
above. Also delete a bunch of cruft.
(cherry picked from commit 1ddaeddffa52f02db198417ebf73cb6c5d432250)
|
I forgot to wire it up to the test suite in
ad97e2fceaae3a853d9332324156630677384989, and they did not test all of
the cases they were supposed to. This checks that valid old- and
new-format signature packets with correct lengths are accepted, and that
incorrect lengths are rejected.
Backported from commit ba0fe1be9a6093f0a49921f38e2e8826dc825340
|
Commit f311fb65eea4791fa15a00412384b96fdccbbf1c added a step to reset
calculated states between rpmtsRun() calls to allow for %pretrans
hacks, but this causes actions set for --excludepath to get lost.
While those do get recalculated at the time of actual install and
correctly skipped, this causes them to be considered for file
disposition which they should not.
(cherry picked from commit 0bb3fa9025882cd11867ffa0f8ab0bf3e6314d70)
|
Files that are not installed cannot conflict with anything, any more
than skipped files can. The latter we handled, the former not. Strange
what "obvious" cases can go on unnoticed forever, when lacking systematic
tests.
(cherry picked from commit cf2752b05c47a9461ffcaea04bdb774905286ba6)
|
Replace the two very basic file erase tests from "rpmdb" group with a more
elaborate set of tests in their own file. Some embarrassing failures
here, eg "shared" colored files getting left behind on erase. Oops.
(cherry picked from commit a7ceb572cfe1066a6dc425a272ed6b99747eaccc)
|
- Some versions of gpg appear to default to using SHA512. This
breaks test 273's assumption that gpg generates a SHA256 hash.
Configure gpg to use SHA256.
- Fixes #1969.
(cherry picked from commit 67608fa46a3edad27944c4f99a71f6c881635216)
|
According to RFC 4880 §5.2.3.4 the signature creation time MUST be a
hashed subpacket. Enforce this requirement in RPM. Also set the saved
flags to PGPDIG_SAVED_TIME | PGPDIG_SAVED_ID |
PGPDIG_SAVED_CREATION_TIME for v3 signatures, and do not overwrite an
already saved key ID with one taken from a v3 signature.
(cherry picked from commit 7e7266c9af883ce49b3516a5bd099d218e8e3fac)
|
Found by leak sanitizer on a fuzzed test case.
(cherry picked from commit 10ac962bf2f71af927c8eaaea427135441663497)
|
(cherry picked from commit d747bf045ea20b0cb5813a83c13bdfb4ca424699)
|
Commit cb6aa82dbc10d554f8d234e934ae7c77e39a3ce2 unblocked all signals
from scriptlets, but turns out this is too much: SIGINT, SIGTSTP and
SIGQUIT sent from the terminal are passed to the process group, and
with unblocked signals end up killing our scriptlets while rpm itself
continues. -ENOSENSE.
Stopping (and continuing) is okay though so we don't block that.
(cherry picked from commit 25c4c61a9599590ce4d610621ff0bffde7ae5e82)
|
If an RPM contains IMA signed digests and rpm-plugin-ima is installed,
then any attempt to install to a filesystem that doesn't support
extended attributes will cause the RPM installation to fail.
This can be seen, for example, if installing a file /boot, which is
usually a vFAT filesystem.
The rpm-plugin for selinux fixed this some time back, and that same
logic can be applied to IMA too - where, if a failure to set an extended
attribute results in an errno that is set to EOPNOTSUPP, then this
should not cause a complete failure, but should instead just be logged
at a debug level.
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Backported from commit 7db2efa95d859cebda2b095ffdffac42812bd6d9
|
This fixes how RPM handles packages that contain a header signature, but
neither header+payload signature nor payload digests. Such packages are
obviously not properly signed, but RPM previously accepted them.
This could be used to confuse both ‘rpmkeys -K’ and old versions of DNF.
Both would report that the package has been properly signed even when it
has not. The included regression tests demonstrate the change in
behavior.
(cherry picked from commit 0e9f6fdc63f09ebd00516e6f2f46a7297b743bcd)
|
If the i18ntable was smaller than the i18nstring entry an out of bounds
read could result. This should not happen in a valid package, but even
if RPM rejected such packages during load, this situation could still
result as a result of usage of the RPM API.
(cherry picked from commit db8fc1057e38839adc04e263fe255ce86cab9fa7)
|
|
At least ECDSA and RSA signatures can vary in length, but the IMA code
assumes constant lengths and thus may either place invalid signatures on
disk from either truncating or overshooting, and segfault if the stars are
just so.
As we can't assume static lengths and attempts to use maximum length
have proven problematic for other reasons, use a data structure that
can actually handle variable length data properly: store offsets into
the decoded binary blob and use them to calculate lengths when needed,
empty data is simply consecutive identical offsets. This avoids a whole
class of silly overflow issues with multiplying, makes zero-length data
actually presentable in the data structure and saves memory too.
Add tests to show behavior with variable length signatures and missing
signatures.
Additionally update the signing code to store the largest IMA signature
length rather than what happened to be last to be on the safe side.
We can't rely on this value due to invalid packages being out there,
but then we need to calculate the lengths on rpmfiles populate so there's
not a lot to gain anyhow.
Fixes: #1833
(cherry picked from commit 07f1d3132f0c7b7ecb69a47a9930edb534a9250e)
|
(cherry picked from commit 1b938be57c9e47d434c177d46d4f9361fe873c12)
|
This section uses the `_with_*` macro, which is dangerous when used in
combination with `%bcond` or `%bcond_without` because it doesn't honor
the "default".
The section above already explains what users should do -- some variation of:
    %{?with_gnutls:--with static} \
    %{!?with_openssl:--without openssl}
... which is more verbose, but works with `%bcond` & `%bcond_without`.
(cherry picked from commit 1c2970dda2c828b07fcaec494b9f5abe01ed8cb0)
|
Move documentation from comments to reference manual
Fixes: https://github.com/rpm-software-management/rpm/issues/941
(cherry picked from commit a99b6373af0774f4bef62aa89defc84cfcacc078)
|
Also fix a memory leak in an error path.
(cherry picked from commit 1f03aba8b2881a5717af97065038fb056e02a2b3)
|
Commit b3d672a5523dfec033160e5cc866432a0e808649 got the base reasoning
in the ballpark but the code all wrong, introducing a severe performance
regression without actually fixing what it claimed to.
The missing ingredient is actually comparing the current prefix with the
triggers in matched package (trying to describe this makes my head
spin): a package may have multiple triggers on multiple prefixes and
we need to make sure we only execute triggers of this type, from this
prefix.
This stuff really needs more and better testcases.
Fixes: b3d672a5523dfec033160e5cc866432a0e808649
(cherry picked from commit 0988ccb53abf426587d228df5c60c4042da71999)
|
The rpmdb cookie is not a security feature, but as these existing
hashes are more convenient than coming up with our own... we then
run into the great big wall of FIPS which in its current incarnation
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
Just bumping the algorithm to SHA256 seems the path of lowest
resistance, whether that algo makes sense for this purpose or not.
(cherry picked from commit a26f6655546158153807017e7ded2aff5e4e10e4)
|
* Explicitly state that \0 is not supported in queryformat strings.
Signed-off-by: Thomas Moschny <thomas.moschny@gmx.de>
Co-authored-by: Florian Festi <ffesti@redhat.com>
(cherry picked from commit e53b7e20085297e4877e8936953cb1869452ab25)
|
If writing to stdout or stderr fails, rpmkeys should exit with a
non-zero status code.
(cherry picked from commit fc8386be36a32f8462a0d16a2dd3e5e18f7fbc2d)
|
If a package contains a symlink in the buildroot which is declared as a
ghost or config file but is a regular file or directory on the system
where it's installed, a --setperms call will reset its permissions to
those of a symlink (777 on Linux), which almost certainly is not the
correct thing to do.
To fix that, just skip files that were recorded as symlinks.
This is a special case of a general issue in --setperms; since file
permission semantics may change depending on the file type, to stay on
the safe side, any (ghost or config) file whose type changes after
installation should probably be skipped. However, symlinks are the most
prominent case here, so let's just focus on that now and avoid adding
too much cleverness to a popt alias (this got us into trouble not too
long ago, see commits 38c2f6e and 0d83637). We may revisit this in the
eventual C implementation.
(cherry picked from commit ed07a187734addfa16be9ee922398e4ff9859f53)
|
The descriptor is opened in rpmpkgOpen, and we treat 0 as valid file descriptor.
Here we should do the same or fail earlier.
(cherry picked from commit be64821b908fdb1ff3c12530430d1cf046839e60)
|
Make the regular expressions more precise (anchor them to
the end of the input string), and try to catch any future
unrecognized target triplets by checking for a "-gnu" part
left over after the known variants were supposedly stripped.
(cherry picked from commit 1cdb72ae48b7ba689c5c79118f4f0c1b4ffe6b7c)
|
There were two problems here: first, the -gnueabihf and -gnuabi64
suffixes were not recognized at all, and second, -gnueabihf was
misdetected as -gnueabi since the regular expression is not precise
enough (no "$" at the end), leading to an inconsistent situation of
host_os_gnu being set (incorrectly) and the suffix *not* removed from
host_os.
(cherry picked from commit e6277e4ab016d71d4017568eb996c91fc63bcde9)
|