Hello community, here is the log from the commit of package rpm for openSUSE:Factory checked in at 2018-06-26 10:29:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpm (Old) and /work/SRC/openSUSE:Factory/.rpm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpm" Tue Jun 26 10:29:04 2018 rev:263 rq:617098 version:4.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rpm/rpm.changes 2018-05-10 15:44:31.715975923 +0200 +++ /work/SRC/openSUSE:Factory/.rpm.new/rpm.changes 2018-06-26 10:29:16.296764706 +0200 @@ -1,0 +2,24 @@ +Fri Jun 15 12:46:10 UTC 2018 - msucha...@suse.com + +- Add kernel export provides on openSUSE (boo#1095148). + +------------------------------------------------------------------- +Fri Jun 15 13:25:18 CEST 2018 - m...@suse.de + +- really fix symlink attacks on rpm install [bnc#943457] + [CVE-2017-7500] + new patch: safesymlinks.diff +- backport removal of user/group duplicate detection in verify + new patch: verifynodup.diff + +------------------------------------------------------------------- +Mon Jun 11 11:43:36 CEST 2018 - m...@suse.de + +- Define sle_version in leap [bnc#1094735] + +------------------------------------------------------------------- +Wed May 30 10:48:49 UTC 2018 - msucha...@suse.com + +- openSUSE releases also preserve kabi (boo#1095148). + +------------------------------------------------------------------- New: ---- safesymlinks.diff verifynodup.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpm.spec ++++++ --- /var/tmp/diff_new_pack.nv99XU/_old 2018-06-26 10:29:19.284654964 +0200 +++ /var/tmp/diff_new_pack.nv99XU/_new 2018-06-26 10:29:19.288654817 +0200 @@ -132,6 +132,8 @@ Patch112: hardlinks.diff Patch113: debugedit-riscv.patch Patch114: source_date_epoch_buildtime.diff +Patch115: safesymlinks.diff +Patch116: verifynodup.diff Patch6464: auto-config-update-aarch64-ppc64le.diff Patch6465: auto-config-update-riscv64.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -229,7 +231,7 @@ %patch -P 85 %patch -P 93 -P 94 -P 99 %patch -P 100 -P 102 -P 103 -P 108 -%patch -P 109 -P 111 -P 112 -P 113 -P 114 +%patch -P 109 -P 111 -P 112 -P 113 -P 114 -P 115 -P 116 %ifarch aarch64 ppc64le riscv64 %patch6464 @@ -252,6 +254,12 @@ -e 's/@is_opensuse@/%{?is_opensuse}%{!?is_opensuse:0}/' \ -e '/@leap_version@%{?leap_version:nomatch}/d' \ -e 's/@leap_version@/%{?leap_version}%{!?leap_version:0}/' \ +%if 0%{?is_opensuse} + -e '/@sle_version@%{?sle_version:nomatch}/d' \ + -e 's/@sle_version@/%{?sle_version}%{!?sle_version:0}/' \ +%else + -e '/@sle_version@/d' \ +%endif < %{SOURCE4} > suse_macros rm -f m4/libtool.m4 rm -f m4/lt*.m4 ++++++ fileattrs.diff ++++++ --- /var/tmp/diff_new_pack.nv99XU/_old 2018-06-26 10:29:19.400650704 +0200 +++ /var/tmp/diff_new_pack.nv99XU/_new 2018-06-26 10:29:19.400650704 +0200 @@ -32,13 +32,13 @@ --- ./fileattrs/kernel.attr.orig 2017-12-01 15:46:28.172720497 +0000 +++ ./fileattrs/kernel.attr 2017-12-01 15:46:28.172720497 +0000 @@ -0,0 +1,2 @@ -+%__kernel_provides %{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse} ++%__kernel_provides %{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} +%__kernel_path ^(/lib/modules/[^/]*/kernel/.*\.ko(\.gz)?|/boot/vmlinu[xz].*)$ --- ./fileattrs/kmp.attr.orig 2017-12-01 15:46:28.172720497 +0000 +++ ./fileattrs/kmp.attr 2017-12-01 15:46:28.172720497 +0000 
@@ -0,0 +1,4 @@ -+%__kmp_provides %{_rpmconfigdir}/find-provides.ksyms --opensuse 0%{?is_opensuse} -+%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --opensuse 0%{?is_opensuse} ++%__kmp_provides %{_rpmconfigdir}/find-provides.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} ++%__kmp_requires %{_rpmconfigdir}/find-requires.ksyms --tumbleweed %{?sle_version:0}%{!?sle_version:1} +%__kmp_supplements %{_rpmconfigdir}/find-supplements.ksyms +%__kmp_path ^/lib/modules/[^/]*/(updates|extra)/.*\.ko(\.gz)? --- ./fileattrs/perl.attr.orig 2017-08-10 08:08:07.113108701 +0000 ++++++ findksyms.diff ++++++ --- /var/tmp/diff_new_pack.nv99XU/_old 2018-06-26 10:29:19.412650263 +0200 +++ /var/tmp/diff_new_pack.nv99XU/_new 2018-06-26 10:29:19.412650263 +0200 @@ -23,16 +23,16 @@ + +IFS=$'\n' + -+is_opensuse=false ++is_tumbleweed=false + -+if test "$1" = "--opensuse"; then ++if test "$1" = "--tumbleweed"; then + if test "$2" -gt 0; then -+ is_opensuse=true ++ is_tumbleweed=true + fi + shift 2 +fi + -+if ! $is_opensuse; then ++if ! $is_tumbleweed; then + trap 'rm -f "$tmp"' EXIT + tmp=$(mktemp) +fi @@ -58,7 +58,7 @@ + *) + continue + esac -+ if $is_opensuse; then ++ if $is_tumbleweed; then + continue + fi + unzip=false @@ -107,16 +107,16 @@ + +IFS=$'\n' + -+is_opensuse=false ++is_tumbleweed=false + -+if test "$1" = "--opensuse"; then ++if test "$1" = "--tumbleweed"; then + if test "$2" -gt 0; then -+ is_opensuse=true ++ is_tumbleweed=true + fi + shift 2 +fi + -+if ! $is_opensuse && ! test -e /sbin/modprobe; then ++if ! $is_tumbleweed && ! test -e /sbin/modprobe; then + cat > /dev/null + exit 0 +fi 
@@ -124,7 +124,7 @@ +for f in $(grep -E '/lib/modules/.+\.ko$' | grep -v '/lib/modules/[^/]*/kernel/'); do + flavor=${f#*/lib/modules/} + flavor=${flavor%%/*} -+ if $is_opensuse; then ++ if $is_tumbleweed; then + echo "kernel-uname-r = $flavor" + continue + fi ++++++ rpm-suse_macros ++++++ --- /var/tmp/diff_new_pack.nv99XU/_old 2018-06-26 10:29:19.520646296 +0200 +++ /var/tmp/diff_new_pack.nv99XU/_new 2018-06-26 10:29:19.524646149 +0200 @@ -243,6 +243,7 @@ %sles_version @sles_version@ %ul_version @ul_version@ %is_opensuse @is_opensuse@ +%sle_version @sle_version@ %leap_version @leap_version@ %do_profiling 1 ++++++ safesymlinks.diff ++++++ --- ./lib/fsm.c.orig 2018-06-15 11:15:50.320133057 +0000 +++ ./lib/fsm.c 2018-06-15 11:15:56.240118124 +0000 @@ -653,7 +653,7 @@ static int fsmUtime(const char *path, mo return rc; } -static int fsmVerify(const char *path, rpmfi fi, const struct stat *fsb) +static int fsmVerify(const char *path, rpmfi fi) { int rc; int saveerrno = errno; @@ -684,7 +684,7 @@ static int fsmVerify(const char *path, r if (rc) return rc; errno = saveerrno; /* Only permit directory symlinks by target owner and root */ - if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == fsb->st_uid)) + if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == dsb.st_uid)) return 0; } } else if (S_ISLNK(mode)) { @@ -928,7 +928,7 @@ int rpmPackageFilesInstall(rpmts ts, rpm } /* Assume file does't exist when tmp suffix is in use */ if (!suffix) { - rc = fsmVerify(fpath, fi, &sb); + rc = fsmVerify(fpath, fi); } else { rc = (action == FA_TOUCH) ? 0 : RPMERR_ENOENT; } --- ./lib/verify.c.orig 2018-06-15 11:16:03.904098773 +0000 +++ ./lib/verify.c 2018-06-15 11:23:42.842941766 +0000 
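Review bot: In the `@@ -684,7 +684,7 @@` hunk of lib/fsm.c the test `luid == dsb.st_uid` accepts a link based on whichever directory it resolves to at the moment of the check, and the comment above it still says only "target owner". `dsb` and `luid` appear to come from two separate path-based stat calls (both outside the hunk), so the link or its target can in principle change between the check and the later use of the path. An fd-based check, for example `openat()` with `O_NOFOLLOW | O_DIRECTORY` followed by `fstat()`, would close that window. At minimum I would reword the comment to `/* Only permit directory symlinks owned by root or by the owner of the directory they currently resolve to */`. The same comparison, with a visible `lstat`/`stat` pair, is mirrored in the `@@ -98,11 +98,8 @@` hunk of lib/verify.c (`sb.st_uid == dsb.st_uid`); fsmVerify's body starts and ends outside the hunk.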
@@ -98,11 +98,8 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f struct stat dsb; /* ...if it actually points to a directory */ if (stat(fn, &dsb) == 0 && S_ISDIR(dsb.st_mode)) { - uid_t fuid; /* ...and is by a legit user, to match fsmVerify() behavior */ - if (sb.st_uid == 0 || - (rpmugUid(rpmfilesFUser(fi, ix), &fuid) == 0 && - sb.st_uid == fuid)) { + if (sb.st_uid == 0 || sb.st_uid == dsb.st_uid) { sb = dsb; /* struct assignment */ } } ++++++ verifynodup.diff ++++++ --- ./lib/verify.c.orig 2018-06-15 11:25:09.142724319 +0000 +++ ./lib/verify.c 2018-06-15 11:27:32.246363744 +0000 @@ -59,7 +59,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f rpmfileAttrs fileAttrs = rpmfilesFFlags(fi, ix); rpmVerifyAttrs flags = rpmfilesVFlags(fi, ix); const char * fn = rpmfilesFN(fi, ix); - struct stat sb; + struct stat sb, fsb; rpmVerifyAttrs vfy = RPMVERIFY_NONE; /* @@ -88,7 +88,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f break; } - if (fn == NULL || lstat(fn, &sb) != 0) { + if (fn == NULL || lstat(fn, &sb) != 0 || rpmfilesStat(fi, ix, 0, &fsb)) { vfy |= RPMVERIFY_LSTATFAIL; goto exit; } 
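Review bot: In the `@@ -88,7 +88,7 @@` hunk of verifynodup.diff a failing `rpmfilesStat(fi, ix, 0, &fsb)` is reported as `RPMVERIFY_LSTATFAIL`, the same bit set when `lstat(fn, &sb)` fails. Verify output therefore cannot distinguish a missing file from a failure to build the expected stat from the package header. If that call can fail for reasons other than a bad index (its definition is not on this page), a separate branch would be clearer; otherwise add a comment such as `/* rpmfilesStat() failure is folded into LSTATFAIL: there is no expected owner/mode to compare against */`. rpmfilesVerify's body continues outside the hunk.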
@@ -243,47 +243,11 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f vfy |= RPMVERIFY_MTIME; } - if (flags & RPMVERIFY_USER) { - const char * name = rpmugUname(sb.st_uid); - const char * fuser = rpmfilesFUser(fi, ix); - uid_t uid; - int namematch = 0; - int idmatch = 0; - - if (name && fuser) - namematch = rstreq(name, fuser); - if (fuser && rpmugUid(fuser, &uid) == 0) - idmatch = (uid == sb.st_uid); - - if (namematch != idmatch) { - rpmlog(RPMLOG_WARNING, - _("Duplicate username or UID for user %s\n"), fuser); - } - - if (!(namematch || idmatch)) - vfy |= RPMVERIFY_USER; - } - - if (flags & RPMVERIFY_GROUP) { - const char * name = rpmugGname(sb.st_gid); - const char * fgroup = rpmfilesFGroup(fi, ix); - gid_t gid; - int namematch = 0; - int idmatch = 0; - - if (name && fgroup) - namematch = rstreq(name, fgroup); - if (fgroup && rpmugGid(fgroup, &gid) == 0) - idmatch = (gid == sb.st_gid); - - if (namematch != idmatch) { - rpmlog(RPMLOG_WARNING, - _("Duplicate groupname or GID for group %s\n"), fgroup); - } + if ((flags & RPMVERIFY_USER) && (sb.st_uid != fsb.st_uid)) + vfy |= RPMVERIFY_USER; - if (!(namematch || idmatch)) - vfy |= RPMVERIFY_GROUP; - } + if ((flags & RPMVERIFY_GROUP) && (sb.st_gid != fsb.st_gid)) + vfy |= RPMVERIFY_GROUP; exit: return vfy;
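Review bot: The new owner checks `sb.st_uid != fsb.st_uid` and `sb.st_gid != fsb.st_gid` depend on what `rpmfilesStat()` stored in `fsb` when the packaged user or group name does not resolve on this system, which is not visible here. If the id is left at a default such as 0 in that case, a root-owned file would verify clean for a package owner that does not exist. The removed code set `RPMVERIFY_USER`/`RPMVERIFY_GROUP` whenever neither the name nor the id matched. I would record the assumption above the checks, e.g. `/* fsb: header owner mapped to local ids by rpmfilesStat(); TODO confirm unresolved names do not fall back to uid/gid 0 */`, and confirm that behaviour before relying on verify output for ownership auditing.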