Hello community,

here is the log from the commit of package rpm for openSUSE:Factory checked in 
at 2018-06-26 10:29:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rpm (Old)
 and      /work/SRC/openSUSE:Factory/.rpm.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rpm"

Tue Jun 26 10:29:04 2018 rev:263 rq:617098 version:4.14.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/rpm/rpm.changes  2018-05-10 15:44:31.715975923 
+0200
+++ /work/SRC/openSUSE:Factory/.rpm.new/rpm.changes     2018-06-26 
10:29:16.296764706 +0200
@@ -1,0 +2,24 @@
+Fri Jun 15 12:46:10 UTC 2018 - msucha...@suse.com
+
+- Add kernel export provides on openSUSE (boo#1095148).
+
+-------------------------------------------------------------------
+Fri Jun 15 13:25:18 CEST 2018 - m...@suse.de
+
+- really fix symlink attacks on rpm install [bnc#943457]
+  [CVE-2017-7500]
+  new patch: safesymlinks.diff
+- backport removal of user/group duplicate detection in verify
+  new patch: verifynodup.diff
+
+-------------------------------------------------------------------
+Mon Jun 11 11:43:36 CEST 2018 - m...@suse.de
+
+- Define sle_version in leap [bnc#1094735]
+
+-------------------------------------------------------------------
+Wed May 30 10:48:49 UTC 2018 - msucha...@suse.com
+
+- openSUSE releases also preserve kabi (boo#1095148).
+
+-------------------------------------------------------------------

New:
----
  safesymlinks.diff
  verifynodup.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rpm.spec ++++++
--- /var/tmp/diff_new_pack.nv99XU/_old  2018-06-26 10:29:19.284654964 +0200
+++ /var/tmp/diff_new_pack.nv99XU/_new  2018-06-26 10:29:19.288654817 +0200
@@ -132,6 +132,8 @@
 Patch112:       hardlinks.diff
 Patch113:       debugedit-riscv.patch
 Patch114:       source_date_epoch_buildtime.diff
+Patch115:       safesymlinks.diff
+Patch116:       verifynodup.diff
 Patch6464:      auto-config-update-aarch64-ppc64le.diff
 Patch6465:      auto-config-update-riscv64.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -229,7 +231,7 @@
 %patch                               -P 85
 %patch                   -P 93 -P 94                         -P 99
 %patch -P 100        -P 102 -P 103                             -P 108
-%patch -P 109 -P 111 -P 112 -P 113 -P 114
+%patch -P 109 -P 111 -P 112 -P 113 -P 114 -P 115 -P 116
 
 %ifarch aarch64 ppc64le riscv64
 %patch6464
@@ -252,6 +254,12 @@
     -e 's/@is_opensuse@/%{?is_opensuse}%{!?is_opensuse:0}/' \
     -e '/@leap_version@%{?leap_version:nomatch}/d' \
     -e 's/@leap_version@/%{?leap_version}%{!?leap_version:0}/' \
+%if 0%{?is_opensuse}
+    -e '/@sle_version@%{?sle_version:nomatch}/d' \
+    -e 's/@sle_version@/%{?sle_version}%{!?sle_version:0}/' \
+%else
+    -e '/@sle_version@/d' \
+%endif
   < %{SOURCE4} > suse_macros
 rm -f m4/libtool.m4
 rm -f m4/lt*.m4

++++++ fileattrs.diff ++++++
--- /var/tmp/diff_new_pack.nv99XU/_old  2018-06-26 10:29:19.400650704 +0200
+++ /var/tmp/diff_new_pack.nv99XU/_new  2018-06-26 10:29:19.400650704 +0200
@@ -32,13 +32,13 @@
 --- ./fileattrs/kernel.attr.orig       2017-12-01 15:46:28.172720497 +0000
 +++ ./fileattrs/kernel.attr    2017-12-01 15:46:28.172720497 +0000
 @@ -0,0 +1,2 @@
-+%__kernel_provides    %{_rpmconfigdir}/find-provides.ksyms --opensuse 
0%{?is_opensuse}
++%__kernel_provides    %{_rpmconfigdir}/find-provides.ksyms --tumbleweed 
%{?sle_version:0}%{!?sle_version:1}
 +%__kernel_path                
^(/lib/modules/[^/]*/kernel/.*\.ko(\.gz)?|/boot/vmlinu[xz].*)$
 --- ./fileattrs/kmp.attr.orig  2017-12-01 15:46:28.172720497 +0000
 +++ ./fileattrs/kmp.attr       2017-12-01 15:46:28.172720497 +0000
 @@ -0,0 +1,4 @@
-+%__kmp_provides               %{_rpmconfigdir}/find-provides.ksyms --opensuse 
0%{?is_opensuse}
-+%__kmp_requires               %{_rpmconfigdir}/find-requires.ksyms --opensuse 
0%{?is_opensuse}
++%__kmp_provides               %{_rpmconfigdir}/find-provides.ksyms 
--tumbleweed %{?sle_version:0}%{!?sle_version:1}
++%__kmp_requires               %{_rpmconfigdir}/find-requires.ksyms 
--tumbleweed %{?sle_version:0}%{!?sle_version:1}
 +%__kmp_supplements    %{_rpmconfigdir}/find-supplements.ksyms
 +%__kmp_path           ^/lib/modules/[^/]*/(updates|extra)/.*\.ko(\.gz)?
 --- ./fileattrs/perl.attr.orig 2017-08-10 08:08:07.113108701 +0000

++++++ findksyms.diff ++++++
--- /var/tmp/diff_new_pack.nv99XU/_old  2018-06-26 10:29:19.412650263 +0200
+++ /var/tmp/diff_new_pack.nv99XU/_new  2018-06-26 10:29:19.412650263 +0200
@@ -23,16 +23,16 @@
 +
 +IFS=$'\n'
 +
-+is_opensuse=false
++is_tumbleweed=false
 +
-+if test "$1" = "--opensuse"; then
++if test "$1" = "--tumbleweed"; then
 +    if test "$2" -gt 0; then
-+        is_opensuse=true
++        is_tumbleweed=true
 +    fi
 +    shift 2
 +fi
 +
-+if ! $is_opensuse; then
++if ! $is_tumbleweed; then
 +    trap 'rm -f "$tmp"' EXIT
 +    tmp=$(mktemp)
 +fi
@@ -58,7 +58,7 @@
 +    *)
 +        continue
 +    esac
-+    if $is_opensuse; then
++    if $is_tumbleweed; then
 +        continue
 +    fi
 +    unzip=false
@@ -107,16 +107,16 @@
 +
 +IFS=$'\n'
 +
-+is_opensuse=false
++is_tumbleweed=false
 +
-+if test "$1" = "--opensuse"; then
++if test "$1" = "--tumbleweed"; then
 +    if test "$2" -gt 0; then
-+        is_opensuse=true
++        is_tumbleweed=true
 +    fi
 +    shift 2
 +fi
 +
-+if ! $is_opensuse && ! test -e /sbin/modprobe; then
++if ! $is_tumbleweed && ! test -e /sbin/modprobe; then
 +    cat > /dev/null
 +    exit 0
 +fi
@@ -124,7 +124,7 @@
 +for f in $(grep -E '/lib/modules/.+\.ko$' | grep -v 
'/lib/modules/[^/]*/kernel/'); do
 +    flavor=${f#*/lib/modules/}
 +    flavor=${flavor%%/*}
-+    if $is_opensuse; then
++    if $is_tumbleweed; then
 +        echo "kernel-uname-r = $flavor"
 +        continue
 +    fi

++++++ rpm-suse_macros ++++++
--- /var/tmp/diff_new_pack.nv99XU/_old  2018-06-26 10:29:19.520646296 +0200
+++ /var/tmp/diff_new_pack.nv99XU/_new  2018-06-26 10:29:19.524646149 +0200
@@ -243,6 +243,7 @@
 %sles_version @sles_version@
 %ul_version @ul_version@
 %is_opensuse @is_opensuse@
+%sle_version @sle_version@
 %leap_version @leap_version@
 
 %do_profiling 1

++++++ safesymlinks.diff ++++++
--- ./lib/fsm.c.orig    2018-06-15 11:15:50.320133057 +0000
+++ ./lib/fsm.c 2018-06-15 11:15:56.240118124 +0000
@@ -653,7 +653,7 @@ static int fsmUtime(const char *path, mo
     return rc;
 }
 
-static int fsmVerify(const char *path, rpmfi fi, const struct stat *fsb)
+static int fsmVerify(const char *path, rpmfi fi)
 {
     int rc;
     int saveerrno = errno;
@@ -684,7 +684,7 @@ static int fsmVerify(const char *path, r
             if (rc) return rc;
             errno = saveerrno;
            /* Only permit directory symlinks by target owner and root */
-            if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == fsb->st_uid))
+            if (S_ISDIR(dsb.st_mode) && (luid == 0 || luid == dsb.st_uid))
                    return 0;
         }
     } else if (S_ISLNK(mode)) {
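Review bot: The ownership test on the changed line is still made on path names, so it only holds for the window between the lookup that produced `luid` (set outside this hunk, presumably from the link's own lstat) and the `stat` that filled `dsb`, and again between this check and whatever later operates below `path`. The comparison itself now agrees with the comment above it (link owned by root or by the owner of the directory it resolves to). I would record the limitation next to the check, e.g. `/* path-based check: the link can change after this returns, so this is not a guarantee */`. The same applies to the matching test in the lib/verify.c hunk of this patch. fsmVerify's body starts and ends outside the hunk.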
@@ -928,7 +928,7 @@ int rpmPackageFilesInstall(rpmts ts, rpm
            }
            /* Assume file does't exist when tmp suffix is in use */
            if (!suffix) {
-               rc = fsmVerify(fpath, fi, &sb);
+               rc = fsmVerify(fpath, fi);
            } else {
                rc = (action == FA_TOUCH) ? 0 : RPMERR_ENOENT;
            }
--- ./lib/verify.c.orig 2018-06-15 11:16:03.904098773 +0000
+++ ./lib/verify.c      2018-06-15 11:23:42.842941766 +0000
@@ -98,11 +98,8 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
        struct stat dsb;
        /* ...if it actually points to a directory  */
        if (stat(fn, &dsb) == 0 && S_ISDIR(dsb.st_mode)) {
-           uid_t fuid;
            /* ...and is by a legit user, to match fsmVerify() behavior */
-           if (sb.st_uid == 0 ||
-                       (rpmugUid(rpmfilesFUser(fi, ix), &fuid) == 0 &&
-                        sb.st_uid == fuid)) {
+           if (sb.st_uid == 0 || sb.st_uid == dsb.st_uid) {
                sb = dsb; /* struct assignment */
            }
        }
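Review bot: The retained comment "...and is by a legit user, to match fsmVerify() behavior" no longer says what the condition checks, because the new test compares the link's owner (`sb.st_uid`) with the owner of the directory it resolves to (`dsb.st_uid`) instead of the package's file user. I would reword it to `/* ...and the link is owned by root or by the owner of the target directory, to match fsmVerify() behavior */`. It is also worth one line noting that after `sb = dsb` the rest of rpmfilesVerify (outside this hunk) sees the target directory's attributes rather than the link's.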
++++++ verifynodup.diff ++++++
--- ./lib/verify.c.orig 2018-06-15 11:25:09.142724319 +0000
+++ ./lib/verify.c      2018-06-15 11:27:32.246363744 +0000
@@ -59,7 +59,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
     rpmfileAttrs fileAttrs = rpmfilesFFlags(fi, ix);
     rpmVerifyAttrs flags = rpmfilesVFlags(fi, ix);
     const char * fn = rpmfilesFN(fi, ix);
-    struct stat sb;
+    struct stat sb, fsb;
     rpmVerifyAttrs vfy = RPMVERIFY_NONE;
 
     /*
@@ -88,7 +88,7 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
        break;
     }
 
-    if (fn == NULL || lstat(fn, &sb) != 0) {
+    if (fn == NULL || lstat(fn, &sb) != 0 || rpmfilesStat(fi, ix, 0, &fsb)) {
        vfy |= RPMVERIFY_LSTATFAIL;
        goto exit;
     }
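Review bot: A non-zero return from `rpmfilesStat(fi, ix, 0, &fsb)` is reported as `RPMVERIFY_LSTATFAIL`, the same bit used when `fn` is NULL or `lstat` fails, so a problem building the expected stat data from the package record cannot be told apart from a file missing on disk. The call is also made for every file that exists, whether or not `RPMVERIFY_USER` or `RPMVERIFY_GROUP` is set in `flags`. If both are intended, a comment above the condition would help, e.g. `/* fsb: expected owner/group from the header; failure is reported as LSTATFAIL */`. rpmfilesVerify continues outside the hunk.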
@@ -243,47 +243,11 @@ rpmVerifyAttrs rpmfilesVerify(rpmfiles f
        vfy |= RPMVERIFY_MTIME;
     }
 
-    if (flags & RPMVERIFY_USER) {
-       const char * name = rpmugUname(sb.st_uid);
-       const char * fuser = rpmfilesFUser(fi, ix);
-       uid_t uid;
-       int namematch = 0;
-       int idmatch = 0;
-
-       if (name && fuser)
-          namematch =  rstreq(name, fuser);
-       if (fuser && rpmugUid(fuser, &uid) == 0)
-           idmatch = (uid == sb.st_uid);
-
-       if (namematch != idmatch) {
-           rpmlog(RPMLOG_WARNING,
-                   _("Duplicate username or UID for user %s\n"), fuser);
-       }
-
-       if (!(namematch || idmatch))
-           vfy |= RPMVERIFY_USER;
-    }
-
-    if (flags & RPMVERIFY_GROUP) {
-       const char * name = rpmugGname(sb.st_gid);
-       const char * fgroup = rpmfilesFGroup(fi, ix);
-       gid_t gid;
-       int namematch = 0;
-       int idmatch = 0;
-
-       if (name && fgroup)
-           namematch = rstreq(name, fgroup);
-       if (fgroup && rpmugGid(fgroup, &gid) == 0)
-           idmatch = (gid == sb.st_gid);
-
-       if (namematch != idmatch) {
-           rpmlog(RPMLOG_WARNING,
-                   _("Duplicate groupname or GID for group %s\n"), fgroup);
-       }
+    if ((flags & RPMVERIFY_USER) && (sb.st_uid != fsb.st_uid))
+       vfy |= RPMVERIFY_USER;
 
-       if (!(namematch || idmatch))
-           vfy |= RPMVERIFY_GROUP;
-    }
+    if ((flags & RPMVERIFY_GROUP) && (sb.st_gid != fsb.st_gid))
+       vfy |= RPMVERIFY_GROUP;
 
 exit:
     return vfy;
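Review bot: The new owner and group tests compare numeric ids only, so their result depends entirely on what `rpmfilesStat` stores in `fsb.st_uid` and `fsb.st_gid` when the user or group name recorded in the package does not exist on the system; that function is not shown here. If it falls back to a default id (for instance 0) rather than returning an error, a file owned by that default id would verify cleanly against a package that names an unknown user. Please confirm the fallback and document it above the two tests, e.g. `/* fsb ids come from rpmfilesStat(); unknown names map to <fallback> */`.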
