diff --git a/.github/actions/checkout-with-stable-pkgs/action.yml b/.github/actions/checkout-with-stable-pkgs/action.yml
new file mode 100644
index 0000000000..d3afae7b2b
--- /dev/null
+++ b/.github/actions/checkout-with-stable-pkgs/action.yml
@@ -0,0 +1,17 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: "Stable specs and manifests checkout"
+description: "Checks out the repo, and a stable version of both specs and manifests."
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+
+ - name: Checkout stable specs and manifests
+ shell: bash
+ run: git checkout 3.0-stable -- SPECS/ toolkit/resources/manifests/package/*.txt
diff --git a/.github/workflows/check-files.yml b/.github/workflows/check-files.yml
new file mode 100644
index 0000000000..bb6826a495
--- /dev/null
+++ b/.github/workflows/check-files.yml
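Review bot: `uses: actions/checkout@v4` in the first step references a mutable tag, so the code this composite action executes can change without any change in this repository. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the release you reviewed). The same applies to the `actions/checkout@v4` and `actions/setup-python@v5` references added in check-files.yml, check-package-builds.yml and verify-osguard-imageconfigs.yml.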
@@ -0,0 +1,140 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: Check Disallowed Files
+
+on:
+ push:
+ branches: [main, 2.0*, 3.0*, fasttrack/*]
+ pull_request:
+ branches: [main, 2.0*, 3.0*, fasttrack/*]
+
+jobs:
+
+ build:
+ name: Check Disallowed Files
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Get base commit for PRs
+ if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ git fetch origin ${{ github.base_ref }}
+ echo "base_sha=$(git rev-parse origin/${{ github.base_ref }})" >> $GITHUB_ENV
+ echo "Merging ${{ github.sha }} into ${{ github.base_ref }}"
+
+ - name: Get base commit for Pushes
+ if: ${{ github.event_name == 'push' }}
+ run: |
+ git fetch origin ${{ github.event.before }}
+ echo "base_sha=${{ github.event.before }}" >> $GITHUB_ENV
+ echo "Merging ${{ github.sha }} into ${{ github.event.before }}"
+
+ - name: Get the changed files
+ run: |
+ echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'"
+ changed_files=$(git diff-tree --diff-filter=AM --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})
+ echo "Files to validate: '${changed_files}'"
+ echo "changed-files<> $GITHUB_ENV
+ echo "${changed_files}" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
+ - name: Check for disallowed file types
+ run: |
+ if [[ -z "${{ env.changed-files }}" ]]; then
+ echo "No files to validate. Exiting."
+ exit 0
+ fi
+
+ echo "Checking files..."
+ error_found=0
+
+ # Read disallowed extensions from the configuration file
+ if [[ ! -f ".github/workflows/disallowed-extensions.txt" ]]; then
+ echo "Configuration file '.github/workflows/disallowed-extensions.txt' not found. Skipping check."
+ exit 0
+ fi
+
+ # Create array of disallowed extensions
+ mapfile -t disallowed_extensions < .github/workflows/disallowed-extensions.txt
+ if [[ $? -ne 0 ]]; then
+ echo "Error occurred while reading disallowed extensions. Exiting."
+ exit 1
+ fi
+
+ # Check each changed file
+ while IFS= read -r file; do
+ if [[ -z "$file" ]]; then
+ continue
+ fi
+
+ echo "Checking file: $file"
+
+ # Get file extension (convert to lowercase for comparison)
+ extension=$(echo "${file##*.}" | tr '[:upper:]' '[:lower:]')
+ filename=$(basename "$file")
+
+ # Check if file should be in blob store
+ should_be_in_blob_store=false
+
+ # Check against disallowed extensions
+ for disallowed_ext in "${disallowed_extensions[@]}"; do
+ # Remove any whitespace and comments
+ clean_ext=$(echo "$disallowed_ext" | sed 's/#.*//' | xargs)
+ if [[ -z "$clean_ext" ]]; then
+ continue
+ fi
+
+ if [[ "$extension" == "$clean_ext" ]]; then
+ should_be_in_blob_store=true
+ break
+ fi
+ done
+
+ # Additional checks for binary files and large files
+ if [[ -f "$file" ]]; then
+ # Check if file is binary (but allow .sh files even if executable)
+ if file "$file" | grep -q "binary\|archive\|compressed"; then
+ should_be_in_blob_store=true
+ fi
+
+ # Check file size (files > 1MB should be in blob store)
+ file_size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null || echo 0)
+ if [[ $file_size -gt 1048576 ]]; then # 1MB
+ should_be_in_blob_store=true
+ fi
+ fi
+
+ if [[ "$should_be_in_blob_store" == "true" ]]; then
+ 1>&2 echo "**** ERROR ****"
+ 1>&2 echo "File '$file' should be stored in blob store, not in git repository."
+ 1>&2 echo "Reason: Images, Large files, binaries, tarballs, and non-text files slow down git operations"
+ 1>&2 echo "and cannot be efficiently diffed. Please upload to blob store instead."
+ 1>&2 echo "**** ERROR ****"
+ error_found=1
+ fi
+ done <<< "${{ env.changed-files }}"
+
+ if [[ $error_found -eq 1 ]]; then
+ echo ""
+ echo "=========================================="
+ echo "FILES THAT SHOULD BE IN BLOB STORE DETECTED"
+ echo "=========================================="
+ echo "The following file types should be stored in blob store:"
+ echo "- Source tarballs (.tar.gz, .tar.xz, .zip, etc.)"
+ echo "- Binary files (.bin, .exe, .so, .dll, etc.)"
+ echo "- Images (.gif, .bmp, etc.)"
+ echo "- Archives (.rar, .7z, .tar, etc.)"
+ echo "- Large files (> 1MB)"
+ echo "- Any non-text files that cannot be efficiently diffed"
+ echo ""
+ echo "Please upload these files to the blob store and reference them"
+ echo "in your spec files or configuration instead of checking them into git."
+ echo "=========================================="
+ exit 1
+ fi
+
+ echo "All files are appropriate for git storage."
\ No newline at end of file
diff --git a/.github/workflows/check-package-builds.yml b/.github/workflows/check-package-builds.yml
new file mode 100644
index 0000000000..8ffc8bea66
--- /dev/null
+++ b/.github/workflows/check-package-builds.yml
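Review bot: The `Check for disallowed file types` step expands `${{ env.changed-files }}` into the script text itself (in the `-z` test and in the `done <<<` here-string), and that value is the list of file paths taken from the pushed or proposed commits, so shell metacharacters in a path are interpreted by bash instead of being treated as data. Read the list as a shell variable instead: export it under a name bash accepts (`changed_files` rather than `changed-files`) and use `[[ -z "$changed_files" ]]` and `done <<< "$changed_files"`. The multi-line write to `$GITHUB_ENV` in the preceding step appears to use the fixed delimiter `EOF`, which a path line can collide with; a randomly generated delimiter avoids that. `${{ env.updated-specs }}` in the `Check each spec` step of check-package-cgmanifest.yml is expanded the same way and should be passed through `env:` as well.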
@@ -0,0 +1,165 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+# This check verifies basic package build success and failure cases.
+# It should only be dependent on toolkit changes, not on the specs.
+# This is why each build uses the 3.0-stable version of the specs and manifests.
+
+name: Package build checks
+
+env:
+ REGULAR_PKG: words
+ REGULAR_PKG_SPEC_PATH: SPECS/words/words.spec
+ TOOLCHAIN_PKG: xz
+
+on:
+ push:
+ branches: [3.0*, fasttrack/3.0]
+ paths:
+ - ".github/workflows/check-package-builds.yml"
+ - "toolkit/Makefile"
+ - "toolkit/scripts/*"
+ - "toolkit/tools/*"
+ pull_request:
+ branches: [3.0*, fasttrack/3.0]
+ paths:
+ - ".github/workflows/check-package-builds.yml"
+ - "toolkit/Makefile"
+ - "toolkit/scripts/*"
+ - "toolkit/tools/*"
+
+jobs:
+ package-checks:
+ name: ${{ matrix.check-name }}
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - check-name: "Simple package build succeeds"
+ package-type: "REGULAR_PKG"
+ extra-args: ""
+
+ - check-name: "Simple package build fails"
+ package-type: "REGULAR_PKG"
+ error-pattern: "Number of failed SRPMs:\\s+1\\s*$"
+ extra-args: ""
+ build-prep: |
+ # Adding an invalid command to the '%prep' section will cause the build to fail.
+ sed -i '/%prep/a this-command-should-fail-because-its-not-a-command-at-all' "$REGULAR_PKG_SPEC_PATH"
+
+ - check-name: "Toolchain package rebuild succeeds"
+ package-type: "TOOLCHAIN_PKG"
+ extra-args: "ALLOW_TOOLCHAIN_REBUILDS=y"
+
+ - check-name: "Toolchain package rebuild fails"
+ package-type: "TOOLCHAIN_PKG"
+ error-pattern: "Number of toolchain SRPM conflicts:\\s+1\\s*$"
+ extra-args: "ALLOW_TOOLCHAIN_REBUILDS=n"
+ build-prep: ""
+
+ - check-name: "None license check does not break the build"
+ package-type: "REGULAR_PKG"
+ extra-args: "LICENSE_CHECK_MODE=none"
+ build-prep: |
+ license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
+ if [[ -z "$license_file_name" ]]; then
+ echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
+ exit 1
+ fi
+ # Tagging a license file as a documentation file will not fail the license check on the 'none' level.
+ sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"
+
+ - check-name: "Warning-only license check does not break the build"
+ package-type: "REGULAR_PKG"
+ extra-args: "LICENSE_CHECK_MODE=warn"
+ build-prep: |
+ license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
+ if [[ -z "$license_file_name" ]]; then
+ echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
+ exit 1
+ fi
+ # Tagging a license file as a documentation file will not fail the license check on the 'warn' level.
+ sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"
+
+ - check-name: "Fatal license check succeeds on duplicated license as documentation"
+ package-type: "REGULAR_PKG"
+ extra-args: "LICENSE_CHECK_MODE=fatal"
+ build-prep: |
+ license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
+ if [[ -z "$license_file_name" ]]; then
+ echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
+ exit 1
+ fi
+ # Tagging a license file as a documentation file will not fail the license check on the 'fatal' level.
+ sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"
+
+ - check-name: "Fatal license check fails"
+ package-type: "REGULAR_PKG"
+ error-pattern: "Number of SRPMs with license errors:\\s+1\\s*$"
+ extra-args: "LICENSE_CHECK_MODE=fatal"
+ build-prep: |
+ if ! grep -q '^%license' "$REGULAR_PKG_SPEC_PATH"; then
+ echo "ERROR: no '%license' macro found in the spec $REGULAR_PKG_SPEC_PATH"
+ exit 1
+ fi
+ # Tagging a license file as a documentation file will cause the license check to fail.
+ sed -i "s/^%license/%doc/" "$REGULAR_PKG_SPEC_PATH"
+
+ - check-name: "Pedantic license check fails"
+ package-type: "REGULAR_PKG"
+ error-pattern: "Number of SRPMs with license errors:\\s+1\\s*$"
+ extra-args: "LICENSE_CHECK_MODE=pedantic"
+ build-prep: |
+ license_file_name=$(grep -oP '^%license\s+\K\S+' "$REGULAR_PKG_SPEC_PATH")
+ if [[ -z "$license_file_name" ]]; then
+ echo "ERROR: no license file found in the spec $REGULAR_PKG_SPEC_PATH"
+ exit 1
+ fi
+ sed -i "/^%license/a %doc $license_file_name" "$REGULAR_PKG_SPEC_PATH"
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Checkout a stable version of the specs
+ uses: ./.github/actions/checkout-with-stable-pkgs
+
+ - name: Prepare the build environment
+ if: ${{ matrix.build-prep != '' }}
+ run: |
+ set -euo pipefail
+
+ ${{ matrix.build-prep }}
+
+ - name: Run the build
+ run: |
+ set -euo pipefail
+
+ if sudo make -C toolkit -j$(nproc) build-packages \
+ PACKAGE_REBUILD_LIST="${{ env[matrix.package-type] }}" \
+ REBUILD_TOOLS=y \
+ SRPM_PACK_LIST="${{ env[matrix.package-type] }}" \
+ ${{ matrix.extra-args }} 2>&1 | tee build.log; then
+ touch build.succeeded
+ fi
+
+ - name: Check the results
+ run: |
+ set -euo pipefail
+
+ if [[ -z "${{ matrix.error-pattern }}" ]]; then
+ if [[ ! -f build.succeeded ]]; then
+ echo "Build failed, but it was expected to succeed."
+ exit 1
+ fi
+ else
+ if [[ -f build.succeeded ]]; then
+ echo "Build succeeded, but it was expected to fail."
+ exit 1
+ fi
+
+ if ! grep -qP '${{ matrix.error-pattern }}' build.log; then
+ echo "Build failed, but not with the expected error message."
+ exit 1
+ fi
+ fi
diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml
index e93e2c1cb9..07af69c6b9 100644
--- a/.github/workflows/check-package-cgmanifest.yml
+++ b/.github/workflows/check-package-cgmanifest.yml
@@ -56,8 +56,17 @@ jobs: echo "Files to validate: '${changed_specs}'" echo "updated-specs=${changed_specs}" >> "$GITHUB_ENV" - - name: Check each spec - run: | - .github/workflows/overwrite_shell_link.sh - .github/workflows/validate-cg-manifest.sh ${{ env.updated-specs }} - shell: bash + - name: Get the changed files + run: | + echo "Files changed: '$(git diff-tree --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }})'" + changed_specs=$(git diff-tree --diff-filter=d --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep "SPECS.*/.*\.spec$" || test $? = 1; }) + echo "Files to validate: '${changed_specs}'" + echo "updated-specs=$(echo ${changed_specs})" >> $GITHUB_ENV + + - name: Build the worker chroot + if: ${{ env.updated-specs != '' }} + run: sudo make -C toolkit -j$(nproc) chroot-tools REBUILD_TOOLS=y DAILY_BUILD_ID=lkg + + - name: Check each spec + if: ${{ env.updated-specs != '' }} + run: .github/workflows/validate-cg-manifest.sh build/worker/worker_chroot.tar.gz ${{ env.updated-specs }}
diff --git a/.github/workflows/disallowed-extensions.txt b/.github/workflows/disallowed-extensions.txt
new file mode 100644
index 0000000000..99e8d20406
--- /dev/null
+++ b/.github/workflows/disallowed-extensions.txt
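Review bot: The `paths` filters `"toolkit/scripts/*"` and `"toolkit/tools/*"` under both `push` and `pull_request` match only files directly inside those two directories, because `*` in a workflow path filter does not cross `/`. A change to a file in a nested directory would therefore not trigger these build checks. If the toolkit sources live in subdirectories (the layout is not visible in this diff), use `"toolkit/scripts/**"` and `"toolkit/tools/**"`.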
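Review bot: The added `Get the changed files` step in check-package-cgmanifest.yml looks like a second copy of the step whose last lines are the context just above it (`echo "updated-specs=${changed_specs}" >> "$GITHUB_ENV"`), so `updated-specs` appears to be computed and written twice. The earlier step starts outside the hunk, so confirm against the full file and drop the stale copy. The form to keep is presumably the added `$(echo ${changed_specs})` one, since the later steps pass the value as a space-separated argument list.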
@@ -0,0 +1,79 @@
+# File extensions that should be stored in blob store instead of git repository
+# Lines starting with # are comments and will be ignored
+# Extensions should be lowercase without the leading dot
+
+# Source tarballs and archives
+tar
+gz
+tgz
+bz2
+xz
+zip
+rar
+7z
+tar.gz
+tar.xz
+tar.bz2
+
+# Binary executables
+bin
+exe
+dll
+so
+dylib
+a
+lib
+obj
+o
+
+# Image files
+gif
+bmp
+tiff
+tif
+webp
+raw
+heif
+
+
+# Audio/Video files
+mp3
+wav
+avi
+mp4
+mkv
+mov
+wmv
+flv
+ogg
+m4a
+aac
+
+# Package files
+rpm
+deb
+msi
+dmg
+iso
+
+# Compressed source packages
+gem
+whl
+egg
+
+# Database files
+db
+sqlite
+sqlite3
+
+# Fonts
+ttf
+otf
+woff
+woff2
+
+# Other binary formats
+jar
+war
+ear
+class
\ No newline at end of file
diff --git a/.github/workflows/overwrite_shell_link.sh b/.github/workflows/overwrite_shell_link.sh
deleted file mode 100755
index 1c45a3cfb1..0000000000
--- a/.github/workflows/overwrite_shell_link.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# Copyright (c) Microsoft Corporation.
-# Licensed under the MIT License.
-
-set -e
-
-shell_link_path="/bin/sh"
-
-if [[ -f "$shell_link_path" ]]
-then
- original_rpm_shell="$(readlink $shell_link_path)"
-fi
-
-if [[ "$original_rpm_shell" != "bash" ]]
-then
- echo "Host system's '$shell_link_path' links to '$original_rpm_shell'. Azure Linux specs require 'bash' - updating."
-
- sudo rm -f $shell_link_path
- sudo ln -s bash "$shell_link_path"
-fi
diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh
index 6140ad2188..eedf394b30 100755
--- a/.github/workflows/validate-cg-manifest.sh
+++ b/.github/workflows/validate-cg-manifest.sh
@@ -9,10 +9,10 @@ # - OR that a #source0 comment is a substring of the cgmanifest URL # - The URL listed in the cgmanifets is valid (can be downloaded) -# $@ - Paths to spec files to check +# $1 - Path to worker chroot's archive +# $2+ - Paths to spec files to check -# shellcheck source=../../toolkit/scripts/rpmops.sh -source "$(git rev-parse --show-toplevel)"/toolkit/scripts/rpmops.sh +set -euo pipefail # Specs, which contain multiple source files and are split into many entries inside 'cgmanifest.json'. ignore_multiple_sources=" \ 
@@ -61,57 +61,75 @@ ignore_no_source_tarball=" \ web-assets \ " -# Specs where cgmanifest validation has known issues checking URLs. -ignore_known_issues=" \ - virglrenderer \ - libesmtp" - alt_source_tag="Source9999" -function prepare_lua { - local azl_lua_dir - local azl_srpm_lua_dir - local lua_common_path - local lua_forge_path - local lua_python_path - local rpm_lua_dir - local rpm_macros_dir - - rpm_macros_dir="$1" - - lua_common_path="common.lua" - lua_forge_path="srpm/forge.lua" - lua_python_path="srpm/python.lua" - rpm_lua_dir="$(rpm --eval "%_rpmluadir")" - azl_lua_dir="$rpm_lua_dir/azl" - azl_srpm_lua_dir="$azl_lua_dir/srpm" - - if [[ -z "$rpm_lua_dir" ]] - then - echo "ERROR: no RPM LUA directory set, can't update with Azure Linux's LUA modules!" >&2 - exit 1 +chroot_rpmspec() { + local chroot_dir_path + local sourcedir + + chroot_dir_path="$1" + shift + + if [[ ! -d "$chroot_dir_path" ]]; then + echo "Expected a chroot directory as first argument to 'chroot_rpmspec'. Got '$chroot_dir_path'." >&2 + return 1 fi - # We only want to clean-up directories, which were absent from the system. - for dir_path in "$rpm_lua_dir" "$azl_lua_dir" "$azl_srpm_lua_dir" - do - if [[ ! -d "$dir_path" ]] - then - FILES_TO_CLEAN_UP+=("$dir_path") + # Looking for spec path in the argument list to extract its directory. + sourcedir="" + for arg in "$@"; do + if [[ "$arg" == *.spec && -f "$chroot_dir_path/$arg" ]]; then + sourcedir="$(dirname "$arg")" break fi done - sudo mkdir -p "$azl_srpm_lua_dir" - - for file_path in "$lua_common_path" "$lua_forge_path" "$lua_python_path" - do - system_lua_path="$azl_lua_dir/$file_path" - if [[ ! -f "$system_lua_path" ]] - then - sudo cp "$rpm_macros_dir/$(basename "$file_path")" "$system_lua_path" - FILES_TO_CLEAN_UP+=("$system_lua_path") - fi + + if [[ -z $sourcedir ]]; then + echo "Must pass valid spec path to 'chroot_rpmspec'!" 
>&2 + return 1 + fi + + sudo chroot "$chroot_dir_path" rpmspec -D "_sourcedir $sourcedir" "$@" +} + +prepare_chroot_environment() { + local chroot_archive + local chroot_dir_path + local chroot_rpm_macros_dir_path + local dist_name + local dist_number + local dist_tag + local rpm_macros_dir_path + + chroot_archive="$1" + chroot_dir_path="$2" + + echo "Creating worker chroot under '$chroot_dir_path'." + + sudo tar -xf "$chroot_archive" -C "$chroot_dir_path" + sudo chown -R "$(id -u):$(id -g)" "$chroot_dir_path" + + rpm_macros_dir_path="$(sudo chroot "$chroot_dir_path" rpm --eval '%{_rpmmacrodir}')" + echo "Creating the RPM macros directory '$rpm_macros_dir_path' in the chroot." + chroot_rpm_macros_dir_path="$chroot_dir_path/$rpm_macros_dir_path" + mkdir -vp "$chroot_rpm_macros_dir_path" + + echo "Setting RPM's macros for the RPM queries inside the new chroot:" + dist_tag=$(make -sC toolkit get-dist-tag) + # Dist name is extracted from the dist tag by removing the leading dot and the number suffix. + # Example: ".azl3" -> "azl" + dist_name="$(sed -E 's/^\.(.*)[0-9]+$/\1/' <<<"$dist_tag")" + # Dist number is the number suffix of the dist tag. + # Example: ".azl3" -> "3" + dist_number="$(grep -oP "\d+$" <<<"$dist_tag")" + echo "%dist $dist_tag" | tee "$chroot_rpm_macros_dir_path/macros.dist" + echo "%$dist_name $dist_number" | tee -a "$chroot_rpm_macros_dir_path/macros.dist" + echo "%with_check 1" | tee -a "$chroot_rpm_macros_dir_path/macros.dist" + for macro_file in SPECS/azurelinux-rpm-macros/macros* SPECS/pyproject-rpm-macros/macros.pyproject SPECS/perl/macros.perl; do + sudo cp -v "$macro_file" "$chroot_rpm_macros_dir_path" done + + echo } function specs_dir_from_spec_path { 
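Review bot: `chroot_rpmspec` runs `sudo chroot "$chroot_dir_path" rpmspec ...` as root on spec files taken from the change under review, and spec parsing can expand macros that run commands; a chroot does not confine a root process. Since `prepare_chroot_environment` already hands the extracted tree to the invoking user with `chown -R`, the parse should be able to run unprivileged: `sudo chroot --userspec="$(id -u):$(id -g)" "$chroot_dir_path" rpmspec -D "_sourcedir $sourcedir" "$@"`. A one-line comment above the function stating that its input is untrusted would keep a later edit from dropping the restriction.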
@@ -127,121 +145,121 @@ rm -rf ./cgmanifest_test_dir/ if [[ $# -eq 0 ]] then echo "No specs passed to validate." - exit + exit 1 fi +if [[ ! -f "$1" ]]; then + echo "First argument is not a valid file. Please pass the path to the worker chroot's archive." + exit 1 +fi + +rm -f bad_registrations.txt + WORK_DIR=$(mktemp -d -t) -FILES_TO_CLEAN_UP=("$WORK_DIR") function clean_up { - echo "Cleaning up..." - for file_path in "${FILES_TO_CLEAN_UP[@]}" - do - echo " Removing ($file_path)." - sudo rm -rf "$file_path" - done + echo "Removing the temporary directory '$WORK_DIR'." + rm -rf "$WORK_DIR" } trap clean_up EXIT SIGINT SIGTERM +prepare_chroot_environment "$1" "$WORK_DIR" -azl_macros_dir="$(specs_dir_from_spec_path "$1")" -prepare_lua "$azl_macros_dir" - +shift # Remove the first argument (the chroot archive) from the list of specs to check. echo "Checking $# specs." i=0 -for original_spec in "$@" -do - i=$((i+1)) - echo "[$i/$#] Checking $original_spec" - +for original_spec in "$@"; do + i=$((i + 1)) + echo "[$i/$#] Checking $original_spec." # Using a copy of the spec file, because parsing requires some pre-processing. original_spec_dir_path="$(dirname "$original_spec")" cp -r "$original_spec_dir_path" "$WORK_DIR" original_spec_dir_name="$(basename "$original_spec_dir_path")" - spec="$WORK_DIR/$original_spec_dir_name/$(basename "$original_spec")" + chroot_spec="$original_spec_dir_name/$(basename "$original_spec")" + host_spec="$WORK_DIR/$chroot_spec" # Skipping specs for signed packages. Their unsigned versions should already be included in the manifest. - if echo "$original_spec" | grep -q "SPECS-SIGNED" - then - echo " $spec is being ignored (reason: signed package), skipping" + if echo "$original_spec" | grep -q "SPECS-SIGNED"; then + echo " $host_spec is being ignored (reason: signed package), skipping." continue fi # Pre-processing alternate sources (commented-out "Source" lines with full URLs), if present. Currently we only care about the first source. 
# First, we replace "%%" with "%" in the alternate source's line. - sed -Ei "/^#\s*Source0?:.*%%.*/s/%%/%/g" "$spec" + sed -Ei "/^#\s*Source0?:.*%%.*/s/%%/%/g" "$host_spec" # Then we uncomment it. - sed -Ei "s/^#\s*Source0?:/$alt_source_tag:/" "$spec" + sed -Ei "s/^#\s*Source0?:/$alt_source_tag:/" "$host_spec" # Removing trailing comments from "Source" tags. - sed -Ei "s/^(\s*Source[0-9]*:.*)#.*/\1/" "$spec" + sed -Ei "s/^(\s*Source[0-9]*:.*)#.*/\1/" "$host_spec" - name=$(mariner_rpmspec --srpm --qf "%{NAME}" -q "$spec" 2>/dev/null) - if [[ -z $name ]] - then - echo "Failed to get name from '$original_spec'. Please update the spec or the macros from the 'defines' variable in this script. Error:" >> bad_registrations.txt - mariner_rpmspec --srpm --qf "%{NAME}" -q "$spec" &>> bad_registrations.txt + name=$(chroot_rpmspec "$WORK_DIR" --srpm --qf "%{NAME}" -q "$chroot_spec" 2>/dev/null) + if [[ -z $name ]]; then + echo "Failed to get name from '$original_spec'. Please update the spec or the chroot macros configuration in this script. Error:" >>bad_registrations.txt + chroot_rpmspec "$WORK_DIR" --srpm --qf "%{NAME}" -q "$chroot_spec" &>>bad_registrations.txt continue fi # Skipping specs from the ignore lists. - if echo "$ignore_multiple_sources $ignore_no_source_tarball $ignore_known_issues" | grep -qP "(^|\s)$name($|\s)" - then - echo " $name is being ignored (reason: explicitly ignored package), skipping" + if echo "$ignore_multiple_sources $ignore_no_source_tarball" | grep -qP "(^|\s)$name($|\s)"; then + echo " $name is being ignored (reason: explicitly ignored package), skipping." continue fi - version=$(mariner_rpmspec --srpm --qf "%{VERSION}" -q "$spec" 2>/dev/null ) - if [[ -z $version ]] - then - echo "Failed to get version from '$original_spec'. Please update the spec or the macros from the 'defines' variable in this script. 
Error:" >> bad_registrations.txt - mariner_rpmspec --srpm --qf "%{VERSION}" -q "$spec" &>> bad_registrations.txt + version=$(chroot_rpmspec "$WORK_DIR" --srpm --qf "%{VERSION}" -q "$chroot_spec" 2>/dev/null) + if [[ -z $version ]]; then + echo "Failed to get version from '$original_spec'. Please update the spec or the chroot macros configuration in this script. Error:" >>bad_registrations.txt + chroot_rpmspec "$WORK_DIR" --srpm --qf "%{VERSION}" -q "$chroot_spec" &>>bad_registrations.txt continue fi - parsed_spec="$(mariner_rpmspec --parse "$spec" 2>/dev/null)" + parsed_spec="$WORK_DIR/parsed.spec" + chroot_rpmspec "$WORK_DIR" --parse "$chroot_spec" 2>/dev/null > "$parsed_spec" # Reading the source0 file/URL. - source0=$(echo "$parsed_spec" | grep -P "^\s*Source0?:" | cut -d: -f2- | xargs) - if [[ -z $source0 ]] - then - echo " No source file listed for $name:$version, skipping" + if ! grep -qP "^\s*Source0?:" "$parsed_spec"; then + echo " No source file listed for $name-$version, skipping." continue fi + source0=$(grep -P "^\s*Source0?:" "$parsed_spec" | cut -d: -f2- | xargs) + echo " Source0: $source0." + # Reading the alternate source URL. - source0alt=$(echo "$parsed_spec" | grep -P "^\s*$alt_source_tag:" | cut -d: -f2- | xargs) + source0_alt="" + if grep -qP "^\s*$alt_source_tag:" "$parsed_spec"; then + source0_alt=$(grep -P "^\s*$alt_source_tag:" "$parsed_spec" | cut -d: -f2- | xargs) + echo " Source0Alt: $source0_alt." + fi # Pull the current registration from the cgmanifest file. Every registration should have a URL, so if we don't find one # that implies the registration is missing. 
- manifesturl=$(jq --raw-output ".Registrations[].component.other | select(.name==\"$name\" and .version==\"$version\") | .downloadUrl" cgmanifest.json) - if [[ -z $manifesturl ]] - then - echo "Registration for $name:$version is missing" >> bad_registrations.txt + manifest_url=$(jq --raw-output ".Registrations[].component.other | select(.name==\"$name\" and .version==\"$version\") | .downloadUrl" cgmanifest.json) + if [[ -z $manifest_url ]]; then + echo "Registration for $name-$version is missing" >>bad_registrations.txt else - if [[ "$manifesturl" != "$source0" && "$manifesturl" != "$source0alt" ]] - then + echo " Registration URL: $manifest_url." + + if [[ "$manifest_url" != "$source0" && "$manifest_url" != "$source0_alt" ]]; then { - echo "Registration URL for $name:$version ($manifesturl) matches neither the first \"Source\" tag nor the alternate source URL." + echo "Registration URL for $name-$version ($manifest_url) matches neither the first \"Source\" tag nor the alternate source URL." printf '\tFirst "Source" tag:\t%s\n' "$source0" - printf '\tAlternate source URL:\t%s\n' "$source0alt" - } >> bad_registrations.txt + printf '\tAlternate source URL:\t%s\n' "$source0_alt" + } >>bad_registrations.txt else # Try a few times to download the source listed in the manifest # Parsing output instead of using error codes because 'wget' returns code 8 for FTP, even if the file exists. # Sample HTTP(S) output: Remote file exists. # Sample FTP output: File ‘time-1.9.tar.gz’ exists. - if ! wget --secure-protocol=TLSv1_2 --spider --timeout=30 --tries=10 "${manifesturl}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists.*" - then - echo "Registration for $name:$version has invalid URL '$manifesturl' (could not download)" >> bad_registrations.txt + if ! 
wget --secure-protocol=TLSv1_2 --spider --timeout=30 --tries=10 "${manifest_url}" 2>&1 | grep -qP "^(Remote file|File ‘.*’) exists.*"; then + echo "Registration for $name-$version has invalid URL '$manifest_url' (could not download)" >>bad_registrations.txt fi fi fi done -if [[ -s bad_registrations.txt ]] -then +if [[ -s bad_registrations.txt ]]; then echo "####" echo "Found errors while analyzing modified spec files, cgmanifest.json may need to be updated." echo "####" diff --git a/.github/workflows/verify-osguard-imageconfigs.yml b/.github/workflows/verify-osguard-imageconfigs.yml new file mode 100644 index 0000000000..c3f97b6921 --- /dev/null +++ b/.github/workflows/verify-osguard-imageconfigs.yml @@ -0,0 +1,29 @@ +name: Verify osguard imageconfigs are up-to-date + +on: + pull_request: + workflow_dispatch: + +jobs: + verify-osguard-imageconfigs: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install Python dependencies for merge_yaml + run: | + python -m pip install --upgrade pip + pip install pyyaml + + - name: Run osguard imageconfigs test + working-directory: toolkit/scripts + shell: bash + run: | + set -euo pipefail + ./generate-osguard-imageconfigs.sh test diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index bc54fa51e0..ae6c9055d1 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md 
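Review bot: With `set -euo pipefail` now enabled (first hunk of this file), the assignments `name=$(chroot_rpmspec ... 2>/dev/null)` and `version=$(chroot_rpmspec ... 2>/dev/null)` end the script as soon as `rpmspec` returns non-zero, so the `if [[ -z $name ]]` and `if [[ -z $version ]]` branches that record the failure in bad_registrations.txt are not reached for a spec that fails to parse, and the job stops without a diagnostic. The same holds for the `--parse "$chroot_spec" 2>/dev/null > "$parsed_spec"` line and for the diagnostic re-runs inside those branches, which exit before `continue`. Append `|| true` to the two assignments and to the diagnostic calls (`... &>>bad_registrations.txt || true`), and record a failed `--parse` in bad_registrations.txt like the other two cases.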
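Review bot: In verify-osguard-imageconfigs.yml, `python -m pip install --upgrade pip` and `pip install pyyaml` install whatever is current when the job runs, and `python-version: '3.x'` floats too, so the result of this verification can change without any change to the repository. Pin the interpreter minor version and install from a requirements file with exact versions, ideally with `--require-hashes`. The workflow also declares no `permissions:` block; `permissions:` with `contents: read` at the top level would keep the job token at the minimum this check needs, and the same applies to check-files.yml and check-package-builds.yml.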
@@ -6,12 +6,12 @@ The Edge Microvisor Toolkit SPEC files originated from a variety of sources with | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | | DOC group source | [DOC](https://www.dre.vanderbilt.edu/~schmidt/ACE-copying.html) | ace-tao | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
alsa-sof-firmware
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
caddy
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cjson
ck
clang15
cldr-emoji-annotation
clinfo
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
igt-gpu-tools
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
incron
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-compute-runtime
intel-gmmlib
intel-igc
intel-ipsec-mb
intel-level-zero
intel-media-driver
intel-metee
intel-opencl-clang
intel-vpl-gpu-rt
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libclc
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libva-utils
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpl
libvpx
libwacom
libwebsockets
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
lksctp-tools
lld15
lldpd
llvm15
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lxc
lxcfs
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-demos
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mosquitto
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
needrestart
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
openbox
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
paho-c
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-apscheduler
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-elementpath
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-jsonschema-specifications
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paho-mqtt
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-referencing
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-shortuuid
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-tzlocal
python-uamqp
python-unittest2
python-untangle
python-uritemplate
python-url-normalize
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmlschema
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-llvm-translator
spirv-llvm15-translator
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vc-intrinsics
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base
a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
alsa-sof-firmware
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
cjson
ck
clang15
cldr-emoji-annotation
clinfo
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpufrequtils
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dhcpcd
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
erofs-utils
evemu
execstack
exempi
exiv2
expected
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fdupes
fence-virt
fetchmail
fftw
filebench
fio
firewalld
flac
flashrom
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fwupd
fwupd-efi
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
gi-docgen
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
igt-gpu-tools
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
incron
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-compute-runtime
intel-gmmlib
intel-igc
intel-ipsec-mb
intel-level-zero
intel-media-driver
intel-metee
intel-opencl-clang
intel-vpl-gpu-rt
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kernel-srpm-macros
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcbor
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libclc
libcli
libcmis
libcmpiutil
libcomps
libcroco
libcxx
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbusmenu
libdc1394
libdecor
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libei
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjaylink
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmamba
libmd
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusb1
libusbmuxd
libuser
libva-utils
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpl
libvpx
libwacom
libwebsockets
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libxcvt
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
lksctp-tools
lld15
lldpd
llvm15
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunitx
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lxc
lxcfs
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-parent
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-demos
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip-ng
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mosh
mosquitto
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
needrestart
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
openbox
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
paho-c
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
passim
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Refcount
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-TreeCreate
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Match-Simple
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Infix
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Type-Tiny
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-apcu
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-pom
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-apscheduler
python-archspec
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-backoff
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-boltons
python-breathe
python-cached_property
python-cbor2
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-libmamba-solver
python-conda-package-handling
python-conda-package-streaming
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-elementpath
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flaky
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-iniconfig
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-jsonschema-specifications
python-junit_xml
python-junitxml
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-menuinst
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paho-mqtt
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-prometheus_client
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyproject-api
python-pyproject-metadata
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-referencing
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmautospec-core
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-shortuuid
python-should_dsl
python-simpleline
python-slip
python-smartypants
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jquery
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sphinxygen
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-typogrify
python-tzlocal
python-uamqp
python-unittest2
python-untangle
python-uritemplate
python-url-normalize
python-urwid
python-uswid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmlschema
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstandard
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
reproc
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-sys-filesystem
rubygem-thread_order
rusers
rust-cbindgen
s-nail
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
sdl12-compat
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
shim-unsigned-aarch64
shim-unsigned-x64
simdjson
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
spdlog
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-llvm-translator
spirv-llvm15-translator
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stress-ng
strongswan
stunnel
subscription-manager
subunit
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
umockdev
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vc-intrinsics
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-server-Xwayland
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
yq
z3
zenity
zerofree
zfs-fuse
zipper
zix
zopfli
zziplib |
 | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq |
 | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
 | Intel | [MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | cluster-agent
device-discovery
edge-release
edge-repos
edge-rpm-macros
hardware-discovery-agent
inbm
intel-idv-services
intel-igsc
intel-lms
intel-npu-firmware
intel-xpu-smi
node-agent
nvidia-data-center-driver
os-update
otelcol-contrib
persistent-mount
platform-manageability-agent
platform-observability-agent
platform-telemetry-agent
platform-update-agent
python-snoop
reporting-agent
rpc
tink-worker
tpm-cryptsetup
tpm2-initramfs-tool |
 | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
-| Microsoft | [Microsoft MIT License](https://github.com/microsoft/azurelinux/blob/3.0/LICENSES-AND-NOTICES/LICENSE.md) | alsa-lib
application-gateway-kubernetes-ingress
asc
azcopy
azl-otel-collector
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cloud-provider-kubevirt
cmake-fedora
containerd
containerd2
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
edk2-hvloader-signed
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-mshv-signed
kernel-rt
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libutempter
libuv
libxml++
linuxptp
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
xterm
zstd |
+| Microsoft | [Microsoft MIT License](https://github.com/microsoft/azurelinux/blob/3.0/LICENSES-AND-NOTICES/LICENSE.md) | alsa-lib
application-gateway-kubernetes-ingress
asc
azcopy
azl-otel-collector
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-image-tools
azurelinux-sysinfo
bazel
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cloud-provider-kubevirt
cmake-fedora
containerd2
core-packages
coredns
dasel
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
edk2-hvloader-signed
elfutils
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-mshv-signed
kernel-rt
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libutempter
libuv
libvirt
libxml++
linuxptp
lld
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tardev-snapshotter
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
xterm
zstd |
 | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
 | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
 | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | fwctl-signed
ibarr
ibsim
iser-signed
isert-signed
knem-modules-signed
libnvidia-container
mlnx-ethtool
mlnx-iproute2
mlnx-nfsrdma-signed
mlnx-tools
mlx-steering-dump
multiperf
nvidia-container-toolkit
ofed-docs
ofed-scripts
perftest
rshim
sockperf
xpmem-modules-signed |
@@ -19,7 +19,7 @@ The Edge Microvisor Toolkit SPEC files originated from a variety of sources with
 | OpenEuler | [BSD-3 License](https://github.com/pytorch/pytorch/blob/master/LICENSE) | pytorch |
 | OpenMamba | [Openmamba GPLv2 License](https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt) | bash-completion |
 | OpenSUSE | Following [openSUSE guidelines](https://en.opensuse.org/openSUSE:Specfile_guidelines#Specfile_Licensing) | ant
ant-junit
antlr
aopalliance
apache-commons-beanutils
apache-commons-cli
apache-commons-codec
apache-commons-collections
apache-commons-collections4
apache-commons-compress
apache-commons-daemon
apache-commons-dbcp
apache-commons-digester
apache-commons-httpclient
apache-commons-io
apache-commons-jexl
apache-commons-lang
apache-commons-lang3
apache-commons-logging
apache-commons-net
apache-commons-pool
apache-commons-pool2
apache-commons-validator
apache-commons-vfs2
apache-parent
args4j
atinject
base64coder
bcel
bea-stax
beust-jcommander
bsf
byaccj
cal10n
cdparanoia
cglib
cni
containerized-data-importer
cpulimit
cri-o
ecj
fillup
flux
gd
geronimo-specs
glassfish-annotation-api
gnu-getopt
gnu-regexp
golang-packaging
guava
hamcrest
hawtjni-runtime
httpcomponents-core
influx-cli
influxdb
jakarta-taglibs-standard
jansi
jarjar
java-cup
java-cup-bootstrap
javacc
javacc-bootstrap
javassist
jboss-interceptors-1.2-api
jdepend
jflex
jflex-bootstrap
jlex
jline
jna
jsch
jsoup
jsr-305
jtidy
junit
junitperf
jzlib
kubevirt
kured
libcontainers-common
libtheora
libva
libvdpau
lynx
multus
objectweb-anttask
objectweb-asm
objenesis
oro
osgi-annotation
osgi-compendium
osgi-core
patterns-ceph-containers
plexus-classworlds
plexus-interpolation
plexus-utils
proj
psl-make-dafsa
publicsuffix
qdox
regexp
relaxngDatatype
rhino
ripgrep
servletapi4
servletapi5
shapelib
slf4j
trilead-ssh2
virtiofsd
xalan-j2
xbean
xcursor-themes
xerces-j2
xml-commons-apis
xml-commons-resolver
xmldb-api
xmlrpc-c
xmlunit
xpp2
xpp3
xz-java | -| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-utils
ansible
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
cairo
cassandra
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni-plugins
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
curl
cyrus-sasl
cyrus-sasl-bootstrap
dbus
dbus-glib
dejagnu
device-mapper-multipath
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
emacs
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
git-lfs
glib
glib-networking
glibc
glibmm
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
golang-1.23
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-64k
kernel-headers
kernel-lpg-innovate
kernel-uvm
keyutils
kmod
krb5
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++30
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
nvme-cli
oniguruma
OpenIPMI
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
polkit
popt
postgresql
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pyOpenSSL
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-bcrypt
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-gevent
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-requests
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx-theme-alabaster
python-twisted
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-event
python-zope-interface
python3
pytz
PyYAML
rapidjson
readline
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rust
rust-1.75
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd-bootstrap
systemtap
tar
tboot
tcl
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-pkcs11
tpm2-pytss
tpm2-tools
tpm2-tss
traceroute
tree
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
which
wpa_supplicant
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | +| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-utils
ansible
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
cairo
cassandra
cassandra-driver
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni-plugins
coreutils
cpio
cppunit
cqlsh
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
curl
cyrus-sasl
cyrus-sasl-bootstrap
dbus
dbus-glib
dejagnu
device-mapper-multipath
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
emacs
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
git-lfs
glib
glib-networking
glibc
glibmm
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
golang-1.23
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-64k
kernel-headers
kernel-lpg-innovate
kernel-uvm
keyutils
kmod
krb5
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++30
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
nvme-cli
oniguruma
OpenIPMI
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
polkit
popt
postgresql
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pyOpenSSL
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-bcrypt
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-geomet
python-gevent
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-requests
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx-theme-alabaster
python-twisted
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-event
python-zope-interface
python3
pytz
PyYAML
rapidjson
readline
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rust
rust-1.75
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd-bootstrap
systemtap
tar
tboot
tcl
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-pkcs11
tpm2-pytss
tpm2-tools
tpm2-tss
traceroute
tree
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
which
wpa_supplicant
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | | RPM software management source | [GPLv2+ License](https://github.com/rpm-software-management/dnf5/blob/main/COPYING.md) | dnf5 | | Source project | Same as the source project. | python-nocaselist
yq | | Sysbench source | [GPLv2+ License](https://github.com/akopytov/sysbench/blob/master/COPYING) | sysbench | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index d807c57edb..f069ffbb1e 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -103,7 +103,6 @@ "byacc", "ca-certificates", "cachefilesd", - "caddy", "cairomm", "calamares", "capnproto", @@ -148,7 +147,6 @@ "conntrack-tools", "console-setup", "container-exception-logger", - "containernetworking-plugins", "convmv", "corosync", "corosync-qdevice", @@ -915,6 +913,7 @@ "man-pages-ru", "man-pages-zh-CN", "mandoc", + "mariadb", "mariadb-connector-c", "mariadb-connector-odbc", "marisa", @@ -1575,6 +1574,7 @@ "perl-Tie-IxHash", "perl-TimeDate", "perl-Tree-DAG_Node", + "perl-Type-Tiny", "perl-Unicode-EastAsianWidth", "perl-Unicode-LineBreak", "perl-Unicode-Map8", @@ -1651,7 +1651,6 @@ "pptp", "priv_wrapper", "procmail", - "prometheus", "prometheus-node-exporter", "ps_mem", "psacct", @@ -1770,6 +1769,7 @@ "python-isort", "python-itsdangerous", "python-jsonschema-specifications", + "python-junit_xml", "python-junitxml", "python-justbases", "python-justbytes", @@ -2042,7 +2042,7 @@ "scotch", "screen", "scrub", - "SDL", + "sdl12-compat", "SDL2", "SDL_sound", "sdparm", @@ -2096,6 +2096,7 @@ "star", "startup-notification", "stress-ng", + "strongswan", "stunnel", "subscription-manager", "subunit", @@ -2253,6 +2254,7 @@ "zerofree", "zfs-fuse", "zipper", + "zix", "zopfli", "zziplib" ] @@ -2319,9 +2321,9 @@ "azure-iot-sdk-c", "azure-nvme-utils", "azure-storage-cpp", + "azurelinux-image-tools", "azurelinux-sysinfo", "bazel", - "blobfuse2", "bmon", "bpftrace", "ccache", @@ -2332,9 +2334,10 @@ "cloud-hypervisor-cvm", "cloud-provider-kubevirt", "cmake-fedora", - "containerd", "containerd2", + "core-packages", "coredns", + "dasel", "dcos-cli", "debugedit", "dejavu-fonts", 
@@ -2345,6 +2348,7 @@ "doxygen", "dtc", "edk2-hvloader-signed", + "elfutils", "elixir", "espeak-ng", "espeakup", @@ -2358,8 +2362,6 @@ "grub2-efi-binary-signed", "GSL", "gtk-update-icon-cache", - "helm", - "ig", "intel-pf-bb-config", "ivykis", "jsonbuilder", @@ -2386,10 +2388,10 @@ "libsafec", "libutempter", "libuv", + "libvirt", "libxml++", "linuxptp", "lld", - "local-path-provisioner", "lsb-release", "ltp", "lttng-consume", @@ -2401,7 +2403,6 @@ "networkd-dispatcher", "nlohmann-json", "nmap", - "node-problem-detector", "ntopng", "opentelemetry-cpp", "packer", @@ -2444,14 +2445,9 @@ "rocksdb", "rubygem-addressable", "rubygem-asciidoctor", - "rubygem-async", - "rubygem-async-http", - "rubygem-async-io", - "rubygem-async-pool", "rubygem-bindata", "rubygem-concurrent-ruby", "rubygem-connection_pool", - "rubygem-console", "rubygem-cool.io", "rubygem-deep_merge", "rubygem-digest-crc", @@ -2468,7 +2464,6 @@ "rubygem-faraday-multipart", "rubygem-faraday-net_http", "rubygem-faraday-net_http_persistent", - "rubygem-faraday-patron", "rubygem-faraday-rack", "rubygem-faraday-retry", "rubygem-ffi", @@ -2530,6 +2525,7 @@ "SymCrypt", "SymCrypt-OpenSSL", "systemd-boot-signed", + "tardev-snapshotter", "tensorflow", "tinyxml2", "toml11", @@ -2755,6 +2751,7 @@ "c-ares", "cairo", "cassandra", + "cassandra-driver", "cdrkit", "check", "chkconfig", @@ -2765,10 +2762,10 @@ "cloud-utils-growpart", "cmake", "cni-plugins", - "core-packages", "coreutils", "cpio", "cppunit", + "cqlsh", "cracklib", "crash", "crash-gcore-command", @@ -2796,7 +2793,6 @@ "ed", "efibootmgr", "efivar", - "elfutils", "emacs", "erlang", "etcd", @@ -2941,7 +2937,6 @@ "libunistring", "libunwind", "libusb", - "libvirt", "libwebp", "libxml2", "libxslt", @@ -2968,7 +2963,6 @@ "make", "man-db", "man-pages", - "mariadb", "maven", "mc", "mercurial", @@ -3071,6 +3065,7 @@ "python-docopt", "python-docutils", "python-ecdsa", + "python-geomet", "python-gevent", "python-hyperlink", "python-hypothesis", 
@@ -3150,7 +3145,6 @@ "sqlite", "sshpass", "strace", - "strongswan", "subversion", "sudo", "swig", diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec index a870233630..40201181fd 100644 --- a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec +++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec @@ -68,7 +68,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (%{variant}) Name: 389-ds-base Version: 3.1.1 -Release: 3%{?dist} +Release: 6%{?dist} License: GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0 URL: https://www.port389.org Vendor: Microsoft Corporation @@ -732,10 +732,19 @@ exit 0 %endif %changelog -* Mon Apr 21 2025 Kavya Sree Kaitepalli 3.1.1-3 +* Mon Jul 21 2025 Jyoti Kanase - 3.1.1-6 +- Bump release to rebuild with rust + +* Fri Jun 13 2025 Kavya Sree Kaitepalli - 3.1.1-5 +- Bump release to rebuild with rust + +* Wed May 14 2025 Kavya Sree Kaitepalli - 3.1.1-4 +- Bump release to rebuild with rust 1.86.0 + +* Mon Apr 21 2025 Kavya Sree Kaitepalli - 3.1.1-3 - Bump release to build with rust 1.85.0 -* Fri Sep 20 2024 Muhammad Falak 3.1.0-2 +* Fri Sep 20 2024 Muhammad Falak - 3.1.0-2 - Initial Azure Linux import from Fedora 42 (license: MIT) - License verified diff --git a/SPECS-EXTENDED/PyGreSQL/PyGreSQL.signatures.json b/SPECS-EXTENDED/PyGreSQL/PyGreSQL.signatures.json index a0a9a5e5ec..b9d5067679 100644 --- a/SPECS-EXTENDED/PyGreSQL/PyGreSQL.signatures.json +++ b/SPECS-EXTENDED/PyGreSQL/PyGreSQL.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "PyGreSQL-5.2.2.tar.gz": "8c6c56f95cf08337075be0930a1d28333624ebcd6180cf888c59d3e2887f32ce" + "PyGreSQL-6.0.1.tar.gz": "57e44af29c7443641ca65e549e568848946f937597cf19064bbfadc4e5e53bfb" } } diff --git a/SPECS-EXTENDED/PyGreSQL/PyGreSQL.spec b/SPECS-EXTENDED/PyGreSQL/PyGreSQL.spec index ca5196064b..8a9b2c752f 100644 --- a/SPECS-EXTENDED/PyGreSQL/PyGreSQL.spec +++ b/SPECS-EXTENDED/PyGreSQL/PyGreSQL.spec @@ -1,16 +1,18 @@ +%global with_tests 0 + Vendor: Microsoft Corporation Distribution: Azure Linux %global srcname PyGreSQL Name: %{srcname} -Version: 5.2.2 -Release: 3%{?dist} +Version: 6.0.1 +Release: 1%{?dist} Summary: Python client library for PostgreSQL URL: http://www.pygresql.org/ License: PostgreSQL -Source0: https://github.com/PyGreSQL/%{name}/archive/%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/PyGreSQL/%{name}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: gcc BuildRequires: libpq-devel @@ -58,12 +60,18 @@ find -type f -exec chmod 644 {} + %files -n python3-pygresql %license docs/copyright.rst %doc docs/*.rst -%{python3_sitearch}/*.so -%{python3_sitearch}/*.py -%{python3_sitearch}/__pycache__/*.py{c,o} +%{python3_sitearch}/pg/*.so +%{python3_sitearch}/pg/*.py +%{python3_sitearch}//pg/__pycache__/*.py{c,o} +%{python3_sitearch}/pg/_pg.pyi +%{python3_sitearch}/pg/py.typed +%{python3_sitearch}/pgdb/*.py +%{python3_sitearch}/pgdb/__pycache__/*.py{c,o} +%{python3_sitearch}/pgdb/py.typed %{python3_sitearch}/*.egg-info - +# Requires postgresql-test-rpm-macros which is not provided by postgresql in Azure Linux. +%if 0%{?with_tests} %check %postgresql_tests_run @@ -76,9 +84,12 @@ dbport = $PGPORT EOF %{__python3} setup.py test - +%endif %changelog +* Wed Sep 25 2024 jyoti kanase - 6.0.1-1 +- Update to 6.0.1 + * Thu Aug 31 2023 Pawel Winogrodzki - 5.2.2-3 - Disabling missing test dependency. - License verified. 
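Review bot: `%global with_tests 0` at the top of PyGreSQL.spec hard-disables `%check` (gated by `%if 0%{?with_tests}` in the `@@ -58,12 +60,18 @@` hunk and closed by `%endif` in the `@@ -76,9 +84,12 @@` hunk), so the 5.2.2 to 6.0.1 major update builds a compiled extension that nothing exercises at build time. The updated hash in PyGreSQL.signatures.json only pins which tarball is fetched; it says nothing about whether the built module loads. Using `%bcond_with tests` with `%if %{with tests}` would keep the default off while letting a builder opt in with `--with tests`. A database-free smoke step outside the conditional, for example `PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -c 'import pg, pgdb'`, would still catch a broken install layout. The changelog entry `- Update to 6.0.1` should also record that the test section is gated off.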
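Review bot: The added `%files` entry `%{python3_sitearch}//pg/__pycache__/*.py{c,o}` in the `@@ -58,12 +60,18 @@` hunk has a doubled slash that the matching `pgdb` line does not; it should read `%{python3_sitearch}/pg/__pycache__/*.py{c,o}`. The build presumably tolerates the extra separator, but the two lines should be written the same way. Because every entry is a file glob, the `pg/`, `pgdb/` and `__pycache__/` directories themselves appear to be left unowned by the package. Listing `%{python3_sitearch}/pg/` and `%{python3_sitearch}/pgdb/` instead would own the directories and avoid enumerating `_pg.pyi` and `py.typed` by hand.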
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.10-GrabNotViewable.patch b/SPECS-EXTENDED/SDL/SDL-1.2.10-GrabNotViewable.patch deleted file mode 100644 index 128cf3510d..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.10-GrabNotViewable.patch +++ /dev/null @@ -1,22 +0,0 @@ -Makes SDL-1.2 SDL_WM_GrabInput() non-blocking in case of SDL window is not -viewable. Patch provided by . -See . - ---- ./src/video/x11/SDL_x11wm.c 2007-12-31 04:48:13.000000000 +0000 -+++ ./src/video/x11/SDL_x11wm.c 2009-01-15 10:27:14.000000000 +0000 -@@ -351,13 +351,14 @@ SDL_GrabMode X11_GrabInputNoLock(_THIS, - result = XGrabPointer(SDL_Display, SDL_Window, True, 0, - GrabModeAsync, GrabModeAsync, - SDL_Window, None, CurrentTime); -- if ( result == GrabSuccess ) { -+ if ( result == GrabSuccess || result == GrabNotViewable ) { - break; - } - SDL_Delay(100); - } - if ( result != GrabSuccess ) { - /* Uh, oh, what do we do here? */ ; -+ return(SDL_GRAB_OFF); - } - /* Now grab the keyboard */ - XGrabKeyboard(SDL_Display, WMwindow, True, diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.12-multilib.patch b/SPECS-EXTENDED/SDL/SDL-1.2.12-multilib.patch deleted file mode 100644 index 29e6319eb0..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.12-multilib.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff -up SDL-1.2.12/sdl-config.in.multilib SDL-1.2.12/sdl-config.in ---- SDL-1.2.12/sdl-config.in.multilib 2007-07-20 07:52:45.000000000 +0200 -+++ SDL-1.2.12/sdl-config.in 2007-11-06 17:07:25.000000000 +0100 -@@ -3,7 +3,6 @@ - prefix=@prefix@ - exec_prefix=@exec_prefix@ - exec_prefix_set=no --libdir=@libdir@ - - @ENABLE_STATIC_FALSE@usage="\ - @ENABLE_STATIC_FALSE@Usage: sdl-config [--prefix[=DIR]] [--exec-prefix[=DIR]] [--version] [--cflags] [--libs]" -@@ -45,11 +44,11 @@ while test $# -gt 0; do - echo -I@includedir@/SDL @SDL_CFLAGS@ - ;; - @ENABLE_SHARED_TRUE@ --libs) --@ENABLE_SHARED_TRUE@ echo -L@libdir@ @SDL_RLD_FLAGS@ @SDL_LIBS@ -+@ENABLE_SHARED_TRUE@ echo @SDL_RLD_FLAGS@ @SDL_LIBS@ - @ENABLE_SHARED_TRUE@ ;; - @ENABLE_STATIC_TRUE@@ENABLE_SHARED_TRUE@ --static-libs) - @ENABLE_STATIC_TRUE@@ENABLE_SHARED_FALSE@ --libs|--static-libs) --@ENABLE_STATIC_TRUE@ echo -L@libdir@ @SDL_RLD_FLAGS@ @SDL_STATIC_LIBS@ -+@ENABLE_STATIC_TRUE@ echo @SDL_RLD_FLAGS@ @SDL_STATIC_LIBS@ - @ENABLE_STATIC_TRUE@ ;; - *) - echo "${usage}" 1>&2 diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch deleted file mode 100644 index 13fa7860ea..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -changeset: 12960:ad1bbfbca760 -branch: SDL-1.2 -parent: 12914:87d60cae0273 -user: Ozkan Sezer -date: Tue Jul 30 21:30:24 2019 +0300 -summary: Fixed bug 4538 - validate image size when loading BMP files - -diff -r 87d60cae0273 -r ad1bbfbca760 src/video/SDL_bmp.c ---- a/src/video/SDL_bmp.c Tue Jun 18 23:31:40 2019 +0100 -+++ b/src/video/SDL_bmp.c Tue Jul 30 21:30:24 2019 +0300 -@@ -143,6 +143,11 @@ - (void) biYPelsPerMeter; - (void) biClrImportant; - -+ if (biWidth <= 0 || biHeight == 0) { -+ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); -+ was_error = SDL_TRUE; -+ goto done; -+ } - if (biHeight < 0) { - topDown = SDL_TRUE; - biHeight = -biHeight; - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch deleted file mode 100644 index 0f242be4e4..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 14 Feb 2019 16:51:54 +0100 -Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If an IMA ADPCM block contained an initial index out of step table -range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used -this bogus value and that lead to a buffer overread. - -This patch fixes it by moving clamping the index value at the -beginning of IMA_ADPCM_nibble() function instead of the end after -an update. - -CVE-2019-7572 -https://bugzilla.libsdl.org/show_bug.cgi?id=4495 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 2968b3d..69d62dc 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) - }; - Sint32 delta, step; - -+ /* Clamp index value. The inital value can be invalid. */ -+ if ( state->index > 88 ) { -+ state->index = 88; -+ } else -+ if ( state->index < 0 ) { -+ state->index = 0; -+ } -+ - /* Compute difference and new sample value */ - step = step_table[state->index]; - delta = step >> 3; -@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) - - /* Update index value */ - state->index += index_table[nybble]; -- if ( state->index > 88 ) { -- state->index = 88; -- } else -- if ( state->index < 0 ) { -- state->index = 0; -- } - - /* Clamp output sample */ - if ( state->sample > max_audioval ) { --- -2.20.1 - 
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch deleted file mode 100644 index 2c17831dfc..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 15 Feb 2019 09:21:45 +0100 -Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If data chunk was longer than expected based on a WAV format -definition, IMA_ADPCM_decode() tried to write past the output -buffer. This patch fixes it. - -Based on patch from -. - -CVE-2019-7572 -https://bugzilla.libsdl.org/show_bug.cgi?id=4495 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 69d62dc..91e89e8 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, - static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct IMA_ADPCM_decodestate *state; -- Uint8 *freeable, *encoded, *encoded_end, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; - Sint32 encoded_len, samplesleft; - unsigned int c, channels; - -@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - return(-1); - } - decoded = *audio_buf; -+ decoded_end = decoded + *audio_len; - - /* Get ready... Go! 
*/ - while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { -@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - } - - /* Store the initial sample we start with */ -+ if (decoded + 2 > decoded_end) goto invalid_size; - decoded[0] = (Uint8)(state[c].sample&0xFF); - decoded[1] = (Uint8)(state[c].sample>>8); - decoded += 2; -@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - while ( samplesleft > 0 ) { - for ( c=0; c encoded_end) goto invalid_size; -+ if (decoded + 4 * 4 * channels > decoded_end) -+ goto invalid_size; - Fill_IMA_ADPCM_block(decoded, encoded, - c, channels, &state[c]); - encoded += 4; --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch deleted file mode 100644 index 767a3b2074..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 15 Feb 2019 10:36:13 +0100 -Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in - InitMS_ADPCM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7573 -https://bugzilla.libsdl.org/show_bug.cgi?id=4491 -CVE-2019-7576 -https://bugzilla.libsdl.org/show_bug.cgi?id=4490 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 91e89e8..1d446ed 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder { - struct MS_ADPCM_decodestate state[2]; - } MS_ADPCM_state; - --static int InitMS_ADPCM(WaveFMT *format) -+static int InitMS_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - int i; - - /* Set the rogue pointer to the MS_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); -@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format) - MS_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 4 > rogue_feel_end) goto too_short; - MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.wNumCoef = 
((rogue_feel[1]<<8)|rogue_feel[0]); -@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format) - return(-1); - } - for ( i=0; i rogue_feel_end) goto too_short; - MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]); - rogue_feel += sizeof(Uint16); - } - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format"); -+ return(-1); - } - - static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, -@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, - break; - case MS_ADPCM_CODE: - /* Try to understand this */ -- if ( InitMS_ADPCM(format) < 0 ) { -+ if ( InitMS_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch deleted file mode 100644 index 0bae80ff87..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 14 Feb 2019 15:41:47 +0100 -Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If data chunk was shorter than expected based on a WAV format -definition, IMA_ADPCM_decode() tried to read past the data chunk -buffer. This patch fixes it. - -CVE-2019-7574 -https://bugzilla.libsdl.org/show_bug.cgi?id=4496 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index b6c49de..2968b3d 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded, - static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct IMA_ADPCM_decodestate *state; -- Uint8 *freeable, *encoded, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded; - Sint32 encoded_len, samplesleft; - unsigned int c, channels; - -@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; -+ encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * - IMA_ADPCM_state.wSamplesPerBlock* -@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ - for ( c=0; c encoded_end) goto invalid_size; - /* Fill the state information for this block */ - state[c].sample = ((encoded[1]<<8)|encoded[0]); - encoded += 2; -@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - 
samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels; - while ( samplesleft > 0 ) { - for ( c=0; c encoded_end) goto invalid_size; - Fill_IMA_ADPCM_block(decoded, encoded, - c, channels, &state[c]); - encoded += 4; -@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - } - SDL_free(freeable); - return(0); -+invalid_size: -+ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch deleted file mode 100644 index 53965aa2f2..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 14 Feb 2019 14:51:52 +0100 -Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk -is longer, decoding continued past the output audio buffer. - -This fix is based on a patch from -. - -https://bugzilla.libsdl.org/show_bug.cgi?id=4493 -CVE-2019-7575 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index e42d01c..b6c49de 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, - static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct MS_ADPCM_decodestate *state[2]; -- Uint8 *freeable, *encoded, *encoded_end, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end; - Sint32 encoded_len, samplesleft; - Sint8 nybble, stereo; - Sint16 *coeff[2]; -@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - return(-1); - } - decoded = *audio_buf; -+ decoded_end = decoded + *audio_len; - - /* Get ready... Go! */ - stereo = (MS_ADPCM_state.wavefmt.channels == 2); -@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - state[1] = &MS_ADPCM_state.state[stereo]; - while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ -- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short; -+ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto invalid_size; - state[0]->hPredictor = *encoded++; - if ( stereo ) { - state[1]->hPredictor = *encoded++; -@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor]; - - /* Store the two initial samples we start with */ -+ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size; - decoded[0] = state[0]->iSamp2&0xFF; - decoded[1] = state[0]->iSamp2>>8; - decoded += 2; -@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* - MS_ADPCM_state.wavefmt.channels; - while ( samplesleft > 0 ) { -- if (encoded + 1 > encoded_end) goto too_short; -+ if (encoded + 1 > encoded_end) goto invalid_size; -+ if (decoded + 4 > decoded_end) goto invalid_size; - - nybble = (*encoded)>>4; - new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); -@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - } - SDL_free(freeable); - return(0); --too_short: -- SDL_SetError("Too short chunk for a MS ADPCM decoder"); -+invalid_size: -+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder"); - SDL_free(freeable); - return(-1); - } --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch deleted file mode 100644 index 23cbf98192..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Thu, 14 Feb 2019 14:12:22 +0100 -Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If RIFF/WAV data chunk length is shorter then expected for an audio -format defined in preceeding RIFF/WAV format headers, a buffer -overread can happen. - -This patch fixes it by checking a MS ADPCM data to be decoded are not -past the initialized buffer. - -CVE-2019-7577 -Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index b4ad6c7..e42d01c 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state, - static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - { - struct MS_ADPCM_decodestate *state[2]; -- Uint8 *freeable, *encoded, *decoded; -+ Uint8 *freeable, *encoded, *encoded_end, *decoded; - Sint32 encoded_len, samplesleft; - Sint8 nybble, stereo; - Sint16 *coeff[2]; -@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - /* Allocate the proper sized output buffer */ - encoded_len = *audio_len; - encoded = *audio_buf; -+ encoded_end = encoded + encoded_len; - freeable = *audio_buf; - *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) * - MS_ADPCM_state.wSamplesPerBlock* -@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - state[1] = &MS_ADPCM_state.state[stereo]; - while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) { - /* Grab the initial information for this block */ -+ if (encoded + 7 + (stereo ? 
7 : 0) > encoded_end) goto too_short; - state[0]->hPredictor = *encoded++; - if ( stereo ) { - state[1]->hPredictor = *encoded++; -@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)* - MS_ADPCM_state.wavefmt.channels; - while ( samplesleft > 0 ) { -+ if (encoded + 1 > encoded_end) goto too_short; -+ - nybble = (*encoded)>>4; - new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]); - decoded[0] = new_sample&0xFF; -@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len) - } - SDL_free(freeable); - return(0); -+too_short: -+ SDL_SetError("Too short chunk for a MS ADPCM decoder"); -+ SDL_free(freeable); -+ return(-1); - } - - struct IMA_ADPCM_decodestate { --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch deleted file mode 100644 index 06b429cb6d..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Tue, 12 Mar 2019 16:21:41 +0100
-Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
- MS_ADPCM_decode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
-predictor (a valid predictor's value is between 0 and 6 inclusive),
-a buffer overread can happen when the predictor is used as an index
-into an array of MS ADPCM coefficients.
-
-The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
-MS_ADPCM_decode() and later when dereferencing a coef pointer in
-MS_ADPCM_nibble().
-
-This patch fixes it by checking the MS ADPCM predictor values fit
-into the valid range.
-
-CVE-2019-7577
-Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
-
-Signed-off-by: Petr Písař
----
- src/audio/SDL_wave.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
-index 08f65cb..5f93651 100644
---- a/src/audio/SDL_wave.c
-+++ b/src/audio/SDL_wave.c
-@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
- if ( stereo ) {
- state[1]->hPredictor = *encoded++;
- }
-+ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
-+ goto invalid_predictor;
-+ }
- state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
- encoded += sizeof(Sint16);
- if ( stereo ) {
-@@ -227,6 +230,10 @@ invalid_size:
- SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
- SDL_free(freeable);
- return(-1);
-+invalid_predictor:
-+ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
-+ SDL_free(freeable);
-+ return(-1);
- }
-
- struct IMA_ADPCM_decodestate {
---
-2.20.1
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
deleted file mode 100644
index b0a89de20d..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Fri, 15 Feb 2019 10:56:59 +0100 -Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it -could read past the end of chunk data. This patch fixes it. - -CVE-2019-7578 -https://bugzilla.libsdl.org/show_bug.cgi?id=4494 - -Signed-off-by: Petr Písař ---- - src/audio/SDL_wave.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c -index 1d446ed..08f65cb 100644 ---- a/src/audio/SDL_wave.c -+++ b/src/audio/SDL_wave.c -@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder { - struct IMA_ADPCM_decodestate state[2]; - } IMA_ADPCM_state; - --static int InitIMA_ADPCM(WaveFMT *format) -+static int InitIMA_ADPCM(WaveFMT *format, int length) - { -- Uint8 *rogue_feel; -+ Uint8 *rogue_feel, *rogue_feel_end; - - /* Set the rogue pointer to the IMA_ADPCM specific data */ -+ if (length < sizeof(*format)) goto too_short; - IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding); - IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels); - IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency); -@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format) - IMA_ADPCM_state.wavefmt.bitspersample = - SDL_SwapLE16(format->bitspersample); - rogue_feel = (Uint8 *)format+sizeof(*format); -+ rogue_feel_end = (Uint8 *)format + length; - if ( sizeof(*format) == 16 ) { - rogue_feel += sizeof(Uint16); - } -+ if (rogue_feel + 2 > rogue_feel_end) goto too_short; - IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]); - return(0); -+too_short: -+ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format"); -+ return(-1); - } - - static Sint32 
IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble) -@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc, - break; - case IMA_ADPCM_CODE: - /* Try to understand this */ -- if ( InitIMA_ADPCM(format) < 0 ) { -+ if ( InitIMA_ADPCM(format, lenread) < 0 ) { - was_error = 1; - goto done; - } --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch deleted file mode 100644 index fb899d5f33..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From beef32b0e510371f3c968d22a1e3d48abbf366c6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Tue, 19 Feb 2019 14:52:52 +0100 -Subject: [PATCH] CVE-2019-7635: Reject BMP images with pixel colors out the - palette -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors -than the palette offers an SDL_Surface with a palette of the indicated -number of used colors is created. If some of the image's pixel -refer to a color number higher then the maximal used colors, a subsequent -bliting operation on the surface will look up a color past a blit map -(that is based on the palette) memory. I.e. passing such SDL_Surface -to e.g. an SDL_DisplayFormat() function will result in a buffer overread in -a blit function. - -This patch fixes it by validing each pixel's color to be less than the -maximal color number in the palette. A validation failure raises an -error from a SDL_LoadBMP_RW() function. 
- -CVE-2019-7635 -https://bugzilla.libsdl.org/show_bug.cgi?id=4498 - -Signed-off-by: Petr Písař ---- - src/video/SDL_bmp.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c -index 3accded..8eadc5f 100644 ---- a/src/video/SDL_bmp.c -+++ b/src/video/SDL_bmp.c -@@ -300,6 +300,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - } - *(bits+i) = (pixel>>shift); - pixel <<= ExpandBMP; -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } - } } - break; - -@@ -310,6 +316,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) - was_error = SDL_TRUE; - goto done; - } -+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { -+ for ( i=0; iw; ++i ) { -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } -+ } -+ } - #if SDL_BYTEORDER == SDL_BIG_ENDIAN - /* Byte-swap the pixels if needed. Note that the 24bpp - case has already been taken care of above. */ --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch deleted file mode 100644 index 44197df638..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From cc50d843089c8cf386c3e0f9cb2fae0b258a9b7b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= -Date: Mon, 18 Feb 2019 13:53:16 +0100 -Subject: [PATCH] CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If a too large width is passed to SDL_SetVideoMode() the width travels -to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by -BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch -variable. During this arithmetics an integer overflow can happen (e.g. -the value is clamped as 65532). As a result SDL_Surface with a pitch -smaller than width * BytesPerPixel is created, too small pixel buffer -is allocated and when the SDL_Surface is processed in SDL_FillRect() -a buffer overflow occurs. - -This can be reproduced with "./graywin -width 21312312313123213213213" -command. - -This patch fixes is by using a very careful arithmetics in -SDL_CalculatePitch(). If an overflow is detected, an error is reported -back as a special 0 value. We assume that 0-width surfaces do not -occur in the wild. Since SDL_CalculatePitch() is a private function, -we can change the semantics. 
- -CVE-2019-7637 -https://bugzilla.libsdl.org/show_bug.cgi?id=4497 - -Signed-off-by: Petr Písař ---- - src/video/SDL_pixels.c | 41 +++++++++++++++++++++++++++------ - src/video/gapi/SDL_gapivideo.c | 3 +++ - src/video/nanox/SDL_nxvideo.c | 4 ++++ - src/video/ps2gs/SDL_gsvideo.c | 3 +++ - src/video/ps3/SDL_ps3video.c | 3 +++ - src/video/windib/SDL_dibvideo.c | 3 +++ - src/video/windx5/SDL_dx5video.c | 3 +++ - src/video/x11/SDL_x11video.c | 4 ++++ - 8 files changed, 57 insertions(+), 7 deletions(-) - -diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c -index 1a7fd51..44626b7 100644 ---- a/src/video/SDL_pixels.c -+++ b/src/video/SDL_pixels.c -@@ -286,26 +286,53 @@ void SDL_DitherColors(SDL_Color *colors, int bpp) - } - } - /* -- * Calculate the pad-aligned scanline width of a surface -+ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of -+ * an error. - */ - Uint16 SDL_CalculatePitch(SDL_Surface *surface) - { -- Uint16 pitch; -+ unsigned int pitch = 0; - - /* Surface should be 4-byte aligned for speed */ -- pitch = surface->w*surface->format->BytesPerPixel; -+ /* The code tries to prevent from an Uint16 overflow. 
*/; -+ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) { -+ pitch += (unsigned int)surface->w; -+ if (pitch < surface->w) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ } - switch (surface->format->BitsPerPixel) { - case 1: -- pitch = (pitch+7)/8; -+ if (pitch % 8) { -+ pitch = pitch / 8 + 1; -+ } else { -+ pitch = pitch / 8; -+ } - break; - case 4: -- pitch = (pitch+1)/2; -+ if (pitch % 2) { -+ pitch = pitch / 2 + 1; -+ } else { -+ pitch = pitch / 2; -+ } - break; - default: - break; - } -- pitch = (pitch + 3) & ~3; /* 4-byte aligning */ -- return(pitch); -+ /* 4-byte aligning */ -+ if (pitch & 3) { -+ if (pitch + 3 < pitch) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ pitch = (pitch + 3) & ~3; -+ } -+ if (pitch > 0xFFFF) { -+ SDL_SetError("A scanline is too wide"); -+ return(0); -+ } -+ return((Uint16)pitch); - } - /* - * Match an RGB value to a particular palette index -diff --git a/src/video/gapi/SDL_gapivideo.c b/src/video/gapi/SDL_gapivideo.c -index 86deadc..8a06485 100644 ---- a/src/video/gapi/SDL_gapivideo.c -+++ b/src/video/gapi/SDL_gapivideo.c -@@ -733,6 +733,9 @@ SDL_Surface *GAPI_SetVideoMode(_THIS, SDL_Surface *current, - video->w = gapi->w = width; - video->h = gapi->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Small fix for WinCE/Win32 - when activating window - SDL_VideoSurface is equal to zero, so activating code -diff --git a/src/video/nanox/SDL_nxvideo.c b/src/video/nanox/SDL_nxvideo.c -index b188e09..cbdd09a 100644 ---- a/src/video/nanox/SDL_nxvideo.c -+++ b/src/video/nanox/SDL_nxvideo.c -@@ -378,6 +378,10 @@ SDL_Surface * NX_SetVideoMode (_THIS, SDL_Surface * current, - current -> w = width ; - current -> h = height ; - current -> pitch = SDL_CalculatePitch (current) ; -+ if (!current->pitch) { -+ current = NULL; -+ goto done; -+ } - NX_ResizeImage (this, current, flags) ; - } - -diff --git a/src/video/ps2gs/SDL_gsvideo.c 
b/src/video/ps2gs/SDL_gsvideo.c -index e172c60..3290866 100644 ---- a/src/video/ps2gs/SDL_gsvideo.c -+++ b/src/video/ps2gs/SDL_gsvideo.c -@@ -479,6 +479,9 @@ static SDL_Surface *GS_SetVideoMode(_THIS, SDL_Surface *current, - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Memory map the DMA area for block memory transfer */ - if ( ! mapped_mem ) { -diff --git a/src/video/ps3/SDL_ps3video.c b/src/video/ps3/SDL_ps3video.c -index d5519e0..17848e3 100644 ---- a/src/video/ps3/SDL_ps3video.c -+++ b/src/video/ps3/SDL_ps3video.c -@@ -339,6 +339,9 @@ static SDL_Surface *PS3_SetVideoMode(_THIS, SDL_Surface * current, int width, in - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Alloc aligned mem for current->pixels */ - s_pixels = memalign(16, current->h * current->pitch); -diff --git a/src/video/windib/SDL_dibvideo.c b/src/video/windib/SDL_dibvideo.c -index 6187bfc..86ebb12 100644 ---- a/src/video/windib/SDL_dibvideo.c -+++ b/src/video/windib/SDL_dibvideo.c -@@ -675,6 +675,9 @@ SDL_Surface *DIB_SetVideoMode(_THIS, SDL_Surface *current, - video->w = width; - video->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - /* Small fix for WinCE/Win32 - when activating window - SDL_VideoSurface is equal to zero, so activating code -diff --git a/src/video/windx5/SDL_dx5video.c b/src/video/windx5/SDL_dx5video.c -index f80ca97..39fc4fc 100644 ---- a/src/video/windx5/SDL_dx5video.c -+++ b/src/video/windx5/SDL_dx5video.c -@@ -1127,6 +1127,9 @@ SDL_Surface *DX5_SetVideoMode(_THIS, SDL_Surface *current, - video->w = width; - video->h = height; - video->pitch = SDL_CalculatePitch(video); -+ if (!current->pitch) { -+ return(NULL); -+ } - - #ifndef NO_CHANGEDISPLAYSETTINGS - /* Set fullscreen mode if appropriate. 
-diff --git a/src/video/x11/SDL_x11video.c b/src/video/x11/SDL_x11video.c -index 79e60f9..45d1f79 100644 ---- a/src/video/x11/SDL_x11video.c -+++ b/src/video/x11/SDL_x11video.c -@@ -1220,6 +1220,10 @@ SDL_Surface *X11_SetVideoMode(_THIS, SDL_Surface *current, - current->w = width; - current->h = height; - current->pitch = SDL_CalculatePitch(current); -+ if (!current->pitch) { -+ current = NULL; -+ goto done; -+ } - if (X11_ResizeImage(this, current, flags) < 0) { - current = NULL; - goto done; --- -2.20.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch deleted file mode 100644 index 34d7cc0edf..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From 28b1433b4bd7982524f2418420e8cc01786df5c4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Fri, 15 Feb 2019 16:52:27 +0100
-Subject: [PATCH] CVE-2019-7638, CVE-2019-7636: Refuse loading BMP images with
- too high number of colors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a BMP file that defines more colors than can fit into
-a palette of color depth defined in the same BMP file is loaded by
-SDL_LoadBMP_RW() function, invalid number of colors is set into
-resulting SDL surface.
-
-Then if the SDL surface is passed to SDL_DisplayFormat() function to
-convert the surface format into a native video format, a buffer
-overread will happen in Map1to1() or Map1toN() function
-(CVE-2019-7638). (The choice of the mapping function depends on
-a actual video hardware.)
-
-In addition SDL_GetRGB() called indirectly from SDL_DisplayFormat()
-performs the same buffer overread (CVE-2019-7636).
-
-There is also probably a buffer overwrite when the SDL_LoadBMP_RW()
-loads colors from a file.
-
-This patch fixes it by refusing loading such badly damaged BMP files.
-
-CVE-2019-7638
-https://bugzilla.libsdl.org/show_bug.cgi?id=4500
-CVE-2019-7636
-https://bugzilla.libsdl.org/show_bug.cgi?id=4499
-
-Signed-off-by: Petr Písař
----
- src/video/SDL_bmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index d56cfd8..3accded 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- if ( palette ) {
- if ( biClrUsed == 0 ) {
- biClrUsed = 1 << biBitCount;
-+ } else if ( biClrUsed > (1 << biBitCount) ) {
-+ SDL_SetError("BMP file has an invalid number of colors");
-+ was_error = SDL_TRUE;
-+ goto done;
- }
- if ( biSize == 12 ) {
- for ( i = 0; i < (int)biClrUsed; ++i ) {
---
-2.20.1
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch deleted file mode 100644 index 95ed486e0b..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch +++ /dev/null @@ -1,41 +0,0 @@ -From b8dab2d1dae1f6fb0f2b466e2b26645d072b9aaa Mon Sep 17 00:00:00 2001 -From: Sam Lantinga -Date: Sat, 24 Mar 2018 10:15:42 -0700 -Subject: [PATCH] Fixed bug 4108 - Missing break statements in SDL_CDResume and - SDL_CDStop - -Ozkan Sezer - -Two break statements are missing in SDL_cdrom.c:SDL_CDResume() -and SDL_CDStop(), which negate the returned code from driver -and always return 0. The following patch adds those breaks. - ---HG-- -branch : SDL-1.2 ---- - src/cdrom/SDL_cdrom.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/cdrom/SDL_cdrom.c b/src/cdrom/SDL_cdrom.c -index 8f91bb1b3..fac2437e5 100644 ---- a/src/cdrom/SDL_cdrom.c -+++ b/src/cdrom/SDL_cdrom.c -@@ -285,6 +285,7 @@ int SDL_CDResume(SDL_CD *cdrom) - switch (status) { - case CD_PAUSED: - retval = SDL_CDcaps.Resume(cdrom); -+ break; - default: - retval = 0; - break; -@@ -307,6 +308,7 @@ int SDL_CDStop(SDL_CD *cdrom) - case CD_PLAYING: - case CD_PAUSED: - retval = SDL_CDcaps.Stop(cdrom); -+ break; - default: - retval = 0; - break; --- -2.17.1 - diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch deleted file mode 100644 index a590606f0c..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 70c3d0e97755e1b208ceba2ae012877797f15627 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Thu, 21 Feb 2019 10:57:41 +0100
-Subject: [PATCH] Reject 2, 3, 5, 6, 7-bpp BMP images
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BMP decoder assumes less than 8 bit depth images have 1 or 4 bits
-per pixel. No other depths are correctly translated to an 8bpp
-surface.
-
-This patch rejects loading these images.
-
-https://bugzilla.libsdl.org/show_bug.cgi?id=4498
-Signed-off-by: Petr Písař
----
- src/video/SDL_bmp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
-index 8eadc5f..758d4bb 100644
---- a/src/video/SDL_bmp.c
-+++ b/src/video/SDL_bmp.c
-@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
- ExpandBMP = biBitCount;
- biBitCount = 8;
- break;
-+ case 2:
-+ case 3:
-+ case 5:
-+ case 6:
-+ case 7:
-+ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
-+ was_error = SDL_TRUE;
-+ goto done;
- default:
- ExpandBMP = 0;
- break;
---
-2.20.1
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
deleted file mode 100644
index fdf910e03d..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -# HG changeset patch -# User Sam Lantinga -# Date 1397799374 25200 -# Thu Apr 17 22:36:14 2014 -0700 -# Branch SDL-1.2 -# Node ID 0aade9c0203f717fe4b823a176c3c040f1a709f8 -# Parent 22a7f096bb9d4d596f35a93e33608825693462b0 -Fixed bug 2325 - SDL_EnableUNICODE sometimes drops keyboard events completely - -Rafał Mużyło - -The most annoying part of this bug is that though I've found it in two separate apps, I don't have a trivial testcase for it. - -The problem seems to be a condition race, as it's triggered quite randomly (therefore it will be hard to tell whether it really gets fixed, if a probable fix is found). - -While it's specific to SDL 1.2, it seems quite similar to the problem described and fixed in http://forums.libsdl.org/viewtopic.php?p=40503. - -Now, I should start describing the problem. - -A game uses Escape to open menu (the exact key might not be important). Upon opening, it calls SDL_EnableUNICODE(1). Upon closing it calls SDL_EnableUNICODE(0). - -I have an IME running. - -Game uses SDL_PollEvent to get the events. - -If Escape is pressed repeatedly, menu is opened and closed, till it eventually freezes in open state. -"freezes" in this context means "app itself still runs, but no keyboard events are getting delivered (though - for example - mouse events still are)". "getting delivered" should mean "SDL_PollEvent is not receiving any". -If it matters, the last delivered keyboard event is a keypress, the release never arrives. - -It seems (no guarantees, due to random nature of the freeze) that unsetting XMODIFIERS (which - AFAIU - will disable IME as far as SDL is concerned) prevents the freeze, therefore the reference to that SDL2 thread. 
- -diff -r 22a7f096bb9d -r 0aade9c0203f src/video/x11/SDL_x11events.c ---- a/src/video/x11/SDL_x11events.c Sun Dec 01 00:00:17 2013 -0500 -+++ b/src/video/x11/SDL_x11events.c Thu Apr 17 22:36:14 2014 -0700 -@@ -395,6 +395,8 @@ - { - int posted; - XEvent xevent; -+ int orig_event_type; -+ KeyCode orig_keycode; - - SDL_memset(&xevent, '\0', sizeof (XEvent)); /* valgrind fix. --ryan. */ - XNextEvent(SDL_Display, &xevent); -@@ -410,9 +412,29 @@ - #ifdef X_HAVE_UTF8_STRING - /* If we are translating with IM, we need to pass all events - to XFilterEvent, and discard those filtered events immediately. */ -+ orig_event_type = xevent.type; -+ if (orig_event_type == KeyPress || orig_event_type == KeyRelease) { -+ orig_keycode = xevent.xkey.keycode; -+ } else { -+ orig_keycode = 0; -+ } - if ( SDL_TranslateUNICODE - && SDL_IM != NULL - && XFilterEvent(&xevent, None) ) { -+ if (orig_keycode) { -+ SDL_keysym keysym; -+ static XComposeStatus state; -+ char keybuf[32]; -+ -+ keysym.scancode = xevent.xkey.keycode; -+ keysym.sym = X11_TranslateKeycode(SDL_Display, xevent.xkey.keycode); -+ keysym.mod = KMOD_NONE; -+ keysym.unicode = 0; -+ if (orig_event_type == KeyPress && XLookupString(&xevent.xkey, keybuf, sizeof(keybuf), NULL, &state)) -+ keysym.unicode = (Uint8)keybuf[0]; -+ -+ SDL_PrivateKeyboard(orig_event_type == KeyPress ? SDL_PRESSED : SDL_RELEASED, &keysym); -+ } - return 0; - } - #endif diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-Use-system-glext.h.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-Use-system-glext.h.patch deleted file mode 100644 index 42c42e7e44..0000000000 --- a/SPECS-EXTENDED/SDL/SDL-1.2.15-Use-system-glext.h.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From cf8a0c3d75005436d3ed3ea0ae258cdef5b10ebe Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Mon, 14 Jan 2019 12:10:21 +0100
-Subject: [PATCH] Use system glext.h
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-mesa-18.2.6 changed GL_GLEXT_VERSION and that conflicts with the bundled
-glext.h definitions. Use system glext.h instead via GL/gl.h.
-
-Signed-off-by: Petr Písař
----
- include/SDL_opengl.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/include/SDL_opengl.h b/include/SDL_opengl.h
-index 3d791d6..3a77b11 100644
---- a/include/SDL_opengl.h
-+++ b/include/SDL_opengl.h
-@@ -33,6 +33,8 @@
- #endif
- #include
- #endif
-+/* mesa changes GL_GLEXT_VERSION, use system glext.h instead via GL/gl.h */
-+#define NO_SDL_GLEXT
- #ifndef NO_SDL_GLEXT
- #define __glext_h_ /* Don't let gl.h include glext.h */
- #endif
---
-2.17.2
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-add_sdl_config_man.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-add_sdl_config_man.patch
deleted file mode 100644
index 6cdf271dd1..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-add_sdl_config_man.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-diff -r 91ad7b43317a Makefile.in
---- a/Makefile.in Sun Jun 02 20:48:53 2013 +0600
-+++ b/Makefile.in Wed Jun 19 10:34:27 2013 +0200
-@@ -98,6 +98,11 @@
- $(SHELL) $(auxdir)/mkinstalldirs $(DESTDIR)$(libdir)/pkgconfig
- $(INSTALL) -m 644 sdl.pc $(DESTDIR)$(libdir)/pkgconfig
- install-man:
-+ $(SHELL) $(auxdir)/mkinstalldirs $(DESTDIR)$(mandir)/man1
-+ for src in $(srcdir)/docs/man1/*.1; do \
-+ file=`echo $$src | sed -e 's|^.*/||'`; \
-+ $(INSTALL) -m 644 $$src $(DESTDIR)$(mandir)/man1/$$file; \
-+ done
- $(SHELL) $(auxdir)/mkinstalldirs $(DESTDIR)$(mandir)/man3
- for src in $(srcdir)/docs/man3/*.3; do \
- file=`echo $$src | sed -e 's|^.*/||'`; \
-@@ -120,6 +125,10 @@
- rm -f $(DESTDIR)$(datadir)/aclocal/sdl.m4
- rm -f $(DESTDIR)$(libdir)/pkgconfig/sdl.pc
- uninstall-man:
-+ for src in $(srcdir)/docs/man1/*.1; do \
-+ file=`echo $$src | sed -e 's|^.*/||'`; \
-+ rm -f $(DESTDIR)$(mandir)/man1/$$file; \
-+ done
- for src in $(srcdir)/docs/man3/*.3; do \
- file=`echo $$src | sed -e 's|^.*/||'`; \
- rm -f $(DESTDIR)$(mandir)/man3/$$file; \
-diff -r 91ad7b43317a docs/man1/sdl-config.1
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/docs/man1/sdl-config.1 Wed Jun 19 10:34:27 2013 +0200
-@@ -0,0 +1,60 @@
-+.TH sdl-config 1 "2013-06-19" "SDL 1.2"
-+.SH NAME
-+sdl-config \- script to get information about the installed version of SDL
-+.SH SYNOPSIS
-+\fBsdl-config
-+[\~--prefix[=\fIDIR\fP]\~]
-+[\~--exec-prefix[=\fIDIR\fP]\~]
-+[\~--version\~] [\~--cflags\~] [\~--libs\~] [\~--static-libs\~]\fR
-+.SH DESCRIPTION
-+.B sdl-config
-+is a tool that is used to configure and determine the compiler and linker
-+flags that should be used to compile and link programs, and libraries, and
-+plugins that use SDL. It is also used internally by the m4 macros that are
-+included with SDL.
-+.SH OPTIONS
-+.TP
-+.B --cflags
-+Print the compiler flags that are necessary to compile a program or library
-+that uses SDL.
-+.TP
-+.BI --exec-prefix= DIR
-+If specified, use
-+.I DIR
-+instead of the installation exec prefix that SDL was build with when computing
-+the output for the --exec-prefix option. This option must be specified before
-+any of the --cflags, and --libs options.
-+.TP
-+.B --libs
-+Print the linker flags that are necessary to link a program that uses SDL.
-+.TP
-+.BI --prefix= DIR
-+If specified, use DIR instead of the installation prefix that SDL was built
-+with when computing the output for the --prefix, and --exec-prefix options.
-+This option is also used for the exec prefix if --exec-prefix was not
-+specified. This option must be specified before any of the --cflags, and
-+--libs options.
-+.TP
-+.B --static-libs
-+Print the linker flags that are necessary to statically link a program that uses SDL.
-+.TP
-+.B --version
-+Prints the currently installed version of SDL on standard output.
-+.SH EXAMPLES
-+.TP
-+gcc -o main.o $(sdl-config --cflags) main.c
-+is how you might use
-+.B sdl-config
-+to compile a C source file for an executable program.
-+.TP
-+gcc -o my_app $(sdl-config --libs) main.o util.o
-+is how you might use
-+.B sdl-config
-+to link compiled objects into an executable program.
-+.SH AUTHOR
-+The Simple DirectMedia Layer (SDL) library was written by Sam Lantinga.
-+.PP
-+This manual page was written by Branden Robinson, originally for Progeny
-+Linux Systems, Inc., and the Debian Project.
-+.PP
-+This manual page was modified by Petr Pisar to match original SDL distribution.
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-const_XData32.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-const_XData32.patch
deleted file mode 100644
index 0f1c07cfb1..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-const_XData32.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-libX11-1.5.99.901 has changed prototype of _XData32
-
-
-
-diff -r b6b2829cd7ef src/video/x11/SDL_x11sym.h
---- a/src/video/x11/SDL_x11sym.h Wed Feb 27 15:20:31 2013 -0800
-+++ b/src/video/x11/SDL_x11sym.h Wed Mar 27 16:07:23 2013 +0100
-@@ -165,7 +165,7 @@
- */
- #ifdef LONG64
- SDL_X11_MODULE(IO_32BIT)
--SDL_X11_SYM(int,_XData32,(Display *dpy,register long *data,unsigned len),(dpy,data,len),return)
-+SDL_X11_SYM(int,_XData32,(Display *dpy,register _Xconst long *data,unsigned len),(dpy,data,len),return)
- SDL_X11_SYM(void,_XRead32,(Display *dpy,register long *data,long len),(dpy,data,len),)
- #endif
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
deleted file mode 100644
index a7b1f9ff05..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-fix-small-errors-detected-by-coverity.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From a976b037b63d8de9ed0eb920238ac4211b649408 Mon Sep 17 00:00:00 2001
-From: Wim Taymans
-Date: Mon, 29 Apr 2019 15:50:39 +0200
-Subject: [PATCH] fix small errors detected by coverity
-
----
- src/video/SDL_surface.c | 2 +-
- src/video/fbcon/SDL_fbevents.c | 2 +-
- src/video/fbcon/SDL_fbmatrox.c | 2 ++
- 3 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
-index 0f3ad12c4..0386cb3fb 100644
---- a/src/video/SDL_surface.c
-+++ b/src/video/SDL_surface.c
-@@ -116,6 +116,7 @@ SDL_Surface * SDL_CreateRGBSurface (Uint32 flags,
- surface->locked = 0;
- surface->map = NULL;
- surface->unused1 = 0;
-+ surface->refcount = 1;
- SDL_SetClipRect(surface, NULL);
- SDL_FormatChanged(surface);
-
-@@ -142,7 +143,6 @@ SDL_Surface * SDL_CreateRGBSurface (Uint32 flags,
- }
-
- /* The surface is ready to go */
-- surface->refcount = 1;
- #ifdef CHECK_LEAKS
- ++surfaces_allocated;
- #endif
-diff --git a/src/video/fbcon/SDL_fbevents.c b/src/video/fbcon/SDL_fbevents.c
-index 5e369a4a8..dd7413df9 100644
---- a/src/video/fbcon/SDL_fbevents.c
-+++ b/src/video/fbcon/SDL_fbevents.c
-@@ -575,7 +575,7 @@ int FB_OpenMouse(_THIS)
-
- /* ELO TOUCHSCREEN SUPPORT */
-
-- if ( mousedrv && (SDL_strcmp(mousedrv, "ELO") == 0) ) {
-+ if ( mousedrv && (SDL_strcmp(mousedrv, "ELO") == 0) && mousedev ) {
- mouse_fd = open(mousedev, O_RDWR);
- if ( mouse_fd >= 0 ) {
- if(eloInitController(mouse_fd)) {
-diff --git a/src/video/fbcon/SDL_fbmatrox.c b/src/video/fbcon/SDL_fbmatrox.c
-index 04b90b05d..4e3da4f84 100644
---- a/src/video/fbcon/SDL_fbmatrox.c
-+++ b/src/video/fbcon/SDL_fbmatrox.c
-@@ -80,6 +80,7 @@ static int FillHWRect(_THIS, SDL_Surface *dst, SDL_Rect *rect, Uint32 color)
- switch (dst->format->BytesPerPixel) {
- case 1:
- color |= (color<<8);
-+ /* fallthrough */
- case 2:
- color |= (color<<16);
- break;
-@@ -191,6 +192,7 @@ static int HWAccelBlit(SDL_Surface *src, SDL_Rect *srcrect,
- switch (dst->format->BytesPerPixel) {
- case 1:
- colorkey |= (colorkey<<8);
-+ /* fallthrough */
- case 2:
- colorkey |= (colorkey<<16);
- break;
---
-2.20.1
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
deleted file mode 100644
index b00ce02285..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-changeset: 12980:32075e9e2135
-branch: SDL-1.2
-tag: tip
-parent: 12977:37d0eba8fa17
-user: Ozkan Sezer
-date: Fri Aug 02 00:35:05 2019 +0300
-summary: fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
-
-diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
---- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300
-+++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300
-@@ -733,7 +733,7 @@
- video->w = gapi->w = width;
- video->h = gapi->h = height;
- video->pitch = SDL_CalculatePitch(video);
-- if (!current->pitch) {
-+ if (!video->pitch) {
- return(NULL);
- }
-
-diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
---- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300
-+++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300
-@@ -675,7 +675,7 @@
- video->w = width;
- video->h = height;
- video->pitch = SDL_CalculatePitch(video);
-- if (!current->pitch) {
-+ if (!video->pitch) {
- return(NULL);
- }
-
-diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
---- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300
-+++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300
-@@ -1127,7 +1127,7 @@
- video->w = width;
- video->h = height;
- video->pitch = SDL_CalculatePitch(video);
-- if (!current->pitch) {
-+ if (!video->pitch) {
- return(NULL);
- }
-
-
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-ignore_insane_joystick_axis.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-ignore_insane_joystick_axis.patch
deleted file mode 100644
index 33340fd1bc..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-ignore_insane_joystick_axis.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-changeset: 6324:95abff7adcc2
-branch: SDL-1.2
-parent: 6306:2b923729fd01
-user: Ryan C. Gordon
-date: Sun Jun 03 04:49:25 2012 -0400
-summary: Linux evdev: ignore joystick axis events if they aren't in a sane range.
-
-diff -r 2b923729fd01 -r 95abff7adcc2 src/joystick/linux/SDL_sysjoystick.c
---- a/src/joystick/linux/SDL_sysjoystick.c Sat May 12 23:32:51 2012 -0700
-+++ b/src/joystick/linux/SDL_sysjoystick.c Sun Jun 03 04:49:25 2012 -0400
-@@ -1106,6 +1106,9 @@
- }
- break;
- case EV_ABS:
-+ if (code > ABS_MISC) {
-+ break;
-+ }
- switch (code) {
- case ABS_HAT0X:
- case ABS_HAT0Y:
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-no-default-backing-store.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-no-default-backing-store.patch
deleted file mode 100644
index 4d5209d1e1..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-no-default-backing-store.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Do not harness backing store by default
-
-xorg-server 1.15 enables backing store if composite extension is enabled
-(default settings). Harnessing backing store through compositor leads to
-tearing effect.
-
-This patch reverts default harnessing backing store to conditional use if
-SDL_VIDEO_X11_BACKINGSTORE environment variable exists.
-
-
-
-
-diff -up SDL-1.2.15/src/video/x11/SDL_x11video.c.jx SDL-1.2.15/src/video/x11/SDL_x11video.c
---- SDL-1.2.15/src/video/x11/SDL_x11video.c.jx 2012-01-19 01:30:06.000000000 -0500
-+++ SDL-1.2.15/src/video/x11/SDL_x11video.c 2014-03-04 14:39:34.691545549 -0500
-@@ -1088,7 +1088,7 @@ static int X11_CreateWindow(_THIS, SDL_S
- }
- }
-
--#if 0 /* This is an experiment - are the graphics faster now? - nope. */
-+#if 1 /* This is an experiment - are the graphics faster now? - nope. */
- if ( SDL_getenv("SDL_VIDEO_X11_BACKINGSTORE") )
- #endif
- /* Cache the window in the server, when possible */
diff --git a/SPECS-EXTENDED/SDL/SDL-1.2.15-vec_perm-ppc64le.patch b/SPECS-EXTENDED/SDL/SDL-1.2.15-vec_perm-ppc64le.patch
deleted file mode 100644
index 77c915b930..0000000000
--- a/SPECS-EXTENDED/SDL/SDL-1.2.15-vec_perm-ppc64le.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-Correct vec_perm() application on little-endian 64-bit PowerPC
-
-The LE transformation for vec_perm has an implicit assumption that the
-permutation is being used to reorder vector elements (in this case 4-byte
-integer word elements), not to reorder bytes within those elements. Although
-this is legal behavior, it is not anticipated by the transformation performed
-by the compilers.
-
-This causes pygame-1.9.1 test failure on PPC64LE because blitted pixmaps are
-corrupted there due to how SDL uses vec_perm().
-
-
-
---- SDL-1.2.15/src/video/SDL_blit_N.c.ori 2017-09-04 05:56:17.759347525 -0400
-+++ SDL-1.2.15/src/video/SDL_blit_N.c 2017-09-06 05:36:20.570789610 -0400
-@@ -146,6 +146,32 @@ static vector unsigned char calc_swizzle
- return(vswiz);
- }
-
-+/* reorder bytes for PowerPC little endian */
-+static vector unsigned char reorder_ppc64le_vec(vector unsigned char vpermute)
-+{
-+ /* The result vector of calc_swizzle32 reorder bytes using vec_perm.
-+ The LE transformation for vec_perm has an implicit assumption
-+ that the permutation is being used to reorder vector elements,
-+ not to reorder bytes within those elements.
-+ Unfortunatly the result order is not the expected one for powerpc
-+ little endian when the two first vector parameters of vec_perm are
-+ not of type 'vector char'. This is because the numbering from the
-+ left for BE, and numbering from the right for LE, produces a
-+ different interpretation of what the odd and even lanes are.
-+ Refer to fedora bug 1392465
-+ */
-+
-+ const vector unsigned char ppc64le_reorder = VECUINT8_LITERAL(
-+ 0x01, 0x00, 0x03, 0x02,
-+ 0x05, 0x04, 0x07, 0x06,
-+ 0x09, 0x08, 0x0B, 0x0A,
-+ 0x0D, 0x0C, 0x0F, 0x0E );
-+
-+ vector unsigned char vswiz_ppc64le;
-+ vswiz_ppc64le = vec_perm(vpermute, vpermute, ppc64le_reorder);
-+ return(vswiz_ppc64le);
-+}
-+
- static void Blit_RGB888_RGB565(SDL_BlitInfo *info);
- static void Blit_RGB888_RGB565Altivec(SDL_BlitInfo *info) {
- int height = info->d_height;
-@@ -631,6 +657,12 @@ static void Blit32to32KeyAltivec(SDL_Bli
- vsel = (vector unsigned char)vec_and(vs, vrgbmask);
- vsel = (vector unsigned char)vec_cmpeq(vs, vckey);
- /* permute the src vec to the dest format */
-+
-+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
-+ /* reorder bytes for PowerPC little endian */
-+ vpermute = reorder_ppc64le_vec(vpermute);
-+#endif
-+
- vs = vec_perm(vs, valpha, vpermute);
- /* load the destination vec */
- vd = vec_ld(0, dstp);
-@@ -704,6 +736,12 @@ static void ConvertAltivec32to32_noprefe
- src += 4;
- width -= 4;
- vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
-+
-+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
-+ /* reorder bytes for PowerPC little endian */
-+ vpermute = reorder_ppc64le_vec(vpermute);
-+#endif
-+
- vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
- vec_st(vbits, 0, dst); /* store it back out. */
- dst += 4;
-@@ -786,6 +824,12 @@ static void ConvertAltivec32to32_prefetc
- src += 4;
- width -= 4;
- vbits = vec_perm(vbits, voverflow, valigner); /* src is ready. */
-+
-+#if defined(__powerpc__) && (SDL_BYTEORDER == SDL_LIL_ENDIAN)
-+ /* reorder bytes for PowerPC little endian */
-+ vpermute = reorder_ppc64le_vec(vpermute);
-+#endif
-+
- vbits = vec_perm(vbits, vzero, vpermute); /* swizzle it. */
- vec_st(vbits, 0, dst); /* store it back out. */
- dst += 4;
diff --git a/SPECS-EXTENDED/SDL/SDL.signatures.json b/SPECS-EXTENDED/SDL/SDL.signatures.json
deleted file mode 100644
index 49f40b2a72..0000000000
--- a/SPECS-EXTENDED/SDL/SDL.signatures.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "Signatures": {
- "SDL-1.2.15.tar.gz": "5172f97606100080603a48e5279a2b90213905c77e17953ce2a13cff03e10bef",
- "SDL_config.h": "ba92a6bcb9b66ec357db62067cccf32bda9f40f495737f084221bb1a71cfd8d1"
- }
-}
diff --git a/SPECS-EXTENDED/SDL/SDL.spec b/SPECS-EXTENDED/SDL/SDL.spec
deleted file mode 100644
index 7fc6bad679..0000000000
--- a/SPECS-EXTENDED/SDL/SDL.spec
+++ /dev/null
@@ -1,820 +0,0 @@ -Summary: A cross-platform multimedia library -Name: SDL -Version: 1.2.15 -Release: 45%{?dist} -# The license of the file src/video/fbcon/riva_mmio.h is bad, but the contents -# of the file has been relicensed to MIT in 2008 by Nvidia for the -# xf86_video-nv driver, therefore it can be considered ok. -# The license in the file src/stdlib/SDL_qsort.c is bad, but author relicensed -# it to zlib on 2016-02-21, -# , bug #1381888. -License: LGPL-2.1-or-later -Vendor: Microsoft Corporation -Distribution: Azure Linux -URL: https://www.libsdl.org/ -Source0: https://github.com/libsdl-org/%{name}-1.2/archive/refs/tags/release-%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: SDL_config.h -Patch0: SDL-1.2.12-multilib.patch -# Rejected by upstream as sdl1155, rh480065 -Patch1: SDL-1.2.10-GrabNotViewable.patch -# Proposded to upstream as sdl1769 -Patch2: SDL-1.2.15-const_XData32.patch -# sdl-config(1) manual from Debian, rh948864 -Patch3: SDL-1.2.15-add_sdl_config_man.patch -# Upstream fix for sdl1486, rh990677 -Patch4: SDL-1.2.15-ignore_insane_joystick_axis.patch -# Do not use backing store by default, sdl2383, rh1073057, rejected by -# upstream -Patch5: SDL-1.2.15-no-default-backing-store.patch -# Fix processing keyboard events if SDL_EnableUNICODE() is enabled, sdl2325, -# rh1126136, in upstream after 1.2.15 -Patch6: SDL-1.2.15-SDL_EnableUNICODE_drops_keyboard_events.patch -# Fix vec_perm() usage on little-endian 64-bit PowerPC, bug #1392465 -Patch7: SDL-1.2.15-vec_perm-ppc64le.patch -# Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition, -# rh1662778 -Patch8: SDL-1.2.15-Use-system-glext.h.patch -# Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode), bug #1676510, -# upstream bug #4492, in upstream after 1.2.15 -Patch9: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_deco.patch -# Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode), bug #1676744, -# upstream bug #4493, in upstream after 1.2.15 -Patch10: 
SDL-1.2.15-CVE-2019-7575-Fix-a-buffer-overwrite-in-MS_ADPCM_dec.patch -# Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode), bug #1676750, -# upstream bug #4496, in upstream after 1.2.15 -Patch11: SDL-1.2.15-CVE-2019-7574-Fix-a-buffer-overread-in-IMA_ADPCM_dec.patch -# Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble), bug #1676754, -# upstream bug #4495, in upstream after 1.2.15 -Patch12: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overread-in-IMA_ADPCM_nib.patch -# Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble), bug #1676754, -# upstream bug #4495, in upstream after 1.2.15 -Patch13: SDL-1.2.15-CVE-2019-7572-Fix-a-buffer-overwrite-in-IMA_ADPCM_de.patch -# Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM), -# bugs #1676752, #1676756, upstream bugs #4491, #4490, -# in upstream after 1.2.15 -Patch14: SDL-1.2.15-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch -# Fix CVE-2019-7578, (a buffer overread in InitIMA_ADPCM), bug #1676782, -# upstream bug #4491, in upstream after 1.2.15 -Patch15: SDL-1.2.15-CVE-2019-7578-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch -# Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP -# images with too high number of colors), bugs #1677144, #1677157, -# upstream bugs #4500, #4499, in upstream after 1.2.15 -Patch16: SDL-1.2.15-CVE-2019-7638-CVE-2019-7636-Refuse-loading-BMP-image.patch -# Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch), bug #1677152, -# upstream bug #4497, in upstream after 1.2.15 -Patch17: SDL-1.2.15-CVE-2019-7637-Fix-in-integer-overflow-in-SDL_Calcula.patch -# Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel -# colors out the palette), bug #1677159, upstream bug #4498, -# in upstream after 1.2.15 -Patch18: SDL-1.2.15-CVE-2019-7635-Reject-BMP-images-with-pixel-colors-ou.patch -# Reject 2, 3, 5, 6, 7-bpp BMP images (related to CVE-2019-7635), -# bug #1677159, upstream bug #4498, in upstream after 1.2.15 -Patch19: 
SDL-1.2.15-Reject-2-3-5-6-7-bpp-BMP-images.patch -# Fix CVE-2019-7577 (Fix a buffer overread in MS_ADPCM_nibble and -# MS_ADPCM_decode on an invalid predictor), bug #1676510, upstream bug #4492, -# in upstream after 1.2.15 -Patch20: SDL-1.2.15-CVE-2019-7577-Fix-a-buffer-overread-in-MS_ADPCM_nibb.patch -# Fix retrieving an error code after stopping and resuming a CD-ROM playback, -# upstream bug #4108, in upstream after 1.2.15 -Patch21: SDL-1.2.15-Fixed-bug-4108-Missing-break-statements-in-SDL_CDRes.patch -# Fix SDL_Surface reference counter initialization and a possible crash when -# opening a mouse device when using a framebuffer video output, bug #1602687 -Patch22: SDL-1.2.15-fix-small-errors-detected-by-coverity.patch -# Fix Windows drivers broken with a patch for CVE-2019-7637, bug #1677152, -# upstream bug #4497, in upstream after 1.2.15 -Patch23: SDL-1.2.15-fix_copy_paste_mistakes_in_commit_9b0e5c555c0f.patch -# Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN), bug #1747237, -# upstream bug #4538, in upstream after 1.2.15 -Patch24: SDL-1.2.15-CVE-2019-13616-validate_image_size_when_loading_BMP_files.patch -BuildRequires: alsa-lib-devel -BuildRequires: coreutils -BuildRequires: gcc -BuildRequires: glibc-common -BuildRequires: make -BuildRequires: pulseaudio-libs-devel -# Autotools -BuildRequires: automake -BuildRequires: autoconf -BuildRequires: libtool - -%description -Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed -to provide fast access to the graphics frame buffer and audio device. - -%package devel -Summary: Files needed to develop Simple DirectMedia Layer applications -Requires: SDL%{?_isa} = %{version}-%{release} -Requires: alsa-lib-devel - -%description devel -Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed -to provide fast access to the graphics frame buffer and audio device. 
This -package provides the libraries, include files, and other resources needed for -developing SDL applications. - -%package static -Summary: Files needed to develop static Simple DirectMedia Layer applications -Requires: SDL-devel%{?_isa} = %{version}-%{release} - -%description static -Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed -to provide fast access to the graphics frame buffer and audio device. This -package provides the static libraries needed for developing static SDL -applications. - -%prep -%autosetup -p1 -n %{name}-1.2-release-%{version} -for F in CREDITS; do - iconv -f iso8859-1 -t utf-8 < "$F" > "${F}.utf" - touch --reference "$F" "${F}.utf" - mv "${F}.utf" "$F" -done -# Compilation without ESD -sed -i -e 's/.*AM_PATH_ESD.*//' configure.in -# Remove unwanted files -rm -f symbian.zip - -%build -aclocal -libtoolize -autoconf -%configure \ - --enable-video-opengl \ - --disable-video-svga \ - --disable-video-ggi \ - --disable-video-aalib \ - --enable-sdl-dlopen \ - --disable-arts \ - --disable-esd \ - --disable-nas \ - --enable-pulseaudio-shared \ - --enable-alsa \ - --disable-video-ps3 \ - --disable-rpath -%make_build - -%install -%make_install - -# Rename SDL_config.h to SDL_config-.h to avoid file conflicts on -# multilib systems and install SDL_config.h wrapper -mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h -install -m644 %{SOURCE1} %{buildroot}/%{_includedir}/SDL/SDL_config.h - -# remove libtool .la file -rm -f %{buildroot}%{_libdir}/*.la - -%check -make test - -%files -%license COPYING -%doc BUGS CREDITS README-SDL.txt -%{_libdir}/libSDL-1.2.so.* - -%files devel -%doc README docs.html docs/html docs/index.html TODO WhatsNew -%{_bindir}/*-config -%{_libdir}/libSDL.so -%{_libdir}/pkgconfig/sdl.pc -%{_includedir}/SDL -%{_datadir}/aclocal/* -%{_mandir}/man1/* -%{_mandir}/man3/SDL*.3* - -%files static -%{_libdir}/lib*.a - -%changelog -* Tue Dec 13 2022 Sumedh Sharma 
- 1.2.15-45 -- Disable arts,esound and nas features for build -- Enable check section -- License verified - -* Thu Mar 25 2021 Henry Li - 1.2.15-44 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). -- Remove x11 and graphics-related dependencies - -* Tue Jan 28 2020 Fedora Release Engineering - 1.2.15-43 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Aug 30 2019 Petr Pisar - 1.2.15-42 -- Fix CVE-2019-13616 (a heap buffer over-read in BlitNtoN) (bug #1747237) - -* Fri Aug 02 2019 Petr Pisar - 1.2.15-41 -- Fix Windows drivers broken with a patch for CVE-2019-7637 (bug #1677152) -- Update URL to use secured HTTP protocol - -* Wed Jul 24 2019 Fedora Release Engineering - 1.2.15-40 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Mon Jun 03 2019 Petr Pisar - 1.2.15-39 -- Fix retrieving an error code after stopping and resuming a CD-ROM playback - (upstream bug #4108) -- Fix SDL_Surface reference counter initialization and a possible crash when - opening a mouse device when using a framebuffer video output (bug #1602687) - -* Tue Mar 12 2019 Petr Pisar - 1.2.15-38 -- Fix CVE-2019-7577 completely (a buffer overread in MS_ADPCM_nibble and - MS_ADPCM_decode on an invalid predictor) (bug #1676510) - -* Fri Feb 15 2019 Petr Pisar - 1.2.15-37 -- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (bug #1676510) -- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (bug #1676744) -- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (bug #1676750) -- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (bug #1676754) -- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (bug #1676754) -- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM) - (bugs #1676752, #1676756) -- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (bug #1676782) -- Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP - images with too high number of colors) (bugs 
#1677144, #1677157) -- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (bug #1677152) -- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel - colors out the palette) (bug #1677159) -- Reject 2, 3, 5, 6, 7-bpp BMP images (bug #1677159) - -* Thu Jan 31 2019 Fedora Release Engineering - 1.2.15-36 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Jan 14 2019 Petr Pisar - 1.2.15-35 -- Remove manual updating of config.{guess,sub} - this has been part of - %%configure since 2013 -- Use system glext.h to prevent from clashing on a GL_GLEXT_VERSION definition - (bug #1662778) - -* Tue Aug 28 2018 Petr Pisar - 1.2.15-34 -- Remove useless build-time dependency on audiofile-devel - -* Thu Jul 12 2018 Fedora Release Engineering - 1.2.15-33 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Mar 27 2018 David Abdurachmanov - 1.2.15-32 -- Add riscv64 to SDL_config.h - -* Thu Mar 22 2018 Petr Pisar - 1.2.15-31 -- Remove post scriptlets with ldconfig - -* Wed Feb 07 2018 Fedora Release Engineering - 1.2.15-30 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Tue Sep 19 2017 Petr Pisar - 1.2.15-29 -- Fix vec_perm() usage on little-endian 64-bit PowerPC (bug #1392465) - -* Wed Aug 02 2017 Fedora Release Engineering - 1.2.15-28 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Sun Jul 30 2017 Florian Weimer - 1.2.15-27 -- Rebuild with binutils fix for ppc64le (#1475636) - -* Wed Jul 26 2017 Fedora Release Engineering - 1.2.15-26 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Tue Jul 25 2017 Petr Pisar - 1.2.15-25 -- Rebuild with newer GCC to fix miscompilation on PowerPC (bug #1427880) - -* Fri Feb 10 2017 Fedora Release Engineering - 1.2.15-24 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Jan 10 2017 Petr Pisar - 1.2.15-23 -- Enable setting gamma by programing palette as supported 
by xorg-server - 1.19.0 again (bug #891973) - -* Wed Feb 03 2016 Fedora Release Engineering - 1.2.15-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Oct 22 2015 Petr Pisar - 1.2.15-20 -- Enable support for ESound - -* Fri Sep 04 2015 Michal Toman - 1.2.15-19 -- Add support for MIPS architecture to SDL_config.h -- Disable support for ESound - -* Tue Jun 16 2015 Fedora Release Engineering - 1.2.15-18 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Fri Aug 15 2014 Fedora Release Engineering - 1.2.15-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Mon Aug 04 2014 Petr Pisar - 1.2.15-16 -- Fix processing keyboard events if SDL_EnableUNICODE() is enabled - (bug #1126136) - -* Fri Jun 06 2014 Fedora Release Engineering - 1.2.15-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Fri Mar 07 2014 Petr Pisar - 1.2.15-14 -- Do not harness backing store by default. Export SDL_VIDEO_X11_BACKINGSTORE - environment variable to enable it. 
(bug #1073057) - -* Fri Jan 17 2014 Petr Pisar - 1.2.15-13 -- Add support for ppc64le architecture (bug #1054397) - -* Thu Dec 05 2013 Petr Pisar - 1.2.15-12 -- Ignore joystick axis events if they aren't in a sane range (bug #990677) - -* Tue Jul 30 2013 Petr Pisar - 1.2.15-11 -- Fix a typo in controlling NAS support - -* Fri Jul 26 2013 Petr Pisar - 1.2.15-10 -- Add esound and arts support (bug #851349) -- Add NAS support - -* Wed Jun 19 2013 Petr Pisar - 1.2.15-9 -- Add sdl-config(1) manual page (bug #948864) - -* Thu May 23 2013 Petr Pisar - 1.2.15-8 -- Update header files to support aarch64 (bug #966115) - -* Wed Mar 27 2013 Petr Pisar - 1.2.15-7 -- Update config.sub to support aarch64 (bug #926510) -- Adapt to libX11-1.5.99.901 - -* Wed Feb 13 2013 Fedora Release Engineering - 1.2.15-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Jan 23 2013 Petr Pisar - 1.2.15-5 -- Work around bug in Xorg to allow changing gamma on X11 (bug #891973) - -* Mon Sep 10 2012 Petr Pisar - 1.2.15-4 -- GL and GLU headers have been moved to mesa-GL-devel and mesa-GLU-devel - -* Thu Aug 23 2012 Matthias Clasen - 1.2.15-3 -- Drop esound and arts support (bug #851349) - -* Wed Jul 18 2012 Fedora Release Engineering - 1.2.15-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Feb 23 2012 Petr Pisar - 1.2.15-1 -- Beautify spec code -- 1.2.15 bump - -* Thu Jan 19 2012 Petr Pisar - 1.2.14-16 -- Replace my patch with upstream one (bug #782251) - -* Tue Jan 17 2012 Petr Pisar - 1.2.14-15 -- Restore compatibility with libX11-1.4.99.1 (bug #782251) - -* Thu Jan 12 2012 Fedora Release Engineering - 1.2.14-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Fri Aug 26 2011 Petr Pisar - 1.2.14-13 -- Don't block SDL_WM_GrabInput() if window is not viewable (bug #480065) - -* Thu Feb 24 2011 Petr Pisar - 1.2.14-12 -- Adapt to nasm-2.09 (bug #678818) - -* Fri Feb 18 2011 Petr Pisar - 1.2.14-11 -- Correct patch 
application -- Make intradependecies architecture specific - -* Fri Feb 18 2011 Petr Pisar - 1.2.14-10 -- Do not call memcpy() on overlapping areas (bug #669844) - -* Mon Feb 07 2011 Fedora Release Engineering - 1.2.14-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Mon Aug 16 2010 Petr Pisar - 1.2.14-8 -- Kernel joystick structure has grown in unknown 2.6 Linux version (rh624241, - sdl900) - -* Thu Aug 12 2010 Petr Pisar - 1.2.14-7 -- Fix left button press event in windowed mode (rh556608, sdl894) -- Remove unrecognized --disable-debug and --enable-dlopen configure options - (rh581056) - -* Mon Aug 02 2010 Petr Pisar - 1.2.14-6 -- Make repacked source tar ball relative -- Remove useless src/joystick/darwin/10.3.9-FIX/IOHIDLib.h because of APSL-2.0 - license -- Apply SDL-1.2.14-xio_error-rh603984.patch (rh603984, sdl1009) -- Escape spec file comments -- Convert CREDITS to UTF-8 - -* Wed Jun 23 2010 Hans de Goede 1.2.14-5 -- Don't crash when trying to exit because of an xio-error (rh603984, sdl1009) - -* Wed Mar 24 2010 Thomas Woerner 1.2.14-4 -- added repackage.sh script to remove joyos2,h and symbian.zip because of - licensing problems -- added comment about riva_mmio.h license - -* Tue Feb 16 2010 Josh Boyer 1.2.14-3 -- disable ps3 video support that was added in 2.14. 
It fails to - build on ppc/ppc64 - -* Fri Feb 12 2010 Thomas Woerner 1.2.14-2 -- fixed build for libtool 2.2.6 in F-13 (rhbz#555501) - -* Tue Oct 27 2009 Thomas Woerner 1.2.14-1 -- new version 1.2.14 -- dropped patches for upstream fixes: libdir, dynamic-esd, x11dyn64, - dynamic-pulse, pa-rewrite, rh484362 and rh487720 - -* Fri Jul 24 2009 Fedora Release Engineering - 1.2.13-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Tue Apr 7 2009 Thomas Woerner 1.2.13-9 -- fixed qemu-kvm segfaults on startup in SDL_memcpyMMX/SSE (rhbz#487720) - upstream patch - -* Mon Feb 23 2009 Fedora Release Engineering - 1.2.13-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Fri Feb 13 2009 Hans de Goede 1.2.13-7 -- Rewrite pulseaudio support to stop the crackle crackle with the - new glitch free pulseaudio, this also gives us much better latency, - as good as with directly using alsa (rh 474745, sdl 698) -- Workaround an obscure bug in the inline-asm revcpy function (by disabling it) - This fixes Ri-li crashing on i386 (rh 484121, rh 484362, sdl 699) - -* Tue Sep 2 2008 Thomas Woerner 1.2.13-6 -- dropped pulseaudio hack (rhbz#448270) -- pulseaudio is now used by default -- simplified spec file for new architecture support (rhbz#433618) - -* Mon Jul 14 2008 Tom "spot" Callaway 1.2.13-5 -- fix license tag - -* Wed May 28 2008 Dennis Gilmore 1.2.13-4 -- fix sparc multilib handling - -* Mon Apr 7 2008 Thomas Woerner 1.2.13-3 -- updated PulseAudio driver (rhbz#439847) - Thanks to Lennart Poettering for the patch - -* Fri Feb 1 2008 Thomas Woerner 1.2.13-2 -- new static sub package for static libraries - -* Mon Jan 7 2008 Thomas Woerner 1.2.13-1 -- new version 1.2.13 - - fixes i810 video overlay problem (rhbz#310841) - - fixes c++ style comments in header files (rhbz#426475) -- review fixes: spec file cleanup, dropped static libs (rhbz#226402) -- fixed pulseaudio hack scripts from Warren for multilib systems (rhbz#426579) -- fixed 
pulseaudio detection in configure to enable dynamic use of pulseaudio - libraries - -* Fri Dec 21 2007 Warren Togami 1.2.12-5 -- correct stupid mistake that broke SDL-devel - RPM should error out if a SourceX is defined twice... - -* Wed Dec 19 2007 Warren Togami 1.2.12-4 -- Build with --enable-pulseaudio-shared for testing purposes (#343911) - It is known to not work in some cases, so not enabled by default. -- Move pulseaudio enabler hack from SDL_mixer (#426275) -- Make pulseaudio enabler hack conditional. It will only attempt to use it if - alsa-plugins-pulseaudio is installed. - -* Tue Nov 6 2007 Thomas Woerner 1.2.12-3 -- fixed latest multiarch conflicts: dropped libdir from sdl-config completely - (rhbz#343141) - -* Tue Aug 28 2007 Thomas Woerner 1.2.12-2 -- use uname -m in multilib patch instead of arch - -* Mon Aug 27 2007 Thomas Woerner 1.2.12-1 -- new version 1.2.12 - fixes TEXTRELs (rhbz#179407) -- added arm support (rhbz#245411) - Thanks to Lennert Buytenhek for the patch -- added alpha support (rhbz#246463) - Thanks to Oliver Falk for the patch -- disabled yasm for SDL (rhbz#234823) - Thanks to Nikolay Ulyanitsky for the patch - -* Tue Mar 20 2007 Thomas Woerner 1.2.11-2 -- use X11 dlopen code for 64 bit architectures (rhbz#207903) - -* Mon Mar 19 2007 Thomas Woerner 1.2.11-1 -- new version 1.2.11 -- fixed man page SDL_ListModes (rhbz#208212) -- fixed spurious esound, audiofile dependencies (rhbz#217389) - Thanks to Ville Skyttä for the patch -- dropped requirements for imake and libXt-devel (rhbz#226402) -- made nasm arch %%{ix86} only (rhbz#226402) -- dropped O3 from options (rhbz#226402) -- dropped tagname environment variable (rhbz#226402) - -* Thu Nov 2 2006 Thomas Woerner 1.2.10-9 -- fixed arch order in SDL_config.h wrapper - -* Fri Oct 27 2006 Thomas Woerner 1.2.10-8 -- fixed multilib conflicts for SDL (#212288) - -* Wed Jul 26 2006 Thomas Woerner 1.2.10-6.2 -- setting the X11 lib and include paths hard to get shared X11 support on all - 
architectures - -* Wed Jul 26 2006 Thomas Woerner 1.2.10-6.1 -- added build requires for automake and autoconf - -* Tue Jul 25 2006 Thomas Woerner 1.2.10-6 -- dropped libXt build requires, because libSDL does not need libXt at all - - this was an autofoo bug (fixed already) -- fixed multilib devel conflicts (#192749) -- added buidrequires for imake: AC_PATH_X needs imake currently - -* Wed Jul 12 2006 Jesse Keating - 1.2.10-5 -- rebuild -- use %%configure macro - -* Tue Jun 20 2006 Christopher Stone 1.2.10-4 -- added missing (build) requires for libXt libXrender libXrandr -- remove %%makeinstall macro (bad practice) -- use %%{buildroot} macro consistantly - -* Tue Jun 6 2006 Thomas Woerner 1.2.10-2 -- added missing (build) requires for GL and GLU - -* Mon May 22 2006 Thomas Woerner 1.2.10-1 -- new version 1.2.10 -- dropped the following patches because they are not needed anymore: - ppc_modes, gcc4, yuv_mmx_gcc4 and no_exec_stack -- new pagesize patch (drop PAGE_SIZE, use sysconf(_SC_PAGESIZE) instead) - -* Mon Feb 13 2006 Jesse Keating - 1.2.9-5.2.1 -- rebump for build order issues during double-long bump - -* Fri Feb 10 2006 Jesse Keating - 1.2.9-5.2 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 1.2.9-5.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Jan 27 2006 Thomas Woerner 1.2.9-5 -- added upstream no exec stack patch - -* Thu Jan 26 2006 Thomas Woerner 1.2.9-4 -- prefer alsa sound output, then artsd and esd - -* Tue Jan 24 2006 Thomas Woerner 1.2.9-3 -- dropped libtool .la files from devel package - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Wed Nov 16 2005 Thomas Woerner 1.2.9-2.1 -- fixed build requires - -* Tue Nov 15 2005 Warren Togami 1.2.9-2 -- -devel req actual X libs - -* Mon Nov 7 2005 Thomas Woerner 1.2.9-1 -- new version 1.2.9 with additional gcc4 fixes -- using xorg-x11-devel instead of XFree86-devel - -* Thu May 26 2005 Bill Nottingham 1.2.8-3.2 -- fix configure script for libdir so 
library deps are identical on all - arches (#158346) - -* Thu Apr 14 2005 Thomas Woerner 1.2.8-3.1 -- new version of the gcc4 fix - -* Tue Apr 12 2005 Thomas Woerner 1.2.8-3 -- fixed gcc4 compile problems -- fixed x86_64 endian problem - -* Wed Feb 9 2005 Thomas Woerner 1.2.8-2 -- rebuild - -* Fri Dec 17 2004 Thomas Woerner 1.2.8-1 -- new version 1.2.8 - -* Thu Oct 14 2004 Thomas Woerner 1.2.7-8 -- added patch from SDL CVS for arts detection/initialization problem (#113831) - -* Wed Sep 29 2004 Thomas Woerner 1.2.7-7.1 -- moved to new autofoo utils - -* Fri Jul 9 2004 Thomas Woerner 1.2.7-7 -- fixed resolution switching for ppc (#127254) - -* Mon Jun 21 2004 Thomas Woerner 1.2.7-6 -- fixed gcc34 build problems - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Mon May 24 2004 Thomas Woerner 1.2.7-4 -- added requires for alsa-lib-devel (#123374) - -* Wed Mar 31 2004 Harald Hoyer - 1.2.7-3 -- fixed gcc34 compilation issues - -* Wed Mar 10 2004 Thomas Woerner 1.2.7-2.1 -- added buildrequires for alsa-lib-devel -- now using automake 1.5 - -* Tue Mar 9 2004 Thomas Woerner 1.2.7-2 -- Fixed SDL requires for devel package - -* Tue Mar 02 2004 Elliot Lee -- rebuilt -- Revive SDL-ppc64.patch - -* Mon Mar 1 2004 Thomas Woerner 1.2.7-1 -- new version 1.2.7 - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Thu Feb 5 2004 Thomas Woerner 1.2.6-3.1 -- disabled several video modes, hopefuilly fixes (#113831) - -* Thu Jan 29 2004 Thomas Woerner 1.2.6-3 -- fix for alsa 1.0 - -* Tue Nov 25 2003 Thomas Woerner 1.2.6-2 -- removed rpath -- using O3 instead of O2, now (SDL_RLEaccel.c compile error) -- added BuildRequires for nasm - -* Tue Sep 2 2003 Thomas Woerner 1.2.6-1 -- new version 1.2.6 - -* Thu Aug 7 2003 Elliot Lee 1.2.5-9 -- Fix libtool - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Wed Jun 4 2003 Than Ngo 1.2.5-7 -- fix build problem with gcc 3.3 -- clean up specfile - -* Mon May 19 2003 Thomas Woerner 1.2.5-5 -- rebuild - -* Tue Apr 15 2003 Thomas Woerner 1.2.5-4 -- X11 modes fix 
(use more than 60 Hz, when possible) - -* Mon Feb 17 2003 Elliot Lee 1.2.5-3.5 -- ppc64 fix - -* Mon Feb 10 2003 Thomas Woerner 1.2.5-3 -- added -fPIC to LDFLAGS - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Dec 10 2002 Thomas Woerner 1.2.5-1 -- new version 1.2.5 -- disabled conflicting automake16 patch -- dgavideo modes fix (#78861) - -* Sun Dec 01 2002 Elliot Lee 1.2.4-7 -- Fix unpackaged files by including them. -- _smp_mflags - -* Fri Nov 29 2002 Tim Powers 1.2.4-6 -- remove unpackaged files from the buildroot -- lib64'ize - -* Sat Jul 20 2002 Florian La Roche -- do not require nasm for mainframe - -* Tue Jul 2 2002 Bernhard Rosenkraenzer 1.2.4-4 -- Fix bug #67255 - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 23 2002 Bernhard Rosenkraenzer 1.2.4-1 -- 1.2.4 -- Fix build with automake 1.6 - -* Mon Mar 11 2002 Bernhard Rosenkraenzer 1.2.3-7 -- Fix AM_PATH_SDL automake macro with AC_LANG(c++) (#60533) - -* Thu Feb 28 2002 Bernhard Rosenkraenzer 1.2.3-6 -- Rebuild in current environment - -* Thu Jan 24 2002 Bernhard Rosenkraenzer 1.2.3-5 -- dlopen() aRts and esd rather than linking directly to them. -- make sure aRts and esd are actually used if they're running. - -* Mon Jan 21 2002 Bernhard Rosenkraenzer 1.2.3-4 -- Don't crash without xv optimization: BuildRequire a version of nasm that - works. - -* Wed Jan 09 2002 Tim Powers -- automated rebuild - -* Mon Dec 17 2001 Bernhard Rosenkraenzer 1.2.3-2 -- Rebuild with new aRts, require arts-devel rather than kdelibs-sound-devel -- Temporarily exclude alpha (compiler bugs) - -* Thu Nov 22 2001 Bernhard Rosenkraenzer 1.2.3-1 -- 1.2.3 - -* Sat Nov 17 2001 Bernhard Rosenkraenzer 1.2.2-5 -- Add workaround for automake 1.5 asm bugs - -* Tue Oct 30 2001 Bernhard Rosenkraenzer 1.2.2-4 -- Make sure -fPIC is used on all architectures (#55039) -- Fix build with autoconf 2.5x - -* Fri Aug 31 2001 Bill Nottingham 1.2.2-3 -- rebuild (fixes #50750??) 
- -* Thu Aug 2 2001 Bernhard Rosenkraenzer 1.2.2-2 -- SDL-devel should require esound-devel and kdelibs-sound-devel (#44884) - -* Tue Jul 24 2001 Bernhard Rosenkraenzer 1.2.2-1 -- Update to 1.2.2; this should fix #47941 -- Add build dependencies - -* Tue Jul 10 2001 Elliot Lee 1.2.1-3 -- Rebuild to eliminate libXv/libXxf86dga deps. - -* Fri Jun 29 2001 Preston Brown -- output same libraries for sdl-config whether --libs or --static-libs - selected. Fixes compilation of most SDL programs. -- properly packaged new HTML documentation - -* Sun Jun 24 2001 Bernhard Rosenkraenzer 1.2.1-1 -- 1.2.1 - -* Mon May 7 2001 Bernhard Rosenkraenzer 1.2.0-2 -- Add Bill's byteorder patch - -* Sun Apr 15 2001 Bernhard Rosenkraenzer -- 1.2.0 - -* Tue Feb 27 2001 Karsten Hopp -- SDL-devel requires SDL - -* Tue Jan 16 2001 Bernhard Rosenkraenzer -- Require arts rather than kdelibs-sound - -* Sun Jan 7 2001 Bernhard Rosenkraenzer -- 1.1.7 - -* Tue Oct 24 2000 Bernhard Rosenkraenzer -- 1.1.6 - -* Mon Aug 7 2000 Bernhard Rosenkraenzer -- build against new DGA -- update to 1.1.4, remove patches (they're now in the base release) - -* Tue Aug 1 2000 Bernhard Rosenkraenzer -- %%post -p /sbin/ldconfig (Bug #14928) -- add URL - -* Wed Jul 12 2000 Prospector -- automatic rebuild - -* Sun Jun 18 2000 Bill Nottingham -- replace patch that fell out of SRPM - -* Tue Jun 13 2000 Preston Brown -- FHS paths -- use 1.1 (development) version; everything even from Loki links to it! - -* Thu May 4 2000 Bill Nottingham -- autoconf fixes for ia64 - -* Mon Apr 24 2000 Tim Powers -- updated to 1.0.8 - -* Tue Feb 15 2000 Tim Powers -- updated to 1.0.4, fixes problems when run in 8bpp - -* Tue Feb 01 2000 Tim Powers -- applied patch from Hans de Goede for fullscreen toggling. -- using --enable-video-x11-dgamouse since it smoothes the mouse some. 
- -* Sun Jan 30 2000 Tim Powers -- updated to 1.0.3, bugfix update - -* Fri Jan 28 2000 Tim Powers -- fixed group etc - -* Fri Jan 21 2000 Tim Powers -- build for 6.2 Powertools - -* Wed Jan 19 2000 Sam Lantinga -- Re-integrated spec file into SDL distribution -- 'name' and 'version' come from configure -- Some of the documentation is devel specific -- Removed SMP support from %%build - it doesn't work with libtool anyway - -* Tue Jan 18 2000 Hakan Tandogan -- Hacked Mandrake sdl spec to build 1.1 - -* Sun Dec 19 1999 John Buswell -- Build Release - -* Sat Dec 18 1999 John Buswell -- Add symlink for libSDL-1.0.so.0 required by sdlbomber -- Added docs - -* Thu Dec 09 1999 Lenny Cartier -- v 1.0.0 - -* Mon Nov 1 1999 Chmouel Boudjnah -- First spec file for Mandrake distribution. diff --git a/SPECS-EXTENDED/SDL2/SDL2-2.0.22-prefer-wayland.patch b/SPECS-EXTENDED/SDL2/SDL2-2.0.22-prefer-wayland.patch deleted file mode 100644 index af8a74571a..0000000000 --- a/SPECS-EXTENDED/SDL2/SDL2-2.0.22-prefer-wayland.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 68d8a2c6b4f732920df40bd79dc3c18b71a4a349 Mon Sep 17 00:00:00 2001 -From: Neal Gompa -Date: Fri, 29 Apr 2022 23:39:39 -0400 -Subject: [PATCH] Revert "Revert "video: Prefer Wayland over X11"" - -For Fedora/RHEL, we want to continue using Wayland by default. - -The majority of issues around Wayland by default seem to center -around cases that are issues for the Steam Runtime's bundled -copy of SDL and proprietary games that depend on that runtime. - -These issues do not apply to us. - -This reverts commit 254fcc90eb22bb159ab365ad956222a9c5632841. ---- - src/video/SDL_video.c | 24 ++++++++++++------------ - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/src/video/SDL_video.c b/src/video/SDL_video.c -index 2b896c44b..6f31f4c9e 100644 ---- a/src/video/SDL_video.c -+++ b/src/video/SDL_video.c -@@ -61,12 +61,12 @@ static VideoBootStrap *bootstrap[] = { - #if SDL_VIDEO_DRIVER_COCOA - &COCOA_bootstrap, - #endif --#if SDL_VIDEO_DRIVER_X11 -- &X11_bootstrap, --#endif - #if SDL_VIDEO_DRIVER_WAYLAND - &Wayland_bootstrap, - #endif -+#if SDL_VIDEO_DRIVER_X11 -+ &X11_bootstrap, -+#endif - #if SDL_VIDEO_DRIVER_VIVANTE - &VIVANTE_bootstrap, - #endif -@@ -4275,12 +4275,12 @@ SDL_IsScreenKeyboardShown(SDL_Window *window) - #if SDL_VIDEO_DRIVER_UIKIT - #include "uikit/SDL_uikitmessagebox.h" - #endif --#if SDL_VIDEO_DRIVER_X11 --#include "x11/SDL_x11messagebox.h" --#endif - #if SDL_VIDEO_DRIVER_WAYLAND - #include "wayland/SDL_waylandmessagebox.h" - #endif -+#if SDL_VIDEO_DRIVER_X11 -+#include "x11/SDL_x11messagebox.h" -+#endif - #if SDL_VIDEO_DRIVER_HAIKU - #include "haiku/SDL_bmessagebox.h" - #endif -@@ -4388,17 +4388,17 @@ SDL_ShowMessageBox(const SDL_MessageBoxData *messageboxdata, int *buttonid) - retval = 0; - } - #endif --#if SDL_VIDEO_DRIVER_X11 -+#if SDL_VIDEO_DRIVER_WAYLAND - if (retval == -1 && -- SDL_MessageboxValidForDriver(messageboxdata, SDL_SYSWM_X11) && -- X11_ShowMessageBox(messageboxdata, buttonid) == 0) { -+ 
SDL_MessageboxValidForDriver(messageboxdata, SDL_SYSWM_WAYLAND) && -+ Wayland_ShowMessageBox(messageboxdata, buttonid) == 0) { - retval = 0; - } - #endif --#if SDL_VIDEO_DRIVER_WAYLAND -+#if SDL_VIDEO_DRIVER_X11 - if (retval == -1 && -- SDL_MessageboxValidForDriver(messageboxdata, SDL_SYSWM_WAYLAND) && -- Wayland_ShowMessageBox(messageboxdata, buttonid) == 0) { -+ SDL_MessageboxValidForDriver(messageboxdata, SDL_SYSWM_X11) && -+ X11_ShowMessageBox(messageboxdata, buttonid) == 0) { - retval = 0; - } - #endif --- -2.35.1 - diff --git a/SPECS-EXTENDED/SDL2/SDL2-2.0.9-khrplatform.patch b/SPECS-EXTENDED/SDL2/SDL2-2.0.9-khrplatform.patch deleted file mode 100644 index b6c39278ba..0000000000 --- a/SPECS-EXTENDED/SDL2/SDL2-2.0.9-khrplatform.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform SDL2-2.0.9/include/SDL_opengl_glext.h ---- SDL2-2.0.9/include/SDL_opengl_glext.h.khrplatform 2019-02-15 20:22:39.173773779 -0500 -+++ SDL2-2.0.9/include/SDL_opengl_glext.h 2019-02-15 20:22:58.176399330 -0500 -@@ -469,8 +469,9 @@ GLAPI void APIENTRY glBlendEquation (GLe - typedef long GLsizeiptr; - typedef long GLintptr; - #else --typedef ptrdiff_t GLsizeiptr; --typedef ptrdiff_t GLintptr; -+#include -+typedef khronos_intptr_t GLintptr; -+typedef khronos_ssize_t GLsizeiptr; - #endif - #define GL_BUFFER_SIZE 0x8764 - #define GL_BUFFER_USAGE 0x8765 diff --git a/SPECS-EXTENDED/SDL2/SDL2-2.30.1-prefer-wayland.patch b/SPECS-EXTENDED/SDL2/SDL2-2.30.1-prefer-wayland.patch new file mode 100644 index 0000000000..6408643bb2 --- /dev/null +++ b/SPECS-EXTENDED/SDL2/SDL2-2.30.1-prefer-wayland.patch 
@@ -0,0 +1,19 @@
+diff -up ./src/video/SDL_video.c.prefer-wayland ./src/video/SDL_video.c
+--- ./src/video/SDL_video.c.prefer-wayland 2024-03-25 11:11:50.474311044 +1000
++++ ./src/video/SDL_video.c 2024-03-25 11:40:04.785892199 +1000
+@@ -69,12 +69,12 @@ static VideoBootStrap *bootstrap[] = {
+ #ifdef SDL_VIDEO_DRIVER_COCOA
+ &COCOA_bootstrap,
+ #endif
+-#ifdef SDL_VIDEO_DRIVER_X11
+- &X11_bootstrap,
+-#endif
+ #ifdef SDL_VIDEO_DRIVER_WAYLAND
+ &Wayland_bootstrap,
+ #endif
++#ifdef SDL_VIDEO_DRIVER_X11
++ &X11_bootstrap,
++#endif
+ #ifdef SDL_VIDEO_DRIVER_VIVANTE
+ &VIVANTE_bootstrap,
+ #endif
diff --git a/SPECS-EXTENDED/SDL2/SDL2.signatures.json b/SPECS-EXTENDED/SDL2/SDL2.signatures.json
index cd6960b50a..36cefdba08 100644
--- a/SPECS-EXTENDED/SDL2/SDL2.signatures.json
+++ b/SPECS-EXTENDED/SDL2/SDL2.signatures.json
@@ -1,6 +1,6 @@
 {
 "Signatures": {
- "SDL2-2.24.0.tar.gz": "91e4c34b1768f92d399b078e171448c6af18cafda743987ed2064a28954d6d97",
+ "SDL2-2.30.9.tar.gz": "24b574f71c87a763f50704bbb630cbe38298d544a1f890f099a4696b1d6beba4",
 "SDL_config.h": "6805453d2b12b0713a827c54dd4ff823ca73df055e6c074dc5300ff1a8b1d2b9",
 "SDL_revision.h": "ca24e457ea25247aa940034e8a2d28922485b279932a2074e15ff83456ed2d4e"
 }
diff --git a/SPECS-EXTENDED/SDL2/SDL2.spec b/SPECS-EXTENDED/SDL2/SDL2.spec
index 7ff3252097..02ae081cd9 100644
--- a/SPECS-EXTENDED/SDL2/SDL2.spec
+++ b/SPECS-EXTENDED/SDL2/SDL2.spec
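Review bot: The new SDL2-2.30.1-prefer-wayland.patch carries no provenance header: the deleted SDL2-2.0.22-prefer-wayland.patch recorded its author, the upstream commit it reverted and the reason Wayland is preferred, while this file starts directly at `diff -up`. A short leading comment stating where the patch was taken from and why it is carried would let a later upgrade be checked against its source. It also reorders only `bootstrap[]`, whereas the old patch additionally moved the Wayland message-box include and the `Wayland_ShowMessageBox` attempt ahead of the X11 ones; whether 2.30.9 still needs those two changes is not visible here and is worth confirming.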
@@ -1,20 +1,20 @@ %bcond_with jack -Summary: Cross-platform multimedia library Name: SDL2 -Version: 2.24.0 -Release: 2%{?dist} -License: zlib AND MIT +Version: 2.30.9 +Release: 1%{?dist} +Summary: Cross-platform multimedia library Vendor: Microsoft Corporation Distribution: Azure Linux +License: Zlib AND MIT AND Apache-2.0 AND (Apache-2.0 OR MIT) URL: https://www.libsdl.org/ Source0: https://www.libsdl.org/release/%{name}-%{version}.tar.gz Source1: SDL_config.h Source2: SDL_revision.h + Patch0: multilib.patch -# ptrdiff_t is not the same as khronos defines on 32bit arches -Patch1: SDL2-2.0.9-khrplatform.patch # Prefer Wayland by default -Patch2: SDL2-2.0.22-prefer-wayland.patch +Patch1: SDL2-2.30.1-prefer-wayland.patch + BuildRequires: git-core BuildRequires: cmake BuildRequires: make @@ -30,7 +30,8 @@ BuildRequires: libX11-devel BuildRequires: libXi-devel BuildRequires: libXrandr-devel BuildRequires: libXrender-devel -BuildRequires: libXScrnSaver-devel +# While SDL2 supports this, Xwayland does not expose XScrnSaver. +# BuildRequires: libXScrnSaver-devel BuildRequires: libXinerama-devel BuildRequires: libXcursor-devel BuildRequires: systemd-devel @@ -67,9 +68,9 @@ to provide fast access to the graphics frame buffer and audio device. %package devel Summary: Files needed to develop Simple DirectMedia Layer applications Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: libX11-devel%{?_isa} Requires: mesa-libEGL-devel%{?_isa} Requires: mesa-libGLES-devel%{?_isa} +Requires: libX11-devel%{?_isa} # Conflict with versions before libSDLmain moved here Conflicts: %{name}-static < 2.0.18-4 
@@ -90,14 +91,16 @@ Conflicts: %{name}-devel < 2.0.18-4 Static libraries for SDL2. %prep -%autosetup -p1 -n %{name}-%{version} +%autosetup -S git +#autopatch 0 sed -i -e 's/\r//g' TODO.txt README.md WhatsNew.txt BUGS.txt LICENSE.txt CREDITS.txt README-SDL.txt %build # Deal with new CMake policy around whitespace in LDFLAGS... export LDFLAGS="%{shrink:%{build_ldflags}}" -mkdir -p buildDir +mkdir -p build +cd build %cmake \ -DSDL_DLOPEN=ON \ @@ -109,7 +112,7 @@ mkdir -p buildDir %if %{with jack} -DSDL_JACK_SHARED=ON \ %else - -DSDL_JACK=OFF \ + -DSDL_JACK_SHARED=ON \ %endif -DSDL_PIPEWIRE_SHARED=ON \ -DSDL_ALSA=ON \ @@ -118,12 +121,15 @@ mkdir -p buildDir -DSDL_SSE3=OFF \ -DSDL_RPATH=OFF \ -DSDL_STATIC=ON \ - -DSDL_STATIC_PIC=ON -B ./buildDir + -DSDL_STATIC_PIC=ON \ + .. -cmake --build buildDir %{?_smp_mflags} --verbose +%cmake_build %install -DESTDIR=%{buildroot} cmake --install buildDir +cd build +%cmake_install +cd .. # Rename SDL_config.h to SDL_config-.h to avoid file conflicts on # multilib systems and install SDL_config.h wrapper @@ -151,6 +157,7 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_includedir}/SDL2/SDL_revision.h %{_libdir}/cmake/SDL2/SDL2Config*.cmake %{_libdir}/cmake/SDL2/SDL2Targets*.cmake %{_libdir}/cmake/SDL2/SDL2mainTargets*.cmake +%{_libdir}/cmake/SDL2/sdlfind.cmake %{_includedir}/SDL2 %{_datadir}/aclocal/* %{_libdir}/libSDL2_test.a @@ -162,7 +169,11 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_includedir}/SDL2/SDL_revision.h %{_libdir}/cmake/SDL2/SDL2staticTargets*.cmake %changelog -* Fri Nov 25 2022 Sumedh Sharma - 2.24.0-2 +* Tue Mar 11 2025 Jyoti kanase - 2.30.9-1 +- Upgrade to 2.30.9 +- License Verified. + +* Fri Nov 25 2022 Sumedh Sharma - 2.24.0-2 - Initial CBL-Mariner import from Fedora 37 (license: MIT) - Build with feature disabled: jack - License verified 
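Review bot: In the `@@ -109,7 +112,7 @@` hunk the `%else` branch now passes `-DSDL_JACK_SHARED=ON`, the same flag as the `%if %{with jack}` branch, so `%bcond_with jack` no longer turns JACK off, although the 2.24.0-2 changelog entry says the package is built with jack disabled. With nothing forcing it off, whether JACK support is compiled in presumably depends on what CMake detects in the build root, which makes the shipped feature set depend on the build environment. Keeping `-DSDL_JACK=OFF \` in the `%else` branch retains the previous behaviour; if enabling JACK is intended, the conditional can be dropped and the new changelog entry should say so. The `%cmake` argument list continues outside this hunk.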
diff --git a/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.signatures.json b/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.signatures.json index e791bf06ef..67b9725006 100644 --- a/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.signatures.json +++ b/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "azl-otel-collector-0.124.0.tar.gz": "2c11273db7045c693143cd2869e98b2a125362ff5f7adbade54af6f3e3a7f364", - "azl-otel-collector-0.124.0-govendor-v1.tar.gz": "171aac80bf3965b647f13d6cb41d72365d7870d2672133148149b34086368147", + "azl-otel-collector-0.127.0.tar.gz": "10c1fb11e89e101110c1b6765ec61f932edf9c5dbedec45cabefd8e9c1134a4f", + "azl-otel-collector-0.127.0-govendor-v1.tar.gz": "b99e7c84f87bb4544c23b5f63586a05659e779a5966d3fb8bc8b1d46168881c6", "azl-otel-collector.service": "16d0fb39947318ca4912adc20613a79b88ec8ffae1bdb214001ac65a086d293c" } } diff --git a/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.spec b/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.spec index 10742b698a..7089c0d071 100644 --- a/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.spec +++ b/SPECS-EXTENDED/azl-otel-collector/azl-otel-collector.spec @@ -3,7 +3,7 @@ %global debug_package %{nil} Summary: Azure Linux OpenTelemetry Collector Distribution Name: azl-otel-collector -Version: 0.124.0 +Version: 0.127.0 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation @@ -68,6 +68,9 @@ for the Azure Linux OpenTelemetry Collector. %{_unitdir}/azl-otel-collector.service %changelog +* Mon Jun 01 2025 Adit Jha - 0.127.0-1 +- Bump to 0.127.0 release + * Wed Apr 23 2025 Adit Jha - 0.124.0-1 - Original version for Azure Linux - License Verified diff --git a/SPECS-EXTENDED/buildah/buildah.spec b/SPECS-EXTENDED/buildah/buildah.spec index f0fd4e8191..53ebcd9586 100644 --- a/SPECS-EXTENDED/buildah/buildah.spec +++ b/SPECS-EXTENDED/buildah/buildah.spec 
@@ -21,7 +21,7 @@ Summary: A command line tool used for creating OCI Images Name: buildah Version: 1.18.0 -Release: 30%{?dist} +Release: 31%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -32,7 +32,7 @@ BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: git BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: go-md2man BuildRequires: go-rpm-macros BuildRequires: golang @@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype %{_datadir}/%{name}/test %changelog +* Thu May 22 2025 Kanishk Bansal - 1.18.0-31 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps - 1.18.0-30 - Bump to rebuild with updated glibc diff --git a/SPECS-EXTENDED/cassandra-driver/cassandra-driver.signatures.json b/SPECS-EXTENDED/cassandra-driver/cassandra-driver.signatures.json new file mode 100644 index 0000000000..13ddaf1a48 --- /dev/null +++ b/SPECS-EXTENDED/cassandra-driver/cassandra-driver.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "cassandra-driver-3.29.2.tar.gz": "aa3be5396e05b395c178091656a329daba23b0d4dd69b8d076090157f86e6d13" + } +} \ No newline at end of file diff --git a/SPECS-EXTENDED/cassandra-driver/cassandra-driver.spec b/SPECS-EXTENDED/cassandra-driver/cassandra-driver.spec new file mode 100644 index 0000000000..4f1e224cb9 --- /dev/null +++ b/SPECS-EXTENDED/cassandra-driver/cassandra-driver.spec 
@@ -0,0 +1,72 @@
+%define srcname cassandra-driver
+
+Summary: A modern, feature-rich and highly-tunable Python client library for Apache Cassandra (2.1+)
+Name: %{srcname}
+Version: 3.29.2
+Release: 1%{?dist}
+Url: https://github.com/datastax/python-driver#datastax-python-driver-for-apache-cassandra
+License: Apache 2.0
+Group: Development/Languages/Python
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+Source0: https://github.com/datastax/python-driver/archive/refs/tags/%{version}.tar.gz#/%{srcname}-%{version}.tar.gz
+
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: libev-devel
+
+Requires: libev
+Requires: python3
+Requires: python-geomet
+
+%description
+A modern, feature-rich and highly-tunable Python client library for Apache Cassandra (2.1+)
+using exclusively Cassandra's binary protocol and Cassandra Query Language v3. The driver
+supports Python 3.8, 3.9, 3.10, 3.11 and 3.12.
+
+%prep
+%autosetup -p1 -n python-driver-%{version}
+
+%build
+%{python3} setup.py build --no-cython
+
+%install
+%{python3} setup.py install \
+ --prefix=%{_prefix} --root=%{buildroot} --no-cython
+
+%files
+%defattr(-,root,root,-)
+%{python3_sitelib}/*
+
+%changelog
+* Thu May 22 2025 Jyoti kanase - 3.29.2-1
+- Initial Azure Linux import from Photon (license: Apache2).
+- Upgrade to 3.29.2
+- License verified.
+
+* Sun Aug 21 2022 Gerrit Photon 3.25.0-1
+- Automatic Version Bump
+* Fri Jun 11 2021 Ankit Jain 3.24.0-4
+- Fixed install time dependency
+* Tue Dec 15 2020 Shreenidhi Shedi 3.24.0-3
+- Fix build with new rpm
+* Tue Sep 29 2020 Satya Naga Vasamsetty 3.24.0-2
+- openssl 1.1.1
+* Fri Jul 24 2020 Gerrit Photon 3.24.0-1
+- Automatic Version Bump
+* Tue Jun 16 2020 Tapas Kundu 3.15.1-3
+- Mass removal python2
+* Wed Dec 12 2018 Tapas Kundu 3.15.1-2
+- Fix make check
+* Sun Sep 09 2018 Tapas Kundu 3.15.1-1
+- Update to version 3.15.1
+* Fri Oct 13 2017 Alexey Makhalov 3.10.0-5
+- Remove BuildArch
+* Tue Sep 12 2017 Dheeraj Shetty 3.10.0-4
+- Do make check for python3 subpackage
+* Wed Aug 16 2017 Harish Udaiya Kumar 3.10.0-3
+- Fix make check.
+* Tue Jun 20 2017 Xiaolin Li 3.10.0-2
+- Add python3-setuptools and python3-xml to python3 sub package Buildrequires.
+* Thu Jun 15 2017 Harish Udaiya Kumar 3.10.0-1
+- Initial packaging for Photon
diff --git a/SPECS-EXTENDED/cassandra/Readme b/SPECS-EXTENDED/cassandra/Readme
index ddadb6c4f1..cd1a1c97d6 100644
--- a/SPECS-EXTENDED/cassandra/Readme
+++ b/SPECS-EXTENDED/cassandra/Readme
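Review bot: The `%files` section of the new cassandra-driver.spec lists only `%{python3_sitelib}/*`, so the package ships no license text even though the changelog records the license as verified; if the tarball carries one, add `%license LICENSE` after `%defattr` (the new cqlsh.spec in this commit has the same gap). There is also no `%check` section, so the imported build is never exercised, not even with an import smoke test. `Requires: python-geomet` is the only dependency without the `python3-` prefix used by the others; it is worth confirming that name resolves to the intended package.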
@@ -6,16 +6,16 @@ 2. Refer to cassandra spec and install all build required dependenices. 3. Download cassandra sources and extract under /usr/src 4. cd /usr/src/apache-cassandra--src -5. Run "export JAVA_HOME=/usr/lib/jvm/msopenjdk-11" -6. Run export ANT_OPTS="-Xmx1024m -XX:MaxPermSize=512m" +5. Run "export JAVA_HOME=/usr/lib/jvm/msopenjdk-17" +6. Run export ANT_OPTS="-Xmx1024m -XX:MaxMetaspaceSize=512m" 7. Run "sudo ant -v clean jar javadoc -Drelease=true -Duse.jdk11=true" 8. Once build completed successfully take build cache as below. 9. cd ~/.m2 -9. sudo tar --sort=name \ - --mtime="2021-04-26 00:00Z" \ +10. sudo tar --sort=name \ + --mtime="2025-05-29 00:00Z" \ --owner=0 --group=0 --numeric-owner \ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -cf cassandra-build-cache-.tar.gz repository -10. Update latest build cache in cassandra spec and update to sources server. +11. Update latest build cache in cassandra spec and update to sources server. diff --git a/SPECS-EXTENDED/cassandra/cassandra.signatures.json b/SPECS-EXTENDED/cassandra/cassandra.signatures.json index d59582a052..46d0a42a5b 100644 --- a/SPECS-EXTENDED/cassandra/cassandra.signatures.json +++ b/SPECS-EXTENDED/cassandra/cassandra.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "apache-cassandra-4.0.10-src.tar.gz": "1a71836fdde8a16842772be8e73ca7a0fb1bb93e882d65f094110230db1b3559", - "cassandra-build-cache-4.0.10.tar.gz": "8dc493925e00d38a62705df1532f2b4055068973d9e7a3a23fd65b6456aebb28", + "apache-cassandra-5.0.0-src.tar.gz": "ee40905acda499717462d315c4004c4053994cd9ea0eb0ec51dd8abb8707334f", + "cassandra-build-cache-1-5.0.0.tar.gz": "b9c8d4bd4f01bef3ded9b62de416604e39cb238e38493b4765e5d15be96b764d", "cassandra.service": "6dec7dc13d2d8b53627936bf0c66fbb202045331eeec2edcc7fa0527817258d2" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/cassandra/cassandra.spec b/SPECS-EXTENDED/cassandra/cassandra.spec index 0f4c590053..cbdaa9066c 100644 
--- a/SPECS-EXTENDED/cassandra/cassandra.spec +++ b/SPECS-EXTENDED/cassandra/cassandra.spec @@ -3,9 +3,9 @@ Summary: Cassandra is a highly scalable, eventually consistent, distributed, structured key-value store Name: cassandra -Version: 4.0.10 -Release: 1%{?dist} -URL: http://cassandra.apache.org/ +Version: 5.0.0 +Release: 2%{?dist} +URL: https://cassandra.apache.org/ License: Apache License, Version 2.0 Group: Applications/System Vendor: Microsoft Corporation @@ -15,8 +15,7 @@ Source1: cassandra.service # Refer to Readme file for detailed # instructions to regenerate cassandra-build-cache # whenever updating to newer version. -Source2: cassandra-build-cache-%{version}.tar.gz -ExclusiveArch: x86_64 +Source2: cassandra-build-cache-1-%{version}.tar.gz BuildRequires: ant BuildRequires: ant-junit @@ -29,7 +28,7 @@ BuildRequires: git BuildRequires: tar BuildRequires: which BuildRequires: systemd-rpm-macros -BuildRequires: msopenjdk-11 +BuildRequires: msopenjdk-17 BuildRequires: javapackages-local-bootstrap BuildRequires: javapackages-tools BuildRequires: xml-commons-apis @@ -39,7 +38,7 @@ BuildRequires: python3-devel BuildRequires: python3-libs BuildRequires: python3-setuptools -Requires: msopenjdk-11 +Requires: msopenjdk-17 Requires: javapackages-tools Requires: which Requires: gawk @@ -62,12 +61,19 @@ mkdir -p ~/.m2 mv repository ~/.m2/ export JAVA_HOME="%{java_home}" -export ANT_OPTS="-Xmx1024m -XX:MaxPermSize=512m" +export ANT_OPTS="-Xmx1024m -XX:MaxMetaspaceSize=512m" ant -v clean jar javadoc -Drelease=true -Duse.jdk11=true # clean build cache rm -rf ~/.m2 +%ifarch x86_64 +rm $(find lib/sigar-bin -type f -name "*" ! -name "libsigar-amd64-linux.so") +%endif +%ifarch aarch64 +rm -r lib/sigar-bin +%endif + %install mkdir -p %{buildroot}%{_var}/opt/%{name}/data mkdir -p %{buildroot}%{_var}/log/%{name} 
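Review bot: In the new `%ifarch x86_64` branch of `%build`, `rm $(find lib/sigar-bin -type f -name "*" ! -name "libsigar-amd64-linux.so")` depends on an unquoted command substitution: a path containing whitespace is split into separate arguments, and when find matches nothing `rm` runs without operands and returns an error. `find lib/sigar-bin -type f ! -name "libsigar-amd64-linux.so" -delete` does the same job without the substitution. The retained `libsigar-amd64-linux.so` appears to come prebuilt from the source tarball rather than from this build, so a comment saying why it is kept and where it originates would help later audits. The `ant` line still passes `-Duse.jdk11=true` while the build now requires msopenjdk-17; it is worth confirming the flag is still intended.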
@@ -141,6 +147,15 @@ fi %exclude %{_var}/opt/cassandra/build/lib %changelog +* Thu Jun 19 2025 Jyoti Kanase - 5.0.0-2 +- Adding support for aarch64 + +* Thu May 29 2025 Jyoti Kanase - 5.0.0-1 +- Upgrade version to 5.0.0 + +* Thu May 22 2025 Jyoti Kanase - 4.0.10-2 +- Update path for JAVA_HOME + * Tue May 30 2023 Suresh Babu Chalamalasetty 4.0.10-1 - Upgrade version to 4.0.10 to address CVE-2023-30601. diff --git a/SPECS-EXTENDED/catatonit/catatonit.spec b/SPECS-EXTENDED/catatonit/catatonit.spec index 95d6abd771..c1b9a92af1 100644 --- a/SPECS-EXTENDED/catatonit/catatonit.spec +++ b/SPECS-EXTENDED/catatonit/catatonit.spec @@ -3,7 +3,7 @@ Distribution: Azure Linux Name: catatonit Version: 0.1.7 -Release: 18%{?dist} +Release: 19%{?dist} Summary: A signal-forwarding process manager for containers License: GPLv3+ URL: https://github.com/openSUSE/catatonit @@ -13,7 +13,7 @@ BuildRequires: automake BuildRequires: file BuildRequires: gcc BuildRequires: git -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: libtool BuildRequires: make @@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name} %{_libexecdir}/podman/%{name} %changelog +* Thu May 22 2025 Kanishk Bansal - 0.1.7-19 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps - 0.1.7-18 - Bump to rebuild with updated glibc diff --git a/SPECS-EXTENDED/cim-schema/cim-schema.spec b/SPECS-EXTENDED/cim-schema/cim-schema.spec index a4e7973587..0ade327bca 100644 --- a/SPECS-EXTENDED/cim-schema/cim-schema.spec +++ b/SPECS-EXTENDED/cim-schema/cim-schema.spec 
@@ -38,13 +38,13 @@ Distribution: Azure Linux %global update 1 Name: cim-schema -Url: http://www.dmtf.org/ +Url: https://www.dmtf.org/ Summary: Common Information Model (CIM) Schema Version: %{major}.%{minor}.%{update} -Release: 6%{?dist} +Release: 7%{?dist} License: LicenseRef-DMTF -Source0: http://www.dmtf.org/standards/cim/cim_schema_v%{major}%{minor}%{update}/cim_schema_%{version}Experimental-MOFs.zip -Source1: http://www.dmtf.org/standards/cim/cim_schema_v%{major}%{minor}%{update}/cim_schema_%{version}Experimental-Doc.zip +Source0: https://www.dmtf.org/standards/cim/cim_schema_v%{major}%{minor}%{update}/cim_schema_%{version}Experimental-MOFs.zip +Source1: https://www.dmtf.org/standards/cim/cim_schema_v%{major}%{minor}%{update}/cim_schema_%{version}Experimental-Doc.zip Source2: LICENSE BuildArch: noarch @@ -63,7 +63,7 @@ provides the actual model descriptions. Authors: -------- - DTMF + DTMF %description docs Common Information Model (CIM) schema documentation. @@ -88,19 +88,22 @@ ln -s cimv%{version} $RPM_BUILD_ROOT/$MOFDIR/cim-current ln -s cim_schema_%{version}.mof $RPM_BUILD_ROOT/$MOFDIR/cim-current/CIM_Schema.mof install -d $RPM_BUILD_ROOT/usr/bin mkdir -p $RPM_BUILD_ROOT/%{_docdir}/%{name} -cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_docdir}/%{name} +cp -a %{SOURCE2} . %files %dir %{_datarootdir}/mof %dir %{_datarootdir}/mof/cimv%{version} %{_datarootdir}/mof/cimv%{version}/* %{_datarootdir}/mof/cim-current -%doc %{_docdir}/%{name}/LICENSE +%license LICENSE %files docs %doc ../%{name}-docs/* %changelog +* Thu Jun 19 2025 Kshitiz Godara - 2.54.1-7 +- Address issues introduced by PR 11486 + * Tue Dec 17 2024 Akarsh Chaudhary - 2.54.1-6 - Initial Azure Linux import from Fedora 41 (license: MIT). - License verified 
diff --git a/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-Doc.zip b/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-Doc.zip deleted file mode 100644 index b9a3e08480..0000000000 Binary files a/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-Doc.zip and /dev/null differ diff --git a/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-MOFs.zip b/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-MOFs.zip deleted file mode 100644 index e5d81f8005..0000000000 Binary files a/SPECS-EXTENDED/cim-schema/cim_schema_2.54.1Experimental-MOFs.zip and /dev/null differ diff --git a/SPECS-EXTENDED/cjose/cjose.signatures.json b/SPECS-EXTENDED/cjose/cjose.signatures.json index b31361cdfd..d4f36502c5 100644 --- a/SPECS-EXTENDED/cjose/cjose.signatures.json +++ b/SPECS-EXTENDED/cjose/cjose.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "cjose-0.6.1.tar.gz": "208eaa0fa616b44a71d8aa155c40b14c7c9d0fa2bb91d1408824520d2fc1b4dd" + "cjose-0.6.2.2_updated.tar.gz": "2de8652b23ee3e15398176e8b2aaa513aa89635368f2748fbc304f8aefe910a4" } } diff --git a/SPECS-EXTENDED/cjose/cjose.spec b/SPECS-EXTENDED/cjose/cjose.spec index 6b31faa9bd..0df7b94e66 100644 --- a/SPECS-EXTENDED/cjose/cjose.spec +++ b/SPECS-EXTENDED/cjose/cjose.spec 
@@ -1,21 +1,21 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Name: cjose -Version: 0.6.1 -Release: 6%{?dist} +Version: 0.6.2.2 +Release: 7%{?dist} Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) License: MIT -URL: https://github.com/cisco/cjose -Source0: https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz - -Patch1: concatkdf.patch +URL: https://github.com/OpenIDC/cjose +# There is already a source tarball with 0.6.2.2 containing 0.6.0 source code, updated name of tarball +Source0: https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz#/cjose-%{version}_updated.tar.gz BuildRequires: gcc BuildRequires: doxygen BuildRequires: openssl-devel BuildRequires: jansson-devel BuildRequires: check-devel +BuildRequires: make %description Implementation of JOSE for C/C++ 
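Review bot: The comment added above `Source0` does not say where the conflicting tarball lives or how the two files are told apart, which is what a maintainer needs when re-fetching sources. Something like `# A cjose-0.6.2.2.tar.gz holding 0.6.0 code already exists, so the upstream 0.6.2.2 release is stored as cjose-0.6.2.2_updated.tar.gz; the hash in cjose.signatures.json identifies it.` would make that explicit. The same hunk moves the upstream from `cisco/cjose` to `OpenIDC/cjose` and drops `Patch1: concatkdf.patch`. Presumably the new repository is the maintained successor and already contains the big-endian fix, but neither is stated in the spec or in the Azure Linux changelog entry.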
@@ -64,8 +64,55 @@ make check || (cat test/test-suite.log; exit 1) %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 0.6.1-6 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). +* Tue Dec 17 2024 Akarsh Chaudhary - 0.6.2.2-7 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified + +* Tue Oct 22 2024 Richard W.M. Jones - 0.6.2.2-6 +- Rebuild for Jansson 2.14 + (https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3PYINSQGKQ4BB25NQUI2A2UCGGLAG5ND/) + +* Wed Jul 17 2024 Fedora Release Engineering - 0.6.2.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Tue Jan 23 2024 Fedora Release Engineering - 0.6.2.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 0.6.2.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Sep 1 2023 Tomas Halman - 0.6.2.2-2 +- migrated to SPDX license + +* Wed Jul 26 2023 Tomas Halman - 0.6.2.2-1 +- Rebase to version 0.6.2.2. Solves CVE-2023-37464. 
+ +* Wed Jul 19 2023 Fedora Release Engineering - 0.6.1-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jan 18 2023 Fedora Release Engineering - 0.6.1-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Oct 28 2022 Stephen Gallagher - 0.6.1-12 +- Enable build on OpenSSL 3.0 + +* Wed Jul 20 2022 Fedora Release Engineering - 0.6.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Jan 19 2022 Fedora Release Engineering - 0.6.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 0.6.1-9 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 0.6.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.6.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.6.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Tue Jan 28 2020 Fedora Release Engineering - 0.6.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/SPECS-EXTENDED/cjose/concatkdf.patch b/SPECS-EXTENDED/cjose/concatkdf.patch deleted file mode 100644 index abeccaf2cf..0000000000 --- a/SPECS-EXTENDED/cjose/concatkdf.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -commit 0238eb8f3612515f4374381b593dd79116169330 -Author: John Dennis -Date: Thu Aug 2 16:21:33 2018 -0400 - - fix concatkdf failures on big endian architectures - - Several of the elements used to compute the digest in ECDH-ES key - agreement computation are represented in binary form as a 32-bit - integer length followed by that number of octets. the length - field. The 32-bit length integer is represented in big endian - format (the 8 most significant bits are in the first octet.). - - The conversion to a 4 byte big endian integer was being computed - in a manner that only worked on little endian architectures. The - function htonl() returns a 32-bit integer whose octet sequence given - the address of the integer is big endian. There is no need for any - further manipulation. - - The existing code used bit shifting on a 32-bit value. In C bit - shifting is endian agnostic for multi-octet values, a right shift - moves most significant bits toward least significant bits. The result - of a bit shift of a multi-octet value on either big or little - archictures will always be the same provided you "view" it as the same - data type (e.g. 32-bit integer). But indexing the octets of that - mulit-octet value will be different depending on endianness, hence the - assembled octets differed depending on endianness. - - Issue: #77 - 
Signed-off-by: John Dennis - -diff --git a/src/concatkdf.c b/src/concatkdf.c -index ec064ab..59b845a 100644 ---- a/src/concatkdf.c -+++ b/src/concatkdf.c -@@ -29,15 +29,9 @@ - //////////////////////////////////////////////////////////////////////////////// - static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer) - { -- const uint32_t formatted = htonl(value); -- const uint8_t data[4] = { -- (formatted >> 0) & 0xff, -- (formatted >> 8) & 0xff, -- (formatted >> 16) & 0xff, -- (formatted >> 24) & 0xff -- }; -- memcpy(buffer, data, 4); -+ const uint32_t big_endian_int32 = htonl(value); - -+ memcpy(buffer, &big_endian_int32, 4); - return buffer + 4; - } - -diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c -index e4325fc..41d0f1c 100644 ---- a/test/check_concatkdf.c -+++ b/test/check_concatkdf.c -@@ -60,14 +60,9 @@ _create_otherinfo_header_finish: - - static bool _cmp_uint32(uint8_t **actual, uint32_t expected) - { -- uint32_t value = htonl(expected); -- uint8_t expectedData[] = { -- (value >> 0) & 0xff, -- (value >> 8) & 0xff, -- (value >> 16) & 0xff, -- (value >> 24) & 0xff -- }; -- bool result = (0 == memcmp(*actual, expectedData, 4)); -+ uint32_t big_endian_int32 = htonl(expected); -+ -+ bool result = (0 == memcmp(*actual, &big_endian_int32, 4)); - (*actual) += 4; - return result; - } diff --git a/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.signatures.json b/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.signatures.json deleted file mode 100644 index 2dbc8203d5..0000000000 --- a/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "containernetworking-plugins-1.6.1.tar.gz": "5e2ea69bca08bfb92921f22fa2cc1e69392ee139a5878068dfbc1c7568e37b01" - } -} 
diff --git a/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.spec b/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.spec deleted file mode 100644 index e38ea0f7d1..0000000000 --- a/SPECS-EXTENDED/containernetworking-plugins/containernetworking-plugins.spec +++ /dev/null 
@@ -1,545 +0,0 @@ -%global with_debug 1 -%global provider github -%global provider_tld com -%global project containernetworking -%global repo plugins -%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} -%global import_path %{provider_prefix} -%global git0 https://%{import_path} - -# Used for comparing with latest upstream tag -# to decide whether to autobuild (non-rawhide only) -%define built_tag v1.6.1 -%define built_tag_strip %(b=%{built_tag}; echo ${b:1}) - -%global gen_version %(b=%{built_tag_strip}; echo ${b/-/"~"}) -%define download_url %{git0}/archive/%{built_tag}.tar.gz - -Name: containernetworking-plugins -Version: 1.6.1 -Release: 4%{?dist} -Summary: Reference and example networking plugins, maintained by the CNI team - -# Generated by go-vendor-tools -License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -URL: https://github.com/containernetworking/plugins -Source0: %{download_url}#/%{name}-%{version}.tar.gz - -BuildRequires: golang >= 1.23 -BuildRequires: systemd-devel -BuildRequires: go-rpm-macros -BuildRequires: go-md2man - -Requires: systemd - -Obsoletes: containernetworking-cni < 0.7.1-2 -Provides: containernetworking-cni = %{version}-%{release} -Provides: kubernetes-cni -Provides: container-network-stack = 1 - -%description -%{common_description} -The CNI (Container Network Interface) project consists of a specification -and libraries for writing plugins to configure network interfaces in Linux -containers, along with a number of supported plugins. CNI concerns itself -only with network connectivity of containers and removing allocated resources -when the container is deleted. 
- -%prep -%autosetup -p1 -n plugins-%{version} - -# Use correct paths in cni-dhcp unitfiles -# sed -i 's/\/opt\/cni\/bin/\%%{_libexecdir}\/cni/' plugins/ipam/dhcp/systemd/cni-dhcp.service -sed -i 's/\/opt\/cni\/bin/\%{_prefix}\/libexec\/cni/' plugins/ipam/dhcp/systemd/cni-dhcp.service - -# remove MS Windows specific plugins -rm -rf plugins/main/windows - -%build -./build_linux.sh - -%install -install -m 0755 -vd %{buildroot}%{_libexecdir}/cni -install -m 0755 -vp bin/* %{buildroot}/%{_libexecdir}/cni/ - -install -dp %{buildroot}%{_unitdir} -install -p plugins/ipam/dhcp/systemd/cni-dhcp.service %{buildroot}%{_unitdir} -install -p plugins/ipam/dhcp/systemd/cni-dhcp.socket %{buildroot}%{_unitdir} - -%files -%license vendor/modules.txt -%doc CONTRIBUTING.md OWNERS.md README.md RELEASING.md - -%dir %{_libexecdir}/cni -%{_libexecdir}/cni/* -%{_unitdir}/cni-dhcp.service -%{_unitdir}/cni-dhcp.socket - -%changelog -* Thu Apr 17 2025 Archana Shettigar - 1.6.1-4 -- Initial Azure Linux import from Fedora 41 (license: MIT). -- License verified. - -* Tue Dec 31 2024 Bradley G Smith - 1.6.1-3 -- Align packit syntax with docker-compose example - -* Wed Dec 04 2024 Bradley G Smith - 1.6.1-2 -- Correct syntax to generate vendor archive - -* Mon Dec 02 2024 Bradley G Smith - 1.6.1-1 -- Update to release v1.6.1 -- Resolves rhbz# -- Upstream bug fix -- Revised spec file that uses vendored archive in addition to upstream - source archive. - -* Mon Dec 02 2024 Bradley G Smith - 1.6.0-2 -- Update packit to generate vendor archive - -* Tue Oct 15 2024 Bradley G Smith - 1.6.0-1 -- Update to v1.6.0 - -* Tue Sep 03 2024 Bradley G Smith - 1.5.1-1 -- Update to v1.5.1 -- Upstream fix to tar image's owner. 
- -* Wed Jul 17 2024 Fedora Release Engineering - 1.4.0-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Tue Mar 19 2024 Bradley G Smith - 1.4.0-8 -- Add F40 support and update F38 to v1.4 - -* Mon Mar 18 2024 Bradley G Smith - 1.4.0-7 -- Adds Initial Packit Integration - -* Sun Mar 17 2024 Bradley G Smith - 1.4.0-6 -- Fix incorrect bundled provides syntax - -* Sat Feb 17 2024 Bradley G Smith - 1.4.0-5 -- Replace manual awk script with macro supported vendoring - -* Sun Feb 11 2024 Maxwell G - 1.4.0-4 -- Rebuild for golang 1.22.0 - -* Wed Jan 24 2024 Fedora Release Engineering - 1.4.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 1.4.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Thu Jan 04 2024 Bradley G Smith - 1.4.0-1 -- Update to v1.4.0 - -* Wed Jul 19 2023 Fedora Release Engineering - 1.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jun 22 2023 Yaakov Selkowitz - 1.3.0-2 -- Import 1.3.0 sources - -* Mon Jun 05 2023 Peter Hunt - 1.3.0-1 -- bump to v1.3.0 - -* Wed Mar 08 2023 Lokesh Mandvekar - 1.1.1-16 -- Resolves: #2161274, #2163068 - Rebuild for CVE-2022-41717 - -* Mon Mar 06 2023 Lokesh Mandvekar - 1.1.1-15 -- migrated to SPDX license - -* Thu Jan 19 2023 Fedora Release Engineering - 1.1.1-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Oct 28 2022 Troy Dawson - 1.1.1-13 -- Add ExclusiveArch - -* Mon Oct 10 2022 Lokesh Mandvekar - 1.1.1-12 -- remove debbuild macros to comply with Fedora guidelines - -* Thu Aug 18 2022 Lokesh Mandvekar - 1.1.1-11 -- no bundled provides for debbuild - -* Wed Aug 17 2022 Lokesh Mandvekar - 1.1.1-10 -- use easier tag macros to make both fedora and debbuild happy - -* Tue Aug 16 2022 Lokesh Mandvekar - 1.1.1-9 -- enable debbuild - -* Thu Jul 21 2022 Maxwell G - 1.1.1-8 -- Fix FTBFS - -* Wed Jul 20 2022 Fedora Release Engineering - 
1.1.1-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Tue Jul 19 2022 Maxwell G - 1.1.1-6 -- Rebuild for - CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang - -* Sat Jun 18 2022 Robert-André Mauchin - 1.1.1-5 -- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, - CVE-2022-27191, CVE-2022-29526, CVE-2022-30629 - -* Fri Jun 17 2022 Robert-André Mauchin - 1.1.1-4 -- Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, - CVE-2022-27191, CVE-2022-29526, CVE-2022-30629 - -* Mon May 30 2022 Lokesh Mandvekar - 1.1.1-3 -- remove unused macros - -* Mon May 30 2022 RH Container Bot - 1.1.1-2 -- auto bump to v1.1.1 - -* Fri Apr 01 2022 Lokesh Mandvekar - 1.1.1-1 -- bump to v1.1.1 - -* Mon Mar 07 2022 Lokesh Mandvekar - 1.1.0-1 -- bump to v1.1.0 - -* Wed Feb 02 2022 Lokesh Mandvekar - 1.0.1-4 -- Provides: container-network-stack = 1 - -* Mon Jan 24 2022 Lokesh Mandvekar - 1.0.1-3 -- switch to autospec and Provides: container-network-stack - -* Wed Jan 19 2022 Fedora Release Engineering - 1.0.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Sep 08 2021 RH Container Bot - 1.0.1-1 -- containernetworking-plugins-1.0.1-1 - -* Thu Aug 19 2021 Lokesh Mandvekar - 1.0.0-14 -- containernetworking-plugins-1.0.0-21 -- fix release tag and built v1.0.0 - -* Mon Aug 16 2021 RH Container Bot - 1.0.0-13 -- containernetworking-plugins-1.0.0-1 - -* Mon Aug 02 2021 Lokesh Mandvekar - 1.0.0-12 -- containernetworking-plugins-1.0.0-20.1.git2876cd5 -- Resolves: #1983596, #1987737 - Security fix for CVE-2021-34558 - -* Wed Jul 21 2021 Fedora Release Engineering - 1.0.0-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jul 21 2021 Fedora Release Engineering - 1.0.0-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jun 17 2021 RH Container Bot - 1.0.0-9 -- containernetworking-plugins-1.0.0-18.1.git2876cd5 -- autobuilt 2876cd5 - -* Mon Jun 14 2021 
Lokesh Mandvekar - 1.0.0-8 -- containernetworking-plugins-1.0.0-17.1.git5238c13 -- BR: go-rpm-macros to re-enable debuginfo - -* Sat Jun 12 2021 Kevin Fenzi - 1.0.0-7 -- Disable debug packages to get rawhide composing. - -* Mon Jun 07 2021 Lokesh Mandvekar - 1.0.0-6 -- containernetworking-plugins-1.0.0-15.1.git5238c13 -- Resolves: #1962008 - use correct plugin path in unitfile - -* Mon Jun 07 2021 Lokesh Mandvekar - 1.0.0-5 -- Resolves: #1962008 - -* Thu Jun 03 2021 RH Container Bot - 1.0.0-4 -- containernetworking-plugins-1.0.0-14.1.git5238c13 -- autobuilt 5238c13 - -* Thu May 27 2021 RH Container Bot - 1.0.0-3 -- containernetworking-plugins-1.0.0-13.1.git78702e9 -- autobuilt 78702e9 - -* Thu May 20 2021 RH Container Bot - 1.0.0-2 -- containernetworking-plugins-1.0.0-12.1.git6618a0a -- autobuilt 6618a0a - -* Thu May 06 2021 RH Container Bot - 1.0.0-1 -- containernetworking-plugins-1.0.0-11.1.git8de0287 -- bump to 1.0.0 -- autobuilt 8de0287 - -* Tue Apr 20 2021 RH Container Bot - 0.9.1-10 -- containernetworking-plugins-0.9.1-10.1.gitb41052c -- autobuilt b41052c - -* Wed Mar 10 2021 RH Container Bot - 0.9.1-9 -- containernetworking-plugins-0.9.1-9.1.git2989aba -- autobuilt 2989aba - -* Mon Mar 08 2021 Lokesh Mandvekar - 0.9.1-8 -- containernetworking-plugins-0.9.1-8.1.gitd385120 -- fix build issues - -* Wed Mar 03 2021 RH Container Bot - 0.9.1-7 -- containernetworking-plugins-0.9.1-7.1.gitd385120 -- autobuilt d385120 - -* Wed Mar 03 2021 RH Container Bot - 0.9.1-6 -- containernetworking-plugins-0.9.1-6.1.git1c1799e -- autobuilt 1c1799e - -* Wed Mar 03 2021 RH Container Bot - 0.9.1-5 -- containernetworking-plugins-0.9.1-5.1.git0ea07b8 -- autobuilt 0ea07b8 - -* Wed Feb 24 2021 RH Container Bot - 0.9.1-4 -- containernetworking-plugins-0.9.1-4.1.git47927f5 -- autobuilt 47927f5 - -* Wed Feb 24 2021 RH Container Bot - 0.9.1-3 -- containernetworking-plugins-0.9.1-3.1.git8936113 -- autobuilt 8936113 - -* Mon Feb 15 2021 Lokesh Mandvekar - 0.9.1-2 -- 
containernetworking-plugins-0.9.1-2.1.gitfa48f75 -- Resolves: #1928513 - install cni-dhcp unitfiles - -* Fri Feb 05 2021 Lokesh Mandvekar - 0.9.1-1 -- containernetworking-plugins-0.9.1-1.1.gitfa48f75 -- built fa48f75 - -* Fri Feb 05 2021 Lokesh Mandvekar - 0.9.0-7 -- include CVE ID in changelog - -* Fri Feb 05 2021 Lokesh Mandvekar - 0.9.0-6 -- containernetworking-plugins-0.9.0-27.1.git74a6b28 -- Resolves: #1919391,1925399 - -* Wed Jan 27 2021 RH Container Bot - 0.9.0-5 -- containernetworking-plugins-0.9.0-26.1.git8feef71 -- autobuilt 8feef71 - -* Tue Jan 26 2021 Fedora Release Engineering - 0.9.0-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Wed Jan 20 2021 RH Container Bot - 0.9.0-3 -- containernetworking-plugins-0.9.0-24.1.git8c66d68 -- autobuilt 8c66d68 - -* Mon Jan 11 2021 RH Container Bot - 0.9.0-2 -- containernetworking-plugins-0.9.0-23.1.git48a97a7 -- autobuilt 48a97a7 - -* Thu Jan 07 2021 RH Container Bot - 0.9.0-1 -- containernetworking-plugins-0.9.0-22.1.git3819ef7 -- bump to 0.9.0 -- autobuilt 3819ef7 - -* Wed Dec 09 2020 RH Container Bot - 0.8.7-9 -- containernetworking-plugins-0.8.7-21.1.gite13bab9 -- autobuilt e13bab9 - -* Wed Nov 25 2020 RH Container Bot - 0.8.7-8 -- containernetworking-plugins-0.8.7-20.1.git509d645 -- autobuilt 509d645 - -* Thu Nov 19 2020 RH Container Bot - 0.8.7-7 -- containernetworking-plugins-0.8.7-19.1.gitcccf539 -- autobuilt cccf539 - -* Thu Nov 12 2020 RH Container Bot - 0.8.7-6 -- containernetworking-plugins-0.8.7-18.1.git8aad973 -- autobuilt 8aad973 - -* Thu Nov 05 2020 RH Container Bot - 0.8.7-5 -- containernetworking-plugins-0.8.7-17.1.gitccd872b -- autobuilt ccd872b - -* Fri Oct 23 2020 RH Container Bot - 0.8.7-4 -- containernetworking-plugins-0.8.7-16.1.git440dcc3 -- autobuilt 440dcc3 - -* Thu Oct 15 2020 RH Container Bot - 0.8.7-3 -- containernetworking-plugins-0.8.7-15.1.gita9abbaf -- autobuilt a9abbaf - -* Thu Oct 08 2020 RH Container Bot - 0.8.7-2 -- 
containernetworking-plugins-0.8.7-14.1.git6df03d7 -- autobuilt 6df03d7 - -* Wed Sep 16 2020 RH Container Bot - 0.8.7-1 -- containernetworking-plugins-0.8.7-13.1.gite78e6aa -- bump to 0.8.7 -- autobuilt e78e6aa - -* Wed Aug 26 2020 RH Container Bot - 0.8.6-12 -- containernetworking-plugins-0.8.6-12.1.git9b8de6a -- autobuilt 9b8de6a - -* Wed Aug 05 2020 RH Container Bot - 0.8.6-11 -- containernetworking-plugins-0.8.6-11.1.gitbd58999 -- autobuilt bd58999 - -* Wed Aug 05 2020 RH Container Bot - 0.8.6-10 -- containernetworking-plugins-0.8.6-10.1.git8a88f90 -- autobuilt 8a88f90 - -* Mon Jul 27 2020 Fedora Release Engineering - 0.8.6-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 22 2020 RH Container Bot - 0.8.6-8 -- containernetworking-plugins-0.8.6-8.1.gitd713ec6 -- autobuilt d713ec6 - -* Wed Jul 15 2020 RH Container Bot - 0.8.6-7 -- containernetworking-plugins-0.8.6-7.1.git6eb8e31 -- autobuilt 6eb8e31 - -* Wed Jul 08 2020 RH Container Bot - 0.8.6-6 -- containernetworking-plugins-0.8.6-6.1.gitc90b165 -- autobuilt c90b165 - -* Wed Jul 01 2020 RH Container Bot - 0.8.6-5 -- containernetworking-plugins-0.8.6-5.1.git28773dc -- autobuilt 28773dc - -* Wed Jun 24 2020 RH Container Bot - 0.8.6-4 -- containernetworking-plugins-0.8.6-4.1.gite1f8f9b -- autobuilt e1f8f9b - -* Wed Jun 03 2020 RH Container Bot - 0.8.6-3 -- containernetworking-plugins-0.8.6-3.1.git1fb9793 -- autobuilt 1fb9793 - -* Wed May 27 2020 RH Container Bot - 0.8.6-2 -- containernetworking-plugins-0.8.6-2.1.gitb76fdd7 -- autobuilt b76fdd7 - -* Fri May 15 2020 Lokesh Mandvekar - 0.8.6-1 -- containernetworking-plugins-0.8.6-1.1.gitad10b6f -- correct version tag - -* Wed May 13 2020 RH Container Bot - 0.8.5-12 -- containernetworking-plugins-0.8.5-8.1.gitad10b6f -- autobuilt ad10b6f - -* Wed Apr 29 2020 RH Container Bot - 0.8.5-11 -- containernetworking-plugins-0.8.5-7.1.gitf7a2fc9 -- autobuilt f7a2fc9 - -* Wed Apr 22 2020 RH Container Bot - 0.8.5-10 -- 
containernetworking-plugins-0.8.5-6.1.git5af9ff4 -- autobuilt 5af9ff4 - -* Wed Apr 15 2020 RH Container Bot - 0.8.5-9 -- containernetworking-plugins-0.8.5-5.1.gita78853f -- autobuilt a78853f - -* Wed Apr 08 2020 RH Container Bot - 0.8.5-8 -- containernetworking-plugins-0.8.5-4.1.gitf4332fe -- autobuilt f4332fe - -* Wed Apr 01 2020 RH Container Bot - 0.8.5-7 -- containernetworking-plugins-0.8.5-3.1.git117e30f -- autobuilt 117e30f - -* Fri Mar 20 2020 RH Container Bot - 0.8.5-6 -- containernetworking-plugins-0.8.5-2.1.git47a9fd8 -- autobuilt 47a9fd8 - -* Mon Feb 03 2020 Lokesh Mandvekar - 0.8.5-5 -- disable debuginfo for centos - -* Mon Feb 03 2020 Lokesh Mandvekar - 0.8.5-4 -- GO111MODULE=off - -* Mon Feb 03 2020 Lokesh Mandvekar - 0.8.5-3 -- use BR: golang - -* Mon Feb 03 2020 Lokesh Mandvekar - 0.8.5-2 -- use go-md2man as builddep - -* Thu Jan 30 2020 Lokesh Mandvekar - 0.8.5-1 -- containernetworking-plugins-0.8.5-1.1.gitf5c3d1b -- bump to v0.8.5 -- autobuilt f5c3d1b - -* Tue Jan 28 2020 Fedora Release Engineering - 0.8.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Sep 18 2019 Lokesh Mandvekar (Bot) - 0.8.2-4 -- containernetworking-plugins-0.8.2-0.4.dev.git291ab6c -- autobuilt 291ab6c - -* Wed Sep 11 2019 Lokesh Mandvekar (Bot) - 0.8.2-3 -- containernetworking-plugins-0.8.2-0.3.dev.git23d5525 -- autobuilt 23d5525 - -* Wed Sep 11 2019 Lokesh Mandvekar (Bot) - 0.8.2-2 -- containernetworking-plugins-0.8.2-0.2.dev.git4bb2881 -- autobuilt 4bb2881 - -* Wed Aug 28 2019 Lokesh Mandvekar (Bot) - 0.8.2-1 -- containernetworking-plugins-0.8.2-0.1.dev.git7e68430 -- bump to 0.8.2 -- autobuilt 7e68430 - -* Wed Aug 14 2019 Lokesh Mandvekar (Bot) - 0.8.1-9 -- containernetworking-plugins-0.8.1-7.1.dev.git485be65 -- autobuilt 485be65 - -* Wed Aug 14 2019 Lokesh Mandvekar (Bot) - 0.8.1-8 -- containernetworking-plugins-0.8.1-6.1.dev.gitc9e1c0c -- autobuilt c9e1c0c - -* Mon Aug 12 2019 Lokesh Mandvekar (Bot) - 0.8.1-7 -- 
containernetworking-plugins-0.8.1-5.1.dev.git2d6d4b2 -- autobuilt 2d6d4b2 - -* Wed Aug 07 2019 Lokesh Mandvekar (Bot) - 0.8.1-6 -- containernetworking-plugins-0.8.1-4.1.dev.gitccd683e -- autobuilt ccd683e - -* Wed Jul 31 2019 Lokesh Mandvekar - 0.8.1-5 -- built_tag macro records exact upstream tag built - -* Wed Jul 24 2019 Lokesh Mandvekar (Bot) - 0.8.1-4 -- containernetworking-plugins-0.8.1-3.1.dev.gitded2f17 -- autobuilt ded2f17 - -* Thu Jul 18 2019 Lokesh Mandvekar (Bot) - 0.8.1-3 -- containernetworking-plugins-0.8.1-2.1.dev.git7ba2bcf -- autobuilt 7ba2bcf - -* Wed Jul 10 2019 Lokesh Mandvekar - 0.8.1-2 -- containernetworking-plugins-0.8.1-1.1.dev.git966bbcb -- built 966bbcb -- hook up to autobuild - -* Fri Jun 07 2019 Lokesh Mandvekar - 0.8.1-1 -- containernetworking-plugins-0.8.1-1 -- bump to v0.8.1 - -* Fri May 31 2019 Lokesh Mandvekar - 0.7.5-3 -- add centos7 conditionals - -* Fri May 31 2019 Lokesh Mandvekar - 0.7.5-2 -- BR: git and remove ExcludeArch - -* Fri May 31 2019 Lokesh Mandvekar - 0.7.5-1 -- containernetworking-plugins-0.7.5-1 -- Resolves: #1715758 - CVE-2019-9946 -- bump to v0.7.5 - -* Wed Feb 27 2019 Jason Brooks - 0.7.4-2 -- add provides kubernetes-cni for upstream kubelet compat - -* Wed Feb 13 2019 Lokesh Mandvekar - 0.7.4-1 -- containernetworking-plugins-0.7.4-1 -- bump to v0.7.4 - -* Thu Jan 31 2019 Fedora Release Engineering - 0.7.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Thu Aug 30 2018 Lokesh Mandvekar - 0.7.3-2 -- containernetworking-plugins-0.7.3-2 -- correct upgrade path from older -cni package -- for whatever reason, "<" works but "<=" doesn't for obsoletion - -* Mon Aug 20 2018 Lokesh Mandvekar - 0.7.3-1 -- containernetworking-plugins-0.7.3-1 -- Resolves: #1613909 - rename package to containernetworking-plugins -- Obsoletes containernetworking-cni -- bump to v0.7.3 -## END: Generated by rpmautospec 
diff --git a/SPECS-EXTENDED/cqlsh/cqlsh.signatures.json b/SPECS-EXTENDED/cqlsh/cqlsh.signatures.json new file mode 100644 index 0000000000..e687ebae0b --- /dev/null +++ b/SPECS-EXTENDED/cqlsh/cqlsh.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "cqlsh-6.1.2.tar.gz": "63b0c94709047e251fc1351d5a8098cbd01e71f4faeed3880630d1cd005d2bba" + } +} \ No newline at end of file diff --git a/SPECS-EXTENDED/cqlsh/cqlsh.spec b/SPECS-EXTENDED/cqlsh/cqlsh.spec new file mode 100644 index 0000000000..f6e15e5120 --- /dev/null +++ b/SPECS-EXTENDED/cqlsh/cqlsh.spec 
@@ -0,0 +1,60 @@
+%define srcname cqlsh
+
+Summary: A Python-based command-line client for running simple CQL commands on a Cassandra cluster.
+Name: %{srcname}
+Version: 6.1.2
+Release: 2%{?dist}
+License: Apache License Version 2.0
+Group: Development/Languages/Python
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+Url: https://pypi.python.org/pypi/cqlsh
+
+Source0: https://files.pythonhosted.org/packages/source/c/cqlsh/%{srcname}-%{version}.tar.gz
+
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+
+Requires: python3
+Requires: python3-six
+Requires: cassandra
+Requires: cassandra-driver
+
+BuildArch: noarch
+
+%description
+cqlsh is a Python-based command-line tool, and the most direct way to run simple CQL commonds on a Cassandra cluster.
+This is a simple re-bundling of the open source tool that comes bundled with Cassandra to allow for cqlsh to be installed and run inside of virtual environments..
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+
+%build
+%{py3_build}
+
+%install
+%{py3_install}
+
+%files
+%defattr(-,root,root)
+%{_bindir}/%{srcname}
+%{python3_sitelib}/*
+
+%changelog
+* Thu May 22 2025 Jyoti kanase - 6.1.2-2
+- Initial Azure Linux import from Photon (license: Apache2).
+- License verified.
+
+* Sat Aug 05 2023 Shreenidhi Shedi 6.1.2-1
+- Upgrade to v6.1.2
+- Remove python3-cql dependency
+* Tue Feb 21 2023 Ankit Jain 6.1.0-1
+- Update to 6.1.0
+* Sun Aug 21 2022 Gerrit Photon 6.0.0-1
+- Automatic Version Bump
+* Thu Nov 11 2021 Shreenidhi Shedi 6.0.0ga-1
+- Update to 6.0.0
+* Wed Jun 09 2021 Ankit Jain 6.0.0b4-1
+- Update to 6.0.0b4 to support python3
+* Mon Jul 10 2017 Xiaolin Li 5.0.4-1
+- Initial packaging for Photon
diff --git a/SPECS-EXTENDED/dyninst/dyninst.spec b/SPECS-EXTENDED/dyninst/dyninst.spec
index 000ba95e12..82a3b7030f 100644
--- a/SPECS-EXTENDED/dyninst/dyninst.spec
+++ b/SPECS-EXTENDED/dyninst/dyninst.spec
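Review bot: The `%files` list of the new cqlsh.spec has no `%license` entry, and the `License:` tag is the free-form string `Apache License Version 2.0`, although the changelog records the license as verified. I would use `License: Apache-2.0`, the SPDX form that facter.spec switches to in this same commit, and add a `%license` line for the license file if the sdist ships one (its name is not visible here). `%{python3_sitelib}/*` also packages whatever the install step drops into site-packages; naming the module and its metadata directory explicitly would keep unexpected files out. The `%description` has a typo, `commonds`, and ends in a doubled period.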
@@ -1,7 +1,7 @@ Summary: An API for Run-time Code Generation License: LGPLv2+ Name: dyninst -Release: 20%{?dist} +Release: 21%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux URL: http://www.dyninst.org @@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel # Extra requires just for the testsuite BuildRequires: gcc-gfortran libstdc++-static libxml2-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} # Testsuite files should not provide/require anything %{?filter_setup: @@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a %changelog +* Thu May 22 2025 Kanishk Bansal - 10.1.0-21 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps - 10.1.0-20 - Bump to rebuild with updated glibc diff --git a/SPECS-EXTENDED/elinks/0005-elinks-0.15.0-xterm.patch b/SPECS-EXTENDED/elinks/0005-elinks-0.15.0-xterm.patch index aacb1e6dd1..1b7b99061e 100644 --- a/SPECS-EXTENDED/elinks/0005-elinks-0.15.0-xterm.patch +++ b/SPECS-EXTENDED/elinks/0005-elinks-0.15.0-xterm.patch @@ -1,10 +1,10 @@ From b2f38ad669e99a650850a36576a4d54c57bf9ac0 Mon Sep 17 00:00:00 2001 From: Kamil Dudka -Date: Mon, 11 Apr 2022 09:27:22 +0200 +Date: Tue, 2 Jan 2023 11:48:22 +0100 Subject: [PATCH] Resolves: #128105 - use "Linux" xterm terminal driver instead of "VT100" -elinks-0.10.1-xterm.patch rebased on 0.15.0 +0005-elinks-0.15.0-xterm.patch rebased on 0.17.0 --- src/config/options.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) @@ -20,8 +20,8 @@ index a43fbe0..a363b36 100644 - get_opt_int("terminal.xterm.type", NULL) = TERM_VT100; + get_opt_int("terminal.xterm.type", NULL) = TERM_LINUX; get_opt_bool("terminal.xterm.underline", NULL) = 1; + get_opt_bool("terminal.xterm.strike", NULL) = 1; get_opt_int("terminal.xterm-color.type", NULL) = TERM_VT100; - get_opt_int("terminal.xterm-color.colors", NULL) = COLOR_MODE_16; -- 2.34.1 
diff --git a/SPECS-EXTENDED/elinks/0006-elinks-0.16.0-libidn2.patch b/SPECS-EXTENDED/elinks/0006-elinks-0.16.0-libidn2.patch deleted file mode 100644 index 22bac40ee5..0000000000 --- a/SPECS-EXTENDED/elinks/0006-elinks-0.16.0-libidn2.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 41461147907ed9a93792309f074072e981b33f42 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 11 Apr 2022 09:39:48 +0200 -Subject: [PATCH] Resolves: #1098789 - add support for GNU Libidn2 - -patch by Robert Scheck ---- - Makefile.config.in | 2 +- - configure.ac | 4 ++-- - src/osdep/win32/win32.c | 2 +- - src/protocol/uri.c | 12 ++++++------ - 4 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/Makefile.config.in b/Makefile.config.in -index bf01d78..73d9762 100644 ---- a/Makefile.config.in -+++ b/Makefile.config.in -@@ -139,7 +139,7 @@ CONFIG_GOPHER = @CONFIG_GOPHER@ - CONFIG_GPM = @CONFIG_GPM@ - CONFIG_GZIP = @CONFIG_GZIP@ - CONFIG_HTML_HIGHLIGHT = @CONFIG_HTML_HIGHLIGHT@ --CONFIG_IDN = @CONFIG_IDN@ -+CONFIG_IDN2 = @CONFIG_IDN2@ - CONFIG_INTERLINK = @CONFIG_INTERLINK@ - CONFIG_IPV6 = @CONFIG_IPV6@ - CONFIG_DBLATEX = @CONFIG_DBLATEX@ -diff --git a/configure.ac b/configure.ac -index d4537ab..d3bf724 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -556,8 +556,8 @@ EL_LOG_CONFIG([CONFIG_BROTLI], [[brotli]], [[$enable_brotli]]) - EL_CONFIG_OPTIONAL_LIBRARY(CONFIG_LZMA, lzma, lzma.h, lzma, lzma_code, - [ --with-lzma enable lzma encoding support]) - --EL_CONFIG_OPTIONAL_LIBRARY(CONFIG_IDN, idn, idna.h, idn, stringprep_check_version, -- [ --without-idn disable international domain names support]) -+EL_CONFIG_OPTIONAL_LIBRARY(CONFIG_IDN2, idn2, idn2.h, idn2, idn2_lookup_ul, -+ [ --without-idn2 disable international domain names support]) - - # =================================================================== - # Check for GSSAPI, optional even if installed. 
-diff --git a/src/osdep/win32/win32.c b/src/osdep/win32/win32.c -index 02b1834..f4c148d 100644 ---- a/src/osdep/win32/win32.c -+++ b/src/osdep/win32/win32.c -@@ -44,7 +44,7 @@ init_osdep(void) - } - #endif - setlocale(LC_ALL, ""); --#ifdef CONFIG_IDN -+#ifdef CONFIG_IDN2 - { - char buf[60]; - UINT cp = GetACP(); -diff --git a/src/protocol/uri.c b/src/protocol/uri.c -index a8f15d1..218d1af 100644 ---- a/src/protocol/uri.c -+++ b/src/protocol/uri.c -@@ -9,8 +9,8 @@ - #ifdef HAVE_ICONV - #include - #endif --#ifdef HAVE_IDNA_H --#include -+#ifdef HAVE_IDN2_H -+#include - #endif - #include - #include -@@ -535,10 +535,10 @@ add_uri_to_string(struct string *string, const struct uri *uri, - * --pasky */ - if (uri->ipv6 && wants(URI_PORT)) add_char_to_string(string, '['); - #endif --#ifdef CONFIG_IDN -+#ifdef CONFIG_IDN2 - /* Support for the GNU International Domain Name library. - * -- * http://www.gnu.org/software/libidn/manual/html_node/IDNA-Functions.html -+ * http://www.gnu.org/software/libidn/libidn2/manual/libidn2.html - */ - if (wants(URI_IDN)) { - char *host = NULL; -@@ -556,10 +556,10 @@ add_uri_to_string(struct string *string, const struct uri *uri, - - if (host) { - char *idname; -- int code = idna_to_ascii_8z(host, &idname, 0); -+ int code = idn2_lookup_ul(host, &idname, 0); - - /* FIXME: Return NULL if it coughed? --jonas */ -- if (code == IDNA_SUCCESS) { -+ if (code == IDN2_OK) { - add_to_string(string, idname); - free(idname); - add_host = 0; --- -2.38.1 - diff --git a/SPECS-EXTENDED/elinks/elinks.signatures.json b/SPECS-EXTENDED/elinks/elinks.signatures.json index b53bada3e0..cd9a7770b1 100644 --- a/SPECS-EXTENDED/elinks/elinks.signatures.json +++ b/SPECS-EXTENDED/elinks/elinks.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "elinks-0.16.0.tar.xz": "4d65b78563af39ba1d0a9ab1c081e129ef2ed541009e6ff11c465ba9d8f0f234", + "elinks-0.17.0.tar.xz": "58c73a6694dbb7ccf4e22cee362cf14f1a20c09aaa4273343e8b7df9378b330e", "elinks.conf": "39679e5f67383fb4a9fd749faf0cca09956e25dcfb9fba064bafec126525b22a" } } diff --git a/SPECS-EXTENDED/elinks/elinks.spec b/SPECS-EXTENDED/elinks/elinks.spec index e17ec8eb8f..84524a5689 100644 --- a/SPECS-EXTENDED/elinks/elinks.spec +++ b/SPECS-EXTENDED/elinks/elinks.spec @@ -1,13 +1,13 @@ -Name: elinks -Summary: A text-mode Web browser -Version: 0.16.0 -Release: 3%{?dist} -Vendor: Microsoft Corporation -Distribution: Azure Linux -License: GPLv2 -URL: https://github.com/rkd77/elinks -Source: https://github.com/rkd77/elinks/releases/download/v%{version}/elinks-%{version}.tar.xz -Source2: elinks.conf +Name: elinks +Summary: A text-mode Web browser +Version: 0.17.0 +Release: 1%{?dist} +Vendor: Microsoft Corporation +Distribution: Azure Linux +License: GPLv2 +URL: https://github.com/rkd77/elinks +Source: https://github.com/rkd77/elinks/releases/download/v%{version}/elinks-%{version}.tar.xz +Source2: elinks.conf BuildRequires: automake BuildRequires: bzip2-devel @@ -46,11 +46,9 @@ Patch4: 0004-elinks-0.15.0-sysname.patch # Fix xterm terminal: "Linux" driver seems better than "VT100" (#128105) Patch5: 0005-elinks-0.15.0-xterm.patch -# add support for GNU Libidn2, patch by Robert Scheck (#1098789) -Patch6: 0006-elinks-0.16.0-libidn2.patch # let list_is_singleton() return false for an empty list (#1075415) -Patch15: elinks-0.12pre6-list_is_singleton.patch +Patch6: elinks-0.12pre6-list_is_singleton.patch %description Elinks is a text-based Web browser. Elinks does not display any images, @@ -85,7 +83,7 @@ CFLAGS="$CFLAGS -DLUA_COMPAT_5_3" --without-spidermonkey \ --without-x -%make_build +%make_build -j1 %install %make_install 
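Review bot: `%make_build -j1` in the `%build` hunk of elinks.spec turns off parallel make without recording why, so a later maintainer cannot tell whether the workaround is still needed. A comment directly above it, for example `# 0.17.0 build is not parallel-safe: <observed failure>`, would capture the reason; the failure itself is not visible in this diff, so the wording needs the author's input. In the patch list, `Patch6` now names the list_is_singleton patch that was `Patch15`, so a `%prep` that applies patches by number should be checked against the new numbering; `%prep` lies outside these hunks.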
@@ -122,7 +120,7 @@ exit 0 %files -f elinks.lang %license COPYING -%doc README +%doc README.md %ghost %verify(not md5 size mtime) %{_bindir}/links %{_bindir}/elinks %ghost %verify(not md5 size mtime) %{_mandir}/man1/links.1.gz @@ -131,6 +129,10 @@ exit 0 %{_mandir}/man5/* %changelog +* Fri Mar 21 2025 Jyoti kanase - 0.17.0-1 +- Upgrade to 0.17.0. +- License Verified. + * Thu Jan 26 2023 Henry Li - 0.16.0-1 - Initial CBL-Mariner import from Fedora 38 (license: MIT) - License Verified @@ -662,4 +664,4 @@ exit 0 - provides virtual package webclient. * Thu Jan 6 2000 Bernhard Rosenkraenzer -- initial RPM \ No newline at end of file +- initial RPM diff --git a/SPECS-EXTENDED/facter/facter-4.8.0.gem.asc b/SPECS-EXTENDED/facter/facter-4.8.0.gem.asc new file mode 100644 index 0000000000..4821868bb7 --- /dev/null +++ b/SPECS-EXTENDED/facter/facter-4.8.0.gem.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE1oEe063uuEQa9aqPRSi2zZ5h7yYFAmaf2n8ACgkQRSi2zZ5h +7ya1EA//X+R/lKh8Pq7hvC90foSIsyH2mFptwtR+piKfH3aMwsszhMDpqgEb1KFa +rLf44UQv4ZJWSKBx3K7g5TTIm3mYRUaU7yZIcl3/F5XS6/LHaFzIlPqWIqhd4eAS +h8eP64echKJfkSVZka0T+WAOV9vsWSeGBLmWBSQN1G6iLpW2iz+ntmv6qb5LCE5+ +v/L5lr0/nG4lumAW3rPagysMm2kiJxRZSz7K6hjxa2B61mLo1e8iQfdDohO0h7ok +4y2qsowKnYlrnKlLGSlDKG3AJ4jkU4HJQ5hUYJ6odUxOOxSdDUfe60CcdeKg0rvw +p5LoROJ8UIRqSvZuw2s/xoZKjTNhZsW5mRVl2w4gbA07VibNYj5iM3BLeKcdaITX +nQmeVaS3EZeeAflStkh9uFmTOhuvtwl/ZZa3ksAjYlHjwhjyK2QBpw4wGjuwJdL8 +QMWqjMduBMB1+3IiIGyaoBaMaW2BoP/ESec4p6W8spxNh8KnaOycwtvRLHK2aMfx +JRsEw1MdjxtRDA3HJDqxXfTAHVQHrb82e0BUMvztfFPpZouPXTGGmFDMwccqMOj4 +FK6rEufrnJqDoAbT8msRH3L78ls+Xw2npBFf9UK+mRLFAtq9iMDAB/Ku8bOURoNb +CsKF+nSG4AAAusZP4H5qvnMB/XrSuzYH+9Z2KLiAjUMwspSniVc= +=yn9V +-----END PGP SIGNATURE----- diff --git a/SPECS-EXTENDED/facter/facter.signatures.json b/SPECS-EXTENDED/facter/facter.signatures.json index 9d27e165bf..3f99b777f3 100644 --- a/SPECS-EXTENDED/facter/facter.signatures.json +++ b/SPECS-EXTENDED/facter/facter.signatures.json 
@@ -1,5 +1,7 @@ { "Signatures": { - "facter-4.2.13.gem": "a4f293b585176b080c8f10e9adb7a4d1cfd484268dfef518b162a0422450264c" + "facter-4.8.0.gem": "0950375502fc2ec8a0e55d89d4610be639f6ce5418ab6c5df2205e90e6af6084", + "facter-4.8.0.gem.asc": "53cb68dcba913b796bfb85ab07ee2598fab4d344e335a068e9d66e22f8f219a5", + "puppet-gpg-signing-key-20250406.pub": "4d5a9c73f97235eebe8c69f728aa2efcc8e1ee02282f972efdbbbd3a430be454" } } diff --git a/SPECS-EXTENDED/facter/facter.spec b/SPECS-EXTENDED/facter/facter.spec index 02c708f8d3..fdd89a3046 100644 --- a/SPECS-EXTENDED/facter/facter.spec +++ b/SPECS-EXTENDED/facter/facter.spec @@ -1,33 +1,30 @@ -## START: Set by rpmautospec -## (rpmautospec version 0.2.5) -%define autorelease(e:s:pb:) %{?-p:0.}%{lua: - release_number = 1; - base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); - print(release_number + base_release_number - 1); -}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{?dist} -## END: Set by rpmautospec - %global gem_name facter -%global debug_package %{nil} +%bcond_with docs Name: facter -Version: 4.2.13 +Version: 4.8.0 Release: 1%{?dist} Summary: Command and ruby library for gathering system information Vendor: Microsoft Corporation Distribution: Azure Linux -License: ASL 2.0 + +License: Apache-2.0 URL: https://github.com/puppetlabs/facter Source0: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.gem +Source1: https://downloads.puppetlabs.com/%{name}/%{name}-%{version}.gem.asc +Source2: https://downloads.puppetlabs.com/puppet-gpg-signing-key-20250406.pub + BuildRequires: gnupg2 BuildRequires: rubygems-devel -BuildRequires: ruby >= 2.3 +BuildRequires: ruby >= 2.5 Requires: ruby(rubygems) +Requires: ruby(release) >= 2.5 # Add runtime deps for testing BuildRequires: rubygem(hocon) >= 1.3 BuildRequires: rubygem(thor) >= 1.0.1 +BuildRequires: rubygem(sys-filesystem) # Binaries that Facter can call for complete facts %ifarch %ix86 x86_64 ia64 
@@ -37,6 +34,9 @@ Requires: virt-what %endif Requires: net-tools +# Soft dependency for the mountpoints fact +Requires: rubygem(sys-filesystem) + Provides: ruby-%{name} = %{version} Obsoletes: ruby-%{name} < 4 Obsoletes: %{name}-devel < 4 @@ -54,7 +54,7 @@ custom or site specific. It is easy to extend by including your own custom facts. Facter can also be used to create conditional expressions in Puppet that key off the values returned by facts. - +%if %{with docs} %package doc Summary: Documentation for %{name} Requires: %{name} = %{version}-%{release} @@ -62,10 +62,12 @@ BuildArch: noarch %description doc Documentation for %{name}. - +%endif %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q -n %{gem_name}-%{version} +%gemspec_add_dep -g sys-filesystem %build gem build ../%{gem_name}-%{version}.gemspec @@ -80,12 +82,14 @@ rm %{buildroot}%{gem_instdir}/LICENSE mkdir -p %{buildroot}%{_bindir} cp -a .%{gem_instdir}/bin/facter %{buildroot}%{_bindir} rm -rf %{buildroot}/%{gem_instdir}/bin - +%if %{without docs} +rm -rf %{buildroot}/%{gem_docdir} +%endif %check # No test suite can run since the spec files are not part of the gem # So try to run the executable and see if that works -GEM_HOME="%{buildroot}%{gem_dir}" %{buildroot}%{_bindir}/facter +GEM_HOME="%{buildroot}%{gem_dir}" %{buildroot}%{_bindir}/facter --help %files @@ -96,10 +100,16 @@ GEM_HOME="%{buildroot}%{gem_dir}" %{buildroot}%{_bindir}/facter %exclude %{gem_cache} %{gem_spec} +%if %{with docs} %files doc %doc %{gem_docdir} +%endif %changelog +* Wed Oct 30 2024 Jyoti Kanase - 4.8.0-1 +- Upgrade to 4.8.0 +- License verified. + * Tue May 07 2024 Andy Zaugg 4.2.13-1 - Bumped version to facter version which has Mariner Linux Support diff --git a/SPECS-EXTENDED/facter/puppet-gpg-signing-key-20250406.pub b/SPECS-EXTENDED/facter/puppet-gpg-signing-key-20250406.pub new file mode 100644 index 0000000000..333b379f5a --- /dev/null 
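Review bot: The comment `# Soft dependency for the mountpoints fact` does not match the line under it, because `Requires: rubygem(sys-filesystem)` is a hard dependency, and the `%gemspec_add_dep -g sys-filesystem` added to `%prep` further down makes it a hard gem dependency as well. Either reword the comment, e.g. `# Needed by the mountpoints fact; upstream treats it as optional`, or use `Recommends: rubygem(sys-filesystem)` and drop the gemspec edit if the package is meant to work without it. Which of the two is intended cannot be told from the diff.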
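Review bot: The `%{gpgverify}` line added to `%prep` checks the gem against a keyring that `Source2` fetches from the same host as the gem and its signature, so the check is only as strong as the copy of the key committed to the repository and its hash in facter.signatures.json. A comment above the `Source2` line would make that trust anchor explicit, e.g. `# Key fingerprint <FINGERPRINT>, confirmed against <independent source> on <date>`. The placeholders need the values the author actually verified; they are not on this page.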
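Review bot: The `%check` smoke test now runs `facter --help`, which covers option parsing only and no longer resolves any fact, so a broken fact loader may pass the build unnoticed. If the bare `facter` run fails in the build chroot, a narrow query such as `%{buildroot}%{_bindir}/facter kernel` would keep fact resolution covered. Otherwise a comment above the line stating why `--help` was needed would at least document the reduced coverage.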
+++ b/SPECS-EXTENDED/facter/puppet-gpg-signing-key-20250406.pub @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFyrv4oBEADhL8iyDPZ+GWN7L+A8dpEpggglxTtL7qYNyN5Uga2j0cusDdOD +ftPHsurLjfxtc2EFGdFK/N8y4LSpq+nOeazhkHcPeDiWC2AuN7+NGjH9LtvMUqKy +NWPhPYP2r/xPL547oDMdvLXDH5n+FsLFW8QgATHk4AvlIhGng0gWu80OqTCiL0HC +W7TftkF8ofP8k90SnLYbI9HDVOj6VYYtqG5NeoCHGAqrb79G/jq64Z/gLktD3IrB +CxYhKFfJtZ/BSDB8Aa4ht+jIyeFCNSbGyfFfWlHKvF3JngS/76Y7gxX1sbR3gHJQ +hO25AQdsPYKxgtIgNeB9/oBp1+V3K1W/nta4gbDVwJWCqDRbEFlHIdV7fvV/sqiI +W7rQ60aAY7J6Gjt/aUmNArvT8ty3szmhR0wEEU5/hhIVV6VjS+AQsI8pFv6VB8bJ +TLfOBPDW7dw2PgyWhVTEN8KW/ckyBvGmSdzSgAhw+rAe7li50/9e2H8eiJgBbGid +8EQidZgkokh331CMDkIA6F3ygiB+u2ZZ7ywxhxIRO70JElIuIOiofhVfRnh/ODlH +X7eD+cA2rlLQd2yWf4diiA7C9R8r8vPrAdp3aPZ4xLxvYYZV8E1JBdMus5GRy4rB +Avetp0Wx/1r9zVDKD/J1bNIlt0SR9FTmynZj4kLWhoCqmbrLS35325sS6wARAQAB +tEhQdXBwZXQsIEluYy4gUmVsZWFzZSBLZXkgKFB1cHBldCwgSW5jLiBSZWxlYXNl +IEtleSkgPHJlbGVhc2VAcHVwcGV0LmNvbT6JAlQEEwEKAD4WIQTWgR7Tre64RBr1 +qo9FKLbNnmHvJgUCXKu/igIbAwUJC0c1AAULCQgHAwUVCgkICwUWAgMBAAIeAQIX +gAAKCRBFKLbNnmHvJg/vD/0eOl/pBb6ooGnzg2qoD+XwgOK3HkTdvGNZKGsIrhUG +q6O0zoyPW8v9b/i7QEDre8QahARmMAEQ+T3nbNVzw4kpE+YIrEkKjoJsrF8/K/1L +zBHJCc3S9oF9KubG5BuQ4bAmcvnI+qpEYbSTLHztYGUfXAGu+MnaDf4C60G7zM6m +ec4bX8lVnt+gcsGGGCdN89XsZLBNdv21z9xMeaAPiRYJpbqwrb8cYbKQeqFSQt2M +UylN5oVeN77Q8iyXSyVwpc6uKzXdQ8bVPbKUTWSXQ4SSp0HJjtAMiDH2pjty4PG6 +EgZ6/njJLOzQ29ZgFrS19XLONlptHwKzLYB8nJhJvGHfzzInmNttDtNwTA6IxpsR +4aCnrPWFJRCbmMBNXvBR9B/O+e/T5ngL21ipMEwzEOiQlRSacnO2pICwZ5pARMRI +dxq/5BQYry9HNlJDGR7YIfn7i0oCGk5BxwotSlAPw8jFpNU/zTOvpQAdPvZje2JP +6GS+hYxSdHsigREXI2gxTvpcLk8LOe9PsqJv631e6Kvn9P9OHiihIp8G9fRQ8T7y +elHcNanV192mfbWxJhDAcQ+JEy9883lOanaCoaf/7z4kdmCQLz5/oNg2K0qjSgZH +JY/gxCOwuAuUJlLcAXQG6txJshfMxyQUO46DXg0/gjwkKgT/9PbTJEN/WN/G6n1h +lQ== +=nKF2 +-----END PGP PUBLIC KEY BLOCK----- + 
diff --git a/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-drop-yaml.patch b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-drop-yaml.patch new file mode 100644 index 0000000000..3f9a29a3c2 --- /dev/null +++ b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-drop-yaml.patch 
@@ -0,0 +1,46 @@ +diff -pruN fonts-rpm-macros-2.0.5.orig/bin/gen-fontconf fonts-rpm-macros-2.0.5/bin/gen-fontconf +--- fonts-rpm-macros-2.0.5.orig/bin/gen-fontconf 2020-04-03 07:55:50.000000000 +0900 ++++ fonts-rpm-macros-2.0.5/bin/gen-fontconf 2024-06-03 14:07:58.244902559 +0900 +@@ -23,7 +23,11 @@ from lxml import etree + from operator import itemgetter + import os + from pathlib import PurePath +-import ruamel.yaml ++yaml_supported = True ++try: ++ import ruamel.yaml ++except ModuleNotFoundError: ++ yaml_supported = False + import subprocess + import sys + +@@ -36,14 +40,17 @@ oneormore = ['fullname', 'family', 'styl + parser = argparse.ArgumentParser( + description='Generate traditional fontconfig syntax from a high-level configuration file') + cgroup = parser.add_mutually_exclusive_group(required=True) +-cgroup.add_argument("-y", "--yaml", "-c", "--config", type=str, +- help="YAML configuration file to process") ++mode = ['xml', 'legacy'] ++if yaml_supported: ++ mode.append('yaml') ++ cgroup.add_argument("-y", "--yaml", "-c", "--config", type=str, ++ help="YAML configuration file to process") + cgroup.add_argument("-x", "--xml", type=str, + help="XML configuration file to process") + parser.add_argument("-l", "--license", metavar="SPDX ID", type=str, nargs='?', default="MIT", + help="SPDX license identifier for the generated files") + parser.add_argument("-m", "--mode", metavar="MODE", type=str, nargs='?', +- default="legacy", choices=['xml', 'yaml', 'legacy'], ++ default="legacy", choices=mode, + help="Output format: current fontconfig syntax, or XML/YAML syntax proposals") + parser.add_argument("-w", "--write", action="store_true", + help="Write output to disk") +@@ -685,7 +692,7 @@ ext = '.conf' + if args.mode == 'xml': + ext = '.xml' + +-if args.yaml != None: ++if yaml_supported and args.yaml != None: + groups = readyaml(args.yaml) + if args.write and output == None: + output = PurePath(PurePath(args.yaml).name).with_suffix(ext) 
diff --git a/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-epoch-in-req.patch b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-epoch-in-req.patch new file mode 100644 index 0000000000..fcd8fe8c8a --- /dev/null +++ b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros-epoch-in-req.patch 
@@ -0,0 +1,57 @@ +diff -pruN fonts-rpm-macros-2.0.5.orig/rpm/lua/srpm/fonts.lua fonts-rpm-macros-2.0.5/rpm/lua/srpm/fonts.lua +--- fonts-rpm-macros-2.0.5.orig/rpm/lua/srpm/fonts.lua 2024-06-19 16:39:41.814323447 +0900 ++++ fonts-rpm-macros-2.0.5/rpm/lua/srpm/fonts.lua 2024-06-19 16:42:07.095849192 +0900 +@@ -172,13 +172,31 @@ local function pkg(forcemain, forcesub, + end + end + ++-- Output Requires(meta) line ++local function output_requires(fontpkg) ++ if tonumber(rpm.expand("0%{?epoch}")) == 0 then ++ print(rpm.expand( "Requires(meta): " .. fontpkg .. " = %{version}-%{release}\n")) ++ else ++ print(rpm.expand( "Requires(meta): " .. fontpkg .. " = %{epoch}:%{version}-%{release}\n")) ++ end ++end ++ + -- Create a font (sub)metapackage header + local function metapkg(name, summary, description, suffixes) + local fedora = require "fedora.common" + local fontpkgs = fedora.getsuffixed("fontpkgname") ++ local hsuffix + if (name == "") then + name, _ = string.gsub(rpm.expand("%{name}"), "-fonts$", "") + name = name .. "-fonts-all" ++ hsuffix = "all" ++ else ++ hsuffix = norm(name) ++ end ++ if (rpm.expand("%{?fontpkgheader" .. hsuffix .. "}") ~= "") then ++ fedora.explicitset( "currentfontpkgheader", "%{fontpkgheader" .. hsuffix .. "}", false) ++ else ++ fedora.explicitunset( "currentfontpkgheader", false) + end + if (summary == "") then + summary = "All the font packages, generated from %{name}" +@@ -192,18 +210,19 @@ local function metapkg(name, summary, de + "Summary: " .. summary .. "\n")) + if (suffixes == "") then + for _, fontpkg in pairs(fontpkgs) do +- print(rpm.expand( "Requires(meta): " .. fontpkg .. " = %{version}-%{release}\n")) ++ output_requires(fontpkg) + end + else + for suffix in string.gmatch(rpm.expand(suffixes), "[^%s%p]+") do + local fontpkg = fontpkgs[suffix] + if (fontpkg ~= nil) then +- print(rpm.expand("Requires(meta): " .. fontpkg .. 
" = %{version}-%{release}\n")) ++ output_requires(fontpkg) + end + end + end + print(rpm.expand( + "BuildArch: noarch\n" .. ++ "%{?currentfontpkgheader}\n" .. + "%description -n " .. name .. "\n" .. + description .. "\n" .. + "%files -n " .. name .. "\n\n")) diff --git a/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros.spec b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros.spec index 27be188432..94df2d7b8f 100644 --- a/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros.spec +++ b/SPECS-EXTENDED/fonts-rpm-macros/fonts-rpm-macros.spec @@ -22,22 +22,24 @@ Version: 2.0.5 BuildArch: noarch Name: fonts-rpm-macros -Release: 13%{?dist} +Release: 14%{?dist} Summary: Build-stage rpm automation for fonts packages License: GPL-3.0-or-later URL: https://docs.fedoraproject.org/en-US/packaging-guidelines/FontsPolicy/ Source: %{forgesource} Patch0: %{name}-omit-foundry-in-family.patch -Patch1: update_for_azl.patch +Patch1: %{name}-drop-yaml.patch +Patch2: %{name}-epoch-in-req.patch +Patch3: update_for_azl.patch -Requires: fonts-srpm-macros = %{?epoch:%{epoch}:}%{version}-%{release} -Requires: fonts-filesystem = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: fonts-srpm-macros = %{version}-%{release} +Requires: fonts-filesystem = %{version}-%{release} -Provides: fontpackages-devel = %{?epoch:%{epoch}:}%{version}-%{release} -Obsoletes: fontpackages-devel < %{?epoch:%{epoch}:}%{version}-%{release} +Provides: fontpackages-devel = %{version}-%{release} +Obsoletes: fontpackages-devel < %{version}-%{release} # Tooling dropped for now as no one was willing to maintain it -Obsoletes: fontpackages-tools < %{?epoch:%{epoch}:}%{version}-%{release} +Obsoletes: fontpackages-tools < %{version}-%{release} Requires: fontconfig Requires: libappstream-glib 
@@ -72,8 +74,8 @@ fonts-srpm-macros will pull in for fonts packages only. Summary: Directories used by font packages License: MIT -Provides: fontpackages-filesystem = %{?epoch:%{epoch}:}%{version}-%{release} -Obsoletes: fontpackages-filesystem < %{?epoch:%{epoch}:}%{version}-%{release} +Provides: fontpackages-filesystem = %{version}-%{release} +Obsoletes: fontpackages-filesystem < %{version}-%{release} %description -n fonts-filesystem This package contains the basic directory layout used by font packages, @@ -83,8 +85,8 @@ including the correct permissions for the directories. Summary: Example fonts packages rpm spec templates License: MIT -Requires: fonts-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release} -Supplements: fonts-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: fonts-rpm-macros = %{version}-%{release} +Supplements: fonts-rpm-macros = %{version}-%{release} %description -n fonts-rpm-templates This package contains documented rpm spec templates showcasing how to use the @@ -98,8 +100,10 @@ for template in templates/rpm/*\.spec ; do grep -v '^%%dnl' "${template}" > "${target}" touch -r "${template}" "${target}" done -%patch 0 -p1 -b .1-omit-foundry-in-family -%patch 1 -p1 +%patch -P0 -p1 -b .1-omit-foundry-in-family +%patch -P1 -p1 -b .1-drop-yaml +%patch -P2 -p1 -b .2-epoch-in-req +%patch -P3 -p1 %install install -m 0755 -d %{buildroot}%{_fontbasedir} \ @@ -155,6 +159,10 @@ install -m 0755 -vp bin/* %{buildroot}%{_bindir} %doc %{ftcgtemplatedir}/*txt %changelog +* Fri Mar 21 2025 Jyoti kanase - 2.0.5-14 +- Applying patches for Build fix +- License verified. + * Thu Feb 22 2024 Pawel Winogrodzki - 2.0.5-13 - Updating file paths for 3.0 version of Azure Linux. - Resetting 'Epoch' for 3.0 version of Azure Linux. diff --git a/SPECS-EXTENDED/fonts-rpm-macros/update_for_azl.patch b/SPECS-EXTENDED/fonts-rpm-macros/update_for_azl.patch index dc705533cf..e42e1a2f1c 100644 --- a/SPECS-EXTENDED/fonts-rpm-macros/update_for_azl.patch 
+++ b/SPECS-EXTENDED/fonts-rpm-macros/update_for_azl.patch @@ -14,9 +14,15 @@ index bb7475b..c9bd17c 100644 local oldtag = nil local oldadvance = nil diff --git a/rpm/lua/srpm/fonts.lua b/rpm/lua/srpm/fonts.lua -index 213fe61..2d3bf87 100644 +index 3a40f2c..8896225 100644 --- a/rpm/lua/srpm/fonts.lua +++ b/rpm/lua/srpm/fonts.lua +@@ -1,4 +1,4 @@ +--- Copyright © 2018-2019 Nicolas Mailhot ++-- Copyright © 2018-2019 Nicolas Mailhot + -- + -- This program is free software: you can redistribute it and/or modify + -- it under the terms of the GNU General Public License as published by @@ -92,12 +92,12 @@ end -- The fontenv macro main processing function -- See the documentation in the macros.fonts file for argument description @@ -34,7 +40,7 @@ index 213fe61..2d3bf87 100644 "fontpkgheader", "fonts", "fontsex", "fontconfs", "fontconfsex", "fontconfngs", "fontconfngsex", "fontappstreams", "fontappstreamsex", -@@ -107,39 +107,39 @@ local function env(suffix, verbose, globvalues) +@@ -107,41 +107,41 @@ local function env(suffix, verbose, globvalues) for _, v in ipairs({"foundry", "fontdocs", "fontdocsex", "fontlicense", "fontlicenses", "fontlicensesex"}) do if (rpm.expand("%{" .. v .. "}") ~= "%{" .. v .. "}") then @@ -52,7 +58,9 @@ index 213fe61..2d3bf87 100644 + azl.explicitunset("current" .. g, verbose) end end - local basename = rpm.expand("%{?foundry" .. suffix .. ":%{foundry" .. suffix .. "} }%{fontfamily" .. suffix .. "}") + local foundry = rpm.expand("%{?foundry" .. suffix .. ":%{foundry" .. suffix .. "}}") + local family = string.gsub(rpm.expand("%{fontfamily" .. suffix .. "}"), "^" .. foundry, "") + local basename = foundry .. " " .. family - fedora.safeset("fontpkgname" .. suffix, rpmname(basename), verbose) - fedora.safeset("fonthumanname" .. suffix, basename, verbose) - fedora.safeset("fontdir" .. suffix, "%{_fontbasedir}/%{fontpkgname" .. suffix .. "}", verbose) 
@@ -85,7 +93,7 @@ index 213fe61..2d3bf87 100644 local sub = (not forcemain) and (forcesub or ((suffix ~= nil) and (suffix ~= "") and (suffix ~= "0"))) env(suffix, verbose, {}) name = sub and "%package -n " or "Name: " -@@ -154,15 +154,15 @@ local function singlepkg(forcemain, forcesub, suffix, verbose) +@@ -156,15 +156,15 @@ local function singlepkg(forcemain, forcesub, suffix, verbose) "Requires: fontpackages-filesystem\n" .. "%{?currentfontpkgheader}\n" .. "%description -n %{currentfontpkgname}\n") .. @@ -104,7 +112,7 @@ index 213fe61..2d3bf87 100644 singlepkg(forcemain, forcesub, suffix, verbose) end else -@@ -172,8 +172,8 @@ end +@@ -183,8 +183,8 @@ end -- Create a font (sub)metapackage header local function metapkg(name, summary, description, suffixes) @@ -112,10 +120,22 @@ index 213fe61..2d3bf87 100644 - local fontpkgs = fedora.getsuffixed("fontpkgname") + local azl = require "azl.common" + local fontpkgs = azl.getsuffixed("fontpkgname") + local hsuffix if (name == "") then name, _ = string.gsub(rpm.expand("%{name}"), "-fonts$", "") - name = name .. "-fonts-all" -@@ -184,7 +184,7 @@ local function metapkg(name, summary, description, suffixes) +@@ -194,9 +194,9 @@ local function metapkg(name, summary, description, suffixes) + hsuffix = norm(name) + end + if (rpm.expand("%{?fontpkgheader" .. hsuffix .. "}") ~= "") then +- fedora.explicitset( "currentfontpkgheader", "%{fontpkgheader" .. hsuffix .. "}", false) ++ azl.explicitset( "currentfontpkgheader", "%{fontpkgheader" .. hsuffix .. "}", false) + else +- fedora.explicitunset( "currentfontpkgheader", false) ++ azl.explicitunset( "currentfontpkgheader", false) + end + if (summary == "") then + summary = "All the font packages, generated from %{name}" +@@ -204,7 +204,7 @@ local function metapkg(name, summary, description, suffixes) if (description == "") then description = "This meta-package installs all the font packages, generated from the %{name} source package." end 
@@ -257,3 +277,6 @@ index 77365d6..8132b95 100644 local name = rpm.expand("%{?-n*}") local summary = rpm.expand("%{?-s*}") if (summary ~= "") then +-- +2.45.2 + diff --git a/SPECS-EXTENDED/foomatic-db/foomatic-db.signatures.json b/SPECS-EXTENDED/foomatic-db/foomatic-db.signatures.json index 5f81553446..cde5c93f64 100644 --- a/SPECS-EXTENDED/foomatic-db/foomatic-db.signatures.json +++ b/SPECS-EXTENDED/foomatic-db/foomatic-db.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "foomatic-db-4.0-20201104.tar.gz": "08443996af04aa724e71ef2536b5f7c69d07d37327e07f3f258a1f79acc79e1e" + "foomatic-db-4.0-20250707.tar.gz": "4a974cf375469c5bb4ec29b6f4fe38cfbae4f656c795d24e34002c112841accd" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/foomatic-db/foomatic-db.spec b/SPECS-EXTENDED/foomatic-db/foomatic-db.spec index f69ba69ed2..195c5aabce 100644 --- a/SPECS-EXTENDED/foomatic-db/foomatic-db.spec +++ b/SPECS-EXTENDED/foomatic-db/foomatic-db.spec @@ -1,16 +1,19 @@ %global dbver_rel 4.0 -%global dbver_snap 20201104 +%global dbver_snap 20250707 + Summary: Database of printers and printer drivers Name: foomatic-db -Version: %{dbver_rel} -Release: 71%{?dist} +Version: %{dbver_rel}.%{dbver_snap} +Release: 1%{?dist} License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.openprinting.org -Source0: %{_distro_sources_url}/foomatic-db-%{dbver_rel}-%{dbver_snap}.tar.gz +Source0: https://www.openprinting.org/download/foomatic/foomatic-db-%{dbver_rel}-%{dbver_snap}.tar.gz + Patch1: foomatic-db-device-ids.patch Patch2: foomatic-db-invalid.patch + BuildRequires: cups BuildRequires: make BuildRequires: perl-interpreter @@ -47,7 +50,7 @@ PPDs from printer manufacturers. %prep %setup -q -n foomatic-db-%{dbver_snap} -find -type d | xargs chmod g-s +find -type d | xargs -d '\n' chmod g-s pushd db/source 
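Review bot: In the `%prep` hunk of foomatic-db.spec, `find -type d | xargs -d '\n' chmod g-s` handles spaces in directory names but still splits on newlines. `find -type d -exec chmod g-s {} +` avoids the pipe altogether and matches the `find ... -exec sed -i ... {} +` form already used later in the same `%prep`. Separately, the changelog entry added in a later hunk is dated Oct 28 2024 for a snapshot named 20250707, which looks like a stale date.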
@@ -109,10 +112,10 @@ popd # HP DeskJet 720C (bug #797099) # Kyocera FS-1118MFP (bug #782377) # Brother HL-2040 (bug #999040) -%patch 1 -p1 +%patch -P 1 -p1 # These can't be generated at all (bug #866476) -%patch 2 -p1 +%patch -P 2 -p1 # Use sed instead of perl in the PPDs (bug #512739). find db/source/PPD -type f -name '*.ppd' -exec sed -i 's,perl -p,sed,g' {} + @@ -164,6 +167,10 @@ ln -sf ../../foomatic/db/source/PPD %{buildroot}%{_datadir}/cups/model/foomatic- %{_datadir}/cups/model/foomatic-db-ppds %changelog +* Mon Oct 28 2024 Jyoti kanase - 4.0.20250707-1 +- Update to version 4.0.20250707 +- License verified + * Thu Feb 22 2024 Pawel Winogrodzki - 4.0-71 - Updating naming for 3.0 version of Azure Linux. diff --git a/SPECS-EXTENDED/freeradius/fix-error-for-expansion-of-macro-in-thread.h.patch b/SPECS-EXTENDED/freeradius/fix-error-for-expansion-of-macro-in-thread.h.patch deleted file mode 100644 index 051b66af8f..0000000000 --- a/SPECS-EXTENDED/freeradius/fix-error-for-expansion-of-macro-in-thread.h.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 30ce5ccd62446349d432ff65d3fe8d46872423c8 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 18 Jan 2017 14:59:39 +0800 -Subject: [PATCH] fix error for expansion of macro in thread.h - -The parameter declaration is missing in expansion of macro -which cause the build error: -| In file included from src/freeradius-devel/libradius.h:80:0, -| from src/lib/log.c:26: -| src/lib/log.c: In function '__fr_thread_local_destroy_fr_strerror_buffer': -| src/lib/log.c:37:31: error: 'fr_strerror_buffer' undeclared (first use in this function) -| fr_thread_local_setup(char *, fr_strerror_buffer) /* macro */ -| ^ - -Add the missing declaration in macro. - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao ---- - src/include/threads.h | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/include/threads.h b/src/include/threads.h -index e36d81dac0..2bcb6aadcb 100644 ---- a/src/include/threads.h -+++ b/src/include/threads.h -@@ -89,7 +89,7 @@ static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ - # define fr_thread_local_get(_n) _n - #elif defined(HAVE_PTHREAD_H) - # include --# define fr_thread_local_setup(_t, _n) \ -+# define fr_thread_local_setup(_t, _n) static __thread _t _n;\ - static pthread_key_t __fr_thread_local_key_##_n;\ - static pthread_once_t __fr_thread_local_once_##_n = PTHREAD_ONCE_INIT;\ - static pthread_destructor_t __fr_thread_local_destructor_##_n = NULL;\ -@@ -100,17 +100,17 @@ static void __fr_thread_local_destroy_##_n(UNUSED void *unused)\ - static void __fr_thread_local_key_init_##_n(void)\ - {\ - (void) pthread_key_create(&__fr_thread_local_key_##_n, __fr_thread_local_destroy_##_n);\ -- (void) pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ - }\ - static _t __fr_thread_local_init_##_n(pthread_destructor_t func)\ - {\ - __fr_thread_local_destructor_##_n = func;\ - if (_n) return _n; \ - (void) pthread_once(&__fr_thread_local_once_##_n, __fr_thread_local_key_init_##_n);\ -+ (void) 
pthread_setspecific(__fr_thread_local_key_##_n, &(_n));\ - return _n;\ - } --# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) --# define fr_thread_local_set(_n, _v) __fr_thread_local_set_##_n(_v) --# define fr_thread_local_get(_n) __fr_thread_local_get_##_n() -+# define fr_thread_local_init(_n, _f) __fr_thread_local_init_##_n(_f) -+# define fr_thread_local_set(_n, _v) ((int)!((_n = _v) || 1)) -+# define fr_thread_local_get(_n) _n - #endif - #endif --- -2.25.1 - diff --git a/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch b/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch index 975a205b32..74f3cfd966 100644 --- a/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch +++ b/SPECS-EXTENDED/freeradius/freeradius-Use-system-crypto-policy-by-default.patch @@ -83,4 +83,5 @@ index 137fcbc6cc..a65f8a8711 100644 # # Connection timeout for outgoing TLS connections. -- -2.21.0 \ No newline at end of file +2.21.0 + diff --git a/SPECS-EXTENDED/freeradius/freeradius-configure-c99.patch b/SPECS-EXTENDED/freeradius/freeradius-configure-c99.patch new file mode 100644 index 0000000000..cc9daffe1e --- /dev/null +++ b/SPECS-EXTENDED/freeradius/freeradius-configure-c99.patch 
@@ -0,0 +1,35 @@
+The backtrace_symbols function expects a pointer to an array of void *
+values, not a pointer to an array of a single element. Removing the
+address operator ensures that the right type is used.
+
+This avoids an unconditional failure of this probe with compilers that
+treat incompatible pointer types as a compilation error.
+
+Submitted upstream:
+
+diff --git a/configure b/configure
+index ed01ee2bdd912f63..1e6d2284779cdd58 100755
+--- a/configure
++++ b/configure
+@@ -13390,7 +13390,7 @@ main (void)
+ {
+
+ void *sym[1];
+- backtrace_symbols(&sym, sizeof(sym))
++ backtrace_symbols(sym, sizeof(sym))
+ ;
+ return 0;
+ }
+diff --git a/configure.ac b/configure.ac
+index 76320213b51d7bb4..6a689711d6c90483 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2168,7 +2168,7 @@ if test "x$ac_cv_header_execinfo_h" = "xyes"; then
+ #include
+ ]], [[
+ void *sym[1];
+- backtrace_symbols(&sym, sizeof(sym)) ]])],[
++ backtrace_symbols(sym, sizeof(sym)) ]])],[
+ AC_MSG_RESULT(yes)
+ ac_cv_lib_execinfo_backtrace_symbols="yes"
+ ],[
diff --git a/SPECS-EXTENDED/freeradius/freeradius-ease-openssl-version-check.patch b/SPECS-EXTENDED/freeradius/freeradius-ease-openssl-version-check.patch
new file mode 100644
index 0000000000..23f1df76df
--- /dev/null
+++ b/SPECS-EXTENDED/freeradius/freeradius-ease-openssl-version-check.patch
@@ -0,0 +1,35 @@
+From: Antonio Torres
+Date: Tue, 12 Sep 2023
+Subject: Ease OpenSSL version check requirement
+
+FreeRADIUS includes an OpenSSL version check that compares built vs linked version,
+and fails to start if this check fails. We can ease this requirement in Fedora/RHEL as
+ABI changes are tracked and soname is changed accordingly, as discussed in previous
+Bugzilla for this issue [1].
+
+[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1299388
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2238511
+Signed-off-by: Antonio Torres
+---
+ src/main/version.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/version.c b/src/main/version.c
+index c190337c1d..fee2150eb2 100644
+--- a/src/main/version.c
++++ b/src/main/version.c
+@@ -79,11 +79,11 @@ int ssl_check_consistency(void)
+ */
+ if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
+ mismatch:
+- ERROR("libssl version mismatch. built: %lx linked: %lx",
++ DEBUG2("libssl version mismatch. built: %lx linked: %lx",
+ (unsigned long) ssl_built,
+ (unsigned long) ssl_linked);
+
+- return -1;
++ return 0;
+ }
+
+ /*
diff --git a/SPECS-EXTENDED/freeradius/freeradius-ldap-infinite-timeout-on-starttls.patch b/SPECS-EXTENDED/freeradius/freeradius-ldap-infinite-timeout-on-starttls.patch
new file mode 100644
index 0000000000..40df134a8d
--- /dev/null
+++ b/SPECS-EXTENDED/freeradius/freeradius-ldap-infinite-timeout-on-starttls.patch
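Review bot: In freeradius-ease-openssl-version-check.patch the `mismatch:` branch now logs at `DEBUG2` and returns 0, so a built-versus-linked libssl mismatch is invisible at the default log level. Not blocking startup is the stated goal, but an operator investigating TLS failures still needs to see the mismatch; keep `return 0;` and log it with `WARN("libssl version mismatch. built: %lx linked: %lx",` instead of `DEBUG2(`. Because `mismatch:` is a label, other comparisons in `ssl_check_consistency()` presumably jump to it from outside the hunk; if so, every kind of mismatch is now accepted, not only the `& 0x0000000f` comparison shown here. The spec's `Requires: openssl >= %(rpm -q ...)` then becomes the only remaining guard, which the patch description should say.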
@@ -0,0 +1,31 @@ +From: Antonio Torres +Date: Fri, 28 Jan 2022 +Subject: Use infinite timeout when using LDAP+start-TLS + +This will ensure that the TLS connection to the LDAP server will complete +before starting FreeRADIUS, as it forces libldap to use a blocking socket during +the process. Infinite timeout is the OpenLDAP default. +Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134 + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551 +Signed-off-by: Antonio Torres +--- + src/modules/rlm_ldap/ldap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c +index cf7a84e069..841bf888a1 100644 +--- a/src/modules/rlm_ldap/ldap.c ++++ b/src/modules/rlm_ldap/ldap.c +@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance) + } + + #ifdef LDAP_OPT_NETWORK_TIMEOUT +- if (inst->net_timeout) { ++ bool using_tls = inst->start_tls || ++ inst->port == 636 || ++ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0; ++ if (inst->net_timeout && !using_tls) { + memset(&tv, 0, sizeof(tv)); + tv.tv_sec = inst->net_timeout; + diff --git a/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch b/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch index 0d551385df..b435d82256 100644 --- a/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch +++ b/SPECS-EXTENDED/freeradius/freeradius-no-buildtime-cert-gen.patch @@ -27,10 +27,10 @@ index 0b2cd74de8..8c623cf95c 100644 # # For creating documentation via doc/all.mk diff --git a/configure b/configure -index 77a1436510..74ff9a1fd4 100755 +index 5041ca264f..ed01ee2bdd 100755 --- a/configure +++ b/configure -@@ -652,6 +652,7 @@ AUTOCONF +@@ -679,6 +679,7 @@ AUTOCONF ACLOCAL RUSERS SNMPWALK 
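Review bot: In freeradius-ldap-infinite-timeout-on-starttls.patch, `inst->net_timeout` is skipped without any message whenever `using_tls` is true, so an administrator who configured a network timeout gets a connect that can block indefinitely against an unreachable or stalled LDAP server, with nothing in the log to explain it. Log the override where the option is skipped, for example `if (inst->net_timeout && using_tls) WARN("rlm_ldap: net_timeout is ignored for TLS connections");`, and mention it next to the option in the module configuration. The `strncmp(inst->server, "ldaps://", ...)` call also assumes `inst->server` is non-NULL; it is set outside the hunk, so confirm that or guard the call with `inst->server &&`. `mod_conn_create()` starts and ends outside the hunk.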
@@ -38,16 +38,15 @@ index 77a1436510..74ff9a1fd4 100755 SNMPGET openssl_version_check_config WITH_DHCP -@@ -5961,7 +5962,7 @@ else - openssl_version_check_config= - fi +@@ -6976,6 +6977,7 @@ fi + -- -+ENABLE_REPRODUCIBLE_BUILDS=yes # Check whether --enable-reproducible-builds was given. - if test "${enable_reproducible_builds+set}" = set; then : ++ENABLE_REPRODUCIBLE_BUILDS=yes + if test ${enable_reproducible_builds+y} + then : enableval=$enable_reproducible_builds; case "$enableval" in -@@ -5973,6 +5974,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h +@@ -6987,6 +6989,7 @@ printf "%s\n" "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h ;; *) reproducible_builds=no diff --git a/SPECS-EXTENDED/freeradius/freeradius.signatures.json b/SPECS-EXTENDED/freeradius/freeradius.signatures.json index f14964bb84..bc564b6927 100644 --- a/SPECS-EXTENDED/freeradius/freeradius.signatures.json +++ b/SPECS-EXTENDED/freeradius/freeradius.signatures.json @@ -2,9 +2,9 @@ "Signatures": { "freeradius-logrotate": "d9f040861ee70def0c6fd6bad8b901503e1b48b5283cd319f72b28c6493ba29d", "freeradius-pam-conf": "5e7dc31dd832ee6365c32bbe8042863ef8381cb1f076dfad72caa2e86d7050d7", - "freeradius-server-3.2.3.tar.bz2": "4a16aeffbfa1424e1f317fdf71d17e5523a4fd9564d87c747a60595ef93c5d1f", + "freeradius-server-3.2.5.tar.bz2": "0fe4f57b28b942c5e5955f48a88769817ca287a830b939d7120ffcff3fcdba88", "freeradius-tmpfiles.conf": "125b30adfdee54a4ae3865e7a75ad71b91c1385190a2d3fb876cf20cfc923a08", "freeradius.sysusers": "313b1c8868c014ae368861a92356818f16fabae594ba6483981097b2d815efe2", - "radiusd.service": "300647599fcd3f96d2a8065dd49bfeab086a6353c6f97bd32edc698e3550e312" + "radiusd.service": "bd5b8c9675a9884e5625a02b12262da30ef6bb84379724593b1d7d2610a02a88" } } diff --git a/SPECS-EXTENDED/freeradius/freeradius.spec b/SPECS-EXTENDED/freeradius/freeradius.spec index 7305144680..49d57874e2 100644 --- a/SPECS-EXTENDED/freeradius/freeradius.spec +++ b/SPECS-EXTENDED/freeradius/freeradius.spec 
@@ -3,52 +3,62 @@ %global HAVE_EC_CRYPTO 1 %global debug_package %{nil} -Summary: High-performance and highly configurable free RADIUS server -Name: freeradius -Version: 3.2.3 -Release: 2%{?dist} -License: GPLv2+ AND LGPLv2+ -Vendor: Microsoft Corporation -Distribution: Azure Linux -URL: https://freeradius.org/ +Summary: High-performance and highly configurable free RADIUS server +Name: freeradius +Version: 3.2.5 +Release: 3%{?dist} +Vendor: Microsoft Corporation +Distribution: Azure Linux +License: GPL-2.0-or-later AND LGPL-2.0-or-later +URL: https://www.freeradius.org/ %global dist_base freeradius-server-%{version} + +Source0: https://github.com/FreeRADIUS/freeradius-server/releases/download/release_3_2_5/%{dist_base}.tar.bz2 +Source100: radiusd.service +Source102: freeradius-logrotate +Source103: freeradius-pam-conf +Source104: freeradius-tmpfiles.conf +Source105: freeradius.sysusers + +Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch +Patch2: freeradius-Use-system-crypto-policy-by-default.patch +Patch3: freeradius-bootstrap-create-only.patch +Patch4: freeradius-no-buildtime-cert-gen.patch +Patch5: freeradius-bootstrap-make-permissions.patch +Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch +Patch7: freeradius-ease-openssl-version-check.patch +Patch8: freeradius-configure-c99.patch + %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} -Source0: ftp://ftp.freeradius.org/pub/radius/%{dist_base}.tar.bz2 -Source100: radiusd.service -Source102: freeradius-logrotate -Source103: freeradius-pam-conf -Source104: freeradius-tmpfiles.conf -Source105: freeradius.sysusers -Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch -Patch2: freeradius-Use-system-crypto-policy-by-default.patch -Patch3: freeradius-bootstrap-create-only.patch -Patch4: freeradius-no-buildtime-cert-gen.patch -Patch5: freeradius-bootstrap-make-permissions.patch -Patch6: fix-error-for-expansion-of-macro-in-thread.h.patch 
-BuildRequires: autoconf -BuildRequires: gcc -BuildRequires: gdbm-devel -BuildRequires: libpcap-devel -BuildRequires: libtalloc-devel -BuildRequires: make -BuildRequires: net-snmp-devel -BuildRequires: net-snmp-utils -BuildRequires: openssl -BuildRequires: openssl-devel -BuildRequires: pam-devel -BuildRequires: pcre-devel -BuildRequires: readline-devel -BuildRequires: systemd-units -BuildRequires: zlib-devel + +BuildRequires: autoconf +BuildRequires: make +BuildRequires: gcc +BuildRequires: gdbm-devel +BuildRequires: openssl +BuildRequires: openssl-devel +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +BuildRequires: pam-devel +BuildRequires: zlib-devel +BuildRequires: net-snmp-devel +BuildRequires: net-snmp-utils +BuildRequires: readline-devel +BuildRequires: libpcap-devel +BuildRequires: systemd-units +BuildRequires: libtalloc-devel +BuildRequires: chrpath +BuildRequires: systemd-rpm-macros + # Require OpenSSL version we built with, or newer, to avoid startup failures # due to runtime OpenSSL version checks. Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl) Requires(pre): shadow-utils glibc-common Requires(post): systemd-sysv Requires(post): systemd-units -# Needed for certificate generation -Requires(post): make +# Needed for certificate generation as upstream bootstrap script isn't +# compatible with Makefile equivalent. +Requires: make Requires(preun): systemd-units Requires(postun): systemd-units 
@@ -68,17 +78,16 @@ be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users. %package doc -Summary: FreeRADIUS documentation +Summary: FreeRADIUS documentation %description doc All documentation supplied by the FreeRADIUS project is included in this package. %package utils -Summary: FreeRADIUS utilities -Requires: %{name} = %{version}-%{release} -Requires: libpcap >= 0.9.4 -Requires: perl-Net-IP +Summary: FreeRADIUS utilities +Requires: %{name} = %{version}-%{release} +Requires: libpcap >= 0.9.4 %description utils The FreeRADIUS server has a number of features found in other servers, 
@@ -90,86 +99,85 @@ Support for RFC and VSA Attributes Additional server configuration attributes Selecting a particular configuration Authentication methods %package devel -Summary: FreeRADIUS development files -Requires: %{name} = %{version}-%{release} +Summary: FreeRADIUS development files +Requires: %{name} = %{version}-%{release} %description devel Development headers and libraries for FreeRADIUS. %package ldap -Summary: LDAP support for freeradius -BuildRequires: openldap-devel -Requires: %{name} = %{version}-%{release} +Summary: LDAP support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: openldap-devel %description ldap This plugin provides the LDAP support for the FreeRADIUS server project. %package krb5 -Summary: Kerberos 5 support for freeradius -BuildRequires: krb5-devel -Requires: %{name} = %{version}-%{release} +Summary: Kerberos 5 support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: krb5-devel %description krb5 This plugin provides the Kerberos 5 support for the FreeRADIUS server project. %package perl -Summary: Perl support for freeradius +Summary: Perl support for freeradius +Requires: %{name} = %{version}-%{release} %{?fedora:BuildRequires: perl-devel} -BuildRequires: perl-devel -BuildRequires: perl-generators -BuildRequires: perl(ExtUtils::Embed) -Requires: %{name} = %{version}-%{release} -Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: perl(ExtUtils::Embed) %description perl This plugin provides the Perl support for the FreeRADIUS server project. 
%package -n python3-freeradius -Summary: Python 3 support for freeradius +Summary: Python 3 support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel %{?python_provide:%python_provide python3-freeradius} -BuildRequires: python3-devel -Requires: %{name} = %{version}-%{release} %description -n python3-freeradius This plugin provides the Python 3 support for the FreeRADIUS server project. %package mysql -Summary: MySQL support for freeradius -BuildRequires: mariadb-connector-c-devel -Requires: %{name} = %{version}-%{release} +Summary: MySQL support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: mariadb-connector-c-devel %description mysql This plugin provides the MySQL support for the FreeRADIUS server project. %package postgresql -Summary: Postgresql support for freeradius -BuildRequires: postgresql-devel -Requires: %{name} = %{version}-%{release} +Summary: Postgresql support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: libpq-devel %description postgresql This plugin provides the postgresql support for the FreeRADIUS server project. %package sqlite -Summary: SQLite support for freeradius -BuildRequires: sqlite-devel -Requires: %{name} = %{version}-%{release} +Summary: SQLite support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: sqlite-devel %description sqlite This plugin provides the SQLite support for the FreeRADIUS server project. %package unixODBC -Summary: Unix ODBC support for freeradius -BuildRequires: unixODBC-devel -Requires: %{name} = %{version}-%{release} +Summary: Unix ODBC support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: unixODBC-devel %description unixODBC This plugin provides the unixODBC support for the FreeRADIUS server project. 
%package rest -Summary: REST support for freeradius -BuildRequires: json-c-devel -BuildRequires: libcurl-devel -Requires: %{name} = %{version}-%{release} +Summary: REST support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: libcurl-devel +BuildRequires: json-c-devel %description rest This plugin provides the REST support for the FreeRADIUS server project. @@ -181,19 +189,10 @@ This plugin provides the REST support for the FreeRADIUS server project. # Force compile/link options, extra security for network facing daemon %global _hardened_build 1 -# Hack: rlm_python3 as stable; prevents building other unstable modules. -sed 's/rlm_python/rlm_python3/g' src/modules/stable -i - -# python3-config is broken: -# https://bugzilla.redhat.com/show_bug.cgi?id=1772988 -export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')" +%global build_ldflags %{build_ldflags} $(python3-config --embed --libs) +export PY3_LIB_DIR="$(python3-config --configdir)" export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')" -# In order for the above hack to stick, do a fake configure so -# we can run reconfig before cleaning up after ourselves and running -# configure for real. -./configure && make reconfig && (make clean distclean || true) - %configure \ --libdir=%{_libdir}/freeradius \ --enable-reproducible-builds \ @@ -212,6 +211,7 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v --with-rlm_python3 \ --with-rlm-python3-lib-dir=$PY3_LIB_DIR \ --with-rlm-python3-include-dir=$PY3_INC_DIR \ + --without-rlm_python \ --without-rlm_eap_ikev2 \ --without-rlm_eap_tnc \ --without-rlm_sql_iodbc \ 
@@ -223,7 +223,8 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v --without-rlm_rediswho \ --without-rlm_cache_memcached -make +# Build fast, but get better errors if we fail +make %{?_smp_mflags} || make -j1 %install mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/radiusd @@ -248,6 +249,15 @@ install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ +# remove rpath where needed +chrpath --delete $RPM_BUILD_ROOT%{_libdir}/freeradius/*.so +for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done +for f in $RPM_BUILD_ROOT/usr/bin/*; do chrpath --delete $f || true; done + +# update ld with freeradius libs +mkdir -p %{buildroot}/%{_sysconfdir}/ld.so.conf.d +echo "%{_libdir}/freeradius" > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf + # remove unneeded stuff rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl @@ -293,12 +303,13 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries. rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf # install doc files omitted by standard install -for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do +for f in CREDITS INSTALL.rst README.rst VERSION; do cp $f $RPM_BUILD_ROOT/%{docdir} done -cp LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.gpl -cp src/lib/LICENSE $RPM_BUILD_ROOT/%{docdir}/LICENSE.lgpl -cp src/LICENSE.openssl $RPM_BUILD_ROOT/%{docdir}/LICENSE.openssl +# license files +cp LICENSE LICENSE.gpl +cp src/lib/LICENSE LICENSE.lgpl +cp src/LICENSE.openssl LICENSE.openssl # add Red Hat specific documentation cat >> $RPM_BUILD_ROOT/%{docdir}/REDHAT << EOF 
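Review bot: The rpath-stripping loops added to `%install` (`for f in $RPM_BUILD_ROOT/usr/sbin/*; do chrpath --delete $f || true; done`, and the same for `/usr/bin`) discard every chrpath failure, so a binary that keeps an RPATH pointing into the build tree would be packaged unnoticed. The `|| true` is presumably there for non-ELF scripts, but it hides real failures as well, while the `*.so` line above it has no such guard. Quote the variable and use the path macros, `for f in "$RPM_BUILD_ROOT"%{_sbindir}/*; do chrpath --delete "$f" || true; done`, and add a short comment saying which files are expected to fail. A follow-up pass with `chrpath --list` over the same files that fails the build when an RPATH is still reported would make the removal verifiable.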
@@ -317,7 +328,7 @@ EOF # Make sure our user/group is present prior to any package or subpackage installation %pre -%sysusers_create_package %{name} %{SOURCE105} +%sysusers_create_compat %{SOURCE105} %preun %systemd_preun radiusd.service @@ -327,17 +338,20 @@ EOF /bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || : -%files +%files +# license +%license COPYRIGHT +%license LICENSE.gpl +%license LICENSE.lgpl +%license LICENSE.openssl # doc -%license %{docdir}/LICENSE.gpl -%license %{docdir}/LICENSE.lgpl -%license %{docdir}/LICENSE.openssl %doc %{docdir}/REDHAT # system %config(noreplace) %{_sysconfdir}/pam.d/radiusd %config(noreplace) %{_sysconfdir}/logrotate.d/radiusd +%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %{_unitdir}/radiusd.service %{_tmpfilesdir}/radiusd.conf %{_sysusersdir}/freeradius.conf @@ -374,6 +388,7 @@ EOF %config(noreplace) /etc/raddb/certs/Makefile %config(noreplace) /etc/raddb/certs/passwords.mk /etc/raddb/certs/README.md +/etc/raddb/certs/realms/README.md %config(noreplace) /etc/raddb/certs/xpextensions %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf %attr(750,root,radiusd) /etc/raddb/certs/bootstrap @@ -500,6 +515,7 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dpsk # mods-enabled # symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx 
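Review bot: `%pre` now calls `%sysusers_create_compat %{SOURCE105}`, but the 3.2.3-2 changelog entry this commit removes says that macro was unavailable in this distribution and had been replaced by `%sysusers_create_package`. If the macro is still undefined at build time, rpm presumably leaves the line unexpanded in the scriptlet, and the `radiusd` user and group would not exist when the `%attr(640,root,radiusd)` configuration files are installed. Confirm that the newly added `BuildRequires: systemd-rpm-macros` defines it here, or keep `%sysusers_create_package %{name} %{SOURCE105}`.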
@@ -625,35 +641,37 @@ EOF %{_libdir}/freeradius/rlm_utf8.so %{_libdir}/freeradius/rlm_wimax.so %{_libdir}/freeradius/rlm_yubikey.so +%{_libdir}/freeradius/rlm_dpsk.so +%{_libdir}/freeradius/rlm_eap_teap.so # main man pages -%{_mandir}/man5/clients.conf.5.gz -%{_mandir}/man5/dictionary.5.gz -%{_mandir}/man5/radiusd.conf.5.gz -%{_mandir}/man5/radrelay.conf.5.gz -%{_mandir}/man5/rlm_always.5.gz -%{_mandir}/man5/rlm_attr_filter.5.gz -%{_mandir}/man5/rlm_chap.5.gz -%{_mandir}/man5/rlm_counter.5.gz -%{_mandir}/man5/rlm_detail.5.gz -%{_mandir}/man5/rlm_digest.5.gz -%{_mandir}/man5/rlm_expr.5.gz -%{_mandir}/man5/rlm_files.5.gz -%{_mandir}/man5/rlm_idn.5.gz -%{_mandir}/man5/rlm_mschap.5.gz -%{_mandir}/man5/rlm_pap.5.gz -%{_mandir}/man5/rlm_passwd.5.gz -%{_mandir}/man5/rlm_realm.5.gz -%{_mandir}/man5/rlm_sql.5.gz -%{_mandir}/man5/rlm_unbound.5.gz -%{_mandir}/man5/rlm_unix.5.gz -%{_mandir}/man5/unlang.5.gz -%{_mandir}/man5/users.5.gz -%{_mandir}/man8/raddebug.8.gz -%{_mandir}/man8/radiusd.8.gz -%{_mandir}/man8/radmin.8.gz -%{_mandir}/man8/radrelay.8.gz -%{_mandir}/man8/rlm_sqlippool_tool.8.gz +%doc %{_mandir}/man5/clients.conf.5.gz +%doc %{_mandir}/man5/dictionary.5.gz +%doc %{_mandir}/man5/radiusd.conf.5.gz +%doc %{_mandir}/man5/radrelay.conf.5.gz +%doc %{_mandir}/man5/rlm_always.5.gz +%doc %{_mandir}/man5/rlm_attr_filter.5.gz +%doc %{_mandir}/man5/rlm_chap.5.gz +%doc %{_mandir}/man5/rlm_counter.5.gz +%doc %{_mandir}/man5/rlm_detail.5.gz +%doc %{_mandir}/man5/rlm_digest.5.gz +%doc %{_mandir}/man5/rlm_expr.5.gz +%doc %{_mandir}/man5/rlm_files.5.gz +%doc %{_mandir}/man5/rlm_idn.5.gz +%doc %{_mandir}/man5/rlm_mschap.5.gz +%doc %{_mandir}/man5/rlm_pap.5.gz +%doc %{_mandir}/man5/rlm_passwd.5.gz +%doc %{_mandir}/man5/rlm_realm.5.gz +%doc %{_mandir}/man5/rlm_sql.5.gz +%doc %{_mandir}/man5/rlm_unbound.5.gz +%doc %{_mandir}/man5/rlm_unix.5.gz +%doc %{_mandir}/man5/unlang.5.gz +%doc %{_mandir}/man5/users.5.gz +%doc %{_mandir}/man8/raddebug.8.gz +%doc %{_mandir}/man8/radiusd.8.gz +%doc 
%{_mandir}/man8/radmin.8.gz +%doc %{_mandir}/man8/radrelay.8.gz +%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz # MIB files %{_datadir}/snmp/mibs/*RADIUS*.mib @@ -662,8 +680,13 @@ EOF %doc %{docdir}/ + %files utils /usr/bin/* +# These files require additional dependencies, two perl modules, Base32 and Net module +# which are currently unavailable. Skip them for now. +%exclude /usr/bin/radsecret +%exclude /usr/bin/rlm_sqlippool_tool # utils man pages %doc %{_mandir}/man1/radclient.1.gz 
@@ -846,36 +869,186 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog -* Wed Oct 18 2023 Archana Choudhary - 3.2.3-2 -- Correct unavailable sysusers_create_compat macro to available sysusers_create_package macro -- Add runtime requirement for utils subpackage -- Update build requirement for postgresql subpackage -- Disable generation of debuginfo package as its files conflict with filsystem package - -* Tue Sep 05 2023 Archana Choudhary - 3.2.3-1 -- Upgrade to 3.2.3 -- Address CVE-2022-41860, CVE-2022-41861 -- Update Patch2 & Patch4 -- Add Patch6 to address build error -- Add Source105 for user management during installation -- License verified - -* Fri Apr 30 2021 Pawel Winogrodzki - 3.0.21-9 -- Making binaries paths compatible with CBL-Mariner's paths. - -* Fri Feb 05 2021 Henry Li - 3.0.21-8 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). -- Remove %%{EPOCH} -- Remove python2-freeradius - -* Wed May 13 2020 Alexander Scheel - 3.0.21-7 +* Fri Jan 31 2025 Jyoti kanase - 3.2.5-3 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified. 
+ +* Wed Jul 17 2024 Fedora Release Engineering - 3.2.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Tue Jul 09 2024 Antonio Torres - 3.2.5-1 +- Update to upstream release 3.2.5 + +* Wed Jun 12 2024 Jitka Plesnikova - 3.2.4-3 +- Perl 5.40 rebuild + +* Fri Jun 07 2024 Python Maint - 3.2.4-2 +- Rebuilt for Python 3.13 + +* Fri May 31 2024 Antonio Torres - 3.2.4-1 +- Update to upstream release 3.2.4 + +* Wed Jan 24 2024 Fedora Release Engineering - 3.2.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 3.2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Dec 19 2023 Florian Weimer - 3.2.3-2 +- Fix C compatibility issue in configure script + +* Tue Oct 24 2023 Antonio Torres - 3.2.3-1 +- Update to upstream release 3.2.3 + +* Tue Sep 12 2023 Antonio Torres - 3.2.2-5 +- Ease OpenSSL version check requirement + Resolves #2238511 + +* Wed Jul 19 2023 Fedora Release Engineering - 3.2.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jul 11 2023 Jitka Plesnikova - 3.2.2-3 +- Perl 5.38 rebuild + +* Tue Jun 13 2023 Python Maint - 3.2.2-2 +- Rebuilt for Python 3.12 + +* Tue Mar 21 2023 Antonio Torres - 3.2.2-1 +- Update to upstream release 3.2.2 + +* Wed Mar 15 2023 Antonio Torres - 3.2.1-4 +- Migrate to SPDX license + +* Thu Jan 19 2023 Fedora Release Engineering - 3.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Oct 17 2022 Antonio Torres - 3.2.1-2 +- Remove hack for Python3 support from specfile + +* Mon Oct 17 2022 Antonio Torres - 3.2.1-1 +- Update to 3.2.1 upstream release + Resolves #2131850 + +* Tue Sep 20 2022 Antonio Torres - 3.2.0-4 +- Remove deprecated pcre-devel dependency + Resolves #2128292 + +* Mon Sep 5 2022 Antonio Torres - 3.2.0-3 +- configure: allow building with runstatedir option + Resolves: #2123374 + +* Thu Jul 21 2022 Fedora Release Engineering - 
3.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jul 19 2022 Antonio Torres - 3.2.0-1 +- Rebase to 3.2.0 upstream release + Related: #2077687 + +* Wed Jun 29 2022 Antonio Torres - 3.0.25-8 +- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107) + Related: #2095741 + +* Fri Jun 24 2022 Antonio Torres - 3.0.25-7 +- Dynamically allocate users using sysusers.d format + Related: #2095741 + +* Mon Jun 13 2022 Python Maint - 3.0.25-6 +- Rebuilt for Python 3.11 + +* Tue May 31 2022 Jitka Plesnikova - 3.0.25-5 +- Perl 5.36 rebuild + +* Fri Apr 22 2022 Antonio Torres - 3.0.25-4 +- Use infinite timeout when using LDAP+start-TLS + Related: #1983063 + +* Thu Jan 20 2022 Fedora Release Engineering - 3.0.25-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Oct 14 2021 Antonio Torres - 3.0.25-2 +- Fix file conflict in SQL files + Resolves: bz#2014014 + +* Fri Oct 08 2021 Antonio Torres - 3.0.25-1 +- Update to 3.0.25. + Resolves: bz#2011984 + +* Thu Sep 30 2021 Antonio Torres - 3.0.24-1 +- Update to 3.0.24. 
+ Resolves: bz#2009036 + +* Tue Sep 14 2021 Sahana Prasad - 3.0.23-7 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 3.0.23-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jul 15 2021 Antonio Torres - 3.0.23-5 +- Fix coredump not being able to be enabled + +* Sat Jul 10 2021 Björn Esser - 3.0.23-4 +- Rebuild for versioned symbols in json-c + +* Tue Jun 29 2021 Antonio Torres - 3.0.23-2 +- Fix rpath not being removed correctly + +* Tue Jun 29 2021 Antonio Torres - 3.0.23-2 +- Remove RPATH usage from additional binaries + +* Tue Jun 29 2021 Antonio Torres - 3.0.23-1 +- Rebase to 3.0.23 + Fixes: bz#1970528 + +* Tue Jun 29 2021 Antonio Torres - 3.0.22-5 +- Fix binaries not being correctly linked after RPATH removal + +* Fri Jun 25 2021 Antonio Torres - 3.0.22-4 +- Fix python3 not being correctly linked + +* Mon Jun 07 2021 Python Maint - 3.0.22-2 +- Rebuilt for Python 3.10 + +* Fri Jun 4 2021 Antonio Torres - 3.0.22-1 +- Rebased to 3.0.22 + Resolves: bz#1961190 + +* Fri May 21 2021 Jitka Plesnikova - 3.0.21-12 +- Perl 5.34 rebuild + +* Wed Mar 10 2021 Robbie Harwood - 3.0.21-11 +- Disable automatic bootstrap + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.0.21-10 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+ +* Mon Feb 08 2021 Pavel Raiskup - 3.0.21-9 +- rebuild for libpq ABI fix rhbz#1908268 + +* Tue Jan 26 2021 Fedora Release Engineering - 3.0.21-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Aug 04 2020 Alexander Scheel - 3.0.21-7 - Fix certificate permissions after make-based generation Resolves: bz#1835249 -* Wed May 13 2020 Alexander Scheel - 3.0.21-2 +* Tue Aug 04 2020 Alexander Scheel - 3.0.21-6 +- Fix certificate permissions after make-based generation + Resolves: bz#1835249 + +* Mon Jul 27 2020 Fedora Release Engineering - 3.0.21-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 23 2020 Jitka Plesnikova - 3.0.21-4 +- Perl 5.32 rebuild + +* Wed May 13 2020 Alexander Scheel - 3.0.21-3 - Fix certificate generation Resolves: bz#1835249 +* Tue Apr 21 2020 Björn Esser - 3.0.21-2 +- Rebuild (json-c) + * Wed Apr 01 2020 Alexander Scheel - 3.0.21-1 - Rebased to 3.0.21 Resolves: bz#1816745 @@ -1339,6 +1512,7 @@ EOF config test on restart. * Added cache config item to rlm_krb5. When set to "no" ticket caching is disabled which may increase performance. + Bug fixes * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12, and 802.1X should upgrade immediately. @@ -1458,6 +1632,7 @@ EOF radclient continues to be more flexible. * Updated Oracle schema and queries * Added SecurID module. See src/modules/rlm_securid/README + Bug fixes * Fix memory leak in rlm_detail * Fix "failed to insert event" @@ -1531,6 +1706,7 @@ EOF "foo", "authorize" method. * Produce errors in more situations when the configuration files have invalid syntax. + Bug fixes * Ignore pre/post-proxy sections if proxying is disabled * Add configure checks for pcap_fopen*. @@ -1676,6 +1852,7 @@ EOF in sql{} section. * Added %%{tolower: ...string ... }, which returns the lowercase version of the string. Also added %%{toupper: ... } for uppercase. + Bug fixes * Fix endless loop when there are multiple sub-options for DHCP option 82. 
@@ -1792,6 +1969,7 @@ EOF * Added documentation for CoA. See raddb/sites-available/coa * Add sub-option support for Option 82. See dictionary.dhcp * Add "server" field to default SQL NAS table, and documented it. + Bug fixes * Reset "received ping" counter for Status-Server checks. In some corner cases it was not getting reset. @@ -1877,6 +2055,7 @@ EOF * Allow accounting packets to be written to a detail file, even if they were read from a different detail file. * Added OpenSSL license exception (src/LICENSE.openssl) + Bug fixes * DHCP sockets can now set the broadcast flag before binding to a socket. You need to set "broadcast = yes" in the DHCP listener. @@ -2128,6 +2307,7 @@ EOF * Remove macro that was causing build issues on some platforms. * Fixed issues with dead home servers. Bug noted by Chris Moules. * Fixed "access after free" with some dynamic clients. + - fix packaging bug, some directories missing execute permission /etc/raddb/dictionary now readable by all. diff --git a/SPECS-EXTENDED/freeradius/radiusd.service b/SPECS-EXTENDED/freeradius/radiusd.service index d073530819..f5452803d6 100644 --- a/SPECS-EXTENDED/freeradius/radiusd.service +++ b/SPECS-EXTENDED/freeradius/radiusd.service @@ -6,7 +6,6 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv Type=forking PIDFile=/var/run/radiusd/radiusd.pid ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd -ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap ExecStartPre=/usr/sbin/radiusd -C ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecReload=/usr/sbin/radiusd -C diff --git a/SPECS-EXTENDED/gcr/fix-meson-packages-build-keyword.patch b/SPECS-EXTENDED/gcr/fix-meson-packages-build-keyword.patch new file mode 100644 index 0000000000..9355f5ab00 --- /dev/null +++ b/SPECS-EXTENDED/gcr/fix-meson-packages-build-keyword.patch 
@@ -0,0 +1,36 @@ +diff --git a/gck/meson.build b/gck/meson.build +index 756b486..a21a1e9 100644 +--- a/gck/meson.build ++++ b/gck/meson.build +@@ -131,7 +131,6 @@ if get_option('introspection') + sources: gck_gir_sources, + namespace: 'Gck', + nsversion: '@0@'.format(gck_major_version), +- packages: gck_deps, + export_packages: 'gck-@0@'.format(gck_major_version), + includes: [ 'GObject-2.0', 'Gio-2.0' ], + header: 'gck/gck.h', +diff --git a/gcr/meson.build b/gcr/meson.build +index 06c3a63..f998336 100644 +--- a/gcr/meson.build ++++ b/gcr/meson.build +@@ -189,7 +189,6 @@ if get_option('introspection') + sources: [ gcr_base_public_sources, gcr_base_headers ], + namespace: 'Gcr', + nsversion: '@0@'.format(gcr_major_version), +- packages: gcr_base_deps, + export_packages: 'gcr-base-@0@'.format(gcr_major_version), + includes: [ + 'GObject-2.0', +diff --git a/ui/meson.build b/ui/meson.build +index 477412d..d93c0ef 100644 +--- a/ui/meson.build ++++ b/ui/meson.build +@@ -153,7 +153,6 @@ if get_option('introspection') + export_packages: 'gcr-ui-@0@'.format(gcr_major_version), + identifier_prefix: 'Gcr', + symbol_prefix: 'gcr', +- packages: gcr_ui_deps, + includes: [ + 'GObject-2.0', + 'Gio-2.0', diff --git a/SPECS-EXTENDED/gcr/gcr.spec b/SPECS-EXTENDED/gcr/gcr.spec index 9c5e1a6117..43e922f49b 100644 --- a/SPECS-EXTENDED/gcr/gcr.spec +++ b/SPECS-EXTENDED/gcr/gcr.spec @@ -8,12 +8,13 @@ Distribution: Azure Linux Name: gcr Version: 3.38.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library for bits of crypto UI and parsing License: GPLv2 URL: https://wiki.gnome.org/Projects/CryptoGlue Source0: https://download.gnome.org/sources/%{name}/%{majmin}/%{name}-%{version}.tar.xz +Patch0: fix-meson-packages-build-keyword.patch BuildRequires: gettext BuildRequires: gtk-doc 
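Review bot: fix-meson-packages-build-keyword.patch is added without any header, so nothing records where the change comes from or why the `packages:` keyword is dropped from the three `meson.build` files. For a carried patch in a crypto-related library, that provenance matters for later audits and rebases. Please add a short preamble above the first `diff --git` line, for example `Subject: Remove 'packages' keyword from introspection targets` and `Origin: <UPSTREAM_COMMIT_OR_MR_URL>`, with the placeholder replaced by the real reference.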
@@ -115,6 +116,9 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/gcr-viewer.desktop %{_libdir}/libgcr-base-3.so.* %changelog +* Tue Jun 03 2025 Andy Zaugg - 3.38.1-2 +- Fix meson syntax to allow gcr to compile + * Mon Dec 30 2024 Pawel Winogrodzki - 3.38.1-1 - Bump to 3.38.1 to fix missing OID header bug (GCR issue #48). diff --git a/SPECS-EXTENDED/ibus/ibus-1385349-segv-bus-proxy.patch b/SPECS-EXTENDED/ibus/ibus-1385349-segv-bus-proxy.patch index 0b8fc9a874..eaf76cbc7b 100644 --- a/SPECS-EXTENDED/ibus/ibus-1385349-segv-bus-proxy.patch +++ b/SPECS-EXTENDED/ibus/ibus-1385349-segv-bus-proxy.patch @@ -1,6 +1,6 @@ -From 023d50db40912e4f7ee333543e05995a9c730bae Mon Sep 17 00:00:00 2001 +From 1286ce92a5ccf68b5dcf1b4a7c0884ce29d5c51b Mon Sep 17 00:00:00 2001 From: fujiwarat -Date: Fri, 15 May 2020 21:44:16 +0900 +Date: Fri, 12 Jul 2024 23:30:25 +0900 Subject: [PATCH] Fix SEGV in bus_panel_proxy_focus_in() rhbz#1350291 SEGV in BUS_IS_CONNECTION(skip_connection) in @@ -11,9 +11,12 @@ rhbz#1767976 SEGV in assert(connection != NULL) in bus_dbus_impl_connection_filter_cb() call bus_connection_set_filter() in bus_dbus_impl_destroy(). +rhbz#2213445 SEGV in bus_panel_proxy_new() +WIP: Add a GError. + rhbz#1601577 rhbz#1797726 SEGV in ibus_engine_desc_get_layout() in bus_engine_proxy_new_internal() -WIP: Added a GError to get the error message to check why the SEGV happened. +WIP: Add a GError to get the error message to check why the SEGV happened. rhbz#1663528 SEGV in g_mutex_clear() in bus_dbus_impl_destroy() If the mutex is not unlocked, g_mutex_clear() causes assert. 
@@ -21,7 +24,11 @@ If the mutex is not unlocked, g_mutex_clear() causes assert. rhbz#1767691 SEGV in client/x11/main.c:_sighandler(). Do not call atexit functions in _sighandler(). -rhbz#1795499 SEGV in ibus_bus_get_bus_address() because of no _bus->priv. +rhbz#2195895 SEGV in client/x11/main.c:_xim_set_cursor_location() +check if IBusInputContext was disconnected. + +rhbz#1795499 rhbz#1936777 SEGV in ibus_bus_get_bus_address() because of +no _bus->priv. _changed_cb() should not be called after ibus_bus_destroy() is called. rhbz#1771238 SEGV in assert(m_loop == null) in switcher.vala. @@ -31,6 +38,13 @@ events and m_loop was not released. rhbz#1797120 SEGV in assert(bus.is_connected()) in panel_binding_construct() Check m_ibus in extension.vala:bus_name_acquired_cb() +rhbz#2151344 SEGV with portal_context->owner in name_owner_changed() +Maybe g_object_unref() is called but not finalized yet. + +rhbz#2239633 SEGV with g_object_unref() in +ibus_portal_context_handle_destroy() +Connect "handle-destroy" signal after g_list_prepend(). + BUG=rhbz#1350291 BUG=rhbz#1601577 BUG=rhbz#1663528 @@ -39,20 +53,25 @@ BUG=rhbz#1795499 BUG=rhbz#1771238 BUG=rhbz#1767976 BUG=rhbz#1797120 +BUG=rhbz#2151344 +BUG=rhbz#2195895 +BUG=rhbz#2239633 --- bus/dbusimpl.c | 47 ++++++++++++++++++++++++--- - bus/engineproxy.c | 51 ++++++++++++++++++++++------- - client/x11/main.c | 8 ++++- - src/ibusbus.c | 5 +++ + bus/engineproxy.c | 44 +++++++++++++++++++------ + bus/panelproxy.c | 9 +++++- + client/x11/main.c | 56 ++++++++++++++++++++++++++++---- + portal/portal.c | 25 ++++++++++++--- + src/ibusbus.c | 6 ++++ ui/gtk3/extension.vala | 4 +++ ui/gtk3/switcher.vala | 73 +++++++++++++++++++++++++----------------- - 6 files changed, 141 insertions(+), 47 deletions(-) + 8 files changed, 208 insertions(+), 56 deletions(-) diff --git a/bus/dbusimpl.c b/bus/dbusimpl.c -index 59787a80..af2fbde2 100644 +index 110d864a..391d576a 100644 --- a/bus/dbusimpl.c 
+++ b/bus/dbusimpl.c -@@ -610,6 +610,7 @@ static void +@@ -621,6 +621,7 @@ static void bus_dbus_impl_destroy (BusDBusImpl *dbus) { GList *p; @@ -60,7 +79,7 @@ index 59787a80..af2fbde2 100644 for (p = dbus->objects; p != NULL; p = p->next) { IBusService *object = (IBusService *) p->data; -@@ -633,6 +634,10 @@ bus_dbus_impl_destroy (BusDBusImpl *dbus) +@@ -644,6 +645,10 @@ bus_dbus_impl_destroy (BusDBusImpl *dbus) for (p = dbus->connections; p != NULL; p = p->next) { BusConnection *connection = BUS_CONNECTION (p->data); @@ -71,7 +90,7 @@ index 59787a80..af2fbde2 100644 g_signal_handlers_disconnect_by_func (connection, bus_dbus_impl_connection_destroy_cb, dbus); ibus_object_destroy (IBUS_OBJECT (connection)); -@@ -647,12 +652,39 @@ bus_dbus_impl_destroy (BusDBusImpl *dbus) +@@ -658,12 +663,39 @@ bus_dbus_impl_destroy (BusDBusImpl *dbus) dbus->unique_names = NULL; dbus->names = NULL; @@ -112,8 +131,8 @@ index 59787a80..af2fbde2 100644 +#undef BUS_DBUS_MUTEX_SAFE_CLEAR /* FIXME destruct _lock and _queue members. */ - IBUS_OBJECT_CLASS(bus_dbus_impl_parent_class)->destroy ((IBusObject *) dbus); -@@ -1483,13 +1515,20 @@ bus_dbus_impl_connection_filter_cb (GDBusConnection *dbus_connection, + IBUS_OBJECT_CLASS(bus_dbus_impl_parent_class)->destroy ((IBusObject *)dbus); +@@ -1539,13 +1571,20 @@ bus_dbus_impl_connection_filter_cb (GDBusConnection *dbus_connection, gboolean incoming, gpointer user_data) { @@ -137,10 +156,10 @@ index 59787a80..af2fbde2 100644 if (incoming) { /* is incoming message */ diff --git a/bus/engineproxy.c b/bus/engineproxy.c -index 2d98995c..bbbe5532 100644 +index b3e16066..ba479b59 100644 --- a/bus/engineproxy.c +++ b/bus/engineproxy.c -@@ -660,20 +660,33 @@ bus_engine_proxy_g_signal (GDBusProxy *proxy, +@@ -693,10 +693,12 @@ bus_engine_proxy_g_signal (GDBusProxy *proxy, g_return_if_reached (); } 
@@ -152,16 +171,14 @@ index 2d98995c..bbbe5532 100644 + GDBusConnection *connection, + GError **error) { -+ GDBusProxyFlags flags; -+ BusEngineProxy *engine; -+ + GDBusProxyFlags flags; + BusEngineProxy *engine; +@@ -706,12 +708,20 @@ bus_engine_proxy_new_internal (const gchar *path, g_assert (path); g_assert (IBUS_IS_ENGINE_DESC (desc)); g_assert (G_IS_DBUS_CONNECTION (connection)); + g_assert (error && *error == NULL); -- GDBusProxyFlags flags = G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START; -- BusEngineProxy *engine = + /* rhbz#1601577 engine == NULL if connection is closed. */ + if (g_dbus_connection_is_closed (connection)) { + *error = g_error_new (G_DBUS_ERROR, @@ -169,19 +186,19 @@ index 2d98995c..bbbe5532 100644 + "Connection is closed."); + return NULL; + } -+ flags = G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START; -+ engine = - (BusEngineProxy *) g_initable_new (BUS_TYPE_ENGINE_PROXY, - NULL, -- NULL, -+ error, - "desc", desc, - "g-connection", connection, - "g-interface-name", IBUS_INTERFACE_ENGINE, -@@ -681,12 +694,19 @@ bus_engine_proxy_new_internal (const gchar *path, - "g-default-timeout", g_gdbus_timeout, - "g-flags", flags, - NULL); + flags = G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START; + engine = (BusEngineProxy *) g_initable_new ( + BUS_TYPE_ENGINE_PROXY, + NULL, +- NULL, ++ error, + "desc", desc, + "g-connection", connection, + "g-interface-name", IBUS_INTERFACE_ENGINE, +@@ -719,6 +729,12 @@ bus_engine_proxy_new_internal (const gchar *path, + "g-default-timeout", g_gdbus_timeout, + "g-flags", flags, + NULL); + /* FIXME: rhbz#1601577 */ + if (!engine) { + /* show abrt local variable */ 
@@ -191,14 +208,15 @@ index 2d98995c..bbbe5532 100644 const gchar *layout = ibus_engine_desc_get_layout (desc); if (layout != NULL && layout[0] != '\0') { engine->keymap = ibus_keymap_get (layout); - } +@@ -756,6 +772,7 @@ bus_engine_proxy_new_internal (const gchar *path, + return engine; } +#pragma GCC reset_options typedef struct { GTask *task; -@@ -748,23 +768,30 @@ create_engine_ready_cb (BusFactoryProxy *factory, +@@ -818,23 +835,30 @@ create_engine_ready_cb (BusFactoryProxy *factory, GAsyncResult *res, EngineProxyNewData *data) { @@ -237,11 +255,45 @@ index 2d98995c..bbbe5532 100644 /* FIXME: set destroy callback ? */ g_task_return_pointer (data->task, engine, NULL); +diff --git a/bus/panelproxy.c b/bus/panelproxy.c +index e6001ebf..00828fbc 100644 +--- a/bus/panelproxy.c ++++ b/bus/panelproxy.c +@@ -122,6 +122,8 @@ bus_panel_proxy_new (BusConnection *connection, + const gchar *path = NULL; + GObject *obj; + BusPanelProxy *panel; ++ GError *error = NULL; ++ const gchar *message; + + g_assert (BUS_IS_CONNECTION (connection)); + +@@ -138,7 +140,7 @@ bus_panel_proxy_new (BusConnection *connection, + + obj = g_initable_new (BUS_TYPE_PANEL_PROXY, + NULL, +- NULL, ++ &error, + "g-object-path", path, + "g-interface-name", IBUS_INTERFACE_PANEL, + "g-connection", bus_connection_get_dbus_connection (connection), +@@ -146,6 +148,11 @@ bus_panel_proxy_new (BusConnection *connection, + "g-flags", G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START | G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES, + NULL); + ++ if (error) { ++ /* TODO: rhbz#2213445 Why does this issue happen? */ ++ message = error->message; ++ g_critical ("Failed to generate BusPanelProxy: %s", message); ++ } + panel = BUS_PANEL_PROXY (obj); + panel->panel_type = panel_type; + return panel; diff --git a/client/x11/main.c b/client/x11/main.c -index c9ee174d..768b91f0 100644 +index b7eb5961..3075d5d0 100644 --- a/client/x11/main.c +++ b/client/x11/main.c -@@ -40,6 +40,7 @@ +@@ -45,6 +45,7 @@ #include #include #include 
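Review bot: In the added bus/panelproxy.c section, `bus_panel_proxy_new()` still dereferences the result after `g_initable_new()` fails. The new `if (error)` block only logs through `g_critical()`, and execution then reaches `panel->panel_type = panel_type;` with `obj` being NULL, so the crash tracked as rhbz#2213445 is reported but not avoided. The `GError` is also never released. Consider ending the block with `g_error_free (error);` and `return NULL;`, provided callers of `bus_panel_proxy_new()` tolerate a NULL result, which this hunk does not show.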
@@ -249,7 +301,142 @@ index c9ee174d..768b91f0 100644 #include -@@ -1104,7 +1105,12 @@ _atexit_cb () +@@ -69,6 +70,7 @@ typedef struct _X11ICONN X11ICONN; + typedef struct _X11IC X11IC; + struct _X11IC { + IBusInputContext *context; ++ gboolean ibus_connected; + Window client_window; + Window focus_window; + gint32 input_style; +@@ -327,6 +329,18 @@ _xim_store_ic_values (X11IC *x11ic, IMChangeICStruct *call_data) + return 1; + } + ++static void ++ibus_ic_connection_closed_cb (GDBusConnection *connection, ++ gboolean remote_peer_vanished, ++ GError *error, ++ X11IC *x11ic) ++{ ++ /* rhbz#2195895 The moment of the IBusBus disconnection would be ++ * different from the moment of XIM_DISCONNECT. ++ */ ++ x11ic->ibus_connected = FALSE; ++} ++ + + static int + xim_create_ic (XIMS xims, IMChangeICStruct *call_data) +@@ -334,6 +348,7 @@ xim_create_ic (XIMS xims, IMChangeICStruct *call_data) + static int base_icid = 1; + X11IC *x11ic; + guint32 capabilities = IBUS_CAP_FOCUS; ++ GDBusConnection *connection; + + call_data->icid = base_icid ++; + +@@ -345,8 +360,9 @@ xim_create_ic (XIMS xims, IMChangeICStruct *call_data) + + x11ic->icid = call_data->icid; + x11ic->connect_id = call_data->connect_id; +- x11ic->conn = (X11ICONN *)g_hash_table_lookup (_connections, +- GINT_TO_POINTER ((gint) call_data->connect_id)); ++ x11ic->conn = (X11ICONN *)g_hash_table_lookup ( ++ _connections, ++ GINT_TO_POINTER ((gint) call_data->connect_id)); + if (x11ic->conn == NULL) { + g_slice_free (X11IC, x11ic); + g_return_val_if_reached (0); +@@ -376,6 +392,10 @@ xim_create_ic (XIMS xims, IMChangeICStruct *call_data) + G_CALLBACK (_context_enabled_cb), x11ic); + g_signal_connect (x11ic->context, "disabled", + G_CALLBACK (_context_disabled_cb), x11ic); ++ connection = g_dbus_proxy_get_connection (G_DBUS_PROXY (x11ic->context)); ++ x11ic->ibus_connected = !g_dbus_connection_is_closed (connection); ++ g_signal_connect (connection, "closed", ++ G_CALLBACK (ibus_ic_connection_closed_cb), x11ic); + + + 
if (x11ic->input_style & XIMPreeditCallbacks) +@@ -400,11 +420,19 @@ xim_destroy_ic (XIMS xims, IMChangeICStruct *call_data) + LOG (1, "XIM_DESTROY_IC ic=%d connect_id=%d", + call_data->icid, call_data->connect_id); + +- x11ic = (X11IC *)g_hash_table_lookup (_x11_ic_table, +- GINT_TO_POINTER ((gint) call_data->icid)); ++ x11ic = (X11IC *)g_hash_table_lookup ( ++ _x11_ic_table, ++ GINT_TO_POINTER ((gint) call_data->icid)); + g_return_val_if_fail (x11ic != NULL, 0); + + if (x11ic->context) { ++ GDBusConnection *connection = ++ g_dbus_proxy_get_connection (G_DBUS_PROXY (x11ic->context)); ++ x11ic->ibus_connected = FALSE; ++ g_signal_handlers_disconnect_by_func ( ++ connection, ++ (GCallback)ibus_ic_connection_closed_cb, ++ x11ic); + ibus_proxy_destroy ((IBusProxy *)x11ic->context); + g_object_unref (x11ic->context); + x11ic->context = NULL; +@@ -412,7 +440,8 @@ xim_destroy_ic (XIMS xims, IMChangeICStruct *call_data) + + g_hash_table_remove (_x11_ic_table, + GINT_TO_POINTER ((gint) call_data->icid)); +- x11ic->conn->clients = g_list_remove (x11ic->conn->clients, (gconstpointer)x11ic); ++ x11ic->conn->clients = g_list_remove (x11ic->conn->clients, ++ (gconstpointer)x11ic); + + g_free (x11ic->preedit_string); + x11ic->preedit_string = NULL; +@@ -439,6 +468,8 @@ xim_set_ic_focus (XIMS xims, IMChangeFocusStruct *call_data) + x11ic = (X11IC *) g_hash_table_lookup (_x11_ic_table, + GINT_TO_POINTER ((gint) call_data->icid)); + g_return_val_if_fail (x11ic != NULL, 0); ++ if (!x11ic->ibus_connected) ++ return 1; + + ibus_input_context_focus_in (x11ic->context); + _xim_set_cursor_location (x11ic); +@@ -458,6 +489,8 @@ xim_unset_ic_focus (XIMS xims, IMChangeFocusStruct *call_data) + x11ic = (X11IC *) g_hash_table_lookup (_x11_ic_table, + GINT_TO_POINTER ((gint) call_data->icid)); + g_return_val_if_fail (x11ic != NULL, 0); ++ if (!x11ic->ibus_connected) ++ return 1; + + ibus_input_context_focus_out (x11ic->context); + +@@ -712,6 +745,8 @@ xim_forward_event (XIMS xims, 
IMForwardEventStruct *call_data) + _x11_ic_table, + GINT_TO_POINTER ((gint) call_data->icid)); + g_return_val_if_fail (x11ic != NULL, 0); ++ if (!x11ic->ibus_connected) ++ return 0; + + xevent = (XKeyEvent*) &(call_data->event); + +@@ -870,6 +905,8 @@ _xim_set_cursor_location (X11IC *x11ic) + } + } + ++ if (!x11ic->ibus_connected) ++ return; + ibus_input_context_set_cursor_location (x11ic->context, + preedit_area.x, + preedit_area.y, +@@ -950,6 +987,8 @@ xim_reset_ic (XIMS xims, IMResetICStruct *call_data) + x11ic = (X11IC *) g_hash_table_lookup (_x11_ic_table, + GINT_TO_POINTER ((gint) call_data->icid)); + g_return_val_if_fail (x11ic != NULL, 0); ++ if (!x11ic->ibus_connected) ++ return 1; + + ibus_input_context_reset (x11ic->context); + +@@ -1309,7 +1348,12 @@ _atexit_cb () static void _sighandler (int sig) { 
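Review bot: The `closed` handler added in `xim_create_ic()` passes the raw `X11IC *` as user data, and the only matching `g_signal_handlers_disconnect_by_func()` visible here sits inside `if (x11ic->context)` in `xim_destroy_ic()`. If any other path frees an `X11IC` (none is shown in this hunk), `ibus_ic_connection_closed_cb()` would write `ibus_connected` into freed memory when the bus connection later closes, so it is worth confirming that every free site disconnects the handler first. Separately, `xim_forward_event()` returns 0 for a disconnected context while the focus and reset handlers return 1. A short comment such as `/* drop the event: IBus connection is closed */` would record whether that difference is intended.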
@@ -263,11 +450,70 @@ index c9ee174d..768b91f0 100644 } static void +diff --git a/portal/portal.c b/portal/portal.c +index 5cd38779..5110baad 100644 +--- a/portal/portal.c ++++ b/portal/portal.c +@@ -92,6 +92,11 @@ static void portal_context_g_signal (GDBusProxy *proxy, + GVariant *parameters, + IBusPortalContext *portal_context); + ++#define IBUS_TYPE_PORTAL_CONTEXT \ ++ (ibus_portal_context_get_type ()) ++#define IBUS_IS_PORTAL_CONTEXT(obj) \ ++ (G_TYPE_CHECK_INSTANCE_TYPE ((obj), IBUS_TYPE_PORTAL_CONTEXT)) ++ + G_DEFINE_TYPE_WITH_CODE (IBusPortalContext, + ibus_portal_context, + IBUS_DBUS_TYPE_INPUT_CONTEXT_SKELETON, +@@ -492,11 +497,6 @@ ibus_portal_context_new (IBusInputContext *context, + g_strdup_printf (IBUS_PATH_INPUT_CONTEXT, portal_context->id); + portal_context->service = ibus_dbus_service_skeleton_new (); + +- g_signal_connect (portal_context->service, +- "handle-destroy", +- G_CALLBACK (ibus_portal_context_handle_destroy), +- portal_context); +- + if (!g_dbus_interface_skeleton_export ( + G_DBUS_INTERFACE_SKELETON (portal_context->service), + connection, portal_context->object_path, +@@ -509,8 +509,17 @@ ibus_portal_context_new (IBusInputContext *context, + return NULL; + } + ++ /* rhbz#2239633 g_list_prepend() needs to be callsed before ++ * ibus_portal_context_handle_destroy() is connected ++ * for g_list_remove() in ibus_portal_context_finalize(). ++ */ + all_contexts = g_list_prepend (all_contexts, portal_context); + ++ g_signal_connect (portal_context->service, ++ "handle-destroy", ++ G_CALLBACK (ibus_portal_context_handle_destroy), ++ portal_context); ++ + return portal_context; + } + +@@ -667,6 +676,12 @@ name_owner_changed (GDBusConnection *connection, + IBusPortalContext *portal_context = l->data; + next = l->next; + ++ /* rhbz#2151344 portal_context might not be finalized? 
*/ ++ if (!G_LIKELY (IBUS_IS_PORTAL_CONTEXT (portal_context))) { ++ g_warn_message (G_LOG_DOMAIN, __FILE__, __LINE__, G_STRFUNC, ++ "portal_context is not IBusPortalContext"); ++ continue; ++ } + if (g_strcmp0 (portal_context->owner, name) == 0) { + g_object_unref (portal_context); + } diff --git a/src/ibusbus.c b/src/ibusbus.c -index b7ffbb47..668c8a26 100644 +index 0e6d67f1..fcc742b6 100644 --- a/src/ibusbus.c +++ b/src/ibusbus.c -@@ -689,6 +689,11 @@ ibus_bus_destroy (IBusObject *object) +@@ -742,6 +742,12 @@ ibus_bus_destroy (IBusObject *object) _bus = NULL; if (bus->priv->monitor) { @@ -276,16 +522,17 @@ index b7ffbb47..668c8a26 100644 + */ + g_signal_handlers_disconnect_by_func (bus->priv->monitor, + (GCallback) _changed_cb, bus); ++ g_file_monitor_cancel (bus->priv->monitor); g_object_unref (bus->priv->monitor); bus->priv->monitor = NULL; } diff --git a/ui/gtk3/extension.vala b/ui/gtk3/extension.vala -index ea3cd464..57ed1357 100644 +index a6f2e8e6..b7a04081 100644 --- a/ui/gtk3/extension.vala +++ b/ui/gtk3/extension.vala @@ -73,6 +73,10 @@ class ExtensionGtk : Gtk.Application { - string signal_name, - Variant parameters) { + string signal_name, + Variant parameters) { debug("signal_name = %s", signal_name); + /* rhbz#1797120 Fix assert(bus.is_connected()) in + * panel_binding_construct() @@ -295,10 +542,10 @@ index ea3cd464..57ed1357 100644 m_panel.load_settings(); } diff --git a/ui/gtk3/switcher.vala b/ui/gtk3/switcher.vala -index a4529c88..29a70dd5 100644 +index 26bded99..21ede7be 100644 --- a/ui/gtk3/switcher.vala +++ b/ui/gtk3/switcher.vala -@@ -140,8 +140,8 @@ class Switcher : Gtk.Window { +@@ -176,8 +176,8 @@ class Switcher : Gtk.Window { IBus.EngineDesc[] engines, int index, string input_context_path) { 
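Review bot: The `IBUS_IS_PORTAL_CONTEXT (portal_context)` guard added to `name_owner_changed()` in portal/portal.c inspects the very object it suspects is stale. If the entry in `all_contexts` has already been freed, the type check itself reads released memory and its result cannot be relied on. The guard therefore hides the symptom of rhbz#2151344 rather than fixing the object's lifetime, and the patch's own comment marks the cause as unknown. A sturdier direction is to guarantee that a context is removed from `all_contexts` before its last reference can be dropped, keeping this check only as a diagnostic.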
@@ -307,9 +554,9 @@ index a4529c88..29a70dd5 100644 + assert(m_loop == null); + assert(index < engines.length); - m_is_running = true; - m_keyval = keyval; -@@ -198,16 +198,18 @@ class Switcher : Gtk.Window { + if (m_is_running) + return index; +@@ -236,16 +236,18 @@ class Switcher : Gtk.Window { null, event, null); @@ -337,7 +584,7 @@ index a4529c88..29a70dd5 100644 #else Gdk.Device device = event.get_device(); if (device == null) { -@@ -243,30 +245,41 @@ class Switcher : Gtk.Window { +@@ -281,30 +283,41 @@ class Switcher : Gtk.Window { Gdk.EventMask.KEY_RELEASE_MASK, null, Gdk.CURRENT_TIME); @@ -399,5 +646,5 @@ index a4529c88..29a70dd5 100644 #if VALA_0_34 seat.ungrab(); -- -2.24.1 +2.45.0 diff --git a/SPECS-EXTENDED/ibus/ibus-HEAD.patch b/SPECS-EXTENDED/ibus/ibus-HEAD.patch index 1ed4aacb2b..e69de29bb2 100644 --- a/SPECS-EXTENDED/ibus/ibus-HEAD.patch +++ b/SPECS-EXTENDED/ibus/ibus-HEAD.patch 
@@ -1,599 +0,0 @@ -From 7b0d091839a4f1315ba216175fb2787e86f7fa31 Mon Sep 17 00:00:00 2001 -From: fujiwarat -Date: Tue, 3 Mar 2020 17:08:30 +0900 -Subject: [PATCH] src/tests: Delete graves in substitution in - ibus-desktop-testing-runner - -Delete the single quotations to enclose grave chracters because -DASH saves the single quoted '`id -u`' as the raw string in the command -substitution not to be extracted. - -BUG=https://github.com/ibus/ibus/issues/2189 ---- - src/tests/ibus-desktop-testing-runner.in | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/tests/ibus-desktop-testing-runner.in b/src/tests/ibus-desktop-testing-runner.in -index 0d9a847c..f9238e69 100755 ---- a/src/tests/ibus-desktop-testing-runner.in -+++ b/src/tests/ibus-desktop-testing-runner.in -@@ -4,7 +4,7 @@ - # - # ibus - The Input Bus - # --# Copyright (c) 2018-2019 Takao Fujiwara -+# Copyright (c) 2018-2020 Takao Fujiwara - # Copyright (c) 2018 Red Hat, Inc. - # - # This program is free software; you can redistribute it and/or modify -@@ -31,7 +31,8 @@ - # POSIX sh has no 'echo -e' - : ${ECHO:='/usr/bin/echo'} - # POSIX sh has $UID --: ${UID:='`id -u`'} -+# DASH saves the graves in '``' as characters not to be extracted -+: ${UID:=`id -u`} - - - PROGNAME=`basename $0` -@@ -170,7 +171,7 @@ _EOF - run_dbus_daemon() - { - # Use dbus-launch --exit-with-session later instead of --sh-syntax -- export DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$UID/bus -+ export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$UID/bus" - } - - run_desktop() --- -2.24.1 - -From 8ce25208c3f4adfd290a032c6aa739d2b7580eb1 Mon Sep 17 00:00:00 2001 -From: Carlos Garnacho -Date: Thu, 12 Mar 2020 16:02:16 +0900 -Subject: [PATCH] src: Use WAYLAND_DISPLAY on Wayland sessions to make up - IBus socket name - -In Wayland sessions, GNOME Shell 3.36 is leveraging 2 X11 Display -connections so one is used to set up all services for a "X11 session" -before user applications connected to the other display 
might require it. -This allows seamlessly starting Xwayland on demand to X11 user applications. - -IBus here belongs to the first described connection, it is started -explicitly on that display by GNOME Shell as it is necessary to set up -ibus-x11 before any other X11 client might want to use it. - -However the use of this "secondary" display results in IBus daemon left -unable to talk to applications, as the socket name is dependent on the -DISPLAY envvar and ibus/applications don't agree on its content. - -For wayland sessions, make it look for WAYLAND_DISPLAY, as that'll have -the similar "per session bus" behavior that this seems to look after. - -BUG=https://gitlab.gnome.org/GNOME/gnome-shell/issues/2341 ---- - src/ibusshare.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/ibusshare.c b/src/ibusshare.c -index 0d50d3f5..e0ef2ce0 100644 ---- a/src/ibusshare.c -+++ b/src/ibusshare.c -@@ -100,6 +100,7 @@ ibus_get_socket_path (void) - gchar *display; - gchar *displaynumber = "0"; - /* gchar *screennumber = "0"; */ -+ gboolean is_wayland = FALSE; - gchar *p; - - path = g_strdup (g_getenv ("IBUS_ADDRESS_FILE")); -@@ -108,13 +109,19 @@ ibus_get_socket_path (void) - } - - if (_display == NULL) { -- display = g_strdup (g_getenv ("DISPLAY")); -+ display = g_strdup (g_getenv ("WAYLAND_DISPLAY")); -+ if (display) -+ is_wayland = TRUE; -+ else -+ display = g_strdup (g_getenv ("DISPLAY")); - } - else { - display = g_strdup (_display); - } - -- if (display) { -+ if (is_wayland) { -+ displaynumber = display; -+ } else if (display) { - p = display; - hostname = display; - for (; *p != ':' && *p != '\0'; p++); --- -2.24.1 - -From 5765bfd69fb2ab1174378fbb0d8cac7f2bd2610f Mon Sep 17 00:00:00 2001 -From: Changwoo Ryu -Date: Wed, 15 Apr 2020 17:43:14 +0900 -Subject: [PATCH] client/gtk2: Remove glib_check_version() in gtk immodule - -In the gtk2/gtk3 immodule, glib_check_version() is being used to make sure -that the installed glib version is 
not older than the glib version which ibus -is built with. - -But there is no reason why glib version is checked in runtime. Library -compatibility is already being checked more precisely by packaging systems and -linkers. - -This version check can break the ibus gtk immodule when used with an older but -compatible version of glib, such as glib 2.62.x which is compatible with -2.64.x. - -BUG=https://github.com/ibus/ibus/issues/2200 ---- - client/gtk2/ibusim.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/client/gtk2/ibusim.c b/client/gtk2/ibusim.c -index bfacd0f0..d70800d3 100644 ---- a/client/gtk2/ibusim.c -+++ b/client/gtk2/ibusim.c -@@ -41,9 +41,7 @@ static const GtkIMContextInfo *info_list[] = { - G_MODULE_EXPORT const gchar* - g_module_check_init (GModule *module) - { -- return glib_check_version (GLIB_MAJOR_VERSION, -- GLIB_MINOR_VERSION, -- 0); -+ return null; - } - - G_MODULE_EXPORT void --- -2.24.1 - -From 8da016764cee9616cca4658d1fb311d6b3bfc0df Mon Sep 17 00:00:00 2001 -From: fujiwarat -Date: Wed, 15 Apr 2020 17:55:03 +0900 -Subject: [PATCH] src/tests: Fix to get focus events with su in - ibus-desktop-testing-runner - -GtkWindow haven't received focus events in any test cases since Fedora 31 -whenever Ansible runs ibus-desktop-testing-runner after `su root`. -Seems su command does not run systemd automatically and now systemd -requires XDG_RUNTIME_DIR and Ansible requires root access with ssh. -This fix requires to restart sshd with modified /etc/ssh/sshd_config -with "PermitRootLogin yes" in order to run with su command. - -Ansible with ibus-desktop-testin-runner has worked fine if root console -login is used without this patch because PAM runs systemd by login. 
---- - src/tests/ibus-desktop-testing-runner.in | 36 ++++++++++++++++++++++-- - 1 file changed, 33 insertions(+), 3 deletions(-) - -diff --git a/src/tests/ibus-desktop-testing-runner.in b/src/tests/ibus-desktop-testing-runner.in -index f9238e69..f760fd5b 100755 ---- a/src/tests/ibus-desktop-testing-runner.in -+++ b/src/tests/ibus-desktop-testing-runner.in -@@ -49,6 +49,7 @@ PID_XORG=0 - PID_GNOME_SESSION=0 - TESTING_RUNNER="default" - TESTS="" -+TIMEOUT=300 - GREEN='\033[0;32m' - RED='\033[0;31m' - NC='\033[0m' -@@ -84,6 +85,7 @@ usage() - "-r, --runner=RUNNER Run TESTS programs with a test RUNNER.\n" \ - " RUNNDER = gnome or default.\n" \ - " default is an embedded runner.\n" \ -+"-T, --timeout=TIMEOUT Set timeout (default TIMEOUT is 300 sec).\n" \ - "-o, --output=OUTPUT_FILE OUtput the log to OUTPUT_FILE\n" \ - "-O, --result=RESULT_FILE OUtput the result to RESULT_FILE\n" \ - "" -@@ -92,8 +94,8 @@ usage() - parse_args() - { - # This is GNU getopt. "sudo port getopt" in BSD? -- ARGS=`getopt -o hvb:s:cd:t:r:o:O: --long \ -- help,version,builddir:,srcdir:,no-graphics,desktop:,tests:,runner:,output:,result:\ -+ ARGS=`getopt -o hvb:s:cd:t:r:T:o:O: --long \ -+ help,version,builddir:,srcdir:,no-graphics,desktop:,tests:,runner:,timeout:,output:,result:\ - -- "$@"`; - eval set -- "$ARGS" - while [ 1 ] ; do -@@ -106,6 +108,7 @@ parse_args() - -d | --desktop ) DESKTOP_COMMAND="$2"; shift 2;; - -t | --tests ) TESTS="$2"; shift 2;; - -r | --runner ) TESTING_RUNNER="$2"; shift 2;; -+ -T | --timeout ) TIMEOUT="$2"; shift 2;; - -o | --output ) TEST_LOG="$2"; shift 2;; - -O | --result ) RESULT_LOG="$2"; shift 2;; - -- ) shift; break;; -@@ -166,11 +169,37 @@ _EOF - fi - # `su` command does not run loginctl - export XDG_SESSION_TYPE='x11' -+ export XDG_SESSION_CLASS=user -+ # `su` command does not get focus in events without this variable. 
-+ # Need to restart sshd after set "PermitRootLogin yes" in sshd_config -+ if [ "x$XDG_RUNTIME_DIR" = x ] ; then -+ export XDG_RUNTIME_DIR=/run/user/$UID -+ is_root_login=`grep "^PermitRootLogin" /etc/ssh/sshd_config | grep yes` -+ if [ "x$ANSIBLE" != x ] && [ "x$is_root_login" = x ] ; then -+ print_log -e "${RED}FAIL${NC}: No permission to get focus-in events in GtkWindow with ansible" -+ echo "su command does not configure necessary login info " \ -+ "with systemd and GtkWindow cannot receive focus-events " \ -+ "when ibus-desktop-testing-runner is executed by " \ -+ "ansible-playbook." >> $TEST_LOG -+ echo "Enabling root login via sshd, restarting sshd, set " \ -+ "XDG_RUNTIME_DIR can resolve the problem under " \ -+ "ansible-playbook." >> $TEST_LOG -+ exit 255 -+ fi -+ fi -+ # Do we need XDG_SESSION_ID and XDG_SEAT? -+ #export XDG_CONFIG_DIRS=/etc/xdg -+ #export XDG_SESSION_ID=10 -+ #export XDG_SESSION_DESKTOP=gnome -+ #export XDG_SEAT=seat0 - } - - run_dbus_daemon() - { - # Use dbus-launch --exit-with-session later instead of --sh-syntax -+ # GNOME uses a unix:abstract address and it effects gsettings set values -+ # in each test case. -+ # TODO: Should we comment out this line? - export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$UID/bus" - } - -@@ -288,7 +317,8 @@ run_gnome_desktop_testing_runner() - fail=1 - continue - fi -- gnome-desktop-testing-runner $tst 2>>$TEST_LOG 1>>$TEST_LOG -+ gnome-desktop-testing-runner --timeout=$TIMEOUT $tst \ -+ 2>>$TEST_LOG 1>>$TEST_LOG - retval=$? 
- read pass fail << EOF - `count_case_result $retval $pass $fail` --- -2.24.1 - -From 0b9d9365988a96a2bc31c48624f9c2b8081601b6 Mon Sep 17 00:00:00 2001 -From: fujiwarat -Date: Wed, 22 Apr 2020 20:17:12 +0900 -Subject: [PATCH] client/gtk2: Fix typo - ---- - client/gtk2/ibusim.c | 4 ++-- - src/tests/ibus-desktop-testing-runner.in | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/client/gtk2/ibusim.c b/client/gtk2/ibusim.c -index d70800d3..55609ce7 100644 ---- a/client/gtk2/ibusim.c -+++ b/client/gtk2/ibusim.c -@@ -2,7 +2,7 @@ - /* vim:set et ts=4: */ - /* ibus - The Input Bus - * Copyright (C) 2008-2010 Peng Huang -- * Copyright (C) 2008-2010 Red Hat, Inc. -+ * Copyright (C) 2008-2020 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public -@@ -41,7 +41,7 @@ static const GtkIMContextInfo *info_list[] = { - G_MODULE_EXPORT const gchar* - g_module_check_init (GModule *module) - { -- return null; -+ return NULL; - } - - G_MODULE_EXPORT void -diff --git a/src/tests/ibus-desktop-testing-runner.in b/src/tests/ibus-desktop-testing-runner.in -index f760fd5b..4232c549 100755 ---- a/src/tests/ibus-desktop-testing-runner.in -+++ b/src/tests/ibus-desktop-testing-runner.in -@@ -173,7 +173,7 @@ _EOF - # `su` command does not get focus in events without this variable. 
- # Need to restart sshd after set "PermitRootLogin yes" in sshd_config - if [ "x$XDG_RUNTIME_DIR" = x ] ; then -- export XDG_RUNTIME_DIR=/run/user/$UID -+ export XDG_RUNTIME_DIR="/run/user/$UID" - is_root_login=`grep "^PermitRootLogin" /etc/ssh/sshd_config | grep yes` - if [ "x$ANSIBLE" != x ] && [ "x$is_root_login" = x ] ; then - print_log -e "${RED}FAIL${NC}: No permission to get focus-in events in GtkWindow with ansible" --- -2.24.1 - -From 8c4125bc78ce3502b5aeb053e7029cc2594f83f2 Mon Sep 17 00:00:00 2001 -From: Changwoo Ryu -Date: Sun, 12 Apr 2020 05:28:15 +0900 -Subject: [PATCH] src: Build the Emoji dictionaries in parallel - -Instead of building Emoji dictionaries src/dicts/emoji-*.dict in sequence, a -pattern rule is specified for them. The make -jN option builds the -dictionaries in parallel. - -The GNU make extensions like pattern rule and patsubst function are used for -it. But src/Makefile.am has had other GNU make extensions for a while, so -using more extensions should not make portability worse. 
- -BUG=https://github.com/ibus/ibus/pull/2209 ---- - src/Makefile.am | 55 ++++++++++++++++++++++++------------------------- - 1 file changed, 27 insertions(+), 28 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index a8e3d07d..99de1ab7 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -246,42 +246,41 @@ if ENABLE_EMOJI_DICT - AM_CPPFLAGS += -DENABLE_EMOJI_DICT - - dictdir = $(pkgdatadir)/dicts --dict_DATA = dicts/emoji-en.dict - LANG_FILES = $(basename $(notdir $(wildcard $(EMOJI_ANNOTATION_DIR)/*.xml))) -+EMOJI_DICT_FILES = $(patsubst %,dicts/emoji-%.dict,$(LANG_FILES)) -+dict_DATA = $(EMOJI_DICT_FILES) - - noinst_PROGRAMS += emoji-parser - --dicts/emoji-en.dict: emoji-parser -+dicts/emoji-%.dict: emoji-parser - $(AM_V_at)if test x"$(LANG_FILES)" = x ; then \ - echo "WARNING: Not found $(EMOJI_ANNOTATION_DIR)/en.xml" 1>&2; \ - fi; \ -- for f in $(LANG_FILES) ; do \ -- if test -f dicts/emoji-$$f.dict; then \ -- echo "Already exists dicts/emoji-$$f.dict"; \ -- continue; \ -- fi; \ -- if test -f \ -- "$(EMOJI_ANNOTATION_DIR)/../annotationsDerived/$$f.xml" ; then \ -- xml_derived_option="--xml-derived $(EMOJI_ANNOTATION_DIR)/../annotationsDerived/$$f.xml"; \ -+ if test -f $@; then \ -+ echo "Already exists $@"; \ -+ exit 0; \ -+ fi; \ -+ if test -f \ -+ "$(EMOJI_ANNOTATION_DIR)/../annotationsDerived/$*.xml" ; then \ -+ xml_derived_option="--xml-derived $(EMOJI_ANNOTATION_DIR)/../annotationsDerived/$*.xml"; \ - plus_comment="derived"; \ -- fi; \ -- if test x"$$f" = xen ; then \ -- $(builddir)/emoji-parser \ -- --unicode-emoji-dir $(UNICODE_EMOJI_DIR) \ -- --xml $(EMOJI_ANNOTATION_DIR)/$$f.xml \ -- $$xml_derived_option \ -- --xml-ascii $(top_srcdir)/data/annotations/en_ascii.xml \ -- --out-category ibusemojigen.h \ -- --out $@; \ -- else \ -- $(builddir)/emoji-parser \ -- --unicode-emoji-dir $(UNICODE_EMOJI_DIR) \ -- --xml $(EMOJI_ANNOTATION_DIR)/$$f.xml \ -- $$xml_derived_option \ -- --out dicts/emoji-$$f.dict; \ -- fi; \ -- echo "Generated 
$$plus_comment dicts/emoji-$$f.dict"; \ -- done -+ fi; \ -+ if test x"$*" = xen ; then \ -+ $(builddir)/emoji-parser \ -+ --unicode-emoji-dir $(UNICODE_EMOJI_DIR) \ -+ --xml $(EMOJI_ANNOTATION_DIR)/$*.xml \ -+ $$xml_derived_option \ -+ --xml-ascii $(top_srcdir)/data/annotations/en_ascii.xml \ -+ --out-category ibusemojigen.h \ -+ --out $@; \ -+ else \ -+ $(builddir)/emoji-parser \ -+ --unicode-emoji-dir $(UNICODE_EMOJI_DIR) \ -+ --xml $(EMOJI_ANNOTATION_DIR)/$*.xml \ -+ $$xml_derived_option \ -+ --out $@; \ -+ fi; \ -+ echo "Generated $$plus_comment $@" - - ibusemojigen.h: dicts/emoji-en.dict - $(NULL) --- -2.23.0.rc1 - -From 02105c4d486283e6b561181d9c934d4d23f2d65e Mon Sep 17 00:00:00 2001 -From: fujiwarat -Date: Thu, 14 May 2020 15:48:34 +0900 -Subject: [PATCH] bus: Fix SEGV in bus_panel_proxy_focus_in() - -SEGV in BUS_IS_PANEL_PROXY() in bus_panel_proxy_focus_in() -Check if GDBusConnect is closed before bus_panel_proxy_new() is called. - -BUG=rhbz#1349148 -BUG=rhbz#1385349 ---- - bus/ibusimpl.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/bus/ibusimpl.c b/bus/ibusimpl.c -index 85761d30..e432e849 100644 ---- a/bus/ibusimpl.c -+++ b/bus/ibusimpl.c -@@ -2,8 +2,8 @@ - /* vim:set et sts=4: */ - /* ibus - The Input Bus - * Copyright (C) 2008-2013 Peng Huang -- * Copyright (C) 2011-2019 Takao Fujiwara -- * Copyright (C) 2008-2019 Red Hat, Inc. -+ * Copyright (C) 2011-2020 Takao Fujiwara -+ * Copyright (C) 2008-2020 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public -@@ -464,13 +464,16 @@ _dbus_name_owner_changed_cb (BusDBusImpl *dbus, - else if (!g_strcmp0 (name, IBUS_SERVICE_PANEL_EXTENSION_EMOJI)) - panel_type = PANEL_TYPE_EXTENSION_EMOJI; - -- if (panel_type != PANEL_TYPE_NONE) { -+ do { -+ if (panel_type == PANEL_TYPE_NONE) -+ break; - if (g_strcmp0 (new_name, "") != 0) { - /* a Panel process is started. 
*/ - BusConnection *connection; - BusInputContext *context = NULL; - BusPanelProxy **panel = (panel_type == PANEL_TYPE_PANEL) ? - &ibus->panel : &ibus->emoji_extension; -+ GDBusConnection *dbus_connection = NULL; - - if (*panel != NULL) { - ibus_proxy_destroy ((IBusProxy *)(*panel)); -@@ -479,9 +482,21 @@ _dbus_name_owner_changed_cb (BusDBusImpl *dbus, - g_assert (*panel == NULL); - } - -- connection = bus_dbus_impl_get_connection_by_name (BUS_DEFAULT_DBUS, new_name); -+ connection = bus_dbus_impl_get_connection_by_name (BUS_DEFAULT_DBUS, -+ new_name); - g_return_if_fail (connection != NULL); - -+ dbus_connection = bus_connection_get_dbus_connection (connection); -+ /* rhbz#1349148 rhbz#1385349 -+ * Avoid SEGV of BUS_IS_PANEL_PROXY (ibus->panel) -+ * This function is called during destroying the connection -+ * in this case? */ -+ if (dbus_connection == NULL || -+ g_dbus_connection_is_closed (dbus_connection)) { -+ new_name = ""; -+ break; -+ } -+ - *panel = bus_panel_proxy_new (connection, panel_type); - if (panel_type == PANEL_TYPE_EXTENSION_EMOJI) - ibus->enable_emoji_extension = FALSE; -@@ -535,7 +550,7 @@ _dbus_name_owner_changed_cb (BusDBusImpl *dbus, - } - } - } -- } -+ } while (0); - - bus_ibus_impl_component_name_owner_changed (ibus, name, old_name, new_name); - } --- -2.24.1 - -From f591381e3c892947ecaffe9131b9039ab9014498 Mon Sep 17 00:00:00 2001 -From: fujiwarat -Date: Thu, 14 May 2020 16:02:00 +0900 -Subject: [PATCH] bus: Fix SEGV in bus_dbus_impl_name_owner_changed() - -rhbz#1406699 SEGV in new_owner!=NULL in bus_dbus_impl_name_owner_changed() -which is called by bus_name_service_remove_owner() -If bus_connection_get_unique_name()==NULL, set new_owner="" in -bus_name_service_remove_owner() - -rhbz#1432252 SEGV in old_owner!=NULL in bus_dbus_impl_name_owner_changed() -which is called by bus_name_service_set_primary_owner() -If bus_connection_get_unique_name()==NULL, set old_owner="" in -bus_name_service_set_primary_owner() - -BUG=rhbz#1406699 
-BUG=rhbz#1432252 ---- - bus/dbusimpl.c | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - -diff --git a/bus/dbusimpl.c b/bus/dbusimpl.c -index b54ef817..59787a80 100644 ---- a/bus/dbusimpl.c -+++ b/bus/dbusimpl.c -@@ -2,7 +2,8 @@ - /* vim:set et sts=4: */ - /* ibus - The Input Bus - * Copyright (C) 2008-2013 Peng Huang -- * Copyright (C) 2008-2013 Red Hat, Inc. -+ * Copyright (C) 2015-2020 Takao Fujiwara -+ * Copyright (C) 2008-2020 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public -@@ -344,6 +345,8 @@ bus_name_service_set_primary_owner (BusNameService *service, - BusConnectionOwner *owner, - BusDBusImpl *dbus) - { -+ gboolean has_old_owner = FALSE; -+ - g_assert (service != NULL); - g_assert (owner != NULL); - g_assert (dbus != NULL); -@@ -351,6 +354,13 @@ bus_name_service_set_primary_owner (BusNameService *service, - BusConnectionOwner *old = service->owners != NULL ? - (BusConnectionOwner *)service->owners->data : NULL; - -+ /* rhbz#1432252 If bus_connection_get_unique_name() == NULL, -+ * "Hello" method is not received yet. -+ */ -+ if (old != NULL && bus_connection_get_unique_name (old->conn) != NULL) { -+ has_old_owner = TRUE; -+ } -+ - if (old != NULL) { - g_signal_emit (dbus, - dbus_signals[NAME_LOST], -@@ -370,7 +380,8 @@ bus_name_service_set_primary_owner (BusNameService *service, - 0, - owner->conn, - service->name, -- old != NULL ? bus_connection_get_unique_name (old->conn) : "", -+ has_old_owner ? 
bus_connection_get_unique_name (old->conn) : -+ "", - bus_connection_get_unique_name (owner->conn)); - - if (old != NULL && old->do_not_queue != 0) { -@@ -427,6 +438,7 @@ bus_name_service_remove_owner (BusNameService *service, - BusDBusImpl *dbus) - { - GSList *owners; -+ gboolean has_new_owner = FALSE; - - g_assert (service != NULL); - g_assert (owner != NULL); -@@ -439,6 +451,13 @@ bus_name_service_remove_owner (BusNameService *service, - BusConnectionOwner *_new = NULL; - if (owners->next != NULL) { - _new = (BusConnectionOwner *)owners->next->data; -+ /* rhbz#1406699 If bus_connection_get_unique_name() == NULL, -+ * "Hello" method is not received yet. -+ */ -+ if (_new != NULL && -+ bus_connection_get_unique_name (_new->conn) != NULL) { -+ has_new_owner = TRUE; -+ } - } - - if (dbus != NULL) { -@@ -447,7 +466,7 @@ bus_name_service_remove_owner (BusNameService *service, - 0, - owner->conn, - service->name); -- if (_new != NULL) { -+ if (has_new_owner) { - g_signal_emit (dbus, - dbus_signals[NAME_ACQUIRED], - 0, -@@ -460,7 +479,7 @@ bus_name_service_remove_owner (BusNameService *service, - _new != NULL ? _new->conn : NULL, - service->name, - bus_connection_get_unique_name (owner->conn), -- _new != NULL ? bus_connection_get_unique_name (_new->conn) : ""); -+ has_new_owner ? bus_connection_get_unique_name (_new->conn) : ""); - - } - } --- -2.24.1 - diff --git a/SPECS-EXTENDED/ibus/ibus-xinput b/SPECS-EXTENDED/ibus/ibus-xinput index 4d7f4572c3..3bf9974e91 100644 --- a/SPECS-EXTENDED/ibus/ibus-xinput +++ b/SPECS-EXTENDED/ibus/ibus-xinput 
@@ -6,6 +6,10 @@ PREFERENCE_PROGRAM=/usr/bin/ibus-setup SHORT_DESC="IBus" GTK_IM_MODULE=ibus NOT_RUN=gnome3 +# IMSETTINGS_IGNORE_SESSION concatenate the current session name and type x11 or +# wayland. The current session name is calculated by get_destop() +# in /usr/libexec/imsettings-functions and the value is case-sensitive. +IMSETTINGS_IGNORE_SESSION=KDE-wayland if test -f /usr/lib64/qt5/plugins/platforminputcontexts/libibusplatforminputcontextplugin.so || \ test -f /usr/lib/qt5/plugins/platforminputcontexts/libibusplatforminputcontextplugin.so || \ diff --git a/SPECS-EXTENDED/ibus/ibus.signatures.json b/SPECS-EXTENDED/ibus/ibus.signatures.json index 76bb421515..e94960645a 100644 --- a/SPECS-EXTENDED/ibus/ibus.signatures.json +++ b/SPECS-EXTENDED/ibus/ibus.signatures.json @@ -1,7 +1,8 @@ { "Signatures": { - "ibus-1.5.22.tar.gz": "8170eba58c28aa4818970751ebdeada728ebb63d535967a5c5f5c21b0017be4a", - "ibus-xinput": "672dd0984cde30533a607d1178f9cd36c2fe441b010645e79f34dab56b574f36", - "ibus.conf.5": "c48db6e9b5b6af560379da6be9b2f60168be5e23f3947126f336c75fb70e304f" + "ibus-1.5.31.tar.gz": "5093994c8342551134c81f2d271575efbc459bb756cef1173c22430c8601a1e1", + "ibus-xinput": "f3633a4f127361e01f3205edc24f55d6126e40909f3a39f3d001e88a290a7305", + "ibus.conf.5": "c48db6e9b5b6af560379da6be9b2f60168be5e23f3947126f336c75fb70e304f", + "ibus.tar.gz.sum": "dde726c1f4f655a59b50571a9a8c6c479b729ea2a2835d9a49f54fef9eaf6c27" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/ibus/ibus.spec b/SPECS-EXTENDED/ibus/ibus.spec index 611983f14c..c927afd4c3 100644 --- a/SPECS-EXTENDED/ibus/ibus.spec +++ b/SPECS-EXTENDED/ibus/ibus.spec 
@@ -1,56 +1,91 @@ Vendor: Microsoft Corporation Distribution: Azure Linux -# This package depends on automagic byte compilation -# https://fedoraproject.org/wiki/Changes/No_more_automagic_Python_bytecompilation_phase_2 -%global _python_bytecompile_extra 1 +%global source_version %%(echo "%version" | tr '~' '-') -%global with_kde5 1 +%global with_python2 0 -%global ibus_api_version 1.0 +%global with_pkg_config %(pkg-config --version >/dev/null 2>&1 && echo -n "1" || echo -n "0") +%global ibus_api_version 1.0 +%global pkgcache /var/cache/%name # for bytecompile in %%{_datadir}/ibus/setup %global __python %{__python3} + +%bcond_without gtk2 +%bcond_without xinit +%bcond_without gtk4 + +%if %with_pkg_config +%if %{with gtk2} +%{!?gtk2_binary_version: %global gtk2_binary_version %(pkg-config --variable=gtk_binary_version gtk+-2.0)} +%else +%{!?gtk2_binary_version: %global gtk2_binary_version ?.?.?} +%endif +%{!?gtk3_binary_version: %global gtk3_binary_version %(pkg-config --variable=gtk_binary_version gtk+-3.0)} +%if %{with gtk4} +%{!?gtk4_binary_version: %global gtk4_binary_version %(pkg-config --variable=gtk_binary_version gtk4)} +%else +%{!?gtk4_binary_version: %global gtk4_binary_version ?.?.?} +%endif +%global glib_ver %([ -a %{_libdir}/pkgconfig/glib-2.0.pc ] && pkg-config --modversion glib-2.0 | cut -d. 
-f 1,2 || echo -n "999") +%else +%{!?gtk2_binary_version: %global gtk2_binary_version ?.?.?} +%{!?gtk3_binary_version: %global gtk3_binary_version ?.?.?} +%{!?gtk4_binary_version: %global gtk4_binary_version ?.?.?} +%global glib_ver 0 +%endif + %global dbus_python_version 0.83.0 Name: ibus -Version: 1.5.22 -Release: 9%{?dist} +Version: 1.5.31 +# https://github.com/fedora-infra/rpmautospec/issues/101 +Release: 1%{?dist} Summary: Intelligent Input Bus for Linux OS -License: LGPLv2+ +License: LGPL-2.1-or-later URL: https://github.com/ibus/%name/wiki -Source0: https://github.com/ibus/%name/releases/download/%{version}/%{name}-%{version}.tar.gz -Source1: %{name}-xinput -Source2: %{name}.conf.5 +Source0: https://github.com/ibus/%name/releases/download/%{source_version}/%{name}-%{source_version}.tar.gz +Source1: https://github.com/ibus/%name/releases/download/%{source_version}/%{name}.tar.gz.sum +Source2: %{name}-xinput +Source3: %{name}.conf.5 # Patch0: %%{name}-HEAD.patch -Patch0: %{name}-HEAD.patch # Under testing #1349148 #1385349 #1350291 #1406699 #1432252 #1601577 Patch1: %{name}-1385349-segv-bus-proxy.patch +# autoreconf requires autopoint but not po.m4 BuildRequires: gettext-devel BuildRequires: libtool # for gtkdoc-fixxref BuildRequires: glib2-doc -BuildRequires: dbus-glib-devel +BuildRequires: gtk3-devel BuildRequires: dbus-python-devel >= %{dbus_python_version} BuildRequires: desktop-file-utils BuildRequires: gtk-doc BuildRequires: dconf-devel +BuildRequires: dbus-x11 BuildRequires: python3-devel BuildRequires: python3-gobject +%if %with_python2 +# https://bugzilla.gnome.org/show_bug.cgi?id=759334 +# Need python2 for gsettings-schema-convert +BuildRequires: python2-devel +# for AM_GCONF_SOURCE_2 in configure.ac +BuildRequires: GConf2-devel +BuildRequires: intltool +%endif BuildRequires: git BuildRequires: vala BuildRequires: iso-codes-devel BuildRequires: libnotify-devel BuildRequires: wayland-devel -%if %with_kde5 -BuildRequires: qt5-qtbase-devel -%endif 
BuildRequires: cldr-emoji-annotation BuildRequires: unicode-emoji BuildRequires: unicode-ucd +BuildRequires: systemd Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-gtk3%{?_isa} = %{version}-%{release} Requires: %{name}-setup = %{version}-%{release} Requires: iso-codes @@ -73,11 +108,6 @@ Requires: %{_sbindir}/alternatives Requires(post): %{_sbindir}/alternatives Requires(postun): %{_sbindir}/alternatives -# Obsoletes ibus-xkbc by ibus xkb engine -Provides: ibus-xkbc = 1.3.4 -Obsoletes: ibus-xkbc < 1.3.4 - - %global _xinputconf %{_sysconfdir}/X11/xinit/xinput.d/ibus.conf %description 
@@ -87,36 +117,114 @@ IBus means Intelligent Input Bus. It is an input framework for Linux OS. Summary: IBus libraries Requires: dbus >= 1.2.4 -Requires: glib2 +Requires: glib2 >= %{glib_ver} # Owner of %%{_libdir}/girepository-1.0 Requires: gobject-introspection - - - - +%if (0%{?fedora} > 28 || 0%{?rhel} > 7) +%else +Conflicts: %{name}%{?_isa} < %{version} +%endif %description libs This package contains the libraries for IBus +%package gtk3 +Summary: IBus IM module for GTK3 +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: glib2 >= %{glib_ver} +Requires(post): glib2 >= %{glib_ver} + +%description gtk3 +This package contains IBus IM module for GTK3 + %package setup Summary: IBus setup utility Requires: %{name} = %{version}-%{release} %{?__python3:Requires: %{__python3}} Requires: python3-gobject BuildRequires: gobject-introspection-devel -BuildRequires: pygobject3-devel +BuildRequires: python3-gobject-devel +BuildRequires: make BuildArch: noarch %description setup This is a setup utility for IBus. +%if %with_python2 +%package pygtk2 +Summary: IBus PyGTK2 library +%if (0%{?fedora} && 0%{?fedora} <= 27) || (0%{?rhel} && 0%{?rhel} <= 7) +Requires: dbus-python >= %{dbus_python_version} +%else +Requires: python2-dbus >= %{dbus_python_version} +%endif +Requires: python2 +Requires: pygtk2 +BuildArch: noarch + +%description pygtk2 +This is a PyGTK2 library for IBus. Now major IBus engines use PyGObject3 +and this package will be deprecated. +%endif + +%package py2override +Summary: IBus Python2 override library +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +# Owner of %%python2_sitearch/gi/overrides +%if (0%{?fedora} && 0%{?fedora} <= 27) || (0%{?rhel} && 0%{?rhel} <= 7) +Requires: pygobject3-base +%else +Requires: python2-gobject-base +%endif +Requires: python2 + +%description py2override +This is a Python2 override library for IBus. The Python files override +some functions in GObject-Introspection. 
+ +%package wayland +Summary: IBus IM module for Wayland +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description wayland +This package contains IBus IM module for Wayland + +%package panel +Summary: IBus Panel icon +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +%if %{with xinit} +# setxkbmap can change XKB options for Xorg desktop sessions +Requires: setxkbmap +%endif +BuildRequires: libdbusmenu-gtk3-devel + +%description panel +This package contains IBus Panel icon using GtkStatusIcon or AppIndicator +in non-GNOME desktop sessions likes XFCE or Plasma because gnome-shell +shows the IBus Icon. This package depends on libdbusmenu-gtk3 for Wayland +desktop sessions. + +%package xinit +Summary: IBus Xinit +Requires: %{name} = %{version}-%{release} +%if %{with xinit} +# Owner of %%{_sysconfdir}/X11/xinit +Requires: xorg-x11-xinit +%endif +BuildArch: noarch + +%description xinit +This package includes xinit scripts to set environment variables of IBus +for Xorg desktop sessions and this is not needed by Wayland desktop sessions. + %package devel Summary: Development tools for ibus Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: dbus-devel Requires: glib2-devel # for %%{_datadir}/gettext/its -Requires: gettext +Requires: gettext-devel %description devel The ibus-devel package contains the header files and developer 
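Review bot: `%package py2override` is declared after the `%endif` that closes the `%if %with_python2` block, so it is defined unconditionally and carries `Requires: python2` even though this spec sets `%global with_python2 0` and configures with `--disable-python2`. Whether a subpackage is actually produced depends on a `%files py2override` section, which is outside this hunk. If that section is guarded by `%with_python2`, moving the `%endif` to below `%description py2override` would keep the declaration and the file list under the same condition and avoid a python2 dependency appearing by accident later.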
@@ -129,44 +237,106 @@ BuildArch: noarch %description devel-docs The ibus-devel-docs package contains developer documentation for IBus +%package desktop-testing +Summary: Wrapper of InstalledTests Runner for IBus +Requires: %{name} = %{version}-%{release} +%if 0%{?fedora:1}%{?rhel:0} +# Use no-overview mode in CI to get input focus +BuildRequires: gnome-shell-extension-no-overview +Requires: gnome-shell-extension-no-overview +%endif +BuildArch: noarch + +%description desktop-testing +GNOME desktop testing runner implements the InstalledTests specification +and IBus also needs focus events to enable input contexts on text widgets. +The wrapper script runs gnome-session for the focus events and GNOME +desktop testing runner internally. + +%package tests +Summary: Tests for the %{name} package +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description tests +The %{name}-tests package contains tests that can be used to verify +the functionality of the installed %{name} package. + + %prep -%autosetup -S git +SAVED_SUM=$(grep sha512sum %SOURCE1 | awk '{print $2}') +MY_SUM=$(sha512sum %SOURCE0 | awk '{print $1}') +if test x"$SAVED_SUM" != x"$MY_SUM" ; then + abort +fi +%autosetup -S git -n %{name}-%{source_version} # cp client/gtk2/ibusimcontext.c client/gtk3/ibusimcontext.c || : +# cp client/gtk2/ibusim.c client/gtk3/ibusim.c || : +# cp client/gtk2/ibusimcontext.c client/gtk4/ibusimcontext.c || : +cp client/gtk2/ibusimcontext.c client/gtk3/ibusimcontext.c || : +cp client/gtk2/ibusimcontext.c client/gtk4/ibusimcontext.c || : + + +# prep test +for f in ibusimcontext.c ibusim.c +do + diff client/gtk2/$f client/gtk3/$f + if test $? -ne 0 ; then + echo "Have to copy $f into client/gtk3" + abort + fi +done +diff client/gtk2/ibusimcontext.c client/gtk4/ibusimcontext.c +if test $? 
-ne 0 ; then + echo "Have to copy ibusimcontext.c into client/gtk4" + abort +fi %build #autoreconf -f -i -v #make -C ui/gtk3 maintainer-clean-generic #make -C tools maintainer-clean-generic +#make -C src/compose maintainer-clean-generic autoreconf -f -i -v %configure \ --disable-static \ --disable-gtk2 \ - --disable-gtk3 \ - --disable-xim \ - --enable-gtk-doc=yes \ - --enable-gtk-doc-html=no \ + --disable-gtk4 \ + --enable-gtk3 \ + --enable-xim \ + --enable-gtk-doc \ --enable-surrounding-text \ --with-python=python3 \ - --disable-ui \ - --enable-vala=no \ - --disable-tests \ +%if ! %with_python2 --disable-python2 \ -%if ! %with_kde5 - --disable-appindicator \ +%else + --enable-python-library \ %endif + --with-python-overrides-dir=%{python3_sitearch}/gi/overrides \ + --enable-wayland \ --enable-introspection \ --enable-install-tests \ %{nil} - make -C ui/gtk3 maintainer-clean-generic -%make_build +%make_build %install make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' rm -f $RPM_BUILD_ROOT%{_libdir}/libibus-*%{ibus_api_version}.la +%if %{with gtk2} +rm -f $RPM_BUILD_ROOT%{_libdir}/gtk-2.0/%{gtk2_binary_version}/immodules/im-ibus.la +%endif +rm -f $RPM_BUILD_ROOT%{_libdir}/gtk-3.0/%{gtk3_binary_version}/immodules/im-ibus.la +%if %{with gtk4} +rm -f $RPM_BUILD_ROOT%{_libdir}/gtk-4.0/%{gtk4_binary_version}/immodules/libim-ibus.la +%endif +%if %{without xinit} +# setxkbmap is not available in RHEL10 +rm -f $RPM_BUILD_ROOT%{_datadir}/installed-tests/ibus/xkb-latin-layouts.test +%endif # install man page -for S in %{SOURCE2} +for S in %{SOURCE3} do cp $S . MP=`basename $S` 
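Review bot: The source checksum guard at the top of `%prep` stops a mismatching build by calling `abort`, which is not a shell builtin or a standard utility, so the failure relies on "command not found" returning non-zero under the `-e` shell that rpm normally uses; the `diff` checks below it use the same call, and under `-e` a failing `diff` would presumably end the script before `test $?` and the `echo` are reached. I would make the failure explicit, e.g. `echo "sha512 mismatch for %SOURCE0" >&2; exit 1`. The comparison also succeeds when both `SAVED_SUM` and `MY_SUM` come out empty, so a `test -n "$SAVED_SUM"` guard in front of it is worth adding. Since `Source1` is fetched from the same release location as `Source0`, this check detects a corrupted download rather than a replaced one; the hashes pinned in `ibus.signatures.json` remain the trust anchor, and a short comment saying so would help the next maintainer.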
@@ -175,12 +345,28 @@ do done # install xinput config file -install -pm 644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_xinputconf} +install -pm 644 -D %{SOURCE2} $RPM_BUILD_ROOT%{_xinputconf} +install -m 755 -d $RPM_BUILD_ROOT%pkgcache/bus +# `rpm -Vaq ibus` compare st_mode of struct stat with lstat(2) and +# st_mode of the RPM cache and if the file does not exist, st_mode of +# RPM cache is o0100000 while the actual st_mode is o0100644. +touch $RPM_BUILD_ROOT%pkgcache/bus/registry # install .desktop files +%if %with_python2 +echo "NoDisplay=true" >> $RPM_BUILD_ROOT%{_datadir}/applications/ibus-setup.desktop +%else echo "NoDisplay=true" >> $RPM_BUILD_ROOT%{_datadir}/applications/org.freedesktop.IBus.Setup.desktop +%endif #echo "X-GNOME-Autostart-enabled=false" >> $RPM_BUILD_ROOT%%{_sysconfdir}/xdg/autostart/ibus.desktop +mkdir -p $RPM_BUILD_ROOT%{_libdir}/ibus +cp src/compose/sequences-* $RPM_BUILD_ROOT%{_libdir}/ibus + +HAS_PREFIX=$(grep prefix $RPM_BUILD_ROOT%{_bindir}/ibus-setup | wc -l) +[ x"$HAS_PREFIX" == x1 ] && \ + sed -i -e '/prefix/d' $RPM_BUILD_ROOT%{_bindir}/ibus-setup + desktop-file-install --delete-original \ --dir $RPM_BUILD_ROOT%{_datadir}/applications \ $RPM_BUILD_ROOT%{_datadir}/applications/* 
@@ -190,33 +376,40 @@ desktop-file-install --delete-original \ %check make check \ - DISABLE_GUI_TESTS="ibus-compose ibus-keypress test-stress" \ + DISABLE_GUI_TESTS="ibus-compose ibus-keypress test-stress xkb-latin-layouts" \ VERBOSE=1 \ %{nil} -%post +%post xinit %{_sbindir}/alternatives --install %{_sysconfdir}/X11/xinit/xinputrc xinputrc %{_xinputconf} 83 || : %postun if [ "$1" -eq 0 ]; then - %{_sbindir}/alternatives --remove xinputrc %{_xinputconf} || : - # if alternative was set to manual, reset to auto - [ -L %{_sysconfdir}/alternatives/xinputrc -a "`readlink %{_sysconfdir}/alternatives/xinputrc`" = "%{_xinputconf}" ] && %{_sbindir}/alternatives --auto xinputrc || : - # 'dconf update' sometimes does not update the db... dconf update || : [ -f %{_sysconfdir}/dconf/db/ibus ] && \ rm %{_sysconfdir}/dconf/db/ibus || : - # 'ibus write-cache --system' updates the system cache. - [ -f /var/cache/ibus/bus/registry ] && \ - rm /var/cache/ibus/bus/registry || : +fi + +%postun xinit +if [ "$1" -eq 0 ]; then + %{_sbindir}/alternatives --remove xinputrc %{_xinputconf} || : + # if alternative was set to manual, reset to auto + [ -L %{_sysconfdir}/alternatives/xinputrc -a "`readlink %{_sysconfdir}/alternatives/xinputrc`" = "%{_xinputconf}" ] && %{_sbindir}/alternatives --auto xinputrc || : fi %posttrans dconf update || : + +%transfiletriggerin -- %{_datadir}/ibus/component +[ -x %{_bindir}/ibus ] && \ + %{_bindir}/ibus write-cache --system &>/dev/null || : + +%transfiletriggerpostun -- %{_datadir}/ibus/component [ -x %{_bindir}/ibus ] && \ %{_bindir}/ibus write-cache --system &>/dev/null || : + %ldconfig_scriptlets libs %files -f %{name}10.lang 
@@ -225,53 +418,104 @@ dconf update || : %dir %{_datadir}/ibus/ %{_bindir}/ibus %{_bindir}/ibus-daemon +%{_datadir}/applications/org.freedesktop.IBus.Panel.Emojier.desktop +%{_datadir}/applications/org.freedesktop.IBus.Panel.Extension.Gtk3.desktop %{_datadir}/bash-completion/completions/ibus.bash %{_datadir}/dbus-1/services/*.service +%dir %{_datadir}/GConf +%dir %{_datadir}/GConf/gsettings %{_datadir}/GConf/gsettings/* %{_datadir}/glib-2.0/schemas/*.xml %{_datadir}/ibus/component %{_datadir}/ibus/dicts -%{_datadir}/ibus/engine +%dir %{_datadir}/ibus/engine %{_datadir}/ibus/keymaps %{_datadir}/icons/hicolor/*/apps/* %{_datadir}/man/man1/ibus.1.gz %{_datadir}/man/man1/ibus-daemon.1.gz +%{_datadir}/man/man7/ibus-emoji.7.gz %{_datadir}/man/man5/00-upstream-settings.5.gz %{_datadir}/man/man5/ibus.5.gz -%{_datadir}/man/man5/ibus.conf.5.gz %{_libexecdir}/ibus-engine-simple %{_libexecdir}/ibus-dconf %{_libexecdir}/ibus-portal +%{_libexecdir}/ibus-extension-gtk3 +%{_libexecdir}/ibus-ui-emojier +%{_libexecdir}/ibus-x11 %{_sysconfdir}/dconf/db/ibus.d %{_sysconfdir}/dconf/profile/ibus +%dir %{_sysconfdir}/xdg/Xwayland-session.d +%{_sysconfdir}/xdg/Xwayland-session.d/10-ibus-x11 +%dir %{_prefix}/lib/systemd/user/gnome-session.target.wants +%{_prefix}/lib/systemd/user/gnome-session.target.wants/*.service +%{_prefix}/lib/systemd/user/org.freedesktop.IBus.session.*.service %python3_sitearch/gi/overrides/__pycache__/*.py* %python3_sitearch/gi/overrides/IBus.py -# ibus owns xinput.d because gnome does not like to depend on imsettings. -%dir %{_sysconfdir}/X11/xinit/xinput.d -# Do not use %%config(noreplace) to always get the new keywords in _xinputconf -# For user customization, $HOME/.xinputrc can be used instead. -%config %{_xinputconf} - +%verify(not mtime) %dir %pkgcache +%verify(not mtime) %dir %pkgcache/bus +# 'ibus write-cache --system' updates the system cache. 
+%ghost %pkgcache/bus/registry %files libs %{_libdir}/libibus-*%{ibus_api_version}.so.* %dir %{_libdir}/girepository-1.0 %{_libdir}/girepository-1.0/IBus*-1.0.typelib +%files gtk3 +%{_libdir}/gtk-3.0/%{gtk3_binary_version}/immodules/im-ibus.so + # The setup package won't include icon files so that # gtk-update-icon-cache is executed in the main package only one time. %files setup %{_bindir}/ibus-setup +%if %with_python2 +%{_datadir}/applications/ibus-setup.desktop +%else %{_datadir}/applications/org.freedesktop.IBus.Setup.desktop +%endif %{_datadir}/ibus/setup %{_datadir}/man/man1/ibus-setup.1.gz +%if %with_python2 +%files pygtk2 +%dir %{python2_sitelib}/ibus +%{python2_sitelib}/ibus/* +%endif + +%if %with_python2 +%files py2override +%python2_sitearch/gi/overrides/IBus.py* +%endif + +%files wayland +%{_libexecdir}/ibus-wayland + +%files panel +%{_datadir}/applications/org.freedesktop.IBus.Panel.Wayland.Gtk3.desktop +%{_libexecdir}/ibus-ui-gtk3 + +%files xinit +%{_datadir}/man/man5/ibus.conf.5.gz +%if %{without xinit} +# ibus owns xinit directory without xorg-x11-xinit package +%dir %{_sysconfdir}/X11/xinit +%dir %{_sysconfdir}/X11/xinit/xinput.d +%endif +# Do not use %%config(noreplace) to always get the new keywords in _xinputconf +# For user customization, $HOME/.xinputrc can be used instead. +%config %{_xinputconf} + %files devel +%{_libdir}/ibus %{_libdir}/lib*.so %{_libdir}/pkgconfig/* %{_includedir}/* %{_datadir}/gettext/its/ibus.* %dir %{_datadir}/gir-1.0 %{_datadir}/gir-1.0/IBus*-1.0.gir +%dir %{_datadir}/vala +%dir %{_datadir}/vala/vapi +%{_datadir}/vala/vapi/ibus-*1.0.vapi +%{_datadir}/vala/vapi/ibus-*1.0.deps %files devel-docs # Own html dir since gtk-doc is heavy. 
@@ -279,7 +523,23 @@ dconf update || : %dir %{_datadir}/gtk-doc/html %{_datadir}/gtk-doc/html/* +%files desktop-testing +%{_bindir}/ibus-desktop-testing-runner +%{_datadir}/ibus/tests +%{_libexecdir}/ibus-desktop-testing-autostart +%{_libexecdir}/ibus-desktop-testing-module + +%files tests +%dir %{_libexecdir}/installed-tests +%{_libexecdir}/installed-tests/ibus +%dir %{_datadir}/installed-tests +%{_datadir}/installed-tests/ibus + %changelog +* Thu Mar 13 2025 Sumit Jena - 1.5.31-1 +- Update to version 1.5.31 +- License verified + * Tue Aug 10 2021 Thomas Crain - 1.5.22-9 - Remove python2 support - Remove build-time dependency version checking diff --git a/SPECS-EXTENDED/ibus/ibus.tar.gz.sum b/SPECS-EXTENDED/ibus/ibus.tar.gz.sum new file mode 100644 index 0000000000..a26de42fac --- /dev/null +++ b/SPECS-EXTENDED/ibus/ibus.tar.gz.sum @@ -0,0 +1,4 @@ +cksum 3075875856 4108303 ibus-1.5.31.tar.gz +sha1sum 02c754a119a1a1f88ed8d578148e8ec609496733 ibus-1.5.31.tar.gz +sha256sum 5093994c8342551134c81f2d271575efbc459bb756cef1173c22430c8601a1e1 ibus-1.5.31.tar.gz +sha512sum adfad740002662262981ddfcc3f6eb1e898433d3bd90b07535ceef367d496d3da3e0836e59133d0063caf2d3d55d0deb6cf18ae2807fdd1ce4afab84a7725ca5 ibus-1.5.31.tar.gz diff --git a/SPECS-EXTENDED/jimtcl/jimtcl-fix_doc_paths.patch b/SPECS-EXTENDED/jimtcl/jimtcl-fix_doc_paths.patch deleted file mode 100644 index 3c55606bcc..0000000000 --- a/SPECS-EXTENDED/jimtcl/jimtcl-fix_doc_paths.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff --git Makefile.in Makefile.in -index 51435c1..c2cff43 100644 ---- Makefile.in -+++ Makefile.in -@@ -99,7 +99,7 @@ $(JIMSH): $(LIBJIM) jimsh.o initjimsh.o - install: all @TCL_EXTS@ install-exec install-docs - $(INSTALL_DATA_DIR) $(DESTDIR)@libdir@/jim - $(INSTALL_DATA) $(LIBJIM) $(DESTDIR)@libdir@ -- $(INSTALL_DATA) @srcdir@/README.extensions @C_EXT_SHOBJS@ $(DESTDIR)@libdir@/jim -+ $(INSTALL_DATA) @srcdir@/README.extensions @C_EXT_SHOBJS@ $(DESTDIR)@datadir@/doc/jimtcl - for i in tcltest.tcl @TCL_EXTS@; do $(INSTALL_DATA) @srcdir@/$$i $(DESTDIR)@libdir@/jim; done - $(INSTALL_DATA_DIR) $(DESTDIR)@includedir@ - $(INSTALL_DATA) @srcdir@/jim.h @srcdir@/jim-eventloop.h @srcdir@/jim-signal.h \ -@@ -118,9 +118,9 @@ uninstall: - rm -f $(DESTDIR)@bindir@/$(JIMSH) - rm -f $(DESTDIR)@bindir@/build-jim-ext - rm -f $(DESTDIR)@libdir@/$(LIBJIM) -- for i in README.extensions @C_EXT_SHOBJS@ @TCL_EXTS@; do rm -f $(DESTDIR)@libdir@/jim/$$i; done -+ for i in README.extensions @C_EXT_SHOBJS@ @TCL_EXTS@; do rm -f $(DESTDIR)@datadir@/doc/jimtcl/$$i; done - rm -f $(DESTDIR)@includedir@/jim*.h -- rm -f $(DESTDIR)@datadir@/doc/jim/Tcl.html -+ rm -f $(DESTDIR)@datadir@/doc/jimtcl/Tcl.html - @else - install install-exec: all - uninstall: -@@ -259,15 +259,15 @@ install-docs: - - @if INSTALL_DOCS == docs - install-docs: docs -- $(INSTALL_DATA_DIR) $(DESTDIR)$(docdir) -- $(INSTALL_DATA) Tcl.html $(DESTDIR)$(docdir) -+ $(INSTALL_DATA_DIR) $(DESTDIR)@datadir@/doc/jimtcl -+ $(INSTALL_DATA) Tcl.html $(DESTDIR)@datadir@/doc/jimtcl - @endif - - @if INSTALL_DOCS == shipped - install-docs: -- $(INSTALL_DATA_DIR) $(DESTDIR)$(docdir) -+ $(INSTALL_DATA_DIR) $(DESTDIR)@datadir@/doc/jimtcl - @echo "Warning: asciidoc not available - installing Tcl_shipped.html" -- $(INSTALL_DATA) Tcl_shipped.html $(DESTDIR)$(docdir)/Tcl.html -+ $(INSTALL_DATA) Tcl_shipped.html $(DESTDIR)@datadir@/doc/jimtcl/Tcl.html - @endif - - Tcl.html: jim_tcl.txt @srcdir@/make-index 
diff --git a/SPECS-EXTENDED/jimtcl/jimtcl-stdio-for-readline.diff b/SPECS-EXTENDED/jimtcl/jimtcl-stdio-for-readline.diff new file mode 100644 index 0000000000..1a32d4775f --- /dev/null +++ b/SPECS-EXTENDED/jimtcl/jimtcl-stdio-for-readline.diff @@ -0,0 +1,27 @@ +From 35e0e1f9b1f018666e5170a35366c5fc3b97309c Mon Sep 17 00:00:00 2001 +From: Steve Bennett +Date: Thu, 29 Aug 2024 08:25:11 +1000 +Subject: [PATCH] readline: work around buggy readline.h + +Some versions don't included needed stdio.h + +Fixes: #308 + +Signed-off-by: Steve Bennett +--- + jim-readline.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/jim-readline.c b/jim-readline.c +index 5715b2c9..c83e649b 100644 +--- a/jim-readline.c ++++ b/jim-readline.c +@@ -34,6 +34,8 @@ + + #include + ++#include ++ + #include + #include + diff --git a/SPECS-EXTENDED/jimtcl/jimtcl.signatures.json b/SPECS-EXTENDED/jimtcl/jimtcl.signatures.json index a5edb52922..d902feab58 100644 --- a/SPECS-EXTENDED/jimtcl/jimtcl.signatures.json +++ b/SPECS-EXTENDED/jimtcl/jimtcl.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "jimtcl-0.78.tar.gz": "cf801795c9fd98bfff6882c14afdf96424ba86dead58c2a4e15978b176d3e12b" + "jimtcl-0.83.tar.gz": "6f2df00009f5ac4ad654c1ae1d2f8ed18191de38d1f5a88a54ea99cc16936686" } } diff --git a/SPECS-EXTENDED/jimtcl/jimtcl.spec b/SPECS-EXTENDED/jimtcl/jimtcl.spec index a9e85f2055..212636e0e8 100644 --- a/SPECS-EXTENDED/jimtcl/jimtcl.spec +++ b/SPECS-EXTENDED/jimtcl/jimtcl.spec 
@@ -1,78 +1,169 @@ +%bcond_without tests + Vendor: Microsoft Corporation Distribution: Azure Linux Name: jimtcl -Version: 0.78 -Release: 5%{?dist} +Version: 0.83 +Release: 3%{?dist} Summary: A small embeddable Tcl interpreter -License: BSD +License: BSD-2-Clause-Views URL: http://jim.tcl.tk -Source0: https://github.com/msteveb/%{name}/archive/%{version}/%{name}-%{version}.tar.gz -Patch0: jimtcl-fix_doc_paths.patch +Source: https://github.com/msteveb/%{name}/archive/%{version}/%{name}-%{version}.tar.gz +# readline expects applications to include stdio.h, jimtcl was not +Patch: https://github.com/msteveb/jimtcl/commit/35e0e1f9b1f018666e5170a35366c5fc3b97309c.patch#/jimtcl-stdio-for-readline.diff -BuildRequires: gcc +BuildRequires: gcc-c++ BuildRequires: asciidoc - -%description -Jim is an opensource small-footprint implementation of the Tcl programming +BuildRequires: make +# Extension dependencies +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(zlib) +%if %{with tests} +BuildRequires: hostname +%endif + +%global _description %{expand: +Jim is an opensource small-footprint implementation of the Tcl programming language. It implements a large subset of Tcl and adds new features like references with garbage collection, closures, built-in Object Oriented Programming system, Functional Programming commands, first-class arrays and -UTF-8 support. +UTF-8 support.} + +%description %{_description} + %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} -%description devel +%description devel %{_description} + The %{name}-devel package contains libraries and header files for developing applications that use %{name}. 
-%prep -%setup -q -%patch 0 +%prep +%autosetup rm -rf sqlite3 %build #configure is not able to locate the needed binaries, so specify it manualy -export CC=gcc -export LD=ld +# export CC=gcc +# export LD=ld export AR=ar export RANLIB=ranlib export STRIP=strip -%configure --full --shared --disable-option-checking -make %{?_smp_mflags} +# compile extensions that are disabled by default +# as modules +# see ./configure --extinfo for list +%configure --shared --disable-option-checking \ + --allextmod \ +%ifarch s390x # zlib test fails on s390x + --without-ext=zlib \ +%endif + --docdir=%{_datadir}/doc/%{name} +%make_build -%check -make test %install -%make_install -rm -rf %{buildroot}/%{_datadir}/doc/%{name} -rm -rf %{buildroot}/%{_libdir}/jim/tcltest.tcl -pushd %{buildroot}/%{_libdir}/ -ln -s libjim.so.* libjim.so -popd +%make_install INSTALL_DOCS=nodocs +rm %{buildroot}/%{_libdir}/jim/README.extensions + + +%if %{with tests} +%check +# remove tests that require network access +rm tests/ssl.test +make test +%endif -%ldconfig_scriptlets %files -%doc LICENSE AUTHORS README Tcl.html +%license LICENSE +%doc AUTHORS README README.* +%doc EastAsianWidth.txt +%doc %{_datadir}/doc/%{name}/Tcl.html +%{_bindir}/jimdb %{_bindir}/jimsh +%dir %{_libdir}/jim +%{_libdir}/jim/*.tcl +%{_libdir}/jim/*.so %{_libdir}/libjim.so.* + %files devel -%doc DEVELOPING README.extensions README.metakit README.namespaces README.oo README.utf-8 STYLE +%doc CONTRIBUTING.md STYLE %{_includedir}/* %{_bindir}/build-jim-ext %{_libdir}/libjim.so %{_libdir}/pkgconfig/jimtcl.pc %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 0.78-5 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). +* Mon May 12 2025 Archana Shettigar - 0.83-3 +- Initial Azure Linux import from Fedora 42 (license: MIT). 
+- License verified + +* Fri Jan 17 2025 Fedora Release Engineering - 0.83-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Fri Sep 20 2024 Michel Lind - 0.83-1 +- Update to version 0.83; Fixes: RHBZ#2309077 + +* Thu Jul 18 2024 Fedora Release Engineering - 0.82-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 0.82-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jan 20 2024 Fedora Release Engineering - 0.82-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 0.82-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Feb 28 2023 Michel Alexandre Salim - 0.82-2 +- Properly disable zlib extension on s390x +- move README files meant for programming with jimtcl to main package + +* Tue Feb 28 2023 Michel Alexandre Salim - 0.82-1 +- Update to 0.82 +- enable more extensions +- update license to use SPDX + +* Thu Jan 19 2023 Fedora Release Engineering - 0.81-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 0.81-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.81-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Jan 07 2022 Michel Alexandre Salim - 0.81-2 +- Disable zlib module on s390x (tests fail) + +* Fri Jan 07 2022 Michel Alexandre Salim - 0.81-1 +- Update to 0.81 +- Ship extensions that are disabled by default as modules +- Opt in to rpmautospec + +* Thu Jul 22 2021 Fedora Release Engineering - 0.78-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.78-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Aug 06 2020 Jeff Law - 0.78-6 +- Depend on g++ + +* Sat Aug 01 2020 
Fedora Release Engineering - 0.78-6 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 0.78-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Wed Jan 29 2020 Fedora Release Engineering - 0.78-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild @@ -153,4 +244,3 @@ popd * Sun May 05 2013 Markus Mayer - 0.73-1 - inital prm release - diff --git a/SPECS-EXTENDED/jose/jose.signatures.json b/SPECS-EXTENDED/jose/jose.signatures.json index 0350c785cd..5347c71478 100644 --- a/SPECS-EXTENDED/jose/jose.signatures.json +++ b/SPECS-EXTENDED/jose/jose.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "jose-10.tar.bz2": "5c9cdcfb535c4d9f781393d7530521c72b1dd81caa9934cab6dd752cc7efcd72" + "jose-14.tar.xz": "cee329ef9fce97c4c025604a8d237092f619aaa9f6d35fdf9d8c9052bc1ff95b" } } diff --git a/SPECS-EXTENDED/jose/jose.spec b/SPECS-EXTENDED/jose/jose.spec index 4ae82a1fd9..e4b87def81 100644 --- a/SPECS-EXTENDED/jose/jose.spec +++ b/SPECS-EXTENDED/jose/jose.spec @@ -1,19 +1,23 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Name: jose -Version: 10 -Release: 7%{?dist} +Version: 14 +Release: 3%{?dist} Summary: Tools for JSON Object Signing and Encryption (JOSE) -License: ASL 2.0 +License: Apache-2.0 URL: https://github.com/latchset/%{name} -Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz BuildRequires: gcc BuildRequires: pkgconfig BuildRequires: jansson-devel >= 2.10 BuildRequires: openssl-devel BuildRequires: zlib-devel +BuildRequires: git-core +BuildRequires: meson +BuildRequires: ninja-build +BuildRequires: asciidoc Requires: lib%{name}%{?_isa} = %{version}-%{release} %description 
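Review bot: With `--allextmod` every optional extension is built as a loadable module, and `%files` collects them through the `%{_libdir}/jim/*.so` glob, so the set of shipped modules is decided by what configure happens to find in the build root rather than by the spec. Listing the expected modules one per line in `%files` (the names come from `./configure --extinfo`) would turn an unexpected extra module, or one that silently drops out when `pkgconfig(openssl)` or `pkgconfig(zlib)` stops resolving, into a build failure instead of a change in package contents. Separately, `%check` removes `tests/ssl.test` before `make test`, so the code that test covers ships unexercised. A comment such as `# ssl.test needs network access; the ssl test is not run in this build` next to the `rm` would make that explicit.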
@@ -46,28 +50,26 @@ Obsoletes: lib%{name}-zlib-devel < %{version}-%{release} This package contains development files for lib%{name}. %prep -%setup -q +%autosetup -S git %build -%if 0%{?rhel} -%__sed -i 's|libcrypto >= 1\.0\.2|libcrypto >= 1\.0\.1|' configure -%endif -%configure --disable-openmp -make %{?_smp_mflags} +%meson +%meson_build %install rm -rf %{buildroot} -%make_install +%meson_install rm -rf %{buildroot}/%{_libdir}/lib%{name}.la %check -make %{?_smp_mflags} check +%meson_test %ldconfig_scriptlets -n lib%{name} %files %{_bindir}/%{name} %{_mandir}/man1/jose*.1* +%license COPYING %files -n lib%{name} %license COPYING 
@@ -81,8 +83,64 @@ make %{?_smp_mflags} check %{_mandir}/man3/jose*.3* %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 10-7 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). +* Mon May 12 2025 Archana Shettigar - 14-3 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified + +* Thu Jul 18 2024 Fedora Release Engineering - 14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu May 23 2024 Sergio Arroutbi - 14-1 +- Update to release 14 + +* Wed Apr 03 2024 Sergio Correia - 13-1 +- Update to release 13 + +* Fri Feb 02 2024 Sergio Arroutbi - 12-1 +- Update to release v12 + +* Tue Jan 30 2024 Tulio Magno Quites Machado Filho - 11-11 +- Fix test when using zlib-ng + +* Wed Jan 24 2024 Fedora Release Engineering - 11-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jan 20 2024 Fedora Release Engineering - 11-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 11-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 11-4 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Jul 22 2021 Fedora Release Engineering - 11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri May 07 2021 Sergio Correia - 11-2 +- Update sources file to v11. + +* Fri May 07 2021 Sergio Correia - 11-1 +- Update to new jose upstream release, v11. 
+ +* Tue Jan 26 2021 Fedora Release Engineering - 10-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Tom Stellard - 10-8 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Tue Jul 28 2020 Fedora Release Engineering - 10-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Wed Jan 29 2020 Fedora Release Engineering - 10-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.normal.config b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.normal.config index 41605efdf8..dd579f134b 100644 --- a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.normal.config +++ b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.normal.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.85.1 Kernel Configuration +# Linux/x86_64 6.6.89.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -289,8 +289,7 @@ CONFIG_KEXEC_SIG=y # CONFIG_KEXEC_SIG_FORCE is not set CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y CONFIG_CRASH_DUMP=y -CONFIG_CRASH_HOTPLUG=y -CONFIG_CRASH_MAX_MEMORY_RANGES=8192 +# CONFIG_CRASH_HOTPLUG is not set # end of Kexec and crash features # end of General setup @@ -511,11 +510,20 @@ CONFIG_CC_HAS_RETURN_THUNK=y CONFIG_CC_HAS_ENTRY_PADDING=y CONFIG_FUNCTION_PADDING_CFI=11 CONFIG_FUNCTION_PADDING_BYTES=16 +CONFIG_CALL_PADDING=y +CONFIG_HAVE_CALL_THUNKS=y +CONFIG_CALL_THUNKS=y +CONFIG_PREFIX_SYMBOLS=y CONFIG_CPU_MITIGATIONS=y CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_RETPOLINE=y +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CALL_DEPTH_TRACKING=y +# CONFIG_CALL_THUNKS_DEBUG is not set CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y # CONFIG_SLS is not set # CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_MITIGATION_RFDS=y 
@@ -729,6 +737,8 @@ CONFIG_HOTPLUG_CORE_SYNC_FULL=y CONFIG_HOTPLUG_SPLIT_STARTUP=y CONFIG_HOTPLUG_PARALLEL=y CONFIG_GENERIC_ENTRY=y +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y CONFIG_USER_RETURN_NOTIFIER=y @@ -762,6 +772,8 @@ CONFIG_HAVE_PERF_EVENTS_NMI=y CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y CONFIG_HAVE_PERF_REGS=y CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y CONFIG_MMU_GATHER_TABLE_FREE=y CONFIG_MMU_GATHER_RCU_TABLE_FREE=y CONFIG_MMU_GATHER_MERGE_VMAS=y @@ -815,6 +827,7 @@ CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y CONFIG_PAGE_SIZE_LESS_THAN_64KB=y CONFIG_PAGE_SIZE_LESS_THAN_256KB=y CONFIG_HAVE_OBJTOOL=y +CONFIG_HAVE_JUMP_LABEL_HACK=y CONFIG_HAVE_NOINSTR_HACK=y CONFIG_HAVE_NOINSTR_VALIDATION=y CONFIG_HAVE_UACCESS_VALIDATION=y @@ -1860,8 +1873,6 @@ CONFIG_ETHTOOL_NETLINK=y # # Device Drivers # -CONFIG_HAVE_EISA=y -# CONFIG_EISA is not set CONFIG_HAVE_PCI=y CONFIG_PCI=y CONFIG_PCI_DOMAINS=y @@ -2464,7 +2475,6 @@ CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y -CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING=y CONFIG_DM_VERITY_FEC=y # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set @@ -6157,7 +6167,8 @@ CONFIG_HYPERV_VSM=y CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=y CONFIG_HYPERV_BALLOON=y -# CONFIG_DXGKRNL is not set +# CONFIG_MSHV_ROOT is not set +# CONFIG_MSHV_DIAG is not set # end of Microsoft Hyper-V guest support # @@ -6362,6 +6373,7 @@ CONFIG_INTEL_IOMMU_PERF_EVENTS=y # CONFIG_IOMMUFD is not set CONFIG_IRQ_REMAP=y CONFIG_HYPERV_IOMMU=y +CONFIG_HYPERV_ROOT_PVIOMMU=y # CONFIG_VIRTIO_IOMMU is not set # 
@@ -7566,13 +7578,6 @@ CONFIG_CRYPTO_DRBG_HASH=y CONFIG_CRYPTO_DRBG_CTR=y CONFIG_CRYPTO_DRBG=y CONFIG_CRYPTO_JITTERENTROPY=y -CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_1024 is not set -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 -CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # end of Random number generation @@ -8051,6 +8056,7 @@ CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 CONFIG_LATENCYTOP=y CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_RETHOOK=y +CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y CONFIG_HAVE_SYSCALL_TRACEPOINTS=y CONFIG_HAVE_FENTRY=y CONFIG_HAVE_OBJTOOL_MCOUNT=y diff --git a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.secure.config b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.secure.config index cfbe106cde..54f4234bfa 100644 --- a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.secure.config +++ b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.secure.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.6.85.1 Kernel Configuration +# Linux/x86_64 6.6.89.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -408,12 +408,20 @@ CONFIG_CC_HAS_RETURN_THUNK=y CONFIG_CC_HAS_ENTRY_PADDING=y CONFIG_FUNCTION_PADDING_CFI=11 CONFIG_FUNCTION_PADDING_BYTES=16 +CONFIG_CALL_PADDING=y +CONFIG_HAVE_CALL_THUNKS=y +CONFIG_CALL_THUNKS=y +CONFIG_PREFIX_SYMBOLS=y CONFIG_CPU_MITIGATIONS=y # CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_RETPOLINE=y -# CONFIG_RETHUNK is not set +CONFIG_RETHUNK=y +CONFIG_CPU_UNRET_ENTRY=y +CONFIG_CALL_DEPTH_TRACKING=y +# CONFIG_CALL_THUNKS_DEBUG is not set CONFIG_CPU_IBPB_ENTRY=y CONFIG_CPU_IBRS_ENTRY=y +CONFIG_CPU_SRSO=y # CONFIG_SLS is not set # CONFIG_GDS_FORCE_MITIGATION is not set CONFIG_MITIGATION_RFDS=y 
@@ -520,7 +528,8 @@ CONFIG_HOTPLUG_SPLIT_STARTUP=y CONFIG_HOTPLUG_PARALLEL=y CONFIG_GENERIC_ENTRY=y # CONFIG_KPROBES is not set -# CONFIG_JUMP_LABEL is not set +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set # CONFIG_STATIC_CALL_SELFTEST is not set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y CONFIG_ARCH_USE_BUILTIN_BSWAP=y @@ -806,8 +815,6 @@ CONFIG_LOCK_MM_AND_FIND_VMA=y # # Device Drivers # -CONFIG_HAVE_EISA=y -# CONFIG_EISA is not set CONFIG_HAVE_PCI=y # CONFIG_PCI is not set # CONFIG_PCCARD is not set @@ -1145,7 +1152,8 @@ CONFIG_HV_SECURE_VTL=y # CONFIG_HYPERV_VSM is not set CONFIG_HYPERV_TIMER=y # CONFIG_HYPERV_BALLOON is not set -# CONFIG_DXGKRNL is not set +# CONFIG_MSHV_ROOT is not set +# CONFIG_MSHV_DIAG is not set # end of Microsoft Hyper-V guest support # @@ -1658,13 +1666,6 @@ CONFIG_CRYPTO_DRBG_HMAC=y # CONFIG_CRYPTO_DRBG_CTR is not set CONFIG_CRYPTO_DRBG=y CONFIG_CRYPTO_JITTERENTROPY=y -CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_2=y -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_128 is not set -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_1024 is not set -# CONFIG_CRYPTO_JITTERENTROPY_MEMSIZE_8192 is not set -CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS=64 -CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE=32 -CONFIG_CRYPTO_JITTERENTROPY_OSR=3 # CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set # end of Random number generation diff --git a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.signatures.json b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.signatures.json index 8c9e7e2b79..7d28c87d02 100644 --- a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.signatures.json +++ b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.signatures.json 
@@ -3,9 +3,9 @@ "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", - "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-lpg-innovate-6.6.85.1.tar.gz": "aeb96805bda3f87246a3e2a29641b79a64c55ecd80761e2e17832fffb95823cd", - "kernel-lpg-innovate.normal.config": "fd17d1b88a0d75416b76db0fd02a2d15e002e544ae996d52085e65a34789e53e", - "kernel-lpg-innovate.secure.config": "07b6cc37bd78031ff2962beecda23ae38e624be49220f4434661757ef63d42f1" + "kernel-lpg-innovate-6.6.89.2.tar.gz": "1e990a0a25d3c7a2aa45f92e713257eb72afb5c10e5a1fdb0953f5bdac8524ac", + "kernel-lpg-innovate.normal.config": "2e38b5509d2645117ba30eb79d71dc88c6f1734d1499ef9cd9f92a57c5bf4ad1", + "kernel-lpg-innovate.secure.config": "6fb187a273f4da472af7b76cca55772713688b4fe18b0df7f2e63e9a3af5e882", + "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } diff --git a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.spec b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.spec index bd712ec534..5ccc910321 100644 --- a/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.spec +++ b/SPECS-EXTENDED/kernel-lpg-innovate/kernel-lpg-innovate.spec @@ -28,8 +28,8 @@ Summary: Linux Kernel Name: kernel-lpg-innovate -Version: 6.6.85.1 -Release: 1001%{?dist} +Version: 6.6.89.2 +Release: 1002%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -76,6 +76,10 @@ Requires: kmod Requires: %{name}-grub Requires(post): coreutils Requires(postun): coreutils +Conflicts: kernel +Conflicts: kernel-64k +Conflicts: kernel-ipe +Conflicts: kernel-rt %{?grub2_configuration_requires} # When updating the config files it is important to sanitize them. # Steps for updating a config file: 
@@ -168,6 +172,8 @@ This package contains a grub config file to add required LPG-Innovate parameters %package -n python3-perf-%{short_name} Summary: Python 3 extension for perf tools +Provides: python3-perf +Requires: %{name} = %{version}-%{release} Requires: python3 %description -n python3-perf-%{short_name} @@ -175,6 +181,8 @@ This package contains the Python 3 extension for the 'perf' performance analysis %package -n bpftool-%{short_name} Summary: Inspection and simple manipulation of eBPF programs and maps +Provides: bpftool +Requires: %{name} = %{version}-%{release} %description -n bpftool-%{short_name} This package contains the bpftool, which allows inspection and simple @@ -461,6 +469,13 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed 11 Jun 2025 Harshit Gupta - 6.6.89.2-1002 +- Add Conflicts with other kernels +- Rename bpftool and python3-perf to be kernel specific + +* Mon May 19 2025 Dan Streetman - 6.6.89.2-1001 +- update to 6.6.89.2 + * Thu Apr 17 2025 Dan Streetman - 6.6.85.1-1001 - update to 6.6.85.1 diff --git a/SPECS-EXTENDED/libappstream-glib/libappstream-glib.signatures.json b/SPECS-EXTENDED/libappstream-glib/libappstream-glib.signatures.json index bb3dd91b06..b3cb36dec2 100644 --- a/SPECS-EXTENDED/libappstream-glib/libappstream-glib.signatures.json +++ b/SPECS-EXTENDED/libappstream-glib/libappstream-glib.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "appstream-glib-0.8.2.tar.xz": "71256500add5048d6f08878904708b3d0c3875f402e0adcd358e91d47dcd8b96" - } + "Signatures": { + "appstream-glib-0.8.3.tar.xz": "84754064c560fca6e1ab151dc64354fc235a5798f016b91b38c9617253a8cf11" + } } diff --git a/SPECS-EXTENDED/libappstream-glib/libappstream-glib.spec b/SPECS-EXTENDED/libappstream-glib/libappstream-glib.spec index 851aeea050..bed1cf75de 100644 --- a/SPECS-EXTENDED/libappstream-glib/libappstream-glib.spec +++ b/SPECS-EXTENDED/libappstream-glib/libappstream-glib.spec 
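Review bot: `Provides: bpftool` and `Provides: python3-perf` (this hunk and the next) are unversioned, so a package that requires a minimum version of either name is not satisfied by these subpackages. I would write `Provides: bpftool = %{version}-%{release}` and `Provides: python3-perf = %{version}-%{release}`. The renamed subpackages still install stock paths such as `%{_sysconfdir}/bash_completion.d/bpftool`, visible in the `%files` context of the last hunk, so installing them next to the distribution's own `bpftool` would presumably end in a file conflict at transaction time unless a `Conflicts:` on the stock package is added. The `%changelog` entry added at the end of the file is dated `Wed 11 Jun 2025`; rpm expects weekday, month, day, year, i.e. `* Wed Jun 11 2025`, and rpmbuild normally rejects the other order as a bad date.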
@@ -2,15 +2,15 @@ %global json_glib_version 1.1.2 %global gdk_pixbuf_version 2.31.5 -Summary: Library for AppStream metadata -Name: libappstream-glib -Version: 0.8.2 -Release: 4%{?dist} -License: LGPL-2.0-or-later -Vendor: Microsoft Corporation -Distribution: Azure Linux -URL: http://people.freedesktop.org/~hughsient/appstream-glib/ -Source0: http://people.freedesktop.org/~hughsient/appstream-glib/releases/appstream-glib-%{version}.tar.xz +Summary: Library for AppStream metadata +Name: libappstream-glib +Version: 0.8.3 +Release: 1%{?dist} +License: LGPL-2.0-or-later +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://people.freedesktop.org/~hughsient/appstream-glib/ +Source0: https://people.freedesktop.org/~hughsient/appstream-glib/releases/appstream-glib-%{version}.tar.xz BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: docbook-utils @@ -76,12 +76,11 @@ This library and command line tool is used for building AppStream metadata from a directory of packages. %prep -%autosetup -p1 -Sgit -n appstream-glib-%{version} +%autosetup -p1 -n appstream-glib-%{version} %build %meson \ -Dgtk-doc=false \ - -Dstemmer=true \ -Ddep11=false %meson_build @@ -130,6 +129,10 @@ from a directory of packages. %{_mandir}/man1/appstream-builder.1.gz %changelog +* Fri Mar 21 2025 Jyoti kanase - 0.8.3-1 +- Upgrade to 0.8.3 +- License Verified. + * Tue Feb 14 2023 Muhammad Falak - 0.8.2-4 - Drop docs generation to fix build diff --git a/SPECS-EXTENDED/libetonyek/0001-glm-force-dmat3-initialization-needed-from-v0.9.9.0.patch b/SPECS-EXTENDED/libetonyek/0001-glm-force-dmat3-initialization-needed-from-v0.9.9.0.patch deleted file mode 100644 index 1add51828c..0000000000 --- a/SPECS-EXTENDED/libetonyek/0001-glm-force-dmat3-initialization-needed-from-v0.9.9.0.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 548c2735c09570726f08d5ae9fee8efefb54d529 Mon Sep 17 00:00:00 2001 -From: osnola -Date: Sun, 31 Mar 2019 09:34:11 +0200 -Subject: [PATCH] glm: force dmat3 initialization (needed from v0.9.9.0) - -Change-Id: I2cb285f2d9bc1e9818ed946b38caaf8a5de9e61a -Reviewed-on: https://gerrit.libreoffice.org/69993 -Reviewed-by: Laurent Alonso(fr) -Tested-by: Laurent Alonso(fr) ---- - src/lib/IWORKCollector.cpp | 6 +++--- - src/lib/KEYCollector.cpp | 3 +-- - 2 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/src/lib/IWORKCollector.cpp b/src/lib/IWORKCollector.cpp -index 41a9c79..794b462 100644 ---- a/src/lib/IWORKCollector.cpp -+++ b/src/lib/IWORKCollector.cpp -@@ -183,8 +183,8 @@ private: - IWORKCollector::Level::Level() - : m_geometry() - , m_graphicStyle() -- , m_trafo() -- , m_previousTrafo() -+ , m_trafo(1) -+ , m_previousTrafo(1) - { - } - -@@ -601,7 +601,7 @@ void IWORKCollector::startLevel() - return; - } - -- glm::dmat3 currentTrafo, prevTrafo; -+ glm::dmat3 currentTrafo(1), prevTrafo(1); - if (!m_levelStack.empty()) - { - currentTrafo = m_levelStack.top().m_trafo; -diff --git a/src/lib/KEYCollector.cpp b/src/lib/KEYCollector.cpp -index a9d8cc3..08e7e69 100644 ---- a/src/lib/KEYCollector.cpp -+++ b/src/lib/KEYCollector.cpp -@@ -167,7 +167,7 @@ void KEYCollector::insertTextPlaceholder(const KEYPlaceholderPtr_t &placeholder) - { - if (bool(placeholder)) - { -- glm::dmat3 trafo; -+ glm::dmat3 trafo(1); - if (bool(placeholder->m_geometry)) - trafo = makeTransformation(*placeholder->m_geometry); - trafo *= m_levelStack.top().m_trafo; -@@ -417,7 +417,6 @@ void KEYCollector::drawTextBox(const IWORKTextPtr_t &text, const glm::dmat3 &tra - double w = boundingBox->m_naturalSize.m_width; - double h = boundingBox->m_naturalSize.m_height; - vec = trafo * glm::dvec3(w, h, 0); -- - if (vec[0]>0) - props.insert("svg:width", pt2in(vec[0])); - if (vec[1]>0) --- -2.24.1 - 
diff --git a/SPECS-EXTENDED/libetonyek/libetonyek.signatures.json b/SPECS-EXTENDED/libetonyek/libetonyek.signatures.json index 9d92bf56a7..c56f0102b5 100644 --- a/SPECS-EXTENDED/libetonyek/libetonyek.signatures.json +++ b/SPECS-EXTENDED/libetonyek/libetonyek.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libetonyek-0.1.9.tar.xz": "e61677e8799ce6e55b25afc11aa5339113f6a49cff031f336e32fa58635b1a4a" + "libetonyek-0.1.12.tar.xz": "b9fa82fbeb8cb7a701101060e4f3e1e4ef7c38f574b2859d3ecbe43604c21f83" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/libetonyek/libetonyek.spec b/SPECS-EXTENDED/libetonyek/libetonyek.spec index 9c9bf3a897..24573356e9 100644 --- a/SPECS-EXTENDED/libetonyek/libetonyek.spec +++ b/SPECS-EXTENDED/libetonyek/libetonyek.spec @@ -3,13 +3,13 @@ Distribution: Azure Linux %global apiversion 0.1 Name: libetonyek -Version: 0.1.9 -Release: 7%{?dist} +Version: 0.1.12 +Release: 2%{?dist} Summary: A library for import of Apple iWork documents -License: MPLv2.0 +License: MPL-2.0 URL: http://wiki.documentfoundation.org/DLP/Libraries/libetonyek -Source: http://dev-www.libreoffice.org/src/%{name}/%{name}-%{version}.tar.xz +Source: https://dev-www.libreoffice.org/src/%{name}/%{name}-%{version}.tar.xz BuildRequires: boost-devel BuildRequires: doxygen @@ -17,17 +17,16 @@ BuildRequires: gcc-c++ BuildRequires: glm-devel BuildRequires: gperf BuildRequires: help2man +BuildRequires: make BuildRequires: pkgconfig(cppunit) BuildRequires: pkgconfig(liblangtag) BuildRequires: pkgconfig(librevenge-0.0) BuildRequires: pkgconfig(librevenge-generators-0.0) BuildRequires: pkgconfig(librevenge-stream-0.0) BuildRequires: pkgconfig(libxml-2.0) -BuildRequires: pkgconfig(mdds-1.5) +BuildRequires: pkgconfig(mdds-2.1) BuildRequires: pkgconfig(zlib) -Patch1: 0001-glm-force-dmat3-initialization-needed-from-v0.9.9.0.patch - %description %{name} is library for import of Apple iWork documents. It supports documents created by any version of Keynote, Pages or Numbers. 
@@ -59,15 +58,15 @@ supported: CSV, HTML, SVG, text, and raw. %autosetup -p1 %build -%configure --disable-silent-rules --disable-static --disable-werror --with-mdds=1.5 +%configure --disable-silent-rules --disable-static --disable-werror --with-mdds=2.1 sed -i \ -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \ -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' \ libtool -make %{?_smp_mflags} +%make_build %install -make install DESTDIR=%{buildroot} +%make_install rm -f %{buildroot}/%{_libdir}/*.la # we install API docs directly from build rm -rf %{buildroot}/%{_docdir}/%{name} @@ -84,13 +83,13 @@ install -m 0644 key2*.1 numbers2*.1 pages2*.1 %{buildroot}/%{_mandir}/man1 %check export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} -if ! make %{?_smp_mflags} check; then +if ! %make_build check; then cat src/test/*.log exit 1 fi %files -%doc AUTHORS FEATURES NEWS README +%doc AUTHORS FEATURES.md NEWS README.md %license COPYING %{_libdir}/%{name}-%{apiversion}.so.* 
@@ -125,8 +124,67 @@ fi %{_mandir}/man1/pages2text.1* %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 0.1.9-7 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). +* Wed May 07 2025 Aninda Pradhan - 0.1.12-2 +- Initial Azure Linux import from Fedora 41 (license: MIT) +- License Verified + +* Sun Dec 22 2024 David Tardon - 0.1.12-1 +- Update to 0.1.12 + +* Sun Dec 22 2024 David Tardon - 0.1.10-1 +- Revert "Update to latest git snapshot" + +* Thu Jul 18 2024 Fedora Release Engineering - 0.1.11~20230802.git9c3a8cb-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 0.1.11~20230802.git9c3a8cb-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 0.1.11~20230802.git9c3a8cb-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Aug 24 2023 Mattia Verga - 0.1.11~20230802.git9c3a8cb-3 +- Change mdds req also in configure parameters + +* Thu Aug 24 2023 Mattia Verga - 0.1.11~20230802.git9c3a8cb-2 +- Fix mdds version requirement + +* Thu Aug 24 2023 Mattia Verga - 0.1.11~20230802.git9c3a8cb-1 +- Update to latest git snapshot + +* Thu Jul 20 2023 Fedora Release Engineering - 0.1.10-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 0.1.10-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Nov 21 2022 David Tardon - 0.1.10-5 +- Convert license to SPDX + +* Thu Jul 21 2022 Fedora Release Engineering - 0.1.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.1.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 0.1.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue May 18 2021 David Tardon - 0.1.10-1 +- new upstream release + +* Tue Jan 26 
2021 Fedora Release Engineering - 0.1.9-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 0.1.9-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 0.1.9-8 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Thu Jun 04 2020 David Tardon - 0.1.9-7 +- fix build with latest boost * Thu Feb 06 2020 Caolán McNamara - 0.1.9-6 - add fix for contemporary glm @@ -265,3 +323,4 @@ fi * Wed Oct 30 2013 David Tardon 0.0.0-1 - initial import + diff --git a/SPECS-EXTENDED/libproxy/libproxy-0.4.17-fix-python-version-check.patch b/SPECS-EXTENDED/libproxy/libproxy-0.4.17-fix-python-version-check.patch deleted file mode 100644 index e4affb0ed0..0000000000 --- a/SPECS-EXTENDED/libproxy/libproxy-0.4.17-fix-python-version-check.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 04eeeabb42436cb58e9bac2f6c31c0fb87905a72 Mon Sep 17 00:00:00 2001 -From: David King -Date: Mon, 21 Jun 2021 17:10:43 +0100 -Subject: [PATCH] python: Support Python 3.10 and above -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As suggested by Miro Hrončok, change the way that the Python interpreter -version is found. Additionally, update the static list of accepted -Python 3 versions. - -https://bugzilla.redhat.com/show_bug.cgi?id=1898060 ---- - bindings/python/python2/CMakeLists.txt | 2 +- - bindings/python/python3/CMakeLists.txt | 2 +- - cmake/FindPython3Interp.cmake | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/bindings/python/python2/CMakeLists.txt b/bindings/python/python2/CMakeLists.txt -index 00df551..f4d2b91 100644 ---- a/bindings/python/python2/CMakeLists.txt -+++ b/bindings/python/python2/CMakeLists.txt -@@ -6,7 +6,7 @@ if(PYTHON2INTERP_FOUND) - if(NOT PYTHON2_SITEPKG_DIR) - execute_process(COMMAND - ${PYTHON2_EXECUTABLE} -- -c "import sys; print (sys.version[0:3])" -+ -c "import sys; print('{}.{}'.format(*sys.version_info[0:2]))" - OUTPUT_VARIABLE PYTHON2_VERSION - OUTPUT_STRIP_TRAILING_WHITESPACE) - -diff --git a/bindings/python/python3/CMakeLists.txt b/bindings/python/python3/CMakeLists.txt -index bf87dfc..fc3b24b 100644 ---- a/bindings/python/python3/CMakeLists.txt -+++ b/bindings/python/python3/CMakeLists.txt -@@ -6,7 +6,7 @@ if(PYTHON3INTERP_FOUND) - if(NOT PYTHON3_SITEPKG_DIR) - execute_process(COMMAND - ${PYTHON3_EXECUTABLE} -- -c "import sys; print (sys.version[0:3])" -+ -c "import sys; print('{}.{}'.format(*sys.version_info[0:2]))" - OUTPUT_VARIABLE PYTHON3_VERSION - OUTPUT_STRIP_TRAILING_WHITESPACE) - -diff --git a/cmake/FindPython3Interp.cmake b/cmake/FindPython3Interp.cmake -index 74398b2..5b25e5a 100644 ---- a/cmake/FindPython3Interp.cmake -+++ b/cmake/FindPython3Interp.cmake -@@ -39,7 +39,7 @@ - - unset(_Python3_NAMES) - 
--set(_Python3_VERSIONS 3.9 3.8 3.7 3.6 3.5 3.4 3.3 3.2 3.1 3.0) -+set(_Python3_VERSIONS 3.10 3.9 3.8 3.7 3.6 3.5 3.4 3.3 3.2 3.1 3.0) - - if(Python3Interp_FIND_VERSION) - if(Python3Interp_FIND_VERSION_COUNT GREATER 1) --- -2.31.1 - diff --git a/SPECS-EXTENDED/libproxy/libproxy.signatures.json b/SPECS-EXTENDED/libproxy/libproxy.signatures.json index 0a139fd71a..2e2fa33a80 100644 --- a/SPECS-EXTENDED/libproxy/libproxy.signatures.json +++ b/SPECS-EXTENDED/libproxy/libproxy.signatures.json @@ -1,6 +1,5 @@ { "Signatures": { - "libproxy-0.4.17.tar.gz": "88c624711412665515e2800a7e564aabb5b3ee781b9820eca9168035b0de60a9", - "proxy.1": "e53e8d6872d707b8a50994976c7e2502d3a104d677db57210592afd459047497" + "libproxy-0.5.8.tar.gz": "64e363855012175bf796b37cacddf7bc7e08af0bf406eea94b549ce207987d3e" } } diff --git a/SPECS-EXTENDED/libproxy/libproxy.spec b/SPECS-EXTENDED/libproxy/libproxy.spec index c8384601f6..3fda1c8b6f 100644 --- a/SPECS-EXTENDED/libproxy/libproxy.spec +++ b/SPECS-EXTENDED/libproxy/libproxy.spec 
@@ -1,203 +1,111 @@ Vendor: Microsoft Corporation Distribution: Azure Linux -%global bootstrap 1 - +%global _privatelibs libpxbackend-1.0[.]so.* +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ + Name: libproxy -Version: 0.4.17 -Release: 5%{?dist} +Version: 0.5.8 +Release: 1%{?dist} Summary: A library handling all the details of proxy configuration - -License: LGPLv2+ + +License: LGPL-2.1-or-later URL: https://libproxy.github.io/libproxy/ Source0: https://github.com/libproxy/%{name}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Taken from the Debian package. -Source1: proxy.1 -# https://bugzilla.redhat.com/show_bug.cgi?id=1898060 -Patch0: libproxy-0.4.17-fix-python-version-check.patch - -BuildRequires: cmake >= 2.6.0 -BuildRequires: gcc-c++ -BuildRequires: pkgconfig(gio-2.0) >= 2.26 + +BuildRequires: gcc +BuildRequires: meson +#BuildRequires: /usr/bin/gi-docgen +BuildRequires: /usr/bin/vapigen + +BuildRequires: pkgconfig(duktape) +BuildRequires: pkgconfig(gio-2.0) >= 2.71.3 +BuildRequires: pkgconfig(gobject-introspection-1.0) +BuildRequires: pkgconfig(libcurl) BuildRequires: python3-devel - -%if ! 0%{?bootstrap} -# NetworkManager -BuildRequires: pkgconfig(libnm) -# pacrunner (and NetworkManager) -BuildRequires: pkgconfig(dbus-1) -# webkit (gtk3) -BuildRequires: pkgconfig(javascriptcoregtk-4.0) -# Python -%else -# Obsoletes of disabled subpackages. 
-Provides: %{name}-mozjs = %{version}-%{release} -Obsoletes: %{name}-mozjs < %{version}-%{release} -Provides: %{name}-webkitgtk4 = %{version}-%{release} -Obsoletes: %{name}-webkitgtk4 < %{version}-%{release} -%endif - - +# For config-gnome +BuildRequires: pkgconfig(gsettings-desktop-schemas) + + %description libproxy offers the following features: - - * extremely small core footprint (< 35K) - * no external dependencies within libproxy core - (libproxy plugins may have dependencies) - * only 3 functions in the stable external API + + * extremely small core footprint + * minimal dependencies within libproxy core + * only 4 functions in the stable-ish external API * dynamic adjustment to changing network topology * a standard way of dealing with proxy settings across all scenarios * a sublime sense of joy and accomplishment - - + + %package bin Summary: Binary to test %{name} Requires: %{name}%{?_isa} = %{version}-%{release} - + %description bin The %{name}-bin package contains the proxy binary for %{name} - -%package -n python3-%{name} -Summary: Binding for %{name} and python3 -Requires: %{name} = %{version}-%{release} -BuildArch: noarch -%{?python_provide:%python_provide python3-%{name}} - -%description -n python3-%{name} -The python3 binding for %{name} - -%package gnome -Summary: Plugin for %{name} and gnome -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description gnome -The %{name}-gnome package contains the %{name} plugin for gnome. - -%package kde -Summary: Plugin for %{name} and kde -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: /usr/bin/kreadconfig5 - -%description kde -The %{name}-kde package contains the %{name} plugin for kde. - -%if ! 0%{?bootstrap} -%package networkmanager -Summary: Plugin for %{name} and networkmanager -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description networkmanager -The %{name}-networkmanager package contains the %{name} plugin -for networkmanager. 
- -%package webkitgtk4 -Summary: Plugin for %{name} and webkitgtk3 -Requires: %{name}%{?_isa} = %{version}-%{release} -Provides: %{name}-pac = %{version}-%{release} -Obsoletes: %{name}-mozjs <= %{version}-%{release} - -%description webkitgtk4 -The %{name}-webkitgtk4 package contains the %{name} plugin for -webkitgtk3. - -%package pacrunner -Summary: Plugin for %{name} and PacRunner -Requires: %{name}%{?_isa} = %{version}-%{release} -Provides: %{name}-pac = %{version}-%{release} -Requires: pacrunner - -%description pacrunner -The %{name}-pacrunner package contains the %{name} plugin for -PacRunner. -%endif - + %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} - + %description devel The %{name}-devel package contains libraries and header files for developing applications that use %{name}. - + %prep %autosetup -p1 - - + + %build -export CXXFLAGS="$CXXFLAGS -std=c++14" -%{cmake} \ - -DMODULE_INSTALL_DIR=%{_libdir}/%{name}/%{version}/modules \ - -DBIPR=OFF \ - -DWITH_KDE=ON \ - -DWITH_MOZJS=OFF \ - -DWITH_PERL=OFF \ - -DWITH_PYTHON2=OFF \ - -DWITH_PYTHON3=ON \ -%if ! 0%{?bootstrap} - -DWITH_GNOME3=ON \ - -DWITH_WEBKIT3=ON \ -%endif - . -%cmake_build - - +%meson \ + -Ddocs=false \ + -Dconfig-gnome=false \ + -Dconfig-kde=true \ + -Dconfig-osx=false \ + -Dconfig-windows=false \ + -Dintrospection=true \ + -Dtests=true \ + -Dvapi=true +%meson_build + %install -%cmake_install - -#In case all modules are disabled -mkdir -p %{buildroot}%{_libdir}/%{name}/%{version}/modules - -# Man page. 
-install -Dpm 0644 %{SOURCE1} %{buildroot}/%{_mandir}/man1/proxy.1 - - +%meson_install + %check -%ctest - +%meson_test %ldconfig_scriptlets %files -%doc AUTHORS README +%doc README.md %license COPYING -%{_libdir}/*.so.* -%dir %{_libdir}/%{name} -%dir %{_libdir}/%{name}/%{version} -%dir %{_libdir}/%{name}/%{version}/modules - +%dir %{_libdir}/girepository-1.0 +%{_libdir}/girepository-1.0/Libproxy-1.0.typelib +%{_libdir}/libproxy.so.* +%dir %{_libdir}/libproxy +%{_libdir}/libproxy/libpxbackend-1.0.so + %files bin %{_bindir}/proxy -%{_mandir}/man1/proxy.1* - -%files -n python3-%{name} -%{python3_sitelib}/__pycache__/* -%{python3_sitelib}/%{name}.* - -%files gnome -%{_libdir}/%{name}/%{version}/modules/config_gnome3.so -%{_libexecdir}/pxgsettings - -%files kde -%{_libdir}/%{name}/%{version}/modules/config_kde.so - -%if ! 0%{?bootstrap} -%files networkmanager -%{_libdir}/%{name}/%{version}/modules/network_networkmanager.so - -%files webkitgtk4 -%{_libdir}/%{name}/%{version}/modules/pacrunner_webkit.so - -%files pacrunner -%{_libdir}/%{name}/%{version}/modules/config_pacrunner.so -%endif - +%{_mandir}/man8/proxy.8* + %files devel -%{_includedir}/proxy.h -%{_libdir}/*.so +#%{_docdir}/libproxy-1.0/ +%{_includedir}/libproxy/ +%{_libdir}/libproxy.so %{_libdir}/pkgconfig/libproxy-1.0.pc -%{_datadir}/cmake/Modules/Findlibproxy.cmake +%dir %{_datadir}/gir-1.0 +%{_datadir}/gir-1.0/Libproxy-1.0.gir +%dir %{_datadir}/vala/vapi/ +%{_datadir}/vala/vapi/libproxy-1.0.deps +%{_datadir}/vala/vapi/libproxy-1.0.vapi %changelog +* Tue Nov 12 2024 Sumit Jena - 0.5.8-1 +- Update to version 0.5.8 + * Wed Mar 02 2022 Pawel Winogrodzki - 0.4.17-5 - Initial CBL-Mariner import from Fedora 36 (license: MIT). - Enabling 'gnome' and 'kde' subpackages. diff --git a/SPECS-EXTENDED/libsrtp/libsrtp-2.3.0-shared-fix.patch b/SPECS-EXTENDED/libsrtp/libsrtp-2.3.0-shared-fix.patch deleted file mode 100644 index 4ad0d34c02..0000000000 --- a/SPECS-EXTENDED/libsrtp/libsrtp-2.3.0-shared-fix.patch +++ /dev/null 
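Review bot: The rewritten spec drops the `python3-%{name}`, `gnome` and `kde` subpackages without obsoleting them. Each was pinned to the exact libproxy version-release, so a system with any of the 0.4.17 subpackages installed cannot move to 0.5.8 until they are removed by hand. Adding `Obsoletes: python3-%{name} < 0.5.8-1`, `Obsoletes: %{name}-gnome < 0.5.8-1` and `Obsoletes: %{name}-kde < 0.5.8-1` to the main package gives the upgrade a clean path. Separately, `BuildRequires: pkgconfig(gsettings-desktop-schemas)` is commented as being for config-gnome while `%meson` passes `-Dconfig-gnome=false`, so one of the two looks left over.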
@@ -1,36 +0,0 @@ -diff -up libsrtp-2.3.0/Makefile.in.sharedfix libsrtp-2.3.0/Makefile.in ---- libsrtp-2.3.0/Makefile.in.sharedfix 2020-01-07 09:48:36.004217062 -0500 -+++ libsrtp-2.3.0/Makefile.in 2020-01-07 09:53:08.117725096 -0500 -@@ -106,12 +106,14 @@ bindir = @bindir@ - pkgconfigdir = $(libdir)/pkgconfig - pkgconfig_DATA = libsrtp2.pc - --SHAREDLIBVERSION = 1 -+SHAREDLIBMINIVER = 1 -+SHAREDLIBVERSION = $(SHAREDLIBMINIVER).0.0 - ifneq (,$(or $(findstring linux,@host@), $(findstring gnu,@host@))) - SHAREDLIB_DIR = $(libdir) --SHAREDLIB_LDFLAGS = -shared -Wl,-soname,$@ - SHAREDLIBSUFFIXNOVER = so -+SHAREDLIBMINISUFFIX = $(SHAREDLIBSUFFIXNOVER).$(SHAREDLIBMINIVER) - SHAREDLIBSUFFIX = $(SHAREDLIBSUFFIXNOVER).$(SHAREDLIBVERSION) -+SHAREDLIB_LDFLAGS = -shared -Wl,-soname,libsrtp2.$(SHAREDLIBMINISUFFIX) - else ifneq (,$(or $(findstring cygwin,@host@), $(findstring mingw,@host@))) - SHAREDLIB_DIR = $(bindir) - SHAREDLIB_LDFLAGS = -shared -Wl,--out-implib,libsrtp2.dll.a -@@ -166,6 +168,7 @@ libsrtp2.$(SHAREDLIBSUFFIX): $(srtpobj) - $(CC) -shared -o $@ $(SHAREDLIB_LDFLAGS) \ - $^ $(LDFLAGS) $(LIBS) - if [ -n "$(SHAREDLIBVERSION)" ]; then \ -+ ln -sfn $@ libsrtp2.$(SHAREDLIBMINISUFFIX); \ - ln -sfn $@ libsrtp2.$(SHAREDLIBSUFFIXNOVER); \ - fi - -@@ -288,6 +291,7 @@ install: - cp libsrtp2.$(SHAREDLIBSUFFIXNOVER) $(DESTDIR)$(SHAREDLIB_DIR)/; \ - if [ -n "$(SHAREDLIBVERSION)" ]; then \ - ln -sfn libsrtp2.$(SHAREDLIBSUFFIX) $(DESTDIR)$(SHAREDLIB_DIR)/libsrtp2.$(SHAREDLIBSUFFIXNOVER); \ -+ ln -sfn libsrtp2.$(SHAREDLIBSUFFIX) $(DESTDIR)$(SHAREDLIB_DIR)/libsrtp2.$(SHAREDLIBMINISUFFIX); \ - fi; \ - fi - $(INSTALL) -d $(DESTDIR)$(pkgconfigdir) diff --git a/SPECS-EXTENDED/libsrtp/libsrtp.signatures.json b/SPECS-EXTENDED/libsrtp/libsrtp.signatures.json index 8ec0026fb2..1c64c93699 100644 --- a/SPECS-EXTENDED/libsrtp/libsrtp.signatures.json +++ b/SPECS-EXTENDED/libsrtp/libsrtp.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "libsrtp-2.3.0.tar.gz": "94093a5d04c5f4743e8d81182b76938374df6d393b45322f24960d250b0110e8" + "libsrtp-2.6.0.tar.gz": "bf641aa654861be10570bfc137d1441283822418e9757dc71ebb69a6cf84ea6b" } } diff --git a/SPECS-EXTENDED/libsrtp/libsrtp.spec b/SPECS-EXTENDED/libsrtp/libsrtp.spec index 3e8350c8d1..ec62814702 100644 --- a/SPECS-EXTENDED/libsrtp/libsrtp.spec +++ b/SPECS-EXTENDED/libsrtp/libsrtp.spec @@ -1,17 +1,20 @@ Vendor: Microsoft Corporation Distribution: Azure Linux -%global shortname srtp - Name: libsrtp -Version: 2.3.0 -Release: 3%{?dist} +Version: 2.6.0 +Release: 1%{?dist} Summary: An implementation of the Secure Real-time Transport Protocol (SRTP) -License: BSD +License: BSD-3-Clause URL: https://github.com/cisco/libsrtp Source0: https://github.com/cisco/libsrtp/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -BuildRequires: gcc, nss-devel, libpcap-devel -# Fix shared lib so ldconfig doesn't complain -Patch0: libsrtp-2.3.0-shared-fix.patch +BuildRequires: gcc +BuildRequires: doxygen +BuildRequires: meson +BuildRequires: procps-ng +BuildRequires: pkgconfig(openssl) +BuildRequires: pkgconfig(libpcap) +Provides: libsrtp-tools = %{version}-%{release} +Obsoletes: libsrtp-tools < 2.6.0-1 %description This package provides an implementation of the Secure Real-time @@ -21,7 +24,6 @@ a supporting cryptographic kernel. %package devel Summary: Development files for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: pkgconfig %description devel The %{name}-devel package contains libraries and header files for 
@@ -29,36 +31,29 @@ developing applications that use %{name}. %prep %setup -q -n %{name}-%{version} -%patch 0 -p1 -b .sharedfix - -%if 0%{?rhel} > 0 -%ifarch ppc64 -sed -i 's/-z noexecstack//' Makefile.in -%endif -%endif %build -export CFLAGS="%{optflags} -fPIC" -%configure --enable-nss -make %{?_smp_mflags} shared_library - +%meson -Dcrypto-library=openssl -Dcrypto-library-kdf=disabled +%meson_build %install -make install DESTDIR=%{buildroot} -find %{buildroot} -name '*.la' -exec rm -f {} ';' - -%ldconfig_scriptlets - +%meson_install +%check +%meson_test %files %license LICENSE %doc CHANGES README.md %{_libdir}/*.so.* %files devel -%{_includedir}/%{shortname}2/ +%{_includedir}/srtp2/ %{_libdir}/pkgconfig/libsrtp2.pc %{_libdir}/*.so %changelog +* Tue Nov 12 2024 Sumit Jena - 2.6.0-1 +- Update to version 2.6.0 +- License verified. + * Fri Oct 15 2021 Pawel Winogrodzki - 2.3.0-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/SPECS-EXTENDED/lilv/drobilla.gpg b/SPECS-EXTENDED/lilv/drobilla.gpg new file mode 100644 index 0000000000..943ca5f1c6 --- /dev/null +++ b/SPECS-EXTENDED/lilv/drobilla.gpg 
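Review bot: `%meson -Dcrypto-library=openssl -Dcrypto-library-kdf=disabled` replaces `%configure --enable-nss`, so the SRTP cipher and HMAC code moves from NSS to OpenSSL, yet the changelog entry only says `Update to version 2.6.0`. For a crypto library the backend is worth recording, because it decides which module's validation status and vulnerability fixes apply to the package. I would put a comment above `%meson`, e.g. `# Crypto backend: OpenSSL (was NSS up to 2.3.0-3); crypto-library KDF left disabled`, and add a matching changelog line. The reason for disabling the KDF is not visible in the hunk, so the comment should state it if there is one.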
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBEXaIU8RBAC7vZmKrMkUyYMKomqHn9bpgFlT01fSQZyB5vHCTb5uW467HQGv +FMu6CCh2UbTyMDc/0py+EDgmkiqstUQ6hII2BbjoAlRgh4Kw43/6G1IDQiMAHXFx +jgs4Kx/xEsamMWXcGLYgBQExnN0EjjGy8ukLFHi5d4RAgNVY3tUlT+31wwCgoetH +x893hs3OQCNV21UCUV/Ndy0D/1RqBTZGXjTQ2eBCbZI7YCGOfPPdmNoDbSaDMubk +UNdbc78+FvG4SOnXxOdwe6W7Lc5qHwYXcga21ajEXT7Fpok+bj9/6a2WCiB4gzkg +Pi8Lwa0XTs7Hjyh9DFtxGbJHNxtsUV97pVBzrxdAiKasY0/CVWuiJBbZuLsyxWwe +rgwjA/9FJXx1tqOBclX4IGZnVzCGzNhTMtj2P248gZ8B6fOTkbt5bUGHBs2XtM0j +irsYeLWeWsfMa0fFMksfrwekbA4u2uMv9dA8VyjXmYGmKfNOtuyPm/NOS4CjpRQO +e3uB+ttbTKwK9Hx6j5WpfLlUBSlAKlxL1wt4cV03QXI5Sh5+QLQiRGF2ZSBSb2Jp +bGxhcmQgPGRhdmVAZHJvYmlsbGEubmV0PoheBBMRAgAeBQJF2iFPAhsDBgsJCAcD +AgMVAgMDFgIBAh4BAheAAAoJEMb2DmUpcnBgGoQAoIHtHRacGREDktZoKv+hMqW5 +SolkAJ9Xaolpgqa0yuO0+U0cHLqYMdN4mbkCDQRF2iFWEAgA+TUcUVyDVXmiBsbM +V6MOW4ZClnS8Ayz+jOkRbPgIaZOgaWekTVXFHvIYb8zQIZHlYNRj3cESkECKzFPH +uQbYcWLtq2AhI5I32027uoierPzM3tkAIttbqxI+ZNvyLM+rOdO/tR7N3QQy4dxB +goNN33kMYoe9M+AoAVJVhj5i+lv79lkQOiOGyIrZRe8tK2vARwl4jpxn5ZyGtY46 +1KMuoOq1H0gBxUGnHG/29gMtfM0WR+mdkB0N4Vmd5DwCBF1PZW+bz/jwUtKTYKlU +4oVLToPbbr1ZxIQ/GeaiX0QbFC6qkYAz1mbXuwIhT7NZnF1Bb5NUVaNDD6me0P/z +mys3pwADBQgAmjvG8d8Ou84Ry7KFlI5aVttIRDvVvODI14XgrRsaEamBurtqH2d1 +GiTuQKatTBcP2Vh4EBggUKvUBo6OqHl5HSJnMCssot9sbjd2INcVNhA37psZA/z0 +SiHvsU5MYJZAhIRy2OSq6f2rTJnN3tpH9uP22G0hnHwWsvaPif2rJJKa4FsLfiSJ +83nNZycmL0swG/3r2CFaWKdgI8Qxh4a9hzhQ/xp677rp+wXoR15Tiz3doVIks9gU +x/ttSOlIe1qikvIm2sK4YjGskyk3ThDnbKADBA0LPxmUw0LRwfMUpjB9w/KPB6K1 +garaVufX87EiQjMqtcatifrlt86BQG6UqIhJBBgRAgAJBQJF2iFWAhsMAAoJEMb2 +DmUpcnBgUWgAnig09zgkm9I8MYfmjNdeVicZ/TslAJ9gXHch/j3J0oVLZn7iLl8L +enSb2JkCDQROyvsgARAAymdAvdxjXiijDSh09Je1GZlWZz8DBVBSp+Sy8Er3f6aa +NjpdUagO4EBLYXTXOaCmpg+iwqmH9F9kDniyPj1JYkaLvttFhXlUaLY4bVAf74RG +Wbxkrq2Geh5WfK78SbAHuLdp9bx7mCq3HahHLB/DGkElRCgvhFwGRoju7bvkHl/Y +MJJsLpUN+Tpdle5VeVuUAH8l48D3WCwp2kUBzA6DXF/SqOHtNV3tbnuKKdB2Q4ks 
+JI51KwqrSa3vTrB+8TmVpocjqUK1RD+7rBJKEh4ARHhlEz6C2W3nZm0lLxsFCkgs +ccqCdLV0ZP6vYhAOPWN1kvBjkkibd0szH9a4AUWO9kUT8B0HHzcquJl6LyV2NtVj +PkPNc4zBGsb+otuPRHDU2EeW248/42royn2TgDioJ3keTe/ZCD22CJ8kNBSZOPOU +9DkZiBv/1heourSWsQAQnWTz0uE4/yVk2/Z6L4nFMk2YZYeYoiYjtz2FdMn+/9tj +eJDr+LH1q6EcBPf3qjT90gOSo3cLlswpVPOOndlrXExVi17dQSrQGi8mBxBjeMb6 +pNbF9EXcbd3Cm9oWxJy6gVEPkY0a5tRmH2Vf8uO8SdHWqh1mMgMzzFLrlvef4CmB +TS0Rp72OYq8R+9lFcRGtbeOkUdaPIL7zxCsf+H0pJTjIH4nEYkZmv9wtBW+SgfcA +EQEAAbQgRGF2aWQgUm9iaWxsYXJkIDxkQGRyb2JpbGxhLm5ldD6JAjoEEwEIACQC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk7K/HYCGQEACgkQ/GzPL3NkwkAb +RA/9Fq7wDadgPMTz47skAWqDyzc1kv4Auft+qpJDpSo9PwZWwQicAJZYNscinZVR +ZKhf+BD0v/eMoy+bzu+wf3Q+Eqq3xYCVUAHZzlQGa0MZ/8nQWfqqZe6Hq43KTgf0 +liSTWOYLHh50JuNPb0Vu2bjrgYxcLEEDIEIhulLiB+iiyuXWJ0ssA32Y9Oh+jxb2 +h62G9rWsYsvoAqvPyxhrbD1WLCMLi9KBXRpUTVaGcMtRicqpYvjZrqEkXINS6OBQ +mBuHiLoef7NGJR+22ljz2XPbQMji8m02ozOk8DDNlBMyubasIknulOEGKGgfwr2c +ZbU+1uUD4BbmWYAALGRXe2pl6AbGPU8kjgHQux2Pd7PH8qJxEvuU4O9Zi99jZgP2 +CMh4I4x3fv9RfDM4z77vMkaV8yoITz4vGdlY+UvSK5BzAMfQxuSCxPXtaqQEjS2g +r6KpUmadK7fLUmvFhXuPKwwA/BxbW6YcQKjhUZqnI5q4Hjek8iEnUiiZLnh1dSl3 +lp2us8Dxq3+TTX09qraOY25Kwf/Xjyd/l6/74JxXXFaeQkb9LHyqk3Jlk2THf3aW +TzH8h9lvTwruYhME0ib8mnPqDSfs1LQILmln8rs7Ma9HCKoUFJeMjqz3+sDMP3HC +SqqrdwxkqnufG/0S3dYjd+z910J/Qj1J/yhNAt1cA6Dwx3aIRgQQEQgABgUCTsr7 +twAKCRDG9g5lKXJwYFRNAJ4rI5MK8g+ouo85l96AAowEBrMvUQCdGdzUXaHH29N6 +FH60gGcMHi/M/jO5Ag0ETsr7IAEQALBnW/tm8zo9y8G1yOO0S0PKXxf3yPcM8J3s +wZupmuRmQyhUF3xoxiTtZH4XbMnUw2Ddzpt7XRFC8BTmI+5E32uxxR7EMgqMS1/X +MlIp+7qEiMF25DAZ6agOBFEe244MFlDt+WIt7XeJPViByKxbgi5rS14MljUazfQr +mgzAVq45RpDc3QIhgE65Q+9R4FDillWUwv5AkieRb3QdMHXrvSgsQ21bnvjdRggp +8Xw4GG4k0e5WnpU7FvDM2unDywvcU/LnRDxsZazzPNJDi1kq7CYmB94xvIdxvDed +QV8SFJ1YZkkx8MTule60t40b4pr6l2zJzR2SaR0GRsOaKeUPP08ye+20arJV/PbE +R7holpB8N68F3MYW712dosCLBVD2srpsjuWLdKA4X/SVb8i0bu/T7dwMJeDSOSmd +WXLEIMBsCQxuttk/hLkJQBVvWu/guMft8Qn2Lb9uPFe8Si8rkjiWTSEq2Q2PXcUu +X+0w9kbmuDULdovAyi+sLObkyx/dVz6LJbM1Ea6XWLhi4QVwKL5/VOey/6UctW2D 
+Kg0SNvLA5jiTx4L8u3Kd4TtvV8qmWOMTmLWXnezwE2Ln4gH65ZkbImgdZswt5r8G +DZ4fxLZsxjS9WPWAndH5z4yFtaUUHgf9A985baj2MVA3dhKXjoiZxLTThxxO40UK +wamCRY21ABEBAAGJAh8EGAEIAAkFAk7K+yACGwwACgkQ/GzPL3NkwkDnGA/7BVKA +/8hEHmmtrq7LzRLu6HYALdf/B7yfcpnwHjFjZchExWaQXuG+AqfgP4bm+OBnpN1e +OX7dD1x79AHJb/Mp2SX3NlzGvujzwMDrR9Hp4XmeeBXfxvSQXiRqcHH6Jr/rv564 +vYxgp0zdCmCRP1y+sSOEOyh46cTP9LD9w+1LzWW96dTo5FQ3q193rzrFBUJStbuM +Isp3puQ08ntmXXfYk+KuXB/hMKbJU9gbMBV7cQdGX4AZ4DcSsacs1TPdiqGZ4fJ3 +XjGegory9dVaTbwkK1ULEENGsPc8LIYTIlNHJ4E1ZSMAkTTn7ThphBvHnXOPG9fg +NimAhXYKpE4a+DwQJY1YY06KFJtqeGYGoFiTqfhn4R/Mq2kArFNoCmmbH1gDThsw +c7idTmyI4DHAhx8kHK0mrnkaA2J+Ah82Kimsu+sMKUxMwbYZ32yK18HQI3y8iXEu +GsGQk8X2gKO8YfOOvGFf2sPl1IN+ZZ8ZI7bZi/yzh5K04Pxyb6LTYpG+YDAZS6H5 +NkWQxPM0TCDFLDlLl5SESl7BxgqryqCY4okRGVq0WLXa3MpFCjoYOAdtkQOm6ZOE +9tjKogx0ZN9cflde2D9MSi9ADCZ8gK4tQ581Ea43owT2iMJVceGcqJE3ZVnUq2PX +DoVGVgIxT1stR69am4hgSHpShTRVU5fio+jiuHKZAg0ET0BWRQEQAOru18ePCKAr +nY43QCcDiVjDCTrPx0lswgkaGPWRwL1jOHiLnwMaafsb/SMjvgwJ3P40Tzo1wB22 +STmQ4/r5JL3nVQ7cRmeCDSMbbva9vuOAC/zOGH6N6Pd/Vyq4bJp3eWhL/bNiBF7R +4ft9E5RD1WIM7kDM0LUd2HgqyvwgKngiJFfZNCEXFuXhHNc4nuRsrLnEb5T+6PTl +noQRQyqd0rhShYTBvjL9DUhhFtgqNmjYl1hCurFnyE8G5zkxnIuJ+wWlgBiPSIIf +ZZY0IGLXH7DHDHaV+N4MKduCiOhPwLhaNHxNekBFaFNllLgVGMUE/Bp4GvHcfAgX +tAQbztqag5folJxNYNWX1qLmYh9hluJA0MRq+nFNpYWmMTcQQYOPpBuOVRf8u5qN +p/aQwH5DdoDa6Mdwfbrq+RcMBogwCjZGROe296YuBBIUfWRxfYQaIwbtrTajSZW2 +DWUze3tONLWjPJKJFDD6w42UQSp+fnDrrdZhasDU8bmVE5LUyA8B01BJWglQIgfL +Z5PzDsxSZtWulxsOoz+VwS2sbslNkVWFPWbcMoKB/fAtN+mmMzrjmHLbF+hLta4Z +ZBJcCS4Nk0Lw4+9Msf7jWWNEUbKyqvKnSK774mIDktp+o2fPXmi0KLcwxrda2SJS +bPeDbYsPzhwTR66+ZoQ430MifR4RIwanABEBAAG0IERhdmlkIFJvYmlsbGFyZCA8 +ZEBkcm9iaWxsYS5uZXQ+iQI6BBMBCAAkAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJPQFfZAhkBAAoJEDZyeCqb82jzx9YQALzxj/8b+JD9px1lGb7ZbN5GTBdh +J6CgLkObSkwnU88vWxOhZDKd6dTyGYtmHg3rridM/0OMVv/hUXxTcRWKHo8S44OA +rFSNhjuarfh7IQRDpe16J9vWaStuK8uiyOmHl8IGmtDoVtlDo7yd0/b8lwCJd9R3 +4d81ruYLHguHxo6ahMyB+SjPXoqEj8dUcY4OR35wRI04H+HSq7s4kpqX4G5uhrtW 
+5dEk7GuqELyg9forQ4xDD/cSOXUtBX/Sak9KRKZLxNyp5h4xvSHi5wl3DjB4Of5J +P7e437J5PXQtw1mNHCwbMyp6R9cqETTwjRj11gbqFy1PjiKDgT6/iPvA+Vg4GcJH +k1Rhzq2PMLegZIqJ6+F3G2oRl0XF1J9j3XvSnXSTMlqEQd6VNFmAd1PGJMfok3kz +brPBIBt8/ltaSn71ekanzxpAVC4fHO6JzPszyqpdkRriTL7nYZ872J5+BWCC3eOr +QVvDNu+FZznHRuI8TqhdWr76w4oZMx56S/oV8bo9wVQx0urxjB851IcPWU8GyBu4 +Bqb9kpw8IzUY08AENKzal9KstCkCoG5a80B0sS7Et7a23TNZF2rBKOzza7yte+5d +PDeDg0WSexzJr35kArjUz7sgKODFfAlvTTgRPTTRIdBeQV69aUc3XvaJQFXwPobz +yvH/ie166GqJIRvOuQINBE9AVkUBEACr6qQSWRlg+AifZqLYSY64VQ4Bvj3SfVXl +MLlMWDeKFAnW49sg/DMu9t20m3m/L49UW51zyjnRlIN8j6NqmVtRKAs2C+FRpSTK +U6NSdsBweUOkQP6FGJRlb9o3cTxePBvQL/weulB/rzRhBqL4W3U4L3jUxYE0vCYs +D5Dq0/177BtazrOIBuRADABLQ7m9976jIfz9zNoix8j7CNtX0g+JB4E5kObVQ41N +LyZ8ei+t/q1MP1KxwD6e+icESlLNrO2rhXBssc6KScbdrPmCfR5bumFitEfxeIJI +s5XR/FKCgmQH4SRQJQ4MY/+B5OIRDH4zjbs8EP2kD+85hbKx8sjrQeafA1VYw+TN +FBJhCNqMkzl6WyZ2GX7ZP0xw19BS/RioOLVq3I3WSRpJGsguzE87xXDF91caaxQn +CL1LM2zqNstYDNYIAmCThVixeONFbFiPN7OsTG2lsSh79mX8+/2YAxj/9ACCxDcF +xXeWbByVdpuV2n24F3lLQBY1/Gpy8yskJLCOFEjGYVIHsEaD+FxR2x9WusWb+aeI +zHmOA8cwcLazJcneMvOTIrlgAz0yZphY+c6kx/opem0N+nKX+aEFbolnlsPXhGNC +AD5xffJOIUK+gGrPstf2WdqYfmWegd7ak1FG4j1WqHwHplOwgStPTO33IhhWXHLj +yRsf8AyumQARAQABiQIfBBgBCAAJBQJPQFZFAhsMAAoJEDZyeCqb82jzTUkP/3jv +hkMK0IGcuCVkfB3uIxsjLKl+lI2FDq/zUOo6Ko491q/8Ks2E4fGYmVrcxymnAThB +4STL0QaLJdIaRlJo0cMkcEsF0RKxu1aaLRRWk08hrdjI3aRLwzAdWxHAE3ESz75T +l26ZB1MvgWBSzyLtYJXYBz738ldIfvs5hzhDWMJTcbhf+Hnaoxt3fcDu8k0EdTIB +CRziOO7uq9npDxwMOTyPQvEMr4v8kIvn/Npu3ZQtadzkeSr+/ENCGNz1KatTV3Iy +lH6X8ANP8eiq4ODOrayjyKs0ZDtL3sn+jJhoz/AF/qBpSTnEtDUpPT3U0Noo4HHk +YQYiK8SI0OcxH9tSkgaeRcnFvlbJw2ackRpHuXNuGZ66zt2yDj7cZG6ssg9Yrrax +x3y+27MJXYnowOnRjCdCQZ5hKeOny73lyFZYDisCvqha138PRJtSwQAgnKEu0Bh/ +sSI0DtPZmsXC9iPg9AxBDqVfdxtsWqfA31JmR+MsN58cT1Ej4Li+cH9sPOFVOpSf +gylCgHUC2Lact8v5xrArHyrCBfmavDnclir84A5TuwGMLhm2Ui9yKn5fGgiF4P4U +U1zeTPb45Mf9NU5pKJXd5H0MsOU58DjaM5Af3dpH6c8wsyDkNeVDvUzLXghsUH80 +HQMSpfZtNLZ/57KoSi7YYYotWZX/mch2i4mqVEEp +=MGn/ +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/SPECS-EXTENDED/lilv/lilv-0.24.26.tar.xz.sig b/SPECS-EXTENDED/lilv/lilv-0.24.26.tar.xz.sig
new file mode 100644
index 0000000000..eee6170cf0
Binary files /dev/null and b/SPECS-EXTENDED/lilv/lilv-0.24.26.tar.xz.sig differ
diff --git a/SPECS-EXTENDED/lilv/lilv.signatures.json b/SPECS-EXTENDED/lilv/lilv.signatures.json
index 56aa3e3449..1239cc7bb5 100755
--- a/SPECS-EXTENDED/lilv/lilv.signatures.json
+++ b/SPECS-EXTENDED/lilv/lilv.signatures.json
@@ -1,5 +1,7 @@
 {
 "Signatures": {
- "lilv-0.24.14.tar.bz2": "6399dfcbead61a143acef3a38ad078047ab225b00470ad5d33745637341d6406"
+ "drobilla.gpg": "29c8ffc9ffee2982ad3c3355736ed043377c1f0f4ea4776df4b98a464692b70e",
+ "lilv-0.24.26.tar.xz": "22feed30bc0f952384a25c2f6f4b04e6d43836408798ed65a8a934c055d5d8ac",
+ "lilv-0.24.26.tar.xz.sig": "a491289e5df5fdf41e96b1ad7138dce42a4008795f4e6ceedfd1416036cff6a1"
 }
-}
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/lilv/lilv.spec b/SPECS-EXTENDED/lilv/lilv.spec
index bc3026dda7..4c9b330aee 100755
--- a/SPECS-EXTENDED/lilv/lilv.spec
+++ b/SPECS-EXTENDED/lilv/lilv.spec
@@ -3,33 +3,34 @@ %bcond_with docs Summary: An LV2 Resource Description Framework Library Name: lilv -Version: 0.24.14 -Release: 4%{?dist} -License: MIT +Version: 0.24.26 +Release: 1%{?dist} Vendor: Microsoft Corporation Distribution: Azure Linux +License: MIT URL: https://drobilla.net/software/lilv -Source0: https://download.drobilla.net/%{name}-%{version}.tar.bz2 +Source0: https://download.drobilla.net/%{name}-%{version}.tar.xz +Source1: https://download.drobilla.net/%{name}-%{version}.tar.xz.sig +Source2: https://drobilla.net/drobilla.gpg + +BuildRequires: gnupg2 +BuildRequires: meson BuildRequires: doxygen BuildRequires: graphviz -BuildRequires: sord-devel >= 0.14.0 -BuildRequires: sratom-devel >= 0.4.4 -BuildRequires: lv2-devel >= 1.18.0 -BuildRequires: python3 +BuildRequires: sord-devel >= 0.16.16 +BuildRequires: sratom-devel >= 0.6.10 +BuildRequires: lv2-devel >= 1.18.2 BuildRequires: python3-devel -BuildRequires: swig -BuildRequires: serd-devel >= 0.30.0 +BuildRequires: serd-devel >= 0.30.10 BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libsndfile-devel >= 1.0.0 +BuildRequires: zix-devel >= 0.6.0 %if %{with docs} BuildRequires: python3-sphinx BuildRequires: python3-sphinx_lv2_theme %endif Requires: lv2 >= 1.18.0 -%if 0%{?with_check} -BuildRequires: lcov -%endif # To try and deal with multilib issues from the -libs split: # https://bugzilla.redhat.com/show_bug.cgi?id=2052588 @@ -42,6 +43,7 @@ faster and have minimal dependencies. %package libs Summary: Libraries for %{name} +Obsoletes: lilv < 0.24.12-2 %description libs %{name} is a lightweight C library for Resource Description Syntax which 
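Review bot: `Source2` fetches the verification keyring from drobilla.net, the same party that publishes the tarball and its `.sig`, so the signature check in `%prep` is only as trustworthy as the copy of `drobilla.gpg` pinned in lilv.signatures.json. Nothing in the header records which key that file is expected to hold or how it was checked. A comment above `Source2` would let whoever bumps the version next confirm that the key has not silently changed, for example `# Upstream release signing key; fingerprint <KEY-FINGERPRINT>, confirmed out of band`, with the real fingerprint filled in.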
@@ -70,39 +72,33 @@ supports reading and writing Turtle and NTriples. This package contains the python libraries for %{name}. + %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# Do not run ld config -sed -i -e 's|bld.add_post_fun(autowaf.run_ldconfig)||' wscript -# for packagers sake, build the tests with debug symbols -sed -i -e "s|'-ftest-coverage'\]|\ - '-ftest-coverage' \] + '%{optflags}'.split(' ')|" wscript %build -%{set_build_flags} -export LINKFLAGS="%{__global_ldflags}" -%{python3} waf configure -v --prefix=%{_prefix} \ - --libdir=%{_libdir} --configdir=%{_sysconfdir} --mandir=%{_mandir} \ - --docdir=%{_pkgdocdir} \ %if %{with docs} - --docs \ +%meson +%meson_build %endif - --test --dyn-manifest - -%{python3} waf -v build %{?_smp_mflags} +%meson -Ddocs=disabled +%meson_build %install -%{python3} waf -v install --destdir=%{buildroot} -chmod +x %{buildroot}%{_libdir}/lib%{name}-0.so.* +%meson_install + +%if %{with docs} +mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_docdir}/%{name} +%endif %check -%{python3} waf test +%meson_test %files %if %{with docs} %exclude %{_pkgdocdir}/%{name}-%{maj}/ %endif -%{_bindir}/lilv-bench %{_bindir}/lv2info %{_bindir}/lv2ls %{_bindir}/lv2bench @@ -114,20 +110,25 @@ chmod +x %{buildroot}%{_libdir}/lib%{name}-0.so.* %doc AUTHORS NEWS README.md %license COPYING %{_libdir}/lib%{name}-%{maj}.so.* +%if %{with docs} +%{_pkgdocdir}/%{name}-%{maj}/ +%endif + %files devel %{_libdir}/lib%{name}-%{maj}.so %{_libdir}/pkgconfig/%{name}-%{maj}.pc %{_includedir}/%{name}-%{maj}/ -%if %{with docs} -%{_pkgdocdir}/%{name}-%{maj}/ -%endif - + %files -n python3-%{name} %{python3_sitelib}/%{name}.* %{python3_sitelib}/__pycache__/* %changelog +* Tue Feb 25 2025 Jyoti kanase - 0.24.26-1 +- Upgrade to 0.24.26 +- License Verified. + * Thu Nov 24 2022 Sumedh Sharma - 0.24.14-4 - Initial CBL-Mariner import from Fedora 37 (license: MIT) - Disable subpackage doc 
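Review bot: In `%build`, the `%if %{with docs}` block ends at `%endif` and is followed by an unconditional `%meson -Ddocs=disabled` and `%meson_build`, so a docs-enabled build is configured and built twice, and the second pass asks for docs to be off. This looks like a missing `%else` before `%meson -Ddocs=disabled`. The default build is unaffected because the spec declares `%bcond_with docs`. The docs branch also looks inconsistent further down: `%install` renames `%{_docdir}/%{name}-%{maj}` to `%{_docdir}/%{name}`, while the file list in the next hunk still names `%{_pkgdocdir}/%{name}-%{maj}/`.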
diff --git a/SPECS-EXTENDED/papi/papi-libsde.patch b/SPECS-EXTENDED/papi/papi-libsde.patch new file mode 100644 index 0000000000..7fb522beb2 --- /dev/null +++ b/SPECS-EXTENDED/papi/papi-libsde.patch @@ -0,0 +1,33 @@ +commit 2f37f74ea25f850835b22fa617938264bd158134 +Author: William Cohen +Date: Thu Apr 25 10:55:36 2024 -0400 + + SDE_LIB: Build libsde.so.1.0 with the CFLAGS and LDFLAGS passed in + + A recent annocheck of the papi RPMS showed that libsde.so.1.0 was not + built with the expected flags passed into the RPM build. Minor + changes were made to src/sde_lib/Makefile to use the CFLAGS and + LDFLAGS passed in. + +diff --git a/src/sde_lib/Makefile b/src/sde_lib/Makefile +index 67ef5987..8518f92e 100644 +--- a/src/sde_lib/Makefile ++++ b/src/sde_lib/Makefile +@@ -1,7 +1,7 @@ + CC ?= gcc + SDE_INC = -I. -I.. + SDE_LD = -ldl -pthread +-CFLAGS = -Wextra -Wall -O2 ++CFLAGS += -Wextra -Wall -O2 + + %_d.o: %.c + $(CC) -c -Bdynamic -fPIC -shared -fvisibility=hidden $(CFLAGS) $(SDE_INC) $< -o $@ +@@ -14,7 +14,7 @@ SOBJS=$(patsubst %.c,%_s.o,$(wildcard *.c)) + all: dynamic static + + dynamic: $(DOBJS) +- $(CC) -Bdynamic -fPIC -shared -Wl,-soname -Wl,libsde.so -fvisibility=hidden $(CFLAGS) $(DOBJS) -lrt -ldl -pthread -o libsde.so.1.0 ++ $(CC) $(LDFLAGS) -Bdynamic -fPIC -shared -Wl,-soname -Wl,libsde.so -fvisibility=hidden $(CFLAGS) $(DOBJS) -lrt -ldl -pthread -o libsde.so.1.0 + rm -f *_d.o + + static: $(SOBJS) diff --git a/SPECS-EXTENDED/papi/papi-nostatic.patch b/SPECS-EXTENDED/papi/papi-nostatic.patch new file mode 100644 index 0000000000..435aa5eac0 --- /dev/null +++ b/SPECS-EXTENDED/papi/papi-nostatic.patch 
@@ -0,0 +1,30 @@ +commit cc34c978778adb40df1a200059a31c8d628b10ee +Author: William Cohen +Date: Thu Jan 21 14:48:01 2021 -0500 + + Only check for libpfm.a if static libraries are being used. + + Even when static libraries are not be used papi was checking for + libpfm.a, this would cause a failure if libpfm.a wasn't installed. + Exclude checking for libpfm.a if no static libpfm library is needed. + +diff --git a/src/Rules.pfm4_pe b/src/Rules.pfm4_pe +index 61eedc8a3..65a9635c6 100644 +--- a/src/Rules.pfm4_pe ++++ b/src/Rules.pfm4_pe +@@ -32,6 +32,7 @@ ifeq (yes,$(MIC)) + FORCE_PFM_ARCH="CONFIG_PFMLIB_ARCH_X86=y" + endif + ++ifneq (,$(STATIC)) + ifeq (,$(PFM_OBJS)) + $(PFM_LIB_PATH)/libpfm.a: + ifneq (,${PFM_ROOT}) +@@ -49,6 +50,7 @@ else + endif + $(MAKE) + endif ++endif + + include Makefile.inc + diff --git a/SPECS-EXTENDED/papi/papi-python3.patch b/SPECS-EXTENDED/papi/papi-python3.patch new file mode 100644 index 0000000000..c5e75094e4 --- /dev/null +++ b/SPECS-EXTENDED/papi/papi-python3.patch @@ -0,0 +1,10 @@ +diff --git a/src/high-level/scripts/papi_hl_output_writer.py b/src/high-level/scripts/papi_hl_output_writer.py +index 123d2cd0..34bfbd73 100755 +--- a/src/high-level/scripts/papi_hl_output_writer.py ++++ b/src/high-level/scripts/papi_hl_output_writer.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + from __future__ import division + from collections import OrderedDict + diff --git a/SPECS-EXTENDED/papi/papi.signatures.json b/SPECS-EXTENDED/papi/papi.signatures.json index 27be8832dd..a711561f45 100644 --- a/SPECS-EXTENDED/papi/papi.signatures.json +++ b/SPECS-EXTENDED/papi/papi.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "papi-5.7.0.tar.gz": "d1a3bb848e292c805bc9f29e09c27870e2ff4cda6c2fba3b7da8b4bba6547589" + "papi-7.1.0.tar.gz": "5818afb6dba3ece57f51e65897db5062f8e3464e6ed294b654ebf34c3991bc4f" } -} +} \ No newline at end of file 
diff --git a/SPECS-EXTENDED/papi/papi.spec b/SPECS-EXTENDED/papi/papi.spec index 733c181f6f..546aea1a9c 100644 --- a/SPECS-EXTENDED/papi/papi.spec +++ b/SPECS-EXTENDED/papi/papi.spec @@ -7,14 +7,18 @@ %endif Summary: Performance Application Programming Interface Name: papi -Version: 5.7.0 -Release: 5%{?dist} +Version: 7.1.0 +Release: 1%{?dist} License: BSD Requires: papi-libs = %{version}-%{release} Vendor: Microsoft Corporation Distribution: Azure Linux -URL: http://icl.cs.utk.edu/papi/ -Source0: http://icl.cs.utk.edu/projects/papi/downloads/%{name}-%{version}.tar.gz +URL: https://icl.cs.utk.edu/papi/ +Source0: https://icl.cs.utk.edu/projects/papi/downloads/%{name}-%{version}.tar.gz +Patch1: papi-python3.patch +Patch2: papi-nostatic.patch +Patch3: papi-libsde.patch + BuildRequires: autoconf BuildRequires: doxygen BuildRequires: ncurses-devel @@ -23,8 +27,8 @@ BuildRequires: kernel-headers >= 2.6.32 BuildRequires: chrpath BuildRequires: lm_sensors-devel %if %{without bundled_libpfm} -BuildRequires: libpfm-devel >= 4.6.0-1 -BuildRequires: libpfm-static >= 4.6.0-1 +BuildRequires: libpfm-devel >= 4.6.0 +BuildRequires: libpfm-static >= 4.6.0 %endif # Following required for net component BuildRequires: net-tools @@ -72,7 +76,7 @@ PAPI-static includes the static versions of the library files for the PAPI user-space libraries and interfaces. %prep -%setup -q +%autosetup -p1 %build %if %{without bundled_libpfm} 
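Review bot: `Patch1` to `Patch3` are added to the header with no comment saying where each one comes from or whether it can be dropped on the next upgrade. Two of the patch files added by this commit carry a commit id in their own header, so the spec can point at them directly: `# commit cc34c978778a: only check for libpfm.a when static libraries are used` above `Patch2`, and `# commit 2f37f74ea25f: build libsde.so.1.0 with the passed-in CFLAGS and LDFLAGS` above `Patch3`. `papi-python3.patch` has no such header, so a one-line comment stating that it is a downstream shebang fix would cover it.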
@@ -90,19 +94,6 @@ autoconf #components currently left out because of build configure/build issues # --with-components="bgpm coretemp_freebsd cuda host_micpower nvml vmware" -pushd components -#pushd cuda; ./configure; popd -#pushd host_micpower; ./configure; popd -%if %{with_rdma} -pushd infiniband_umad; %configure; popd -%endif -pushd lmsensors; \ - %configure --with-sensors_incdir=/usr/include/sensors \ - --with-sensors_libdir=%{_libdir}; \ - popd -#pushd vmware; ./configure; popd -popd - #DBG workaround to make sure libpfm just uses the normal CFLAGS DBG="" make %{?_smp_mflags} @@ -118,23 +109,25 @@ rm -rf $RPM_BUILD_ROOT cd src make DESTDIR=$RPM_BUILD_ROOT LDCONFIG=/bin/true install-all -chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so* +# Scrub the rpath/runpath from all the binaries. +find %{buildroot} -type f -executable ! -iname "*.py" ! -iname "*.sh" | xargs chrpath --delete %files %{_bindir}/* %dir /usr/share/papi /usr/share/papi/papi_events.csv -%doc INSTALL.txt README LICENSE.txt RELEASENOTES.txt +%doc INSTALL.txt README.md LICENSE.txt RELEASENOTES.txt %doc %{_mandir}/man1/* %ldconfig_scriptlets libs %files libs %{_libdir}/*.so.* -%doc INSTALL.txt README LICENSE.txt RELEASENOTES.txt +%doc INSTALL.txt README.md LICENSE.txt RELEASENOTES.txt %files devel %{_includedir}/*.h +%{_includedir}/*.hpp %if %{with bundled_libpfm} %{_includedir}/perfmon/*.h %endif @@ -154,6 +147,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/*.so* %{_libdir}/*.a %changelog +* Tue Apr 29 2025 Jyoti kanase - 7.1.0-1 +- Upgrade to 7.1.0 +- License verified. + * Tue Mar 23 2021 Henry Li - 5.7.0-5 - Initial CBL-Mariner import from Fedora 32 (license: MIT). - Remove infiniband-diags-devel from build requirement since it's already obsoleted diff --git a/SPECS-EXTENDED/paps/paps-0.6.8-glib282.patch b/SPECS-EXTENDED/paps/paps-0.6.8-glib282.patch new file mode 100644 index 0000000000..7d3d16512f --- /dev/null +++ b/SPECS-EXTENDED/paps/paps-0.6.8-glib282.patch 
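Review bot: The new rpath scrub in `%install` pipes `find` into a bare `xargs`, which splits file names on whitespace and still runs `chrpath --delete` once with no arguments when nothing matches. It also hands every executable file that is not named `*.py` or `*.sh` to `chrpath`, so any other script in the buildroot is presumably reported as an error while the pipeline carries on. Since the point of the step is that no binary ships with a build-time RPATH, a NUL-delimited form is safer: `find %{buildroot} -type f -executable ! -iname "*.py" ! -iname "*.sh" -print0 | xargs -0 -r chrpath --delete`.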
@@ -0,0 +1,12 @@ +diff -pruN paps-0.6.8.orig/src/paps.c paps-0.6.8/src/paps.c +--- paps-0.6.8.orig/src/paps.c 2024-09-13 21:07:13.225683344 +0900 ++++ paps-0.6.8/src/paps.c 2024-09-13 21:10:24.177041518 +0900 +@@ -784,7 +784,7 @@ split_text_into_paragraphs (PangoContext + while (p != NULL && *p) + { + wc = g_utf8_get_char (p); +- next = g_utf8_next_char (p); ++ next = (char *) g_utf8_next_char (p); + if (wc == (gunichar)-1) + { + fprintf (stderr, "%s: Invalid character in input\n", g_get_prgname ()); diff --git a/SPECS-EXTENDED/paps/paps-c99.patch b/SPECS-EXTENDED/paps/paps-c99.patch new file mode 100644 index 0000000000..115043e9b3 --- /dev/null +++ b/SPECS-EXTENDED/paps/paps-c99.patch 
@@ -0,0 +1,44 @@ +Use AC_USE_SYSTEM_EXTENSIONS and include , so that +makes a declaration of wcwidth available. Include +for a declaration of g_vasprintf. This avoids implicit function +declarations and build failures with future compilers. + +No need to upstream this because it only impacts the bundled 0.6.8 +sources, the later 0.8.0 version has already been fixed upstream. The +g_vasprintf call was introduced in the paps-0.6.6-lcnumeric.patch +downstream patch. + +diff -ur paps-0.8.0.orig/paps-0.6.8/configure.in paps-0.8.0/paps-0.6.8/configure.in +--- paps-0.8.0.orig/paps-0.6.8/configure.in 2023-04-13 11:56:29.571277839 +0200 ++++ paps-0.8.0/paps-0.6.8/configure.in 2023-04-13 12:00:03.228135149 +0200 +@@ -6,6 +6,7 @@ + AC_LANG_C + AC_PROG_CC + AM_PROG_LIBTOOL ++AC_USE_SYSTEM_EXTENSIONS + + dnl ====================================================== + dnl check for CUPS +diff -ur paps-0.8.0.orig/paps-0.6.8/src/paps.c paps-0.8.0/paps-0.6.8/src/paps.c +--- paps-0.8.0.orig/paps-0.6.8/src/paps.c 2023-04-13 11:56:29.583277719 +0200 ++++ paps-0.8.0/paps-0.6.8/src/paps.c 2023-04-13 12:02:28.958673663 +0200 +@@ -20,7 +20,7 @@ + * + */ + +- ++#include + #include + #include + #include "libpaps.h" +diff -ur paps-0.8.0.orig/paps-0.6.8/src/libpaps.c paps-0.8.0/paps-0.6.8/src/libpaps.c +--- paps-0.8.0.orig/paps-0.6.8/src/libpaps.c 2023-04-13 11:56:29.581277739 +0200 ++++ paps-0.8.0/paps-0.6.8/src/libpaps.c 2023-04-13 12:07:17.504779917 +0200 +@@ -23,6 +23,7 @@ + + #include "libpaps.h" + ++#include + #include + #include + #include diff --git a/SPECS-EXTENDED/paps/paps-fix-build.patch b/SPECS-EXTENDED/paps/paps-fix-build.patch new file mode 100644 index 0000000000..e77f3876fc --- /dev/null +++ b/SPECS-EXTENDED/paps/paps-fix-build.patch 
@@ -0,0 +1,85 @@ +From e2180b2e1493abc2a8d1165e10bf264d50fac0ae Mon Sep 17 00:00:00 2001 +From: Akira TAGOH +Date: Wed, 1 Mar 2023 15:24:27 +0900 +Subject: [PATCH] Fix the build issue + +Some code ignores a return value of g_string_free() and that causes: + +ignoring return value of 'gchar* g_string_free_and_steal(GString*)' declared with attribute 'warn_unused_result' [-Wunused-result] + +This fixes it. +--- + src/paps.cc | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/paps.cc b/src/paps.cc +index cb48ddc..429b764 100644 +--- a/src/paps.cc ++++ b/src/paps.cc +@@ -368,6 +368,7 @@ copy_pango_parse_enum (GType type, + { + int i; + GString *s = g_string_new (nullptr); ++ gchar *gstr; + + for (i = 0, v = g_enum_get_value (klass, i); v; + i++ , v = g_enum_get_value (klass, i)) +@@ -382,10 +383,10 @@ copy_pango_parse_enum (GType type, + G_ENUM_CLASS_TYPE_NAME(klass), + s->str); + +- if (possible_values) +- *possible_values = s->str; ++ gstr = g_string_free (s, possible_values ? false : true); + +- g_string_free (s, possible_values ? false : true); ++ if (possible_values) ++ *possible_values = gstr; + } + } + +@@ -1001,7 +1002,7 @@ read_file (FILE *file, + if (ferror (file)) + { + fprintf(stderr, _("%s: Error reading file.\n"), g_get_prgname ()); +- g_string_free (inbuf, true); ++ (void) g_string_free (inbuf, true); + exit(1); + } + else if (bp == nullptr) +@@ -1043,8 +1044,7 @@ read_file (FILE *file, + if (inbuf->len && inbuf->str[inbuf->len-1] != '\n') + g_string_append(inbuf, "\n"); + +- text = inbuf->str; +- g_string_free (inbuf, false); ++ text = g_string_free (inbuf, false); + + if (encoding != nullptr && cvh != nullptr) + g_iconv_close(cvh); +@@ -1671,7 +1671,11 @@ get_date() + fprintf(stderr, _("%1$s: Error while converting date string from '%2$s' to UTF-8.\n"), + g_get_prgname(), get_encoding()); + /* Return the unconverted string. 
*/ +- g_string_free(inbuf, false); ++ /* ++ * inbuf isn't used here, but a few memory is ++ * allocated by default. so it should be freed anyway. ++ */ ++ (void) g_string_free(inbuf, true); + g_iconv_close(cvh); + return date; + } +@@ -1679,8 +1683,7 @@ get_date() + obuffer[BUFSIZE * 6 - 1 - oblen] = 0; + g_string_append(inbuf, bp); + +- date_utf8 = inbuf->str; +- g_string_free(inbuf, false); ++ date_utf8 = g_string_free(inbuf, false); + g_iconv_close(cvh); + } + +-- +2.39.2 + diff --git a/SPECS-EXTENDED/paps/paps-fix-cpi.patch b/SPECS-EXTENDED/paps/paps-fix-cpi.patch index f917296a19..7bc3f6125f 100644 --- a/SPECS-EXTENDED/paps/paps-fix-cpi.patch +++ b/SPECS-EXTENDED/paps/paps-fix-cpi.patch @@ -310,7 +310,7 @@ index 334d547..72dbaad 100644 + + para->length = i; + next = g_utf8_offset_to_pointer(para->text, para->length); -+ wc = g_utf8_prev_char(next); ++ wc = g_utf8_get_char(g_utf8_prev_char(next)); + } else { + pango_layout_set_text(para->layout, para->text, para->length); + } diff --git a/SPECS-EXTENDED/paps/paps-fix-src-to-paps.patch b/SPECS-EXTENDED/paps/paps-fix-src-to-paps.patch new file mode 100644 index 0000000000..d18f8af363 --- /dev/null +++ b/SPECS-EXTENDED/paps/paps-fix-src-to-paps.patch 
@@ -0,0 +1,18 @@ +diff -pruN paps-0.8.0.orig/scripts/src-to-paps paps-0.8.0/scripts/src-to-paps +--- paps-0.8.0.orig/scripts/src-to-paps 2023-02-09 16:27:38.000000000 +0900 ++++ paps-0.8.0/scripts/src-to-paps 2023-03-01 15:00:27.801416563 +0900 +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + + ###################################################################### + # Use GNU source-hightlight to turn source code into pango markup +@@ -49,7 +49,7 @@ def arg_if_not_none(param_name, val): + # Defaults + + # TBD - Make this a configuration variable +-pango_outlang_path = '/usr/local/share/paps/pango_markup.outlang' ++pango_outlang_path = '/usr/share/paps/pango_markup.outlang' + + parser = argparse.ArgumentParser(description='Process a file') + parser.add_argument('-o', '--output', diff --git a/SPECS-EXTENDED/paps/paps-glib282.patch b/SPECS-EXTENDED/paps/paps-glib282.patch new file mode 100644 index 0000000000..23bd2b48d6 --- /dev/null +++ b/SPECS-EXTENDED/paps/paps-glib282.patch 
@@ -0,0 +1,34 @@ +g_utf8_next_char no longer includes a cast to char* as of 2.81.0: + +https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4016 + +diff -up a/src/paps.cc b/src/paps.cc +--- a/src/paps.cc 2024-09-12 19:21:02.858439427 -0400 ++++ b/src/paps.cc 2024-09-12 21:15:46.905955152 -0400 +@@ -1115,7 +1115,7 @@ split_text_into_paragraphs (PangoContext + while (p != nullptr && *p) + { + wc = g_utf8_get_char (p); +- next = g_utf8_next_char (p); ++ next = (char *) g_utf8_next_char (p); + if (wc == (gunichar)-1) + { + fprintf (stderr, _("%s: Invalid character in input\n"), g_get_prgname ()); +@@ -1130,7 +1130,7 @@ split_text_into_paragraphs (PangoContext + para->length = p - last_para; + /* handle dos line breaks */ + if (wc == '\r' && *next == '\n') +- next = g_utf8_next_char(next); ++ next = (char *) g_utf8_next_char(next); + para->layout = pango_layout_new (pango_context); + + if (page_layout->cpi > 0.0L) +@@ -1201,7 +1201,7 @@ split_text_into_paragraphs (PangoContext + g_free (newtext); + + para->length = i; +- next = g_utf8_offset_to_pointer (para->text, para->length); ++ next = (char *) g_utf8_offset_to_pointer (para->text, para->length); + wc = g_utf8_get_char (g_utf8_prev_char (next)); + } + else diff --git a/SPECS-EXTENDED/paps/paps.signatures.json b/SPECS-EXTENDED/paps/paps.signatures.json index 70c68b33bc..f9bd0526ee 100644 --- a/SPECS-EXTENDED/paps/paps.signatures.json +++ b/SPECS-EXTENDED/paps/paps.signatures.json @@ -2,6 +2,7 @@ "Signatures": { "29-paps.conf": "fcd8f22887f08923bfdcdaab199c90ee1f74db96601ca474095436beb0ab6cc0", "paps-0.6.8.tar.gz": "db214c4ea7ecde2f7986b869f6249864d3ff364e6f210c15aa2824bcbd850a20", + "paps-0.8.0.tar.gz": "bb5a826db364117a5ae79c833c4a000197f3b5b3eff10e31fb1513a583f96ff2", "paps.convs": "ef90a7ffdf2a2491920f432575bccac2a8729ab393040b3c9de602e795d43f6b" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/paps/paps.spec b/SPECS-EXTENDED/paps/paps.spec index 5a4c24717e..3c7285a9d4 100644 
--- a/SPECS-EXTENDED/paps/paps.spec +++ b/SPECS-EXTENDED/paps/paps.spec @@ -1,15 +1,18 @@ -Vendor: Microsoft Corporation -Distribution: Azure Linux Name: paps -Version: 0.6.8 -Release: 46%{?dist} +Version: 0.8.0 +Release: 12%{?dist} -License: LGPLv2+ -URL: http://paps.sourceforge.net/ -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +License: LGPL-2.0-or-later +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://github.com/dov/paps +Source0: https://github.com/dov/paps/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: paps.convs -Source2: 29-paps.conf -BuildRequires: pango-devel automake autoconf libtool doxygen cups-devel +Source2: 29-paps.conf +Source3: https://downloads.sourceforge.net/%{name}/%{name}-0.6.8.tar.gz +BuildRequires: make +BuildRequires: pango-devel automake autoconf libtool doxygen cups-devel intltool +BuildRequires: fmt-devel gcc-c++ ## https://sourceforge.net/tracker/index.php?func=detail&aid=1832897&group_id=153049&atid=786241 Patch0: paps-0.6.8-shared.patch ## https://sourceforge.net/tracker/index.php?func=detail&aid=1832924&group_id=153049&atid=786241 
@@ -42,31 +45,35 @@ Patch59: %{name}-ft-header.patch Patch60: %{name}-a3.patch ## rhbz#1214939 Patch61: %{name}-fix-paper-size-truncate.patch +Patch62: paps-c99.patch +Patch63: paps-0.6.8-glib282.patch +### For paps +Patch100: %{name}-fix-src-to-paps.patch +Patch101: %{name}-fix-build.patch +Patch102: %{name}-glib282.patch Summary: Plain Text to PostScript converter -Requires: %{name}-libs = %{version}-%{release} -Requires: cups-filesystem fontpackages-filesystem %description paps is a PostScript converter from plain text file using Pango. -%package libs -Summary: Libraries for paps -%description libs -paps is a PostScript converter from plain text file using Pango. - -This package contains the library for paps. +%package -n texttopaps +Summary: CUPS filter based on paps +Obsoletes: %{name}-libs < %{version} +Obsoletes: %{name}-devel < %{version} +Requires: cups-filesystem fontpackages-filesystem +%description -n texttopaps -%package devel -Summary: Development files for paps -Requires: %{name}-libs = %{version}-%{release} -%description devel paps is a PostScript converter from plain text file using Pango. -This package contains the development files that is necessary to develop -applications using paps API. +This package contains a CUPS filter based on paps. + %prep -%setup -q +%setup -q -a 3 +%patch 100 -p1 -b .src-to-paps +%patch 101 -p1 -b .build +%patch 102 -p1 -b .glib282 +pushd %{name}-0.6.8 %patch 0 -p1 -b .shared %patch 1 -p1 -b .wordwrap %patch 2 -p1 -b .langinfo 
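Review bot: The `texttopaps` subpackage is built from the separate 0.6.8 tarball that `%setup -q -a 3` unpacks, but nothing in its metadata records that it ships a second, older copy of the paps code. A CUPS filter presumably parses print-job data, so this is the copy that vulnerability tracking most needs to see. Declaring it under `%package -n texttopaps` makes the bundled version queryable from the RPM database, for example `Provides: bundled(paps) = 0.6.8`. A short comment next to `Source3` explaining why the old release is still built would help as well.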
@@ -85,16 +92,29 @@ applications using paps API. %patch 59 -p1 -b .ft-header %patch 60 -p1 -b .a3 %patch 61 -p1 -b .paper-size +%patch 62 -p2 -b .configure-c99 +%patch 63 -p1 -b .glib282 libtoolize -f -c autoreconf -f -i +popd %build +./autogen.sh +%set_build_flags +%if 0%{?rhel} +CXXFLAGS="$CXXFLAGS -DFMT_HEADER_ONLY" +%endif %configure --disable-static make %{?_smp_mflags} +pushd %{name}-0.6.8 +%configure --disable-static +make %{?_smp_mflags} +popd %install +pushd %{name}-0.6.8 make install DESTDIR=$RPM_BUILD_ROOT INSTALL="/usr/bin/install -p" # remove unnecessary files @@ -102,7 +122,8 @@ rm $RPM_BUILD_ROOT%{_libdir}/libpaps.la # make a symlink for CUPS filter install -d $RPM_BUILD_ROOT%{_cups_serverbin}/filter # Not libdir -ln -s %{_bindir}/paps $RPM_BUILD_ROOT%{_cups_serverbin}/filter/texttopaps +mv $RPM_BUILD_ROOT%{_bindir}/paps $RPM_BUILD_ROOT%{_cups_serverbin}/filter/texttopaps +mv $RPM_BUILD_ROOT%{_mandir}/man1/paps.1 $RPM_BUILD_ROOT%{_mandir}/man1/texttopaps.1 install -d $RPM_BUILD_ROOT%{_datadir}/cups/mime install -p -m0644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/cups/mime/ 
@@ -110,29 +131,107 @@ install -p -m0644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/cups/mime/ install -d $RPM_BUILD_ROOT%{_sysconfdir}/fonts/conf.d install -p -m0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/fonts/conf.d/ +install -d $RPM_BUILD_ROOT%{_licensedir} +install COPYING.LIB $RPM_BUILD_ROOT%{_licensedir}/COPYING_1.LIB + +rm -rf $RPM_BUILD_ROOT%{_includedir} +rm $RPM_BUILD_ROOT%{_libdir}/libpaps.so +popd + +make install DESTDIR=$RPM_BUILD_ROOT INSTALL="/usr/bin/install -p" %ldconfig_scriptlets libs %files -%doc AUTHORS COPYING.LIB README TODO +%license COPYING.LIB +%doc AUTHORS README +%dir %{_datadir}/paps %{_bindir}/paps +%{_bindir}/src-to-paps +%{_datadir}/paps/pango_markup.outlang %{_mandir}/man1/paps.1* + +%files -n texttopaps +%license %{_licensedir}/COPYING_1.LIB +%doc %{name}-0.6.8/AUTHORS %{name}-0.6.8/README +%{_mandir}/man1/texttopaps.1* +%{_libdir}/libpaps.so.* %{_cups_serverbin}/filter/texttopaps %{_datadir}/cups/mime/paps.convs %{_sysconfdir}/fonts/conf.d/29-paps.conf -%files libs -%doc COPYING.LIB -%{_libdir}/libpaps.so.* - -%files devel -%doc COPYING.LIB -%{_includedir}/libpaps.h -%{_libdir}/libpaps.so %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 0.6.8-46 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). +* Wed Dec 18 2024 Jyoti kanase - 0.8.0-12 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License Verified. 
+ +* Fri Sep 13 2024 Akira TAGOH - 0.8.0-11 +- Fix build with glib 2.82 + Patch from Yaakov Selkowitz + +* Thu Jul 18 2024 Fedora Release Engineering - 0.8.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jun 7 2024 Akira TAGOH - 0.8.0-9 +- Own /usr/share/paps + Resolves: rhbz#2283284 + +* Thu Jan 25 2024 Fedora Release Engineering - 0.8.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 0.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jan 17 2024 Akira TAGOH - 0.8.0-6 +- Fix C type error in paps 0.6.8. + Resolves: rhbz#2256906 + +* Mon Aug 14 2023 Yaakov Selkowitz - 0.8.0-5 +- Use fmt in header-only mode in RHEL builds + +* Thu Jul 20 2023 Fedora Release Engineering - 0.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jun 28 2023 Vitaly Zaitsev - 0.8.0-3 +- Rebuilt due to fmt 10 update. + +* Thu Apr 13 2023 Florian Weimer - 0.8.0-2 +- C99 compatibility fixes for paps 0.6.8 + +* Wed Mar 1 2023 Akira TAGOH - 0.8.0-1 +- New upstream release. + Resolves: rhbz#2168726 + +* Tue Feb 7 2023 Akira TAGOH - 0.7.9-1 +- New upstream release. + Resolves: rhbz#2164212 + +* Thu Jan 19 2023 Fedora Release Engineering - 0.7.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Dec 5 2022 Akira TAGOH - 0.7.1-6 +- Convert License tag to SPDX. 
+ +* Fri Jul 22 2022 Fedora Release Engineering - 0.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.7.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 0.7.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Oct 8 2020 Akira TAGOH - 0.7.1-1 +- New upstream release. + Resolves: rhbz#1254352 +- Sub-package texttopaps with old code. + +* Tue Jul 28 2020 Fedora Release Engineering - 0.6.8-46 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild * Wed Jan 29 2020 Fedora Release Engineering - 0.6.8-45 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.signatures.json b/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.signatures.json index b682ddeb4e..6277009d9d 100644 --- a/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.signatures.json +++ b/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "perl-Locale-Maketext-Gettext-1.30.tar.gz": "053dacd6dec3034ec4111de2be6a8b35379cd8630ce835567663f84bc4ea000b" + "perl-Locale-Maketext-Gettext-1.32.tar.gz": "946a9d4506f97393314546557c13efb346f228e70d6c50aca06f65061584b2fb" } } diff --git a/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.spec b/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.spec index 250dd21814..32c6deac8a 100644 --- a/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.spec +++ b/SPECS-EXTENDED/perl-Locale-Maketext-Gettext/perl-Locale-Maketext-Gettext.spec 
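Review bot: Near the top of this hunk, `%ldconfig_scriptlets libs` is kept as context even though the commit removes the `libs` subpackage and moves `%{_libdir}/libpaps.so.*` into `%files -n texttopaps`. If the macro expands to real scriptlets on this distribution, they now name a package that no longer exists, and the package that actually ships the shared library gets none. Pointing it at the new owner keeps the two in step: `%ldconfig_scriptlets -n texttopaps`.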
@@ -1,71 +1,140 @@ -Vendor: Microsoft Corporation -Distribution: Azure Linux +# Perform optional tests +%bcond_without perl_Locale_Maketext_Gettext_enables_optional_test + Name: perl-Locale-Maketext-Gettext -Version: 1.30 -Release: 3%{?dist} +Version: 1.32 +Release: 1%{?dist} Summary: Joins the gettext and Maketext frameworks -License: GPL+ or Artistic +# README.md: GPL+ or Artistic +# t/02-big-endian.t: "the same terms as Perl" and "the same license as the commonlib package" +# (The "commonlib" text is a few-line excerpt.) +# Automatically converted from old format: GPL+ or Artistic - review is highly recommended. +License: GPL-1.0-or-later OR Artistic-1.0-Perl +Vendor: Microsoft Corporation +Distribution: Azure Linux URL: https://metacpan.org/release/Locale-Maketext-Gettext Source0: https://cpan.metacpan.org/authors/id/I/IM/IMACAT/Locale-Maketext-Gettext-%{version}.tar.gz#/perl-Locale-Maketext-Gettext-%{version}.tar.gz BuildArch: noarch BuildRequires: coreutils -BuildRequires: perl-interpreter +# diffutils for cmp +BuildRequires: diffutils +BuildRequires: make BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl(:VERSION) >= 5.8 +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Run-time: BuildRequires: perl(base) BuildRequires: perl(Encode) BuildRequires: perl(Exporter) -BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(File::Spec::Functions) +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(Locale::Maketext) +# Tests: BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) -BuildRequires: perl(File::Spec::Functions) BuildRequires: perl(FindBin) BuildRequires: perl(lib) -BuildRequires: perl(Locale::Maketext) -BuildRequires: perl(Module::Build) -# Module::Signature not used -BuildRequires: perl(Socket) -BuildRequires: perl(strict) BuildRequires: perl(Test) BuildRequires: perl(Test::More) BuildRequires: perl(vars) -BuildRequires: 
perl(warnings) -BuildRequires: sed -Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) -# Convert getext parameters to maketext parameters (CPAN RT#97771) -Patch0: gettexttomakettext.patch - +%if %{with perl_Locale_Maketext_Gettext_enables_optional_test} +# Optional tests: +# Module::Signature not used +# Socket not used +BuildRequires: perl(Test::Pod) >= 1.00 +%endif + +# Filter private modules +%global __provides_exclude %{?__provides_exclude:%{__provides_exclude}|}^perl\\(T_L10N + %description Locale::Maketext::Gettext joins the GNU gettext and Maketext frameworks. It is a subclass of Locale::Maketext(3) that follows the way GNU gettext works. It works seamlessly, both in the sense of GNU gettext and Maketext. As a result, you enjoy both their advantages, and get rid of both their problems, too. - + +%package tests +Summary: Tests for %{name} +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: coreutils +Requires: perl-Test-Harness + +%description tests +Tests from %{name}. Execute them +with "%{_libexecdir}/%{name}/test". 
+ %prep -%setup -q -n Locale-Maketext-Gettext-%{version} -%patch 0 -p 1 - +%autosetup -p1 -n Locale-Maketext-Gettext-%{version} +# Remove unsed tests +for F in t/00-signature.t \ +%if !%{with perl_Locale_Maketext_Gettext_enables_optional_test} + t/99-pod.t \ +%endif +; do + rm "$F" + perl -i -ne 'print $_ unless m{^\Q'"$F"'\E}' MANIFEST +done +# Sym-link identical files +if cmp t/locale/C/LC_MESSAGES/test.mo t/locale/en/LC_MESSAGES/test.mo; then + rm t/locale/en/LC_MESSAGES/test.mo + ln -s ../../C/LC_MESSAGES/test.mo t/locale/en/LC_MESSAGES/test.mo +fi + %build -%{__perl} Build.PL installdirs=vendor -./Build - +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +%{make_build} + %install -./Build install destdir=$RPM_BUILD_ROOT create_packlist=0 -%{_fixperms} $RPM_BUILD_ROOT/* - +%{make_install} +%{_fixperms} %{buildroot}/* +# Install tests +mkdir -p %{buildroot}%{_libexecdir}/%{name} +cp -a t %{buildroot}%{_libexecdir}/%{name} +%if %{with perl_Locale_Maketext_Gettext_enables_optional_test} + rm %{buildroot}%{_libexecdir}/%{name}/t/99-pod.t +%endif +mkdir -p %{buildroot}%{_libexecdir}/%{name}/blib/script +ln -s \ + $(realpath --relative-to %{buildroot}%{_libexecdir}/%{name}/blib/script \ + %{buildroot}%{_bindir}/maketext) \ + %{buildroot}%{_libexecdir}/%{name}/blib/script/maketext +cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF' +#!/bin/bash +set -e +# t/12-cache.t and others write into CWD. +DIR=$(mktemp -d) +pushd "$DIR" +cp -a %{_libexecdir}/%{name}/* ./ +prove -I . 
-j "$(getconf _NPROCESSORS_ONLN)" +popd +rm -rf "$DIR" +EOF +chmod +x %{buildroot}%{_libexecdir}/%{name}/test + %check -rm -f debugsources.list debugfiles.list debuglinks.list -./Build test - +export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}') +make test + %files -%license Artistic COPYING -%doc BUGS Changes README THANKS TODO +%license Artistic +%doc Changes README.md %{perl_vendorlib}/* %{_mandir}/man3/* %{_bindir}/maketext %{_mandir}/man1/* + +%files tests +%{_libexecdir}/%{name} %changelog +* Mon Mar 17 2025 Sumit Jena - 1.32-1 +- Update to version 1.32 +- License verified + * Fri Oct 15 2021 Pawel Winogrodzki - 1.30-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/SPECS-EXTENDED/pipewire/pipewire.spec b/SPECS-EXTENDED/pipewire/pipewire.spec index d93cc7ef4e..1a6685a6ca 100644 --- a/SPECS-EXTENDED/pipewire/pipewire.spec +++ b/SPECS-EXTENDED/pipewire/pipewire.spec @@ -18,7 +18,7 @@ Summary: Media Sharing Server Name: pipewire Version: %{majorversion}.%{minorversion}.%{microversion} -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -42,7 +42,6 @@ BuildRequires: pkgconfig(gstreamer-base-1.0) >= 1.10.0 BuildRequires: pkgconfig(gstreamer-plugins-base-1.0) >= 1.10.0 BuildRequires: pkgconfig(gstreamer-net-1.0) >= 1.10.0 BuildRequires: pkgconfig(gstreamer-allocators-1.0) >= 1.10.0 -BuildRequires: pkgconfig(fdk-aac) %if %{with vulkan} BuildRequires: pkgconfig(vulkan) %endif @@ -213,6 +212,7 @@ cp %{SOURCE1} subprojects/packagefiles/ -D volume=disabled -D bluez5-codec-aptx=disabled -D roc=disabled \ -D bluez5-codec-lc3plus=disabled \ -D bluez5-codec-ldac=disabled \ + -D bluez5-codec-aac=disabled \ -D bluez5-codec-opus=disabled \ -D x11-xfixes=disabled \ %if %{with media_session} 
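Review bot: The generated `%{_libexecdir}/%{name}/test` runner creates its scratch directory with `mktemp -d` but removes it only on the last line, and the script runs under `set -e`. A failing `prove` therefore exits before `rm -rf "$DIR"` and leaves a full copy of the test tree behind in the temporary directory on every failed run. Registering the cleanup straight after the directory is created covers both outcomes: `trap 'rm -rf "$DIR"' EXIT`.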
@@ -428,6 +428,9 @@ systemctl --no-reload preset --global pipewire.socket >/dev/null 2>&1 || : %endif %changelog +* Mon Jun 30 2025 Sandeep Karambelkar - 0.3.60-3 +- Build without fdk-aac package since that package has license issues + * Thu Nov 24 2022 Sumedh Sharma - 0.3.60-2 - Initial CBL-Mariner import from Fedora 37 (license: MIT) - Build with features disabled: jack, jackserver-plugin and libcamera-plugin diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index c108b24bed..746d06e16d 100644 --- a/SPECS-EXTENDED/podman/podman.spec +++ b/SPECS-EXTENDED/podman/podman.spec @@ -35,7 +35,7 @@ Name: podman Version: 4.1.1 -Release: 28%{?dist} +Release: 29%{?dist} License: ASL 2.0 and BSD and ISC and MIT and MPLv2.0 Summary: Manage Pods, Containers and Container Images Vendor: Microsoft Corporation @@ -50,7 +50,7 @@ BuildRequires: go-md2man BuildRequires: golang BuildRequires: gcc BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: git BuildRequires: go-rpm-macros BuildRequires: gpgme-devel @@ -386,6 +386,9 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/ # rhcontainerbot account currently managed by lsm5 %changelog +* Thu May 22 2025 Kanishk Bansal - 4.1.1-29 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps - 4.1.1-28 - Bump to rebuild with updated glibc diff --git a/SPECS-EXTENDED/ppp/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch b/SPECS-EXTENDED/ppp/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch deleted file mode 100644 index b8a76ca42c..0000000000 --- a/SPECS-EXTENDED/ppp/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 486e36d184cbaee7e34bb582ea6fdf3bfa9ca531 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:23:42 +0200 -Subject: [PATCH 01/27] build-sys: use gcc as our compiler of choice - ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index a74c914..1d9ea78 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -30,7 +30,7 @@ ifeq (.depend,$(wildcard .depend)) - include .depend - endif - --# CC = gcc -+CC = gcc - # - COPTS = -O2 -pipe -Wall -g - LIBS = --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0002-build-sys-enable-PAM-support.patch b/SPECS-EXTENDED/ppp/0002-build-sys-enable-PAM-support.patch deleted file mode 100644 index 2f1c53b4f1..0000000000 --- a/SPECS-EXTENDED/ppp/0002-build-sys-enable-PAM-support.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 0d71a32b73b71c9793d0b304320858062faf00d1 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:25:43 +0200 -Subject: [PATCH 02/27] build-sys: enable PAM support - ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 1d9ea78..5a44d30 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -61,7 +61,7 @@ HAVE_MULTILINK=y - USE_TDB=y - - HAS_SHADOW=y --#USE_PAM=y -+USE_PAM=y - HAVE_INET6=y - - # Enable plugins --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch b/SPECS-EXTENDED/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch deleted file mode 100644 index 87da38b79b..0000000000 --- a/SPECS-EXTENDED/ppp/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:29:39 +0200 -Subject: [PATCH 03/27] build-sys: utilize compiler flags handed to us by - rpmbuild - ---- - chat/Makefile.linux | 2 +- - pppd/Makefile.linux | 3 +-- - pppd/plugins/Makefile.linux | 2 +- - pppd/plugins/pppoatm/Makefile.linux | 2 +- - pppd/plugins/radius/Makefile.linux | 2 +- - pppd/plugins/rp-pppoe/Makefile.linux | 2 +- - pppdump/Makefile.linux | 2 +- - pppstats/Makefile.linux | 2 +- - 8 files changed, 8 insertions(+), 9 deletions(-) - -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 1065ac5..848cd8d 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function - CDEF4= -DFNDELAY=O_NDELAY # Old name value - CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) - --COPTS= -O2 -g -pipe -+COPTS= $(RPM_OPT_FLAGS) - CFLAGS= $(COPTS) $(CDEFS) - - INSTALL= install -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 5a44d30..63872eb 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -32,8 +32,7 @@ endif - - CC = gcc - # --COPTS = -O2 -pipe -Wall -g --LIBS = -+COPTS = -Wall $(RPM_OPT_FLAGS) - - # Uncomment the next 2 lines to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 0a7ec7b..e09a369 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I.. 
-I../../include -fPIC - LDFLAGS = -shared - INSTALL = install -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 20f62e6..5a81447 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC - LDFLAGS = -shared - INSTALL = install -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 24ed3e5..45b3b8d 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) - INSTALL = install - - PLUGIN=radius.so radattr.so radrealms.so --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON -+CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON - - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 5d7a271..352991a 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -25,7 +25,7 @@ INSTALL = install - # Version is set ONLY IN THE MAKEFILE! Don't delete this! 
- RP_VERSION=3.8p - --COPTS=-O2 -g -+COPTS=$(RPM_OPT_FLAGS) - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index ac028f6..d0a5032 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 - --CFLAGS= -O -I../include/net -+CFLAGS= $(RPM_OPT_FLAGS) -I../include/net - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o - - INSTALL= install -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index cca6f0f..42aba73 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c - PPPSTATOBJS = pppstats.o - - #CC = gcc --COPTS = -O -+COPTS = $(RPM_OPT_FLAGS) - COMPILE_FLAGS = -I../include - LIBS = - --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0004-doc-add-configuration-samples.patch b/SPECS-EXTENDED/ppp/0004-doc-add-configuration-samples.patch deleted file mode 100644 index 0cea0374ab..0000000000 --- a/SPECS-EXTENDED/ppp/0004-doc-add-configuration-samples.patch +++ /dev/null 
@@ -1,341 +0,0 @@ -From d7faeb88f684c8b2ae193b2c5b5b358ac757fcfa Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:39:09 +0200 -Subject: [PATCH 04/27] doc: add configuration samples - ---- - sample/auth-down | 17 ++++++ - sample/auth-up | 17 ++++++ - sample/ip-down | 22 ++++++++ - sample/ip-up | 23 ++++++++ - sample/options | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++ - sample/options.ttyXX | 14 +++++ - sample/pap-secrets | 28 ++++++++++ - 7 files changed, 274 insertions(+) - create mode 100644 sample/auth-down - create mode 100644 sample/auth-up - create mode 100644 sample/ip-down - create mode 100644 sample/ip-up - create mode 100644 sample/options - create mode 100644 sample/options.ttyXX - create mode 100644 sample/pap-secrets - -diff --git a/sample/auth-down b/sample/auth-down -new file mode 100644 -index 0000000..edde65d ---- /dev/null -+++ b/sample/auth-down -@@ -0,0 +1,17 @@ -+#!/bin/sh -+# -+# A program or script which is executed after the remote system -+# successfully authenticates itself. It is executed with the parameters -+# -+# -+ -+# -+# The environment is cleared before executing this script -+# so the path must be reset -+# -+PATH=/usr/sbin:/sbin:/usr/bin:/bin -+export PATH -+ -+echo auth-down `date +'%y/%m/%d %T'` $* >> /var/log/pppstats -+ -+# last line -diff --git a/sample/auth-up b/sample/auth-up -new file mode 100644 -index 0000000..54722a3 ---- /dev/null -+++ b/sample/auth-up -@@ -0,0 +1,17 @@ -+#!/bin/sh -+# -+# A program or script which is executed after the remote system -+# successfully authenticates itself. 
It is executed with the parameters -+# -+# -+ -+# -+# The environment is cleared before executing this script -+# so the path must be reset -+# -+PATH=/usr/sbin:/sbin:/usr/bin:/bin -+export PATH -+ -+echo auth-up `date +'%y/%m/%d %T'` $* >> /var/log/pppstats -+ -+# last line -diff --git a/sample/ip-down b/sample/ip-down -new file mode 100644 -index 0000000..b771fb6 ---- /dev/null -+++ b/sample/ip-down -@@ -0,0 +1,22 @@ -+#!/bin/sh -+# -+# This script is run by the pppd _after_ the link is brought down. -+# It should be used to delete routes, unset IP addresses etc. -+# -+# This script is called with the following arguments: -+# Arg Name Example -+# $1 Interface name ppp0 -+# $2 The tty ttyS1 -+# $3 The link speed 38400 -+# $4 Local IP number 12.34.56.78 -+# $5 Peer IP number 12.34.56.99 -+# -+ -+# -+# The environment is cleared before executing this script -+# so the path must be reset -+# -+PATH=/usr/sbin:/sbin:/usr/bin:/bin -+export PATH -+ -+# last line -diff --git a/sample/ip-up b/sample/ip-up -new file mode 100644 -index 0000000..7ce7c8d ---- /dev/null -+++ b/sample/ip-up -@@ -0,0 +1,23 @@ -+#!/bin/sh -+# -+# This script is run by the pppd after the link is established. -+# It should be used to add routes, set IP address, run the mailq -+# etc. -+# -+# This script is called with the following arguments: -+# Arg Name Example -+# $1 Interface name ppp0 -+# $2 The tty ttyS1 -+# $3 The link speed 38400 -+# $4 Local IP number 12.34.56.78 -+# $5 Peer IP number 12.34.56.99 -+# -+ -+# -+# The environment is cleared before executing this script -+# so the path must be reset -+# -+PATH=/usr/sbin:/sbin:/usr/bin:/bin -+export PATH -+ -+# last line -diff --git a/sample/options b/sample/options -new file mode 100644 -index 0000000..8d0a3f9 ---- /dev/null -+++ b/sample/options -@@ -0,0 +1,153 @@ -+# /etc/ppp/options -+ -+# The name of this server. Often, the FQDN is used here. 
-+#name -+ -+# Enforce the use of the hostname as the name of the local system for -+# authentication purposes (overrides the name option). -+usehostname -+ -+# If no local IP address is given, pppd will use the first IP address -+# that belongs to the local hostname. If "noipdefault" is given, this -+# is disabled and the peer will have to supply an IP address. -+noipdefault -+ -+# With this option, pppd will accept the peer's idea of our local IP -+# address, even if the local IP address was specified in an option. -+#ipcp-accept-local -+ -+# With this option, pppd will accept the peer's idea of its (remote) IP -+# address, even if the remote IP address was specified in an option. -+#ipcp-accept-remote -+ -+# Specify which DNS Servers the incoming Win95 or WinNT Connection should use -+# Two Servers can be remotely configured -+#ms-dns 192.168.1.1 -+#ms-dns 192.168.1.2 -+ -+# Specify which WINS Servers the incoming connection Win95 or WinNT should use -+#wins-addr 192.168.1.50 -+#wins-addr 192.168.1.51 -+ -+# enable this on a server that already has a permanent default route -+#nodefaultroute -+ -+# Run the executable or shell command specified after pppd has terminated -+# the link. This script could, for example, issue commands to the modem -+# to cause it to hang up if hardware modem control signals were not -+# available. -+# If mgetty is running, it will reset the modem anyway. So there is no need -+# to do it here. -+#disconnect "chat -- \d+++\d\c OK ath0 OK" -+ -+# Increase debugging level (same as -d). The debug output is written -+# to syslog LOG_LOCAL2. -+debug -+ -+# Enable debugging code in the kernel-level PPP driver. The argument n -+# is a number which is the sum of the following values: 1 to enable -+# general debug messages, 2 to request that the contents of received -+# packets be printed, and 4 to request that the contents of transmitted -+# packets be printed. 
-+#kdebug n -+ -+# Require the peer to authenticate itself before allowing network -+# packets to be sent or received. -+# Please do not disable this setting. It is expected to be standard in -+# future releases of pppd. Use the call option (see manpage) to disable -+# authentication for specific peers. -+#auth -+ -+# authentication can either be pap or chap. As most people only want to -+# use pap, you can also disable chap: -+#require-pap -+#refuse-chap -+ -+# Use hardware flow control (i.e. RTS/CTS) to control the flow of data -+# on the serial port. -+crtscts -+ -+# Specifies that pppd should use a UUCP-style lock on the serial device -+# to ensure exclusive access to the device. -+lock -+ -+# Use the modem control lines. -+modem -+ -+# async character map -- 32-bit hex; each bit is a character -+# that needs to be escaped for pppd to receive it. 0x00000001 -+# represents '\x01', and 0x80000000 represents '\x1f'. -+# To allow pppd to work over a rlogin/telnet connection, ou should escape -+# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".) -+#asyncmap 200a0000 -+asyncmap 0 -+ -+# Specifies that certain characters should be escaped on transmission -+# (regardless of whether the peer requests them to be escaped with its -+# async control character map). The characters to be escaped are -+# specified as a list of hex numbers separated by commas. Note that -+# almost any character can be specified for the escape option, unlike -+# the asyncmap option which only allows control characters to be -+# specified. The characters which may not be escaped are those with hex -+# values 0x20 - 0x3f or 0x5e. -+#escape 11,13,ff -+ -+# Set the MRU [Maximum Receive Unit] value to for negotiation. pppd -+# will ask the peer to send packets of no more than bytes. The -+# minimum MRU value is 128. The default MRU value is 1500. A value of -+# 296 is recommended for slow links (40 bytes for TCP/IP header + 256 -+# bytes of data). 
-+#mru 542 -+ -+# Set the MTU [Maximum Transmit Unit] value to . Unless the peer -+# requests a smaller value via MRU negotiation, pppd will request that -+# the kernel networking code send data packets of no more than n bytes -+# through the PPP network interface. -+#mtu -+ -+# Set the interface netmask to , a 32 bit netmask in "decimal dot" -+# notation (e.g. 255.255.255.0). -+#netmask 255.255.255.0 -+ -+# Don't fork to become a background process (otherwise pppd will do so -+# if a serial device is specified). -+nodetach -+ -+# Set the assumed name of the remote system for authentication purposes -+# to . -+#remotename -+ -+# Add an entry to this system's ARP [Address Resolution Protocol] -+# table with the IP address of the peer and the Ethernet address of this -+# system. {proxyarp,noproxyarp} -+proxyarp -+ -+# Use the system password database for authenticating the peer using -+# PAP. Note: mgetty already provides this option. If this is specified -+# then dialin from users using a script under Linux to fire up ppp wont work. -+#login -+ -+# If this option is given, pppd will send an LCP echo-request frame to -+# the peer every n seconds. Under Linux, the echo-request is sent when -+# no packets have been received from the peer for n seconds. Normally -+# the peer should respond to the echo-request by sending an echo-reply. -+# This option can be used with the lcp-echo-failure option to detect -+# that the peer is no longer connected. -+lcp-echo-interval 30 -+ -+# If this option is given, pppd will presume the peer to be dead if n -+# LCP echo-requests are sent without receiving a valid LCP echo-reply. -+# If this happens, pppd will terminate the connection. Use of this -+# option requires a non-zero value for the lcp-echo-interval parameter. -+# This option can be used to enable pppd to terminate after the physical -+# connection has been broken (e.g., the modem has hung up) in -+# situations where no hardware modem control lines are available. 
-+lcp-echo-failure 4 -+ -+# Specifies that pppd should disconnect if the link is idle for n seconds. -+idle 600 -+ -+# Disable the IPXCP and IPX protocols. -+noipx -+ -+# ------ -diff --git a/sample/options.ttyXX b/sample/options.ttyXX -new file mode 100644 -index 0000000..d4202f5 ---- /dev/null -+++ b/sample/options.ttyXX -@@ -0,0 +1,14 @@ -+# If you need to set up multiple serial lines then copy this file to -+# options. for each tty with a modem on it. -+# -+# The options.tty file will assign an IP address to each PPP connection -+# as it comes up. They must all be distinct! -+# -+# Example: -+# options.ttyS1 for com2 under DOS. -+# -+# Edit the following line so that the first IP address -+# mentioned is the ip address of the serial port while the second -+# is the IP address of your host -+# -+hostname-s1:hostname -diff --git a/sample/pap-secrets b/sample/pap-secrets -new file mode 100644 -index 0000000..098971b ---- /dev/null -+++ b/sample/pap-secrets -@@ -0,0 +1,28 @@ -+# Secrets for authentication using PAP -+# client server secret IP addresses -+ -+# OUTBOUND CONNECTIONS -+# Here you should add your userid password to connect to your providers via -+# pap. The * means that the password is to be used for ANY host you connect -+# to. Thus you do not have to worry about the foreign machine name. Just -+# replace password with your password. -+# If you have different providers with different passwords then you better -+# remove the following line. -+#hostname * password -+ -+# INBOUND CONNECTIONS -+#client hostname 192.168.1.1 -+ -+# If you add "auth login -chap +pap" to /etc/mgetty+sendfax/login.config, -+# all users in /etc/passwd can use their password for pap-authentication. -+# -+# Every regular user can use PPP and has to use passwords from /etc/passwd -+#* hostname "" -+# UserIDs that cannot use PPP at all. Check your /etc/passwd and add any -+# other accounts that should not be able to use pppd! Replace hostname -+# with your local hostname. 
-+#guest hostname "*" - -+#master hostname "*" - -+#root hostname "*" - -+#support hostname "*" - -+#stats hostname "*" - --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch b/SPECS-EXTENDED/ppp/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch deleted file mode 100644 index 86cac6a30e..0000000000 --- a/SPECS-EXTENDED/ppp/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 69711944745af0078da77e108d30f89fd7e06108 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 12:01:33 +0200 -Subject: [PATCH 05/27] build-sys: don't hardcode LIBDIR, but set it according - to the target platform - ---- - pppd/Makefile.linux | 3 ++- - pppd/pathnames.h | 2 +- - pppd/plugins/Makefile.linux | 2 +- - pppd/plugins/pppoatm/Makefile.linux | 2 +- - pppd/plugins/pppol2tp/Makefile.linux | 4 ++-- - pppd/plugins/radius/Makefile.linux | 2 +- - pppd/plugins/rp-pppoe/Makefile.linux | 2 +- - 7 files changed, 9 insertions(+), 8 deletions(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 63872eb..8ed56c1 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -8,6 +8,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 - INCDIR = $(DESTDIR)/include -+LIBDIR = $(DESTDIR)/lib - - TARGETS = pppd - -@@ -32,7 +33,7 @@ endif - - CC = gcc - # --COPTS = -Wall $(RPM_OPT_FLAGS) -+COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - - # Uncomment the next 2 lines to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. -diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index a33f046..a427cb8 100644 ---- a/pppd/pathnames.h -+++ b/pppd/pathnames.h -@@ -57,7 +57,7 @@ - - #ifdef PLUGIN - #ifdef __STDC__ --#define _PATH_PLUGIN DESTDIR "/lib/pppd/" VERSION -+#define _PATH_PLUGIN LIBDIR "/pppd/" VERSION - #else /* __STDC__ */ - #define _PATH_PLUGIN "/usr/lib/pppd" - #endif /* __STDC__ */ --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0006-scritps-use-change_resolv_conf-function.patch b/SPECS-EXTENDED/ppp/0006-scritps-use-change_resolv_conf-function.patch deleted file mode 100644 index cbf8713009..0000000000 --- a/SPECS-EXTENDED/ppp/0006-scritps-use-change_resolv_conf-function.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 01419dfb684d501b57f1c24dcfdbcf9da93ccca2 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:12:47 +0200 -Subject: [PATCH 06/27] scritps: use change_resolv_conf function - -Don't handle /etc/resolv.conf manually, but use a helper function from -initscripts. Also change path where we save DNS servers supplied by peer while -we are at it. - -Resolves: #132482 ---- - pppd/pppd.8 | 2 +- - scripts/ip-down.local.add | 9 +++++---- - scripts/ip-up.local.add | 17 ++++++++++------- - 3 files changed, 16 insertions(+), 12 deletions(-) - -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index e2768b1..2dd6e1a 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -1099,7 +1099,7 @@ Ask the peer for up to 2 DNS server addresses. The addresses supplied - by the peer (if any) are passed to the /etc/ppp/ip\-up script in the - environment variables DNS1 and DNS2, and the environment variable - USEPEERDNS will be set to 1. In addition, pppd will create an --/etc/ppp/resolv.conf file containing one or two nameserver lines with -+/var/run/ppp/resolv.conf file containing one or two nameserver lines with - the address(es) supplied by the peer. - .TP - .B user \fIname -diff --git a/scripts/ip-down.local.add b/scripts/ip-down.local.add -index b93590e..163f71e 100644 ---- a/scripts/ip-down.local.add -+++ b/scripts/ip-down.local.add -@@ -9,12 +9,13 @@ - # - # Nick Walker (nickwalker@email.com) - # -+. 
/etc/sysconfig/network-scripts/network-functions - --if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then -- if [ -f /etc/ppp/resolv.prev ]; then -- cp -f /etc/ppp/resolv.prev /etc/resolv.conf -+if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then -+ if [ -f /var/run/ppp/resolv.prev ]; then -+ change_resolv_conf /var/run/ppp/resolv.prev - else -- rm -f /etc/resolv.conf -+ change_resolv_conf - fi - fi - -diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add -index 8017209..26cf5f8 100644 ---- a/scripts/ip-up.local.add -+++ b/scripts/ip-up.local.add -@@ -9,16 +9,19 @@ - # - # Nick Walker (nickwalker@email.com) - # -+. /etc/sysconfig/network-scripts/network-functions - --if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then -- rm -f /etc/ppp/resolv.prev -+if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then -+ rm -f /var/run/ppp/resolv.prev - if [ -f /etc/resolv.conf ]; then -- cp /etc/resolv.conf /etc/ppp/resolv.prev -- grep domain /etc/ppp/resolv.prev > /etc/resolv.conf -- grep search /etc/ppp/resolv.prev >> /etc/resolv.conf -- cat /etc/ppp/resolv.conf >> /etc/resolv.conf -+ cp /etc/resolv.conf /var/run/ppp/resolv.prev -+ rscf=/var/run/ppp/resolv.new -+ grep domain /var/run/ppp/resolv.prev > $rscf -+ grep search /var/run/ppp/resolv.prev >> $rscf -+ change_resolv_conf $rscf -+ rm -f $rscf - else -- cp /etc/ppp/resolv.conf /etc -+ change_resolv_conf /var/run/ppp/resolv.conf - fi - fi - --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0007-build-sys-don-t-strip-binaries-during-installation.patch b/SPECS-EXTENDED/ppp/0007-build-sys-don-t-strip-binaries-during-installation.patch deleted file mode 100644 index 9f542a66e8..0000000000 --- a/SPECS-EXTENDED/ppp/0007-build-sys-don-t-strip-binaries-during-installation.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From b9fb631a493c5f1b490c8e9645eb6ebab4b25cc8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:37:00 +0200 -Subject: [PATCH 07/27] build-sys: don't strip binaries during installation - -We don't want that when building rpms. rpmbuild does final stripping of binaries -for us and generetes debuginfo rpm. ---- - chat/Makefile.linux | 2 +- - pppd/Makefile.linux | 4 ++-- - pppd/plugins/radius/Makefile.linux | 6 +++--- - pppd/plugins/rp-pppoe/Makefile.linux | 4 ++-- - pppdump/Makefile.linux | 2 +- - pppstats/Makefile.linux | 2 +- - 6 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 848cd8d..2445637 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -25,7 +25,7 @@ chat.o: chat.c - - install: chat - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c chat $(BINDIR) -+ $(INSTALL) -c chat $(BINDIR) - $(INSTALL) -c -m 644 chat.8 $(MANDIR) - - clean: -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 8ed56c1..4f27100 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -102,7 +102,7 @@ ifdef USE_SRP - CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include - LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto - TARGETS += srp-entry --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -@@ -208,7 +208,7 @@ all: $(TARGETS) - install: pppd - mkdir -p $(BINDIR) $(MANDIR) - $(EXTRAINSTALL) -- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd -+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ - chmod o-rx,u+s $(BINDIR)/pppd; fi - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 179d0b7..707326b 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ 
b/pppd/plugins/radius/Makefile.linux -@@ -36,9 +36,9 @@ all: $(PLUGIN) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radius.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) - $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR) - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 1305ed8..3cd9101 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -43,9 +43,9 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) -+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) -- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) - - clean: - rm -f *.o *.so pppoe-discovery -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index d0a5032..95c6805 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -17,5 +17,5 @@ clean: - - install: - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c pppdump $(BINDIR) -+ $(INSTALL) -c pppdump $(BINDIR) - $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index 42aba73..c5ba3b1 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -22,7 +22,7 @@ all: pppstats - - install: pppstats - -mkdir -p $(MANDIR) -- $(INSTALL) -s -c pppstats $(BINDIR) -+ $(INSTALL) -c pppstats $(BINDIR) - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) --- -1.8.3.1 - 
diff --git a/SPECS-EXTENDED/ppp/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch b/SPECS-EXTENDED/ppp/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch
deleted file mode 100644
index e82c9576c7..0000000000
--- a/SPECS-EXTENDED/ppp/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch
+++ /dev/null
@@ -1,89 +0,0 @@ -From 343728d5de6e44bd67923503e62eefaad50760a4 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:47:01 +0200 -Subject: [PATCH 08/27] build-sys: use prefix /usr instead of /usr/local - ---- - configure | 2 +- - pppd/Makefile.linux | 4 ++-- - scripts/ppp-on-rsh | 2 +- - scripts/ppp-on-ssh | 4 ++-- - scripts/secure-card | 2 +- - 5 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/configure b/configure -index 6a55e0f..db54d77 100755 ---- a/configure -+++ b/configure -@@ -2,7 +2,7 @@ - # $Id: configure,v 1.38 2008/06/15 07:08:49 paulus Exp $ - - # Where to install stuff by default --DESTDIR=/usr/local -+DESTDIR=/usr - SYSCONF=/etc - - # if [ -d /NextApps ]; then -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 4f27100..95c2598 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -99,8 +99,8 @@ endif - - # EAP SRP-SHA1 - ifdef USE_SRP --CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include --LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto -+CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/include/openssl -+LIBS += -lsrp -L/usr/lib -lcrypto - TARGETS += srp-entry - EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 -diff --git a/scripts/ppp-on-rsh b/scripts/ppp-on-rsh -index 30a50db..a80616a 100755 ---- a/scripts/ppp-on-rsh -+++ b/scripts/ppp-on-rsh -@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost - # For this example, we assume that pppd on both local and remote - # machines reside in the same place, /usr/local/bin/pppd - # --PPPD_LOC=/usr/local/bin/pppd -+PPPD_LOC=/usr/sbin/pppd - - # - # The location of local options file (where rsh client is running). 
-diff --git a/scripts/ppp-on-ssh b/scripts/ppp-on-ssh -index 0e41aca..c27e80a 100755 ---- a/scripts/ppp-on-ssh -+++ b/scripts/ppp-on-ssh -@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost - # For this example, we assume that pppd on both local and remote - # machines reside in the same place, /usr/local/bin/pppd - # --PPPD_LOC=/usr/local/bin/pppd -+PPPD_LOC=/usr/sbin/pppd - - # - # The location of local options file (where ssh client is running). -@@ -52,7 +52,7 @@ PPPD_REM_OPT=/etc/ppp/options-ssh-rem - # - # The location of ssh client on the local machine - # --SSH_LOC=/usr/local/bin/ssh -+SSH_LOC=/usr/bin/ssh - - export PPPD_LOC PPPD_LOC_OPT PPPD_REM_OPT PPPD_RHOST SSH_LOC - -diff --git a/scripts/secure-card b/scripts/secure-card -index 0002365..ae3ae50 100755 ---- a/scripts/secure-card -+++ b/scripts/secure-card -@@ -1,4 +1,4 @@ --#!/usr/local/bin/expect -f -+#!/usr/bin/expect -f - # - # This script was written by Jim Isaacson . It is - # designed to work as a script to use the SecureCARD(tm) device. This --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0009-pppd-introduce-ipv6-accept-remote.patch b/SPECS-EXTENDED/ppp/0009-pppd-introduce-ipv6-accept-remote.patch deleted file mode 100644 index af0f015247..0000000000 --- a/SPECS-EXTENDED/ppp/0009-pppd-introduce-ipv6-accept-remote.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From abef895f9d144f05a83045136b77277352dc450f Mon Sep 17 00:00:00 2001
-From: David Woodhouse
-Date: Fri, 4 Apr 2014 18:53:33 +0200
-Subject: [PATCH 09/27] pppd: introduce ipv6-accept-remote
-
----
- pppd/ipv6cp.c | 5 ++++-
- pppd/ipv6cp.h | 3 ++-
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
-index caa2b26..5a56c95 100644
---- a/pppd/ipv6cp.c
-+++ b/pppd/ipv6cp.c
-@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = {
-
- { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local,
- "Accept peer's interface identifier for us", 1 },
-+ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote,
-+ "Accept peer's interface identifier for itself", 1 },
-
- { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip,
- "Use (default) IPv4 address as interface identifier", 1 },
-@@ -437,6 +439,7 @@ ipv6cp_init(unit)
- memset(ao, 0, sizeof(*ao));
-
- wo->accept_local = 1;
-+ wo->accept_remote = 1;
- wo->neg_ifaceid = 1;
- ao->neg_ifaceid = 1;
-
-@@ -962,7 +965,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree)
- orc = CONFREJ; /* Reject CI */
- break;
- }
-- if (!eui64_iszero(wo->hisid) &&
-+ if (!eui64_iszero(wo->hisid) && !wo->accept_remote &&
- !eui64_equals(ifaceid, wo->hisid) &&
- eui64_iszero(go->hisid)) {
-
-diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h
-index cc4568d..8c7552e 100644
---- a/pppd/ipv6cp.h
-+++ b/pppd/ipv6cp.h
-@@ -150,7 +150,8 @@
- typedef struct ipv6cp_options {
- int neg_ifaceid; /* Negotiate interface identifier? */
- int req_ifaceid; /* Ask peer to send interface identifier? */
-- int accept_local; /* accept peer's value for iface id? */
-+ int accept_local; /* accept peer's value for our iface id? */
-+ int accept_remote; /* accept peer's value for his iface id? */
- int opt_local; /* ourtoken set by option */
- int opt_remote; /* histoken set by option */
- int use_ip; /* use IP as interface identifier */
---
-1.8.3.1
-
diff --git a/SPECS-EXTENDED/ppp/0010-build-sys-enable-CBCP.patch b/SPECS-EXTENDED/ppp/0010-build-sys-enable-CBCP.patch
deleted file mode 100644
index 87c3b72527..0000000000
--- a/SPECS-EXTENDED/ppp/0010-build-sys-enable-CBCP.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 8015a0ef23a874f288d5e77ffafe1d7f4281725d Mon Sep 17 00:00:00 2001
-From: Michal Sekletar
-Date: Fri, 4 Apr 2014 18:59:24 +0200
-Subject: [PATCH 10/27] build-sys: enable CBCP
-
-Resolves: #199278
----
- pppd/Makefile.linux | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 95c2598..65700fa 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -68,7 +68,7 @@ HAVE_INET6=y
- PLUGIN=y
-
- # Enable Microsoft proprietary Callback Control Protocol
--#CBCP=y
-+CBCP=y
-
- # Enable EAP SRP-SHA1 authentication (requires libsrp)
- #USE_SRP=y
---
-1.8.3.1
-
diff --git a/SPECS-EXTENDED/ppp/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch b/SPECS-EXTENDED/ppp/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
deleted file mode 100644
index 56ac3881e8..0000000000
--- a/SPECS-EXTENDED/ppp/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From b4ef433be936c90e356da7a590b032cdee219a3f Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 19:06:05 +0200 -Subject: [PATCH 11/27] build-sys: don't put connect-errors log to /etc/ppp/ - -Resolves: #118837 ---- - chat/chat.8 | 2 +- - linux/Makefile.top | 8 +++++++- - pppd/pathnames.h | 4 ++-- - 3 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/chat/chat.8 b/chat/chat.8 -index 6d10836..78d6939 100644 ---- a/chat/chat.8 -+++ b/chat/chat.8 -@@ -200,7 +200,7 @@ The \fBSAY\fR directive allows the script to send strings to the user - at the terminal via standard error. If \fBchat\fR is being run by - pppd, and pppd is running as a daemon (detached from its controlling - terminal), standard error will normally be redirected to the file --/etc/ppp/connect\-errors. -+/var/log/ppp/connect\-errors. - .LP - \fBSAY\fR strings must be enclosed in single or double quotes. If - carriage return and line feed are needed in the string to be output, -diff --git a/linux/Makefile.top b/linux/Makefile.top -index f63d45e..f42efd5 100644 ---- a/linux/Makefile.top -+++ b/linux/Makefile.top -@@ -5,6 +5,8 @@ BINDIR = $(DESTDIR)/sbin - INCDIR = $(DESTDIR)/include - MANDIR = $(DESTDIR)/share/man - ETCDIR = $(INSTROOT)@SYSCONF@/ppp -+RUNDIR = $(DESTDIR)/var/run/ppp -+LOGDIR = $(DESTDIR)/var/log/ppp - - # uid 0 = root - INSTALL= install -@@ -16,7 +18,7 @@ all: - cd pppstats; $(MAKE) $(MFLAGS) all - cd pppdump; $(MAKE) $(MFLAGS) all - --install: $(BINDIR) $(MANDIR)/man8 install-progs install-devel -+install: $(BINDIR) $(RUNDIR) $(LOGDIR) $(MANDIR)/man8 install-progs install-devel - - install-progs: - cd chat; $(MAKE) $(MFLAGS) install -@@ -44,6 +46,10 @@ $(MANDIR)/man8: - $(INSTALL) -d -m 755 $@ - $(ETCDIR): - $(INSTALL) -d -m 755 $@ -+$(RUNDIR): -+ $(INSTALL) -d -m 755 $@ -+$(LOGDIR): -+ $(INSTALL) -d -m 755 $@ - - clean: - rm -f `find . 
-name '*.[oas]' -print` -diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index a427cb8..bef3160 100644 ---- a/pppd/pathnames.h -+++ b/pppd/pathnames.h -@@ -28,9 +28,9 @@ - #define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up" - #define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down" - #define _PATH_TTYOPT _ROOT_PATH "/etc/ppp/options." --#define _PATH_CONNERRS _ROOT_PATH "/etc/ppp/connect-errors" -+#define _PATH_CONNERRS _ROOT_PATH "/var/log/ppp/connect-errors" - #define _PATH_PEERFILES _ROOT_PATH "/etc/ppp/peers/" --#define _PATH_RESOLV _ROOT_PATH "/etc/ppp/resolv.conf" -+#define _PATH_RESOLV _ROOT_PATH "/var/run/ppp/resolv.conf" - - #define _PATH_USEROPT ".ppprc" - #define _PATH_PSEUDONYM ".ppp_pseudonym" --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/SPECS-EXTENDED/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch deleted file mode 100644 index cf25dba3f9..0000000000 --- a/SPECS-EXTENDED/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 12:23:36 +0200 -Subject: [PATCH 12/27] pppd: we don't want to accidentally leak fds - ---- - pppd/auth.c | 20 ++++++++++---------- - pppd/options.c | 2 +- - pppd/sys-linux.c | 4 ++-- - 3 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/pppd/auth.c b/pppd/auth.c -index 4271af6..9e957fa 100644 ---- a/pppd/auth.c -+++ b/pppd/auth.c -@@ -428,7 +428,7 @@ setupapfile(argv) - option_error("unable to reset uid before opening %s: %m", fname); - return 0; - } -- ufile = fopen(fname, "r"); -+ ufile = fopen(fname, "re"); - if (seteuid(euid) == -1) - fatal("unable to regain privileges: %m"); - if (ufile == NULL) { -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) - filename = _PATH_UPAPFILE; - addrs = opts = NULL; - ret = UPAP_AUTHNAK; -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) { - error("Can't open PAP password file %s: %m", filename); - -@@ -1512,7 +1512,7 @@ null_login(unit) - if (ret <= 0) { - filename = _PATH_UPAPFILE; - addrs = NULL; -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) - return 0; - check_access(f, filename); -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) - } - - filename = _PATH_UPAPFILE; -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) - return 0; - check_access(f, filename); -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) - } - - filename = _PATH_UPAPFILE; -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) - return 0; - -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) - } - - filename = _PATH_CHAPFILE; -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) - return 0; - -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) - struct wordlist *addrs; - - filename = _PATH_SRPFILE; -- f = 
fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) - return 0; - -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server) - addrs = NULL; - secbuf[0] = 0; - -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - if (f == NULL) { - error("Can't open chap secret file %s: %m", filename); - return 0; -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server) - filename = _PATH_SRPFILE; - addrs = NULL; - -- fp = fopen(filename, "r"); -+ fp = fopen(filename, "re"); - if (fp == NULL) { - error("Can't open srp secret file %s: %m", filename); - return 0; -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags) - */ - if (word[0] == '@' && word[1] == '/') { - strlcpy(atfile, word+1, sizeof(atfile)); -- if ((sf = fopen(atfile, "r")) == NULL) { -+ if ((sf = fopen(atfile, "re")) == NULL) { - warn("can't open indirect secret file %s", atfile); - continue; - } -diff --git a/pppd/options.c b/pppd/options.c -index 45fa742..1d754ae 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv) - option_error("unable to drop privileges to open %s: %m", filename); - return 0; - } -- f = fopen(filename, "r"); -+ f = fopen(filename, "re"); - err = errno; - if (check_prot && seteuid(euid) == -1) - fatal("unable to regain privileges"); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 72a7727..8a12fa0 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) - /* Default the mount location of /proc */ - strlcpy (proc_path, "/proc", sizeof(proc_path)); - proc_path_len = 5; -- fp = fopen(MOUNTED, "r"); -+ fp = fopen(MOUNTED, "re"); - if (fp != NULL) { - while ((mntent = getmntent(fp)) != NULL) { - if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0) -@@ -1472,7 +1472,7 @@ static int open_route_table (void) - close_route_table(); - - path = 
path_to_procfs("/net/route"); -- route_fd = fopen (path, "r"); -+ route_fd = fopen (path, "re"); - if (route_fd == NULL) { - error("can't open routing table %s: %m", path); - return 0; --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/SPECS-EXTENDED/ppp/0013-everywhere-O_CLOEXEC-harder.patch deleted file mode 100644 index d720c362dd..0000000000 --- a/SPECS-EXTENDED/ppp/0013-everywhere-O_CLOEXEC-harder.patch +++ /dev/null 
@@ -1,241 +0,0 @@ -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 13:56:34 +0200 -Subject: [PATCH 13/27] everywhere: O_CLOEXEC harder - ---- - pppd/eap.c | 2 +- - pppd/main.c | 4 ++-- - pppd/options.c | 4 ++-- - pppd/sys-linux.c | 22 +++++++++++----------- - pppd/tdb.c | 4 ++-- - pppd/tty.c | 4 ++-- - pppd/utils.c | 6 +++--- - 7 files changed, 23 insertions(+), 23 deletions(-) - -diff --git a/pppd/eap.c b/pppd/eap.c -index 6ea6c1f..faced53 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -1226,7 +1226,7 @@ mode_t modebits; - - if ((path = name_of_pn_file()) == NULL) - return (-1); -- fd = open(path, modebits, S_IRUSR | S_IWUSR); -+ fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC); - err = errno; - free(path); - errno = err; -diff --git a/pppd/main.c b/pppd/main.c -index 6d50d1b..4880377 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -420,7 +420,7 @@ main(argc, argv) - die(0); - - /* Make sure fds 0, 1, 2 are open to somewhere. 
*/ -- fd_devnull = open(_PATH_DEVNULL, O_RDWR); -+ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); - if (fd_devnull < 0) - fatal("Couldn't open %s: %m", _PATH_DEVNULL); - while (fd_devnull <= 2) { -@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait) - if (log_to_fd >= 0) - errfd = log_to_fd; - else -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600); - - ++conn_running; - pid = safe_fork(in, out, errfd); -diff --git a/pppd/options.c b/pppd/options.c -index 1d754ae..8e62635 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -1544,9 +1544,9 @@ setlogfile(argv) - option_error("unable to drop permissions to open %s: %m", *argv); - return 0; - } -- fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); -+ fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644); - if (fd < 0 && errno == EEXIST) -- fd = open(*argv, O_WRONLY | O_APPEND); -+ fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC); - err = errno; - if (!privileged_option && seteuid(euid) == -1) - fatal("unable to regain privileges: %m"); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 8a12fa0..00a2cf5 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) - goto err; - } - dbglog("using channel %d", chindex); -- fd = open("/dev/ppp", O_RDWR); -+ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); - if (fd < 0) { - error("Couldn't reopen /dev/ppp: %m"); - goto err; -@@ -619,7 +619,7 @@ static int make_ppp_unit() - dbglog("in make_ppp_unit, already had /dev/ppp open?"); - close(ppp_dev_fd); - } -- ppp_dev_fd = open("/dev/ppp", O_RDWR); -+ ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); - if (ppp_dev_fd < 0) - fatal("Couldn't open /dev/ppp: %m"); - flags = fcntl(ppp_dev_fd, F_GETFL); -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) - if (!new_style_driver) - return -1; - -- master_fd = open("/dev/ppp", O_RDWR); 
-+ master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); - if (master_fd < 0) - fatal("Couldn't open /dev/ppp: %m"); - if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) - if (tune_kernel) { - forw_path = path_to_procfs("/sys/net/ipv4/ip_forward"); - if (forw_path != 0) { -- int fd = open(forw_path, O_WRONLY); -+ int fd = open(forw_path, O_WRONLY | O_CLOEXEC); - if (fd >= 0) { - if (write(fd, "1", 1) != 1) - error("Couldn't enable IP forwarding: %m"); -@@ -2030,7 +2030,7 @@ int ppp_available(void) - sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); - kernel_version = KVERSION(osmaj, osmin, ospatch); - -- fd = open("/dev/ppp", O_RDWR); -+ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); - if (fd >= 0) { - new_style_driver = 1; - -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host) - #if __GLIBC__ >= 2 - updwtmp(_PATH_WTMP, &ut); - #else -- wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY); -+ wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC); - if (wtmp >= 0) { - flock(wtmp, LOCK_EX); - -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr, - int fd; - - path = path_to_procfs("/sys/net/ipv4/ip_dynaddr"); -- if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) { -+ if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) { - if (write(fd, "1", 1) != 1) - error("Couldn't enable dynamic IP addressing: %m"); - close(fd); -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) - /* - * Try the unix98 way first. 
- */ -- mfd = open("/dev/ptmx", O_RDWR); -+ mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC); - if (mfd >= 0) { - int ptn; - if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) { -@@ -2581,7 +2581,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) - if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) - warn("Couldn't unlock pty slave %s: %m", pty_name); - #endif -- if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) -+ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) - warn("Couldn't open pty slave %s: %m", pty_name); - } - } -@@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) - for (i = 0; i < 64; ++i) { - slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", - 'p' + i / 16, i % 16); -- mfd = open(pty_name, O_RDWR, 0); -+ mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0); - if (mfd >= 0) { - pty_name[5] = 't'; -- sfd = open(pty_name, O_RDWR | O_NOCTTY, 0); -+ sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); - if (sfd >= 0) { - fchown(sfd, uid, -1); - fchmod(sfd, S_IRUSR | S_IWUSR); -diff --git a/pppd/tdb.c b/pppd/tdb.c -index bdc5828..c7ab71c 100644 ---- a/pppd/tdb.c -+++ b/pppd/tdb.c -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags, - goto internal; - } - -- if ((tdb->fd = open(name, open_flags, mode)) == -1) { -+ if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) { - TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", - name, strerror(errno))); - goto fail; /* errno set by open(2) */ -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) - } - if (close(tdb->fd) != 0) - TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); -- tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0); -+ tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0); - if (tdb->fd == -1) { - TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); - goto fail; -diff --git a/pppd/tty.c b/pppd/tty.c -index d571b11..bc96695 100644 ---- a/pppd/tty.c -+++ 
b/pppd/tty.c -@@ -569,7 +569,7 @@ int connect_tty() - status = EXIT_OPEN_FAILED; - goto errret; - } -- real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0); -+ real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0); - err = errno; - if (prio < OPRIO_ROOT && seteuid(0) == -1) - fatal("Unable to regain privileges"); -@@ -723,7 +723,7 @@ int connect_tty() - if (connector == NULL && modem && devnam[0] != 0) { - int i; - for (;;) { -- if ((i = open(devnam, O_RDWR)) >= 0) -+ if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0) - break; - if (errno != EINTR) { - error("Failed to reopen %s: %m", devnam); -diff --git a/pppd/utils.c b/pppd/utils.c -index 29bf970..6051b9a 100644 ---- a/pppd/utils.c -+++ b/pppd/utils.c -@@ -918,14 +918,14 @@ lock(dev) - slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); - #endif - -- while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { -+ while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) { - if (errno != EEXIST) { - error("Can't create lock file %s: %m", lock_file); - break; - } - - /* Read the lock file to find out who has the device locked. */ -- fd = open(lock_file, O_RDONLY, 0); -+ fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0); - if (fd < 0) { - if (errno == ENOENT) /* This is just a timing problem. */ - continue; -@@ -1004,7 +1004,7 @@ relock(pid) - - if (lock_file[0] == 0) - return -1; -- fd = open(lock_file, O_WRONLY, 0); -+ fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0); - if (fd < 0) { - error("Couldn't reopen lock file %s: %m", lock_file); - lock_file[0] = 0; --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/SPECS-EXTENDED/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch deleted file mode 100644 index 08d67f79d7..0000000000 --- a/SPECS-EXTENDED/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 14:21:41 +0200 -Subject: [PATCH 14/27] everywhere: use SOCK_CLOEXEC when creating socket - ---- - pppd/plugins/pppoatm/pppoatm.c | 2 +- - pppd/plugins/pppol2tp/openl2tp.c | 2 +- - pppd/plugins/pppol2tp/pppol2tp.c | 2 +- - pppd/plugins/rp-pppoe/if.c | 2 +- - pppd/plugins/rp-pppoe/plugin.c | 6 +++--- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +- - pppd/sys-linux.c | 10 +++++----- - pppd/tty.c | 2 +- - 8 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c -index d693350..c31bb34 100644 ---- a/pppd/plugins/pppoatm/pppoatm.c -+++ b/pppd/plugins/pppoatm/pppoatm.c -@@ -135,7 +135,7 @@ static int connect_pppoatm(void) - - if (!device_got_set) - no_device_given_pppoatm(); -- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); -+ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (fd < 0) - fatal("failed to create socket: %m"); - memset(&qos, 0, sizeof qos); -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c -index 9643b96..1099575 100644 ---- a/pppd/plugins/pppol2tp/openl2tp.c -+++ b/pppd/plugins/pppol2tp/openl2tp.c -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) - int result; - - if (openl2tp_fd < 0) { -- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); -+ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (openl2tp_fd < 0) { - error("openl2tp connection create: %m"); - return -ENOTCONN; -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c -index a7e3400..e64a778 100644 ---- a/pppd/plugins/pppol2tp/pppol2tp.c -+++ b/pppd/plugins/pppol2tp/pppol2tp.c -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, - struct ifreq ifr; - int fd; - -- fd = socket(AF_INET, SOCK_DGRAM, 0); -+ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (fd >= 0) { - memset (&ifr, '\0', sizeof 
(ifr)); - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c -index 91e9a57..72aba41 100644 ---- a/pppd/plugins/rp-pppoe/if.c -+++ b/pppd/plugins/rp-pppoe/if.c -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - stype = SOCK_PACKET; - #endif - -- if ((fd = socket(domain, stype, htons(type))) < 0) { -+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { - /* Give a more helpful message for the common error case */ - if (errno == EPERM) { - fatal("Cannot create raw socket -- pppoe must be run as root."); -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index a8c2bb4..24bdf8f 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) - /* server equipment). */ - /* Opening this socket just before waitForPADS in the discovery() */ - /* function would be more appropriate, but it would mess-up the code */ -- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); -+ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); - if (conn->sessionSocket < 0) { - error("Failed to create PPPoE socket: %m"); - return -1; -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) - lcp_wantoptions[0].mru = conn->mru; - - /* Update maximum MRU */ -- s = socket(AF_INET, SOCK_DGRAM, 0); -+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (s < 0) { - error("Can't get MTU for %s: %m", conn->ifName); - goto errout; -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) - } - - /* Open a socket */ -- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { -+ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { - r = 0; - } - -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index 3d3bf4e..c0d927d 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ 
b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - stype = SOCK_PACKET; - #endif - -- if ((fd = socket(domain, stype, htons(type))) < 0) { -+ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { - /* Give a more helpful message for the common error case */ - if (errno == EPERM) { - rp_fatal("Cannot create raw socket -- pppoe must be run as root."); -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 00a2cf5..0690019 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits) - void sys_init(void) - { - /* Get an internet socket for doing socket ioctls. */ -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock_fd < 0) - fatal("Couldn't create IP socket: %m(%d)", errno); - - #ifdef INET6 -- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); -+ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock6_fd < 0) - sock6_fd = -errno; /* save errno for later */ - #endif -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) - struct ifreq ifreq; - int ret, sock_fd; - -- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); -+ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (sock_fd < 0) - return 0; - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); -@@ -2067,7 +2067,7 @@ int ppp_available(void) - /* - * Open a socket for doing the ioctl operations. 
- */ -- s = socket(AF_INET, SOCK_DGRAM, 0); -+ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if (s < 0) - return 0; - -@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64) - int skfd; - const unsigned char *ptr; - -- skfd = socket(PF_INET6, SOCK_DGRAM, 0); -+ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if(skfd == -1) - { - warn("could not open IPv6 socket"); -diff --git a/pppd/tty.c b/pppd/tty.c -index bc96695..8e76a5d 100644 ---- a/pppd/tty.c -+++ b/pppd/tty.c -@@ -896,7 +896,7 @@ open_socket(dest) - *sep = ':'; - - /* get a socket and connect it to the other end */ -- sock = socket(PF_INET, SOCK_STREAM, 0); -+ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); - if (sock < 0) { - error("Can't create socket: %m"); - return -1; --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0015-pppd-move-pppd-database-to-var-run-ppp.patch b/SPECS-EXTENDED/ppp/0015-pppd-move-pppd-database-to-var-run-ppp.patch deleted file mode 100644 index 88b84d51b2..0000000000 --- a/SPECS-EXTENDED/ppp/0015-pppd-move-pppd-database-to-var-run-ppp.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From f2c855462ff56be4121409c7e048cd2503fe0ccf Mon Sep 17 00:00:00 2001
-From: Jiri Skala
-Date: Mon, 7 Apr 2014 14:26:20 +0200
-Subject: [PATCH 15/27] pppd: move pppd database to /var/run/ppp
-
-Resolves: #560014
----
- pppd/pathnames.h | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/pppd/pathnames.h b/pppd/pathnames.h
-index bef3160..24e010c 100644
---- a/pppd/pathnames.h
-+++ b/pppd/pathnames.h
-@@ -6,8 +6,9 @@
-
- #ifdef HAVE_PATHS_H
- #include
--
-+#define _PPP_SUBDIR "ppp/"
- #else /* HAVE_PATHS_H */
-+#define _PPP_SUBDIR
- #ifndef _PATH_VARRUN
- #define _PATH_VARRUN "/etc/ppp/"
- #endif
-@@ -46,13 +47,9 @@
- #endif /* IPX_CHANGE */
-
- #ifdef __STDC__
--#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN "pppd2.tdb"
-+#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb"
- #else /* __STDC__ */
--#ifdef HAVE_PATHS_H
--#define _PATH_PPPDB "/var/run/pppd2.tdb"
--#else
--#define _PATH_PPPDB "/etc/ppp/pppd2.tdb"
--#endif
-+#define _PATH_PPPDB _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb"
- #endif /* __STDC__ */
-
- #ifdef PLUGIN
---
-1.8.3.1
-
diff --git a/SPECS-EXTENDED/ppp/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch b/SPECS-EXTENDED/ppp/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch
deleted file mode 100644
index c633d5c094..0000000000
--- a/SPECS-EXTENDED/ppp/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch
+++ /dev/null
@@ -1,126 +0,0 @@ -From a30efa2cc99a5b6ab220de04cbcc7db38888a17a Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 14:29:45 +0200 -Subject: [PATCH 16/27] rp-pppoe: add manpage for pppoe-discovery - ---- - pppd/plugins/rp-pppoe/Makefile.linux | 2 + - pppd/plugins/rp-pppoe/pppoe-discovery.8 | 86 +++++++++++++++++++++++++++++++++ - 2 files changed, 88 insertions(+) - create mode 100644 pppd/plugins/rp-pppoe/pppoe-discovery.8 - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 3cd9101..9918091 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -16,6 +16,7 @@ - - DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin -+MANDIR = $(DESTDIR)/share/man/man8 - LIBDIR = $(DESTDIR)/lib/pppd/$(PPPDVERSION) - - PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) -@@ -46,6 +47,7 @@ install: all - $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) - $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) - - clean: - rm -f *.o *.so pppoe-discovery -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.8 b/pppd/plugins/rp-pppoe/pppoe-discovery.8 -new file mode 100644 -index 0000000..d0a93db ---- /dev/null -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.8 -@@ -0,0 +1,86 @@ -+.\" pppoe-discovery.8 written by -+.\" Ben Hutchings , based on pppoe.8. -+.\" Licenced under the GPL version 2 or later. -+.TH PPPOE-DISCOVERY 8 -+.SH NAME -+pppoe\-discovery \- perform PPPoE discovery -+.SH SYNOPSIS -+.B pppoe\-discovery -+[ -+.I options -+] -+.br -+.BR pppoe\-discovery " { " \-V " | " \-h " }" -+.SH DESCRIPTION -+.LP -+\fBpppoe\-discovery\fR performs the same discovery process as -+\fBpppoe\fR, but does not initiate a session. -+It sends a PADI packet and then prints the names of access -+concentrators in each PADO packet it receives. 
-+.SH OPTIONS -+.TP -+.BI \-I " interface" -+.RS -+The \fB\-I\fR option specifies the Ethernet interface to use. -+Under Linux, it is typically eth0 or eth1. -+The interface should be \(lqup\(rq before you start -+\fBpppoe\-discovery\fR, but should \fInot\fR be configured to have an -+IP address. -+The default interface is eth0. -+.RE -+.TP -+.BI \-D " file_name" -+.RS -+The \fB\-D\fR option causes every packet to be dumped to the specified -+\fIfile_name\fR. -+This is intended for debugging only. -+.RE -+.TP -+.B \-U -+.RS -+Causes \fBpppoe\-discovery\fR to use the Host-Uniq tag in its discovery -+packets. -+This lets you run multiple instances of \fBpppoe\-discovery\fR and/or -+\fBpppoe\fR without having their discovery packets interfere with one -+another. -+You must supply this option to \fIall\fR instances that you intend to -+run simultaneously. -+.RE -+.TP -+.BI \-S " service_name" -+.RS -+Specifies the desired service name. -+\fBpppoe\-discovery\fR will only accept access concentrators which can -+provide the specified service. -+In most cases, you should \fInot\fR specify this option. -+Use it only if you know that there are multiple access concentrators -+or know that you need a specific service name. -+.RE -+.TP -+.BI \-C " ac_name" -+.RS -+Specifies the desired access concentrator name. -+\fBpppoe\-discovery\fR will only accept the specified access -+concentrator. -+In most cases, you should \fInot\fR specify this option. -+Use it only if you know that there are multiple access concentrators. -+If both the \fB\-S\fR and \fB\-C\fR options are specified, they must -+\fIboth\fR match. -+.RE -+.TP -+.B \-A -+.RS -+This option is accepted for compatibility with \fBpppoe\fR, but has no -+effect. -+.RE -+.TP -+.BR \-V " | " \-h -+.RS -+Either of these options causes \fBpppoe\-discovery\fR to print its -+version number and usage information, then exit. -+.RE -+.SH AUTHORS -+\fBpppoe\-discovery\fR was written by Marco d'Itri , -+based on \fBpppoe\fR by David F. 
Skoll . -+.SH SEE ALSO -+pppoe(8), pppoe-sniff(8) --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0018-scritps-fix-ip-up.local-sample.patch b/SPECS-EXTENDED/ppp/0018-scritps-fix-ip-up.local-sample.patch deleted file mode 100644 index c36e0b8b13..0000000000 --- a/SPECS-EXTENDED/ppp/0018-scritps-fix-ip-up.local-sample.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 40960f91cdd06da387616ec838ae2599e7f01cee Mon Sep 17 00:00:00 2001 -From: Jiri Skala -Date: Mon, 7 Apr 2014 15:24:01 +0200 -Subject: [PATCH 18/27] scritps: fix ip-up.local sample - -Resolves: #613717 ---- - scripts/ip-up.local.add | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add -index 26cf5f8..282337c 100644 ---- a/scripts/ip-up.local.add -+++ b/scripts/ip-up.local.add -@@ -18,6 +18,9 @@ if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then - rscf=/var/run/ppp/resolv.new - grep domain /var/run/ppp/resolv.prev > $rscf - grep search /var/run/ppp/resolv.prev >> $rscf -+ if [ -f /var/run/ppp/resolv.conf ]; then -+ cat /var/run/ppp/resolv.conf >> $rscf -+ fi - change_resolv_conf $rscf - rm -f $rscf - else --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0019-sys-linux-rework-get_first_ethernet.patch b/SPECS-EXTENDED/ppp/0019-sys-linux-rework-get_first_ethernet.patch deleted file mode 100644 index 9a8c3dd61b..0000000000 --- a/SPECS-EXTENDED/ppp/0019-sys-linux-rework-get_first_ethernet.patch +++ /dev/null 
@@ -1,383 +0,0 @@ -From 6edc865bd02ab591b9121d4a5f6dc3cdbe5af809 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:18:24 +0200 -Subject: [PATCH 19/27] sys-linux: rework get_first_ethernet() - -We can't assume that host has ethernet NIC named "eth0". Rather than guessing we -better ask udev. We iterate over symlinks symlinks in /sys/class/net and -for each device we determine if it is ethernet device and additionally we query -udev database for sub-type of the device. If we find PCI or USB device which has -ethernet datalink type and appropriate sub-type we return its name. If we don't -succeed in determining more information about device we will return "good -enough" device which in turn is first device with ethernet datalink type. - -Note that we now have two copies of get_first_ethernet() in the source code. This -is bad and should be fixed in the future. - -This commit replaces ppp-2.4.5-eth.patch. - -Resolves: #682381 ---- - pppd/Makefile.linux | 3 + - pppd/multilink.c | 4 +- - pppd/plugins/rp-pppoe/Makefile.linux | 4 +- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 117 +++++++++++++++++++++++++++++++- - pppd/pppd.h | 2 +- - pppd/sys-linux.c | 115 +++++++++++++++++++++++++++++-- - 6 files changed, 232 insertions(+), 13 deletions(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 53df4d2..0e8107f 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -32,6 +32,9 @@ include .depend - endif - - CC = gcc -+ -+LIBS = -ludev -+ - # - COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - -diff --git a/pppd/multilink.c b/pppd/multilink.c -index 135cab0..2f0ed50 100644 ---- a/pppd/multilink.c -+++ b/pppd/multilink.c -@@ -436,12 +436,12 @@ static int - get_default_epdisc(ep) - struct epdisc *ep; - { -- char *p; -+ char *p = NULL; - struct hostent *hp; - u_int32_t addr; - - /* First try for an ethernet MAC address */ -- p = get_first_ethernet(); -+ get_first_ethernet(&p); - if (p != 0 && get_if_hwaddr(ep->value, p) >= 
0) { - ep->class = EPD_MAC; - ep->length = 6; -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 9918091..b949716 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -30,8 +30,8 @@ COPTS=$(RPM_OPT_FLAGS) - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - --pppoe-discovery: pppoe-discovery.o debug.o -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -+pppoe-discovery: pppoe-discovery.o debug.o common.o -+ $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev - - pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index c0d927d..2bd910f 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -47,8 +47,13 @@ - #include - #endif - -+#include -+#include -+#include -+ - char *xstrdup(const char *s); - void usage(void); -+int get_first_ethernet(char **_r); - - void die(int status) - { -@@ -681,8 +686,15 @@ int main(int argc, char *argv[]) - } - - /* default interface name */ -- if (!conn->ifName) -- conn->ifName = strdup("eth0"); -+ if (!conn->ifName) { -+ char *eth_dev; -+ if (get_first_ethernet(ð_dev) < 0) { -+ fprintf(stderr, "No ethernet device on the host.\n"); -+ exit(1); -+ } -+ conn->ifName = eth_dev; -+ } -+ - - conn->discoverySocket = -1; - conn->sessionSocket = -1; -@@ -722,3 +734,104 @@ void usage(void) - fprintf(stderr, "Usage: pppoe-discovery [options]\n"); - fprintf(stderr, "\nVersion " RP_VERSION "\n"); - } -+ -+/* -+ * get_first_ethernet - return the name of the first ethernet-style -+ * interface on this system. 
-+ */ -+int -+get_first_ethernet(char **_r) -+{ -+ int r = 0; -+ DIR *d = NULL; -+ struct dirent *entry = NULL; -+ struct udev *udev = NULL; -+ struct udev_device *dev = NULL; -+ char *eth_dev = NULL; -+ -+ d = opendir("/sys/class/net"); -+ if (!d) { -+ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); -+ r = -errno; -+ goto fail; -+ } -+ -+ udev = udev_new(); -+ if (!udev) { -+ fprintf(stderr, "Failed to talk to systemd-udevd\n"); -+ r = -EIO; -+ goto fail; -+ } -+ -+ while ((entry = readdir(d)) != NULL) { -+ char syspath[PATH_MAX] = {}; -+ const char *type = NULL; -+ -+ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) -+ continue; -+ -+ sprintf(syspath, "/sys/class/net/%s", entry->d_name); -+ -+ dev = udev_device_new_from_syspath(udev, syspath); -+ if (!dev) -+ continue; -+ -+ type = udev_device_get_sysattr_value(dev, "type"); -+ if (strcmp(type, "1") == 0) { -+ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; -+ -+ pci_dev_subclass = udev_device_get_property_value(dev, -+ "ID_PCI_SUBCLASS_FROM_DATABASE"); -+ usb_dev_subclass = udev_device_get_property_value(dev, -+ "ID_USB_SUBCLASS_FROM_DATABASE"); -+ -+ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || -+ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || -+ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { -+ char *d = NULL; -+ -+ d = strdup(entry->d_name); -+ if (!d) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ -+ free(eth_dev); -+ eth_dev = d; -+ break; -+ } else if (!eth_dev) { -+ eth_dev = strdup(entry->d_name); -+ if (!eth_dev) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ } -+ } -+ -+ udev_device_unref(dev); -+ dev = NULL; -+ } -+ -+ if (dev) -+ udev_device_unref(dev); -+ udev_unref(udev); -+ closedir(d); -+ -+ *_r = eth_dev; -+ -+ return 0; -+ -+fail: -+ if (dev) -+ udev_device_unref(dev); -+ -+ if (udev) -+ udev_unref(udev); -+ -+ if (d) -+ closedir(d); -+ -+ free(eth_dev); -+ -+ return r; -+} 
-diff --git a/pppd/pppd.h b/pppd/pppd.h -index de271c1..aaddba1 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -691,7 +691,7 @@ int sipxfaddr __P((int, unsigned long, unsigned char *)); - int cipxfaddr __P((int)); - #endif - int get_if_hwaddr __P((u_char *addr, char *name)); --char *get_first_ethernet __P((void)); -+int get_first_ethernet __P((char **_r)); - - /* Procedures exported from options.c */ - int setipaddr __P((char *, char **, int)); /* Set local/remote ip addresses */ -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 0690019..ec09c50 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -92,6 +92,9 @@ - #include - #include - #include -+#include -+ -+#include - - /* This is in netdevice.h. However, this compile will fail miserably if - you attempt to include netdevice.h because it has so many references -@@ -1873,10 +1876,101 @@ get_if_hwaddr(u_char *addr, char *name) - * get_first_ethernet - return the name of the first ethernet-style - * interface on this system. 
- */ --char * --get_first_ethernet() --{ -- return "eth0"; -+int -+get_first_ethernet(char **_r) -+{ -+ int r = 0; -+ DIR *d = NULL; -+ struct dirent *entry = NULL; -+ struct udev *udev = NULL; -+ struct udev_device *dev = NULL; -+ char *eth_dev = NULL; -+ -+ d = opendir("/sys/class/net"); -+ if (!d) { -+ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); -+ r = -errno; -+ goto fail; -+ } -+ -+ udev = udev_new(); -+ if (!udev) { -+ fprintf(stderr, "Failed to talk to systemd-udevd\n"); -+ r = -EIO; -+ goto fail; -+ } -+ -+ while ((entry = readdir(d)) != NULL) { -+ char syspath[PATH_MAX] = {}; -+ const char *type = NULL; -+ -+ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) -+ continue; -+ -+ sprintf(syspath, "/sys/class/net/%s", entry->d_name); -+ -+ dev = udev_device_new_from_syspath(udev, syspath); -+ if (!dev) -+ continue; -+ -+ type = udev_device_get_sysattr_value(dev, "type"); -+ if (strcmp(type, "1") == 0) { -+ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; -+ -+ pci_dev_subclass = udev_device_get_property_value(dev, -+ "ID_PCI_SUBCLASS_FROM_DATABASE"); -+ usb_dev_subclass = udev_device_get_property_value(dev, -+ "ID_USB_SUBCLASS_FROM_DATABASE"); -+ -+ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || -+ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || -+ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { -+ char *d = NULL; -+ -+ d = strdup(entry->d_name); -+ if (!d) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ -+ free(eth_dev); -+ eth_dev = d; -+ break; -+ } else if (!eth_dev) { -+ eth_dev = strdup(entry->d_name); -+ if (!eth_dev) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ } -+ } -+ -+ udev_device_unref(dev); -+ dev = NULL; -+ } -+ -+ if (dev) -+ udev_device_unref(dev); -+ udev_unref(udev); -+ closedir(d); -+ -+ *_r = eth_dev; -+ -+ return 0; -+ -+fail: -+ if (dev) -+ udev_device_unref(dev); -+ -+ if (udev) -+ udev_unref(udev); -+ -+ if (d) -+ 
closedir(d); -+ -+ free(eth_dev); -+ -+ return r; - } - - /******************************************************************** -@@ -2859,6 +2953,7 @@ ether_to_eui64(eui64_t *p_eui64) - struct ifreq ifr; - int skfd; - const unsigned char *ptr; -+ char *eth_dev = NULL; - - skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if(skfd == -1) -@@ -2867,11 +2962,19 @@ ether_to_eui64(eui64_t *p_eui64) - return 0; - } - -- strcpy(ifr.ifr_name, "eth0"); -+ if (get_first_ethernet(ð_dev) < 0) -+ { -+ warn("no ethernet device present on the host"); -+ return 0; -+ } -+ -+ strcpy(ifr.ifr_name, eth_dev); -+ free(eth_dev); -+ - if(ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0) - { - close(skfd); -- warn("could not obtain hardware address for eth0"); -+ warn("could not obtain hardware address for %s", ifr.ifr_name); - return 0; - } - close(skfd); --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0020-pppd-put-lock-files-in-var-lock-ppp.patch b/SPECS-EXTENDED/ppp/0020-pppd-put-lock-files-in-var-lock-ppp.patch deleted file mode 100644 index 93d26c5465..0000000000 --- a/SPECS-EXTENDED/ppp/0020-pppd-put-lock-files-in-var-lock-ppp.patch +++ /dev/null @@ -1,26 +0,0 @@ -From c5a5f795b1defcb6d168e79c4d1fc371dfc556ca Mon Sep 17 00:00:00 2001 -From: Jiri Skala -Date: Wed, 9 Apr 2014 09:29:50 +0200 -Subject: [PATCH 20/27] pppd: put lock files in /var/lock/ppp - -Resolves: #708260 ---- - pppd/utils.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/utils.c b/pppd/utils.c -index 6051b9a..8407492 100644 ---- a/pppd/utils.c -+++ b/pppd/utils.c -@@ -846,7 +846,7 @@ complete_read(int fd, void *buf, size_t count) - /* Procedures for locking the serial device using a lock file. */ - #ifndef LOCK_DIR - #ifdef __linux__ --#define LOCK_DIR "/var/lock" -+#define LOCK_DIR "/var/lock/ppp" - #else - #ifdef SVR4 - #define LOCK_DIR "/var/spool/locks" --- -1.8.3.1 - 
diff --git a/SPECS-EXTENDED/ppp/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch b/SPECS-EXTENDED/ppp/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch deleted file mode 100644 index 83402712d3..0000000000 --- a/SPECS-EXTENDED/ppp/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch +++ /dev/null @@ -1,23 +0,0 @@ -From d69eb9a8aa284014dd7dd282813989eda9d84d74 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:56:09 +0200 -Subject: [PATCH 21/27] build-sys: compile pppol2tp plugin with RPM_OPT_FLAGS - ---- - pppd/plugins/pppol2tp/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 4339566..9a635b8 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS = -shared - INSTALL = install --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0022-build-sys-compile-pppol2tp-with-multilink-support.patch b/SPECS-EXTENDED/ppp/0022-build-sys-compile-pppol2tp-with-multilink-support.patch deleted file mode 100644 index 945933e9e1..0000000000 --- a/SPECS-EXTENDED/ppp/0022-build-sys-compile-pppol2tp-with-multilink-support.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From a0060c5d48ef742bff4fe9ba9c276a5c21795ce8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:58:38 +0200 -Subject: [PATCH 22/27] build-sys: compile pppol2tp with multilink support - -Resolves: #817013 ---- - pppd/plugins/pppol2tp/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 9a635b8..9cb316d 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = $(RPM_OPT_FLAGS) -+COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS = -shared - INSTALL = install --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch b/SPECS-EXTENDED/ppp/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch deleted file mode 100644 index 7a18e07cb2..0000000000 --- a/SPECS-EXTENDED/ppp/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 769521a3798fd554ddc7333cb1255cd1b40790e8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 10 Apr 2014 10:00:55 +0200 -Subject: [PATCH 23/27] build-sys: install rp-pppoe plugin files with standard - perms - -This is needed to properly generate debuginfo package. ---- - pppd/plugins/rp-pppoe/Makefile.linux | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index b949716..fa49efb 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -44,10 +44,10 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) -+ $(INSTALL) -c -m 755 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) -- $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) -- $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) -+ $(INSTALL) -c -m 755 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 644 pppoe-discovery.8 $(MANDIR) - - clean: - rm -f *.o *.so pppoe-discovery --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch b/SPECS-EXTENDED/ppp/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch deleted file mode 100644 index 9982d92bb8..0000000000 --- a/SPECS-EXTENDED/ppp/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 0fdb22ef3d3cc3b297372451d60bd6c61d047d27 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 10 Apr 2014 10:08:41 +0200 -Subject: [PATCH 24/27] build-sys: install pppoatm plugin files with standard - perms - ---- - pppd/plugins/pppoatm/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 769794b..4c5826f 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -37,7 +37,7 @@ $(PLUGIN): $(PLUGIN_OBJS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -c -m 4550 $(PLUGIN) $(LIBDIR) -+ $(INSTALL) -c -m 755 $(PLUGIN) $(LIBDIR) - - clean: - rm -f *.o *.so --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0025-pppd-install-pppd-binary-using-standard-perms-755.patch b/SPECS-EXTENDED/ppp/0025-pppd-install-pppd-binary-using-standard-perms-755.patch deleted file mode 100644 index 428d71ac9d..0000000000 --- a/SPECS-EXTENDED/ppp/0025-pppd-install-pppd-binary-using-standard-perms-755.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From ab8b06cdc1075abc67f77e7c3bb684e20071d614 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 10 Apr 2014 10:09:41 +0200 -Subject: [PATCH 25/27] pppd: install pppd binary using standard perms (755) - ---- - pppd/Makefile.linux | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 0e8107f..534ccc2 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -223,10 +223,10 @@ all: $(TARGETS) - install: pppd - mkdir -p $(BINDIR) $(MANDIR) - $(EXTRAINSTALL) -- $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd -+ $(INSTALL) -c -m 755 pppd $(BINDIR)/pppd - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ - chmod o-rx,u+s $(BINDIR)/pppd; fi -- $(INSTALL) -c -m 444 pppd.8 $(MANDIR) -+ $(INSTALL) -c -m 644 pppd.8 $(MANDIR) - - pppd: $(PPPDOBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) --- -1.8.3.1 - diff --git a/SPECS-EXTENDED/ppp/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch b/SPECS-EXTENDED/ppp/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch deleted file mode 100644 index 9b0920d3bc..0000000000 --- a/SPECS-EXTENDED/ppp/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 33797aa193a2751da26f9af120e39c110defe4d1 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Sat, 10 Dec 2016 19:53:56 +0100 -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h - -To fix build breakage. ---- - pppd/plugins/rp-pppoe/pppoe.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index 9ab2eee..f77f5b7 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -15,6 +15,8 @@ - - #include "config.h" - -+#include -+ - #if defined(HAVE_NETPACKET_PACKET_H) || defined(HAVE_LINUX_IF_PACKET_H) - #define _POSIX_SOURCE 1 /* For sigaction defines */ - #endif -@@ -84,8 +86,6 @@ typedef unsigned long UINT32_t; - #include - #endif - --#include -- - #ifdef HAVE_NETINET_IF_ETHER_H - #include - --- -2.9.3 - diff --git a/SPECS-EXTENDED/ppp/ifdown-ppp b/SPECS-EXTENDED/ppp/ifdown-ppp deleted file mode 100755 index fca646384c..0000000000 --- a/SPECS-EXTENDED/ppp/ifdown-ppp +++ /dev/null 
@@ -1,51 +0,0 @@ -#! /bin/bash - -cd /etc/sysconfig/network-scripts -. ./network-functions - -CONFIG=$1 -source_config - -if [ "$TYPE" = "xDSL" ] && [ -x /usr/sbin/adsl-stop ] ; then - adsl-stop /etc/sysconfig/network-scripts/$CONFIG - exit $? -fi - -CONFIG=${CONFIG##ifcfg-} - -if [ "${DEMAND}" = "yes" ] && [ -f /var/run/ppp-${CONFIG}.pid ] ; then - PID=$(head -1 /var/run/ppp-${CONFIG}.pid) - kill -TERM ${PID} - sleep 2 - [ ! -d /proc/${PID} ] && exit 0 - sleep 5 - [ ! -d /proc/${PID} ] && exit 0 - kill -TERM ${PID} - [ ! -d /proc/${PID} ] && exit 0 - exit 1 -fi - -file=/var/run/pppwatch-${DEVICE}.pid - -if [ ! -f $file ]; then - # ppp isn't running, or we didn't start it - exit 0 -fi - -PID=$(cat $file) -[ -n "${PID}" ] || exit 1 - -kill -TERM ${PID} > /dev/null 2>&1 -[ ! -d /proc/${PID} ] && exit 0 -sleep 2 -[ ! -d /proc/${PID} ] && exit 0 -sleep 5 -[ ! -d /proc/${PID} ] && exit 0 -sleep 10 -[ ! -d /proc/${PID} ] && exit 0 - -# killing ppp-watch twice in a row causes it to send a SIGKILL to pppd pgrp -kill -TERM ${PID} > /dev/null 2>&1 -[ ! -d /proc/${PID} ] && exit 0 - -exit 1 diff --git a/SPECS-EXTENDED/ppp/ifup-ppp b/SPECS-EXTENDED/ppp/ifup-ppp deleted file mode 100755 index fb30639d0d..0000000000 --- a/SPECS-EXTENDED/ppp/ifup-ppp +++ /dev/null 
@@ -1,157 +0,0 @@ -#! /bin/bash - -. /etc/init.d/functions - -cd /etc/sysconfig/network-scripts -. ./network-functions - -# ifup-post for PPP is handled through /etc/ppp/ip-up -if [ "${1}" = daemon ] ; then - # we've been called from ppp-watch, so don't invoke it for persistence - shift -else - # just in case a full path to the configuration file is passed in - CONFIG=${1##*/} # CONFIG=$(basename $1) - [ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} - source_config - # don't start ppp-watch by xDSL - if [ "${DEMAND}" != yes -a "$TYPE" != "xDSL" ] ; then - # let ppp-watch do the right thing - exec /sbin/ppp-watch "${CONFIG##ifcfg-}" "$2" - fi -fi - -CONFIG=$1 -[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} -source_config - -if [ -z "${DISCONNECTTIMEOUT}" ]; then - DISCONNECTTIMEOUT=2 -fi - -if [ -z "${RETRYTIMEOUT}" ]; then - RETRYTIMEOUT=30 -fi - -if [ -z "${IDLETIMEOUT}" ]; then - IDLETIMEOUT=600 -fi - -if [ "${2}" = "boot" -a "${ONBOOT}" = "no" ]; then - exit -fi - -[ -x /usr/sbin/pppd ] || { - echo $"pppd does not exist or is not executable" - echo $"ifup-ppp for ${DEVICE} exiting" - /usr/bin/logger -p daemon.info -t ifup-ppp \ - $"pppd does not exist or is not executable for ${DEVICE}" - exit 1 -} - -# check that xDSL connection -if [ "$TYPE" = "xDSL" ] ; then - if [ -x /usr/sbin/adsl-start ] ; then - adsl-start /etc/sysconfig/network-scripts/$CONFIG - exit $? - else - /usr/bin/logger -p daemon.info -t ifup-ppp \ - $"adsl-start does not exist or is not executable for ${DEVICE}" - exit 1 - fi -fi - -PEERCONF=/etc/ppp/peers/${DEVNAME} - -if [ "${DEBUG}" = "yes" ]; then - CHATDBG="-v" -fi - -if [ ! 
-f ${PEERCONF} ]; then - if [ -z "${WVDIALSECT}" ] ; then - CHATSCRIPT=/etc/sysconfig/network-scripts/chat-${DEVNAME} - [ -f ${CHATSCRIPT} ] || { - echo $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist" - echo $"ifup-ppp for ${DEVNAME} exiting" - /usr/bin/logger -p daemon.info -t ifup-ppp \ - $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist for ${DEVICE}" - exit 1 - } - fi - /usr/bin/logger -s -p daemon.notice -t ifup-ppp \ - $"Setting up a new ${PEERCONF} config file" - if [ -f /etc/ppp/peers/${DEVICE} ]; then - cp -f /etc/ppp/peers/${DEVICE} ${PEERCONF} - else - touch ${PEERCONF} - fi - if [ "${WVDIALSECT}" ]; then - echo "connect \"/usr/bin/wvdial --remotename ${DEVNAME} --chat '${WVDIALSECT}'\"" >> ${PEERCONF} - else - echo "connect \"/usr/sbin/chat ${CHATDBG} -f ${CHATSCRIPT}\"" >> ${PEERCONF} - fi -fi - -opts="lock" -if [ "${HARDFLOWCTL}" != no ] ; then - opts="$opts modem crtscts" -fi -if [ "${ESCAPECHARS}" != yes ] ; then - opts="$opts asyncmap 00000000" -fi -if [ "${DEFROUTE}" != no ] ; then - # pppd will no longer delete an existing default route - # so we have to help it out a little here. - DEFRT=$(ip route list match 0.0.0.0/0) - [ -n "${DEFRT}" ] && echo "$DEFRT" > /etc/default-routes - echo "$DEFRT" | while read spec; do - ip route del $spec; - done - opts="$opts defaultroute" -fi -if [ "${PEERDNS}" != no ] ; then - cp -f /etc/resolv.conf /etc/resolv.conf.save - opts="$opts usepeerdns" -fi -if [ -n "${MRU}" ] ; then - opts="$opts mru ${MRU}" -fi -if [ -n "${MTU}" ] ; then - opts="$opts mtu ${MTU}" -fi -if [ -n "${IPADDR}${REMIP}" ] ; then - # if either IP address is set, the following will work. 
- opts="$opts ${IPADDR}:${REMIP}" -fi -if [ -n "${PAPNAME}" ] ; then - opts="$opts user ${PAPNAME} remotename ${DEVNAME}" -fi -if [ "${DEBUG}" = yes ] ; then - opts="$opts debug" -fi - -if [ ${DEMAND} = yes ] ; then - opts="$opts demand ktune idle ${IDLETIMEOUT} holdoff ${RETRYTIMEOUT}" - exec= -else - opts="$opts nodetach" - exec=exec -fi - -/usr/bin/logger -p daemon.info -t ifup-ppp \ - $"pppd started for ${DEVNAME} on ${MODEMPORT} at ${LINESPEED}" - -$exec pppd $opts ${MODEMPORT} ${LINESPEED} \ - ipparam ${DEVNAME} linkname ${DEVNAME} call ${DEVNAME}\ - noauth \ - ${PPPOPTIONS} || exit - -if [ "${DEMAND}" = "yes" ] ; then - # pppd is a tad slow to write the pid-file. - sleep 2 - if [ -f /var/run/ppp-${DEVNAME}.pid ] ; then - REALDEVICE=$(tail -1 /var/run/ppp-${DEVNAME}.pid) - /etc/sysconfig/network-scripts/ifup-routes ${REALDEVICE} ${DEVNAME} - fi -fi - diff --git a/SPECS-EXTENDED/ppp/ipv6-down b/SPECS-EXTENDED/ppp/ipv6-down index b290585a37..36e0c5fde8 100644 --- a/SPECS-EXTENDED/ppp/ipv6-down +++ b/SPECS-EXTENDED/ppp/ipv6-down 
@@ -6,65 +6,9 @@ # # This file should not be modified -- make local changes to # /etc/ppp/ipv6-down.local instead -# -# -# Taken from: -# (P) & (C) 2001-2006 by Peter Bieringer -# -# You will find more information on the initscripts-ipv6 homepage at -# http://www.deepspace6.net/projects/initscripts-ipv6.html -# -# RHL integration assistance by Pekka Savola -# -# Calling parameters: -# $1: interface name -# $6: logical interface name (set by pppd option ipparam) -# -# Version 2006-08-02 -# -# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1: -# IPV6INIT=yes|no: controls IPv6 configuration for this interface -# - - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -export PATH -LOGDEVICE=$6 -REALDEVICE=$1 - -[ -f /etc/sysconfig/network ] || exit 0 -. /etc/sysconfig/network - -cd /etc/sysconfig/network-scripts -. ./network-functions - -CONFIG=$LOGDEVICE -[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG -source_config - -[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1 -. /etc/sysconfig/network-scripts/network-functions-ipv6 +[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] && /etc/ppp/ipv6-down.initscripts "$@" [ -x /etc/ppp/ipv6-down.local ] && /etc/ppp/ipv6-down.local "$@" - -if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then - # Control running radvd - ipv6_trigger_radvd down "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE -fi - -# IPv6 test, no module loaded, exit if system is not IPv6-ready -ipv6_test testonly || exit 0 - -# Test device status -ipv6_test_device_status $REALDEVICE -if [ $? != 0 -a $? != 11 ]; then - # device doesn't exist or other problem occurs - exit 1 -fi - -# Delete all current configured IPv6 addresses on this interface -ipv6_cleanup_device $REALDEVICE - exit 0 diff --git a/SPECS-EXTENDED/ppp/ipv6-down.initscripts b/SPECS-EXTENDED/ppp/ipv6-down.initscripts new file mode 100644 index 0000000000..c8f228fc24 --- /dev/null +++ b/SPECS-EXTENDED/ppp/ipv6-down.initscripts 
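Review bot: The added call to `/etc/ppp/ipv6-down.initscripts` is guarded only by the existence of `network-functions-ipv6`, not by the helper itself being present and executable, whereas the `.local` hook on the next line is guarded with `-x`. The helper is added in this same commit with git mode 100644, so unless packaging installs it with an executable bit (not visible in this diff) the direct invocation fails with a permission error. I would write `[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] && [ -x /etc/ppp/ipv6-down.initscripts ] && /etc/ppp/ipv6-down.initscripts "$@"`. The matching added line in ipv6-up has the same gap.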
@@ -0,0 +1,56 @@ +#!/bin/sh +# +# +# Taken from: +# (P) & (C) 2001-2006 by Peter Bieringer +# +# You will find more information on the initscripts-ipv6 homepage at +# http://www.deepspace6.net/projects/initscripts-ipv6.html +# +# RHL integration assistance by Pekka Savola +# +# Calling parameters: +# $1: interface name +# $6: logical interface name (set by pppd option ipparam) +# +# Version 2006-08-02 +# +# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1: +# IPV6INIT=yes|no: controls IPv6 configuration for this interface +# +PATH=/sbin:/usr/sbin:/bin:/usr/bin +export PATH + +LOGDEVICE=$6 +REALDEVICE=$1 + +[ -f /etc/sysconfig/network ] || exit 0 +. /etc/sysconfig/network + +cd /etc/sysconfig/network-scripts +. ./network-functions + +CONFIG=$LOGDEVICE +[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG +source_config + +[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1 +. /etc/sysconfig/network-scripts/network-functions-ipv6 + +if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then + # Control running radvd + ipv6_trigger_radvd down "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE +fi + +# IPv6 test, no module loaded, exit if system is not IPv6-ready +ipv6_test testonly || exit 0 + +# Test device status +ipv6_test_device_status $REALDEVICE +if [ $? != 0 -a $? != 11 ]; then + # device doesn't exist or other problem occurs + exit 1 +fi + +# Delete all current configured IPv6 addresses on this interface +ipv6_cleanup_device $REALDEVICE diff --git a/SPECS-EXTENDED/ppp/ipv6-up b/SPECS-EXTENDED/ppp/ipv6-up index 059afec61a..623631aa6e 100644 --- a/SPECS-EXTENDED/ppp/ipv6-up +++ b/SPECS-EXTENDED/ppp/ipv6-up 
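Review bot: `LOGDEVICE=$6` is used as a file name without any validation: `CONFIG=$LOGDEVICE` is tested with `[ -f "$CONFIG" ]` relative to /etc/sysconfig/network-scripts and then handed to `source_config`, which presumably sources it (that function lives in network-functions, outside this diff). The header says `$6` is set through pppd's `ipparam` option, so a value containing `/` would select a file outside that directory. I would reject such values before the lookup with `case "$LOGDEVICE" in */*) exit 1 ;; esac`; the same lines appear in ipv6-up.initscripts. The header comment also names `ifcfg-$1` while the code derives the file from `$6`, so `# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$6:` would match what the script does.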
@@ -7,105 +7,8 @@ # This file should not be modified -- make local changes to # /etc/ppp/ipv6-up.local instead # -# Taken from: -# (P) & (C) 2001-2006 by Peter Bieringer -# -# You will find more information on the initscripts-ipv6 homepage at -# http://www.deepspace6.net/projects/initscripts-ipv6.html -# -# RHL integration assistance by Pekka Savola -# -# Calling parameters: -# $1: interface name -# $6: logical interface name (set by pppd option ipparam) -# -# -# Version: 2006-08-02 -# -# Uses following information from "/etc/sysconfig/network": -# IPV6_DEFAULTDEV=: controls default route (optional) -# -# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1": -# IPV6INIT=yes|no: controls IPv6 configuration for this interface -# IPV6ADDR=[/]: specify primary static IPv6 address -# IPV6ADDR_SECONDARIES="[/] ..." (optional) -# IPV6_MTU=: controls IPv6 MTU for this link (optional) -# - - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -export PATH - -LOGDEVICE=$6 -REALDEVICE=$1 - -[ -f /etc/sysconfig/network ] || exit 0 -. /etc/sysconfig/network - -cd /etc/sysconfig/network-scripts -. ./network-functions -. ./network-functions-ipv6 - -CONFIG=$LOGDEVICE -[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG -source_config - -# Test whether IPv6 configuration is disabled for this interface -[[ "$IPV6INIT" = [nN0]* ]] && exit 0 - -[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1 -. /etc/sysconfig/network-scripts/network-functions-ipv6 - -# IPv6 test, module loaded, exit if system is not IPv6-ready -ipv6_test || exit 1 - -# Test device status -ipv6_test_device_status $REALDEVICE -if [ $? != 0 -a $? 
!= 11 ]; then - # device doesn't exist or other problem occurs - exit 1 -fi - -# Setup IPv6 address on specified interface -if [ -n "$IPV6ADDR" ]; then - ipv6_add_addr_on_device $REALDEVICE $IPV6ADDR || exit 1 -fi - -# Set IPv6 MTU, if given -if [ -n "$IPV6_MTU" ]; then - ipv6_set_mtu $REALDEVICE $IPV6_MTU -fi - -# Setup additional IPv6 addresses from list, if given -if [ -n "$IPV6ADDR_SECONDARIES" ]; then - for ipv6addr in $IPV6ADDR_SECONDARIES; do - ipv6_add_addr_on_device $REALDEVICE $ipv6addr - done -fi - -# Setup default IPv6 route through device -if [ "$IPV6_DEFAULTDEV" = "$LOGDEVICE" ]; then - ipv6_set_default_route "" "$REALDEVICE" "$REALDEVICE" -fi - -# Setup additional static IPv6 routes on specified interface, if given -if [ -f /etc/sysconfig/static-routes-ipv6 ]; then - LC_ALL=C grep -w "^$LOGDEVICE" /etc/sysconfig/static-routes-ipv6 | while read device args; do - ipv6_add_route $args $REALDEVICE - done -fi - -# Setup additional static IPv6 routes (newer config style) -if [ -f "/etc/sysconfig/network-scripts/route6-$DEVICE" ]; then - sed -ne 's/#.*//' -e '/[^[:space:]]/p' "/etc/sysconfig/network-scripts/route6-$DEVICE" | while read line; do - /sbin/ip -6 route add $line - done -fi -if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then - # Control running radvd - ipv6_trigger_radvd up "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE -fi +[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] && /etc/ppp/ipv6-up.initscripts "$@" [ -x /etc/ppp/ipv6-up.local ] && /etc/ppp/ipv6-up.local "$@" diff --git a/SPECS-EXTENDED/ppp/ipv6-up.initscripts b/SPECS-EXTENDED/ppp/ipv6-up.initscripts new file mode 100644 index 0000000000..98d6d63fce --- /dev/null +++ b/SPECS-EXTENDED/ppp/ipv6-up.initscripts 
@@ -0,0 +1,99 @@ +#!/bin/sh +# Taken from: +# (P) & (C) 2001-2006 by Peter Bieringer +# +# You will find more information on the initscripts-ipv6 homepage at +# http://www.deepspace6.net/projects/initscripts-ipv6.html +# +# RHL integration assistance by Pekka Savola +# +# Calling parameters: +# $1: interface name +# $6: logical interface name (set by pppd option ipparam) +# +# +# Version: 2006-08-02 +# +# Uses following information from "/etc/sysconfig/network": +# IPV6_DEFAULTDEV=: controls default route (optional) +# +# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1": +# IPV6INIT=yes|no: controls IPv6 configuration for this interface +# IPV6ADDR=[/]: specify primary static IPv6 address +# IPV6ADDR_SECONDARIES="[/] ..." (optional) +# IPV6_MTU=: controls IPv6 MTU for this link (optional) +# + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +export PATH + +LOGDEVICE=$6 +REALDEVICE=$1 + +[ -f /etc/sysconfig/network ] || exit 0 +. /etc/sysconfig/network + +cd /etc/sysconfig/network-scripts +. ./network-functions +. ./network-functions-ipv6 + +CONFIG=$LOGDEVICE +[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG +source_config + +# Test whether IPv6 configuration is disabled for this interface +[[ "$IPV6INIT" = [nN0]* ]] && exit 0 + +[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1 +. /etc/sysconfig/network-scripts/network-functions-ipv6 + +# IPv6 test, module loaded, exit if system is not IPv6-ready +ipv6_test || exit 1 + +# Test device status +ipv6_test_device_status $REALDEVICE +if [ $? != 0 -a $? 
!= 11 ]; then + # device doesn't exist or other problem occurs + exit 1 +fi + +# Setup IPv6 address on specified interface +if [ -n "$IPV6ADDR" ]; then + ipv6_add_addr_on_device $REALDEVICE $IPV6ADDR || exit 1 +fi + +# Set IPv6 MTU, if given +if [ -n "$IPV6_MTU" ]; then + ipv6_set_mtu $REALDEVICE $IPV6_MTU +fi + +# Setup additional IPv6 addresses from list, if given +if [ -n "$IPV6ADDR_SECONDARIES" ]; then + for ipv6addr in $IPV6ADDR_SECONDARIES; do + ipv6_add_addr_on_device $REALDEVICE $ipv6addr + done +fi + +# Setup default IPv6 route through device +if [ "$IPV6_DEFAULTDEV" = "$LOGDEVICE" ]; then + ipv6_set_default_route "" "$REALDEVICE" "$REALDEVICE" +fi + +# Setup additional static IPv6 routes on specified interface, if given +if [ -f /etc/sysconfig/static-routes-ipv6 ]; then + LC_ALL=C grep -w "^$LOGDEVICE" /etc/sysconfig/static-routes-ipv6 | while read device args; do + ipv6_add_route $args $REALDEVICE + done +fi + +# Setup additional static IPv6 routes (newer config style) +if [ -f "/etc/sysconfig/network-scripts/route6-$DEVICE" ]; then + sed -ne 's/#.*//' -e '/[^[:space:]]/p' "/etc/sysconfig/network-scripts/route6-$DEVICE" | while read line; do + /sbin/ip -6 route add $line + done +fi + +if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then + # Control running radvd + ipv6_trigger_radvd up "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE +fi diff --git a/SPECS-EXTENDED/ppp/ppp-2.4.7-CVE-2020-8597.patch b/SPECS-EXTENDED/ppp/ppp-2.4.7-CVE-2020-8597.patch deleted file mode 100644 index 5d7c51bcac..0000000000 --- a/SPECS-EXTENDED/ppp/ppp-2.4.7-CVE-2020-8597.patch +++ /dev/null 
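Review bot: The new file declares `#!/bin/sh`, but the IPV6INIT check uses `[[ "$IPV6INIT" = [nN0]* ]]`, which is not POSIX. Where `/bin/sh` is not bash the `[[` command is not found, `exit 0` is never reached, and an interface configured with `IPV6INIT=no` would still get addresses and routes applied. Either declare `#!/bin/bash` or use the portable form `case "$IPV6INIT" in [nN0]*) exit 0 ;; esac`. Separately, `$REALDEVICE`, `$IPV6ADDR` and `$IPV6_MTU` are passed unquoted to the `ipv6_*` helpers. The `route6-$DEVICE` block depends on `DEVICE`, which this script never assigns; presumably `source_config` sets it, but that function is not visible here.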
@@ -1,37 +0,0 @@ -From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 -From: Paul Mackerras -Date: Mon, 3 Feb 2020 15:53:28 +1100 -Subject: [PATCH] pppd: Fix bounds check in EAP code - -Given that we have just checked vallen < len, it can never be the case -that vallen >= len + sizeof(rhostname). This fixes the check so we -actually avoid overflowing the rhostname array. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Paul Mackerras ---- - pppd/eap.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/eap.c b/pppd/eap.c -index 94407f56..1b93db01 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -1420,7 +1420,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; -@@ -1846,7 +1846,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; diff --git a/SPECS-EXTENDED/ppp/ppp-2.4.7-DES-openssl.patch b/SPECS-EXTENDED/ppp/ppp-2.4.7-DES-openssl.patch deleted file mode 100644 index ad3b2687aa..0000000000 --- a/SPECS-EXTENDED/ppp/ppp-2.4.7-DES-openssl.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 534ccc2..cf11b74 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -41,7 +41,7 @@ COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - # Uncomment the next 2 lines to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. - CHAPMS=y --USE_CRYPT=y -+#USE_CRYPT=y - # Don't use MSLANMAN unless you really know what you're doing. - #MSLANMAN=y - # Uncomment the next line to include support for MPPE. CHAPMS (above) must -@@ -147,7 +147,8 @@ endif - - ifdef NEEDDES - ifndef USE_CRYPT --LIBS += -ldes $(LIBS) -+CFLAGS += -I/usr/include/openssl -+LIBS += -lcrypto - else - CFLAGS += -DUSE_CRYPT=1 - endif -diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c -index 8b85b13..6b35375 100644 ---- a/pppd/pppcrypt.c -+++ b/pppd/pppcrypt.c -@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */ - des_key[7] = Get7Bits(key, 49); - - #ifndef USE_CRYPT -- des_set_odd_parity((des_cblock *)des_key); -+ DES_set_odd_parity((DES_cblock *)des_key); - #endif - } - -@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ - } - - #else /* USE_CRYPT */ --static des_key_schedule key_schedule; -+static DES_key_schedule key_schedule; - - bool - DesSetkey(key) - u_char *key; - { -- des_cblock des_key; -+ DES_cblock des_key; - MakeKey(key, des_key); -- des_set_key(&des_key, key_schedule); -+ DES_set_key(&des_key, &key_schedule); - return (1); - } - - bool --DesEncrypt(clear, key, cipher) -+DesEncrypt(clear, cipher) - u_char *clear; /* IN 8 octets */ - u_char *cipher; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, -- key_schedule, 1); -+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, -+ &key_schedule, 1); - return (1); - } - -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) - u_char *cipher; /* IN 8 octets */ - u_char *clear; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock 
*)cipher, (des_cblock *)clear, -- key_schedule, 0); -+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, -+ &key_schedule, 0); - return (1); - } - diff --git a/SPECS-EXTENDED/ppp/ppp-2.4.7-coverity-scan-fixes.patch b/SPECS-EXTENDED/ppp/ppp-2.4.7-coverity-scan-fixes.patch deleted file mode 100644 index 4f61a27aa7..0000000000 --- a/SPECS-EXTENDED/ppp/ppp-2.4.7-coverity-scan-fixes.patch +++ /dev/null 
@@ -1,453 +0,0 @@ -diff --git a/chat/chat.c b/chat/chat.c -index 710dba9..bf10733 100644 ---- a/chat/chat.c -+++ b/chat/chat.c -@@ -512,6 +512,7 @@ void msgf __V((const char *fmt, ...)) - syslog(LOG_INFO, "%s", line); - if (to_stderr) - fprintf(stderr, "%s\n", line); -+ va_end(args); - } - - /* -@@ -537,6 +538,7 @@ void fatal __V((int code, const char *fmt, ...)) - syslog(LOG_ERR, "%s", line); - if (to_stderr) - fprintf(stderr, "%s\n", line); -+ va_end(args); - terminate(code); - } - -diff --git a/pppd/auth.c b/pppd/auth.c -index 656ffe9..9a7e32d 100644 ---- a/pppd/auth.c -+++ b/pppd/auth.c -@@ -464,6 +464,7 @@ setupapfile(argv) - euid = geteuid(); - if (seteuid(getuid()) == -1) { - option_error("unable to reset uid before opening %s: %m", fname); -+ free(fname); - return 0; - } - ufile = fopen(fname, "re"); -@@ -471,6 +472,7 @@ setupapfile(argv) - fatal("unable to regain privileges: %m"); - if (ufile == NULL) { - option_error("unable to open user login data file %s", fname); -+ free(fname); - return 0; - } - check_access(ufile, fname); -@@ -481,6 +483,7 @@ setupapfile(argv) - || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) { - fclose(ufile); - option_error("unable to read user login data file %s", fname); -+ free(fname); - return 0; - } - fclose(ufile); -@@ -502,6 +505,7 @@ setupapfile(argv) - explicit_passwd = 1; - } - -+ free(fname); - return (1); - } - -diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c -index 1b79abf..f7f42fd 100644 ---- a/pppd/eap-tls.c -+++ b/pppd/eap-tls.c -@@ -693,6 +693,7 @@ int eaptls_init_ssl_server(eap_state * esp) - } - - strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); -+ ets->peer[MAXWORDLEN - 1] = 0; - - dbglog( "getting eaptls secret" ); - if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, -@@ -780,7 +781,10 @@ int eaptls_init_ssl_client(eap_state * esp) - * verify - */ - if (esp->es_client.ea_peer) -+ { - strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); -+ ets->peer[MAXWORDLEN - 1] = 0; -+ } - else - ets->peer[0] 
= 0; - -@@ -835,7 +839,10 @@ int eaptls_init_ssl_client(eap_state * esp) - * ssl_verify_callback() - */ - if (servcertfile[0]) -+ { - strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); -+ ets->peercertfile[MAXWORDLEN - 1] = 0; -+ } - else - ets->peercertfile[0] = 0; - -diff --git a/pppd/multilink.c b/pppd/multilink.c -index 2f0ed50..67200ba 100644 ---- a/pppd/multilink.c -+++ b/pppd/multilink.c -@@ -445,9 +445,13 @@ get_default_epdisc(ep) - if (p != 0 && get_if_hwaddr(ep->value, p) >= 0) { - ep->class = EPD_MAC; - ep->length = 6; -+ free(p); - return 1; - } - -+ if (p) -+ free(p); -+ - /* see if our hostname corresponds to a reasonable IP address */ - hp = gethostbyname(hostname); - if (hp != NULL) { -diff --git a/pppd/options.c b/pppd/options.c -index 1cef314..bc264d6 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -1735,7 +1735,7 @@ user_unsetenv(argv) - option_error("unexpected = in name: %s", arg); - return 0; - } -- if (arg == '\0') { -+ if (*arg == '\0') { - option_error("missing variable name for unset"); - return 0; - } -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c -index 1099575..7c4fe8b 100644 ---- a/pppd/plugins/pppol2tp/openl2tp.c -+++ b/pppd/plugins/pppol2tp/openl2tp.c -@@ -246,6 +246,9 @@ out: - (*old_pppol2tp_ip_updown_hook)(tunnel_id, session_id, up); - } - -+ if (user_name != NULL) -+ free(user_name); -+ - return; - } - -diff --git a/pppd/plugins/radius/avpair.c b/pppd/plugins/radius/avpair.c -index 716d23f..ec48eb8 100644 ---- a/pppd/plugins/radius/avpair.c -+++ b/pppd/plugins/radius/avpair.c -@@ -121,7 +121,8 @@ VALUE_PAIR *rc_avpair_new (int attrid, void *pval, int len, int vendorcode) - if ((vp = (VALUE_PAIR *) malloc (sizeof (VALUE_PAIR))) - != (VALUE_PAIR *) NULL) - { -- strncpy (vp->name, pda->name, sizeof (vp->name)); -+ strncpy (vp->name, pda->name, NAME_LENGTH); -+ vp->name[NAME_LENGTH] = 0; - vp->attribute = attrid; - vp->vendorcode = vendorcode; - vp->next = (VALUE_PAIR *) NULL; -diff --git 
a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c -index a29e5e8..6e36d89 100644 ---- a/pppd/plugins/radius/config.c -+++ b/pppd/plugins/radius/config.c -@@ -153,6 +153,7 @@ static int set_option_auo(char *filename, int line, OPTION *option, char *p) - *iptr = AUTH_RADIUS_FST; - else { - error("%s: auth_order: unknown keyword: %s", filename, p); -+ free(iptr); - return (-1); - } - -@@ -165,6 +166,7 @@ static int set_option_auo(char *filename, int line, OPTION *option, char *p) - *iptr = (*iptr) | AUTH_RADIUS_SND; - else { - error("%s: auth_order: unknown or unexpected keyword: %s", filename, p); -+ free(iptr); - return (-1); - } - } -@@ -272,7 +274,7 @@ char *rc_conf_str(char *optname) - - if (option == NULL) - fatal("rc_conf_str: unkown config option requested: %s", optname); -- return (char *)option->val; -+ return (char *)option->val; - } - - int rc_conf_int(char *optname) -diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c -index 4ba5f52..6f2a0bd 100644 ---- a/pppd/plugins/radius/radius.c -+++ b/pppd/plugins/radius/radius.c -@@ -898,7 +898,8 @@ radius_acct_start(void) - - rstate.start_time = time(NULL); - -- strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id)); -+ strncpy(rstate.session_id, rc_mksid(), MAXSESSIONID); -+ rstate.session_id[MAXSESSIONID] = 0; - - rc_avpair_add(&send, PW_ACCT_SESSION_ID, - rstate.session_id, 0, VENDOR_NONE); -diff --git a/pppd/plugins/radius/radiusclient.h b/pppd/plugins/radius/radiusclient.h -index 51b959a..cff0c26 100644 ---- a/pppd/plugins/radius/radiusclient.h -+++ b/pppd/plugins/radius/radiusclient.h -@@ -440,6 +440,7 @@ UINT4 rc_get_ipaddr __P((char *)); - int rc_good_ipaddr __P((char *)); - const char *rc_ip_hostname __P((UINT4)); - UINT4 rc_own_ipaddress __P((void)); -+UINT4 rc_own_bind_ipaddress __P((void)); - - - /* sendserver.c */ -diff --git a/pppd/plugins/radius/radrealms.c b/pppd/plugins/radius/radrealms.c -index 7a30370..cd006fd 100644 ---- 
a/pppd/plugins/radius/radrealms.c -+++ b/pppd/plugins/radius/radrealms.c -@@ -68,10 +68,12 @@ lookup_realm(char const *user, - - if ((fd = fopen(radrealms_config, "r")) == NULL) { - option_error("cannot open %s", radrealms_config); -+ free(auths); -+ free(accts); - return; -- } -+ } - info("Reading %s", radrealms_config); -- -+ - while ((fgets(buffer, sizeof(buffer), fd) != NULL)) { - line++; - -@@ -87,6 +89,8 @@ lookup_realm(char const *user, - fclose(fd); - option_error("%s: invalid line %d: %s", radrealms_config, - line, buffer); -+ free(auths); -+ free(accts); - return; - } - info("Parsing '%s' entry:", p); -@@ -101,6 +105,8 @@ lookup_realm(char const *user, - fclose(fd); - option_error("%s: realm name missing on line %d: %s", - radrealms_config, line, buffer); -+ free(auths); -+ free(accts); - return; - } - -@@ -111,6 +117,8 @@ lookup_realm(char const *user, - fclose(fd); - option_error("%s: server address missing on line %d: %s", - radrealms_config, line, buffer); -+ free(auths); -+ free(accts); - return; - } - s->name[s->max] = strdup(p); -@@ -119,6 +127,8 @@ lookup_realm(char const *user, - fclose(fd); - option_error("%s: server port missing on line %d: %s", - radrealms_config, line, buffer); -+ free(auths); -+ free(accts); - return; - } - s->port[s->max] = atoi(p); -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 5e06b52..5f79284 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -34,10 +34,10 @@ pppoe-discovery: pppoe-discovery.o debug.o common.o - $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev - - pppoe-discovery.o: pppoe-discovery.c -- $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c -+ $(CC) $(CFLAGS) -I../../.. -c -o pppoe-discovery.o pppoe-discovery.c - - debug.o: debug.c -- $(CC) $(CFLAGS) -c -o debug.o debug.c -+ $(CC) $(CFLAGS) -I../../.. 
-c -o debug.o debug.c - - rp-pppoe.so: plugin.o discovery.o if.o common.o - $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o -diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c -index 72aba41..50d5693 100644 ---- a/pppd/plugins/rp-pppoe/if.c -+++ b/pppd/plugins/rp-pppoe/if.c -@@ -133,7 +133,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - - /* Fill in hardware address */ - if (hwaddr) { -- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0) { - error("Can't get hardware address for %s: %m", ifname); - close(fd); -@@ -152,7 +153,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - } - - /* Sanity check on MTU */ -- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(fd, SIOCGIFMTU, &ifr) < 0) { - error("Can't get MTU for %s: %m", ifname); - } else if (ifr.ifr_mtu < ETH_DATA_LEN) { -@@ -166,7 +168,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - sa.sll_family = AF_PACKET; - sa.sll_protocol = htons(type); - -- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { - error("Could not get interface index for %s: %m", ifname); - close(fd); -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index 24bdf8f..1856c6b 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -153,7 +153,7 @@ PPPOEConnectDevice(void) - error("Can't get MTU for %s: %m", conn->ifName); - goto errout; - } -- strncpy(ifr.ifr_name, conn->ifName, sizeof(ifr.ifr_name)); -+ strlcpy(ifr.ifr_name, conn->ifName, sizeof(ifr.ifr_name)); - if (ioctl(s, SIOCGIFMTU, &ifr) < 0) { - error("Can't get 
MTU for %s: %m", conn->ifName); - close(s); -@@ -326,7 +326,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) - - /* Try getting interface index */ - if (r) { -- strncpy(ifr.ifr_name, cmd, sizeof(ifr.ifr_name)); -+ strlcpy(ifr.ifr_name, cmd, sizeof(ifr.ifr_name)); - if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { - r = 0; - } else { -@@ -345,7 +345,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) - /* Close socket */ - close(fd); - if (r && doit) { -- strncpy(devnam, cmd, sizeof(devnam)); -+ strlcpy(devnam, cmd, sizeof(devnam)); - if (the_channel != &pppoe_channel) { - - the_channel = &pppoe_channel; -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index 2bd910f..502e17f 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -177,7 +177,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) - sa.sll_family = AF_PACKET; - sa.sll_protocol = htons(type); - -- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { - fatalSys("ioctl(SIOCFIGINDEX): Could not get interface index"); - } -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index f77f5b7..6118e27 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -24,6 +24,8 @@ - #include /* For FILE */ - #include /* For pid_t */ - -+#include "pppd/pppd.h" /* For error */ -+ - /* How do we access raw Ethernet devices? */ - #undef USE_LINUX_PACKET - #undef USE_BPF -diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c -index bb05acd..4638f46 100644 ---- a/pppd/plugins/winbind.c -+++ b/pppd/plugins/winbind.c -@@ -432,6 +432,7 @@ unsigned int run_ntlm_auth(const char *username, - - /* parent */ - if (close(child_out[0]) == -1) { -+ close(child_in[1]); - notice("error closing pipe?!? 
for child OUT[0]"); - return NOT_AUTHENTICATED; - } -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 9a1d8a6..ef92486 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -2236,7 +2236,6 @@ int ppp_available(void) - } - } - -- close (s); - if (!ok) { - slprintf(route_buffer, sizeof(route_buffer), - "Sorry - PPP driver version %d.%d.%d is out of date\n", -@@ -2246,6 +2245,7 @@ int ppp_available(void) - } - } - } -+ close(s); - return ok; - } - -@@ -2722,7 +2722,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) - warn("Couldn't unlock pty slave %s: %m", pty_name); - #endif - if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) -+ { - warn("Couldn't open pty slave %s: %m", pty_name); -+ close(mfd); -+ } - } - } - #endif /* TIOCGPTN */ -@@ -3011,6 +3014,7 @@ ether_to_eui64(eui64_t *p_eui64) - if (get_first_ethernet(ð_dev) < 0) - { - warn("no ethernet device present on the host"); -+ close(skfd); - return 0; - } - -diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c -index 6367988..4aaa319 100644 ---- a/pppstats/pppstats.c -+++ b/pppstats/pppstats.c -@@ -150,7 +150,8 @@ get_ppp_stats(curp) - #define ifr_name ifr__name - #endif - -- strncpy(req.ifr_name, interface, sizeof(req.ifr_name)); -+ strncpy(req.ifr_name, interface, IFNAMSIZ); -+ req.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(s, SIOCGPPPSTATS, &req) < 0) { - fprintf(stderr, "%s: ", progname); - if (errno == ENOTTY) -@@ -176,7 +177,8 @@ get_ppp_cstats(csp) - #define ifr_name ifr__name - #endif - -- strncpy(creq.ifr_name, interface, sizeof(creq.ifr_name)); -+ strncpy(creq.ifr_name, interface, IFNAMSIZ); -+ creq.ifr_name[IFNAMSIZ - 1] = 0; - if (ioctl(s, SIOCGPPPCSTATS, &creq) < 0) { - fprintf(stderr, "%s: ", progname); - if (errno == ENOTTY) { -@@ -526,7 +528,8 @@ main(argc, argv) - #undef ifr_name - #define ifr_name ifr_ifrn.ifrn_name - #endif -- strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name)); -+ strncpy(ifr.ifr_name, interface, IFNAMSIZ); -+ ifr.ifr_name[IFNAMSIZ - 1] = 0; - if 
(ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { - fprintf(stderr, "%s: nonexistent interface '%s' specified\n", - progname, interface); diff --git a/SPECS-EXTENDED/ppp/ppp-2.4.7-eaptls-mppe-1.300.patch b/SPECS-EXTENDED/ppp/ppp-2.4.7-eaptls-mppe-1.300.patch deleted file mode 100644 index d635696625..0000000000 --- a/SPECS-EXTENDED/ppp/ppp-2.4.7-eaptls-mppe-1.300.patch +++ /dev/null 
@@ -1,3948 +0,0 @@ -diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.300/README.eap-tls ---- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.300/README.eap-tls 2020-04-03 11:52:15.686777964 +0200 -@@ -0,0 +1,307 @@ -+EAP-TLS authentication support for PPP -+====================================== -+ -+1. Intro -+ -+ The Extensible Authentication Protocol (EAP; RFC 3748) is a -+ security protocol that can be used with PPP. It provides a means -+ to plug in multiple optional authentication methods. -+ -+ Transport Level Security (TLS; RFC 5216) provides for mutual -+ authentication, integrity-protected ciphersuite negotiation and -+ key exchange between two endpoints. It also provides for optional -+ MPPE encryption. -+ -+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, -+ allowing TLS mutual authentication to be used as a generic EAP -+ mechanism. It also provides optional encryption using the MPPE -+ protocol. -+ -+ This patch provide EAP-TLS support to pppd. -+ This authentication method can be used in both client or server -+ mode. -+ -+2. Building -+ -+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) -+ is required. Any version from 0.9.7 should work. -+ -+ Configure, compile, and install as usual. -+ -+3. Configuration -+ -+ On the client side there are two ways to configure EAP-TLS: -+ -+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters -+ -+ 2. edit the /etc/ppp/eaptls-client file. -+ Insert a line for each system with which you use EAP-TLS. 
-+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ The file containing the certificate chain for the -+ client in PEM format -+ - Server certificate file -+ If you want to specify the certificate that the -+ server is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM -+ format. -+ - Client private key file -+ The file containing the client private key in PEM format. -+ -+ -+ On the server side edit the /etc/ppp/eaptls-server file. -+ Insert a line for each system with which you use EAP-TLS. -+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ If you want to specify the certificate that the -+ client is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - Server certificate file -+ The file containing the certificate chain for the -+ server in PEM format -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM format. -+ - Client private key file -+ The file containing the server private key in PEM format. -+ - addresses -+ A list of IP addresses the client is allowed to use. -+ -+ -+ OpenSSL engine support is included starting with v0.95 of this patch. -+ Currently the only engine tested is the 'pkcs11' engine (hardware token -+ support). To use the 'pksc11' engine: -+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: -+ : -+ e.g. -+ pkcs11:123456 -+ -+ - The certificate can also be loaded from the 'pkcs11' engine using -+ a special client certificate filename in the /etc/ppp/eaptls-client file: -+ : -+ e.g. 
-+ pkcs11:123456 -+ -+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior -+ to starting 'pppd'. A sample openssl.cnf file is -+ -+ openssl_conf = openssl_def -+ -+ [ openssl_def ] -+ engines = engine_section -+ -+ [ engine_section ] -+ pkcs11 = pkcs11_section -+ -+ [ pkcs11_section ] -+ engine_id = pkcs11 -+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+ MODULE_PATH = /usr/lib64/libeTPkcs11.so -+ init = 0 -+ -+ - There are two ways to specify a password/PIN for the PKCS11 engine: -+ - inside the openssl.cnf file using -+ PIN = your-secret-pin -+ Note The keyword 'PIN' is case sensitive! -+ - Using the 'password' in the ppp options file. -+ From v0.97 of the eap-tls patch the password can also be supplied -+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c -+ for an example). -+ -+ -+4. Options -+ -+ These pppd options are available: -+ -+ ca -+ Use the CA public certificate found in in PEM format -+ cert -+ Use the client public certificate found in in PEM format -+ or in engine:engine_id format -+ key -+ Use the client private key found in in PEM format -+ or in engine:engine_id format -+ crl -+ Use the Certificate Revocation List (CRL) file in PEM format. -+ crl-dir -+ Use CRL files from directory . It contains CRL files in PEM -+ format and each file contains a CRL. The files are looked up -+ by the issuer name hash value. Use the c_rehash utility -+ to create necessary links. -+ need-peer-eap -+ If the peer doesn't ask us to authenticate or doesn't use eap -+ to authenticate us, disconnect. -+ -+ Note: -+ password-encrypted certificates can be used as of v0.94 of this -+ patch. The password for the eap-tls.key file is specified using -+ the regular -+ password .... -+ statement in the ppp options file, or by using the appropriate -+ plugin which supplies a 'eaptls_passwd_hook' routine. -+ -+5. 
Connecting -+ -+ If you're setting up a pppd server, edit the EAP-TLS configuration file -+ as written above and then run pppd with the 'auth' option to authenticate -+ the client. The EAP-TLS method will be used if the other eap methods can't -+ be used (no secrets). -+ -+ If you're setting up a client, edit the configuration file and then run -+ pppd with 'remotename' option to specify the server name. Add the -+ 'need-peer-eap' option if you want to be sure the peer ask you to -+ authenticate (and to use eap) and to disconnect if it doesn't. -+ -+6. Example -+ -+ The following example can be used to connect a Linux client with the 'pptp' -+ package to a Linux server running the 'pptpd' (PoPToP) package. The server -+ was configured with a certificate with name (CN) 'pptp-server', the client -+ was configured with a certificate with name (CN) 'pptp-client', both -+ signed by the same Certificate Authority (CA). -+ -+ Server side: -+ - /etc/pptpd.conf file: -+ option /etc/ppp/options-pptpd-eaptls -+ localip 172.16.1.1 -+ remoteip 172.16.1.10-20 -+ - /etc/ppp/options-pptpd-eaptls file: -+ name pptp-server -+ lock -+ mtu 1500 -+ mru 1450 -+ auth -+ lcp-echo-failure 3 -+ lcp-echo-interval 5 -+ nodeflate -+ nobsdcomp -+ nopredictor1 -+ nopcomp -+ noaccomp -+ -+ require-eap -+ require-mppe-128 -+ -+ crl /home/janjust/ppp/keys/crl.pem -+ -+ debug -+ logfile /tmp/pppd.log -+ -+ - /etc/ppp/eaptls-server file: -+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * -+ -+ - On the server, run -+ pptdp --conf /etc/pptpd.conf -+ -+ Client side: -+ - Run -+ pppd noauth require-eap require-mppe-128 \ -+ ipcp-accept-local ipcp-accept-remote noipdefault \ -+ cert /etc/ppp/keys/pptp-client.crt \ -+ key /etc/ppp/keys/pptp-client.key \ -+ ca /etc/ppp/keys/ca.crt \ -+ name pptp-client remotename pptp-server \ -+ debug logfile /tmp/pppd.log -+ pty "pptp pptp-server.example.com --nolaunchpppd" -+ -+ Check /var/log/messages and the files /tmp/pppd.log on 
both sides for debugging info. -+ -+7. Notes -+ -+ This is experimental code. -+ Send suggestions and comments to Jan Just Keijser -+ -+8. Changelog of ppp-<>-eaptls-mppe-* patches -+ -+v0.7 (22-Nov-2005) -+ - First version of the patch to include MPPE support -+ - ppp-2.4.3 only -+v0.9 (25-Jul-2006) -+ - Bug fixes -+ - First version for ppp-2.4.4 -+v0.91 (03-Sep-2006) -+ - Added missing #include for md5.h -+ - Last version for ppp-2.4.3 -+v0.92 (22-Apr-2008) -+ - Fix for openssl 0.9.8 issue with md5 function overload. -+v0.93 (14-Aug-2008) -+ - Make sure 'noauth' option can be used to bypass server certificate verification. -+v0.94 (15-Oct-2008) -+ - Added support for password-protected private keys by (ab)using the 'password' field. -+v0.95 (23-Dec-2009) -+ - First version with OpenSSL engine support. -+v0.96 (27-Jan-2010) -+ - Added fully functional support for OpenSSL engines (PKCS#11) -+ - First version for ppp-2.4.5 -+v0.97 (20-Apr-2010) -+ - Some bug fixes for v0.96 -+ - Added support for entering the password via a plugin. The sample plugin -+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. -+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. -+ - Added support for specifying the client CA, certificate and private key on the command-line -+ or via the ppp config file. -+v0.98 (20-Apr-2010) -+ - Fix initialisation bug when using ca/cert/key command-line options. -+ - Last version for ppp-2.4.4 -+v0.99 (05-Oct-2010) -+ - Fix coredump when using multilink option. -+v0.991 (08-Aug-2011) -+ - Fix compilation issue with openssl 1.0. -+v0.992 (01-Dec-2011) -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. -+v0.993 (24-Apr-2012) -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. -+v0.994 (11-Jun-2012) -+ - Fix compilation issue on Ubuntu 11.10. -+v0.995 (27-May-2014) -+ - Add support for a CRL file using the command-line option 'crl' -+ (prior only 'crl-dir' was supported). 
-+ - Fix segfault when pkcs11 enginename was not specified correctly. -+ - Fix segfault when client was misconfigured. -+ - Disable SSL Session Ticket support as Windows 8 does not support this. -+v0.996 (28-May-2014) -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' -+ - Add EAP-TLS-specific options to pppd.8 manual page. -+ - Updated README.eap-tls file with new options and provide an example. -+v0.997 (19-Jun-2014) -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET -+ - Fix bug in initialisation code with fragmented packets. -+v0.998 (13-Mar-2015) -+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 -+v0.999 (11-May-2017) -+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. -+v1.101 (1-Jun-2018) -+ - Fix vulnerabilities CVE-2018-11574. -+v1.102 (2-Nov-2018) -+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2. -+ This works both when compiling against OpenSSL 1.0.1+ and 1.1+. -+ - Print warning when certificate is either not yet valid or has expired. -+ - Perform better peer certificate checks. -+ - Allow certificate chain files to be used. -+v1.200 (28-Feb-2020) -+ - First version of patch that was used to create a github PR against the main ppp code base. -+ - Add client-side 'capath' option to allow a directory with trusted CA certificates. -+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or -+ use the ones supplied by OpenSSL. -+ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp -+ kernel driver does not support MPPE. -+v1.201 (03-Apr-2020) -+ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that -+ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. -+v1.300 (03-Apr-2020) -+ - Add (experimental) TLS 1.3 support. 
This is based on draft-ietf-emu-eap-tls13-05 (expired) and -+ requires OpenSSL 1.1.1+ to be effective. -+ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use -+ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3') -+ -diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/eaptls-client ---- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-03-23 09:20:59.000000000 +0100 -@@ -0,0 +1,10 @@ -+# Parameters for authentication using EAP-TLS (client) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (required) -+# server certificate file (optional, if unused put '-') -+# CA certificate file (required) -+# client private key file (required) -+ -+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/eaptls-server ---- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-03-23 09:20:59.000000000 +0100 -@@ -0,0 +1,11 @@ -+# Parameters for authentication using EAP-TLS (server) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (optional, if unused put '-') -+# server certificate file (required) -+# CA certificate file (required) -+# server private key file (required) -+# allowed addresses (required, can be *) -+ -+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/openssl.cnf ---- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-03-23 09:20:59.000000000 +0100 -@@ -0,0 +1,14 @@ -+openssl_conf = openssl_def -+ -+[ openssl_def ] -+engines = engine_section -+ 
-+[ engine_section ] -+pkcs11 = pkcs11_section -+ -+[ pkcs11_section ] -+engine_id = pkcs11 -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+MODULE_PATH = /usr/lib64/libeTPkcs11.so -+init = 0 -+ -diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.300/linux/Makefile.top ---- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/linux/Makefile.top 2020-03-23 09:20:59.000000000 +0100 -@@ -26,7 +26,7 @@ - cd pppdump; $(MAKE) $(MFLAGS) install - - install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ -- $(ETCDIR)/chap-secrets -+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client - - install-devel: - cd pppd; $(MAKE) $(MFLAGS) install-devel -@@ -37,6 +37,10 @@ - $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ - $(ETCDIR)/chap-secrets: - $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ -+$(ETCDIR)/eaptls-server: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ -+$(ETCDIR)/eaptls-client: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ - - $(BINDIR): - $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.300/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/Makefile.linux 2020-03-23 09:20:59.000000000 +0100 -@@ -11,16 +11,16 @@ - - TARGETS = pppd - --PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c md5.c ccp.c \ -- ecp.c ipxcp.c auth.c options.c sys-linux.c md4.c chap_ms.c \ -+PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c ccp.c \ -+ ecp.c ipxcp.c auth.c options.c sys-linux.c chap_ms.c \ - demand.c utils.c tty.c eap.c chap-md5.c session.c - - HEADERS = ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h \ -- ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h \ -+ ipxcp.h lcp.h magic.h patchlevel.h pathnames.h pppd.h \ - upap.h eap.h - - MANPAGES = pppd.8 --PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o \ 
-+PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o ccp.o \ - ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ - eap.o chap-md5.o session.o - -@@ -76,6 +76,13 @@ - # Use libutil - USE_LIBUTIL=y - -+# Enable EAP-TLS authentication (requires MPPE support, libssl and libcrypto) -+USE_EAPTLS=y -+ -+# Either use the internal {md5,sha1} routines or use the openssl versions -+USE_OPENSSL_MD5=y -+USE_OPENSSL_SHA1=y -+ - MAXOCTETS=y - - INCLUDE_DIRS= -I../include -@@ -87,8 +94,9 @@ - ifdef CHAPMS - CFLAGS += -DCHAPMS=1 - NEEDDES=y --PPPDOBJS += md4.o chap_ms.o -+PPPDSRC += md4.c chap_ms.c - HEADERS += md4.h chap_ms.h -+PPPDOBJS += md4.o chap_ms.o - ifdef MSLANMAN - CFLAGS += -DMSLANMAN=1 - endif -@@ -106,11 +114,31 @@ - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -+endif -+ -+# EAP-TLS -+ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -+LIBS += -lssl -lcrypto -+PPPDSRC += eap-tls.c -+HEADERS += eap-tls.h -+PPPDOBJS += eap-tls.o -+endif -+ -+ifdef USE_OPENSSL_MD5 -+CFLAGS += -DUSE_OPENSSL_MD5=1 -+LIBS += -lcrypto -+else -+PPPDSRC += md5.c -+HEADERS += md5.h -+PPPDOBJS += md5.o -+endif -+ -+ifdef USE_OPENSSL_SHA1 -+CFLAGS += -DUSE_OPENSSL_SHA1=1 -+LIBS += -lcrypto - else --# OpenSSL has an integrated version of SHA-1, and its implementation --# is incompatible with this local SHA-1 implementation. We must use --# one or the other, not both. 
--PPPDSRCS += sha1.c -+PPPDSRC += sha1.c - HEADERS += sha1.h - PPPDOBJS += sha1.o - endif -diff -Naur ppp-2.4.7/pppd/Makefile.sol2 ppp-2.4.7-eaptls-mppe-1.300/pppd/Makefile.sol2 ---- ppp-2.4.7/pppd/Makefile.sol2 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-03-23 09:20:59.000000000 +0100 -@@ -5,10 +5,10 @@ - - include ../Makedefs.com - --CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="@DESTDIR@"' -+CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="/usr/local"' - LIBS = -lsocket -lnsl - --OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o md5.o \ -+OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o \ - tty.o ccp.o ecp.o auth.o options.o demand.o utils.o sys-solaris.o \ - chap-md5.o session.o - -@@ -37,7 +37,21 @@ - - # Uncomment to enable MS-CHAP - CFLAGS += -DUSE_CRYPT -DCHAPMS -DMSLANMAN -DHAVE_CRYPT_H --OBJS += chap_ms.o pppcrypt.o md4.o sha1.o -+OBJS += chap_ms.o pppcrypt.o md4.o -+ -+# Uncomment to enable MPPE (in both CHAP and EAP-TLS) -+CFLAGS += -DMPPE -+ -+# Uncomment to use the OpenSSL {md5,sha1} routines -+#CFLAGS += -DUSE_OPENSSL_MD5 -DUSE_OPENSSL_SHA1 -+#LIBS += -lcrypto -+# else -+OBJS += md5.o sha1.o -+ -+# Uncomment to enable EAP-TLS -+CFLAGS += -DUSE_EAPTLS -+LIBS += -lcrypto -lssl -+OBJS += eap-tls.o - - # Uncomment for CBCP - #CFLAGS += -DCBCP_SUPPORT -diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.300/pppd/auth.c ---- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/auth.c 2020-04-02 15:28:19.000000000 +0200 -@@ -109,6 +109,9 @@ - #include "upap.h" - #include "chap-new.h" - #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif - #ifdef CBCP_SUPPORT - #include "cbcp.h" - #endif -@@ -183,6 +186,11 @@ - /* Hook for a plugin to get the CHAP password for authenticating us */ - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; - -+#ifdef USE_EAPTLS -+/* Hook for a plugin to get 
the EAP-TLS password for authenticating us */ -+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; -+#endif -+ - /* Hook for a plugin to say whether it is OK if the peer - refuses to authenticate. */ - int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,16 @@ - bool explicit_user = 0; /* Set if "user" option supplied */ - bool explicit_passwd = 0; /* Set if "password" option supplied */ - char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ -+#ifdef USE_EAPTLS -+char *cacert_file = NULL; /* CA certificate file (pem format) */ -+char *ca_path = NULL; /* directory with CA certificates */ -+char *cert_file = NULL; /* client certificate file (pem format) */ -+char *privkey_file = NULL; /* client private key file (pem format) */ -+char *crl_dir = NULL; /* directory containing CRL files */ -+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ -+char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ -+bool need_peer_eap = 0; /* Require peer to authenticate us */ -+#endif - - static char *uafname; /* name of most recent +ua file */ - -@@ -254,6 +272,19 @@ - static int have_chap_secret __P((char *, char *, int, int *)); - static int have_srp_secret __P((char *client, char *server, int need_ip, - int *lacks_ipp)); -+ -+#ifdef USE_EAPTLS -+static int have_eaptls_secret_server -+__P((char *client, char *server, int need_ip, int *lacks_ipp)); -+static int have_eaptls_secret_client __P((char *client, char *server)); -+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, -+ char *cli_cert, char *serv_cert, -+ char *ca_cert, char *pk, -+ struct wordlist ** addrs, -+ struct wordlist ** opts, -+ char *filename, int flags)); -+#endif -+ - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); - static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, struct wordlist **, -@@ -401,6 +432,18 @@ - "Set telephone number(s) which are 
allowed to connect", - OPT_PRIV | OPT_A2LIST }, - -+#ifdef USE_EAPTLS -+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, -+ { "capath", o_string, &ca_path, "EAP-TLS CA certificate directory" }, -+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, -+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, -+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, -+ { "crl", o_string, &crl_file, "Use specific CRL file" }, -+ { "max-tls-version", o_string, &max_tls_version, -+ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, -+ { "need-peer-eap", o_bool, &need_peer_eap, -+ "Require the peer to authenticate us", 1 }, -+#endif /* USE_EAPTLS */ - { NULL } - }; - -@@ -730,6 +773,9 @@ - lcp_options *wo = &lcp_wantoptions[unit]; - lcp_options *go = &lcp_gotoptions[unit]; - lcp_options *ho = &lcp_hisoptions[unit]; -+#ifdef USE_EAPTLS -+ lcp_options *ao = &lcp_allowoptions[unit]; -+#endif - int i; - struct protent *protp; - -@@ -764,6 +810,22 @@ - } - } - -+#ifdef USE_EAPTLS -+ if (need_peer_eap && !ao->neg_eap) { -+ warn("eap required to authenticate us but no suitable secrets"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_AUTH_TOPEER_FAILED; -+ return; -+ } -+ -+ if (need_peer_eap && !ho->neg_eap) { -+ warn("peer doesn't want to authenticate us with eap"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_PEER_AUTH_FAILED; -+ return; -+ } -+#endif -+ - new_phase(PHASE_AUTHENTICATE); - auth = 0; - if (go->neg_eap) { -@@ -1277,6 +1339,15 @@ - our_name, 1, &lacks_ip); - } - -+#ifdef USE_EAPTLS -+ if (!can_auth && wo->neg_eap) { -+ can_auth = -+ have_eaptls_secret_server((explicit_remote ? 
remote_name : -+ NULL), our_name, 1, &lacks_ip); -+ -+ } -+#endif -+ - if (auth_required && !can_auth && noauth_addrs == NULL) { - if (default_auth) { - option_error( -@@ -1331,7 +1402,11 @@ - passwd[0] != 0 || - (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, - (explicit_remote? remote_name: NULL), 0, NULL))) || -- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); -+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) -+#ifdef USE_EAPTLS -+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) -+#endif -+ ); - - hadchap = -1; - if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1421,14 @@ - !have_chap_secret((explicit_remote? remote_name: NULL), our_name, - 1, NULL))) && - !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, -- NULL)) -+ NULL) -+#ifdef USE_EAPTLS -+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), -+ our_name, 1, NULL) -+#endif -+ ) - go->neg_eap = 0; -+ - } - - -@@ -1707,6 +1788,7 @@ - } - - -+ - /* - * get_secret - open the CHAP secret file and return the secret - * for authenticating the given client on the given server. 
-@@ -2359,3 +2441,345 @@ - - auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); - } -+ -+ -+#ifdef USE_EAPTLS -+static int -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp) -+ char *client; -+ char *server; -+ int need_ip; -+ int *lacks_ipp; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ filename = _PATH_EAPTLSSERVFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, -+ clicertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { -+ if (lacks_ipp != 0) -+ *lacks_ipp = 1; -+ ret = -1; -+ } -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+have_eaptls_secret_client(client, server) -+ char *client; -+ char *server; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs = NULL; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ if ((cacert_file || ca_path) && cert_file && privkey_file) -+ return 1; -+ -+ filename = _PATH_EAPTLSCLIFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, -+ 
servcertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, -+ addrs, opts, filename, flags) -+ FILE *f; -+ char *client; -+ char *server; -+ char *cli_cert; -+ char *serv_cert; -+ char *ca_cert; -+ char *pk; -+ struct wordlist **addrs; -+ struct wordlist **opts; -+ char *filename; -+ int flags; -+{ -+ int newline; -+ int got_flag, best_flag; -+ struct wordlist *ap, *addr_list, *alist, **app; -+ char word[MAXWORDLEN]; -+ -+ if (addrs != NULL) -+ *addrs = NULL; -+ if (opts != NULL) -+ *opts = NULL; -+ addr_list = NULL; -+ if (!getword(f, word, &newline, filename)) -+ return -1; /* file is empty??? */ -+ newline = 1; -+ best_flag = -1; -+ for (;;) { -+ /* -+ * Skip until we find a word at the start of a line. -+ */ -+ while (!newline && getword(f, word, &newline, filename)); -+ if (!newline) -+ break; /* got to end of file */ -+ -+ /* -+ * Got a client - check if it's a match or a wildcard. -+ */ -+ got_flag = 0; -+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { -+ newline = 0; -+ continue; -+ } -+ if (!ISWILD(word)) -+ got_flag = NONWILD_CLIENT; -+ -+ /* -+ * Now get a server and check if it matches. -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (!ISWILD(word)) { -+ if (server != NULL && strcmp(word, server) != 0) -+ continue; -+ got_flag |= NONWILD_SERVER; -+ } -+ -+ /* -+ * Got some sort of a match - see if it's better than what -+ * we have already. 
-+ */ -+ if (got_flag <= best_flag) -+ continue; -+ -+ /* -+ * Get the cli_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(cli_cert, word, MAXWORDLEN); -+ } else -+ cli_cert[0] = 0; -+ -+ /* -+ * Get serv_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(serv_cert, word, MAXWORDLEN); -+ } else -+ serv_cert[0] = 0; -+ -+ /* -+ * Get ca_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(ca_cert, word, MAXWORDLEN); -+ -+ /* -+ * Get pk -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(pk, word, MAXWORDLEN); -+ -+ -+ /* -+ * Now read address authorization info and make a wordlist. -+ */ -+ app = &alist; -+ for (;;) { -+ if (!getword(f, word, &newline, filename) || newline) -+ break; -+ ap = (struct wordlist *) -+ malloc(sizeof(struct wordlist) + strlen(word) + 1); -+ if (ap == NULL) -+ novm("authorized addresses"); -+ ap->word = (char *) (ap + 1); -+ strcpy(ap->word, word); -+ *app = ap; -+ app = &ap->next; -+ } -+ *app = NULL; -+ /* -+ * This is the best so far; remember it. 
-+ */ -+ best_flag = got_flag; -+ if (addr_list) -+ free_wordlist(addr_list); -+ addr_list = alist; -+ -+ if (!newline) -+ break; -+ } -+ -+ /* scan for a -- word indicating the start of options */ -+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) -+ if (strcmp(ap->word, "--") == 0) -+ break; -+ /* ap = start of options */ -+ if (ap != NULL) { -+ ap = ap->next; /* first option */ -+ free(*app); /* free the "--" word */ -+ *app = NULL; /* terminate addr list */ -+ } -+ if (opts != NULL) -+ *opts = ap; -+ else if (ap != NULL) -+ free_wordlist(ap); -+ if (addrs != NULL) -+ *addrs = addr_list; -+ else if (addr_list != NULL) -+ free_wordlist(addr_list); -+ -+ return best_flag; -+} -+ -+ -+int -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, capath, pkfile, am_server) -+ int unit; -+ char *client; -+ char *server; -+ char *clicertfile; -+ char *servcertfile; -+ char *cacertfile; -+ char *capath; -+ char *pkfile; -+ int am_server; -+{ -+ FILE *fp; -+ int ret; -+ char *filename = NULL; -+ struct wordlist *addrs = NULL; -+ struct wordlist *opts = NULL; -+ -+ /* maybe overkill, but it eases debugging */ -+ bzero(clicertfile, MAXWORDLEN); -+ bzero(servcertfile, MAXWORDLEN); -+ bzero(cacertfile, MAXWORDLEN); -+ bzero(capath, MAXWORDLEN); -+ bzero(pkfile, MAXWORDLEN); -+ -+ /* the ca+cert+privkey can also be specified as options */ -+ if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) -+ { -+ strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ if (cacert_file) -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); -+ if (ca_path) -+ strlcpy( capath, ca_path, MAXWORDLEN ); -+ strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ } -+ else -+ { -+ filename = (am_server ? 
_PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); -+ addrs = NULL; -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) -+ { -+ error("Can't open eap-tls secret file %s: %m", filename); -+ return 0; -+ } -+ -+ check_access(fp, filename); -+ -+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, &opts, filename, 0); -+ -+ fclose(fp); -+ -+ if (ret < 0) return 0; -+ } -+ -+ if (eaptls_passwd_hook) -+ { -+ dbglog( "Calling eaptls password hook" ); -+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) -+ { -+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", -+ client, pkfile); -+ return 0; -+ } -+ } -+ if (am_server) -+ set_allowed_addrs(unit, addrs, opts); -+ else if (opts != NULL) -+ free_wordlist(opts); -+ if (addrs != NULL) -+ free_wordlist(addrs); -+ -+ return 1; -+} -+#endif -+ -diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.300/pppd/ccp.c ---- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/ccp.c 2020-03-23 09:20:59.000000000 +0100 -@@ -540,6 +540,9 @@ - if (go->mppe) { - ccp_options *ao = &ccp_allowoptions[f->unit]; - int auth_mschap_bits = auth_done[f->unit]; -+#ifdef USE_EAPTLS -+ int auth_eap_bits = auth_done[f->unit]; -+#endif - int numbits; - - /* -@@ -567,8 +570,23 @@ - lcp_close(f->unit, "MPPE required but not available"); - return; - } -+ -+#ifdef USE_EAPTLS -+ /* -+ * MPPE is also possible in combination with EAP-TLS. -+ * It is not possible to detect if we're doing EAP or EAP-TLS -+ * at this stage, hence we accept all forms of EAP. If TLS is -+ * not used then the MPPE keys will not be derived anyway. 
-+ */ -+ /* Leave only the eap auth bits set */ -+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); -+ -+ if ((numbits == 0) && (auth_eap_bits == 0)) { -+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); -+#else - if (!numbits) { -- error("MPPE required, but MS-CHAP[v2] auth not performed."); -+ error("MPPE required, but MS-CHAP[v2] auth not performed."); -+#endif - lcp_close(f->unit, "MPPE required but not available"); - return; - } -diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.300/pppd/chap-md5.c ---- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/chap-md5.c 2020-03-23 09:20:59.000000000 +0100 -@@ -36,7 +36,11 @@ - #include "chap-new.h" - #include "chap-md5.h" - #include "magic.h" -+#ifdef USE_OPENSSL_MD5 -+#include "openssl/md5.h" -+#else - #include "md5.h" -+#endif /* USE_OPENSSL_MD5 */ - - #define MD5_HASH_SIZE 16 - #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.7/pppd/chap_ms.c ppp-2.4.7-eaptls-mppe-1.300/pppd/chap_ms.c ---- ppp-2.4.7/pppd/chap_ms.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/chap_ms.c 2020-03-23 09:20:59.000000000 +0100 -@@ -535,7 +535,7 @@ - char *username, u_char Challenge[8]) - - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char sha1Hash[SHA1_SIGNATURE_SIZE]; - char *user; - -@@ -671,7 +671,7 @@ - 0x6E }; - - int i; -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char Digest[SHA1_SIGNATURE_SIZE]; - u_char Challenge[8]; - -@@ -725,7 +725,7 @@ - void - mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ - - SHA1_Init(&sha1Context); -@@ -769,7 +769,7 @@ - mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[24], int IsServer) - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN 
*/
- u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
-
-diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.300/pppd/eap-tls.c
---- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-03 11:27:59.116631426 +0200
-@@ -0,0 +1,1560 @@
-+/* * eap-tls.c - EAP-TLS implementation for PPP
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ * Jan Just Keijser 2006-2019 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "pppd.h"
-+#include "eap.h"
-+#include "eap-tls.h"
-+#include "fsm.h"
-+#include "lcp.h"
-+#include "pathnames.h"
-+
-+typedef struct pw_cb_data
-+{
-+ const void *password;
-+ const char *prompt_info;
-+} PW_CB_DATA;
-+
-+/* The openssl configuration file and engines can be loaded only once */
-+static CONF *ssl_config = NULL;
-+static ENGINE *cert_engine = NULL;
-+static ENGINE *pkey_engine = NULL;
-+
-+/* TLSv1.3 do we have a session ticket ? */
-+static int have_session_ticket = 0;
-+
-+int ssl_verify_callback(int, X509_STORE_CTX *);
-+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
-+ size_t len, SSL * ssl, void *arg);
-+int ssl_new_session_cb(SSL *s, SSL_SESSION *sess);
-+
-+X509 *get_X509_from_file(char *filename);
-+int ssl_cmp_certs(char *filename, X509 * a);
-+
-+#ifdef MPPE
-+
-+#define EAPTLS_MPPE_KEY_LEN 32
-+
-+/*
-+ * The following stuff is only needed if SSL_export_keying_material() is not available
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+
-+/*
-+ * https://wiki.openssl.org/index.php/1.1_API_Changes
-+ * tries to provide some guidance but ultimately falls short.
-+ *
-+ */
-+
-+static void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ if (ctx != NULL) {
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
-+}
-+
-+static HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+ if (ctx != NULL)
-+ HMAC_CTX_init(ctx);
-+ return ctx;
-+}
-+
-+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->client_random);
-+ if (outlen > sizeof(ssl->s3->client_random))
-+ outlen = sizeof(ssl->s3->client_random);
-+ memcpy(out, ssl->s3->client_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->server_random);
-+ if (outlen > sizeof(ssl->s3->server_random))
-+ outlen = sizeof(ssl->s3->server_random);
-+ memcpy(out, ssl->s3->server_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-+ unsigned char *out, size_t outlen)
-+{
-+ if (outlen == 0)
-+ return session->master_key_length;
-+ if (outlen > session->master_key_length)
-+ outlen = session->master_key_length;
-+ memcpy(out, session->master_key, outlen);
-+ return outlen;
-+}
-+
-+
-+/*
-+ * TLS PRF from RFC 2246
-+ */
-+static void P_hash(const EVP_MD *evp_md,
-+ const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned int out_len)
-+{
-+ HMAC_CTX *ctx_a, *ctx_out;
-+ unsigned char a[HMAC_MAX_MD_CBLOCK];
-+ unsigned int size;
-+
-+ ctx_a = HMAC_CTX_new();
-+ ctx_out = HMAC_CTX_new();
-+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
-+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
-+
-+ size = HMAC_size(ctx_out);
-+
-+ /* Calculate A(1) */
-+ HMAC_Update(ctx_a, seed, seed_len);
-+ HMAC_Final(ctx_a, a, NULL);
-+
-+ while (1) {
-+ /* Calculate next part of output */
-+ HMAC_Update(ctx_out, a,
size);
-+ HMAC_Update(ctx_out, seed, seed_len);
-+
-+ /* Check if last part */
-+ if (out_len < size) {
-+ HMAC_Final(ctx_out, a, NULL);
-+ memcpy(out, a, out_len);
-+ break;
-+ }
-+
-+ /* Place digest in output buffer */
-+ HMAC_Final(ctx_out, out, NULL);
-+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
-+ out += size;
-+ out_len -= size;
-+
-+ /* Calculate next A(i) */
-+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
-+ HMAC_Update(ctx_a, a, size);
-+ HMAC_Final(ctx_a, a, NULL);
-+ }
-+
-+ HMAC_CTX_free(ctx_a);
-+ HMAC_CTX_free(ctx_out);
-+ memset(a, 0, sizeof(a));
-+}
-+
-+static void PRF(const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned char *buf, unsigned int out_len)
-+{
-+ unsigned int i;
-+ unsigned int len = (secret_len + 1) / 2;
-+ const unsigned char *s1 = secret;
-+ const unsigned char *s2 = secret + (secret_len - len);
-+
-+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len);
-+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
-+
-+ for (i=0; i < out_len; i++) {
-+ out[i] ^= buf[i];
-+ }
-+}
-+
-+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen,
-+ const unsigned char *p, size_t plen,
-+ int use_context)
-+{
-+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
-+ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN];
-+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-+ size_t master_key_length;
-+ unsigned char *pp;
-+
-+ pp = seed;
-+
-+ memcpy(pp, label, llen);
-+ pp += llen;
-+
-+ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE);
-+ pp += SSL3_RANDOM_SIZE;
-+
-+ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE);
-+
-+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
-+ sizeof(master_key));
-+ PRF(master_key, master_key_length, seed, llen, out, buf, olen);
-+
-+ return 1;
-+}
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */
-+
-+
-+/*
-+ * OpenSSL 1.1+
introduced a generic TLS_method()
-+ * For older releases we substitute the appropriate method
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#define TLS_method SSLv23_method
-+
-+#define SSL3_RT_HEADER 0x100
-+
-+#ifndef SSL_CTX_set_max_proto_version
-+/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
-+static inline int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
-+{
-+ long sslopt = 0;
-+
-+ if (tls_ver_max < TLS1_VERSION)
-+ {
-+ sslopt |= SSL_OP_NO_TLSv1;
-+ }
-+#ifdef SSL_OP_NO_TLSv1_1
-+ if (tls_ver_max < TLS1_1_VERSION)
-+ {
-+ sslopt |= SSL_OP_NO_TLSv1_1;
-+ }
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+ if (tls_ver_max < TLS1_2_VERSION)
-+ {
-+ sslopt |= SSL_OP_NO_TLSv1_2;
-+ }
-+#endif
-+ SSL_CTX_set_options(ctx, sslopt);
-+
-+ return 1;
-+}
-+#endif /* SSL_CTX_set_max_proto_version */
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
-+
-+/*
-+ * Generate keys according to RFC 2716 and add to reply
-+ */
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client)
-+{
-+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN];
-+ const char *prf_label;
-+ size_t prf_size;
-+ unsigned char eap_tls13_context[] = { EAPT_TLS };
-+ unsigned char *context = NULL;
-+ size_t context_len = 0;
-+ unsigned char *p;
-+
-+ dbglog("EAP-TLS generating MPPE keys");
-+ if (ets->tls_v13)
-+ {
-+ prf_label = "EXPORTER_EAP_TLS_Key_Material";
-+ context = eap_tls13_context;
-+ context_len = 1;
-+ }
-+ else
-+ {
-+ prf_label = "client EAP encryption";
-+ }
-+
-+ dbglog("EAP-TLS PRF label = %s", prf_label);
-+ prf_size = strlen(prf_label);
-+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size,
-+ context, context_len, 0) != 1)
-+ {
-+ warn( "EAP-TLS: Failed generating keying material" );
-+ return;
-+ }
-+
-+ /*
-+ * We now have the master send and receive keys.
-+ * From these, generate the session send and receive keys.
-+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
-+ */
-+ if (client)
-+ {
-+ p = out;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ }
-+ else
-+ {
-+ p = out;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ }
-+
-+ mppe_keys_set = 1;
-+}
-+
-+#endif /* MPPE */
-+
-+void log_ssl_errors( void )
-+{
-+ unsigned long ssl_err = ERR_get_error();
-+
-+ if (ssl_err != 0)
-+ dbglog("EAP-TLS SSL error stack:");
-+ while (ssl_err != 0) {
-+ dbglog( ERR_error_string( ssl_err, NULL ) );
-+ ssl_err = ERR_get_error();
-+ }
-+}
-+
-+
-+int password_callback (char *buf, int size, int rwflag, void *u)
-+{
-+ if (buf)
-+ {
-+ strncpy (buf, passwd, size);
-+ return strlen (buf);
-+ }
-+ return 0;
-+}
-+
-+
-+CONF *eaptls_ssl_load_config( void )
-+{
-+ CONF *config;
-+ int ret_code;
-+ long error_line = 33;
-+
-+ config = NCONF_new( NULL );
-+ dbglog( "Loading OpenSSL config file" );
-+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
-+ if (ret_code == 0)
-+ {
-+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
-+ NCONF_free( config );
-+ config = NULL;
-+ ERR_clear_error();
-+ }
-+
-+ dbglog( "Loading OpenSSL built-ins" );
-+ ENGINE_load_builtin_engines();
-+ OPENSSL_load_builtin_modules();
-+
-+ dbglog( "Loading OpenSSL configured modules" );
-+ if (CONF_modules_load( config, NULL, 0 ) <= 0 )
-+ {
-+ warn( "EAP-TLS: Error loading OpenSSL modules" );
-+ log_ssl_errors();
-+ config = NULL;
-+ }
-+
-+ return config;
-+}
-+
-+ENGINE *eaptls_ssl_load_engine( char *engine_name )
-+{
-+ ENGINE *e = NULL;
-+
-+ dbglog( "Enabling OpenSSL auto engines" );
-+ ENGINE_register_all_complete();
-+
-+ dbglog( "Loading OpenSSL '%s' engine support", engine_name );
-+ e = ENGINE_by_id( engine_name );
-+ if (!e)
-+ {
-+ dbglog(
"EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
-+ e = ENGINE_by_id( "dynamic" );
-+ if (e)
-+ {
-+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
-+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
-+ {
-+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+ else
-+ {
-+ warn( "EAP-TLS: Cannot load dynamic engine support" );
-+ }
-+ }
-+
-+ if (e)
-+ {
-+ dbglog( "Initialising engine" );
-+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
-+ {
-+ warn( "EAP-TLS: Cannot use that engine" );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+
-+ return e;
-+}
-+
-+/*
-+ * Initialize the SSL stacks and tests if certificates, key and crl
-+ * for client or server use can be loaded.
-+ */
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
-+ char *certfile, char *peer_certfile, char *privkeyfile)
-+{
-+ char *cert_engine_name = NULL;
-+ char *cert_identifier = NULL;
-+ char *pkey_engine_name = NULL;
-+ char *pkey_identifier = NULL;
-+ SSL_CTX *ctx;
-+ SSL *ssl;
-+ X509_STORE *certstore;
-+ X509_LOOKUP *lookup;
-+ X509 *tmp;
-+ int ret;
-+#if defined(TLS1_2_VERSION)
-+ long tls_version = TLS1_2_VERSION;
-+#elif defined(TLS1_1_VERSION)
-+ long tls_version = TLS1_1_VERSION;
-+#else
-+ long tls_version = TLS1_VERSION;
-+#endif
-+
-+ /*
-+ * Without these can't continue
-+ */
-+ if (!(cacertfile[0] || capath[0]))
-+ {
-+ error("EAP-TLS: CA certificate file or path missing");
-+ return NULL;
-+ }
-+
-+ if (!certfile[0])
-+ {
-+ error("EAP-TLS: Certificate missing");
-+ return NULL;
-+ }
-+
-+ if (!privkeyfile[0])
-+ {
-+ error("EAP-TLS: Private key missing");
-+ return NULL;
-+ }
-+
-+ SSL_library_init();
-+ SSL_load_error_strings();
-+
-+ ctx = SSL_CTX_new(TLS_method());
-+
-+ if (!ctx) {
-+ error("EAP-TLS: Cannot initialize SSL CTX context");
-+ goto fail;
-+ }
-+
-+ /* if the certificate filename is of the form
engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the certificate filename starts with a / or . then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
-+ {
-+ cert_identifier = index( certfile, ':' );
-+
-+ if (cert_identifier)
-+ {
-+ cert_engine_name = certfile;
-+ *cert_identifier = '\0';
-+ cert_identifier++;
-+
-+ dbglog( "Found certificate engine '%s'", cert_engine_name );
-+ dbglog( "Found certificate identifier '%s'", cert_identifier );
-+ }
-+ }
-+
-+ /* if the privatekey filename is of the form engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the privatekey filename starts with a / or . then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
-+ {
-+ pkey_identifier = index( privkeyfile, ':' );
-+
-+ if (pkey_identifier)
-+ {
-+ pkey_engine_name = privkeyfile;
-+ *pkey_identifier = '\0';
-+ pkey_identifier++;
-+
-+ dbglog( "Found privatekey engine '%s'", pkey_engine_name );
-+ dbglog( "Found privatekey identifier '%s'", pkey_identifier );
-+ }
-+ }
-+
-+ if (cert_identifier && pkey_identifier)
-+ {
-+ if (strlen( cert_identifier ) == 0)
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!"
);
-+ else
-+ {
-+ dbglog( "Substituting privatekey identifier for certificate identifier" );
-+ cert_identifier = pkey_identifier;
-+ }
-+ }
-+ else
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ {
-+ dbglog( "Substituting certificate identifier for privatekey identifier" );
-+ pkey_identifier = cert_identifier;
-+ }
-+ }
-+
-+ }
-+
-+ /* load the openssl config file only once */
-+ if (!ssl_config)
-+ {
-+ if (cert_engine_name || pkey_engine_name)
-+ ssl_config = eaptls_ssl_load_config();
-+
-+ if (ssl_config && cert_engine_name)
-+ cert_engine = eaptls_ssl_load_engine( cert_engine_name );
-+
-+ if (ssl_config && pkey_engine_name)
-+ {
-+ /* don't load the same engine twice */
-+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
-+ pkey_engine = cert_engine;
-+ else
-+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
-+ }
-+ }
-+
-+ SSL_CTX_set_default_passwd_cb (ctx, password_callback);
-+
-+ if (strlen(cacertfile) == 0) cacertfile = NULL;
-+ if (strlen(capath) == 0) capath = NULL;
-+
-+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, capath))
-+ {
-+ error("EAP-TLS: Cannot load verify locations");
-+ if (cacertfile) dbglog("CA certificate file = [%s]", cacertfile);
-+ if (capath) dbglog("CA certificate path = [%s]", capath);
-+ goto fail;
-+ }
-+
-+ if (init_server)
-+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
-+
-+ if (cert_engine)
-+ {
-+ struct
-+ {
-+ const char *s_slot_cert_id;
-+ X509 *cert;
-+ } cert_info;
-+
-+ cert_info.s_slot_cert_id = cert_identifier;
-+ cert_info.cert = NULL;
-+
-+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
-+ {
-+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
-+ goto fail;
-+ }
-+
-+ if (cert_info.cert)
-+ {
-+ dbglog( "Got the certificate, adding it to SSL context" );
-+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
-+ if
(SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
-+ log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
-+ {
-+ error( "EAP-TLS: Cannot use public certificate %s", certfile );
-+ goto fail;
-+ }
-+ }
-+
-+
-+ /*
-+ * Check the Before and After dates of the certificate
-+ */
-+ ssl = SSL_new(ctx);
-+ tmp = SSL_get_certificate(ssl);
-+
-+ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL);
-+ if (ret == 0)
-+ {
-+ warn( "EAP-TLS: Failed to read certificate notBefore field.");
-+ }
-+ if (ret > 0)
-+ {
-+ warn( "EAP-TLS: Your certificate is not yet valid!");
-+ }
-+
-+ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL);
-+ if (ret == 0)
-+ {
-+ warn( "EAP-TLS: Failed to read certificate notAfter field.");
-+ }
-+ if (ret < 0)
-+ {
-+ warn( "EAP-TLS: Your certificate has expired!");
-+ }
-+ SSL_free(ssl);
-+
-+ if (pkey_engine)
-+ {
-+ EVP_PKEY *pkey = NULL;
-+ PW_CB_DATA cb_data;
-+
-+ cb_data.password = passwd;
-+ cb_data.prompt_info = pkey_identifier;
-+
-+ dbglog( "Loading private key '%s' from engine", pkey_identifier );
-+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
-+ if (pkey)
-+ {
-+ dbglog( "Got the private key, adding it to SSL context" );
-+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
-+ log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
-+ {
-+ error("EAP-TLS: Cannot use private key %s", privkeyfile);
-+ goto fail;
-+ }
-+ }
-+
-+ if (SSL_CTX_check_private_key(ctx) != 1) {
-+ error("EAP-TLS: Private key %s fails security check", privkeyfile);
-+ goto fail;
-+ }
-+
-+ /*
Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
-+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
-+#ifdef SSL_OP_NO_TICKET
-+ | SSL_OP_NO_TICKET
-+#endif
-+ );
-+
-+ /* OpenSSL 1.1.1+ does not include RC4 ciphers by default.
-+ * This causes totally obsolete WinXP clients to fail. If you really
-+ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and
-+ * make sure that you use an OpenSSL that supports them
-+
-+ SSL_CTX_set_cipher_list(ctx, "RC4");
-+ */
-+
-+
-+ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+.
-+ * During the initial handshake the server signals to the client early on
-+ * that the handshake is finished, even before the client has sent its
-+ * credentials to the server. The actual connection (and moment that the
-+ * client sends its credentials) only starts after the arrival of the first
-+ * session ticket. The 'ssl_new_session_cb' catches this ticket.
-+ */
-+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
-+ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);
-+
-+ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */
-+ if (max_tls_version)
-+ {
-+ if (strncmp(max_tls_version, "1.0", 3) == 0)
-+ tls_version = TLS1_VERSION;
-+ else if (strncmp(max_tls_version, "1.1", 3) == 0)
-+ tls_version = TLS1_1_VERSION;
-+ else if (strncmp(max_tls_version, "1.2", 3) == 0)
-+#ifdef TLS1_2_VERSION
-+ tls_version = TLS1_2_VERSION;
-+#else
-+ {
-+ warn("TLSv1.2 not available.
Defaulting to TLSv1.1");
-+ tls_version = TLS_1_1_VERSION;
-+ }
-+#endif
-+ else if (strncmp(max_tls_version, "1.3", 3) == 0)
-+#ifdef TLS1_3_VERSION
-+ tls_version = TLS1_3_VERSION;
-+#else
-+ warn("TLSv1.3 not available.");
-+#endif
-+ }
-+
-+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version);
-+ SSL_CTX_set_max_proto_version(ctx, tls_version);
-+
-+ SSL_CTX_set_verify_depth(ctx, 5);
-+ SSL_CTX_set_verify(ctx,
-+ SSL_VERIFY_PEER |
-+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-+ &ssl_verify_callback);
-+
-+ if (crl_dir) {
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+
-+ if (!(lookup =
-+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
-+ error("EAP-TLS: Store lookup for CRL failed");
-+
-+ goto fail;
-+ }
-+
-+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+ }
-+
-+ if (crl_file) {
-+ FILE *fp = NULL;
-+ X509_CRL *crl = NULL;
-+
-+ fp = fopen(crl_file, "r");
-+ if (!fp) {
-+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
-+ if (!crl) {
-+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+ if (!X509_STORE_add_crl(certstore, crl)) {
-+ error("EAP-TLS: Cannot add CRL to certificate store");
-+ goto fail;
-+ }
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+ }
-+
-+ /*
-+ * If a peer certificate file was specified, it must be valid, else fail
-+ */
-+ if (peer_certfile[0]) {
-+ if (!(tmp = get_X509_from_file(peer_certfile))) {
-+ error("EAP-TLS: Error loading client certificate from file %s",
-+ peer_certfile);
-+ goto fail;
-+ }
-+ X509_free(tmp);
-+ }
-+
-+ return ctx;
-+
-+fail:
-+ log_ssl_errors();
-+ SSL_CTX_free(ctx);
-+ return NULL;
-+}
-+
-+/*
-+ * Determine the maximum packet size by looking at the LCP handshake
-+ */
-+
-+int eaptls_get_mtu(int unit)
-+{
-+ int mtu, mru;
-+
-+ lcp_options *wo = &lcp_wantoptions[unit];
-+ lcp_options *go = &lcp_gotoptions[unit];
-+ lcp_options *ho = &lcp_hisoptions[unit];
-+ lcp_options *ao = &lcp_allowoptions[unit];
-+
-+ mtu = ho->neg_mru? ho->mru: PPP_MRU;
-+ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
-+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
-+
-+ dbglog("MTU = %d", mtu);
-+ return mtu;
-+}
-+
-+
-+/*
-+ * Init the ssl handshake (server mode)
-+ */
-+int eaptls_init_ssl_server(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char capath[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_server.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_server.ea_session;
-+
-+ if (!esp->es_server.ea_peer) {
-+ error("EAP-TLS: Error: client name not set (BUG)");
-+ return 0;
-+ }
-+
-+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
-+
-+ dbglog( "getting eaptls secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
-+ esp->es_server.ea_name, clicertfile,
-+ servcertfile, cacertfile, capath, pkfile, 1)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_server.ea_peer, esp->es_server.ea_name );
-+ return 0;
-+ }
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ if (!(ets->ssl = SSL_new(ets->ctx)))
-+ goto fail;
-+
-+ /*
-+ * Set auto-retry to avoid timeouts on BIO_read
-+ */
-+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ ets->into_ssl =
BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_accept_state(ets->ssl);
-+
-+ ets->tls_v13 = 0;
-+
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the client certificate file, store it in ets->peercertfile,
-+ * so we can check it later in ssl_verify_callback()
-+ */
-+ if (clicertfile[0])
-+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+}
-+
-+/*
-+ * Init the ssl handshake (client mode)
-+ */
-+int eaptls_init_ssl_client(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char capath[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_client.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_client.ea_session;
-+
-+ /*
-+ * If available, copy server name in ets; it will be used in cert
-+ * verify
-+ */
-+ if (esp->es_client.ea_peer)
-+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
-+ else
-+ ets->peer[0] = 0;
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ dbglog( "calling get_eaptls_secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
-+ ets->peer, clicertfile,
-+ servcertfile, cacertfile, capath, pkfile, 0)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_client.ea_name, ets->peer );
-+ return 0;
-+ }
-+
-+
dbglog( "calling eaptls_init_ssl" );
-+ ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ ets->ssl = SSL_new(ets->ctx);
-+
-+ if (!ets->ssl)
-+ goto fail;
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ dbglog( "Initializing SSL BIOs" );
-+ ets->into_ssl = BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_connect_state(ets->ssl);
-+
-+ ets->tls_v13 = 0;
-+
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the server certificate file, store it in
-+ * ets->peercertfile, so we can check it later in
-+ * ssl_verify_callback()
-+ */
-+ if (servcertfile[0])
-+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ dbglog( "eaptls_init_ssl_client: fail" );
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+
-+}
-+
-+void eaptls_free_session(struct eaptls_session *ets)
-+{
-+ if (ets->ssl)
-+ SSL_free(ets->ssl);
-+
-+ if (ets->ctx)
-+ SSL_CTX_free(ets->ctx);
-+
-+ free(ets);
-+}
-+
-+
-+int eaptls_is_init_finished(struct eaptls_session *ets)
-+{
-+ if (ets->ssl && SSL_is_init_finished(ets->ssl))
-+ {
-+ if (ets->tls_v13)
-+ return have_session_ticket;
-+ else
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Handle a received packet, reassembling fragmented messages and
-+ * passing them to the ssl engine
-+ */
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
-+{
-+ u_char flags;
-+ u_int tlslen = 0;
-+ u_char dummy[65536];
-+
-+ if (len < 1) {
-+ warn("EAP-TLS: received no
or invalid data");
-+ return 1;
-+ }
-+
-+ GETCHAR(flags, inp);
-+ len--;
-+
-+ if (flags & EAP_TLS_FLAGS_LI && len > 4) {
-+ /*
-+ * LenghtIncluded flag set -> this is the first packet of a message
-+ */
-+
-+ /*
-+ * the first 4 octets are the length of the EAP-TLS message
-+ */
-+ GETLONG(tlslen, inp);
-+ len -= 4;
-+
-+ if (!ets->data) {
-+
-+ if (tlslen > EAP_TLS_MAX_LEN) {
-+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
-+ tlslen = EAP_TLS_MAX_LEN;
-+ }
-+
-+ /*
-+ * Allocate memory for the whole message
-+ */
-+ ets->data = malloc(tlslen);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = tlslen;
-+ }
-+ else
-+ warn("EAP-TLS: non-first LI packet? that's odd...");
-+ }
-+ else if (!ets->data) {
-+ /*
-+ * A non fragmented message without LI flag
-+ */
-+
-+ ets->data = malloc(len);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = len;
-+ }
-+
-+ if (flags & EAP_TLS_FLAGS_MF)
-+ ets->frag = 1;
-+ else
-+ ets->frag = 0;
-+
-+ if (len < 0) {
-+ warn("EAP-TLS: received malformed data");
-+ return 1;
-+ }
-+
-+ if (len + ets->datalen > ets->tlslen) {
-+ warn("EAP-TLS: received data > TLS message length");
-+ return 1;
-+ }
-+
-+ BCOPY(inp, ets->data + ets->datalen, len);
-+ ets->datalen += len;
-+
-+ if (!ets->frag) {
-+
-+ /*
-+ * If we have the whole message, pass it to ssl
-+ */
-+
-+ if (ets->datalen != ets->tlslen) {
-+ warn("EAP-TLS: received data != TLS message length");
-+ return 1;
-+ }
-+
-+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
-+ log_ssl_errors();
-+
-+ SSL_read(ets->ssl, dummy, 65536);
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Return an eap-tls packet in outp.
-+ * A TLS message read from the ssl engine is buffered in ets->data.
-+ * At each call we control if there is buffered data and send a
-+ * packet of mtu bytes.
-+ */
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp)
-+{
-+ bool first = 0;
-+ int size;
-+ u_char fromtls[65536];
-+ int res;
-+ u_char *start;
-+
-+ start = *outp;
-+
-+ if (!ets->data)
-+ {
-+ if(!ets->alert_sent)
-+ {
-+ res = SSL_read(ets->ssl, fromtls, 65536);
-+ }
-+
-+ /*
-+ * Read from ssl
-+ */
-+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
-+ {
-+ warn("EAP-TLS send: No data from BIO_read");
-+ return 1;
-+ }
-+
-+ ets->datalen = res;
-+
-+ ets->data = malloc(ets->datalen);
-+ BCOPY(fromtls, ets->data, ets->datalen);
-+
-+ ets->offset = 0;
-+ first = 1;
-+
-+ }
-+
-+ size = ets->datalen - ets->offset;
-+
-+ if (size > ets->mtu) {
-+ size = ets->mtu;
-+ ets->frag = 1;
-+ } else
-+ ets->frag = 0;
-+
-+ PUTCHAR(EAPT_TLS, *outp);
-+
-+ /*
-+ * Set right flags and length if necessary
-+ */
-+ if (ets->frag && first) {
-+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
-+ PUTLONG(ets->datalen, *outp);
-+ } else if (ets->frag) {
-+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
-+ } else
-+ PUTCHAR(0, *outp);
-+
-+ /*
-+ * Copy the data in outp
-+ */
-+ BCOPY(ets->data + ets->offset, *outp, size);
-+ INCPTR(size, *outp);
-+
-+ /*
-+ * Copy the packet in retransmission buffer
-+ */
-+ BCOPY(start, &ets->rtx[0], *outp - start);
-+ ets->rtx_len = *outp - start;
-+
-+ ets->offset += size;
-+
-+ if (ets->offset >= ets->datalen) {
-+
-+ /*
-+ * The whole message has been sent
-+ */
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->offset = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Get the sent packet from the retransmission buffer
-+ */
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
-+{
-+ BCOPY(ets->rtx, *outp, ets->rtx_len);
-+ INCPTR(ets->rtx_len, *outp);
-+}
-+
-+/*
-+ * Verify a certificate.
-+ * Most of the work (signatures and issuer attributes checking)
-+ * is done by ssl; we check the CN in the peer certificate
-+ * against the peer name.
-+ */
-+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
-+{
-+ char subject[256];
-+ char cn_str[256];
-+ X509 *peer_cert;
-+ int err, depth;
-+ SSL *ssl;
-+ struct eaptls_session *ets;
-+
-+ peer_cert = X509_STORE_CTX_get_current_cert(ctx);
-+ err = X509_STORE_CTX_get_error(ctx);
-+ depth = X509_STORE_CTX_get_error_depth(ctx);
-+
-+ dbglog("certificate verify depth: %d", depth);
-+
-+ if (auth_required && !ok) {
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ dbglog("Certificate verification error:\n depth: %d CN: %s"
-+ "\n err: %d (%s)\n", depth, cn_str, err,
-+ X509_verify_cert_error_string(err));
-+
-+ return 0;
-+ }
-+
-+ ssl = X509_STORE_CTX_get_ex_data(ctx,
-+ SSL_get_ex_data_X509_STORE_CTX_idx());
-+
-+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
-+
-+ if (ets == NULL) {
-+ error("Error: SSL_get_ex_data returned NULL");
-+ return 0;
-+ }
-+
-+ log_ssl_errors();
-+
-+ if (!depth) { /* This is the peer certificate */
-+
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ /*
-+ * If acting as client and the name of the server wasn't specified
-+ * explicitely, we can't verify the server authenticity
-+ */
-+ if (!ets->peer[0]) {
-+ warn("Peer name not specified: no check");
-+ return ok;
-+ }
-+
-+ /*
-+ * Check the CN
-+ */
-+ if (strcmp(cn_str, ets->peer)) {
-+ error
-+ ("Certificate verification error: CN (%s) != peer_name (%s)",
-+ cn_str, ets->peer);
-+ return 0;
-+ }
-+
-+ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
-+
-+ /*
-+ * If a peer certificate file was specified, here we check it
-+ */
-+ if (ets->peercertfile[0]) {
-+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
-+ != 0) {
-+ error
-+ ("Peer certificate doesn't match stored certificate");
-+ return 0;
-+ }
-+ }
-+ }
-+
-+ return ok;
-+}
-+
-+/*
-+ * Compare a certificate with the one stored in a file
-+ */
-+int ssl_cmp_certs(char *filename, X509 * a)
-+{
-+ X509 *b;
-+ int ret;
-+
-+ if (!(b = get_X509_from_file(filename)))
-+ return 1;
-+
-+ ret = X509_cmp(a, b);
-+ X509_free(b);
-+
-+ return ret;
-+
-+}
-+
-+X509 *get_X509_from_file(char *filename)
-+{
-+ FILE *fp;
-+ X509 *ret;
-+
-+ if (!(fp = fopen(filename, "r")))
-+ return NULL;
-+
-+ ret = PEM_read_X509(fp, NULL, NULL, NULL);
-+
-+ fclose(fp);
-+
-+ return ret;
-+}
-+
-+/*
-+ * Every sent & received message this callback function is invoked,
-+ * so we know when alert messages have arrived or are sent and
-+ * we can print debug information about TLS handshake.
-+ */
-+void
-+ssl_msg_callback(int write_p, int version, int content_type,
-+ const void *buf, size_t len, SSL * ssl, void *arg)
-+{
-+ char string[256];
-+ struct eaptls_session *ets = (struct eaptls_session *)arg;
-+ unsigned char code;
-+ const unsigned char*msg = buf;
-+ int hvers = msg[1] << 8 | msg[2];
-+
-+ if(write_p)
-+ strcpy(string, " -> ");
-+ else
-+ strcpy(string, " <- ");
-+
-+ switch(content_type) {
-+
-+ case SSL3_RT_HEADER:
-+ strcat(string, "SSL/TLS Header: ");
-+ switch(hvers) {
-+ case SSL3_VERSION:
-+ strcat(string, "SSL 3.0");
-+ break;
-+ case TLS1_VERSION:
-+ strcat(string, "TLS 1.0");
-+ break;
-+ case TLS1_1_VERSION:
-+ strcat(string, "TLS 1.1");
-+ break;
-+ case TLS1_2_VERSION:
-+ strcat(string, "TLS 1.2");
-+ break;
-+ default:
-+ sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers);
-+ }
-+ break;
-+
-+ case SSL3_RT_ALERT:
-+ strcat(string, "Alert: ");
-+ code = msg[1];
-+
-+ if (write_p) {
-+ ets->alert_sent = 1;
-+ ets->alert_sent_desc = code;
-+ } else {
-+ ets->alert_recv = 1;
-+ ets->alert_recv_desc = code;
-+ }
-+
-+ strcat(string, SSL_alert_desc_string_long(code));
-+ break;
-+
-+ case SSL3_RT_CHANGE_CIPHER_SPEC:
-+ strcat(string, "ChangeCipherSpec");
-+ break;
-+
-+#ifdef
SSL3_RT_INNER_CONTENT_TYPE
-+ case SSL3_RT_INNER_CONTENT_TYPE:
-+ strcat(string, "InnerContentType (TLS1.3)");
-+ break;
-+#endif
-+
-+ case SSL3_RT_HANDSHAKE:
-+
-+ strcat(string, "Handshake: ");
-+ code = msg[0];
-+
-+ switch(code) {
-+ case SSL3_MT_HELLO_REQUEST:
-+ strcat(string,"Hello Request");
-+ break;
-+ case SSL3_MT_CLIENT_HELLO:
-+ strcat(string,"Client Hello");
-+ break;
-+ case SSL3_MT_SERVER_HELLO:
-+ strcat(string,"Server Hello");
-+ break;
-+#ifdef SSL3_MT_NEWSESSION_TICKET
-+ case SSL3_MT_NEWSESSION_TICKET:
-+ strcat(string,"New Session Ticket");
-+ break;
-+#endif
-+#ifdef SSL3_MT_END_OF_EARLY_DATA
-+ case SSL3_MT_END_OF_EARLY_DATA:
-+ strcat(string,"End of Early Data");
-+ break;
-+#endif
-+#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
-+ case SSL3_MT_ENCRYPTED_EXTENSIONS:
-+ strcat(string,"Encryped Extensions");
-+ break;
-+#endif
-+ case SSL3_MT_CERTIFICATE:
-+ strcat(string,"Certificate");
-+ break;
-+ case SSL3_MT_SERVER_KEY_EXCHANGE:
-+ strcat(string,"Server Key Exchange");
-+ break;
-+ case SSL3_MT_CERTIFICATE_REQUEST:
-+ strcat(string,"Certificate Request");
-+ break;
-+ case SSL3_MT_SERVER_DONE:
-+ strcat(string,"Server Hello Done");
-+ break;
-+ case SSL3_MT_CERTIFICATE_VERIFY:
-+ strcat(string,"Certificate Verify");
-+ break;
-+ case SSL3_MT_CLIENT_KEY_EXCHANGE:
-+ strcat(string,"Client Key Exchange");
-+ break;
-+ case SSL3_MT_FINISHED:
-+ strcat(string,"Finished: ");
-+ hvers = SSL_version(ssl);
-+ switch(hvers) {
-+ case SSL3_VERSION:
-+ strcat(string, "SSL 3.0");
-+ break;
-+ case TLS1_VERSION:
-+ strcat(string, "TLS 1.0");
-+ break;
-+ case TLS1_1_VERSION:
-+ strcat(string, "TLS 1.1");
-+ break;
-+ case TLS1_2_VERSION:
-+ strcat(string, "TLS 1.2");
-+ break;
-+#ifdef TLS1_3_VERSION
-+ case TLS1_3_VERSION:
-+ strcat(string, "TLS 1.3 (experimental)");
-+ ets->tls_v13 = 1;
-+ break;
-+#endif
-+ default:
-+ strcat(string, "Unknown version");
-+ }
-+ break;
-+ default:
-+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
-+ }
-+ break;
-+
-+ default:
-+ sprintf( string, "SSL message contains unknown content type: %d", content_type );
-+
-+ }
-+
-+ /* Alert messages must always be displayed */
-+ if(content_type == SSL3_RT_ALERT)
-+ error("%s", string);
-+ else
-+ dbglog("%s", string);
-+}
-+
-+int
-+ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
-+{
-+ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
-+ have_session_ticket = 1;
-+
-+ /* always return success */
-+ return 1;
-+}
-+
-diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.300/pppd/eap-tls.h
---- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-02 17:24:02.000000000 +0200
-@@ -0,0 +1,96 @@
-+/*
-+ * eap-tls.h
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ * Jan Just Keijser 2006-2019 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#ifndef __EAP_TLS_H__
-+#define __EAP_TLS_H__
-+
-+#include "eap.h"
-+
-+#include
-+#include
-+
-+#define EAP_TLS_FLAGS_LI 128 /* length included flag */
-+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */
-+#define EAP_TLS_FLAGS_START 32 /* start flag */
-+
-+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */
-+
-+struct eaptls_session
-+{
-+ u_char *data; /* buffered data */
-+ int datalen; /* buffered data len */
-+ int offset; /* from where to send */
-+ int tlslen; /* total length of tls data */
-+ bool frag; /* packet is fragmented */
-+ bool tls_v13; /* whether we've negotiated TLSv1.3 */
-+ SSL_CTX *ctx;
-+ SSL *ssl; /* ssl connection */
-+ BIO *from_ssl;
-+ BIO *into_ssl;
-+ char peer[MAXWORDLEN]; /* peer name */
-+ char peercertfile[MAXWORDLEN];
-+ bool alert_sent;
-+ u_char alert_sent_desc;
-+ bool alert_recv;
-+ u_char alert_recv_desc;
-+ char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */
-+ int rtx_len;
-+ int mtu; /* unit mtu */
-+};
-+
-+
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
-+ char *certfile, char *peer_certfile, char *privkeyfile);
-+int eaptls_init_ssl_server(eap_state * esp);
-+int eaptls_init_ssl_client(eap_state * esp);
-+void eaptls_free_session(struct eaptls_session *ets);
-+
-+int eaptls_is_init_finished(struct eaptls_session *ets);
-+
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
-+void
eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); -+ -+int get_eaptls_secret(int unit, char *client, char *server, -+ char *clicertfile, char *servcertfile, char *cacertfile, -+ char *capath, char *pkfile, int am_server); -+ -+#ifdef MPPE -+#include "mppe.h" /* MPPE_MAX_KEY_LEN */ -+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; -+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; -+extern int mppe_keys_set; -+ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client); -+#endif -+ -+#endif -diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.300/pppd/eap.c ---- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/eap.c 2020-04-02 12:05:33.000000000 +0200 -@@ -43,6 +43,11 @@ - * Based on draft-ietf-pppext-eap-srp-03.txt. - */ - -+/* -+ * Modification by Beniamino Galvani, Mar 2005 -+ * Implemented EAP-TLS authentication -+ */ -+ - #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" - - /* -@@ -62,8 +67,12 @@ - - #include "pppd.h" - #include "pathnames.h" --#include "md5.h" - #include "eap.h" -+#ifdef USE_OPENSSL_MD5 -+#include "openssl/md5.h" -+#else -+#include "md5.h" -+#endif /* USE_OPENSSL_MD5 */ - - #ifdef USE_SRP - #include -@@ -72,8 +81,12 @@ - #include "pppcrypt.h" - #endif /* USE_SRP */ - --#ifndef SHA_DIGESTSIZE --#define SHA_DIGESTSIZE 20 -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif /* USE_EAPTLS */ -+ -+#ifndef SHA_DIGEST_LENGTH -+#define SHA_DIGEST_LENGTH 20 - #endif - - static const char rcsid[] = RCSID; -@@ -209,6 +222,9 @@ - esp->es_server.ea_id = (u_char)(drand48() * 0x100); - esp->es_client.ea_timeout = EAP_DEFREQTIME; - esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -+#ifdef USE_EAPTLS -+ esp->es_client.ea_using_eaptls = 0; -+#endif /* USE_EAPTLS */ - } - - /* -@@ -317,8 +333,8 @@ - { - struct tm *tp; - char tbuf[9]; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - time_t reftime; - - if (pn_secret == NULL) 
-@@ -436,8 +452,16 @@ - u_char vals[2]; - struct b64state bs; - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ int secret_len; -+ char secret[MAXWORDLEN]; -+#endif /* USE_EAPTLS */ - - esp->es_server.ea_timeout = esp->es_savedtime; -+#ifdef USE_EAPTLS -+ esp->es_server.ea_prev_state = esp->es_server.ea_state; -+#endif /* USE_EAPTLS */ - switch (esp->es_server.ea_state) { - case eapBadAuth: - return; -@@ -562,9 +586,81 @@ - break; - } - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, -+ esp->es_server.ea_name, secret, &secret_len, 1)) { -+ -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ case eapTlsStart: -+ /* Initialize ssl session */ -+ if(!eaptls_init_ssl_server(esp)) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecv: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->alert_sent) { -+ esp->es_server.ea_state = eapTlsSendAlert; -+ break; -+ } -+ -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsSendAck; -+ else -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSend: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsRecvAck; -+ else -+ if(SSL_is_init_finished(ets->ssl)) -+ esp->es_server.ea_state = eapTlsRecvClient; -+ else -+ /* JJK Add "TLS empty record" message here ??? 
*/ -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsSendAck: -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecvAck: -+ if (status) -+ { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSendAlert: -+ esp->es_server.ea_state = eapTlsRecvAlertAck; -+ break; -+#endif /* USE_EAPTLS */ -+ - case eapSRP1: - #ifdef USE_SRP - ts = (struct t_server *)esp->es_server.ea_session; -@@ -630,6 +726,10 @@ - } - if (esp->es_server.ea_state == eapBadAuth) - eap_send_failure(esp); -+ -+#ifdef USE_EAPTLS -+ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); -+#endif /* USE_EAPTLS */ - } - - /* -@@ -648,10 +748,10 @@ - char *str; - #ifdef USE_SRP - struct t_server *ts; -- u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp; -+ u_char clear[8], cipher[8], dig[SHA_DIGEST_LENGTH], *optr, *cp; - int i, j; - struct b64state b64; -- SHA1_CTX ctxt; -+ SHA_CTX ctxt; - #endif /* USE_SRP */ - - /* Handle both initial auth and restart */ -@@ -718,6 +818,30 @@ - INCPTR(esp->es_server.ea_namelen, outp); - break; - -+#ifdef USE_EAPTLS -+ case eapTlsStart: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(EAP_TLS_FLAGS_START, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSend: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAck: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAlert: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case eapSRP1: - PUTCHAR(EAPT_SRP, outp); -@@ -764,8 +888,8 @@ - PUTLONG(SRPVAL_EBIT, outp); - ts = (struct t_server *)esp->es_server.ea_session; - assert(ts != NULL); -- BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE); -- 
INCPTR(SHA_DIGESTSIZE, outp); -+ BCOPY(t_serverresponse(ts), outp, SHA_DIGEST_LENGTH); -+ INCPTR(SHA_DIGEST_LENGTH, outp); - - if (pncrypt_setkey(0)) { - /* Generate pseudonym */ -@@ -805,9 +929,9 @@ - /* Set length and pad out to next 20 octet boundary */ - i = outp - optr - 1; - *optr = i; -- i %= SHA_DIGESTSIZE; -+ i %= SHA_DIGEST_LENGTH; - if (i != 0) { -- while (i < SHA_DIGESTSIZE) { -+ while (i < SHA_DIGEST_LENGTH) { - *outp++ = drand48() * 0x100; - i++; - } -@@ -823,14 +947,14 @@ - while (optr < outp) { - SHA1Final(dig, &ctxt); - cp = dig; -- while (cp < dig + SHA_DIGESTSIZE) -+ while (cp < dig + SHA_DIGEST_LENGTH) - *optr++ ^= *cp++; - SHA1Init(&ctxt); - SHA1Update(&ctxt, &esp->es_server.ea_id, 1); - SHA1Update(&ctxt, esp->es_server.ea_skey, - SESSION_KEY_LEN); -- SHA1Update(&ctxt, optr - SHA_DIGESTSIZE, -- SHA_DIGESTSIZE); -+ SHA1Update(&ctxt, optr - SHA_DIGEST_LENGTH, -+ SHA_DIGEST_LENGTH); - } - } - break; -@@ -904,11 +1028,57 @@ - eap_server_timeout(arg) - void *arg; - { -+#ifdef USE_EAPTLS -+ u_char *outp; -+ u_char *lenloc; -+ int outlen; -+#endif /* USE_EAPTLS */ -+ - eap_state *esp = (eap_state *) arg; - - if (!eap_server_active(esp)) - return; - -+#ifdef USE_EAPTLS -+ switch(esp->es_server.ea_prev_state) { -+ -+ /* -+ * In eap-tls the state changes after a request, so we return to -+ * previous state ... -+ */ -+ case(eapTlsStart): -+ case(eapTlsSendAck): -+ esp->es_server.ea_state = esp->es_server.ea_prev_state; -+ break; -+ -+ /* -+ * ... 
or resend the stored data -+ */ -+ case(eapTlsSend): -+ case(eapTlsSendAlert): -+ outp = outpacket_buf; -+ MAKEHEADER(outp, PPP_EAP); -+ PUTCHAR(EAP_REQUEST, outp); -+ PUTCHAR(esp->es_server.ea_id, outp); -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ eaptls_retransmit(esp->es_server.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); -+ esp->es_server.ea_requests++; -+ -+ if (esp->es_server.ea_timeout > 0) -+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); -+ -+ return; -+ default: -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - /* EAP ID number must not change on timeout. */ - eap_send_request(esp); - } -@@ -1155,17 +1325,90 @@ - PUTCHAR(id, outp); - esp->es_client.ea_id = id; - msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + -- SHA_DIGESTSIZE; -+ SHA_DIGEST_LENGTH; - PUTSHORT(msglen, outp); - PUTCHAR(EAPT_SRP, outp); - PUTCHAR(EAPSRP_CVALIDATOR, outp); - PUTLONG(flags, outp); -- BCOPY(str, outp, SHA_DIGESTSIZE); -+ BCOPY(str, outp, SHA_DIGEST_LENGTH); - - output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen); - } - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+/* -+ * Send an EAP-TLS response message with tls data -+ */ -+static void -+eap_tls_response(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ /* -+ If the id in the request is unchanged, we must retransmit -+ the old data -+ */ -+ if(id == esp->es_client.ea_id) -+ eaptls_retransmit(esp->es_client.ea_session, &outp); -+ else -+ eaptls_send(esp->es_client.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+ esp->es_client.ea_id = id; -+} -+ -+/* 
-+ * Send an EAP-TLS ack -+ */ -+static void -+eap_tls_sendack(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ esp->es_client.ea_id = id; -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+} -+#endif /* USE_EAPTLS */ -+ - static void - eap_send_nak(esp, id, type) - eap_state *esp; -@@ -1252,8 +1495,8 @@ - { - u_char val; - u_char *datp, *digp; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - int dsize, fd, olen = len; - - /* -@@ -1262,21 +1505,21 @@ - */ - val = id; - while (len > 0) { -- if ((dsize = len % SHA_DIGESTSIZE) == 0) -- dsize = SHA_DIGESTSIZE; -+ if ((dsize = len % SHA_DIGEST_LENGTH) == 0) -+ dsize = SHA_DIGEST_LENGTH; - len -= dsize; - datp = inp + len; - SHA1Init(&ctxt); - SHA1Update(&ctxt, &val, 1); - SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN); - if (len > 0) { -- SHA1Update(&ctxt, datp, SHA_DIGESTSIZE); -+ SHA1Update(&ctxt, datp, SHA_DIGEST_LENGTH); - } else { - SHA1Update(&ctxt, esp->es_client.ea_name, - esp->es_client.ea_namelen); - } - SHA1Final(dig, &ctxt); -- for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++) -+ for (digp = dig; digp < dig + SHA_DIGEST_LENGTH; digp++) - *datp++ ^= *digp; - } - -@@ -1320,12 +1563,17 @@ - char rhostname[256]; - MD5_CTX mdContext; - u_char hash[MD5_SIGNATURE_SIZE]; -+#ifdef USE_EAPTLS -+ u_char flags; -+ struct eaptls_session *ets = esp->es_client.ea_session; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - struct t_client *tc; - struct t_num sval, gval, Nval, *Ap, Bval; - u_char vals[2]; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - int 
fd; - #endif /* USE_SRP */ - -@@ -1456,6 +1704,96 @@ - esp->es_client.ea_namelen); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ -+ switch(esp->es_client.ea_state) { -+ -+ case eapListen: -+ -+ if (len < 1) { -+ error("EAP: received EAP-TLS Listen packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ GETCHAR(flags, inp); -+ if(flags & EAP_TLS_FLAGS_START){ -+ -+ esp->es_client.ea_using_eaptls = 1; -+ -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; -+ -+ /* Init ssl session */ -+ if(!eaptls_init_ssl_client(esp)) { -+ dbglog("cannot init ssl"); -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ ets = esp->es_client.ea_session; -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); -+ break; -+ } -+ -+ /* The server has sent a bad start packet. */ -+ eap_send_nak(esp, id, EAPT_TLS); -+ break; -+ -+ case eapTlsRecvAck: -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); -+ break; -+ -+ case eapTlsRecv: -+ if (len < 1) { -+ error("EAP: discarding EAP-TLS Receive packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ eaptls_receive(ets, inp, len); -+ -+ if(ets->frag) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecv; -+ break; -+ } -+ -+ if(ets->alert_recv) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvFailure; -+ break; -+ } -+ -+ /* Check if TLS handshake is finished */ -+ if(eaptls_is_init_finished(ets)) { -+#ifdef MPPE -+ eaptls_gen_mppe_keys(ets, 1); -+#endif -+ eaptls_free_session(ets); -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvSuccess; -+ break; -+ } -+ -+ eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? 
eapTlsRecvAck : eapTlsRecv); -+ break; -+ -+ default: -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case EAPT_SRP: - if (len < 1) { -@@ -1640,7 +1978,7 @@ - esp->es_client.ea_id, id); - } - } else { -- len -= sizeof (u_int32_t) + SHA_DIGESTSIZE; -+ len -= sizeof (u_int32_t) + SHA_DIGEST_LENGTH; - if (len < 0 || t_clientverify(tc, inp + - sizeof (u_int32_t)) != 0) { - error("EAP: SRP server verification " -@@ -1650,7 +1988,7 @@ - GETLONG(esp->es_client.ea_keyflags, inp); - /* Save pseudonym if user wants it. */ - if (len > 0 && esp->es_usepseudo) { -- INCPTR(SHA_DIGESTSIZE, inp); -+ INCPTR(SHA_DIGEST_LENGTH, inp); - write_pseudonym(esp, inp, len, id); - } - } -@@ -1677,7 +2015,7 @@ - esp->es_client.ea_namelen); - SHA1Final(dig, &ctxt); - eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig, -- SHA_DIGESTSIZE); -+ SHA_DIGEST_LENGTH); - break; - - default: -@@ -1733,10 +2071,15 @@ - #ifdef USE_SRP - struct t_server *ts; - struct t_num A; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ eHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ u_char flags; -+#endif /* USE_EAPTLS */ -+ - if (esp->es_server.ea_id != id) { - dbglog("EAP: discarding Response %d; expected ID %d", id, - esp->es_server.ea_id); -@@ -1776,6 +2119,64 @@ - eap_figure_next_state(esp, 0); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ switch(esp->es_server.ea_state) { -+ -+ case eapTlsRecv: -+ -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ eap_figure_next_state(esp, -+ eaptls_receive(esp->es_server.ea_session, inp, len)); -+ -+ if(ets->alert_recv) { -+ eap_send_failure(esp); -+ break; -+ } -+ break; -+ -+ case eapTlsRecvAck: -+ if(len > 1) { -+ dbglog("EAP-TLS ACK with extra data"); -+ } -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsRecvClient: -+ /* Receive authentication response 
from client */ -+ if (len > 0) { -+ GETCHAR(flags, inp); -+ -+ if(len == 1 && !flags) { /* Ack = ok */ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); -+#endif -+ eap_send_success(esp); -+ } -+ else { /* failure */ -+ warn("Server authentication failed"); -+ eap_send_failure(esp); -+ } -+ } -+ else -+ warn("Bogus EAP-TLS packet received from client"); -+ -+ eaptls_free_session(esp->es_server.ea_session); -+ -+ break; -+ -+ case eapTlsRecvAlertAck: -+ eap_send_failure(esp); -+ break; -+ -+ default: -+ eap_figure_next_state(esp, 1); -+ break; -+ } -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NOTIFICATION: - dbglog("EAP unexpected Notification; response discarded"); - break; -@@ -1807,6 +2208,13 @@ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ /* Send EAP-TLS start packet */ -+ case EAPT_TLS: -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+#endif /* USE_EAPTLS */ -+ - default: - dbglog("EAP: peer requesting unknown Type %d", vallen); - switch (esp->es_server.ea_state) { -@@ -1924,9 +2332,9 @@ - eap_figure_next_state(esp, 1); - break; - } -- if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) { -+ if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH) { - error("EAP: M1 length %d < %d", len, -- sizeof (u_int32_t) + SHA_DIGESTSIZE); -+ sizeof (u_int32_t) + SHA_DIGEST_LENGTH); - eap_figure_next_state(esp, 1); - break; - } -@@ -1963,7 +2371,7 @@ - info("EAP: unexpected SRP Subtype 4 Response"); - return; - } -- if (len != SHA_DIGESTSIZE) { -+ if (len != SHA_DIGEST_LENGTH) { - error("EAP: bad Lightweight rechallenge " - "response"); - return; -@@ -1977,7 +2385,7 @@ - SHA1Update(&ctxt, esp->es_server.ea_peer, - esp->es_server.ea_peerlen); - SHA1Final(dig, &ctxt); -- if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { -+ if (BCMP(dig, inp, SHA_DIGEST_LENGTH) != 0) { - error("EAP: failed Lightweight rechallenge"); - eap_send_failure(esp); - break; -@@ -2018,13 +2426,27 @@ - int id; - int len; - { -- if (esp->es_client.ea_state != 
eapOpen && !eap_client_active(esp)) { -+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -+#ifdef USE_EAPTLS -+ && esp->es_client.ea_state != eapTlsRecvSuccess -+#endif /* USE_EAPTLS */ -+ ) { - dbglog("EAP unexpected success message in state %s (%d)", - eap_state_name(esp->es_client.ea_state), - esp->es_client.ea_state); - return; - } - -+#ifdef USE_EAPTLS -+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != -+ eapTlsRecvSuccess) { -+ dbglog("EAP-TLS unexpected success message in state %s (%d)", -+ eap_state_name(esp->es_client.ea_state), -+ esp->es_client.ea_state); -+ return; -+ } -+#endif /* USE_EAPTLS */ -+ - if (esp->es_client.ea_timeout > 0) { - UNTIMEOUT(eap_client_timeout, (void *)esp); - } -@@ -2150,6 +2572,9 @@ - int code, id, len, rtype, vallen; - u_char *pstart; - u_int32_t uval; -+#ifdef USE_EAPTLS -+ u_char flags; -+#endif /* USE_EAPTLS */ - - if (inlen < EAP_HEADERLEN) - return (0); -@@ -2214,6 +2639,24 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_SRP: - if (len < 3) - goto truncated; -@@ -2281,10 +2724,10 @@ - if (uval != 0) { - printer(arg, " f<%X>", uval); - } -- if ((vallen = len) > SHA_DIGESTSIZE) -- vallen = SHA_DIGESTSIZE; -+ if ((vallen = len) > SHA_DIGEST_LENGTH) -+ vallen = SHA_DIGEST_LENGTH; - printer(arg, " ", len, inp, -- len < SHA_DIGESTSIZE ? "?" : ""); -+ len < SHA_DIGEST_LENGTH ? "?" 
: ""); - INCPTR(vallen, inp); - len -= vallen; - if (len > 0) { -@@ -2325,6 +2768,25 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NAK: - if (len <= 0) { - printer(arg, " "); -@@ -2388,7 +2850,7 @@ - printer(arg, " f<%X>", uval); - } - printer(arg, " ", len, inp, -- len == SHA_DIGESTSIZE ? "" : "?"); -+ len == SHA_DIGEST_LENGTH ? "" : "?"); - INCPTR(len, inp); - len = 0; - break; -@@ -2398,9 +2860,9 @@ - - case EAPSRP_LWRECHALLENGE: - printer(arg, " ", len, inp, -- len == SHA_DIGESTSIZE ? "" : "?"); -- if ((vallen = len) > SHA_DIGESTSIZE) -- vallen = SHA_DIGESTSIZE; -+ len == SHA_DIGEST_LENGTH ? "" : "?"); -+ if ((vallen = len) > SHA_DIGEST_LENGTH) -+ vallen = SHA_DIGEST_LENGTH; - INCPTR(vallen, inp); - len -= vallen; - break; -@@ -2426,3 +2888,4 @@ - - return (inp - pstart); - } -+ -diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.300/pppd/eap.h ---- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/eap.h 2020-03-23 09:20:59.000000000 +0100 -@@ -84,6 +84,16 @@ - eapClosed, /* Authentication not in use */ - eapListen, /* Client ready (and timer running) */ - eapIdentify, /* EAP Identify sent */ -+ eapTlsStart, /* Send EAP-TLS start packet */ -+ eapTlsRecv, /* Receive EAP-TLS tls data */ -+ eapTlsSendAck, /* Send EAP-TLS ack */ -+ eapTlsSend, /* Send EAP-TLS tls data */ -+ eapTlsRecvAck, /* Receive EAP-TLS ack */ -+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ -+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ -+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ -+ eapTlsRecvSuccess, /* Receive EAP success */ -+ 
eapTlsRecvFailure, /* Receive EAP failure */ - eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ - eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ - eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ -@@ -95,9 +105,18 @@ - - #define EAP_STATES \ - "Initial", "Pending", "Closed", "Listen", "Identify", \ -+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ -+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" - --#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#ifdef USE_EAPTLS -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ -+ (esp)->es_client.ea_state != eapPending &&\ -+ (esp)->es_client.ea_state != eapClosed) -+#else -+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#endif /* USE_EAPTLS */ -+ - #define eap_server_active(esp) \ - ((esp)->es_server.ea_state >= eapIdentify && \ - (esp)->es_server.ea_state <= eapMD5Chall) -@@ -112,11 +131,17 @@ - u_short ea_namelen; /* Length of our name */ - u_short ea_peerlen; /* Length of peer's name */ - enum eap_state_code ea_state; -+#ifdef USE_EAPTLS -+ enum eap_state_code ea_prev_state; -+#endif - u_char ea_id; /* Current id */ - u_char ea_requests; /* Number of Requests sent/received */ - u_char ea_responses; /* Number of Responses */ - u_char ea_type; /* One of EAPT_* */ - u_int32_t ea_keyflags; /* SRP shared key usage flags */ -+#ifdef USE_EAPTLS -+ bool ea_using_eaptls; -+#endif - }; - - /* -@@ -139,7 +164,12 @@ - * Timeouts. - */ - #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ -+#ifdef USE_EAPTLS -+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ -+ /* certificates can be long ... 
*/ -+#else - #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ -+#endif /* USE_EAPTLS */ - #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ - #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ - -diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.300/pppd/pathnames.h ---- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/pathnames.h 2020-03-23 09:20:59.000000000 +0100 -@@ -21,6 +21,13 @@ - #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" - #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" - #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" -+ -+#ifdef USE_EAPTLS -+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" -+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" -+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" -+#endif /* USE_EAPTLS */ -+ - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" - #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" - #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/Makefile.linux ---- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-03-23 09:20:59.000000000 +0100 -@@ -4,6 +4,9 @@ - LDFLAGS = -shared - INSTALL = install - -+# EAP-TLS -+CFLAGS += -DUSE_EAPTLS=1 -+ - DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/passprompt.c ---- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-03-23 09:20:59.000000000 +0100 -@@ -107,4 +107,7 @@ - { - add_options(options); - pap_passwd_hook = promptpass; -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = promptpass; -+#endif - } -diff -Naur 
ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/passwordfd.c ---- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-03-23 09:20:59.000000000 +0100 -@@ -79,4 +79,8 @@ - - chap_check_hook = pwfd_check; - chap_passwd_hook = pwfd_passwd; -+ -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = pwfd_passwd; -+#endif - } -diff -Naur ppp-2.4.7/pppd/pppcrypt.c ppp-2.4.7-eaptls-mppe-1.300/pppd/pppcrypt.c ---- ppp-2.4.7/pppd/pppcrypt.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-03-23 09:20:59.000000000 +0100 -@@ -31,6 +31,7 @@ - */ - - #include -+#include - #include "pppd.h" - #include "pppcrypt.h" - -diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.300/pppd/pppd.8 ---- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/pppd.8 2020-03-23 09:20:59.000000000 +0100 -@@ -248,6 +248,12 @@ - compression in the corresponding direction. Use \fInobsdcomp\fR or - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. - .TP -+.B ca \fIca-file -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection. -+This option is used on the client-side in conjunction with the \fBcert\fR -+and \fBkey\fR options. -+.TP - .B cdtrcts - Use a non-standard hardware flow control (i.e. DTR/CTS) to control - the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -259,6 +265,12 @@ - bi-directional flow control. The sacrifice is that this flow - control mode does not permit using DTR as a modem control line. - .TP -+.B cert \fIcertfile -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBkey\fR options. 
-+.TP - .B chap\-interval \fIn - If this option is given, pppd will rechallenge the peer every \fIn\fR - seconds. -@@ -287,6 +299,18 @@ - 1000 (1 second). This wait period only applies if the \fBconnect\fR - or \fBpty\fR option is used. - .TP -+.B crl \fIfilename -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List -+to check for the validity of the peer's certificate. This option is not -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR -+option. -+.TP -+.B crl-dir \fIdirectory -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in -+has format ($hash.r0) to check for the validity of the peer's certificate. -+This option is not mandatory for setting up an EAP-TLS connection. -+Also see the \fBcrl\fR option. -+.TP - .B debug - Enables connection debugging facilities. - If this option is given, pppd will log the contents of all -@@ -551,6 +575,12 @@ - the kernel are logged by syslog(1) to a file as directed in the - /etc/syslog.conf configuration file. - .TP -+.B key \fIkeyfile -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBcert\fR options. -+.TP - .B ktune - Enables pppd to alter kernel settings as appropriate. Under Linux, - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -709,6 +739,9 @@ - Disable Address/Control compression in both directions (send and - receive). - .TP -+.B need-peer-eap -+(EAP-TLS) Require the peer to verify our authentication credentials. -+.TP - .B noauth - Do not require the peer to authenticate itself. This option is - privileged. 
-diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.300/pppd/pppd.h ---- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/pppd.h 2020-04-02 14:57:50.000000000 +0200 -@@ -325,6 +325,12 @@ - extern bool dryrun; /* check everything, print options, exit */ - extern int child_wait; /* # seconds to wait for children at end */ - -+#ifdef USE_EAPTLS -+extern char *crl_dir; -+extern char *crl_file; -+extern char *max_tls_version; -+#endif /* USE_EAPTLS */ -+ - #ifdef MAXOCTETS - extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ - extern int maxoctets_dir; /* Direction : -@@ -741,6 +747,10 @@ - extern int (*chap_passwd_hook) __P((char *user, char *passwd)); - extern void (*multilink_join_hook) __P((void)); - -+#ifdef USE_EAPTLS -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); -+#endif -+ - /* Let a plugin snoop sent and received packets. Useful for L2TP */ - extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); - extern void (*snoop_send_hook) __P((unsigned char *p, int len)); -diff -Naur ppp-2.4.7/pppd/sha1.c ppp-2.4.7-eaptls-mppe-1.300/pppd/sha1.c ---- ppp-2.4.7/pppd/sha1.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/sha1.c 2020-03-23 09:20:59.000000000 +0100 -@@ -100,7 +100,7 @@ - /* SHA1Init - Initialize new context */ - - void --SHA1_Init(SHA1_CTX *context) -+SHA1_Init(SHA_CTX *context) - { - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; -@@ -115,7 +115,7 @@ - /* Run your data through this. */ - - void --SHA1_Update(SHA1_CTX *context, const unsigned char *data, unsigned int len) -+SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len) - { - unsigned int i, j; - -@@ -139,7 +139,7 @@ - /* Add padding and return the message digest. 
*/ - - void --SHA1_Final(unsigned char digest[20], SHA1_CTX *context) -+SHA1_Final(unsigned char *digest, SHA_CTX *context) - { - u_int32_t i, j; - unsigned char finalcount[8]; -diff -Naur ppp-2.4.7/pppd/sha1.h ppp-2.4.7-eaptls-mppe-1.300/pppd/sha1.h ---- ppp-2.4.7/pppd/sha1.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/sha1.h 2020-03-23 09:20:59.000000000 +0100 -@@ -1,11 +1,5 @@ - /* sha1.h */ - --/* If OpenSSL is in use, then use that version of SHA-1 */ --#ifdef OPENSSL --#include --#define __SHA1_INCLUDE_ --#endif -- - #ifndef __SHA1_INCLUDE_ - - #ifndef SHA1_SIGNATURE_SIZE -@@ -20,11 +14,11 @@ - u_int32_t state[5]; - u_int32_t count[2]; - unsigned char buffer[64]; --} SHA1_CTX; -+} SHA_CTX; - --extern void SHA1_Init(SHA1_CTX *); --extern void SHA1_Update(SHA1_CTX *, const unsigned char *, unsigned int); --extern void SHA1_Final(unsigned char[SHA1_SIGNATURE_SIZE], SHA1_CTX *); -+extern void SHA1_Init(SHA_CTX *context); -+extern void SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len); -+extern void SHA1_Final(unsigned char *data, SHA_CTX *context); - - #define __SHA1_INCLUDE_ - #endif /* __SHA1_INCLUDE_ */ -diff -Naur ppp-2.4.7/pppd/sys-solaris.c ppp-2.4.7-eaptls-mppe-1.300/pppd/sys-solaris.c ---- ppp-2.4.7/pppd/sys-solaris.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-03-23 09:20:59.000000000 +0100 -@@ -1534,6 +1534,26 @@ - #endif /* defined(INET6) && defined(SOL2) */ - } - -+ -+ -+/* -+ * netif_get_mtu - get the MTU on the PPP network interface. -+ */ -+int -+netif_get_mtu(int unit) -+{ -+ struct ifreq ifr; -+ -+ memset (&ifr, '\0', sizeof (ifr)); -+ strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); -+ -+ if (ioctl(ipfd, SIOCGIFMTU, (caddr_t) &ifr) < 0) { -+ error("ioctl(SIOCGIFMTU): %m (line %d)", __LINE__); -+ return 0; -+ } -+ return ifr.ifr_mtu; -+} -+ - /* - * tty_send_config - configure the transmit characteristics of - * the ppp interface. 
diff --git a/SPECS-EXTENDED/ppp/ppp-2.4.7-honor-ldflags.patch b/SPECS-EXTENDED/ppp/ppp-2.4.7-honor-ldflags.patch
deleted file mode 100644
index 2c3e20dbf2..0000000000
--- a/SPECS-EXTENDED/ppp/ppp-2.4.7-honor-ldflags.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 2445637..83114f1 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -18,7 +18,7 @@ INSTALL= install - all: chat - - chat: chat.o -- $(CC) -o chat chat.o -+ $(CC) $(LDFLAGS) -o chat chat.o - - chat.o: chat.c - $(CC) -c $(CFLAGS) -o chat.o chat.c -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index cf11b74..089f164 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -188,7 +188,7 @@ endif - - ifdef PLUGIN - CFLAGS += -DPLUGIN --LDFLAGS += -Wl,-E -+LDFLAGS_PLUGIN += -Wl,-E - LIBS += -ldl - endif - -@@ -230,7 +230,7 @@ install: pppd - $(INSTALL) -c -m 644 pppd.8 $(MANDIR) - - pppd: $(PPPDOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) - - srp-entry: srp-entry.c - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 303833a..04fe876 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I.. -I../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - # EAP-TLS -@@ -33,7 +33,7 @@ all: $(PLUGINS) - for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done - - %.so: %.c -- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ -+ $(CC) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED) $(CFLAGS) $^ - - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) - -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 4c5826f..1961e0e 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I../.. 
-I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - #*********************************************************************** -@@ -33,7 +33,7 @@ endif - all: $(PLUGIN) - - $(PLUGIN): $(PLUGIN_OBJS) -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 9cb316d..7b23b25 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - #*********************************************************************** -@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so - all: $(PLUGINS) - - %.so: %.o -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 707326b..2150332 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -43,13 +43,13 @@ install: all - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - - radius.so: radius.o libradiusclient.a -- $(CC) -o radius.so -shared radius.o libradiusclient.a -+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a - - radattr.so: radattr.o -- $(CC) -o radattr.so -shared radattr.o -+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o - - radrealms.so: radrealms.o -- $(CC) -o radrealms.so -shared radrealms.o -+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o - - CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \ - clientid.o sendserver.o lock.o util.o md5.o -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux 
b/pppd/plugins/rp-pppoe/Makefile.linux -index fa49efb..5e06b52 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -31,7 +31,7 @@ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - - pppoe-discovery: pppoe-discovery.o debug.o common.o -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev -+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev - - pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c -@@ -40,7 +40,7 @@ debug.o: debug.c - $(CC) $(CFLAGS) -c -o debug.o debug.c - - rp-pppoe.so: plugin.o discovery.o if.o common.o -- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o -+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index 95c6805..33e5107 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -10,7 +10,7 @@ INSTALL= install - all: pppdump - - pppdump: $(OBJS) -- $(CC) -o pppdump $(OBJS) -+ $(CC) $(LDFLAGS) -o pppdump $(OBJS) - - clean: - rm -f pppdump $(OBJS) *~ -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index c5ba3b1..eeccf83 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -26,7 +26,7 @@ install: pppstats - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) -- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o pppstats pppstats.c $(LIBS) - - clean: - rm -f pppstats *~ #* core diff --git a/SPECS-EXTENDED/ppp/ppp-2.5.0-radiusclient-parser-fix.patch b/SPECS-EXTENDED/ppp/ppp-2.5.0-radiusclient-parser-fix.patch new file mode 100644 index 0000000000..a898e258e9 --- /dev/null +++ b/SPECS-EXTENDED/ppp/ppp-2.5.0-radiusclient-parser-fix.patch 
@@ -0,0 +1,49 @@ +From 7f89208b860ea0c41636410bfdb6a609b2772f47 Mon Sep 17 00:00:00 2001 +From: Eivind Naess +Date: Sun, 23 Apr 2023 11:37:01 -0700 +Subject: [PATCH] Closes #411, Fixing up parsing in radiusclient.conf + +Adding curly braces to fix the code. + +Signed-off-by: Eivind Naess +--- + pppd/plugins/radius/config.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c +index 39744fca1..e1a481487 100644 +--- a/pppd/plugins/radius/config.c ++++ b/pppd/plugins/radius/config.c +@@ -235,24 +235,28 @@ int rc_read_config(char *filename) + + switch (option->type) { + case OT_STR: +- if (set_option_str(filename, line, option, p) < 0) ++ if (set_option_str(filename, line, option, p) < 0) { + fclose(configfd); + return (-1); ++ } + break; + case OT_INT: +- if (set_option_int(filename, line, option, p) < 0) ++ if (set_option_int(filename, line, option, p) < 0) { + fclose(configfd); + return (-1); ++ } + break; + case OT_SRV: +- if (set_option_srv(filename, line, option, p) < 0) ++ if (set_option_srv(filename, line, option, p) < 0) { + fclose(configfd); + return (-1); ++ } + break; + case OT_AUO: +- if (set_option_auo(filename, line, option, p) < 0) ++ if (set_option_auo(filename, line, option, p) < 0) { + fclose(configfd); + return (-1); ++ } + break; + default: + fatal("rc_read_config: impossible case branch!"); diff --git a/SPECS-EXTENDED/ppp/ppp-2.5.0-use-change-resolv-function.patch b/SPECS-EXTENDED/ppp/ppp-2.5.0-use-change-resolv-function.patch new file mode 100644 index 0000000000..30a07fe64f --- /dev/null +++ b/SPECS-EXTENDED/ppp/ppp-2.5.0-use-change-resolv-function.patch 
@@ -0,0 +1,51 @@ +diff --git a/scripts/ip-down.local.add b/scripts/ip-down.local.add +index b93590e..8889cb6 100644 +--- a/scripts/ip-down.local.add ++++ b/scripts/ip-down.local.add +@@ -9,12 +9,13 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. /etc/sysconfig/network-scripts/network-functions + + if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then + if [ -f /etc/ppp/resolv.prev ]; then +- cp -f /etc/ppp/resolv.prev /etc/resolv.conf ++ change_resolv_conf /etc/ppp/resolv.prev + else +- rm -f /etc/resolv.conf ++ change_resolv_conf + fi + fi + +diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add +index 8017209..5ced496 100644 +--- a/scripts/ip-up.local.add ++++ b/scripts/ip-up.local.add +@@ -9,16 +9,22 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. /etc/sysconfig/network-scripts/network-functions + + if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then + rm -f /etc/ppp/resolv.prev + if [ -f /etc/resolv.conf ]; then + cp /etc/resolv.conf /etc/ppp/resolv.prev +- grep domain /etc/ppp/resolv.prev > /etc/resolv.conf +- grep search /etc/ppp/resolv.prev >> /etc/resolv.conf +- cat /etc/ppp/resolv.conf >> /etc/resolv.conf ++ rscf=/etc/ppp/resolv.new ++ grep domain /etc/ppp/resolv.prev > $rscf ++ grep search /etc/ppp/resolv.prev >> $rscf ++ if [ -f /etc/ppp/resolv.conf ]; then ++ cat /etc/ppp/resolv.conf >> $rscf ++ fi ++ change_resolv_conf $rscf ++ rm -f $rscf + else +- cp /etc/ppp/resolv.conf /etc ++ change_resolv_conf /etc/ppp/resolv.conf + fi + fi + diff --git a/SPECS-EXTENDED/ppp/ppp-tmpfiles.conf b/SPECS-EXTENDED/ppp/ppp-tmpfiles.conf index a07719cb1a..a48a27169c 100644 --- a/SPECS-EXTENDED/ppp/ppp-tmpfiles.conf +++ b/SPECS-EXTENDED/ppp/ppp-tmpfiles.conf @@ -1,2 +1 @@ -d /run/ppp 0755 root root -d /run/lock/ppp 0755 root root +d /run/pppd/lock 0755 root root diff --git a/SPECS-EXTENDED/ppp/ppp.signatures.json b/SPECS-EXTENDED/ppp/ppp.signatures.json index d1282c5011..895a15d7d3 100644 --- a/SPECS-EXTENDED/ppp/ppp.signatures.json 
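Review bot: The `. /etc/sysconfig/network-scripts/network-functions` line added near the top of both ip-down.local.add and ip-up.local.add is unguarded, and this same commit removes the network-scripts-ppp subpackage together with its `Requires: network-scripts`, so nothing visible here guarantees the file is installed. If it is absent, `change_resolv_conf` is undefined and a non-interactive POSIX shell will likely abort at the failed `.`, so peer DNS handling stops working without any message. Sourcing it conditionally, `[ -r /etc/sysconfig/network-scripts/network-functions ] && . /etc/sysconfig/network-scripts/network-functions`, and keeping the previous `cp`/`rm` handling as the fallback when the function is unavailable would make that case explicit.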
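Review bot: The new tmpfiles entry declares only `/run/pppd/lock`, while the spec in this commit ghosts both `%{_rundir}/pppd` and `%{_rundir}/pppd/lock`. The parent is presumably created implicitly by systemd-tmpfiles, with whatever default mode and ownership it applies rather than ones this package states. Declaring it keeps the runtime directory's permissions explicit and matches the %files list: add `d /run/pppd 0755 root root` ahead of the lock line.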
+++ b/SPECS-EXTENDED/ppp/ppp.signatures.json @@ -1,17 +1,17 @@ { "Signatures": { - "ifdown-ppp": "3bcc8105510009a2be074bebbecf766de2753d1dfcd50138bc19e5a4067b788d", - "ifup-ppp": "465e0d5eba59e47dbbfaadac1b0601b49dc5dd284f0a6217283c315452980f39", "ip-down": "55900b8a91172a98f22043095f396d69dc7d403f1df3095005e179884cff5d12", "ip-down.ipv6to4": "c4f685c132a5fe2732980ae9bc2f6b48fb89ab30296efcb496720b1bb9424bbb", "ip-up": "4e466f54cbef6c1543a0a1b6d2d519002b71702dacfd8fe1f62b1256a21f9c51", "ip-up.ipv6to4": "dca868bbb6ff3365c4b524062a6303a1c603f6f9a7039904db0e5848ddcc4bf8", - "ipv6-down": "b1302a1c745a7165744bb48e69fee00f6a64a3b7a1c351c0990f9a82173d00a3", - "ipv6-up": "867cf3c5f2440479ed337156c0fbf06e20f1dfb45f82ab31d9f207002c680e83", - "ppp-2.4.7.tar.gz": "02e0a3dd3e4799e33103f70ec7df75348c8540966ee7c948e4ed8a42bbccfb30", + "ipv6-down": "d97702c06d17c3a4d29338dbdcd5c5c71c722a2e407f078042dcec2fa2b19bd6", + "ipv6-down.initscripts": "892351c4927b9af21e94b5ebfbb057903598a369a9786015c8324face8f22a3b", + "ipv6-up": "608b5ef16fc8ff079ecc6007dcc2390ea2ac3d91f01e4d64e8778336b864b5ca", + "ipv6-up.initscripts": "8ce275b50d5f05e62d7f0fc502b2cac4fe088f378ed5869854fe416bc69337e4", + "ppp-2.5.0.tar.gz": "425a5b2df592f4b79e251e5b0d3af48265904162cb0906691a5d35ec355b426d", "ppp-logrotate.conf": "98bf2a8710810e4dcb1e21ecabb36c4cd883fef07c2fbd52800294720afa9bff", "ppp-pam.conf": "acca24f68821c0a0c9b078b1deef3299f76d530239565db7384519e62e1b6fc5", - "ppp-tmpfiles.conf": "e7bfbcd76f047eba191e02b0be547b881630ac7bc6ad32d08608abaaf7342fc6", + "ppp-tmpfiles.conf": "65d3723eadfa6d9009b8fab9317f38e3102f0c47e94f4dd0473b12e553ee49cf", "ppp-watch.tar.xz": "bb010722c2cd5d919945a929f1ee9ade18658791d12db53f8010351d91eed32d" } } diff --git a/SPECS-EXTENDED/ppp/ppp.spec b/SPECS-EXTENDED/ppp/ppp.spec index 3e11f221fb..0e4cc4c757 100644 --- a/SPECS-EXTENDED/ppp/ppp.spec +++ b/SPECS-EXTENDED/ppp/ppp.spec 
@@ -3,13 +3,13 @@ Distribution: Azure Linux %global _hardened_build 1 Name: ppp -Version: 2.4.7 -Release: 36%{?dist} +Version: 2.5.0 +Release: 1%{?dist} Summary: The Point-to-Point Protocol daemon -License: BSD and LGPLv2+ and GPLv2+ and Public Domain +License: bsd-3-clause AND zlib AND licenseref-fedora-public-domain AND bsd-attribution-hpnd-disclaimer AND bsd-4.3tahoe AND bsd-4-clause-uc AND apache-2.0 AND lgpl-2.0-or-later AND (gpl-2.0-or-later OR bsd-2-clause OR bsd-3-clause OR bsd-4-clause) AND gpl-2.0-or-later AND xlock AND gpl-1.0-or-later AND mackerras-3-clause-acknowledgment AND mackerras-3-clause AND hpnd-fenneberg-Livingston AND sun-ppp AND hpnd-inria-imag AND sun-ppp-2000 URL: http://www.samba.org/ppp -Source0: ftp://ftp.samba.org/pub/ppp/ppp-%{version}.tar.gz +Source0: https://github.com/paulusmack/ppp/archive/ppp-%{version}.tar.gz Source1: ppp-pam.conf Source2: ppp-logrotate.conf Source3: ppp-tmpfiles.conf 
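Review bot: `Source0` now points at `github.com/paulusmack/ppp`, whereas the Patch1 comment later in this spec cites `github.com/ppp-project/ppp` as upstream, so the tarball and the backported fix are attributed to two different namespaces. If the former is only a redirect to the latter, the fetch depends on that redirect staying in place; the sha256 in ppp.signatures.json covers integrity but not where a future re-download resolves. Using the same namespace in both places would remove the ambiguity, e.g. `Source0: https://github.com/ppp-project/ppp/archive/ppp-%{version}.tar.gz`. The unchanged `URL:` context line is also still plain http.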
@@ -19,54 +19,39 @@ Source6: ip-up Source7: ip-up.ipv6to4 Source8: ipv6-down Source9: ipv6-up -Source10: ifup-ppp -Source11: ifdown-ppp Source12: ppp-watch.tar.xz +Source13: ipv6-up.initscripts +Source14: ipv6-down.initscripts # Fedora-specific -Patch0001: 0001-build-sys-use-gcc-as-our-compiler-of-choice.patch -Patch0002: 0002-build-sys-enable-PAM-support.patch -Patch0003: 0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch -Patch0004: 0004-doc-add-configuration-samples.patch -Patch0005: 0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch -Patch0006: 0006-scritps-use-change_resolv_conf-function.patch -Patch0007: 0007-build-sys-don-t-strip-binaries-during-installation.patch -Patch0008: 0008-build-sys-use-prefix-usr-instead-of-usr-local.patch -Patch0009: 0009-pppd-introduce-ipv6-accept-remote.patch -Patch0010: 0010-build-sys-enable-CBCP.patch -Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch -Patch0012: 0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch -Patch0013: 0013-everywhere-O_CLOEXEC-harder.patch -Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch -Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch -Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch -Patch0018: 0018-scritps-fix-ip-up.local-sample.patch -Patch0019: 0019-sys-linux-rework-get_first_ethernet.patch -Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch -Patch0021: 0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch -Patch0022: 0022-build-sys-compile-pppol2tp-with-multilink-support.patch -Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch -Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch -Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch -# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.7-eaptls-mppe-1.300.patch -Patch0026: ppp-2.4.7-eaptls-mppe-1.300.patch -Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch - 
-# rhbz#1556132 -Patch0029: ppp-2.4.7-DES-openssl.patch -# https://github.com/paulusmack/ppp/pull/95 -Patch0030: ppp-2.4.7-honor-ldflags.patch -Patch0031: ppp-2.4.7-coverity-scan-fixes.patch -Patch0032: ppp-2.4.7-CVE-2020-8597.patch +Patch0: ppp-2.5.0-use-change-resolv-function.patch +# https://github.com/ppp-project/ppp/commit/7f89208b860ea0c41636410bfdb6a609b2772f47 +Patch1: ppp-2.5.0-radiusclient-parser-fix.patch + +BuildRequires: libtool +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make BuildRequires: gcc -BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel +BuildRequires: pam-devel +BuildRequires: libpcap-devel +BuildRequires: systemd +BuildRequires: systemd-devel +BuildRequires: glib2-devel BuildRequires: openssl-devel -Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 0.8.3-6, systemd +Provides: bundled(linux-atm) = 2.4.1 +Requires: glibc >= 2.0.6 +Requires: /etc/pam.d/system-auth +Requires: libpcap >= 0.8.3-6 +Requires: systemd Requires(pre): /usr/bin/getent Requires(pre): /usr/sbin/groupadd +# Subpackage removed and obsoleted in F40 +Obsoletes: network-scripts-ppp < %{version}-%{release} + %description The ppp package contains the PPP (Point-to-Point Protocol) daemon and documentation for PPP support. The PPP protocol provides a method for 
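Review bot: The patch list drops `ppp-2.4.7-CVE-2020-8597.patch`, `ppp-2.4.7-coverity-scan-fixes.patch` and the fd-leak hardening patches (0012–0014) without any record in the spec of why that is safe. Presumably the 2.5.0 sources already carry equivalent changes, but nothing in this hunk says so, and the changelog is outside it. Once confirmed against the 2.5.0 tree, a comment above `Patch0` would let CVE triage and the next rebase verify it quickly, e.g. `# 2.4.7 downstream patches (incl. CVE-2020-8597, CLOEXEC hardening) dropped: covered by upstream 2.5.0`.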
@@ -74,37 +59,29 @@ transmitting datagrams over serial point-to-point links. PPP is usually used to dial in to an ISP (Internet Service Provider) or other organization over a modem and phone line. -%package -n network-scripts-%{name} -Summary: PPP legacy network service support -Requires: network-scripts -Supplements: (%{name} and network-scripts) - -%description -n network-scripts-%{name} -This provides the ifup and ifdown scripts for use with the legacy network -service. %package devel Summary: Headers for ppp plugin development Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconf-pkg-config %description devel This package contains the header files for building plugins for ppp. %prep -%setup -q -%autopatch -p1 +%autosetup -p1 -n %{name}-%{name}-%{version} tar -xJf %{SOURCE12} %build -export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" -export RPM_LD_FLAGS="$LDFLAGS" -%configure -make %{?_smp_mflags} LDFLAGS="%{?build_ldflags}" -make -C ppp-watch %{?_smp_mflags} LDFLAGS="%{?build_ldflags}" +autoreconf -fi +export CFLAGS="%{build_cflags} -fno-strict-aliasing" +%configure --enable-systemd --enable-cbcp --with-pam --disable-openssl-engine +%make_build +%make_build -C ppp-watch LDFLAGS="%{?build_ldflags} -pie" %install -make INSTROOT=%{buildroot} install install-etcppp +%make_install find scripts -type f | xargs chmod a-x make ROOT=%{buildroot} -C ppp-watch install 
@@ -131,10 +108,15 @@ install -p %{SOURCE6} %{buildroot}%{_sysconfdir}/ppp/ip-up install -p %{SOURCE7} %{buildroot}%{_sysconfdir}/ppp/ip-up.ipv6to4 install -p %{SOURCE8} %{buildroot}%{_sysconfdir}/ppp/ipv6-down install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/ppp/ipv6-up +install -p %{SOURCE13} %{buildroot}%{_sysconfdir}/ppp/ipv6-down.initscripts +install -p %{SOURCE14} %{buildroot}%{_sysconfdir}/ppp/ipv6-up.initscripts -install -d %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ -install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp -install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp +# ghosts +mkdir -p %{buildroot}%{_rundir}/pppd/lock + +%if "%{_sbindir}" == "%{_bindir}" +mv %{buildroot}/usr/sbin/ppp-watch %{buildroot}%{_bindir}/ +%endif %pre /usr/bin/getent group dip >/dev/null 2>&1 || /usr/sbin/groupadd -r -g 40 dip >/dev/null 2>&1 || : @@ -156,7 +138,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo %{_sysconfdir}/ppp/ip-up.ipv6to4 %{_sysconfdir}/ppp/ip-down.ipv6to4 %{_sysconfdir}/ppp/ipv6-up +%{_sysconfdir}/ppp/ipv6-up.initscripts %{_sysconfdir}/ppp/ipv6-down +%{_sysconfdir}/ppp/ipv6-down.initscripts +%{_sysconfdir}/ppp/openssl.cnf %{_mandir}/man8/chat.8* %{_mandir}/man8/pppd.8* %{_mandir}/man8/pppdump.8* @@ -166,8 +151,8 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo %{_mandir}/man8/pppoe-discovery.8* %{_mandir}/man8/ppp-watch.8* %{_libdir}/pppd -%ghost %dir /run/ppp -%ghost %dir /run/lock/ppp +%ghost %dir %{_rundir}/pppd +%ghost %dir %{_rundir}/pppd/lock %dir %{_sysconfdir}/logrotate.d %attr(700, root, root) %dir %{_localstatedir}/log/ppp %config(noreplace) %{_sysconfdir}/ppp/eaptls-client 
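Review bot: The two added `install` lines cross the sources. `Source13` is declared as `ipv6-up.initscripts` in the first hunk but is installed as `ipv6-down.initscripts`, and `Source14` (`ipv6-down.initscripts`) lands as `ipv6-up.initscripts`. Unless the swap is deliberate, the interface-up hook would presumably run the teardown logic and the reverse on link down. The lines should read `install -p %{SOURCE13} %{buildroot}%{_sysconfdir}/ppp/ipv6-up.initscripts` and `install -p %{SOURCE14} %{buildroot}%{_sysconfdir}/ppp/ipv6-down.initscripts`.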
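Review bot: `%{_sysconfdir}/ppp/openssl.cnf` is added to `%files` as a plain file, whereas the neighbouring EAP-TLS entries such as `eaptls-client` are `%config(noreplace)`. As written, a package update replaces whatever TLS settings an administrator put in that file without keeping a copy. I would list it as `%config(noreplace) %{_sysconfdir}/ppp/openssl.cnf`. The `%files` list continues outside this hunk.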
@@ -179,15 +164,16 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo %config(noreplace) %{_sysconfdir}/logrotate.d/ppp %{_tmpfilesdir}/ppp.conf -%files -n network-scripts-%{name} -%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp -%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp - %files devel %{_includedir}/pppd %doc PLUGINS +%{_libdir}/pkgconfig/pppd.pc %changelog +* Mon Mar 10 2025 Jyoti kanase - 2.5.0-1 +- Upgrade to 2.5.0 +- License Verified. + * Thu Mar 25 2021 Thomas Crain - 2.4.7-36 - Remove epoch from minimum supported libpcap version diff --git a/SPECS-EXTENDED/python-argparse-manpage/0001-Fix-setuptools-v60.patch b/SPECS-EXTENDED/python-argparse-manpage/0001-Fix-setuptools-v60.patch new file mode 100644 index 0000000000..b98663108b --- /dev/null +++ b/SPECS-EXTENDED/python-argparse-manpage/0001-Fix-setuptools-v60.patch @@ -0,0 +1,22 @@ +From 867fbbfc8637de32bb4169ce7b02141f08da66b6 Mon Sep 17 00:00:00 2001 +From: Kavya Sree Kaitepalli +Date: Thu, 29 May 2025 08:05:48 +0000 +Subject: [PATCH] Fix-setuptools-v60 + +--- + examples/old_format/expected-output.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/examples/old_format/expected-output.1 b/examples/old_format/expected-output.1 +index 6486146..2040d2a 100644 +--- a/examples/old_format/expected-output.1 ++++ b/examples/old_format/expected-output.1 +@@ -1,4 +1,4 @@ +-.TH example 1 2017\-09\-24 "example v.0.1.0-dev" ++.TH example 1 2017\-09\-24 "example v.0.1.0.dev0" + .SH NAME + example \- This script does nothing. + .SH SYNOPSIS +-- +2.45.3 + diff --git a/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec b/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec index 8c77828b5d..a8bd313979 100644 --- a/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec +++ b/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec 
@@ -14,14 +14,14 @@ There is a limited support for (deprecated) optparse objects, too. Name: python-%{modname} Version: 1.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: %{sum Python} BuildArch: noarch License: ASL 2.0 URL: https://github.com/praiskup/%{modname} Source0: %pypi_source argparse-manpage - +Patch0: 0001-Fix-setuptools-v60.patch BuildRequires: python3-setuptools python3-devel %if 0%{?with_check} BuildRequires: python3-pip @@ -38,7 +38,7 @@ Summary: %{sum Python 3} %{desc} %prep -%setup -q -n %{modname}-%{version} +%autosetup -p1 -n %{modname}-%{version} %build %py3_build @@ -68,6 +68,9 @@ pip3 install pytest==7.1.2 six==1.16.0 %changelog +* Thu May 29 2025 Kavya Sree Kaitepalli - 1.5-4 +- Fix ptests + * Tue May 03 2022 Muhammad Falak - 1.5-3 - Drop BR on pytest, six & pip install deps to enable ptest - License verified diff --git a/SPECS-EXTENDED/python-geomet/python-geomet.signatures.json b/SPECS-EXTENDED/python-geomet/python-geomet.signatures.json new file mode 100644 index 0000000000..6d4a36d624 --- /dev/null +++ b/SPECS-EXTENDED/python-geomet/python-geomet.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "python-geomet-1.1.0.tar.gz": "be5c7b8268071bdb146ce16576402b6f436cb793ab210336fe01e2ab39978cac" + } +} \ No newline at end of file diff --git a/SPECS-EXTENDED/python-geomet/python-geomet.spec b/SPECS-EXTENDED/python-geomet/python-geomet.spec new file mode 100644 index 0000000000..2132a6d7fa --- /dev/null +++ b/SPECS-EXTENDED/python-geomet/python-geomet.spec 
@@ -0,0 +1,63 @@ +%define srcname geomet +%global with_tests 0 + +Name: python-geomet +Version: 1.1.0 +Release: 1%{?dist} +Summary: GeoJSON <-> WKT/WKB conversion utilities +License: Apache Software License +Vendor: Microsoft Corporation +Distribution: Azure Linux +Group: Development/Languages/Python +URL: https://github.com/geomet/geomet + +Source0: https://github.com/geomet/geomet/archive/refs/tags/%{version}.tar.gz#/python-%{srcname}-%{version}.tar.gz + +BuildRequires: python3-devel +BuildRequires: python3-setuptools + +%if 0%{?with_check} +BuildRequires: python3-pip +%endif + +Requires: python3 +Requires: python3-six +Requires: python3-click +Requires: python3-setuptools + +BuildArch: noarch + +%description +Convert GeoJSON to WKT/WKB (Well-Known Text/Binary), and vice versa. + +%prep +%autosetup -p1 -n %{srcname}-%{version} + +%build +%py3_build + +%install +%py3_install + +%if 0%{?with_tests} +%check +# this doesn't exist in current source archive +# will help in future +bash build-scripts/02-test.sh +%endif + +%files +%defattr(-,root,root,-) +%{_bindir}/%{srcname} +%{python3_sitelib}/* + +%changelog +* Thu May 22 2025 Jyoti kanase - 1.1.0-1 +- Initial Azure Linux import from Photon (license: Apache2). +- Upgrade to 1.1.0 +- License verified. + +* Sun Aug 21 2022 Gerrit Photon 0.3.0-1 +- Automatic Version Bump +* Fri Jun 11 2021 Ankit Jain 0.1.2-1 +- Initial packaging for Photon diff --git a/SPECS-EXTENDED/python-lazy-object-proxy/python-lazy-object-proxy.spec b/SPECS-EXTENDED/python-lazy-object-proxy/python-lazy-object-proxy.spec index c9285d192e..dd949f6745 100644 --- a/SPECS-EXTENDED/python-lazy-object-proxy/python-lazy-object-proxy.spec +++ b/SPECS-EXTENDED/python-lazy-object-proxy/python-lazy-object-proxy.spec @@ -3,7 +3,7 @@ Name: python-%{srcname} Version: 1.10.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: %{sum} License: BSD-2-Clause 
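Review bot: In the new python-geomet spec, `%check` is wrapped in `%if 0%{?with_tests}` and `with_tests` is hard-coded to `0` on the second line, so the package is never exercised at build time. The `python3-pip` BuildRequires is gated on a different macro, `with_check`, which nothing else in the spec uses. I would pick one switch and either run the upstream tests under it or remove the dead `python3-pip` dependency, with a comment above the switch such as `# tests disabled: build-scripts/02-test.sh is not in the 1.1.0 archive`. Separately, `License: Apache Software License` is not an SPDX identifier, and `Apache-2.0` would match the form the qpdf spec in this commit uses.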
@@ -39,18 +39,21 @@ A fast and thorough lazy object proxy. %prep -%autosetup -n python-%{srcname}-%{version} -p0 +%autosetup -p1 -n python-%{srcname}-%{version} #%%generate_buildrequires #%%pyproject_buildrequires -t %build +export SETUPTOOLS_SCM_PRETEND_VERSION=%{version} %pyproject_wheel %install +export SETUPTOOLS_SCM_PRETEND_VERSION=%{version} %pyproject_install %check +export SETUPTOOLS_SCM_PRETEND_VERSION=%{version} %tox # Note that there is no %%files section for the unversioned python module if we are building for several python runtimes @@ -62,8 +65,11 @@ A fast and thorough lazy object proxy. %exclude %{python3_sitearch}/lazy_object_proxy/cext.c %changelog +* Thu Jul 03 2025 Akhila Guruju - 1.10.0-7 +- Fix setuptools-scm lookup error + * Fri Mar 14 2025 Akhila Guruju - 1.10.0-6 -- Initial Azure Linux import from Fedora 41 (license: MIT). +- Initial Azure Linux import from Fedora 41 (license: MIT). - License verified * Fri Jul 19 2024 Fedora Release Engineering - 1.10.0-5 diff --git a/SPECS-EXTENDED/qpdf/qpdf-doc.patch b/SPECS-EXTENDED/qpdf/qpdf-doc.patch deleted file mode 100644 index 5227358ce1..0000000000 --- a/SPECS-EXTENDED/qpdf/qpdf-doc.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff -up qpdf-8.2.1/manual/fix-qdf.1.in.doc qpdf-8.2.1/manual/fix-qdf.1.in ---- qpdf-8.2.1/manual/fix-qdf.1.in.doc 2018-08-18 16:56:19.000000000 +0200 -+++ qpdf-8.2.1/manual/fix-qdf.1.in 2018-09-24 14:24:26.340341484 +0200 -@@ -14,5 +14,4 @@ the same file with stream lengths, cross - object stream offset tables regenerated. - .PP - For details about fix-qdf and about PDF files in QDF mode, please see --the qpdf manual, which can be found in @docdir@/qpdf-manual.html or --@docdir@/qpdf-manual.pdf. -+the qpdf manual, which can be found in qpdf-doc package. -diff -up qpdf-8.2.1/manual/qpdf.1.in.doc qpdf-8.2.1/manual/qpdf.1.in ---- qpdf-8.2.1/manual/qpdf.1.in.doc 2018-09-24 14:24:26.340341484 +0200 -+++ qpdf-8.2.1/manual/qpdf.1.in 2018-09-24 14:26:18.171462618 +0200 -@@ -16,4 +16,4 @@ useful primarily to PDF developers. - .PP - For a summary of qpdf's options, please run - \fBqpdf \-\-help\fR. A complete manual can be found in --@docdir@/qpdf-manual.html or @docdir@/qpdf-manual.pdf. -+qpdf-doc package. -diff -up qpdf-8.2.1/manual/zlib-flate.1.in.doc qpdf-8.2.1/manual/zlib-flate.1.in ---- qpdf-8.2.1/manual/zlib-flate.1.in.doc 2018-08-18 16:56:19.000000000 +0200 -+++ qpdf-8.2.1/manual/zlib-flate.1.in 2018-09-24 14:24:26.340341484 +0200 -@@ -21,6 +21,6 @@ This program should not be used as a gen - tool. Use something like gzip(1) instead. - .PP - For details about qpdf, please see the qpdf manual, which can be found --in @docdir@/qpdf-manual.html or @docdir@/qpdf-manual.pdf. -+in qpdf-doc package. - .SH "SEE ALSO" - qpdf(1), gzip(1) diff --git a/SPECS-EXTENDED/qpdf/qpdf-erase-tests-with-generated-object-stream.patch b/SPECS-EXTENDED/qpdf/qpdf-erase-tests-with-generated-object-stream.patch deleted file mode 100644 index 8a076ae8a0..0000000000 --- a/SPECS-EXTENDED/qpdf/qpdf-erase-tests-with-generated-object-stream.patch +++ /dev/null 
@@ -1,142 +0,0 @@ -diff -up qpdf-9.0.1/examples/qtest/filter-tokens.test.erase-tests-with-generated-object-stream qpdf-9.0.1/examples/qtest/filter-tokens.test ---- qpdf-9.0.1/examples/qtest/filter-tokens.test.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/examples/qtest/filter-tokens.test 2019-10-03 08:05:23.809400490 +0200 -@@ -13,8 +13,4 @@ $td->runtest("filter tokens", - {$td->COMMAND => "pdf-filter-tokens in.pdf a.pdf"}, - {$td->STRING => "", $td->EXIT_STATUS => 0}); - --$td->runtest("check output", -- {$td->FILE => "a.pdf"}, -- {$td->FILE => "out.pdf"}); -- --$td->report(2); -+$td->report(1); -diff -up qpdf-9.0.1/examples/qtest/invert-images.test.erase-tests-with-generated-object-stream qpdf-9.0.1/examples/qtest/invert-images.test ---- qpdf-9.0.1/examples/qtest/invert-images.test.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/examples/qtest/invert-images.test 2019-10-03 08:05:23.810400481 +0200 -@@ -19,13 +19,13 @@ $td->runtest("double page size", - $td->EXIT_STATUS => 0}, - $td->NORMALIZE_NEWLINES); - --$td->runtest("check output", -- {$td->FILE => "a.pdf"}, -- {$td->FILE => "out.pdf"}); -+#$td->runtest("check output", -+# {$td->FILE => "a.pdf"}, -+# {$td->FILE => "out.pdf"}); - - cleanup(); - --$td->report(2); -+$td->report(1); - - sub cleanup - { -diff -up qpdf-9.0.1/examples/qtest/set-form-values.test.erase-tests-with-generated-object-stream qpdf-9.0.1/examples/qtest/set-form-values.test ---- qpdf-9.0.1/examples/qtest/set-form-values.test.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/examples/qtest/set-form-values.test 2019-10-03 08:05:23.810400481 +0200 -@@ -14,13 +14,10 @@ cleanup(); - $td->runtest("set form values", - {$td->COMMAND => "pdf-set-form-values form-in.pdf a.pdf soup"}, - {$td->STRING => "", $td->EXIT_STATUS => 0}); --$td->runtest("compare files", -- {$td->FILE => "a.pdf"}, -- {$td->FILE => 
"form-out.pdf"}); - - cleanup(); - --$td->report(2); -+$td->report(1); - - sub cleanup - { -diff -up qpdf-9.0.1/libqpdf/qpdf-c.cc.erase-tests-with-generated-object-stream qpdf-9.0.1/libqpdf/qpdf-c.cc ---- qpdf-9.0.1/libqpdf/qpdf-c.cc.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/libqpdf/qpdf-c.cc 2019-10-03 08:05:23.811400473 +0200 -@@ -297,7 +297,6 @@ QPDF_ERROR_CODE qpdf_read_memory(qpdf_da - qpdf->size = size; - qpdf->password = password; - status = trap_errors(qpdf, &call_read_memory); -- QTC::TC("qpdf", "qpdf-c called qpdf_read_memory", status); - return status; - } - -@@ -508,7 +507,6 @@ unsigned char const* qpdf_get_buffer(qpd - - void qpdf_set_object_stream_mode(qpdf_data qpdf, qpdf_object_stream_e mode) - { -- QTC::TC("qpdf", "qpdf-c called qpdf_set_object_stream_mode"); - qpdf->qpdf_writer->setObjectStreamMode(mode); - } - -diff -up qpdf-9.0.1/libqpdf/QPDFWriter.cc.erase-tests-with-generated-object-stream qpdf-9.0.1/libqpdf/QPDFWriter.cc ---- qpdf-9.0.1/libqpdf/QPDFWriter.cc.erase-tests-with-generated-object-stream 2019-10-03 08:05:23.812400464 +0200 -+++ qpdf-9.0.1/libqpdf/QPDFWriter.cc 2019-10-03 08:07:08.083488747 +0200 -@@ -3436,8 +3436,6 @@ QPDFWriter::writeLinearized() - { - if (this->m->deterministic_id) - { -- QTC::TC("qpdf", "QPDFWriter linearized deterministic ID", -- need_xref_stream ? 0 : 1); - computeDeterministicIDData(); - pp_md5 = 0; - assert(this->m->md5_pipeline == 0); -@@ -3645,8 +3643,6 @@ QPDFWriter::writeStandard() - - if (this->m->deterministic_id) - { -- QTC::TC("qpdf", "QPDFWriter standard deterministic ID", -- this->m->object_stream_to_objects.empty() ? 
0 : 1); - pp_md5 = 0; - assert(this->m->md5_pipeline == 0); - } -diff -up qpdf-9.0.1/qpdf/qpdf.testcov.erase-tests-with-generated-object-stream qpdf-9.0.1/qpdf/qpdf.testcov ---- qpdf-9.0.1/qpdf/qpdf.testcov.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/qpdf/qpdf.testcov 2019-10-03 08:05:23.814400446 +0200 -@@ -123,7 +123,6 @@ qpdf-c called qpdf_get_user_password 0 - qpdf-c called qpdf_is_linearized 0 - qpdf-c called qpdf_is_encrypted 0 - qpdf-c called qpdf_init_write 3 --qpdf-c called qpdf_set_object_stream_mode 0 - qpdf-c called qpdf_set_stream_data_mode 0 - qpdf-c called qpdf_set_content_normalization 0 - qpdf-c called qpdf_set_qdf_mode 0 -@@ -177,7 +176,6 @@ QPDFObjectHandle append page contents 0 - QPDF_Stream getRawStreamData 0 - QPDF_Stream getStreamData 0 - QPDF_Stream expand filter abbreviation 0 --qpdf-c called qpdf_read_memory 0 - QPDF stream without newline 0 - QPDF stream with CR only 0 - QPDF stream with CRNL 0 -@@ -261,8 +259,6 @@ qpdf pages range omitted at end 0 - qpdf pages range omitted in middle 0 - qpdf npages 0 - QPDF already reserved object 0 --QPDFWriter standard deterministic ID 1 --QPDFWriter linearized deterministic ID 1 - QPDFWriter deterministic with no data 0 - qpdf-c called qpdf_set_deterministic_ID 0 - QPDFObjectHandle indirect with 0 objid 0 -diff -up qpdf-9.0.1/qpdf/qtest/qpdf.test.erase-tests-with-generated-object-stream qpdf-9.0.1/qpdf/qtest/qpdf.test ---- qpdf-9.0.1/qpdf/qtest/qpdf.test.erase-tests-with-generated-object-stream 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/qpdf/qtest/qpdf.test 2019-10-03 08:05:23.816400429 +0200 -@@ -2584,7 +2584,6 @@ my @capi = ( - [3, 'normalized content'], - [4, 'ignore xref streams'], - [5, 'linearized'], -- [6, 'object streams'], - [7, 'qdf'], - [8, 'no original object ids'], - [9, 'uncompressed streams'], -@@ -2628,8 +2627,8 @@ $td->runtest("write damaged", - show_ntests(); - # ---------- - $td->notify("--- Deterministic ID Tests ---"); 
--$n_tests += 11; --foreach my $d ('nn', 'ny', 'yn', 'yy') -+$n_tests += 7; -+foreach my $d ('nn', 'yn') - { - my $linearize = ($d =~ m/^y/); - my $ostream = ($d =~ m/y$/); diff --git a/SPECS-EXTENDED/qpdf/qpdf-relax.patch b/SPECS-EXTENDED/qpdf/qpdf-relax.patch index 87cc1675b5..9861daf1bb 100644 --- a/SPECS-EXTENDED/qpdf/qpdf-relax.patch +++ b/SPECS-EXTENDED/qpdf/qpdf-relax.patch 
@@ -1,136 +1,157 @@ -diff -up qpdf-9.0.1/libqpdf/QPDF.cc.relax qpdf-9.0.1/libqpdf/QPDF.cc ---- qpdf-9.0.1/libqpdf/QPDF.cc.relax 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/libqpdf/QPDF.cc 2019-10-01 13:15:46.513551565 +0200 -@@ -10,6 +10,10 @@ - #include - #include - -+#ifdef HAVE_GNUTLS +diff -up qpdf-11.7.0/libqpdf/QPDF.cc.relax qpdf-11.7.0/libqpdf/QPDF.cc +--- qpdf-11.7.0/libqpdf/QPDF.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDF.cc 2024-01-08 15:17:27.020951639 +0100 +@@ -13,6 +13,10 @@ + #include + #include + ++#ifdef USE_CRYPTO_GNUTLS +# include +#endif + - #include - #include - #include -@@ -207,7 +211,13 @@ QPDF::processFile(char const* filename, + #include + #include + #include +@@ -250,14 +254,26 @@ void + QPDF::processFile(char const* filename, char const* password) { - FileInputSource* fi = new FileInputSource(); - fi->setFilename(filename); -+#ifdef HAVE_GNUTLS + auto* fi = new FileInputSource(filename); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_LAX_MODE(); +#endif - processInputSource(fi, password); -+#ifdef HAVE_GNUTLS + processInputSource(std::shared_ptr(fi), password); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_STRICT_MODE(); +#endif } void -@@ -216,7 +226,13 @@ QPDF::processFile(char const* descriptio + QPDF::processFile(char const* description, FILE* filep, bool close_file, char const* password) { - FileInputSource* fi = new FileInputSource(); - fi->setFile(description, filep, close_file); -+#ifdef HAVE_GNUTLS + auto* fi = new FileInputSource(description, filep, close_file); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_LAX_MODE(); +#endif - processInputSource(fi, password); -+#ifdef HAVE_GNUTLS + processInputSource(std::shared_ptr(fi), password); ++#ifdef USE_CRYPTO_GNUTLS + GNUTLS_FIPS140_SET_STRICT_MODE(); +#endif } void -diff -up qpdf-9.0.1/libqpdf/QPDF_encryption.cc.relax qpdf-9.0.1/libqpdf/QPDF_encryption.cc ---- qpdf-9.0.1/libqpdf/QPDF_encryption.cc.relax 2019-09-20 14:07:56.000000000 +0200 
-+++ qpdf-9.0.1/libqpdf/QPDF_encryption.cc 2019-10-01 13:19:56.086467631 +0200 -@@ -1,6 +1,8 @@ - // This file implements methods from the QPDF class that involve - // encryption. +diff -up qpdf-11.7.0/libqpdf/QPDF_encryption.cc.relax qpdf-11.7.0/libqpdf/QPDF_encryption.cc +--- qpdf-11.7.0/libqpdf/QPDF_encryption.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDF_encryption.cc 2024-01-08 15:19:52.303117277 +0100 +@@ -3,6 +3,8 @@ + + #include +#include + #include #include -@@ -18,6 +20,10 @@ - #include - #include +@@ -19,6 +21,10 @@ + #include + #include -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS +# include +#endif + static unsigned char const padding_string[] = { - 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, - 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, -@@ -1140,6 +1146,12 @@ QPDF::getKeyForObject( + 0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08, + 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a}; +@@ -349,10 +355,21 @@ QPDF::compute_data_key( + result += "sAlT"; + } + ++#ifdef USE_CRYPTO_GNUTLS ++ unsigned oldmode = gnutls_fips140_mode_enabled(); ++ ++ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + MD5 md5; + md5.encodeDataIncrementally(result.c_str(), result.length()); + MD5::Digest digest; + md5.digest(digest); ++ ++#ifdef USE_CRYPTO_GNUTLS ++ gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + return {reinterpret_cast(digest), std::min(result.length(), toS(16))}; + } + +@@ -976,6 +993,12 @@ QPDF::getKeyForObject( void - QPDF::decryptString(std::string& str, int objid, int generation) + QPDF::decryptString(std::string& str, QPDFObjGen const& og) { -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif + - if (objid 
== 0) - { - return; -@@ -1220,6 +1232,10 @@ QPDF::decryptString(std::string& str, in - QUtil::int_to_string(objid) + " " + - QUtil::int_to_string(generation) + ": " + e.what()); + if (!og.isIndirect()) { + return; + } +@@ -1036,6 +1059,10 @@ QPDF::decryptString(std::string& str, QP + } catch (std::runtime_error& e) { + throw damagedPDF("error decrypting string for object " + og.unparse() + ": " + e.what()); } + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); +#endif } - void -@@ -1231,6 +1247,12 @@ QPDF::decryptStream(PointerHolder >& heap) + // Prepend a decryption pipeline to 'pipeline'. The decryption pipeline (returned as +@@ -1051,6 +1078,12 @@ QPDF::decryptStream( + QPDFObjectHandle& stream_dict, + std::unique_ptr& decrypt_pipeline) { -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif + std::string type; - if (stream_dict.getKey("/Type").isName()) - { -@@ -1360,6 +1382,10 @@ QPDF::decryptStream(PointerHolder(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); +#endif } void -diff -up qpdf-9.0.1/libqpdf/QPDFWriter.cc.relax qpdf-9.0.1/libqpdf/QPDFWriter.cc ---- qpdf-9.0.1/libqpdf/QPDFWriter.cc.relax 2019-09-20 14:07:56.000000000 +0200 -+++ qpdf-9.0.1/libqpdf/QPDFWriter.cc 2019-10-01 13:16:49.665013937 +0200 -@@ -24,6 +24,10 @@ - #include - #include +diff -up qpdf-11.7.0/libqpdf/QPDFWriter.cc.relax qpdf-11.7.0/libqpdf/QPDFWriter.cc +--- qpdf-11.7.0/libqpdf/QPDFWriter.cc.relax 2023-12-24 13:36:07.000000000 +0100 ++++ qpdf-11.7.0/libqpdf/QPDFWriter.cc 2024-01-08 15:17:27.022951614 +0100 +@@ -26,6 +26,10 @@ + #include + #include -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS +#include +#endif + - QPDFWriter::Members::Members(QPDF& pdf) : - pdf(pdf), - filename("unspecified"), -@@ -321,6 +325,13 @@ void + QPDFWriter::ProgressReporter::~ProgressReporter() // 
NOLINT (modernize-use-equals-default) + { + // Must be explicit and not inline -- see QPDF_DLL_CLASS in README-maintainer +@@ -287,6 +291,13 @@ void QPDFWriter::setDeterministicID(bool val) { - this->m->deterministic_id = val; + m->deterministic_id = val; + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + if (val) + GNUTLS_FIPS140_SET_LAX_MODE(); + else @@ -139,12 +160,12 @@ diff -up qpdf-9.0.1/libqpdf/QPDFWriter.cc.relax qpdf-9.0.1/libqpdf/QPDFWriter.cc } void -@@ -342,6 +353,13 @@ void +@@ -307,6 +318,13 @@ void QPDFWriter::setPreserveEncryption(bool val) { - this->m->preserve_encryption = val; + m->preserve_encryption = val; + -+#ifdef HAVE_GNUTLS ++#ifdef USE_CRYPTO_GNUTLS + if (val) + GNUTLS_FIPS140_SET_STRICT_MODE(); + else @@ -153,3 +174,25 @@ diff -up qpdf-9.0.1/libqpdf/QPDFWriter.cc.relax qpdf-9.0.1/libqpdf/QPDFWriter.cc } void +@@ -1890,11 +1908,21 @@ QPDFWriter::generateID() + } + } + ++#ifdef USE_CRYPTO_GNUTLS ++ unsigned oldmode = gnutls_fips140_mode_enabled(); ++ ++ gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif ++ + MD5 m; + m.encodeString(seed.c_str()); + MD5::Digest digest; + m.digest(digest); + result = std::string(reinterpret_cast(digest), sizeof(MD5::Digest)); ++ ++#ifdef USE_CRYPTO_GNUTLS ++ gnutls_fips140_set_mode(static_cast(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD); ++#endif + } + + // If /ID already exists, follow the spec: use the original first word and generate a new second diff --git a/SPECS-EXTENDED/qpdf/qpdf.signatures.json b/SPECS-EXTENDED/qpdf/qpdf.signatures.json index 593b2bd6a8..8025e3a4dd 100644 --- a/SPECS-EXTENDED/qpdf/qpdf.signatures.json +++ b/SPECS-EXTENDED/qpdf/qpdf.signatures.json 
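Review bot: In the rebased qpdf-relax.patch, `QPDF::decryptString` switches the thread to `GNUTLS_FIPS140_LAX` before the `if (!og.isIndirect()) { return; }` guard, but restores `oldmode` only at the end of the function, after the `catch` that rethrows as `damagedPDF`. The early return and the exception path therefore leave the calling thread in lax mode for everything it does afterwards. The same set-then-restore shape is in `decryptStream`, `compute_data_key`, `generateID` and both `processFile` overloads, where `processInputSource` can throw on a damaged file. `setDeterministicID` and `setPreserveEncryption` change the mode with no paired restore at all. A small scope guard restores the mode on every exit path; the angle-bracket contents of the hunk are lost in this rendering, so the cast type below is written from the GnuTLS API.

```cpp
#ifdef USE_CRYPTO_GNUTLS
// Puts the calling thread in lax FIPS mode for the lifetime of the object and
// restores the previous mode on every exit path, including early returns and
// exceptions.
struct FipsLaxScope
{
    unsigned oldmode;
    FipsLaxScope() :
        oldmode(gnutls_fips140_mode_enabled())
    {
        gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
    }
    ~FipsLaxScope()
    {
        gnutls_fips140_set_mode(
            static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
    }
};
#endif

void
QPDF::decryptString(std::string& str, QPDFObjGen const& og)
{
#ifdef USE_CRYPTO_GNUTLS
    FipsLaxScope fips_lax;
#endif
    // … unchanged: isIndirect() guard and decryption body, without the trailing restore …
```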
@@ -1,5 +1,6 @@ { "Signatures": { - "qpdf-10.1.0.tar.gz": "862c144e4516302327cea908f2879131cc8198b10d3d3a90ef7bc006a915120d" + "qpdf-11.9.1-doc.zip": "7e4e5e4a26e2763c485fca911f72f7ffa08ea32c86603272967355bf0227f6e7", + "qpdf-11.9.1.tar.gz": "2ba4d248f9567a27c146b9772ef5dc93bd9622317978455ffe91b259340d13d1" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/qpdf/qpdf.spec b/SPECS-EXTENDED/qpdf/qpdf.spec index 7dd5c8f480..ada0848c0d 100644 --- a/SPECS-EXTENDED/qpdf/qpdf.spec +++ b/SPECS-EXTENDED/qpdf/qpdf.spec 
@@ -1,66 +1,61 @@ -Vendor: Microsoft Corporation -Distribution: Azure Linux -Summary: Command-line tools and library for transforming PDF files -Name: qpdf -Version: 10.1.0 -Release: 2%{?dist} -# MIT: e.g. libqpdf/sha2.c +%global bash_completions_dir %{_datadir}/bash-completion/completions +%global zsh_completions_dir %{_datadir}/zsh/site-functions + +Summary: Command-line tools and library for transforming PDF files +Name: qpdf +Version: 11.9.1 +Release: 4%{?dist} +# MIT: e.g. libqpdf/sha2.c, but those are not compiled in (GNUTLS is used) # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under # old license (see README) -License: (Artistic 2.0 or ASL 2.0) and MIT -URL: http://qpdf.sourceforge.net/ -Source0: http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz - -Patch0: qpdf-doc.patch -# zlib has optimalization for aarch64 now, which gives different output after -# compression - patch erases 3 tests with generated object stream which were failing -Patch2: qpdf-erase-tests-with-generated-object-stream.patch +License: Apache-2.0 OR Artistic-2.0 +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://qpdf.sourceforge.io/ +Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}-doc.zip + # make qpdf working under FIPS, downstream patch -Patch3: qpdf-relax.patch +Patch1: qpdf-relax.patch # gcc and gcc-c++ are no longer in buildroot by default # gcc is needed for qpdf-ctest.c BuildRequires: gcc # gcc-c++ is need for everything except for qpdf-ctest BuildRequires: gcc-c++ -# uses make -BuildRequires: make +# uses cmake +BuildRequires: cmake -BuildRequires: zlib-devel -BuildRequires: libjpeg-turbo-devel -BuildRequires: pcre-devel +BuildRequires: zlib-devel +BuildRequires: libjpeg-turbo-devel # for gnutls crypto -BuildRequires: gnutls-devel +BuildRequires: gnutls-devel # for fix-qdf 
and test suite -BuildRequires: perl-generators -BuildRequires: perl-interpreter -BuildRequires: perl(Carp) -BuildRequires: perl(Config) -BuildRequires: perl(constant) -BuildRequires: perl(Cwd) -BuildRequires: perl(Digest::MD5) -BuildRequires: perl(Digest::SHA) -BuildRequires: perl(File::Basename) -BuildRequires: perl(File::Copy) -BuildRequires: perl(File::Find) -BuildRequires: perl(File::Spec) -BuildRequires: perl(FileHandle) -BuildRequires: perl(IO::Handle) -BuildRequires: perl(IO::Select) -BuildRequires: perl(IO::Socket) -BuildRequires: perl(POSIX) -BuildRequires: perl(strict) +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl(Carp) +BuildRequires: perl(Config) +BuildRequires: perl(constant) +BuildRequires: perl(Cwd) +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Digest::SHA) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Compare) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Find) +BuildRequires: perl(File::Spec) +BuildRequires: perl(FileHandle) +BuildRequires: perl(IO::Handle) +BuildRequires: perl(IO::Select) +BuildRequires: perl(IO::Socket) +BuildRequires: perl(POSIX) +BuildRequires: perl(strict) # perl(Term::ANSIColor) - not needed for tests # perl(Term::ReadKey) - not needed for tests -# for autoreconf -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool - -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %package libs Summary: QPDF library for transforming PDF files @@ -70,9 +65,10 @@ Summary: Development files for QPDF library Requires: %{name}-libs%{?_isa} = %{version}-%{release} %package doc -Summary: QPDF Manual -BuildArch: noarch -Requires: %{name}-libs = %{version}-%{release} +Summary: QPDF Manual +BuildArch: noarch +BuildRequires: unzip +Requires: %{name}-libs = %{version}-%{release} %description QPDF is a command-line program that does structural, content-preserving 
@@ -94,36 +90,37 @@ for developing programs using the QPDF library. QPDF Manual %prep -%setup -q +%autosetup -p1 -# fix 'complete manual location' note in man pages -%patch 0 -p1 -b .doc -%ifarch aarch64 -%patch 2 -p1 -b .erase-tests-with-generated-object-stream -%endif -%patch 3 -p1 -b .relax +# unpack zip file with manual +unzip %{SOURCE1} %build -# work-around check-rpaths errors -autoreconf --verbose --force --install -# automake files needed to be regenerated in 8.4.0 - check if this can be removed -# in the next qpdf release -./autogen.sh +mkdir -p build +cd build +%cmake -DBUILD_STATIC_LIBS=0 \ + -DREQUIRE_CRYPTO_GNUTLS=1 \ + -DUSE_IMPLICIT_CRYPTO=0 \ + -DSHOW_FAILED_TEST_OUTPUT=1 \ + .. -%configure --disable-static \ - --enable-crypto-gnutls \ - --disable-implicit-crypto \ - --enable-show-failed-test-output - -%make_build +%cmake_build %install -%make_install +cd build +%cmake_install +cd .. + +install -m 0644 %{name}-%{version}-doc/%{name}-manual.pdf %{buildroot}/%{_pkgdocdir}/%{name}-manual.pdf -rm -f %{buildroot}%{_libdir}/libqpdf.la +# install bash/zsh completions +mkdir -p %{buildroot}%{bash_completions_dir} +mkdir -p %{buildroot}%{zsh_completions_dir} +install -m 0644 completions/bash/qpdf %{buildroot}%{bash_completions_dir}/qpdf +install -m 0644 completions/zsh/_qpdf %{buildroot}%{zsh_completions_dir}/_qpdf %check -make check +%ctest %ldconfig_scriptlets libs 
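Review bot: `%check` runs `%ctest` from the source root, while `%build` configures and builds inside `build/` (`cd build`, then `%cmake … ..`) and `%install` also enters `build/` before `%cmake_install`. How the distribution's `%ctest` macro resolves its build directory is not visible here. If it does not point at `build/`, ctest finds no registered tests and can still exit successfully, so the qpdf suite would silently not run, including the encryption paths touched by qpdf-relax.patch. I would add `cd build` before `%ctest`, or drop the manual `mkdir`/`cd` so all four cmake macros share the macro's own build directory.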
@@ -132,26 +129,157 @@ make check %{_bindir}/qpdf %{_bindir}/zlib-flate %{_mandir}/man1/* +%dir %{bash_completions_dir} +%{bash_completions_dir}/qpdf +%dir %{zsh_completions_dir} +%{zsh_completions_dir}/_qpdf %files libs -%doc README.md TODO ChangeLog -%license Artistic-2.0 -%{_libdir}/libqpdf.so.28 -%{_libdir}/libqpdf.so.28.1.0 +%doc README.md TODO.md ChangeLog +%license Artistic-2.0 LICENSE.txt NOTICE.md +%{_libdir}/libqpdf.so.29 +%{_libdir}/libqpdf.so.29.* %files devel %doc examples/*.cc examples/*.c %{_includedir}/qpdf/ %{_libdir}/libqpdf.so %{_libdir}/pkgconfig/libqpdf.pc +%{_libdir}/cmake/qpdf/ %files doc %{_pkgdocdir} - %changelog -* Fri Oct 15 2021 Pawel Winogrodzki - 10.1.0-2 -- Initial CBL-Mariner import from Fedora 33 (license: MIT). +* Fri Feb 07 2025 Akhila Guruju - 11.9.1-4 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified +- Defined `bash_completions_dir` and `zsh_completions_dir` + +* Mon Dec 02 2024 Nicolas Fella - 11.9.1-3 +- Don't exclude CMake config files + +* Fri Jul 19 2024 Fedora Release Engineering - 11.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Tue Jun 18 2024 Zdenek Dohnal - 11.9.1-1 +- 2290888 - qpdf-11.9.1 is available + +* Fri Mar 01 2024 Zdenek Dohnal - 11.9.0-1 +- 2267205 - TRIAGE CVE-2024-24246 qpdf - Heap Buffer Overflow vulnerability in qpdf [fedora-all] +- 2265854 - qpdf-11.9.0 is available + +* Fri Jan 26 2024 Fedora Release Engineering - 11.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 11.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Jan 09 2024 Zdenek Dohnal - 11.8.0-1 +- 2257313 - qpdf-11.8.0 is available + +* Mon Jan 08 2024 Zdenek Dohnal - 11.7.0-1 +- 2255755 - qpdf-11.7.0 is available + +* Tue Dec 19 2023 Zdenek Dohnal - 11.6.4-2 +- 2254778 - remove the tests which fail with zlib-ng-compat for now + +* Mon Dec 18 2023 Zdenek Dohnal - 
11.6.4-1 +- 2253901 - qpdf-11.6.4 is available + +* Thu Nov 02 2023 Zdenek Dohnal - 11.6.3-1 +- 2244319 - qpdf-11.6.3 is available + +* Mon Oct 09 2023 Zdenek Dohnal - 11.6.2-1 +- 2242670 - qpdf-11.6.2 is available + +* Tue Sep 12 2023 Zdenek Dohnal - 11.6.1-1 +- 2237125 - qpdf-11.6.1 is available + +* Wed Jul 26 2023 Zdenek Dohnal - 11.5.0-1 +- 2221506 - qpdf-11.5.0 is available + +* Fri Jul 21 2023 Fedora Release Engineering - 11.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon May 22 2023 Zdenek Dohnal - 11.4.0-1 +- 2208892 - qpdf-11.4.0 is available + +* Mon Mar 27 2023 Zdenek Dohnal - 11.3.0-2 +- 2181519 - qpdf bash and zsh completion files are missing + +* Thu Mar 02 2023 Zdenek Dohnal - 11.3.0-1 +- 2173354 - qpdf-11.3.0 is available + +* Fri Jan 20 2023 Fedora Release Engineering - 11.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Tue Nov 22 2022 Zdenek Dohnal - 11.2.0-1 +- 2144359 - qpdf-11.2.0 is available + +* Thu Oct 13 2022 Zdenek Dohnal - 11.1.1-1 +- 2125823 - qpdf-11.1.1 is available + +* Thu Sep 22 2022 Zdenek Dohnal - 11.1.0-1 +- 2125823 - qpdf-11.1.0 is available, move to cmake + +* Thu Sep 22 2022 Zdenek Dohnal - 10.6.3-5 +- use `grep -E` in test suite (bz2127957) + +* Mon Jul 25 2022 Zdenek Dohnal - 10.6.3-4 +- qpdf doesn't depend on pcre since 7.0b1 + +* Fri Jul 22 2022 Fedora Release Engineering - 10.6.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jul 14 2022 Zdenek Dohnal - 10.6.3-2 +- 2107240 - FIPS breaks pdftopdf and bannertopdf + +* Fri Mar 18 2022 Zdenek Dohnal - 10.6.3-1 +- 2063429 - qpdf-10.6.3 is available + +* Thu Feb 17 2022 Zdenek Dohnal - 10.6.2-1 +- 2053647 - qpdf-10.6.2 is available + +* Mon Feb 14 2022 Zdenek Dohnal - 10.6.1-1 +- 2053647 - qpdf-10.6.1 is available + +* Thu Feb 10 2022 Zdenek Dohnal - 10.6.0-1 +- 2052569 - qpdf-10.6.0 is available + +* Fri Jan 21 2022 Fedora Release Engineering - 10.5.0-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jan 05 2022 Zdenek Dohnal - 10.5.0-2 +- add qpdf-manual - now it is in a different archive + +* Mon Jan 03 2022 Zdenek Dohnal - 10.5.0-1 +- 2034671 - qpdf-10.5.0 is available + +* Mon Dec 06 2021 Zdenek Dohnal - 10.4.0-1 +- 2023979 - qpdf-10.4.0 is available + +* Fri Jul 23 2021 Fedora Release Engineering - 10.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu May 20 2021 Zdenek Dohnal - 10.3.2-1 +- 1958536 - qpdf-10.3.2 is available + +* Mon Apr 19 2021 Zdenek Dohnal - 10.3.1-2 +- aarch64 specific patches were removed from zlib, so no need for ours +- zlib got downstream patches on s390x, we need to patch qpdf test suite for it + +* Fri Mar 12 2021 Zdenek Dohnal - 10.3.1-1 +- 1937988 - qpdf-10.3.1 is available + +* Thu Mar 11 2021 Zdenek Dohnal - 10.3.0-1 +- 1935799 - qpdf-10.3.0 is available + +* Wed Feb 24 2021 Zdenek Dohnal - 10.2.0-1 +- 1932052 - qpdf-10.2.0 is available + +* Wed Jan 27 2021 Fedora Release Engineering - 10.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Mon Jan 11 2021 Zdenek Dohnal - 10.1.0-1 - 1912951 - qpdf-10.1.0 is available diff --git a/SPECS-EXTENDED/rasqal/define-printf.patch b/SPECS-EXTENDED/rasqal/define-printf.patch new file mode 100644 index 0000000000..d787e7809e --- /dev/null +++ b/SPECS-EXTENDED/rasqal/define-printf.patch 
@@ -0,0 +1,23 @@ +diff -ruN rasqal-0.9.33.orig/configure rasqal-0.9.33/configure +--- rasqal-0.9.33.orig/configure 2023-01-23 13:14:38.861781072 +0100 ++++ rasqal-0.9.33/configure 2023-01-23 16:57:03.874250005 +0100 +@@ -13712,6 +13712,7 @@ + $as_echo_n "checking whether __FUNCTION__ is available... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ ++extern int printf(const char *); + int main() { printf(__FUNCTION__); } + _ACEOF + if ac_fn_c_try_compile "$LINENO"; then : +diff -ruN rasqal-0.9.33.orig/configure.ac rasqal-0.9.33/configure.ac +--- rasqal-0.9.33.orig/configure.ac 2014-11-23 23:11:33.000000000 +0100 ++++ rasqal-0.9.33/configure.ac 2023-01-23 15:49:44.885025978 +0100 +@@ -312,7 +312,7 @@ + AC_C_BIGENDIAN + + AC_MSG_CHECKING(whether __FUNCTION__ is available) +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([int main() { printf(__FUNCTION__); }])], ++AC_COMPILE_IFELSE([AC_LANG_SOURCE([extern int printf(const char *s); int main() { printf(__FUNCTION__); }])], + [AC_DEFINE([HAVE___FUNCTION__], [1], [Is __FUNCTION__ available]) + AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(no)]) diff --git a/SPECS-EXTENDED/rasqal/rasqal-configure-c99-2.patch b/SPECS-EXTENDED/rasqal/rasqal-configure-c99-2.patch new file mode 100644 index 0000000000..89442d1956 --- /dev/null +++ b/SPECS-EXTENDED/rasqal/rasqal-configure-c99-2.patch 
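Review bot: The prototype added to the `__FUNCTION__` probe, `extern int printf(const char *);` in `configure` and `extern int printf(const char *s);` in `configure.ac`, is not printf's real signature because it drops the variadic `...`. Compilers accept this today with at most a warning about a conflicting built-in declaration, but a stricter mode would make the probe fail and leave `HAVE___FUNCTION__` undefined with no build error. Putting `#include <stdio.h>` in front of `int main() { printf(__FUNCTION__); }` in both files is the more durable form. The two files also differ in the parameter name, which suggests `configure` was edited by hand rather than regenerated from `configure.ac`.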
@@ -0,0 +1,31 @@ +Fix incompatible pointer type due to misuse of the gcry_md_open +function. + +Submitted upstream: + +diff --git a/configure b/configure +index 038ea7c3efaf06a0..17a107cda735a257 100755 +--- a/configure ++++ b/configure +@@ -14541,7 +14541,7 @@ elif test "$ac_cv_header_gcrypt_h" = "yes"; then + int + main () + { +- gcry_md_hd_t hash; gcry_md_open(hash, GCRY_MD_MD5, 0); ++ gcry_md_hd_t hash; gcry_md_open(&hash, GCRY_MD_MD5, 0); + ; + return 0; + } +diff --git a/configure.ac b/configure.ac +index 7bfc38e9261d6c96..eea4d34e7dc9fd4b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -631,7 +631,7 @@ elif test "$ac_cv_header_gcrypt_h" = "yes"; then + LIBS="$LIBS `$LIBGCRYPT_CONFIG --libs`" + + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +- #include ]], [[ gcry_md_hd_t hash; gcry_md_open(hash, GCRY_MD_MD5, 0); ]])],[have_digest_gcrypt=yes],[have_digest_gcrypt=no]) ++ #include ]], [[ gcry_md_hd_t hash; gcry_md_open(&hash, GCRY_MD_MD5, 0); ]])],[have_digest_gcrypt=yes],[have_digest_gcrypt=no]) + + CPPFLAGS="$oCPPFLAGS" + LIBS="$oLIBS" diff --git a/SPECS-EXTENDED/rasqal/rasqal.spec b/SPECS-EXTENDED/rasqal/rasqal.spec index bca7c56f76..c351095652 100644 --- a/SPECS-EXTENDED/rasqal/rasqal.spec +++ b/SPECS-EXTENDED/rasqal/rasqal.spec 
@@ -2,22 +2,25 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Name: rasqal Version: 0.9.33 -Release: 13%{?dist} +Release: 14%{?dist} Summary: RDF Query Library License: LGPLv2+ or ASL 2.0 URL: http://librdf.org/rasqal/ Source: http://download.librdf.org/source/%{name}-%{version}.tar.gz +BuildRequires: make BuildRequires: gcc-c++ BuildRequires: libxml2-devel BuildRequires: mpfr-devel -BuildRequires: pcre-devel BuildRequires: raptor2-devel # for the testsuite BuildRequires: perl(Pod::Usage) BuildRequires: perl(XML::DOM) -#BuildRequires: %{_bindir}/rapper + +# Upstream PR: https://github.com/dajobe/rasqal/pull/11 +Patch1: define-printf.patch +Patch2: rasqal-configure-c99-2.patch %description Rasqal is a library providing full support for querying Resource @@ -31,24 +34,23 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %description devel Libraries, includes etc to develop with the Rasqal RDF query language library. - %prep -%setup -q +%autosetup -p1 # hack to nuke rpaths %if "%{_libdir}" != "/usr/lib" sed -i -e 's|"/lib /usr/lib|"/%{_lib} %{_libdir}|' configure %endif - %build %configure \ + --with-digest-library=gcrypt\ + --disable-pcre \ --disable-static\ --enable-release %make_build - %install %make_install @@ -93,6 +95,10 @@ fi %changelog +* Fri Mar 07 2025 Jyoti Kanase - 0.9.33-14 +- fix build for 0.9.33 +- License Verified. + * Fri Oct 15 2021 Pawel Winogrodzki - 0.9.33-13 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/SPECS-EXTENDED/ripgrep/ripgrep.spec b/SPECS-EXTENDED/ripgrep/ripgrep.spec index 6c4a739656..333711ff21 100644 --- a/SPECS-EXTENDED/ripgrep/ripgrep.spec +++ b/SPECS-EXTENDED/ripgrep/ripgrep.spec @@ -20,7 +20,7 @@ Name: ripgrep Version: 13.0.0 -Release: 6%{?dist} +Release: 9%{?dist} Summary: A search tool that combines ag with grep License: MIT AND Unlicense Vendor: Microsoft Corporation 
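Review bot: In rasqal.spec, the `%configure` call in the second hunk now passes `--with-digest-library=gcrypt`, but the BuildRequires list shown in the first hunk has no `libgcrypt-devel`. Unless another build dependency pulls the headers in, the gcrypt probe that `rasqal-configure-c99-2.patch` repairs cannot succeed, and a digest backend is better stated as an explicit dependency than a transitive one. I would add `BuildRequires: libgcrypt-devel` next to `BuildRequires: libxml2-devel`. Spec lines between the two hunks are not visible here, so confirm it is not already listed.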
@@ -104,6 +104,15 @@ install -Dm 644 complete/_rg %{buildroot}%{_datadir}/zsh/site-functions/_rg %{_datadir}/zsh %changelog +* Mon Jul 21 2025 Jyoti Kanase - 13.0.0-9 +- Bump release to rebuild with rust + +* Fri Jun 13 2025 Kavya Sree Kaitepalli - 13.0.0-8 +- Bump release to rebuild with rust + +* Wed May 14 2025 Kavya Sree Kaitepalli - 13.0.0-7 +- Bump release to rebuild with rust 1.86.0 + * Mon Apr 21 2025 Kavya Sree Kaitepalli - 13.0.0-6 - Bump release to build with rust 1.85.0 diff --git a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec index 2764b2fe0d..8641aac2b2 100644 --- a/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec +++ b/SPECS-EXTENDED/rust-cbindgen/rust-cbindgen.spec @@ -2,7 +2,7 @@ Summary: Tool for generating C bindings to Rust code Name: rust-cbindgen Version: 0.24.3 -Release: 2%{?dist} +Release: 5%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -96,6 +96,15 @@ RUSTFLAGS=%{rustflags} cargo test --release %endif %changelog +* Mon Jul 21 2025 Jyoti Kanase - 0.24.3-5 +- Bump release to rebuild with rust + +* Fri Jun 13 2025 Kavya Sree Kaitepalli - 0.24.3-4 +- Bump release to rebuild with rust + +* Wed May 14 2025 Kavya Sree Kaitepalli - 0.24.3-3 +- Bump release to rebuild with rust 1.86.0 + * Mon Apr 21 2025 Kavya Sree Kaitepalli - 0.24.3-2 - Bump release to build with rust 1.85.0 diff --git a/SPECS-EXTENDED/SDL/SDL_config.h b/SPECS-EXTENDED/sdl12-compat/SDL_config.h similarity index 59% rename from SPECS-EXTENDED/SDL/SDL_config.h rename to SPECS-EXTENDED/sdl12-compat/SDL_config.h index 84eb1123c0..d3efbf5134 100644 --- a/SPECS-EXTENDED/SDL/SDL_config.h +++ b/SPECS-EXTENDED/sdl12-compat/SDL_config.h 
@@ -1,33 +1,32 @@ /* - SDL - Simple DirectMedia Layer - Copyright (C) 1997-2006 Sam Lantinga + Simple DirectMedia Layer + Copyright (C) 1997-2021 Sam Lantinga - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - - Sam Lantinga - slouken@libsdl.org + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. */ /* - * This SDL_config.h is a wrapper include file for the original SDL_config.h, - * which has been renamed to SDL_config-.h. 
There are conflicts for the + * This SDL_config.h is a wrapper include file for the original SDL_config.h, + * which has been renamed to SDL_config-.h. There are conflicts for the * original SDL_config.h on multilib systems, which result from arch-specific * configuration options. Please do not use the arch-specific file directly. * - * Copyright (C) 2006 Red Hat, Inc. - * Thomas Woerner + * Copyright (C) 2021 Neal Gompa + * Neal Gompa */ #ifdef SDL_config_wrapper_h @@ -74,7 +73,7 @@ #elif defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64 #include "SDL_config-riscv64.h" #else -#error "The SDL-devel package is not usable with the architecture." +#error "The sdl12-compat-devel package is not usable with the architecture." #endif #undef SDL_config_wrapper_h diff --git a/SPECS-EXTENDED/sdl12-compat/sdl12-compat-sdlconfig-multilib.patch b/SPECS-EXTENDED/sdl12-compat/sdl12-compat-sdlconfig-multilib.patch new file mode 100644 index 0000000000..412796bb35 --- /dev/null +++ b/SPECS-EXTENDED/sdl12-compat/sdl12-compat-sdlconfig-multilib.patch 
@@ -0,0 +1,43 @@ +From 3cfbf8e889b50d5d19795d6f81f66345c70ce4e0 Mon Sep 17 00:00:00 2001 +From: Neal Gompa +Date: Wed, 9 Jun 2021 06:57:51 -0400 +Subject: [PATCH] Remove libdir definition from sdl-config for multilib support + +If we export the library directory, then the contents of sdl-config +wind up differing across architectures, which will make sdl12-compat +not multilib-safe. + +Thus, strip out the libdir stuff so that this isn't a problem. +--- + sdl-config.in | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sdl-config.in b/sdl-config.in +index 528a355..addabd8 100755 +--- a/sdl-config.in ++++ b/sdl-config.in +@@ -10,7 +10,6 @@ + prefix=@CMAKE_INSTALL_PREFIX@ + exec_prefix=${prefix} + exec_prefix_set=no +-libdir=@CMAKE_INSTALL_FULL_LIBDIR@ + includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@ + + @ENABLE_STATIC_FALSE@usage="\ +@@ -53,11 +52,11 @@ while test $# -gt 0; do + echo -I${includedir}/SDL @SDL_CFLAGS@ + ;; + @ENABLE_SHARED_TRUE@ --libs) +-@ENABLE_SHARED_TRUE@ echo -L${libdir} @SDL_RLD_FLAGS@ @SDL_LIBS@ ++@ENABLE_SHARED_TRUE@ echo @SDL_RLD_FLAGS@ @SDL_LIBS@ + @ENABLE_SHARED_TRUE@ ;; + @ENABLE_STATIC_TRUE@@ENABLE_SHARED_TRUE@ --static-libs) + @ENABLE_STATIC_TRUE@@ENABLE_SHARED_FALSE@ --libs|--static-libs) +-@ENABLE_STATIC_TRUE@ echo -L${libdir} @SDL_LIBS@ @SDL_STATIC_LIBS@ ++@ENABLE_STATIC_TRUE@ echo @SDL_LIBS@ @SDL_STATIC_LIBS@ + @ENABLE_STATIC_TRUE@ ;; + *) + echo "${usage}" 1>&2 +-- +2.31.1 + diff --git a/SPECS-EXTENDED/sdl12-compat/sdl12-compat.signatures.json b/SPECS-EXTENDED/sdl12-compat/sdl12-compat.signatures.json new file mode 100644 index 0000000000..670d624d79 --- /dev/null +++ b/SPECS-EXTENDED/sdl12-compat/sdl12-compat.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "SDL_config.h": "2983e2fb365d657f924a4d501866a6f4edf87e3da1a689cce0f908f68547ad78", + "sdl12-compat-1.2.68.tar.gz": "63c6e4dcc1154299e6f363c872900be7f3dcb3e42b9f8f57e05442ec3d89d02d" + } +} 
diff --git a/SPECS-EXTENDED/sdl12-compat/sdl12-compat.spec b/SPECS-EXTENDED/sdl12-compat/sdl12-compat.spec
new file mode 100644
index 0000000000..df1d926123
--- /dev/null
+++ b/SPECS-EXTENDED/sdl12-compat/sdl12-compat.spec
@@ -0,0 +1,263 @@ +Name: sdl12-compat +Version: 1.2.68 +Release: 4%{?dist} +Summary: SDL 1.2 runtime compatibility library using SDL 2.0 +# mp3 decoder code is MIT-0/PD +# SDL_opengl.h is zlib and MIT +License: zlib and (Public Domain or MIT-0) and MIT +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://github.com/libsdl-org/sdl12-compat +Source0: %{url}/archive/release-%{version}/%{name}-%{version}.tar.gz +# Multilib aware-header stub +Source1: SDL_config.h + +# Backports from upstream (0001~0500) + +# Proposed patches (0501~1000) + +# Fedora specific patches (1001+) +Patch1001: sdl12-compat-sdlconfig-multilib.patch + +BuildRequires: cmake +BuildRequires: gcc +BuildRequires: git-core +BuildRequires: make +BuildRequires: SDL2-devel +BuildRequires: mesa-libGL-devel +BuildRequires: mesa-libGLU-devel +# This replaces SDL +Obsoletes: SDL < 1.2.15-49 +Conflicts: SDL < 1.2.50 +Provides: SDL = %{version} +Provides: SDL%{?_isa} = %{version} +# This dlopens SDL2 (?!), so manually depend on it +Requires: SDL2%{?_isa} >= 2.0.18 + +%description +Simple DirectMedia Layer (SDL) is a cross-platform multimedia library +designed to provide fast access to the graphics frame buffer and audio device. + +This code is a compatibility layer; it provides a binary-compatible API for +programs written against SDL 1.2, but it uses SDL 2.0 behind the scenes. + +If you are writing new code, please target SDL 2.0 directly and do not use +this layer. 
+ +%package devel +Summary: Files to develop SDL 1.2 applications using SDL 2.0 +Requires: %{name}%{?_isa} = %{version}-%{release} +# This replaces SDL-devel +Obsoletes: SDL-devel < 1.2.15-49 +Conflicts: SDL-devel < 1.2.50 +Provides: SDL-devel = %{version} +Provides: SDL-devel%{?_isa} = %{version} +# Add deps required to compile SDL apps +## For SDL_opengl.h +Requires: pkgconfig(gl) +Requires: pkgconfig(glu) +## For SDL_syswm.h +Requires: pkgconfig(x11) +Requires: pkgconfig(xproto) + +%description devel +Simple DirectMedia Layer (SDL) is a cross-platform multimedia library +designed to provide fast access to the graphics frame buffer and audio device. + +This code is a compatibility layer; it provides a source-compatible API for +programs written against SDL 1.2, but it uses SDL 2.0 behind the scenes. + +If you are writing new code, please target SDL 2.0 directly and do not use +this layer. + + +%package static +Summary: Static library to develop SDL 1.2 applications using SDL 2.0 +Requires: %{name}-devel%{?_isa} = %{version}-%{release} +# This replaces SDL-static +Obsoletes: SDL-static < 1.2.15-49 +Conflicts: SDL-static < 1.2.50 +Provides: SDL-static = %{version} +Provides: SDL-static%{?_isa} = %{version} + +%description static +Simple DirectMedia Layer (SDL) is a cross-platform multimedia library +designed to provide fast access to the graphics frame buffer and audio device. + +This code is a compatibility layer; it provides a static link library for +programs written against SDL 1.2, but it uses SDL 2.0 behind the scenes. +Note that applications that use this library will need to declare SDL2 as +a dependency manually, as the library is dlopen()'d to preserve APIs between +SDL-1.2 and SDL-2.0. + +If you are writing new code, please target SDL 2.0 directly and do not use +this layer. 
+ + +%prep +%autosetup -n %{name}-release-%{version} -S git_am + + +%build +%cmake -DSTATICDEVEL=ON +%cmake_build + + +%install +%cmake_install + +# Rename SDL_config.h to SDL_config-.h to avoid file conflicts on +# multilib systems and install SDL_config.h wrapper +mv %{buildroot}/%{_includedir}/SDL/SDL_config.h %{buildroot}/%{_includedir}/SDL/SDL_config-%{_arch}.h +install -m644 %{SOURCE1} %{buildroot}/%{_includedir}/SDL/SDL_config.h + +# Delete leftover static files +#rm -rf %{buildroot}%{_libdir}/*.a + + +%files +%license LICENSE.txt +%doc README.md BUGS.md COMPATIBILITY.md +%{_libdir}/libSDL-1.2.so.* + +%files devel +%{_bindir}/sdl-config +%{_datadir}/aclocal/sdl.m4 +%{_includedir}/SDL/ +%{_libdir}/libSDL-1.2.so +%{_libdir}/libSDL.so +%{_libdir}/pkgconfig/sdl12_compat.pc + +%files static +%{_libdir}/libSDL.a +%{_libdir}/libSDLmain.a + + +%changelog +* Mon Mar 17 2025 Jyoti kanase - 1.2.68-4 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License Verified. + +* Sat Jul 20 2024 Fedora Release Engineering - 1.2.68-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Sat Jan 27 2024 Fedora Release Engineering - 1.2.68-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Sep 26 2023 Neal Gompa - 1.2.68-1 +- Update to 1.2.68 + +* Sat Jul 22 2023 Fedora Release Engineering - 1.2.60-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Mar 10 2023 Petr Pisar - 1.2.60-3 +- Fix a hang in SDL_FreeYUVOverlay() (RH#2173510) + +* Sat Jan 21 2023 Fedora Release Engineering - 1.2.60-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Sun Oct 30 2022 Neal Gompa - 1.2.60-1 +- Update to 1.2.60 + +* Fri Sep 16 2022 Neal Gompa - 1.2.56-1 +- Update to 1.2.56 (RH#2127545) + +* Sat Jul 23 2022 Fedora Release Engineering - 1.2.52-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Mar 03 2022 Neal Gompa - 1.2.52-1 +- Update to 1.2.52 
(RH#2060590) + +* Sat Jan 22 2022 Fedora Release Engineering - 0.0.1~git.20211125.4e4527a-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Dec 11 2021 Neal Gompa - 0.0.1~git.20211125.4e4527a-3 +- Conflict with all old SDL subpackages properly + +* Wed Dec 01 2021 Neal Gompa - 0.0.1~git.20211125.4e4527a-2 +- Obsolete the SDL package properly + +* Sat Nov 27 2021 Neal Gompa - 0.0.1~git.20211125.4e4527a-1 +- Update to new snapshot release + +* Sun Nov 07 2021 Neal Gompa - 0.0.1~git.20211107.a10d6b6-1 +- Update to new snapshot release + +* Sun Sep 26 2021 Neal Gompa - 0.0.1~git.20210926.c6cfc8f-1 +- Update to new snapshot release +- Ensure SDL2 dependency is arched + +* Sun Sep 12 2021 Neal Gompa - 0.0.1~git.20210909.a98590a-1 +- Update to new snapshot release + +* Thu Aug 26 2021 Neal Gompa - 0.0.1~git.20210825.b5f7170-1 +- Update to new snapshot release + +* Sun Aug 22 2021 Neal Gompa - 0.0.1~git.20210814.a3bfcb2-1 +- Update to new snapshot release + +* Sun Jul 25 2021 Neal Gompa - 0.0.1~git.20210719.aa9919b-1 +- Update to new snapshot release + +* Fri Jul 23 2021 Fedora Release Engineering - 0.0.1~git.20210709.51254e5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jul 09 2021 Neal Gompa - 0.0.1~git.20210709.51254e5-1 +- Update to new snapshot release + +* Tue Jun 29 2021 Neal Gompa - 0.0.1~git.20210628.cf47f88-1 +- Update to new snapshot release + +* Mon Jun 28 2021 Neal Gompa - 0.0.1~git.20210624.08b5def-1 +- Update to new snapshot release + +* Sun Jun 20 2021 Neal Gompa - 0.0.1~git.20210619.4ad7ba6-2 +- Update devel dependencies based on upstream feedback + +* Sun Jun 20 2021 Neal Gompa - 0.0.1~git.20210619.4ad7ba6-1 +- Update to new snapshot release + +* Sun Jun 20 2021 Neal Gompa - 0.0.1~git.20210618.f44f295-2 +- Add devel dependencies expected by SDL packages to devel subpackage + +* Fri Jun 18 2021 Neal Gompa - 0.0.1~git.20210618.f44f295-1 +- Update to new snapshot release + +* Sun Jun 13 2021 
Neal Gompa - 0.0.1~git.20210612.44f299f-1 +- Update to new snapshot release +- Update license tag information + +* Sat Jun 12 2021 Neal Gompa - 0.0.1~git.20210612.c0504eb-1 +- Update to new snapshot release + +* Thu Jun 10 2021 Neal Gompa - 0.0.1~git.20210610.21830e8-1 +- Update to new snapshot release +- Add static link library for non-RHEL + +* Wed Jun 09 2021 Neal Gompa - 0.0.1~git.20210609.efe9791-1 +- Update to new snapshot release +- Refresh patch for multilib support + +* Thu Jun 03 2021 Neal Gompa - 0.0.1~git.20210602.cc5826a-3 +- Fix for multilib support + +* Thu Jun 03 2021 Neal Gompa - 0.0.1~git.20210602.cc5826a-2 +- Add missing SDL2 dependency and fix Obsoletes + +* Wed Jun 02 2021 Neal Gompa - 0.0.1~git.20210602.cc5826a-1 +- Update to new snapshot release + +* Sat May 29 2021 Neal Gompa - 0.0.1~git.20210528.646ecd7-0.1 +- Update to new snapshot release + +* Fri May 28 2021 Neal Gompa - 0.0.1~git.20210527.a915ff1-0.1 +- Update to new snapshot release + +* Wed May 26 2021 Neal Gompa - 0.0.1~git.20210526.848ad42-0.1 +- Update to new snapshot release + +* Mon May 24 2021 Neal Gompa - 0.0.1~git.20210524.cf71450-0.1 +- Update to new snapshot release + +* Sat May 15 2021 Neal Gompa - 0~git.20210515.9f2d88a-1 +- Initial package diff --git a/SPECS-EXTENDED/serd/drobilla.gpg b/SPECS-EXTENDED/serd/drobilla.gpg new file mode 100644 index 0000000000..943ca5f1c6 --- /dev/null +++ b/SPECS-EXTENDED/serd/drobilla.gpg 
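Review bot: In `%install` of sdl12-compat.spec, the commented-out `#rm -rf %{buildroot}%{_libdir}/*.a` under `# Delete leftover static files` contradicts the rest of the spec, which builds with `-DSTATICDEVEL=ON` and ships `libSDL.a` and `libSDLmain.a` in `%files static`. rpm also expands macros inside comments, so the line should either be dropped or written as `#rm -rf %%{buildroot}%%{_libdir}/*.a`. Dropping both the comment and the dead command is the cleaner option.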
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBEXaIU8RBAC7vZmKrMkUyYMKomqHn9bpgFlT01fSQZyB5vHCTb5uW467HQGv +FMu6CCh2UbTyMDc/0py+EDgmkiqstUQ6hII2BbjoAlRgh4Kw43/6G1IDQiMAHXFx +jgs4Kx/xEsamMWXcGLYgBQExnN0EjjGy8ukLFHi5d4RAgNVY3tUlT+31wwCgoetH +x893hs3OQCNV21UCUV/Ndy0D/1RqBTZGXjTQ2eBCbZI7YCGOfPPdmNoDbSaDMubk +UNdbc78+FvG4SOnXxOdwe6W7Lc5qHwYXcga21ajEXT7Fpok+bj9/6a2WCiB4gzkg +Pi8Lwa0XTs7Hjyh9DFtxGbJHNxtsUV97pVBzrxdAiKasY0/CVWuiJBbZuLsyxWwe +rgwjA/9FJXx1tqOBclX4IGZnVzCGzNhTMtj2P248gZ8B6fOTkbt5bUGHBs2XtM0j +irsYeLWeWsfMa0fFMksfrwekbA4u2uMv9dA8VyjXmYGmKfNOtuyPm/NOS4CjpRQO +e3uB+ttbTKwK9Hx6j5WpfLlUBSlAKlxL1wt4cV03QXI5Sh5+QLQiRGF2ZSBSb2Jp +bGxhcmQgPGRhdmVAZHJvYmlsbGEubmV0PoheBBMRAgAeBQJF2iFPAhsDBgsJCAcD +AgMVAgMDFgIBAh4BAheAAAoJEMb2DmUpcnBgGoQAoIHtHRacGREDktZoKv+hMqW5 +SolkAJ9Xaolpgqa0yuO0+U0cHLqYMdN4mbkCDQRF2iFWEAgA+TUcUVyDVXmiBsbM +V6MOW4ZClnS8Ayz+jOkRbPgIaZOgaWekTVXFHvIYb8zQIZHlYNRj3cESkECKzFPH +uQbYcWLtq2AhI5I32027uoierPzM3tkAIttbqxI+ZNvyLM+rOdO/tR7N3QQy4dxB +goNN33kMYoe9M+AoAVJVhj5i+lv79lkQOiOGyIrZRe8tK2vARwl4jpxn5ZyGtY46 +1KMuoOq1H0gBxUGnHG/29gMtfM0WR+mdkB0N4Vmd5DwCBF1PZW+bz/jwUtKTYKlU +4oVLToPbbr1ZxIQ/GeaiX0QbFC6qkYAz1mbXuwIhT7NZnF1Bb5NUVaNDD6me0P/z +mys3pwADBQgAmjvG8d8Ou84Ry7KFlI5aVttIRDvVvODI14XgrRsaEamBurtqH2d1 +GiTuQKatTBcP2Vh4EBggUKvUBo6OqHl5HSJnMCssot9sbjd2INcVNhA37psZA/z0 +SiHvsU5MYJZAhIRy2OSq6f2rTJnN3tpH9uP22G0hnHwWsvaPif2rJJKa4FsLfiSJ +83nNZycmL0swG/3r2CFaWKdgI8Qxh4a9hzhQ/xp677rp+wXoR15Tiz3doVIks9gU +x/ttSOlIe1qikvIm2sK4YjGskyk3ThDnbKADBA0LPxmUw0LRwfMUpjB9w/KPB6K1 +garaVufX87EiQjMqtcatifrlt86BQG6UqIhJBBgRAgAJBQJF2iFWAhsMAAoJEMb2 +DmUpcnBgUWgAnig09zgkm9I8MYfmjNdeVicZ/TslAJ9gXHch/j3J0oVLZn7iLl8L +enSb2JkCDQROyvsgARAAymdAvdxjXiijDSh09Je1GZlWZz8DBVBSp+Sy8Er3f6aa +NjpdUagO4EBLYXTXOaCmpg+iwqmH9F9kDniyPj1JYkaLvttFhXlUaLY4bVAf74RG +Wbxkrq2Geh5WfK78SbAHuLdp9bx7mCq3HahHLB/DGkElRCgvhFwGRoju7bvkHl/Y +MJJsLpUN+Tpdle5VeVuUAH8l48D3WCwp2kUBzA6DXF/SqOHtNV3tbnuKKdB2Q4ks 
+JI51KwqrSa3vTrB+8TmVpocjqUK1RD+7rBJKEh4ARHhlEz6C2W3nZm0lLxsFCkgs +ccqCdLV0ZP6vYhAOPWN1kvBjkkibd0szH9a4AUWO9kUT8B0HHzcquJl6LyV2NtVj +PkPNc4zBGsb+otuPRHDU2EeW248/42royn2TgDioJ3keTe/ZCD22CJ8kNBSZOPOU +9DkZiBv/1heourSWsQAQnWTz0uE4/yVk2/Z6L4nFMk2YZYeYoiYjtz2FdMn+/9tj +eJDr+LH1q6EcBPf3qjT90gOSo3cLlswpVPOOndlrXExVi17dQSrQGi8mBxBjeMb6 +pNbF9EXcbd3Cm9oWxJy6gVEPkY0a5tRmH2Vf8uO8SdHWqh1mMgMzzFLrlvef4CmB +TS0Rp72OYq8R+9lFcRGtbeOkUdaPIL7zxCsf+H0pJTjIH4nEYkZmv9wtBW+SgfcA +EQEAAbQgRGF2aWQgUm9iaWxsYXJkIDxkQGRyb2JpbGxhLm5ldD6JAjoEEwEIACQC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk7K/HYCGQEACgkQ/GzPL3NkwkAb +RA/9Fq7wDadgPMTz47skAWqDyzc1kv4Auft+qpJDpSo9PwZWwQicAJZYNscinZVR +ZKhf+BD0v/eMoy+bzu+wf3Q+Eqq3xYCVUAHZzlQGa0MZ/8nQWfqqZe6Hq43KTgf0 +liSTWOYLHh50JuNPb0Vu2bjrgYxcLEEDIEIhulLiB+iiyuXWJ0ssA32Y9Oh+jxb2 +h62G9rWsYsvoAqvPyxhrbD1WLCMLi9KBXRpUTVaGcMtRicqpYvjZrqEkXINS6OBQ +mBuHiLoef7NGJR+22ljz2XPbQMji8m02ozOk8DDNlBMyubasIknulOEGKGgfwr2c +ZbU+1uUD4BbmWYAALGRXe2pl6AbGPU8kjgHQux2Pd7PH8qJxEvuU4O9Zi99jZgP2 +CMh4I4x3fv9RfDM4z77vMkaV8yoITz4vGdlY+UvSK5BzAMfQxuSCxPXtaqQEjS2g +r6KpUmadK7fLUmvFhXuPKwwA/BxbW6YcQKjhUZqnI5q4Hjek8iEnUiiZLnh1dSl3 +lp2us8Dxq3+TTX09qraOY25Kwf/Xjyd/l6/74JxXXFaeQkb9LHyqk3Jlk2THf3aW +TzH8h9lvTwruYhME0ib8mnPqDSfs1LQILmln8rs7Ma9HCKoUFJeMjqz3+sDMP3HC +SqqrdwxkqnufG/0S3dYjd+z910J/Qj1J/yhNAt1cA6Dwx3aIRgQQEQgABgUCTsr7 +twAKCRDG9g5lKXJwYFRNAJ4rI5MK8g+ouo85l96AAowEBrMvUQCdGdzUXaHH29N6 +FH60gGcMHi/M/jO5Ag0ETsr7IAEQALBnW/tm8zo9y8G1yOO0S0PKXxf3yPcM8J3s +wZupmuRmQyhUF3xoxiTtZH4XbMnUw2Ddzpt7XRFC8BTmI+5E32uxxR7EMgqMS1/X +MlIp+7qEiMF25DAZ6agOBFEe244MFlDt+WIt7XeJPViByKxbgi5rS14MljUazfQr +mgzAVq45RpDc3QIhgE65Q+9R4FDillWUwv5AkieRb3QdMHXrvSgsQ21bnvjdRggp +8Xw4GG4k0e5WnpU7FvDM2unDywvcU/LnRDxsZazzPNJDi1kq7CYmB94xvIdxvDed +QV8SFJ1YZkkx8MTule60t40b4pr6l2zJzR2SaR0GRsOaKeUPP08ye+20arJV/PbE +R7holpB8N68F3MYW712dosCLBVD2srpsjuWLdKA4X/SVb8i0bu/T7dwMJeDSOSmd +WXLEIMBsCQxuttk/hLkJQBVvWu/guMft8Qn2Lb9uPFe8Si8rkjiWTSEq2Q2PXcUu +X+0w9kbmuDULdovAyi+sLObkyx/dVz6LJbM1Ea6XWLhi4QVwKL5/VOey/6UctW2D 
+Kg0SNvLA5jiTx4L8u3Kd4TtvV8qmWOMTmLWXnezwE2Ln4gH65ZkbImgdZswt5r8G +DZ4fxLZsxjS9WPWAndH5z4yFtaUUHgf9A985baj2MVA3dhKXjoiZxLTThxxO40UK +wamCRY21ABEBAAGJAh8EGAEIAAkFAk7K+yACGwwACgkQ/GzPL3NkwkDnGA/7BVKA +/8hEHmmtrq7LzRLu6HYALdf/B7yfcpnwHjFjZchExWaQXuG+AqfgP4bm+OBnpN1e +OX7dD1x79AHJb/Mp2SX3NlzGvujzwMDrR9Hp4XmeeBXfxvSQXiRqcHH6Jr/rv564 +vYxgp0zdCmCRP1y+sSOEOyh46cTP9LD9w+1LzWW96dTo5FQ3q193rzrFBUJStbuM +Isp3puQ08ntmXXfYk+KuXB/hMKbJU9gbMBV7cQdGX4AZ4DcSsacs1TPdiqGZ4fJ3 +XjGegory9dVaTbwkK1ULEENGsPc8LIYTIlNHJ4E1ZSMAkTTn7ThphBvHnXOPG9fg +NimAhXYKpE4a+DwQJY1YY06KFJtqeGYGoFiTqfhn4R/Mq2kArFNoCmmbH1gDThsw +c7idTmyI4DHAhx8kHK0mrnkaA2J+Ah82Kimsu+sMKUxMwbYZ32yK18HQI3y8iXEu +GsGQk8X2gKO8YfOOvGFf2sPl1IN+ZZ8ZI7bZi/yzh5K04Pxyb6LTYpG+YDAZS6H5 +NkWQxPM0TCDFLDlLl5SESl7BxgqryqCY4okRGVq0WLXa3MpFCjoYOAdtkQOm6ZOE +9tjKogx0ZN9cflde2D9MSi9ADCZ8gK4tQ581Ea43owT2iMJVceGcqJE3ZVnUq2PX +DoVGVgIxT1stR69am4hgSHpShTRVU5fio+jiuHKZAg0ET0BWRQEQAOru18ePCKAr +nY43QCcDiVjDCTrPx0lswgkaGPWRwL1jOHiLnwMaafsb/SMjvgwJ3P40Tzo1wB22 +STmQ4/r5JL3nVQ7cRmeCDSMbbva9vuOAC/zOGH6N6Pd/Vyq4bJp3eWhL/bNiBF7R +4ft9E5RD1WIM7kDM0LUd2HgqyvwgKngiJFfZNCEXFuXhHNc4nuRsrLnEb5T+6PTl +noQRQyqd0rhShYTBvjL9DUhhFtgqNmjYl1hCurFnyE8G5zkxnIuJ+wWlgBiPSIIf +ZZY0IGLXH7DHDHaV+N4MKduCiOhPwLhaNHxNekBFaFNllLgVGMUE/Bp4GvHcfAgX +tAQbztqag5folJxNYNWX1qLmYh9hluJA0MRq+nFNpYWmMTcQQYOPpBuOVRf8u5qN +p/aQwH5DdoDa6Mdwfbrq+RcMBogwCjZGROe296YuBBIUfWRxfYQaIwbtrTajSZW2 +DWUze3tONLWjPJKJFDD6w42UQSp+fnDrrdZhasDU8bmVE5LUyA8B01BJWglQIgfL +Z5PzDsxSZtWulxsOoz+VwS2sbslNkVWFPWbcMoKB/fAtN+mmMzrjmHLbF+hLta4Z +ZBJcCS4Nk0Lw4+9Msf7jWWNEUbKyqvKnSK774mIDktp+o2fPXmi0KLcwxrda2SJS +bPeDbYsPzhwTR66+ZoQ430MifR4RIwanABEBAAG0IERhdmlkIFJvYmlsbGFyZCA8 +ZEBkcm9iaWxsYS5uZXQ+iQI6BBMBCAAkAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJPQFfZAhkBAAoJEDZyeCqb82jzx9YQALzxj/8b+JD9px1lGb7ZbN5GTBdh +J6CgLkObSkwnU88vWxOhZDKd6dTyGYtmHg3rridM/0OMVv/hUXxTcRWKHo8S44OA +rFSNhjuarfh7IQRDpe16J9vWaStuK8uiyOmHl8IGmtDoVtlDo7yd0/b8lwCJd9R3 +4d81ruYLHguHxo6ahMyB+SjPXoqEj8dUcY4OR35wRI04H+HSq7s4kpqX4G5uhrtW 
+5dEk7GuqELyg9forQ4xDD/cSOXUtBX/Sak9KRKZLxNyp5h4xvSHi5wl3DjB4Of5J +P7e437J5PXQtw1mNHCwbMyp6R9cqETTwjRj11gbqFy1PjiKDgT6/iPvA+Vg4GcJH +k1Rhzq2PMLegZIqJ6+F3G2oRl0XF1J9j3XvSnXSTMlqEQd6VNFmAd1PGJMfok3kz +brPBIBt8/ltaSn71ekanzxpAVC4fHO6JzPszyqpdkRriTL7nYZ872J5+BWCC3eOr +QVvDNu+FZznHRuI8TqhdWr76w4oZMx56S/oV8bo9wVQx0urxjB851IcPWU8GyBu4 +Bqb9kpw8IzUY08AENKzal9KstCkCoG5a80B0sS7Et7a23TNZF2rBKOzza7yte+5d +PDeDg0WSexzJr35kArjUz7sgKODFfAlvTTgRPTTRIdBeQV69aUc3XvaJQFXwPobz +yvH/ie166GqJIRvOuQINBE9AVkUBEACr6qQSWRlg+AifZqLYSY64VQ4Bvj3SfVXl +MLlMWDeKFAnW49sg/DMu9t20m3m/L49UW51zyjnRlIN8j6NqmVtRKAs2C+FRpSTK +U6NSdsBweUOkQP6FGJRlb9o3cTxePBvQL/weulB/rzRhBqL4W3U4L3jUxYE0vCYs +D5Dq0/177BtazrOIBuRADABLQ7m9976jIfz9zNoix8j7CNtX0g+JB4E5kObVQ41N +LyZ8ei+t/q1MP1KxwD6e+icESlLNrO2rhXBssc6KScbdrPmCfR5bumFitEfxeIJI +s5XR/FKCgmQH4SRQJQ4MY/+B5OIRDH4zjbs8EP2kD+85hbKx8sjrQeafA1VYw+TN +FBJhCNqMkzl6WyZ2GX7ZP0xw19BS/RioOLVq3I3WSRpJGsguzE87xXDF91caaxQn +CL1LM2zqNstYDNYIAmCThVixeONFbFiPN7OsTG2lsSh79mX8+/2YAxj/9ACCxDcF +xXeWbByVdpuV2n24F3lLQBY1/Gpy8yskJLCOFEjGYVIHsEaD+FxR2x9WusWb+aeI +zHmOA8cwcLazJcneMvOTIrlgAz0yZphY+c6kx/opem0N+nKX+aEFbolnlsPXhGNC +AD5xffJOIUK+gGrPstf2WdqYfmWegd7ak1FG4j1WqHwHplOwgStPTO33IhhWXHLj +yRsf8AyumQARAQABiQIfBBgBCAAJBQJPQFZFAhsMAAoJEDZyeCqb82jzTUkP/3jv +hkMK0IGcuCVkfB3uIxsjLKl+lI2FDq/zUOo6Ko491q/8Ks2E4fGYmVrcxymnAThB +4STL0QaLJdIaRlJo0cMkcEsF0RKxu1aaLRRWk08hrdjI3aRLwzAdWxHAE3ESz75T +l26ZB1MvgWBSzyLtYJXYBz738ldIfvs5hzhDWMJTcbhf+Hnaoxt3fcDu8k0EdTIB +CRziOO7uq9npDxwMOTyPQvEMr4v8kIvn/Npu3ZQtadzkeSr+/ENCGNz1KatTV3Iy +lH6X8ANP8eiq4ODOrayjyKs0ZDtL3sn+jJhoz/AF/qBpSTnEtDUpPT3U0Noo4HHk +YQYiK8SI0OcxH9tSkgaeRcnFvlbJw2ackRpHuXNuGZ66zt2yDj7cZG6ssg9Yrrax +x3y+27MJXYnowOnRjCdCQZ5hKeOny73lyFZYDisCvqha138PRJtSwQAgnKEu0Bh/ +sSI0DtPZmsXC9iPg9AxBDqVfdxtsWqfA31JmR+MsN58cT1Ej4Li+cH9sPOFVOpSf +gylCgHUC2Lact8v5xrArHyrCBfmavDnclir84A5TuwGMLhm2Ui9yKn5fGgiF4P4U +U1zeTPb45Mf9NU5pKJXd5H0MsOU58DjaM5Af3dpH6c8wsyDkNeVDvUzLXghsUH80 +HQMSpfZtNLZ/57KoSi7YYYotWZX/mch2i4mqVEEp +=MGn/ +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/SPECS-EXTENDED/serd/serd-0.32.4.tar.xz.sig b/SPECS-EXTENDED/serd/serd-0.32.4.tar.xz.sig new file mode 100644 index 0000000000..9b4520f173 Binary files /dev/null and b/SPECS-EXTENDED/serd/serd-0.32.4.tar.xz.sig differ diff --git a/SPECS-EXTENDED/serd/serd.signatures.json b/SPECS-EXTENDED/serd/serd.signatures.json index 1ef7726177..7bd979cf0c 100644 --- a/SPECS-EXTENDED/serd/serd.signatures.json +++ b/SPECS-EXTENDED/serd/serd.signatures.json @@ -1,5 +1,7 @@ { "Signatures": { - "serd-0.30.2.tar.bz2": "9d3102701172804f823f2215ca3147c50eba992641f9fbe014272355f4937202" + "drobilla.gpg": "29c8ffc9ffee2982ad3c3355736ed043377c1f0f4ea4776df4b98a464692b70e", + "serd-0.32.4.tar.xz": "cbefb569e8db686be8c69cb3866a9538c7cb055e8f24217dd6a4471effa7d349", + "serd-0.32.4.tar.xz.sig": "70af8ca8d86aa49e8a642f2be287ac9cf83f65d166a253fa24e20bb3943e5883" } } diff --git a/SPECS-EXTENDED/serd/serd.spec b/SPECS-EXTENDED/serd/serd.spec index 90042c818a..e15720821d 100644 --- a/SPECS-EXTENDED/serd/serd.spec +++ b/SPECS-EXTENDED/serd/serd.spec @@ -3,19 +3,25 @@ Distribution: Azure Linux %global maj 0 Name: serd -Version: 0.30.2 -Release: 3%{?dist} +Version: 0.32.4 +Release: 1%{?dist} Summary: A lightweight C library for RDF syntax - License: ISC -URL: https://drobilla.net/software/serd -Source0: https://download.drobilla.net/%{name}-%{version}.tar.bz2 +URL: https://drobilla.net/software/%{name}.html +Source0: https://download.drobilla.net/%{name}-%{version}.tar.xz +Source1: https://download.drobilla.net/%{name}-%{version}.tar.xz.sig +Source2: https://drobilla.net/drobilla.gpg +BuildRequires: meson BuildRequires: doxygen BuildRequires: graphviz BuildRequires: glib2-devel BuildRequires: python3 +BuildRequires: gnupg2 BuildRequires: gcc +BuildRequires: python3-sphinx +BuildRequires: python3-sphinxygen + %description %{name} is a lightweight C library for RDF syntax which supports reading and 
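Review bot: `Source2`, the keyring added to the serd.spec preamble, has no comment recording which key is expected to sign releases, and the `%{gpgverify}` call added to `%prep` in the next hunk accepts a signature from any key in that keyring. The armored block in `drobilla.gpg` appears to hold several keys, so a future keyring refresh would be hard to review from the hash in `serd.signatures.json` alone. I would add a comment above `Source2` such as `# Upstream release signing key, fingerprint <FINGERPRINT-PLACEHOLDER>`, filled in from the fingerprint upstream publishes. The same keyring is added again under SPECS-EXTENDED/sord, whose spec is outside this view.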
@@ -35,46 +41,42 @@ writing Turtle, TRiG, NTriples, and NQuads. This package contains the headers and development libraries for %{name}. + %prep -%setup -q -# we'll run ldconfig, well not any more, see -# https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets -sed -i -e 's|bld.add_post_fun(autowaf.run_ldconfig)||' wscript +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 %build -%set_build_flags -python3 waf configure \ - --prefix=%{_prefix} \ - --libdir=%{_libdir} \ - --mandir=%{_mandir} \ - --datadir=%{_datadir} \ - --docdir=%{_docdir} \ - --test \ - --docs -python3 waf build -v %{?_smp_mflags} +%meson -Dman_html=disabled +%meson_build %install -DESTDIR=%{buildroot} python3 waf install -chmod +x %{buildroot}%{_libdir}/lib%{name}-%{maj}.so.* +%meson_install # Move devel docs to the right directory -install -d %{buildroot}%{_docdir}/%{name}/%{name}-%{maj} -mv %{buildroot}%{_docdir}/%{name}-%{maj}/html %{buildroot}%{_docdir}/%{name}/%{name}-%{maj}/html +install -d %{buildroot}%{_docdir}/%{name} +mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_docdir}/%{name} + +%check +%meson_test %files %license COPYING %doc AUTHORS NEWS README.md %doc %{_mandir}/man1/serdi.1* -%{_libdir}/lib%{name}-%{maj}.so.* +%{_libdir}/lib%{name}-%{maj}.so.%{maj}* %{_bindir}/serdi %files devel -%doc %{_mandir}/man3/serd.3* %doc %{_docdir}/%{name}/%{name}-%{maj}/ %{_libdir}/lib%{name}-%{maj}*.so %{_libdir}/pkgconfig/%{name}*.pc %{_includedir}/%{name}-%{maj}/ %changelog +* Mon Feb 24 2025 Jyoti kanase - 0.32.4-1 +- Upgrade to 0.32.4 +- License Verified. + * Fri Oct 15 2021 Pawel Winogrodzki - 0.30.2-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/SPECS-EXTENDED/sord/drobilla.gpg b/SPECS-EXTENDED/sord/drobilla.gpg new file mode 100644 index 0000000000..943ca5f1c6 --- /dev/null +++ b/SPECS-EXTENDED/sord/drobilla.gpg 
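Review bot: The `%{gpgverify}` call added to `%prep` accepts a signature from any key in `%{SOURCE2}`, and the committed `drobilla.gpg` keyring holds several keys. The first key in the sord copy of the file (pinned to the same SHA-256 in both signatures files) appears to be a 1024-bit DSA key. The SHA-256 entry in `serd.signatures.json` pins the keyring file itself, so the remaining exposure is a signature from one of the older keys being accepted for a new tarball. Consider shipping a keyring that contains only the key upstream currently signs releases with, and recording it above `Source2`, e.g. `# Upstream signing key fingerprint: <FINGERPRINT>`. The same applies to the `%prep` sections of sord.spec and sratom.spec in this commit.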
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBEXaIU8RBAC7vZmKrMkUyYMKomqHn9bpgFlT01fSQZyB5vHCTb5uW467HQGv +FMu6CCh2UbTyMDc/0py+EDgmkiqstUQ6hII2BbjoAlRgh4Kw43/6G1IDQiMAHXFx +jgs4Kx/xEsamMWXcGLYgBQExnN0EjjGy8ukLFHi5d4RAgNVY3tUlT+31wwCgoetH +x893hs3OQCNV21UCUV/Ndy0D/1RqBTZGXjTQ2eBCbZI7YCGOfPPdmNoDbSaDMubk +UNdbc78+FvG4SOnXxOdwe6W7Lc5qHwYXcga21ajEXT7Fpok+bj9/6a2WCiB4gzkg +Pi8Lwa0XTs7Hjyh9DFtxGbJHNxtsUV97pVBzrxdAiKasY0/CVWuiJBbZuLsyxWwe +rgwjA/9FJXx1tqOBclX4IGZnVzCGzNhTMtj2P248gZ8B6fOTkbt5bUGHBs2XtM0j +irsYeLWeWsfMa0fFMksfrwekbA4u2uMv9dA8VyjXmYGmKfNOtuyPm/NOS4CjpRQO +e3uB+ttbTKwK9Hx6j5WpfLlUBSlAKlxL1wt4cV03QXI5Sh5+QLQiRGF2ZSBSb2Jp +bGxhcmQgPGRhdmVAZHJvYmlsbGEubmV0PoheBBMRAgAeBQJF2iFPAhsDBgsJCAcD +AgMVAgMDFgIBAh4BAheAAAoJEMb2DmUpcnBgGoQAoIHtHRacGREDktZoKv+hMqW5 +SolkAJ9Xaolpgqa0yuO0+U0cHLqYMdN4mbkCDQRF2iFWEAgA+TUcUVyDVXmiBsbM +V6MOW4ZClnS8Ayz+jOkRbPgIaZOgaWekTVXFHvIYb8zQIZHlYNRj3cESkECKzFPH +uQbYcWLtq2AhI5I32027uoierPzM3tkAIttbqxI+ZNvyLM+rOdO/tR7N3QQy4dxB +goNN33kMYoe9M+AoAVJVhj5i+lv79lkQOiOGyIrZRe8tK2vARwl4jpxn5ZyGtY46 +1KMuoOq1H0gBxUGnHG/29gMtfM0WR+mdkB0N4Vmd5DwCBF1PZW+bz/jwUtKTYKlU +4oVLToPbbr1ZxIQ/GeaiX0QbFC6qkYAz1mbXuwIhT7NZnF1Bb5NUVaNDD6me0P/z +mys3pwADBQgAmjvG8d8Ou84Ry7KFlI5aVttIRDvVvODI14XgrRsaEamBurtqH2d1 +GiTuQKatTBcP2Vh4EBggUKvUBo6OqHl5HSJnMCssot9sbjd2INcVNhA37psZA/z0 +SiHvsU5MYJZAhIRy2OSq6f2rTJnN3tpH9uP22G0hnHwWsvaPif2rJJKa4FsLfiSJ +83nNZycmL0swG/3r2CFaWKdgI8Qxh4a9hzhQ/xp677rp+wXoR15Tiz3doVIks9gU +x/ttSOlIe1qikvIm2sK4YjGskyk3ThDnbKADBA0LPxmUw0LRwfMUpjB9w/KPB6K1 +garaVufX87EiQjMqtcatifrlt86BQG6UqIhJBBgRAgAJBQJF2iFWAhsMAAoJEMb2 +DmUpcnBgUWgAnig09zgkm9I8MYfmjNdeVicZ/TslAJ9gXHch/j3J0oVLZn7iLl8L +enSb2JkCDQROyvsgARAAymdAvdxjXiijDSh09Je1GZlWZz8DBVBSp+Sy8Er3f6aa +NjpdUagO4EBLYXTXOaCmpg+iwqmH9F9kDniyPj1JYkaLvttFhXlUaLY4bVAf74RG +Wbxkrq2Geh5WfK78SbAHuLdp9bx7mCq3HahHLB/DGkElRCgvhFwGRoju7bvkHl/Y +MJJsLpUN+Tpdle5VeVuUAH8l48D3WCwp2kUBzA6DXF/SqOHtNV3tbnuKKdB2Q4ks 
+JI51KwqrSa3vTrB+8TmVpocjqUK1RD+7rBJKEh4ARHhlEz6C2W3nZm0lLxsFCkgs +ccqCdLV0ZP6vYhAOPWN1kvBjkkibd0szH9a4AUWO9kUT8B0HHzcquJl6LyV2NtVj +PkPNc4zBGsb+otuPRHDU2EeW248/42royn2TgDioJ3keTe/ZCD22CJ8kNBSZOPOU +9DkZiBv/1heourSWsQAQnWTz0uE4/yVk2/Z6L4nFMk2YZYeYoiYjtz2FdMn+/9tj +eJDr+LH1q6EcBPf3qjT90gOSo3cLlswpVPOOndlrXExVi17dQSrQGi8mBxBjeMb6 +pNbF9EXcbd3Cm9oWxJy6gVEPkY0a5tRmH2Vf8uO8SdHWqh1mMgMzzFLrlvef4CmB +TS0Rp72OYq8R+9lFcRGtbeOkUdaPIL7zxCsf+H0pJTjIH4nEYkZmv9wtBW+SgfcA +EQEAAbQgRGF2aWQgUm9iaWxsYXJkIDxkQGRyb2JpbGxhLm5ldD6JAjoEEwEIACQC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk7K/HYCGQEACgkQ/GzPL3NkwkAb +RA/9Fq7wDadgPMTz47skAWqDyzc1kv4Auft+qpJDpSo9PwZWwQicAJZYNscinZVR +ZKhf+BD0v/eMoy+bzu+wf3Q+Eqq3xYCVUAHZzlQGa0MZ/8nQWfqqZe6Hq43KTgf0 +liSTWOYLHh50JuNPb0Vu2bjrgYxcLEEDIEIhulLiB+iiyuXWJ0ssA32Y9Oh+jxb2 +h62G9rWsYsvoAqvPyxhrbD1WLCMLi9KBXRpUTVaGcMtRicqpYvjZrqEkXINS6OBQ +mBuHiLoef7NGJR+22ljz2XPbQMji8m02ozOk8DDNlBMyubasIknulOEGKGgfwr2c +ZbU+1uUD4BbmWYAALGRXe2pl6AbGPU8kjgHQux2Pd7PH8qJxEvuU4O9Zi99jZgP2 +CMh4I4x3fv9RfDM4z77vMkaV8yoITz4vGdlY+UvSK5BzAMfQxuSCxPXtaqQEjS2g +r6KpUmadK7fLUmvFhXuPKwwA/BxbW6YcQKjhUZqnI5q4Hjek8iEnUiiZLnh1dSl3 +lp2us8Dxq3+TTX09qraOY25Kwf/Xjyd/l6/74JxXXFaeQkb9LHyqk3Jlk2THf3aW +TzH8h9lvTwruYhME0ib8mnPqDSfs1LQILmln8rs7Ma9HCKoUFJeMjqz3+sDMP3HC +SqqrdwxkqnufG/0S3dYjd+z910J/Qj1J/yhNAt1cA6Dwx3aIRgQQEQgABgUCTsr7 +twAKCRDG9g5lKXJwYFRNAJ4rI5MK8g+ouo85l96AAowEBrMvUQCdGdzUXaHH29N6 +FH60gGcMHi/M/jO5Ag0ETsr7IAEQALBnW/tm8zo9y8G1yOO0S0PKXxf3yPcM8J3s +wZupmuRmQyhUF3xoxiTtZH4XbMnUw2Ddzpt7XRFC8BTmI+5E32uxxR7EMgqMS1/X +MlIp+7qEiMF25DAZ6agOBFEe244MFlDt+WIt7XeJPViByKxbgi5rS14MljUazfQr +mgzAVq45RpDc3QIhgE65Q+9R4FDillWUwv5AkieRb3QdMHXrvSgsQ21bnvjdRggp +8Xw4GG4k0e5WnpU7FvDM2unDywvcU/LnRDxsZazzPNJDi1kq7CYmB94xvIdxvDed +QV8SFJ1YZkkx8MTule60t40b4pr6l2zJzR2SaR0GRsOaKeUPP08ye+20arJV/PbE +R7holpB8N68F3MYW712dosCLBVD2srpsjuWLdKA4X/SVb8i0bu/T7dwMJeDSOSmd +WXLEIMBsCQxuttk/hLkJQBVvWu/guMft8Qn2Lb9uPFe8Si8rkjiWTSEq2Q2PXcUu +X+0w9kbmuDULdovAyi+sLObkyx/dVz6LJbM1Ea6XWLhi4QVwKL5/VOey/6UctW2D 
+Kg0SNvLA5jiTx4L8u3Kd4TtvV8qmWOMTmLWXnezwE2Ln4gH65ZkbImgdZswt5r8G +DZ4fxLZsxjS9WPWAndH5z4yFtaUUHgf9A985baj2MVA3dhKXjoiZxLTThxxO40UK +wamCRY21ABEBAAGJAh8EGAEIAAkFAk7K+yACGwwACgkQ/GzPL3NkwkDnGA/7BVKA +/8hEHmmtrq7LzRLu6HYALdf/B7yfcpnwHjFjZchExWaQXuG+AqfgP4bm+OBnpN1e +OX7dD1x79AHJb/Mp2SX3NlzGvujzwMDrR9Hp4XmeeBXfxvSQXiRqcHH6Jr/rv564 +vYxgp0zdCmCRP1y+sSOEOyh46cTP9LD9w+1LzWW96dTo5FQ3q193rzrFBUJStbuM +Isp3puQ08ntmXXfYk+KuXB/hMKbJU9gbMBV7cQdGX4AZ4DcSsacs1TPdiqGZ4fJ3 +XjGegory9dVaTbwkK1ULEENGsPc8LIYTIlNHJ4E1ZSMAkTTn7ThphBvHnXOPG9fg +NimAhXYKpE4a+DwQJY1YY06KFJtqeGYGoFiTqfhn4R/Mq2kArFNoCmmbH1gDThsw +c7idTmyI4DHAhx8kHK0mrnkaA2J+Ah82Kimsu+sMKUxMwbYZ32yK18HQI3y8iXEu +GsGQk8X2gKO8YfOOvGFf2sPl1IN+ZZ8ZI7bZi/yzh5K04Pxyb6LTYpG+YDAZS6H5 +NkWQxPM0TCDFLDlLl5SESl7BxgqryqCY4okRGVq0WLXa3MpFCjoYOAdtkQOm6ZOE +9tjKogx0ZN9cflde2D9MSi9ADCZ8gK4tQ581Ea43owT2iMJVceGcqJE3ZVnUq2PX +DoVGVgIxT1stR69am4hgSHpShTRVU5fio+jiuHKZAg0ET0BWRQEQAOru18ePCKAr +nY43QCcDiVjDCTrPx0lswgkaGPWRwL1jOHiLnwMaafsb/SMjvgwJ3P40Tzo1wB22 +STmQ4/r5JL3nVQ7cRmeCDSMbbva9vuOAC/zOGH6N6Pd/Vyq4bJp3eWhL/bNiBF7R +4ft9E5RD1WIM7kDM0LUd2HgqyvwgKngiJFfZNCEXFuXhHNc4nuRsrLnEb5T+6PTl +noQRQyqd0rhShYTBvjL9DUhhFtgqNmjYl1hCurFnyE8G5zkxnIuJ+wWlgBiPSIIf +ZZY0IGLXH7DHDHaV+N4MKduCiOhPwLhaNHxNekBFaFNllLgVGMUE/Bp4GvHcfAgX +tAQbztqag5folJxNYNWX1qLmYh9hluJA0MRq+nFNpYWmMTcQQYOPpBuOVRf8u5qN +p/aQwH5DdoDa6Mdwfbrq+RcMBogwCjZGROe296YuBBIUfWRxfYQaIwbtrTajSZW2 +DWUze3tONLWjPJKJFDD6w42UQSp+fnDrrdZhasDU8bmVE5LUyA8B01BJWglQIgfL +Z5PzDsxSZtWulxsOoz+VwS2sbslNkVWFPWbcMoKB/fAtN+mmMzrjmHLbF+hLta4Z +ZBJcCS4Nk0Lw4+9Msf7jWWNEUbKyqvKnSK774mIDktp+o2fPXmi0KLcwxrda2SJS +bPeDbYsPzhwTR66+ZoQ430MifR4RIwanABEBAAG0IERhdmlkIFJvYmlsbGFyZCA8 +ZEBkcm9iaWxsYS5uZXQ+iQI6BBMBCAAkAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJPQFfZAhkBAAoJEDZyeCqb82jzx9YQALzxj/8b+JD9px1lGb7ZbN5GTBdh +J6CgLkObSkwnU88vWxOhZDKd6dTyGYtmHg3rridM/0OMVv/hUXxTcRWKHo8S44OA +rFSNhjuarfh7IQRDpe16J9vWaStuK8uiyOmHl8IGmtDoVtlDo7yd0/b8lwCJd9R3 +4d81ruYLHguHxo6ahMyB+SjPXoqEj8dUcY4OR35wRI04H+HSq7s4kpqX4G5uhrtW 
+5dEk7GuqELyg9forQ4xDD/cSOXUtBX/Sak9KRKZLxNyp5h4xvSHi5wl3DjB4Of5J +P7e437J5PXQtw1mNHCwbMyp6R9cqETTwjRj11gbqFy1PjiKDgT6/iPvA+Vg4GcJH +k1Rhzq2PMLegZIqJ6+F3G2oRl0XF1J9j3XvSnXSTMlqEQd6VNFmAd1PGJMfok3kz +brPBIBt8/ltaSn71ekanzxpAVC4fHO6JzPszyqpdkRriTL7nYZ872J5+BWCC3eOr +QVvDNu+FZznHRuI8TqhdWr76w4oZMx56S/oV8bo9wVQx0urxjB851IcPWU8GyBu4 +Bqb9kpw8IzUY08AENKzal9KstCkCoG5a80B0sS7Et7a23TNZF2rBKOzza7yte+5d +PDeDg0WSexzJr35kArjUz7sgKODFfAlvTTgRPTTRIdBeQV69aUc3XvaJQFXwPobz +yvH/ie166GqJIRvOuQINBE9AVkUBEACr6qQSWRlg+AifZqLYSY64VQ4Bvj3SfVXl +MLlMWDeKFAnW49sg/DMu9t20m3m/L49UW51zyjnRlIN8j6NqmVtRKAs2C+FRpSTK +U6NSdsBweUOkQP6FGJRlb9o3cTxePBvQL/weulB/rzRhBqL4W3U4L3jUxYE0vCYs +D5Dq0/177BtazrOIBuRADABLQ7m9976jIfz9zNoix8j7CNtX0g+JB4E5kObVQ41N +LyZ8ei+t/q1MP1KxwD6e+icESlLNrO2rhXBssc6KScbdrPmCfR5bumFitEfxeIJI +s5XR/FKCgmQH4SRQJQ4MY/+B5OIRDH4zjbs8EP2kD+85hbKx8sjrQeafA1VYw+TN +FBJhCNqMkzl6WyZ2GX7ZP0xw19BS/RioOLVq3I3WSRpJGsguzE87xXDF91caaxQn +CL1LM2zqNstYDNYIAmCThVixeONFbFiPN7OsTG2lsSh79mX8+/2YAxj/9ACCxDcF +xXeWbByVdpuV2n24F3lLQBY1/Gpy8yskJLCOFEjGYVIHsEaD+FxR2x9WusWb+aeI +zHmOA8cwcLazJcneMvOTIrlgAz0yZphY+c6kx/opem0N+nKX+aEFbolnlsPXhGNC +AD5xffJOIUK+gGrPstf2WdqYfmWegd7ak1FG4j1WqHwHplOwgStPTO33IhhWXHLj +yRsf8AyumQARAQABiQIfBBgBCAAJBQJPQFZFAhsMAAoJEDZyeCqb82jzTUkP/3jv +hkMK0IGcuCVkfB3uIxsjLKl+lI2FDq/zUOo6Ko491q/8Ks2E4fGYmVrcxymnAThB +4STL0QaLJdIaRlJo0cMkcEsF0RKxu1aaLRRWk08hrdjI3aRLwzAdWxHAE3ESz75T +l26ZB1MvgWBSzyLtYJXYBz738ldIfvs5hzhDWMJTcbhf+Hnaoxt3fcDu8k0EdTIB +CRziOO7uq9npDxwMOTyPQvEMr4v8kIvn/Npu3ZQtadzkeSr+/ENCGNz1KatTV3Iy +lH6X8ANP8eiq4ODOrayjyKs0ZDtL3sn+jJhoz/AF/qBpSTnEtDUpPT3U0Noo4HHk +YQYiK8SI0OcxH9tSkgaeRcnFvlbJw2ackRpHuXNuGZ66zt2yDj7cZG6ssg9Yrrax +x3y+27MJXYnowOnRjCdCQZ5hKeOny73lyFZYDisCvqha138PRJtSwQAgnKEu0Bh/ +sSI0DtPZmsXC9iPg9AxBDqVfdxtsWqfA31JmR+MsN58cT1Ej4Li+cH9sPOFVOpSf +gylCgHUC2Lact8v5xrArHyrCBfmavDnclir84A5TuwGMLhm2Ui9yKn5fGgiF4P4U +U1zeTPb45Mf9NU5pKJXd5H0MsOU58DjaM5Af3dpH6c8wsyDkNeVDvUzLXghsUH80 +HQMSpfZtNLZ/57KoSi7YYYotWZX/mch2i4mqVEEp +=MGn/ +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/SPECS-EXTENDED/sord/sord-0.16.18.tar.xz.sig b/SPECS-EXTENDED/sord/sord-0.16.18.tar.xz.sig new file mode 100644 index 0000000000..75acb9fffc Binary files /dev/null and b/SPECS-EXTENDED/sord/sord-0.16.18.tar.xz.sig differ diff --git a/SPECS-EXTENDED/sord/sord.signatures.json b/SPECS-EXTENDED/sord/sord.signatures.json index 533199b8a6..7fb2245c60 100644 --- a/SPECS-EXTENDED/sord/sord.signatures.json +++ b/SPECS-EXTENDED/sord/sord.signatures.json @@ -1,5 +1,7 @@ { "Signatures": { - "sord-0.16.4.tar.bz2": "b15998f4e7ad958201346009477d6696e90ee5d3e9aff25e7e9be074372690d7" + "drobilla.gpg": "29c8ffc9ffee2982ad3c3355736ed043377c1f0f4ea4776df4b98a464692b70e", + "sord-0.16.18.tar.xz": "4f398b635894491a4774b1498959805a08e11734c324f13d572dea695b13d3b3", + "sord-0.16.18.tar.xz.sig": "aace6e086800e59ffc0837e22d392f126ebf4d2dc8764a2efd026868129fdfb2" } } diff --git a/SPECS-EXTENDED/sord/sord.spec b/SPECS-EXTENDED/sord/sord.spec index 1d5b9fcb79..7c9290613c 100644 --- a/SPECS-EXTENDED/sord/sord.spec +++ b/SPECS-EXTENDED/sord/sord.spec 
@@ -1,25 +1,26 @@ Vendor: Microsoft Corporation Distribution: Azure Linux %global maj 0 -%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} Name: sord -Version: 0.16.4 -Release: 5%{?dist} +Version: 0.16.18 +Release: 1%{?dist} Summary: A lightweight Resource Description Framework (RDF) C library License: ISC URL: https://drobilla.net/software/sord -Source0: https://download.drobilla.net/%{name}-%{version}.tar.bz2 +Source0: https://download.drobilla.net/%{name}-%{version}.tar.xz +Source1: https://download.drobilla.net/%{name}-%{version}.tar.xz.sig +Source2: https://drobilla.net/drobilla.gpg -BuildRequires: boost-devel BuildRequires: doxygen -BuildRequires: graphviz -BuildRequires: glib2-devel -BuildRequires: python3 -BuildRequires: serd-devel >= 0.30.0 BuildRequires: gcc -BuildRequires: gcc-c++ +BuildRequires: meson +BuildRequires: gnupg +BuildRequires: pkgconfig(serd-0) >= 0.30.10 +BuildRequires: pkgconfig(libpcre2-8) +BuildRequires: cmake +BuildRequires: pkgconfig(zix-0) >= 0.4.0 %description %{name} is a lightweight C library for storing Resource Description 
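Review bot: `BuildRequires: gnupg` in this hunk differs from `BuildRequires: gnupg2` in serd.spec and sratom.spec, although all three specs need the same tool for `%{gpgverify}`. Unless the distribution provides both package names, one spelling will fail dependency resolution. Using `BuildRequires: gnupg2` here would keep the three packages consistent.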
@@ -38,42 +39,28 @@ Framework (RDF) data in memory. This package contains the headers and development libraries for %{name}. %prep -%setup -q -# we'll run ldconfig, and add our optflags -sed -i -e "s|bld.add_post_fun(autowaf.run_ldconfig)||" \ - -e "s|cflags = [ '-DSORD_INTERNAL' ]\ -|cflags = [ '-DSORD_INTERNAL' ] + '%optflags'.split(' ') |" wscript +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p1 %build -%set_build_flags -# Work around a possible GCC 10 bug -# GCC 10 crashes on these arches in for loop with ZixBTreeIter -%ifarch %{power64} %{arm} aarch64 s390 s390x -CFLAGS+=" -O1" -CXXFLAGS+=" -O1" -%endif -export LINKFLAGS="%{__global_ldflags}" -python3 waf configure \ - --prefix=%{_prefix} \ - --libdir=%{_libdir} \ - --mandir=%{_mandir} \ - --datadir=%{_datadir} \ - --docdir=%{_pkgdocdir} \ - --test \ - --docs -python3 waf build -v %{?_smp_mflags} +%meson +%meson_build %install -DESTDIR=%{buildroot} python3 waf install -chmod +x %{buildroot}%{_libdir}/lib%{name}-%{maj}.so.* -install -pm 644 AUTHORS NEWS README.md COPYING %{buildroot}%{_pkgdocdir} +%meson_install + +# Move devel docs to the right directory +install -d %{buildroot}%{_docdir}/%{name} +mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_docdir}/%{name} + +%check +%meson_test %files %{_pkgdocdir} %exclude %{_pkgdocdir}/%{name}-%{maj}/ -%exclude %{_pkgdocdir}/COPYING %license COPYING -%{_libdir}/lib%{name}-%{maj}.so.* +%{_libdir}/lib%{name}-%{maj}.so.%{maj}* %{_bindir}/sordi %{_bindir}/sord_validate %{_mandir}/man1/%{name}*.1* @@ -83,9 +70,12 @@ install -pm 644 AUTHORS NEWS README.md COPYING %{buildroot}%{_pkgdocdir} %{_libdir}/lib%{name}-%{maj}.so %{_libdir}/pkgconfig/%{name}-%{maj}.pc %{_includedir}/%{name}-%{maj}/ -%{_mandir}/man3/%{name}*.3* %changelog +* Tue Feb 25 2025 Jyoti kanase - 0.16.18-1 +- Upgrade to 0.16.18 +- License Verified. + * Fri Oct 15 2021 Pawel Winogrodzki - 0.16.4-5 - Initial CBL-Mariner import from Fedora 32 (license: MIT). 
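Review bot: `%install` now moves the generated docs into `%{_docdir}/%{name}`, while the `%files` section kept as context in this hunk still lists `%{_pkgdocdir}` and `%exclude %{_pkgdocdir}/%{name}-%{maj}/`. The first hunk of this file removes the `%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}` fallback, so the two paths agree only if the build macros define `_pkgdocdir` as the unversioned directory. Writing the `%files` entries with the path used in `%install`, `%{_docdir}/%{name}` and `%exclude %{_docdir}/%{name}/%{name}-%{maj}/`, would remove that dependency.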
diff --git a/SPECS-EXTENDED/sratom/drobilla.gpg b/SPECS-EXTENDED/sratom/drobilla.gpg new file mode 100644 index 0000000000..943ca5f1c6 --- /dev/null +++ b/SPECS-EXTENDED/sratom/drobilla.gpg 
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBEXaIU8RBAC7vZmKrMkUyYMKomqHn9bpgFlT01fSQZyB5vHCTb5uW467HQGv +FMu6CCh2UbTyMDc/0py+EDgmkiqstUQ6hII2BbjoAlRgh4Kw43/6G1IDQiMAHXFx +jgs4Kx/xEsamMWXcGLYgBQExnN0EjjGy8ukLFHi5d4RAgNVY3tUlT+31wwCgoetH +x893hs3OQCNV21UCUV/Ndy0D/1RqBTZGXjTQ2eBCbZI7YCGOfPPdmNoDbSaDMubk +UNdbc78+FvG4SOnXxOdwe6W7Lc5qHwYXcga21ajEXT7Fpok+bj9/6a2WCiB4gzkg +Pi8Lwa0XTs7Hjyh9DFtxGbJHNxtsUV97pVBzrxdAiKasY0/CVWuiJBbZuLsyxWwe +rgwjA/9FJXx1tqOBclX4IGZnVzCGzNhTMtj2P248gZ8B6fOTkbt5bUGHBs2XtM0j +irsYeLWeWsfMa0fFMksfrwekbA4u2uMv9dA8VyjXmYGmKfNOtuyPm/NOS4CjpRQO +e3uB+ttbTKwK9Hx6j5WpfLlUBSlAKlxL1wt4cV03QXI5Sh5+QLQiRGF2ZSBSb2Jp +bGxhcmQgPGRhdmVAZHJvYmlsbGEubmV0PoheBBMRAgAeBQJF2iFPAhsDBgsJCAcD +AgMVAgMDFgIBAh4BAheAAAoJEMb2DmUpcnBgGoQAoIHtHRacGREDktZoKv+hMqW5 +SolkAJ9Xaolpgqa0yuO0+U0cHLqYMdN4mbkCDQRF2iFWEAgA+TUcUVyDVXmiBsbM +V6MOW4ZClnS8Ayz+jOkRbPgIaZOgaWekTVXFHvIYb8zQIZHlYNRj3cESkECKzFPH +uQbYcWLtq2AhI5I32027uoierPzM3tkAIttbqxI+ZNvyLM+rOdO/tR7N3QQy4dxB +goNN33kMYoe9M+AoAVJVhj5i+lv79lkQOiOGyIrZRe8tK2vARwl4jpxn5ZyGtY46 +1KMuoOq1H0gBxUGnHG/29gMtfM0WR+mdkB0N4Vmd5DwCBF1PZW+bz/jwUtKTYKlU +4oVLToPbbr1ZxIQ/GeaiX0QbFC6qkYAz1mbXuwIhT7NZnF1Bb5NUVaNDD6me0P/z +mys3pwADBQgAmjvG8d8Ou84Ry7KFlI5aVttIRDvVvODI14XgrRsaEamBurtqH2d1 +GiTuQKatTBcP2Vh4EBggUKvUBo6OqHl5HSJnMCssot9sbjd2INcVNhA37psZA/z0 +SiHvsU5MYJZAhIRy2OSq6f2rTJnN3tpH9uP22G0hnHwWsvaPif2rJJKa4FsLfiSJ +83nNZycmL0swG/3r2CFaWKdgI8Qxh4a9hzhQ/xp677rp+wXoR15Tiz3doVIks9gU +x/ttSOlIe1qikvIm2sK4YjGskyk3ThDnbKADBA0LPxmUw0LRwfMUpjB9w/KPB6K1 +garaVufX87EiQjMqtcatifrlt86BQG6UqIhJBBgRAgAJBQJF2iFWAhsMAAoJEMb2 +DmUpcnBgUWgAnig09zgkm9I8MYfmjNdeVicZ/TslAJ9gXHch/j3J0oVLZn7iLl8L +enSb2JkCDQROyvsgARAAymdAvdxjXiijDSh09Je1GZlWZz8DBVBSp+Sy8Er3f6aa +NjpdUagO4EBLYXTXOaCmpg+iwqmH9F9kDniyPj1JYkaLvttFhXlUaLY4bVAf74RG +Wbxkrq2Geh5WfK78SbAHuLdp9bx7mCq3HahHLB/DGkElRCgvhFwGRoju7bvkHl/Y +MJJsLpUN+Tpdle5VeVuUAH8l48D3WCwp2kUBzA6DXF/SqOHtNV3tbnuKKdB2Q4ks 
+JI51KwqrSa3vTrB+8TmVpocjqUK1RD+7rBJKEh4ARHhlEz6C2W3nZm0lLxsFCkgs +ccqCdLV0ZP6vYhAOPWN1kvBjkkibd0szH9a4AUWO9kUT8B0HHzcquJl6LyV2NtVj +PkPNc4zBGsb+otuPRHDU2EeW248/42royn2TgDioJ3keTe/ZCD22CJ8kNBSZOPOU +9DkZiBv/1heourSWsQAQnWTz0uE4/yVk2/Z6L4nFMk2YZYeYoiYjtz2FdMn+/9tj +eJDr+LH1q6EcBPf3qjT90gOSo3cLlswpVPOOndlrXExVi17dQSrQGi8mBxBjeMb6 +pNbF9EXcbd3Cm9oWxJy6gVEPkY0a5tRmH2Vf8uO8SdHWqh1mMgMzzFLrlvef4CmB +TS0Rp72OYq8R+9lFcRGtbeOkUdaPIL7zxCsf+H0pJTjIH4nEYkZmv9wtBW+SgfcA +EQEAAbQgRGF2aWQgUm9iaWxsYXJkIDxkQGRyb2JpbGxhLm5ldD6JAjoEEwEIACQC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk7K/HYCGQEACgkQ/GzPL3NkwkAb +RA/9Fq7wDadgPMTz47skAWqDyzc1kv4Auft+qpJDpSo9PwZWwQicAJZYNscinZVR +ZKhf+BD0v/eMoy+bzu+wf3Q+Eqq3xYCVUAHZzlQGa0MZ/8nQWfqqZe6Hq43KTgf0 +liSTWOYLHh50JuNPb0Vu2bjrgYxcLEEDIEIhulLiB+iiyuXWJ0ssA32Y9Oh+jxb2 +h62G9rWsYsvoAqvPyxhrbD1WLCMLi9KBXRpUTVaGcMtRicqpYvjZrqEkXINS6OBQ +mBuHiLoef7NGJR+22ljz2XPbQMji8m02ozOk8DDNlBMyubasIknulOEGKGgfwr2c +ZbU+1uUD4BbmWYAALGRXe2pl6AbGPU8kjgHQux2Pd7PH8qJxEvuU4O9Zi99jZgP2 +CMh4I4x3fv9RfDM4z77vMkaV8yoITz4vGdlY+UvSK5BzAMfQxuSCxPXtaqQEjS2g +r6KpUmadK7fLUmvFhXuPKwwA/BxbW6YcQKjhUZqnI5q4Hjek8iEnUiiZLnh1dSl3 +lp2us8Dxq3+TTX09qraOY25Kwf/Xjyd/l6/74JxXXFaeQkb9LHyqk3Jlk2THf3aW +TzH8h9lvTwruYhME0ib8mnPqDSfs1LQILmln8rs7Ma9HCKoUFJeMjqz3+sDMP3HC +SqqrdwxkqnufG/0S3dYjd+z910J/Qj1J/yhNAt1cA6Dwx3aIRgQQEQgABgUCTsr7 +twAKCRDG9g5lKXJwYFRNAJ4rI5MK8g+ouo85l96AAowEBrMvUQCdGdzUXaHH29N6 +FH60gGcMHi/M/jO5Ag0ETsr7IAEQALBnW/tm8zo9y8G1yOO0S0PKXxf3yPcM8J3s +wZupmuRmQyhUF3xoxiTtZH4XbMnUw2Ddzpt7XRFC8BTmI+5E32uxxR7EMgqMS1/X +MlIp+7qEiMF25DAZ6agOBFEe244MFlDt+WIt7XeJPViByKxbgi5rS14MljUazfQr +mgzAVq45RpDc3QIhgE65Q+9R4FDillWUwv5AkieRb3QdMHXrvSgsQ21bnvjdRggp +8Xw4GG4k0e5WnpU7FvDM2unDywvcU/LnRDxsZazzPNJDi1kq7CYmB94xvIdxvDed +QV8SFJ1YZkkx8MTule60t40b4pr6l2zJzR2SaR0GRsOaKeUPP08ye+20arJV/PbE +R7holpB8N68F3MYW712dosCLBVD2srpsjuWLdKA4X/SVb8i0bu/T7dwMJeDSOSmd +WXLEIMBsCQxuttk/hLkJQBVvWu/guMft8Qn2Lb9uPFe8Si8rkjiWTSEq2Q2PXcUu +X+0w9kbmuDULdovAyi+sLObkyx/dVz6LJbM1Ea6XWLhi4QVwKL5/VOey/6UctW2D 
+Kg0SNvLA5jiTx4L8u3Kd4TtvV8qmWOMTmLWXnezwE2Ln4gH65ZkbImgdZswt5r8G +DZ4fxLZsxjS9WPWAndH5z4yFtaUUHgf9A985baj2MVA3dhKXjoiZxLTThxxO40UK +wamCRY21ABEBAAGJAh8EGAEIAAkFAk7K+yACGwwACgkQ/GzPL3NkwkDnGA/7BVKA +/8hEHmmtrq7LzRLu6HYALdf/B7yfcpnwHjFjZchExWaQXuG+AqfgP4bm+OBnpN1e +OX7dD1x79AHJb/Mp2SX3NlzGvujzwMDrR9Hp4XmeeBXfxvSQXiRqcHH6Jr/rv564 +vYxgp0zdCmCRP1y+sSOEOyh46cTP9LD9w+1LzWW96dTo5FQ3q193rzrFBUJStbuM +Isp3puQ08ntmXXfYk+KuXB/hMKbJU9gbMBV7cQdGX4AZ4DcSsacs1TPdiqGZ4fJ3 +XjGegory9dVaTbwkK1ULEENGsPc8LIYTIlNHJ4E1ZSMAkTTn7ThphBvHnXOPG9fg +NimAhXYKpE4a+DwQJY1YY06KFJtqeGYGoFiTqfhn4R/Mq2kArFNoCmmbH1gDThsw +c7idTmyI4DHAhx8kHK0mrnkaA2J+Ah82Kimsu+sMKUxMwbYZ32yK18HQI3y8iXEu +GsGQk8X2gKO8YfOOvGFf2sPl1IN+ZZ8ZI7bZi/yzh5K04Pxyb6LTYpG+YDAZS6H5 +NkWQxPM0TCDFLDlLl5SESl7BxgqryqCY4okRGVq0WLXa3MpFCjoYOAdtkQOm6ZOE +9tjKogx0ZN9cflde2D9MSi9ADCZ8gK4tQ581Ea43owT2iMJVceGcqJE3ZVnUq2PX +DoVGVgIxT1stR69am4hgSHpShTRVU5fio+jiuHKZAg0ET0BWRQEQAOru18ePCKAr +nY43QCcDiVjDCTrPx0lswgkaGPWRwL1jOHiLnwMaafsb/SMjvgwJ3P40Tzo1wB22 +STmQ4/r5JL3nVQ7cRmeCDSMbbva9vuOAC/zOGH6N6Pd/Vyq4bJp3eWhL/bNiBF7R +4ft9E5RD1WIM7kDM0LUd2HgqyvwgKngiJFfZNCEXFuXhHNc4nuRsrLnEb5T+6PTl +noQRQyqd0rhShYTBvjL9DUhhFtgqNmjYl1hCurFnyE8G5zkxnIuJ+wWlgBiPSIIf +ZZY0IGLXH7DHDHaV+N4MKduCiOhPwLhaNHxNekBFaFNllLgVGMUE/Bp4GvHcfAgX +tAQbztqag5folJxNYNWX1qLmYh9hluJA0MRq+nFNpYWmMTcQQYOPpBuOVRf8u5qN +p/aQwH5DdoDa6Mdwfbrq+RcMBogwCjZGROe296YuBBIUfWRxfYQaIwbtrTajSZW2 +DWUze3tONLWjPJKJFDD6w42UQSp+fnDrrdZhasDU8bmVE5LUyA8B01BJWglQIgfL +Z5PzDsxSZtWulxsOoz+VwS2sbslNkVWFPWbcMoKB/fAtN+mmMzrjmHLbF+hLta4Z +ZBJcCS4Nk0Lw4+9Msf7jWWNEUbKyqvKnSK774mIDktp+o2fPXmi0KLcwxrda2SJS +bPeDbYsPzhwTR66+ZoQ430MifR4RIwanABEBAAG0IERhdmlkIFJvYmlsbGFyZCA8 +ZEBkcm9iaWxsYS5uZXQ+iQI6BBMBCAAkAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJPQFfZAhkBAAoJEDZyeCqb82jzx9YQALzxj/8b+JD9px1lGb7ZbN5GTBdh +J6CgLkObSkwnU88vWxOhZDKd6dTyGYtmHg3rridM/0OMVv/hUXxTcRWKHo8S44OA +rFSNhjuarfh7IQRDpe16J9vWaStuK8uiyOmHl8IGmtDoVtlDo7yd0/b8lwCJd9R3 +4d81ruYLHguHxo6ahMyB+SjPXoqEj8dUcY4OR35wRI04H+HSq7s4kpqX4G5uhrtW 
+5dEk7GuqELyg9forQ4xDD/cSOXUtBX/Sak9KRKZLxNyp5h4xvSHi5wl3DjB4Of5J +P7e437J5PXQtw1mNHCwbMyp6R9cqETTwjRj11gbqFy1PjiKDgT6/iPvA+Vg4GcJH +k1Rhzq2PMLegZIqJ6+F3G2oRl0XF1J9j3XvSnXSTMlqEQd6VNFmAd1PGJMfok3kz +brPBIBt8/ltaSn71ekanzxpAVC4fHO6JzPszyqpdkRriTL7nYZ872J5+BWCC3eOr +QVvDNu+FZznHRuI8TqhdWr76w4oZMx56S/oV8bo9wVQx0urxjB851IcPWU8GyBu4 +Bqb9kpw8IzUY08AENKzal9KstCkCoG5a80B0sS7Et7a23TNZF2rBKOzza7yte+5d +PDeDg0WSexzJr35kArjUz7sgKODFfAlvTTgRPTTRIdBeQV69aUc3XvaJQFXwPobz +yvH/ie166GqJIRvOuQINBE9AVkUBEACr6qQSWRlg+AifZqLYSY64VQ4Bvj3SfVXl +MLlMWDeKFAnW49sg/DMu9t20m3m/L49UW51zyjnRlIN8j6NqmVtRKAs2C+FRpSTK +U6NSdsBweUOkQP6FGJRlb9o3cTxePBvQL/weulB/rzRhBqL4W3U4L3jUxYE0vCYs +D5Dq0/177BtazrOIBuRADABLQ7m9976jIfz9zNoix8j7CNtX0g+JB4E5kObVQ41N +LyZ8ei+t/q1MP1KxwD6e+icESlLNrO2rhXBssc6KScbdrPmCfR5bumFitEfxeIJI +s5XR/FKCgmQH4SRQJQ4MY/+B5OIRDH4zjbs8EP2kD+85hbKx8sjrQeafA1VYw+TN +FBJhCNqMkzl6WyZ2GX7ZP0xw19BS/RioOLVq3I3WSRpJGsguzE87xXDF91caaxQn +CL1LM2zqNstYDNYIAmCThVixeONFbFiPN7OsTG2lsSh79mX8+/2YAxj/9ACCxDcF +xXeWbByVdpuV2n24F3lLQBY1/Gpy8yskJLCOFEjGYVIHsEaD+FxR2x9WusWb+aeI +zHmOA8cwcLazJcneMvOTIrlgAz0yZphY+c6kx/opem0N+nKX+aEFbolnlsPXhGNC +AD5xffJOIUK+gGrPstf2WdqYfmWegd7ak1FG4j1WqHwHplOwgStPTO33IhhWXHLj +yRsf8AyumQARAQABiQIfBBgBCAAJBQJPQFZFAhsMAAoJEDZyeCqb82jzTUkP/3jv +hkMK0IGcuCVkfB3uIxsjLKl+lI2FDq/zUOo6Ko491q/8Ks2E4fGYmVrcxymnAThB +4STL0QaLJdIaRlJo0cMkcEsF0RKxu1aaLRRWk08hrdjI3aRLwzAdWxHAE3ESz75T +l26ZB1MvgWBSzyLtYJXYBz738ldIfvs5hzhDWMJTcbhf+Hnaoxt3fcDu8k0EdTIB +CRziOO7uq9npDxwMOTyPQvEMr4v8kIvn/Npu3ZQtadzkeSr+/ENCGNz1KatTV3Iy +lH6X8ANP8eiq4ODOrayjyKs0ZDtL3sn+jJhoz/AF/qBpSTnEtDUpPT3U0Noo4HHk +YQYiK8SI0OcxH9tSkgaeRcnFvlbJw2ackRpHuXNuGZ66zt2yDj7cZG6ssg9Yrrax +x3y+27MJXYnowOnRjCdCQZ5hKeOny73lyFZYDisCvqha138PRJtSwQAgnKEu0Bh/ +sSI0DtPZmsXC9iPg9AxBDqVfdxtsWqfA31JmR+MsN58cT1Ej4Li+cH9sPOFVOpSf +gylCgHUC2Lact8v5xrArHyrCBfmavDnclir84A5TuwGMLhm2Ui9yKn5fGgiF4P4U +U1zeTPb45Mf9NU5pKJXd5H0MsOU58DjaM5Af3dpH6c8wsyDkNeVDvUzLXghsUH80 +HQMSpfZtNLZ/57KoSi7YYYotWZX/mch2i4mqVEEp +=MGn/ +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/SPECS-EXTENDED/sratom/sratom-0.6.16.tar.xz.sig b/SPECS-EXTENDED/sratom/sratom-0.6.16.tar.xz.sig new file mode 100644 index 0000000000..0d960d8de0 Binary files /dev/null and b/SPECS-EXTENDED/sratom/sratom-0.6.16.tar.xz.sig differ diff --git a/SPECS-EXTENDED/sratom/sratom.signatures.json b/SPECS-EXTENDED/sratom/sratom.signatures.json index cac6c81f10..8abd8428dd 100644 --- a/SPECS-EXTENDED/sratom/sratom.signatures.json +++ b/SPECS-EXTENDED/sratom/sratom.signatures.json @@ -1,5 +1,7 @@ { "Signatures": { - "sratom-0.6.10.tar.bz2": "e5951c0d7f0618672628295536a271d61c55ef0dab33ba9fc5767ed4db0a634d" + "drobilla.gpg": "29c8ffc9ffee2982ad3c3355736ed043377c1f0f4ea4776df4b98a464692b70e", + "sratom-0.6.16.tar.xz": "71c157991183e53d0555393bb4271c75c9b5f5dab74a5ef22f208bb22de322c4", + "sratom-0.6.16.tar.xz.sig": "3a18320f6c217d9dd0d08bb97ea2e6781aa827237e9196c05df5af597ee5f15b" } } diff --git a/SPECS-EXTENDED/sratom/sratom.spec b/SPECS-EXTENDED/sratom/sratom.spec index 8bc650b297..62c1a4d28c 100755 --- a/SPECS-EXTENDED/sratom/sratom.spec +++ b/SPECS-EXTENDED/sratom/sratom.spec 
@@ -1,28 +1,32 @@ -%global maj 0 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} +%global maj 0 %bcond_with docs + Summary: A C library for serializing LV2 plugins Name: sratom -Version: 0.6.10 -Release: 3%{?dist} +Version: 0.6.16 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://drobilla.net/software/%{name}/ -Source0: https://download.drobilla.net/%{name}-%{version}.tar.bz2 +Source0: https://download.drobilla.net/%{name}-%{version}.tar.xz +Source1: https://download.drobilla.net/%{name}-%{version}.tar.xz.sig +Source2: https://drobilla.net/drobilla.gpg + BuildRequires: doxygen BuildRequires: gcc +BuildRequires: gnupg2 BuildRequires: graphviz -BuildRequires: lv2-devel >= 1.16.0 -BuildRequires: python3 -BuildRequires: sord-devel >= 0.14.0 +BuildRequires: sord-devel >= 0.16.16 +BuildRequires: serd-devel >= 0.30.10 +BuildRequires: meson +BuildRequires: lv2-devel >= 1.18.4 %if %{with docs} BuildRequires: python3-sphinx BuildRequires: python3-sphinx_lv2_theme %endif -%if %{with check} -BuildRequires: lcov -%endif +Requires: serd >= 0.30.10 %description %{name} is a new C library for serializing LV2 atoms to/from Turtle. It is @@ -34,6 +38,7 @@ control with network transparency. %package devel Summary: Development libraries and headers for %{name} Requires: %{name}%{_isa} = %{version}-%{release} +Requires: lv2-devel >= 1.18.4 %description devel %{name} is a C library for serializing LV2 atoms to/from Turtle. It is 
@@ -45,35 +50,28 @@ control with network transparency. This package contains the headers and development libraries for %{name}. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -# for packagers sake, build the tests with debug symbols -sed -i -e "s| '-ftest-coverage'\]|\ - '-ftest-coverage'\] + '%{optflags}'.split(' ')|" wscript - %build -%{set_build_flags} -%{python3} waf configure -v \ - --prefix=%{_prefix} \ - --libdir=%{_libdir} \ - --mandir=%{_mandir} \ - --datadir=%{_datadir} \ - --docdir=%{_pkgdocdir} \ %if %{with docs} - --docs \ +%meson +%meson_build %endif - --test -%{python3} waf build -v %{?_smp_mflags} + +%meson -Ddocs=disabled +%meson_build + %install -DESTDIR=%{buildroot} %{python3} waf install -chmod +x %{buildroot}%{_libdir}/lib%{name}-0.so.* +%meson_install + %if %{with docs} -install -pm 644 NEWS README.md %{buildroot}%{_pkgdocdir} +mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_pkgdocdir} %endif %check -%{python3} waf test -v +%meson_test %files %if %{with docs} @@ -93,6 +91,10 @@ install -pm 644 NEWS README.md %{buildroot}%{_pkgdocdir} %{_includedir}/%{name}-%{maj}/ %changelog +* Tue Feb 25 2025 Jyoti kanase - 0.6.16-1 +- Upgrade to 0.6.16. +- License verified. + * Thu Nov 24 2022 Sumedh Sharma - 0.6.10-3 - Initial CBL-Mariner import from Fedora 37 (license: MIT) - Make building 'docs' conditional, disabled by default diff --git a/SPECS-EXTENDED/tang/tang.signatures.json b/SPECS-EXTENDED/tang/tang.signatures.json index 694ba860ac..779829cdbd 100644 --- a/SPECS-EXTENDED/tang/tang.signatures.json +++ b/SPECS-EXTENDED/tang/tang.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "tang-14.tar.gz": "0b56702a8ac19ff320d7e13a49682efba32403933c84ab1dae0b26ddcc4e3fe5", + "tang-15.tar.xz": "eaf4a2abfea3d05f454a8841e98332be1e1e2432744c70bb7765651ed82c3f7c", "tang.sysusers": "df52060d0ee8eadd72154925ed7b7420d42f0f9b3281bae1e02caee9f900e8fd" } } 
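Review bot: In `%build`, the `%if %{with docs}` branch configures and builds once, and then `%meson -Ddocs=disabled` and `%meson_build` run unconditionally, so a docs-enabled build is reconfigured with docs turned off before `%install`. With `--with docs`, the later `mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_pkgdocdir}` would then presumably find nothing to move. Making the two configurations alternatives fixes this: keep `%if %{with docs}` and `%meson`, replace the first `%meson_build` and `%endif` with `%else`, and put `%endif` after `%meson -Ddocs=disabled`, leaving a single `%meson_build`.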
diff --git a/SPECS-EXTENDED/tang/tang.spec b/SPECS-EXTENDED/tang/tang.spec index 1c5e3697a3..e59633d50f 100644 --- a/SPECS-EXTENDED/tang/tang.spec +++ b/SPECS-EXTENDED/tang/tang.spec @@ -1,37 +1,41 @@ Summary: Network Presence Binding Daemon Name: tang -Version: 14 -Release: 1%{?dist} +Version: 15 +Release: 7%{?dist} License: GPL-3.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/latchset/%{name} -Source0: https://github.com/latchset/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz Source1: tang.sysusers + BuildRequires: asciidoc BuildRequires: coreutils BuildRequires: curl BuildRequires: gcc BuildRequires: git-core BuildRequires: grep -BuildRequires: http-parser-devel >= 2.7.1-3 BuildRequires: iproute BuildRequires: jose >= 8 BuildRequires: libjose-devel >= 8 BuildRequires: libjose-openssl-devel >= 8 BuildRequires: libjose-zlib-devel >= 8 BuildRequires: meson +BuildRequires: llhttp-devel BuildRequires: pkgconfig BuildRequires: sed BuildRequires: socat BuildRequires: systemd BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros + +%{?systemd_ordering} Requires: coreutils -Requires: grep Requires: jose >= 8 +Requires: llhttp +Requires: grep Requires: sed Requires(pre): shadow-utils -%{?systemd_requires} %description Tang is a small daemon for binding data to the presence of a third party. 
@@ -46,22 +50,32 @@ Tang is a small daemon for binding data to the presence of a third party. %install %meson_install install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tang.conf -echo "User=%{name}" >> %{buildroot}/%{_unitdir}/%{name}d@.service -mkdir -p %{buildroot}/%{_localstatedir}/db/%{name} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_localstatedir}/db/%{name} %check %meson_test %pre -getent group %{name} >/dev/null || groupadd -r %{name} -getent passwd %{name} >/dev/null || \ - useradd -r -g %{name} -d %{_localstatedir}/cache/%{name} -s %{_sbindir}/nologin \ - -c "Tang Network Presence Daemon user" %{name} +%sysusers_create_compat %{SOURCE1} exit 0 %post %systemd_post %{name}d.socket +# Let's make sure any existing keys are readable only +# by the owner/group. +if [ -d /var/db/tang ]; then + for k in /var/db/tang/*.jwk; do + test -e "${k}" || continue + chmod 0440 -- "${k}" + done + for k in /var/db/tang/.*.jwk; do + test -e "${k}" || continue + chmod 0440 -- "${k}" + done + chown tang:tang -R /var/db/tang +fi + %preun %systemd_preun %{name}d.socket 
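Review bot: The new `%post` loop runs `chmod 0440 -- "${k}"` as root on every name matching `/var/db/tang/*.jwk`, guarded only by `test -e`, and both `test -e` and `chmod` follow symbolic links. Since the same scriptlet hands the directory to the `tang` account with `chown tang:tang -R`, the loop should only touch regular files, e.g. `test -f "${k}" && ! test -L "${k}" || continue`. The path is also hard-coded although `%install` creates `%{_localstatedir}/db/%{name}`; using the macro in the scriptlet keeps the two in step. Separately, this hunk removes the line that appended `User=%{name}` to `%{name}d@.service`, so it is worth confirming that the unit shipped by the new upstream release already sets the service user.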
@@ -83,73 +97,13 @@ exit 0 %{_sysusersdir}/tang.conf %changelog -* Tue Sep 05 2023 Muhammad Falak R Wani - 14-1 -- Upgrade version to address CVE-2023-1672 -- Lint spec +* Wed May 14 2025 Archana Shettigar - 15-7 +- Initial Azure Linux import from Fedora 41 (license: MIT). - License verified -* Fri Apr 30 2021 Pawel Winogrodzki - 7-7 -- Initial CBL-Mariner import from Fedora 32 (license: MIT). -- Making binaries paths compatible with CBL-Mariner's paths. - -* Tue Dec 1 2020 Sergio Correia - 7-6 -- Move build system to meson - Upstream commits (fed9020, 590de27) -- Move key handling to tang itself - Upstream commits (6090505, c71df1d, 7119454) - -* Tue Feb 25 2020 Sergio Correia - 7-5 -- Rebuilt after http-parser update - -* Fri Jan 31 2020 Fedora Release Engineering - 7-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Sat Jul 27 2019 Fedora Release Engineering - 7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 7-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Aug 10 2018 Nathaniel McCallum - 7-1 -- New upstream release -- Retire tang-nagios package (now separate upstream) - -* Sat Jul 14 2018 Fedora Release Engineering - 6-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Feb 09 2018 Fedora Release Engineering - 6-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Thu Aug 03 2017 Fedora Release Engineering - 6-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Jun 14 2017 Nathaniel McCallum - 6-1 -- New upstream release - -* Wed Jun 14 2017 Nathaniel McCallum - 5-2 -- Fix incorrect dependencies - -* Wed Jun 14 2017 Nathaniel McCallum - 5-1 -- New upstream release - -* Sat Feb 11 2017 Fedora Release Engineering - 4-3 -- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Mon Nov 14 2016 Nathaniel McCallum - 4-2 -- Fix a race condition in one of the tests - -* Thu Nov 10 2016 Nathaniel McCallum - 4-1 -- New upstream release -- Add nagios subpackage - -* Wed Oct 26 2016 Nathaniel McCallum - 3-1 -- New upstream release - -* Wed Oct 19 2016 Nathaniel McCallum - 2-1 -- New upstream release +* Sat Jul 20 2024 Fedora Release Engineering - 15-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild -* Tue Aug 23 2016 Nathaniel McCallum - 1-1 -- First release +* Thu May 09 2024 Sergio Correia - 15-5 +- RPMAUTOSPEC: unresolvable merge +## END: Generated by rpmautospec diff --git a/SPECS-EXTENDED/tardev-snapshotter/regenerate-archives.sh b/SPECS-EXTENDED/tardev-snapshotter/regenerate-archives.sh new file mode 100755 index 0000000000..9d8960cc64 --- /dev/null +++ b/SPECS-EXTENDED/tardev-snapshotter/regenerate-archives.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -euox pipefail
+
+NAME=tardev-snapshotter
+VERSION=3.2.0.tardev1
+
+SOURCE_DIR=$(pwd)
+WORK_DIR=$(mktemp -d)
+pushd $WORK_DIR
+
+trap "popd && rm -rf $WORK_DIR" EXIT
+
+git clone -b "3.2.0.tardev1" https://github.com/microsoft/kata-containers
+pushd kata-containers
+cp LICENSE src/tardev-snapshotter
+mv src/tardev-snapshotter $NAME-$VERSION
+tar -czf $NAME-$VERSION.tar.gz $NAME-$VERSION
+mv $NAME-$VERSION.tar.gz $WORK_DIR
+popd
+
+wget https://raw.githubusercontent.com/microsoft/azurelinux/3.0/toolkit/scripts/build_cargo_cache.sh
+chmod +x ./build_cargo_cache.sh
+./build_cargo_cache.sh $NAME-$VERSION.tar.gz $NAME-$VERSION
+
+mv $NAME-$VERSION.tar.gz $SOURCE_DIR/
+mv $NAME-$VERSION-cargo.tar.gz $SOURCE_DIR/
+
+function update-signature {
+ local FILE=$1
+
+ jq ".Signatures.\"$FILE\" = \"$(sha256sum $FILE | cut -d ' ' -f 1)\"" $NAME.signatures.json > $NAME.signatures.json.tmp
+ mv $NAME.signatures.json.tmp $NAME.signatures.json
+}
+
+# Update the signatures json with the new sha256 hashes
+pushd $SOURCE_DIR
+update-signature $NAME-$VERSION.tar.gz
+update-signature $NAME-$VERSION-cargo.tar.gz
+popd
diff --git a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.signatures.json b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.signatures.json
new file mode 100644
index 0000000000..6e8f6fd928
--- /dev/null
+++ b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "tardev-snapshotter-3.2.0.tardev1.tar.gz": "eadeca3704dc668576e673322ad4ab7cd623f0557691e62d5afb5ec85b648278",
+ "tardev-snapshotter-3.2.0.tardev1-cargo.tar.gz": "67df489758a17f77cd7e9113e67ab5db16843d8a8db9d4660bfb1c8646c41a13"
+ }
+}
diff --git a/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec
new file mode 100644
index 0000000000..06d2121342
--- /dev/null
+++ b/SPECS-EXTENDED/tardev-snapshotter/tardev-snapshotter.spec
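Review bot: The `wget https://raw.githubusercontent.com/microsoft/azurelinux/3.0/toolkit/scripts/build_cargo_cache.sh` step in regenerate-archives.sh fetches a helper from the moving `3.0` branch and runs it with no integrity check, so the contents of the cargo cache, and the sha256 that `update-signature` then writes into the signatures file, depend on whatever that ref serves at run time. Pin the URL to a commit (`.../azurelinux/<commit-sha>/toolkit/scripts/build_cargo_cache.sh`) and compare the download against a recorded sha256 before `chmod +x`, or, if the script is always run from a checkout of this repository, call the in-tree copy instead of downloading one. The `git clone -b "3.2.0.tardev1"` line has a related weakness: a tag can be re-pointed, so logging the resolved commit with `git -C kata-containers rev-parse HEAD` would make the archive traceable, and the literal should be `"$VERSION"` so the two cannot drift. Quoting `$WORK_DIR` and `$SOURCE_DIR` throughout (and single-quoting the `trap` body) would also keep the `rm -rf` safe if a path ever contains whitespace.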
@@ -0,0 +1,82 @@
+%global debug_package %{nil}
+
+Summary: Tardev Snapshotter for containerd
+Name: tardev-snapshotter
+Version: 3.2.0.tardev1
+Release: 3%{?dist}
+License: ASL 2.0
+Group: Tools/Container
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+
+Source0:https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# Note: the %%{name}-%%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
+# To update the cache run regenerate-archives.sh
+Source1: %{_distro_sources_url}/%{name}-%{version}-cargo.tar.gz
+
+%{?systemd_requires}
+
+BuildRequires: clang-devel
+BuildRequires: cmake
+BuildRequires: device-mapper-devel
+BuildRequires: git
+BuildRequires: make
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig(libudev)
+BuildRequires: protobuf-compiler
+BuildRequires: rust
+
+%description
+tardev-snapshotter is a snapshotter for containerd that uses tar archives to store snapshots.
+
+%prep
+# Setup .cargo directory
+mkdir -p $HOME
+pushd $HOME
+tar xf %{SOURCE1} --no-same-owner
+popd
+
+%autosetup -p1
+
+%build
+export CARGO_NET_OFFLINE=true
+make
+
+%install
+mkdir -p %{buildroot}/%{_unitdir}
+install -D -p -m 0644 %{name}.service %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name}
+
+%post
+%systemd_post %{name}.service
+
+if [ $1 -eq 1 ]; then # Package install
+ systemctl enable %{name}.service > /dev/null 2>&1 || :
+ systemctl start %{name}.service > /dev/null 2>&1 || :
+fi
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%license LICENSE
+%{_bindir}/%{name}
+%config(noreplace) %{_unitdir}/%{name}.service
+
+%changelog
+* Mon Jul 21 2025 Jyoti Kanase - 3.2.0.tardev1-3
+- Bump release to rebuild with rust
+
+* Fri Jun 13 2025 Kavya Sree Kaitepalli - 3.2.0.tardev1-2
+- Bump release to rebuild with rust
+
+* Fri Mar 28 2025 Dallas Delaney - 3.2.0.tardev1-1
+- Add package to specs-extended
+- License verified
+- Original version for Azure Linux
+
+* Tue Dec 31 2024 Jiri Appl - 0.0.13-1
+- Initial version
diff --git a/SPECS-EXTENDED/usbguard/usbguard-0.7.6-libqb.patch b/SPECS-EXTENDED/usbguard/usbguard-0.7.6-libqb.patch
deleted file mode 100644
index 44b5f8da67..0000000000
--- a/SPECS-EXTENDED/usbguard/usbguard-0.7.6-libqb.patch
+++ /dev/null
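Review bot: The `%post` scriptlet of tardev-snapshotter.spec runs `systemctl enable %{name}.service` and `systemctl start %{name}.service` on first install and discards any failure with `> /dev/null 2>&1 || :`, directly after `%systemd_post`, which already applies the distribution preset. Installing the package therefore switches a daemon on as a side effect, overrides whatever the preset policy says, and leaves the administrator with no signal if the start fails. I would drop the `if [ $1 -eq 1 ]` block and, if the service really has to be on by default, ship a preset entry for it instead. Separately, `%config(noreplace) %{_unitdir}/%{name}.service` marks a vendor unit as configuration, so a locally edited copy would survive upgrades and miss later changes to the unit; list it as plain `%{_unitdir}/%{name}.service` and leave local overrides to drop-ins under `/etc/systemd/system`.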
@@ -1,118 +0,0 @@ -diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.cpp ---- usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig 2019-11-25 12:11:49.632373175 +0100 -+++ usbguard-0.7.6/src/Library/IPCServerPrivate.cpp 2019-11-25 12:12:42.361781652 +0100 -@@ -242,6 +242,22 @@ namespace usbguard - return stats->client_pid; - } - -+ void IPCServerPrivate::qbIPCConnectionAuthSet(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid) -+ { -+ try { -+ std::string path = conn->description; -+ size_t last_slash = path.find_last_of("/"); -+ path = path.substr(0, last_slash); -+ chown(path.c_str(), uid, gid); -+ } -+ catch (const std::exception& exception) { -+ USBGUARD_LOG(Error) << "IPC connection chmod error. Exception: " << exception.what(); -+ } -+ catch (...) { -+ USBGUARD_LOG(Error) << "IPC connection error. Could not change mode bits."; -+ } -+ } -+ - int32_t IPCServerPrivate::qbIPCConnectionAcceptFn(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid) - { - try { -@@ -259,6 +275,7 @@ namespace usbguard - << " gid=" << 0 - << " mode=0660"; - qb_ipcs_connection_auth_set(conn, uid, 0, 0660); -+ qbIPCConnectionAuthSet(conn, uid, 0); - return 0; - } - else { -diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.hpp ---- usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig 2019-11-25 12:11:27.723203531 +0100 -+++ usbguard-0.7.6/src/Library/IPCServerPrivate.hpp 2019-11-25 12:13:04.635954202 +0100 -@@ -39,6 +39,71 @@ - #include - #include - -+ -+/*libqb header starts*/ -+ #define CONNECTION_DESCRIPTION NAME_MAX -+ -+ enum qb_ipcs_connection_state { -+ QB_IPCS_CONNECTION_INACTIVE, -+ QB_IPCS_CONNECTION_ACTIVE, -+ QB_IPCS_CONNECTION_ESTABLISHED, -+ QB_IPCS_CONNECTION_SHUTTING_DOWN, -+ }; -+ -+ struct qb_ipcs_connection_auth { -+ uid_t uid; -+ gid_t gid; -+ mode_t mode; -+ }; -+ -+ struct qb_ringbuffer_s; -+ typedef struct qb_ringbuffer_s qb_ringbuffer_t; -+ -+ struct 
qb_ipc_one_way { -+ size_t max_msg_size; -+ enum qb_ipc_type type; -+ union { -+ struct { -+ int32_t sock; -+ char *sock_name; -+ void* shared_data; -+ char shared_file_name[NAME_MAX]; -+ } us; -+ struct { -+ qb_ringbuffer_t *rb; -+ } shm; -+ } u; -+ }; -+ -+ struct qb_list_head { -+ struct qb_list_head *next; -+ struct qb_list_head *prev; -+ }; -+ -+ -+ struct qb_ipcs_connection { -+ enum qb_ipcs_connection_state state; -+ int32_t refcount; -+ pid_t pid; -+ uid_t euid; -+ gid_t egid; -+ struct qb_ipcs_connection_auth auth; -+ struct qb_ipc_one_way setup; -+ struct qb_ipc_one_way request; -+ struct qb_ipc_one_way response; -+ struct qb_ipc_one_way event; -+ struct qb_ipcs_service *service; -+ struct qb_list_head list; -+ struct qb_ipc_request_header *receive_buf; -+ void *context; -+ int32_t fc_enabled; -+ int32_t poll_events; -+ int32_t outstanding_notifiers; -+ char description[CONNECTION_DESCRIPTION]; -+ struct qb_ipcs_connection_stats_2 stats; -+ }; -+/*libqb header ends*/ -+ - namespace usbguard - { - class IPCServerPrivate -@@ -107,6 +172,8 @@ namespace usbguard - bool qbIPCConnectionAllowed(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const; - bool authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr = nullptr) const; - -+ static void qbIPCConnectionAuthSet(qb_ipcs_connection_t* connection, uid_t uid, gid_t gid); -+ - bool matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const; - bool matchACLByGID(gid_t gid, IPCServer::AccessControl* const ac_ptr) const; - bool matchACLByName(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const; diff --git a/SPECS-EXTENDED/usbguard/usbguard-revert-catch.patch b/SPECS-EXTENDED/usbguard/usbguard-revert-catch.patch new file mode 100644 index 0000000000..d75cb85bb0 --- /dev/null +++ b/SPECS-EXTENDED/usbguard/usbguard-revert-catch.patch 
@@ -0,0 +1,17 @@ +diff -up ./configure.ac.fix ./configure.ac +--- ./configure.ac.fix 2022-03-03 15:05:03.357194713 +0100 ++++ ./configure.ac 2022-03-03 15:06:02.849787794 +0100 +@@ -394,11 +394,11 @@ if test "x$with_bundled_catch" = xyes; t + catch_summary="bundled; $catch_CFLAGS $catch_LIBS" + else + SAVE_CPPFLAGS=$CPPFLAGS +- CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch2" ++ CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch" + AC_LANG_PUSH([C++]) + AC_CHECK_HEADER([catch.hpp], [], [AC_MSG_FAILURE(catch.hpp not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)]) + AC_LANG_POP +- catch_CFLAGS="-I/usr/include/catch2" ++ catch_CFLAGS="-I/usr/include/catch" + catch_LIBS="" + CPPFLAGS=$SAVE_CPPFLAGS + catch_summary="system-wide; $catch_CFLAGS $catch_LIBS" diff --git a/SPECS-EXTENDED/usbguard/usbguard.signatures.json b/SPECS-EXTENDED/usbguard/usbguard.signatures.json index 7d37adb016..a3c88f6985 100644 --- a/SPECS-EXTENDED/usbguard/usbguard.signatures.json +++ b/SPECS-EXTENDED/usbguard/usbguard.signatures.json @@ -1,6 +1,6 @@ { - "Signatures": { - "usbguard-daemon.conf": "5909f3c6f04defae3d7b680c23d3526728b74bd11ff31129b025c6a5ff462407", - "usbguard-1.1.0.tar.gz": "a39104042b0c57f969c4e6580f6d80ad7066551eda966600695e644081128a2d" - } -} + "Signatures": { + "usbguard-1.1.3.tar.gz": "707dad2938923202697f636c2b4e0be80f192242039a2af3fc7ac35d03f78551", + "usbguard-daemon.conf": "5909f3c6f04defae3d7b680c23d3526728b74bd11ff31129b025c6a5ff462407" + } +} \ No newline at end of file diff --git a/SPECS-EXTENDED/usbguard/usbguard.spec b/SPECS-EXTENDED/usbguard/usbguard.spec index 357958713e..9f33a0624e 100644 --- a/SPECS-EXTENDED/usbguard/usbguard.spec +++ b/SPECS-EXTENDED/usbguard/usbguard.spec 
@@ -1,60 +1,44 @@ -%bcond_with selinux -%bcond_with systemd Vendor: Microsoft Corporation Distribution: Azure Linux -%if %{with selinux} -%global selinuxtype targeted -%endif - -%global moduletype contrib -%define semodule_version 0.0.4 - Name: usbguard -Version: 1.1.0 +Version: 1.1.3 Release: 1%{?dist} Summary: A tool for implementing USB device usage policy -License: GPLv2+ +License: GPL-2.0-or-later ## Not installed # src/ThirdParty/Catch: Boost Software License - Version 1.0 URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -%if %{with selinux} -Source1: https://github.com/USBGuard/usbguard/releases/download/%{name}-selinux-%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz -%endif -Source2: usbguard-daemon.conf - -%if %{with systemd} -Requires: systemd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -%endif +Source1: usbguard-daemon.conf +Patch0: usbguard-revert-catch.patch + Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig -%if %{with selinux} -Recommends: %{name}-selinux -%endif + Obsoletes: %{name}-applet-qt < 0.7.6 +BuildRequires: make BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libqb-devel BuildRequires: libgcrypt-devel BuildRequires: libstdc++-devel BuildRequires: protobuf-devel +BuildRequires: protobuf-static +BuildRequires: protobuf-compiler BuildRequires: PEGTL-static -BuildRequires: catch-devel -BuildRequires: autoconf automake libtool +BuildRequires: catch1-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRequires: bash-completion BuildRequires: asciidoc BuildRequires: audit-libs-devel # For `pkg-config systemd` only BuildRequires: systemd -Patch1: usbguard-0.7.6-libqb.patch - %description The USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on 
@@ -97,36 +81,13 @@ Requires: polkit The %{name}-dbus package contains an optional component that provides a D-Bus interface to the USBGuard daemon component. -%if %{with selinux} -%package selinux -Summary: USBGuard selinux -Group: Applications/System -Requires: %{name} = %{version}-%{release} -BuildRequires: selinux-policy -BuildRequires: selinux-policy-devel -BuildArch: noarch -%{?selinux_requires} - -%description selinux -The %{name}-selinux package contains selinux policy for the USBGuard -daemon. -%endif - # usbguard %prep -%setup -q - -%if %{with selinux} -# selinux -%setup -q -D -T -a 1 -%endif - -%patch 1 -p1 -b .libqb +%autosetup -p1 # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} - %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ 
@@ -134,69 +95,33 @@ autoreconf -i -v --no-recursive ./ --disable-silent-rules \ --without-bundled-catch \ --without-bundled-pegtl \ -%if %{with systemd} --enable-systemd \ -%else - --disable-systemd \ -%endif --with-dbus \ --with-polkit \ --with-crypto-library=gcrypt make %{?_smp_mflags} -%if %{with selinux} -# selinux -pushd %{name}-selinux-%{semodule_version} -make -popd -%endif - %check make check - -%if %{with selinux} -# selinux -%pre selinux -%selinux_relabel_pre -s %{selinuxtype} -%endif - %install make install INSTALL='install -p' DESTDIR=%{buildroot} # Overwrite configuration with distribution defaults mkdir -p %{buildroot}%{_sysconfdir}/usbguard +mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d -install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf - -%if %{with selinux} -# selinux -install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} -install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} -install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} -install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if -%endif +install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf # Cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' -%if %{with systemd} -%preun -%systemd_preun usbguard.service -%endif - %post %{?ldconfig} -%if %{with systemd} -%systemd_post usbguard.service -%endif %postun %{?ldconfig} -%if %{with systemd} -%systemd_postun usbguard.service -%endif %files %doc README.adoc CHANGELOG.md 
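Review bot: With this hunk usbguard.spec always configures `--enable-systemd`, and the `%files` hunks that follow always ship `%{_unitdir}/usbguard.service`, but `%post` and `%postun` are reduced to `%{?ldconfig}` and the `%preun` scriptlet is removed, so as far as the visible hunks show nothing applies the preset, stops the unit on removal or restarts it on upgrade. An already-running daemon would then keep executing the old binary after an update until someone restarts it by hand, which matters for a package whose upgrades carry security fixes. Restore the scriptlets unconditionally, `%systemd_post usbguard.service`, `%systemd_preun usbguard.service` and `%systemd_postun_with_restart usbguard.service`, together with `%{?systemd_requires}` in the preamble. The later hunk that deletes the `%preun dbus`/`%post dbus`/`%postun dbus` block leaves the same gap for `usbguard-dbus.service`.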
@@ -206,6 +131,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_bindir}/usbguard %dir %{_localstatedir}/log/usbguard %dir %{_sysconfdir}/usbguard +%dir %{_sysconfdir}/usbguard/rules.d/ %dir %{_sysconfdir}/usbguard/IPCAccessControl.d %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf @@ -214,9 +140,8 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_datadir}/man/man5/usbguard-rules.conf.5.gz %{_datadir}/man/man1/usbguard.1.gz %{_datadir}/bash-completion/completions/usbguard -%if %{with systemd} %{_unitdir}/usbguard.service -%endif +%{_unitdir}/usbguard-dbus.service %files devel %{_includedir}/* 
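Review bot: `%{_unitdir}/usbguard-dbus.service` is now listed in the main package's `%files` (second hunk here), while the D-Bus policy, the polkit action and the `usbguard-dbus.8` man page stay in what appears to be the `%files dbus` section of the following hunk. If the `usbguard-dbus` executable is packaged there too, the base package installs a unit whose binary may be absent, and the bridge's unit no longer travels with the component it starts. Move the line back under `%files dbus` so the unit is only present when the subpackage is installed. The `%files` sections begin and end outside these hunks, so this should be confirmed against the full spec.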
@@ -233,40 +158,12 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_datadir}/dbus-1/system.d/org.usbguard1.conf %{_datadir}/polkit-1/actions/org.usbguard1.policy %{_mandir}/man8/usbguard-dbus.8.gz -%if %{with systemd} -%{_unitdir}/usbguard-dbus.service -%endif - -%if %{with systemd} -%preun dbus -%systemd_preun usbguard-dbus.service - -%post dbus -%systemd_post usbguard-dbus.service - -%postun dbus -%systemd_postun_with_restart usbguard-dbus.service -%endif - -%if %{with selinux} -%files selinux -%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} -%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if - -%post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 - -%postun selinux -if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{name} -fi - -%posttrans selinux -%selinux_relabel_post -s %{selinuxtype} -%endif %changelog +* Tue Apr 08 2025 Akhila Guruju - 1.1.3-1 +- Upgrade to 1.1.3 by taking reference from Fedora 41 (license: MIT). +- License verified. + * Tue Sep 05 2023 Archana Choudhary - 1.1.0-1 - Upgrade to 1.1.0 - CVE-2019-25058 - Update build requirement catch1 -> catch diff --git a/SPECS-EXTENDED/wireshark/wireshark-0002-Customize-permission-denied-error.patch b/SPECS-EXTENDED/wireshark/wireshark-0002-Customize-permission-denied-error.patch deleted file mode 100644 index 0b07ae05dc..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0002-Customize-permission-denied-error.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From: Jan Safranek -Date: Fri, 26 Nov 2010 14:30:45 +0300 -Subject: [PATCH] Customize 'permission denied' error. - -Add Fedora-specific message to error output when dumpcap cannot be started -because of permissions. - -Signed-off-by: Jan Safranek - -diff --git a/capture/capture_sync.c b/capture/capture_sync.c -index 47a30a70c4..84d19568b0 100644 ---- a/capture/capture_sync.c -+++ b/capture/capture_sync.c -@@ -336,6 +336,7 @@ sync_pipe_start(capture_options *capture_opts, GPtrArray *capture_comments, - gchar *signal_pipe_name; - #else - char errmsg[1024+1]; -+ const char *securitymsg = ""; - int sync_pipe[2]; /* pipe used to send messages from child to parent */ - enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */ - #endif -@@ -741,8 +742,10 @@ sync_pipe_start(capture_options *capture_opts, GPtrArray *capture_comments, - dup2(sync_pipe[PIPE_WRITE], 2); - ws_close(sync_pipe[PIPE_READ]); - execv(argv[0], argv); -- snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s", -- argv[0], g_strerror(errno)); -+ if (errno == EPERM || errno == EACCES) -+ securitymsg = "\nAre you a member of the 'wireshark' group? 
Try running\n'usermod -a -G wireshark _your_username_' as root."; -+ snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s%s", -+ argv[0], g_strerror(errno), securitymsg); - sync_pipe_errmsg_to_parent(2, errmsg, ""); - - /* Exit with "_exit()", so that we don't close the connection -@@ -846,6 +849,7 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd, - int i; - #else - char errmsg[1024+1]; -+ const char *securitymsg = ""; - int sync_pipe[2]; /* pipe used to send messages from child to parent */ - int data_pipe[2]; /* pipe used to send data from child to parent */ - #endif -@@ -994,8 +998,10 @@ sync_pipe_open_command(char* const argv[], int *data_read_fd, - ws_close(sync_pipe[PIPE_READ]); - ws_close(sync_pipe[PIPE_WRITE]); - execv(argv[0], argv); -- snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s", -- argv[0], g_strerror(errno)); -+ if (errno == EPERM || errno == EACCES) -+ securitymsg = "\nAre you a member of the 'wireshark' group? Try running\n'usermod -a -G wireshark _your_username_' as root."; -+ snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s%s", -+ argv[0], g_strerror(errno), securitymsg); - sync_pipe_errmsg_to_parent(2, errmsg, ""); - - /* Exit with "_exit()", so that we don't close the connection diff --git a/SPECS-EXTENDED/wireshark/wireshark-0003-fix-string-overrun-in-plugins-profinet.patch b/SPECS-EXTENDED/wireshark/wireshark-0003-fix-string-overrun-in-plugins-profinet.patch deleted file mode 100644 index b71f99c73c..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0003-fix-string-overrun-in-plugins-profinet.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -From: Peter Hatina -Date: Wed, 4 Sep 2013 10:03:57 +0200 -Subject: [PATCH] fix string overrun in plugins/profinet - - -diff --git a/plugins/epan/profinet/packet-dcom-cba.c b/plugins/epan/profinet/packet-dcom-cba.c -index 52c5017e1f..fb980269db 100644 ---- a/plugins/epan/profinet/packet-dcom-cba.c -+++ b/plugins/epan/profinet/packet-dcom-cba.c -@@ -543,7 +543,7 @@ dissect_ICBAPhysicalDevice_get_LogicalDevice_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep) - { - guint32 u32Pointer; -- gchar szStr[1000]; -+ gchar szStr[1000] = ""; - guint32 u32MaxStr = sizeof(szStr); - gchar *call; - diff --git a/SPECS-EXTENDED/wireshark/wireshark-0004-Restore-Fedora-specific-groups.patch b/SPECS-EXTENDED/wireshark/wireshark-0004-Restore-Fedora-specific-groups.patch deleted file mode 100644 index 53e62dca57..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0004-Restore-Fedora-specific-groups.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -From: Peter Lemenkov -Date: Fri, 13 Sep 2013 14:36:55 +0400 -Subject: [PATCH] Restore Fedora-specific groups - -Signed-off-by: Peter Lemenkov -diff --git a/resources/freedesktop/org.wireshark.Wireshark.desktop b/resources/freedesktop/org.wireshark.Wireshark.desktop -index a880a50a33..a25d67d99b 100644 ---- a/resources/freedesktop/org.wireshark.Wireshark.desktop -+++ b/resources/freedesktop/org.wireshark.Wireshark.desktop -@@ -108,4 +108,4 @@ Terminal=false - MimeType=application/vnd.tcpdump.pcap;application/x-pcapng;application/x-snoop;application/x-iptrace;application/x-lanalyzer;application/x-nettl;application/x-radcom;application/x-etherpeek;application/x-visualnetworks;application/x-netinstobserver;application/x-5view;application/x-tektronix-rf5;application/x-micropross-mplog;application/x-apple-packetlogger;application/x-endace-erf;application/ipfix;application/x-ixia-vwr; - # Category entry according to: - # https://specifications.freedesktop.org/menu-spec/1.0/ --Categories=Network;Monitor;Qt; -+Categories=Application;Network;Monitor;Qt; diff --git a/SPECS-EXTENDED/wireshark/wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch b/SPECS-EXTENDED/wireshark/wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch deleted file mode 100644 index 325afe297d..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -From: Kenneth Soerensen -Date: Wed, 29 Jan 2014 16:04:12 +0400 -Subject: [PATCH] Fix paths in a org.wireshark.Wireshark.desktop file - - -diff --git a/resources/freedesktop/org.wireshark.Wireshark.desktop b/resources/freedesktop/org.wireshark.Wireshark.desktop -index a880a50a33..54b3595d55 100644 ---- a/resources/freedesktop/org.wireshark.Wireshark.desktop -+++ b/resources/freedesktop/org.wireshark.Wireshark.desktop -@@ -102,8 +102,8 @@ Comment[tr]=Ağ trafiği çözümleyicisi - Comment[vi]=Trình phân tích giao thông mạng - Comment[uk]=Аналізатор мережевого трафіку - Icon=org.wireshark.Wireshark --TryExec=wireshark --Exec=wireshark %f -+TryExec=/usr/bin/wireshark -+Exec=/usr/bin/wireshark %f - Terminal=false - MimeType=application/vnd.tcpdump.pcap;application/x-pcapng;application/x-snoop;application/x-iptrace;application/x-lanalyzer;application/x-nettl;application/x-radcom;application/x-etherpeek;application/x-visualnetworks;application/x-netinstobserver;application/x-5view;application/x-tektronix-rf5;application/x-micropross-mplog;application/x-apple-packetlogger;application/x-endace-erf;application/ipfix;application/x-ixia-vwr; - # Category entry according to: diff --git a/SPECS-EXTENDED/wireshark/wireshark-0006-Move-tmp-to-var-tmp.patch b/SPECS-EXTENDED/wireshark/wireshark-0006-Move-tmp-to-var-tmp.patch deleted file mode 100644 index 2c1ab0d32b..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0006-Move-tmp-to-var-tmp.patch +++ /dev/null 
@@ -1,271 +0,0 @@ -From cb54210f7f02b07768cfbf49ae266d487f580e1b Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 29 Jun 2017 15:32:58 +0200 -Subject: [PATCH] Move /tmp to /var/tmp - -Fedora is using tmpfs which is limited by the size of RAM, thus we need -to use different directory on different filesystem. - ---- - ui/qt/about_dialog.cpp | 3 +- - ui/qt/iax2_analysis_dialog.cpp | 5 ++- - ui/qt/utils/rtp_audio_file.cpp | 3 +- - wsutil/tempfile.c | 18 +++++++- - wsutil/tempfile.h | 2 +- - wsutil/wstmpdir.c | 71 ++++++++++++++++++++++++++++++++++ - wsutil/wstmpdir.h | 39 +++++++++++++++++++ - 7 files changed, 134 insertions(+), 7 deletions(-) - create mode 100644 wsutil/wstmpdir.c - create mode 100644 wsutil/wstmpdir.h - -diff --git a/ui/qt/about_dialog.cpp b/ui/qt/about_dialog.cpp -index 752b669ac4..42c2be0fca 100644 ---- a/ui/qt/about_dialog.cpp -+++ b/ui/qt/about_dialog.cpp -@@ -14,6 +14,7 @@ - - #include "main_application.h" - #include -+#include /* for get_tmp_dir() */ - - #include - #include -@@ -185,7 +186,7 @@ FolderListModel::FolderListModel(QObject * parent): - appendRow(QStringList() << tr("\"File\" dialogs") << get_last_open_dir() << tr("capture files")); - - /* temp */ -- appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? global_capture_opts.temp_dir : g_get_tmp_dir()) << tr("untitled capture files")); -+ appendRow(QStringList() << tr("Temp") << (global_capture_opts.temp_dir && global_capture_opts.temp_dir[0] ? 
global_capture_opts.temp_dir : get_tmp_dir()) << tr("untitled capture files")); - - /* pers conf */ - appendRow(QStringList() << tr("Personal configuration") -diff --git a/ui/qt/iax2_analysis_dialog.cpp b/ui/qt/iax2_analysis_dialog.cpp -index 07b9b42e01..fb09de989b 100644 ---- a/ui/qt/iax2_analysis_dialog.cpp -+++ b/ui/qt/iax2_analysis_dialog.cpp -@@ -25,6 +25,7 @@ - #include "ui/rtp_stream.h" - #endif - #include -+#include /* for get_tmp_dir() */ - - #include - #include -@@ -255,10 +256,10 @@ Iax2AnalysisDialog::Iax2AnalysisDialog(QWidget &parent, CaptureFile &cf) : - - // We keep our temp files open for the lifetime of the dialog. The GTK+ - // UI opens and closes at various points. -- QString tempname = QString("%1/wireshark_iax2_f").arg(QDir::tempPath()); -+ QString tempname = QString("%1/wireshark_iax2_f").arg(get_tmp_dir()); - fwd_tempfile_ = new QTemporaryFile(tempname, this); - fwd_tempfile_->open(); -- tempname = QString("%1/wireshark_iax2_r").arg(QDir::tempPath()); -+ tempname = QString("%1/wireshark_iax2_r").arg(get_tmp_dir()); - rev_tempfile_ = new QTemporaryFile(tempname, this); - rev_tempfile_->open(); - -diff --git a/ui/qt/utils/rtp_audio_file.cpp b/ui/qt/utils/rtp_audio_file.cpp -index 591a63bbf3..203f5c5286 100644 ---- a/ui/qt/utils/rtp_audio_file.cpp -+++ b/ui/qt/utils/rtp_audio_file.cpp -@@ -31,6 +31,7 @@ - - #include "rtp_audio_file.h" - #include -+#include /* for get_tmp_dir() */ - - RtpAudioFile::RtpAudioFile(bool use_disk_for_temp, bool use_disk_for_frames): - real_pos_(0) -@@ -45,7 +46,7 @@ RtpAudioFile::RtpAudioFile(bool use_disk_for_temp, bool use_disk_for_frames): - - tempname = "memory"; - if (use_disk_for_temp) { -- tempname = QString("%1/wireshark_rtp_stream").arg(QDir::tempPath()); -+ tempname = QString("%1/wireshark_rtp_stream").arg(get_tmp_dir()); - sample_file_ = new QTemporaryFile(tempname, this); - } else { - sample_file_ = new QBuffer(this); -diff --git a/wsutil/tempfile.c b/wsutil/tempfile.c -index f93f96d538..73964a1def 100644 
---- a/wsutil/tempfile.c -+++ b/wsutil/tempfile.c -@@ -14,10 +14,12 @@ - - #include "tempfile.h" - #include "file_util.h" -+#include -+#include /* for get_tmp_dir() */ - - /** - * Create a tempfile with the given prefix (e.g. "wireshark"). The path -- * is created using g_file_open_tmp. -+ * is created using get_tmp_dir. - * - * @param tempdir [in] If not NULL, the directory in which to create the file. - * @param namebuf [in,out] If not NULL, receives the full path of the temp file. -@@ -33,6 +33,9 @@ create_tempfile(const char *tempdir, gchar **namebuf, const char *pfx, const cha - { - int fd; - gchar *safe_pfx = NULL; -+ gchar *tmp_file; -+ const char *tmp_dir; -+ int old_mask; - - if (pfx) { - /* The characters in "delimiters" come from: -@@ -54,7 +57,16 @@ create_tempfile(const char *tempdir, gchar **namebuf, const char *pfx, const cha - gchar* filetmpl = ws_strdup_printf("%sXXXXXX%s", safe_pfx ? safe_pfx : "", sfx ? sfx : ""); - g_free(safe_pfx); - -- fd = g_file_open_tmp(filetmpl, namebuf, err); -+ tmp_dir = get_tmp_dir(); -+ tmp_file = g_strconcat(tmp_dir, "/", filetmpl, NULL); -+ -+ if (namebuf) -+ *namebuf = tmp_file; -+ -+ old_mask = ws_umask(0077); -+ fd = mkstemps(tmp_file, sfx ? (int) strlen(sfx) : 0); -+ ws_umask(old_mask); -+ - g_free(filetmpl); - } - else { -diff --git a/wsutil/tempfile.h b/wsutil/tempfile.h -index 70031b5419..72011e265a 100644 ---- a/wsutil/tempfile.h -+++ b/wsutil/tempfile.h -@@ -23,7 +23,7 @@ extern "C" { - - /** - * Create a tempfile with the given prefix (e.g. "wireshark"). The path -- * is created using g_file_open_tmp. -+ * is created using get_tmp_dir and mkstemp. - * - * @param tempdir [in] If not NULL, the directory in which to create the file. - * @param namebuf [in,out] If not NULL, receives the full path of the temp file. 
-diff --git a/wsutil/wstmpdir.c b/wsutil/wstmpdir.c -new file mode 100644 -index 0000000000..9128d354ce ---- /dev/null -+++ b/wsutil/wstmpdir.c -@@ -0,0 +1,71 @@ -+/* wstmpdir.c -+ * -+ * Copyright (C) 2013 Red Hat, Inc. All right reserved. -+ * -+ * Temporary directory routine -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Author: Peter Hatina -+ */ -+ -+#include "config.h" -+ -+#include -+#include "wstmpdir.h" -+ -+/** -+ * Gets the directory to use for temporary files. -+ * -+ * Inspired by glib-2.0. If no TMP, TEMP or TMPDIR is set, -+ * /var/tmp is returned (Fedora specific). -+ * -+ * Returns: the directory to use for temporary files. 
-+ */ -+const char *get_tmp_dir(void) -+{ -+ static gchar *tmp_dir; -+ -+ if (g_once_init_enter(&tmp_dir)) { -+ gchar *tmp; -+ -+ tmp = g_strdup(g_getenv("TEMP")); -+ if (tmp == NULL || *tmp == '\0') { -+ g_free(tmp); -+ tmp = g_strdup(g_getenv("TMPDIR")); -+ } -+ -+#ifdef P_tmpdir -+ if (tmp == NULL || *tmp == '\0') { -+ gsize k; -+ g_free(tmp); -+ tmp = g_strdup(P_tmpdir); -+ k = strlen(tmp); -+ if (k > 1 && G_IS_DIR_SEPARATOR(tmp[k - 1])) -+ tmp[k - 1] = '\0'; -+ fprintf(stderr, "Using P_tmpdir: %s\n", P_tmpdir); -+ } -+#endif /* P_tmpdir */ -+ -+ if (tmp == NULL || *tmp == '\0') { -+ g_free(tmp); -+ tmp = g_strdup("/var/tmp"); -+ } -+ -+ g_once_init_leave(&tmp_dir, tmp); -+ } -+ -+ return tmp_dir; -+} -diff --git a/wsutil/wstmpdir.h b/wsutil/wstmpdir.h -new file mode 100644 -index 0000000000..07ac5837ac ---- /dev/null -+++ b/wsutil/wstmpdir.h -@@ -0,0 +1,39 @@ -+/* wstmpdir.c -+ * -+ * Copyright (C) 2013 Red Hat, Inc. All right reserved. -+ * -+ * Temporary directory routine -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
-+ * -+ * Author: Peter Hatina -+ */ -+ -+#ifndef __WS_TMP_DIR_H__ -+#define __WS_TMP_DIR_H__ -+ -+#include "ws_symbol_export.h" -+ -+#ifdef __cplusplus -+extern "C" { -+#endif // __cplusplus -+ -+WS_DLL_PUBLIC const char *get_tmp_dir(void); -+ -+#ifdef __cplusplus -+} -+#endif // __cplusplus -+ -+#endif --- -2.37.3 - diff --git a/SPECS-EXTENDED/wireshark/wireshark-0007-cmakelists.patch b/SPECS-EXTENDED/wireshark/wireshark-0007-cmakelists.patch deleted file mode 100644 index b794372876..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0007-cmakelists.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff --git a/wsutil/CMakeLists.txt b/wsutil/CMakeLists.txt -index a55086c..0149801 100644 ---- a/wsutil/CMakeLists.txt -+++ b/wsutil/CMakeLists.txt -@@ -80,6 +80,7 @@ set(WSUTIL_PUBLIC_HEADERS - ws_roundup.h - ws_return.h - wsgcrypt.h -+ wstmpdir.h - wsjson.h - wslog.h - xtea.h -@@ -135,6 +136,7 @@ set(WSUTIL_COMMON_FILES - ws_mempbrk.c - ws_pipe.c - wsgcrypt.c -+ wstmpdir.c - wsjson.c - wslog.c - xtea.c diff --git a/SPECS-EXTENDED/wireshark/wireshark-0008-glib2-g_strdup-build.patch b/SPECS-EXTENDED/wireshark/wireshark-0008-glib2-g_strdup-build.patch deleted file mode 100644 index 6c4f931019..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0008-glib2-g_strdup-build.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/ui/qt/wireshark_main_window_slots.cpp b/ui/qt/wireshark_main_window_slots.cpp -index 0594ff6..3068797 100644 ---- a/ui/qt/wireshark_main_window_slots.cpp -+++ b/ui/qt/wireshark_main_window_slots.cpp -@@ -2513,7 +2513,7 @@ void WiresharkMainWindow::showHideMainWidgets(QAction *action) - if (widget == toolbar) { - GList *entry = g_list_find_custom(recent.interface_toolbars, action->text().toUtf8(), (GCompareFunc)strcmp); - if (show && !entry) { -- recent.interface_toolbars = g_list_append(recent.interface_toolbars, g_strdup(action->text().toUtf8())); -+ recent.interface_toolbars = g_list_append(recent.interface_toolbars, g_strdup(action->text().toUtf8().constData())); - } else if (!show && entry) { - recent.interface_toolbars = g_list_remove(recent.interface_toolbars, entry->data); - } diff --git a/SPECS-EXTENDED/wireshark/wireshark-0009-fix-asn2wrs-cmake.patch b/SPECS-EXTENDED/wireshark/wireshark-0009-fix-asn2wrs-cmake.patch deleted file mode 100644 index fc1d7bc2af..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0009-fix-asn2wrs-cmake.patch +++ /dev/null 
@@ -1,213 +0,0 @@ -From 601bf39e6b2eaff9e77588ff1b1a8a987dad404d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jo=C3=A3o=20Valverde?= -Date: Fri, 26 May 2023 14:16:06 +0100 -Subject: [PATCH] CMake: Remove module LocatePythonModule.cmake - -This module is unnecessary and frequently causes hard-to-debug -issues during CMake's configure run. Nuke it. ---- - cmake/modules/LocatePythonModule.cmake | 53 -------------------------- - cmake/modules/UseAsn2Wrs.cmake | 13 ++----- - cmake/modules/UseMakePluginReg.cmake | 7 +--- - 3 files changed, 6 insertions(+), 67 deletions(-) - delete mode 100644 cmake/modules/LocatePythonModule.cmake - -diff --git a/cmake/modules/LocatePythonModule.cmake b/cmake/modules/LocatePythonModule.cmake -deleted file mode 100644 -index 3fbe0c7..0000000 ---- a/cmake/modules/LocatePythonModule.cmake -+++ /dev/null -@@ -1,53 +0,0 @@ --#LOCATE_PYTHON_MODULE( [PATHS ... ] [REQUIRED]) --# --# This function tries to find the given python module. --# If found the path is provided in and <_FOUND> is set to TRUE. --# --# After PATHS additional paths for python to search can be provided. 
--# When REQUIRED is set, the function will abort the cmake execution is the module is not found --function(LOCATE_PYTHON_MODULE module) -- if(NOT PYTHON_EXECUTABLE) -- find_package(PythonInterp) -- endif() -- -- # Parse (additional) arguments -- set(options REQUIRED) -- set(multiValueArgs PATHS) -- cmake_parse_arguments(LPM "${options}" "" "${multiValueArgs}" ${ARGN}) -- -- string(TOUPPER ${module} module_upper) -- if(NOT PY_${module_upper}) -- -- if(LPM_PATHS) -- # Append LPM_PATHS to PYTHONPATH to search at provided location (first) -- file(TO_CMAKE_PATH "$ENV{PYTHONPATH}" CMAKE_PATH) -- list(INSERT CMAKE_PATH 0 ${LPM_PATHS}) -- file(TO_NATIVE_PATH "${CMAKE_PATH}" NATIVE_PATH) -- if(UNIX) -- string(REPLACE ";" ":" NATIVE_PATH "${NATIVE_PATH}") -- endif(UNIX) -- set(ENV{PYTHONPATH} "${NATIVE_PATH}") -- endif(LPM_PATHS) -- -- # Use the (native) python impl module to find the location of the requested module -- execute_process(COMMAND "${PYTHON_EXECUTABLE}" "-c" -- "import imp; print(imp.find_module('${module}')[1])" -- RESULT_VARIABLE _${module}_status -- OUTPUT_VARIABLE _${module}_location -- ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE) -- -- if(NOT _${module}_status) -- set(PY_${module_upper} ${_${module}_location} CACHE STRING -- "Location of Python module ${module}") -- set(${module_upper}_FOUND TRUE) -- message(STATUS "Found python module ${module}: ${PY_${module_upper}}") -- else(NOT _${module}_status) -- set(${module_upper}_FOUND FALSE) -- if(LPM_REQUIRED) -- message(FATAL_ERROR "Could NOT find python module ${module}") -- else(LPM_REQUIRED) -- message(STATUS "Could NOT find python module ${module}") -- endif(LPM_REQUIRED) -- endif(NOT _${module}_status) -- endif(NOT PY_${module_upper}) --endfunction(LOCATE_PYTHON_MODULE) -diff --git a/cmake/modules/UseMakePluginReg.cmake b/cmake/modules/UseMakePluginReg.cmake -index e6e6a91..fe57381 100644 ---- a/cmake/modules/UseMakePluginReg.cmake -+++ b/cmake/modules/UseMakePluginReg.cmake -@@ -1,20 +1,17 @@ - # - 
function(register_plugin_files _outputfile _registertype) -- include(LocatePythonModule) -- locate_python_module(make-plugin-reg REQUIRED PATHS ${CMAKE_SOURCE_DIR}/tools) -- - file(RELATIVE_PATH output "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/${_outputfile}") - add_custom_command( - OUTPUT - ${_outputfile} - COMMAND ${PYTHON_EXECUTABLE} -- ${PY_MAKE-PLUGIN-REG} -+ ${CMAKE_SOURCE_DIR}/tools/make-plugin-reg.py - ${CMAKE_CURRENT_SOURCE_DIR} - ${_registertype} - ${ARGN} - COMMENT "Generating ${output}" - DEPENDS - ${ARGN} -- ${PY_MAKE-PLUGIN-REG} -+ ${CMAKE_SOURCE_DIR}/tools/make-plugin-reg.py - ) - endfunction() -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 6db2e46..21e71e8 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -3825,7 +3825,6 @@ install( - ${WS_CMAKE_MODULE_PATH}/FindWSLibrary.cmake - ${WS_CMAKE_MODULE_PATH}/FindWSWinLibs.cmake - ${WS_CMAKE_MODULE_PATH}/UseAsn2Wrs.cmake -- ${WS_CMAKE_MODULE_PATH}/LocatePythonModule.cmake - ${WS_CMAKE_MODULE_PATH}/UseMakePluginReg.cmake - DESTINATION - ${WIRESHARK_INSTALL_CMAKEDIR} -diff --git a/cmake/modules/FindAsciidoctor.cmake b/cmake/modules/FindAsciidoctor.cmake -index 67cbc8d..929a4eb 100644 ---- a/cmake/modules/FindAsciidoctor.cmake -+++ b/cmake/modules/FindAsciidoctor.cmake -@@ -124,7 +124,7 @@ if(ASCIIDOCTOR_EXECUTABLE) - ADD_CUSTOM_COMMAND( - OUTPUT - ${_output_txt} -- COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/tools/html2text.py -+ COMMAND ${Python3_EXECUTABLE} ${CMAKE_SOURCE_DIR}/tools/html2text.py - ${_output_html} - > ${_output_txt} - DEPENDS -diff --git a/cmake/modules/UseMakePluginReg.cmake b/cmake/modules/UseMakePluginReg.cmake -index fe57381..0c7198d 100644 ---- a/cmake/modules/UseMakePluginReg.cmake -+++ b/cmake/modules/UseMakePluginReg.cmake -@@ -4,7 +4,7 @@ function(register_plugin_files _outputfile _registertype) - add_custom_command( - OUTPUT - ${_outputfile} -- COMMAND ${PYTHON_EXECUTABLE} -+ COMMAND ${Python3_EXECUTABLE} - ${CMAKE_SOURCE_DIR}/tools/make-plugin-reg.py - 
${CMAKE_CURRENT_SOURCE_DIR} - ${_registertype} -diff --git a/cmake/modules/UseMakeTaps.cmake b/cmake/modules/UseMakeTaps.cmake -index aed9318..56fd628 100644 ---- a/cmake/modules/UseMakeTaps.cmake -+++ b/cmake/modules/UseMakeTaps.cmake -@@ -5,7 +5,7 @@ MACRO(REGISTER_TAP_FILES _outputfile) - OUTPUT - ${_outputfile} - COMMAND -- ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/tools/make-regs.py taps ${_outputfile} ${_sources} -+ ${Python3_EXECUTABLE} ${CMAKE_SOURCE_DIR}/tools/make-regs.py taps ${_outputfile} ${_sources} - DEPENDS - ${CMAKE_SOURCE_DIR}/tools/make-regs.py - ${_sources} -diff --git a/cmake/modules/UseAsn2Wrs.cmake b/cmake/modules/UseAsn2Wrs.cmake -index 9d7cdfe..6b0c46c 100644 ---- a/cmake/modules/UseAsn2Wrs.cmake -+++ b/cmake/modules/UseAsn2Wrs.cmake -@@ -6,11 +6,6 @@ - # absolute path (e.g. "${CMAKE_CURRENT_SOURCE_DIR}"). - - function(ASN2WRS) -- if(NOT PY_ASN2WRS) -- include(LocatePythonModule) -- locate_python_module(asn2wrs REQUIRED PATHS "${CMAKE_SOURCE_DIR}/tools") -- endif() -- - if(NOT PROTO_OPT) - set(PROTO_OPT -p ${PROTOCOL_NAME}) - elseif(PROTO_OPT STREQUAL "_EMPTY_") -@@ -38,8 +33,8 @@ function(ASN2WRS) - # Creates a dissector in the source directory and store the timestamp. 
- add_custom_command( - OUTPUT packet-${PROTOCOL_NAME}-stamp -- COMMAND "${PYTHON_EXECUTABLE}" -- ${PY_ASN2WRS} -+ COMMAND "${Python3_EXECUTABLE}" -+ ${CMAKE_SOURCE_DIR}/tools/asn2wrs.py - ${A2W_FLAGS} - ${PROTO_OPT} - -c "${CMAKE_CURRENT_SOURCE_DIR}/${PROTOCOL_NAME}.cnf" -@@ -48,12 +43,12 @@ function(ASN2WRS) - -O "${A2W_OUTPUT_DIR}" - ${EXT_ASN_FILE_LIST} ${ASN_FILE_LIST} ${EXT_ASN_FILE_LIST_LATE} - COMMAND -- "${PYTHON_EXECUTABLE}" -c -+ "${Python3_EXECUTABLE}" -c - "import shutil, sys; x,s,d=sys.argv; open(d, 'w'); shutil.copystat(s, d)" - "${A2W_OUTPUT_DIR}/packet-${PROTOCOL_NAME}.c" - packet-${PROTOCOL_NAME}-stamp - DEPENDS -- "${PY_ASN2WRS}" -+ ${CMAKE_SOURCE_DIR}/tools/asn2wrs.py - ${SRC_FILES} - ${EXTRA_CNF_targets} - ${EXTRA_CNF} -@@ -67,8 +62,8 @@ function(ASN2WRS) - foreach(_asn2wrs_export_file IN LISTS EXPORT_FILES) - add_custom_command( - OUTPUT ${_asn2wrs_export_file} -- COMMAND "${PYTHON_EXECUTABLE}" -- "${PY_ASN2WRS}" -+ COMMAND "${Python3_EXECUTABLE}" -+ ${CMAKE_SOURCE_DIR}/tools/asn2wrs.py - -E - ${A2W_FLAGS} - ${PROTO_OPT} -@@ -76,7 +71,7 @@ function(ASN2WRS) - -D "${CMAKE_CURRENT_SOURCE_DIR}" - ${EXT_ASN_FILE_LIST} ${ASN_FILE_LIST} ${EXT_ASN_FILE_LIST_LATE} - DEPENDS -- "${PY_ASN2WRS}" -+ ${CMAKE_SOURCE_DIR}/tools/asn2wrs.py - ${SRC_FILES} - ${EXPORT_DEPENDS_targets} - ${EXPORT_DEPENDS} diff --git a/SPECS-EXTENDED/wireshark/wireshark-0010-ripemd-fips-core-dump.patch b/SPECS-EXTENDED/wireshark/wireshark-0010-ripemd-fips-core-dump.patch deleted file mode 100644 index f09dc1acbb..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0010-ripemd-fips-core-dump.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -diff --git a/capinfos.c b/capinfos.c -index 3c7866befd..da576f88c5 100644 ---- a/capinfos.c -+++ b/capinfos.c -@@ -141,7 +141,6 @@ static gboolean cap_file_hashes = TRUE; /* Calculate file hashes */ - - // Strongest to weakest - #define HASH_SIZE_SHA256 32 --#define HASH_SIZE_RMD160 20 - #define HASH_SIZE_SHA1 20 - - #define HASH_STR_SIZE (65) /* Max hash size * 2 + '\0' */ -@@ -743,7 +742,6 @@ print_stats(const gchar *filename, capture_info *cf_info) - } - if (cap_file_hashes) { - printf ("SHA256: %s\n", file_sha256); -- printf ("RIPEMD160: %s\n", file_rmd160); - printf ("SHA1: %s\n", file_sha1); - } - if (cap_order) printf ("Strict time order: %s\n", order_string(cf_info->order)); -@@ -857,7 +855,6 @@ print_stats_table_header(void) - if (cap_packet_rate) print_stats_table_header_label("Average packet rate (packets/sec)"); - if (cap_file_hashes) { - print_stats_table_header_label("SHA256"); -- print_stats_table_header_label("RIPEMD160"); - print_stats_table_header_label("SHA1"); - } - if (cap_order) print_stats_table_header_label("Strict time order"); -@@ -1182,7 +1179,6 @@ calculate_hashes(const char *filename) - } - gcry_md_final(hd); - hash_to_str(gcry_md_read(hd, GCRY_MD_SHA256), HASH_SIZE_SHA256, file_sha256); -- hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, file_rmd160); - hash_to_str(gcry_md_read(hd, GCRY_MD_SHA1), HASH_SIZE_SHA1, file_sha1); - } - if (fh) fclose(fh); -@@ -1489,7 +1485,7 @@ print_usage(FILE *output) - fprintf(output, " -E display the capture file encapsulation\n"); - fprintf(output, " -I display the capture file interface information\n"); - fprintf(output, " -F display additional capture file information\n"); -- fprintf(output, " -H display the SHA256, RIPEMD160, and SHA1 hashes of the file\n"); -+ fprintf(output, " -H display the SHA256 and SHA1 hashes of the file\n"); - fprintf(output, " -k display the capture comment\n"); - fprintf(output, "\n"); - fprintf(output, "Size infos:\n"); -@@ -1842,10 
+1838,9 @@ main(int argc, char *argv[]) - if (cap_file_hashes) { - gcry_check_version(NULL); - gcry_md_open(&hd, GCRY_MD_SHA256, 0); -- if (hd) { -- gcry_md_enable(hd, GCRY_MD_RMD160); -+ if (hd) - gcry_md_enable(hd, GCRY_MD_SHA1); -- } -+ - hash_buf = (char *)g_malloc(HASH_BUF_SIZE); - } - -diff --git a/doc/capinfos.adoc b/doc/capinfos.adoc -index 16ed2e300a..124fb56694 100644 ---- a/doc/capinfos.adoc -+++ b/doc/capinfos.adoc -@@ -200,7 +200,7 @@ Prints the help listing and exits. - -H:: - + - -- --Displays the SHA256, RIPEMD160, and SHA1 hashes for the file. -+Displays the SHA256 and SHA1 hashes for the file. - SHA1 output may be removed in the future. - -- - -diff --git a/capinfos.c b/capinfos.c -index f0059f4e54..e153097219 100644 ---- a/capinfos.c -+++ b/capinfos.c -@@ -148,7 +148,6 @@ static gboolean cap_file_hashes = TRUE; /* Calculate file hashes */ - - - static gchar file_sha256[HASH_STR_SIZE]; --static gchar file_rmd160[HASH_STR_SIZE]; - static gchar file_sha1[HASH_STR_SIZE]; - - static char *hash_buf = NULL; -@@ -1024,11 +1023,6 @@ print_stats_table(const gchar *filename, capture_info *cf_info) - printf("%s", file_sha256); - putquote(); - -- putsep(); -- putquote(); -- printf("%s", file_rmd160); -- putquote(); -- - putsep(); - putquote(); - printf("%s", file_sha1); -@@ -1168,7 +1162,6 @@ calculate_hashes(const char *filename) - size_t hash_bytes; - - (void) g_strlcpy(file_sha256, "", HASH_STR_SIZE); -- (void) g_strlcpy(file_rmd160, "", HASH_STR_SIZE); - (void) g_strlcpy(file_sha1, "", HASH_STR_SIZE); - - if (cap_file_hashes) { -diff --git a/ui/qt/capture_file_properties_dialog.cpp b/ui/qt/capture_file_properties_dialog.cpp -index 9e5b86a7fd..c77056818c 100644 ---- a/ui/qt/capture_file_properties_dialog.cpp -+++ b/ui/qt/capture_file_properties_dialog.cpp -@@ -175,11 +175,6 @@ QString CaptureFilePropertiesDialog::summaryToHtml() - << table_data_tmpl.arg(summary.file_sha256) - << table_row_end; - -- out << table_row_begin -- << 
table_vheader_tmpl.arg(tr("Hash (RIPEMD160)")) -- << table_data_tmpl.arg(summary.file_rmd160) -- << table_row_end; -- - out << table_row_begin - << table_vheader_tmpl.arg(tr("Hash (SHA1)")) - << table_data_tmpl.arg(summary.file_sha1) -diff --git a/ui/summary.c b/ui/summary.c -index 127698fd5c..58c7cd68a4 100644 ---- a/ui/summary.c -+++ b/ui/summary.c -@@ -21,7 +21,6 @@ - - // Strongest to weakest - #define HASH_SIZE_SHA256 32 --#define HASH_SIZE_RMD160 20 - #define HASH_SIZE_SHA1 20 - - #define HASH_BUF_SIZE (1024 * 1024) -@@ -213,12 +212,10 @@ summary_fill_in(capture_file *cf, summary_tally *st) - g_free(idb_info); - - (void) g_strlcpy(st->file_sha256, "", HASH_STR_SIZE); -- (void) g_strlcpy(st->file_rmd160, "", HASH_STR_SIZE); - (void) g_strlcpy(st->file_sha1, "", HASH_STR_SIZE); - - gcry_md_open(&hd, GCRY_MD_SHA256, 0); - if (hd) { -- gcry_md_enable(hd, GCRY_MD_RMD160); - gcry_md_enable(hd, GCRY_MD_SHA1); - } - hash_buf = (char *)g_malloc(HASH_BUF_SIZE); -@@ -230,7 +227,6 @@ summary_fill_in(capture_file *cf, summary_tally *st) - } - gcry_md_final(hd); - hash_to_str(gcry_md_read(hd, GCRY_MD_SHA256), HASH_SIZE_SHA256, st->file_sha256); -- hash_to_str(gcry_md_read(hd, GCRY_MD_RMD160), HASH_SIZE_RMD160, st->file_rmd160); - hash_to_str(gcry_md_read(hd, GCRY_MD_SHA1), HASH_SIZE_SHA1, st->file_sha1); - } - if (fh) fclose(fh); -diff --git a/ui/summary.h b/ui/summary.h -index 9063b99b77..95a51a38c0 100644 ---- a/ui/summary.h -+++ b/ui/summary.h -@@ -56,7 +56,6 @@ typedef struct _summary_tally { - const char *filename; /**< path of capture file */ - gint64 file_length; /**< file length in bytes */ - gchar file_sha256[HASH_STR_SIZE]; /**< SHA256 hash of capture file */ -- gchar file_rmd160[HASH_STR_SIZE]; /**< RIPEMD160 hash of capture file */ - gchar file_sha1[HASH_STR_SIZE]; /**< SHA1 hash of capture file */ - int file_type; /**< wiretap file type */ - wtap_compression_type compression_type; /**< compression type of file, or uncompressed */ 
diff --git a/SPECS-EXTENDED/wireshark/wireshark-0011-manage-interfaces-crash.patch b/SPECS-EXTENDED/wireshark/wireshark-0011-manage-interfaces-crash.patch deleted file mode 100644 index f2eb34750f..0000000000 --- a/SPECS-EXTENDED/wireshark/wireshark-0011-manage-interfaces-crash.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 2d55e5672b07a8a102024e0af66e821bba51213b Mon Sep 17 00:00:00 2001 -From: Gerald Combs -Date: Sun, 27 Aug 2023 14:47:52 -0700 -Subject: [PATCH] Qt: Fix ManageInterfacesDialog cleanup - -Handle our ManageInterfacesDialog cleanup tasks inside our destructor. -If we try to handle them in on_buttonBox_accepted we run into a race -condition with WA_DeleteOnClose. - -Fixes #19287 ---- - ui/qt/manage_interfaces_dialog.cpp | 25 ++++++++++++------------- - ui/qt/manage_interfaces_dialog.h | 2 -- - 2 files changed, 12 insertions(+), 15 deletions(-) - -diff --git a/ui/qt/manage_interfaces_dialog.cpp b/ui/qt/manage_interfaces_dialog.cpp -index cb9da8697b5..a8529e265a9 100644 ---- a/ui/qt/manage_interfaces_dialog.cpp -+++ b/ui/qt/manage_interfaces_dialog.cpp -@@ -209,6 +209,18 @@ ManageInterfacesDialog::ManageInterfacesDialog(QWidget *parent) : - - ManageInterfacesDialog::~ManageInterfacesDialog() - { -+ if (result() == QDialog::Accepted) { -+#ifdef HAVE_LIBPCAP -+ sourceModel->save(); -+#endif -+#ifdef HAVE_PCAP_REMOTE -+ remoteAccepted(); -+#endif -+ prefs_main_write(); -+ mainApp->refreshLocalInterfaces(); -+ emit ifsChanged(); -+ } -+ - delete ui; - } - -@@ -252,19 +264,6 @@ void ManageInterfacesDialog::updateWidgets() - ui->hintLabel->setText(hint); - } - --void ManageInterfacesDialog::on_buttonBox_accepted() --{ --#ifdef HAVE_LIBPCAP -- sourceModel->save(); --#endif --#ifdef HAVE_PCAP_REMOTE -- remoteAccepted(); --#endif -- prefs_main_write(); -- mainApp->refreshLocalInterfaces(); -- emit ifsChanged(); --} -- - #ifdef HAVE_LIBPCAP - void ManageInterfacesDialog::on_addPipe_clicked() - { -diff --git a/ui/qt/manage_interfaces_dialog.h b/ui/qt/manage_interfaces_dialog.h -index 80b78afbe7a..79e9d0d9bfa 100644 ---- a/ui/qt/manage_interfaces_dialog.h -+++ b/ui/qt/manage_interfaces_dialog.h -@@ -59,8 +59,6 @@ signals: - private slots: - void updateWidgets(); - -- void on_buttonBox_accepted(); -- - #ifdef HAVE_LIBPCAP - void on_addPipe_clicked(); - void 
on_delPipe_clicked(); --- -GitLab - diff --git a/SPECS-EXTENDED/wireshark/wireshark-01-pkgconfig.patch b/SPECS-EXTENDED/wireshark/wireshark-01-pkgconfig.patch new file mode 100644 index 0000000000..e32958af90 --- /dev/null +++ b/SPECS-EXTENDED/wireshark/wireshark-01-pkgconfig.patch @@ -0,0 +1,13 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 17fa031..6876018 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -4175,8 +4175,6 @@ endif() + + install(FILES "${CMAKE_BINARY_DIR}/resources/wireshark.pc" + DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig +- COMPONENT "Development" +- EXCLUDE_FROM_ALL + ) + + install( diff --git a/SPECS-EXTENDED/wireshark/wireshark.signatures.json b/SPECS-EXTENDED/wireshark/wireshark.signatures.json index f85e229de3..0861154bd1 100644 --- a/SPECS-EXTENDED/wireshark/wireshark.signatures.json +++ b/SPECS-EXTENDED/wireshark/wireshark.signatures.json @@ -1,6 +1,7 @@ { "Signatures": { "90-wireshark-usbmon.rules": "31310c5e45835563ee9daba99bc09849cc004e8d9c712d0860211d5fa5563bcb", - "wireshark-4.0.8.tar.xz": "16663585c0ffefd5593a6628d4a20cc8241b9703b11283cfe71ead2b750888c8" + "wireshark-4.4.7.tar.xz": "5644143fed6363fa6c0cf58c2a6fe9ba0922efaea8f981c7228260bf46f1494b", + "wireshark.sysusers": "faeff02f34068e5e21749bea89edca15a930f44178eef2e96121960d8cba34d6" } -} +} \ No newline at end of file diff --git a/SPECS-EXTENDED/wireshark/wireshark.spec b/SPECS-EXTENDED/wireshark/wireshark.spec index 5539087008..7ada7acb13 100644 --- a/SPECS-EXTENDED/wireshark/wireshark.spec +++ b/SPECS-EXTENDED/wireshark/wireshark.spec 
@@ -1,34 +1,26 @@ %global with_lua 1 -%global plugins_version 4.0 +%global plugins_version 4.4 Summary: Network traffic analyzer Name: wireshark -Version: 4.0.8 +Version: 4.4.7 Release: 1%{?dist} License: BSD-1-Clause AND BSD-2-Clause AND BSD-3-Clause AND MIT AND GPL-2.0-or-later AND LGPL-2.0-or-later AND Zlib AND ISC AND (BSD-3-Clause OR GPL-2.0-only) AND (GPL-2.0-or-later AND Zlib) Vendor: Microsoft Corporation Distribution: Azure Linux -URL: https://www.wireshark.org/ Source0: https://wireshark.org/download/src/%{name}-%{version}.tar.xz -Source1: 90-wireshark-usbmon.rules -Patch2: wireshark-0002-Customize-permission-denied-error.patch -Patch3: wireshark-0003-fix-string-overrun-in-plugins-profinet.patch -Patch4: wireshark-0004-Restore-Fedora-specific-groups.patch -Patch5: wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch -Patch6: wireshark-0006-Move-tmp-to-var-tmp.patch -Patch7: wireshark-0007-cmakelists.patch -Patch8: wireshark-0008-glib2-g_strdup-build.patch -Patch9: wireshark-0009-fix-asn2wrs-cmake.patch -Patch10: wireshark-0010-ripemd-fips-core-dump.patch -Patch11: wireshark-0011-manage-interfaces-crash.patch +Source2: 90-wireshark-usbmon.rules +Source3: wireshark.sysusers +Patch1: wireshark-01-pkgconfig.patch BuildRequires: bison +BuildRequires: ccache BuildRequires: bzip2-devel BuildRequires: c-ares-devel BuildRequires: cmake BuildRequires: elfutils-devel BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: git +BuildRequires: git-core BuildRequires: glib2-devel BuildRequires: gnutls-devel BuildRequires: krb5-devel 
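Review bot: The removal of `Patch2:` through `Patch11:` in this hunk is not accounted for anywhere in the change; the changelog entry only says the applicable Fedora patches were referenced, so a reader cannot tell which dropped fixes are already in the 4.4.7 tarball. Two of them look stability- or security-relevant from their names and deleted contents: `wireshark-0003-fix-string-overrun-in-plugins-profinet.patch` and `wireshark-0010-ripemd-fips-core-dump.patch`, which removed the RIPEMD160 digest from capinfos.c and ui/summary.c. Whether upstream carries equivalent changes is not visible in this diff and should be confirmed before the patches are deleted. I would add a comment above `Patch1:` along the lines of `# Patches 0002-0011 dropped for 4.4.7: <upstreamed | not applicable, stated per patch>`. I would also restore `URL: https://www.wireshark.org/`, whose removal looks unintended.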
@@ -41,17 +33,13 @@ BuildRequires: libselinux-devel BuildRequires: libsmi-devel BuildRequires: libssh-devel BuildRequires: openssl-devel -BuildRequires: pcre-devel -BuildRequires: pcre2-devel -BuildRequires: python3 BuildRequires: python3-devel BuildRequires: systemd-devel -BuildRequires: xdg-utils BuildRequires: zlib-devel -BuildRequires: perl(English) BuildRequires: perl(Pod::Html) BuildRequires: perl(Pod::Man) BuildRequires: perl(open) +BuildRequires: systemd-rpm-macros #install tshark together with wireshark GUI Requires: %{name}-cli = %{version}-%{release} Requires: c-ares @@ -72,8 +60,7 @@ transferred over HTTP or CIFS, or play back an RTP audio stream. %package cli Summary: Network traffic analyzer -Requires(post): systemd-udev -Requires(pre): shadow-utils +Requires: shadow-utils %description cli This package contains command-line utilities, plugins, and documentation for 
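Review bot: In the `%package cli` hunk, replacing `Requires(pre): shadow-utils` with a plain `Requires: shadow-utils` and dropping `Requires(post): systemd-udev` removes the scriptlet-time ordering guarantees. The %pre/%post scriptlets lie outside every hunk of this diff, so they appear unchanged and presumably still create the `wireshark` group and reload udev rules. The group matters because %files installs dumpcap as `%attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=ep)`, and that ownership is only applied as written if the group exists before the payload is unpacked. Either keep the scriptlet-scoped dependencies (`Requires(pre): shadow-utils`, `Requires(post): systemd-udev`), or make the new `wireshark.sysusers` file the single creation path and say so in a comment next to `Source3:`.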
@@ -91,31 +78,35 @@ documentation, and libraries required for development of wireshark scripts and plugins. %prep -%autosetup -S git +%autosetup -p1 -S git %build %cmake -G "Unix Makefiles" \ - -DCMAKE_INSTALL_PREFIX="%{_prefix}" \ - -DDISABLE_WERROR=ON \ - -DENABLE_LUA=ON \ - -DENABLE_LIBXML2=ON \ - -DENABLE_NETLINK=ON \ - -DENABLE_NGHTTP2=ON \ - -DENABLE_PLUGINS=ON \ - -DENABLE_SMI=ON \ - -DBUILD_androiddump=OFF \ - -DBUILD_dcerpcidl2wrs=OFF \ - -DBUILD_mmdbresolve=OFF \ - -DBUILD_randpktdump=OFF \ - -DBUILD_sdjournal=ON \ - -DBUILD_wireshark=OFF \ - . + -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \ + -DCMAKE_C_COMPILER_LAUNCHER=ccache \ + -DCMAKE_INSTALL_PREFIX="%{_prefix}" \ + -DENABLE_LIBXML2=ON \ + -DENABLE_NETLINK=ON \ + -DENABLE_NGHTTP2=ON \ + -DENABLE_PLUGINS=ON \ + -DBUILD_wireshark=OFF \ + -DBUILD_logray=OFF \ + -DBUILD_sharkd=OFF \ + -DENABLE_SMI=OFF \ + -DENABLE_WERROR=OFF \ + -DENABLE_LUA=OFF \ + -DBUILD_androiddump=OFF \ + -DBUILD_dcerpcidl2wrs=OFF \ + -DBUILD_mmdbresolve=OFF \ + -DBUILD_randpktdump=OFF \ + -DBUILD_sdjournal=OFF \ + -S . %cmake_build %install %cmake_install - +%cmake_install --component Development #install devel files (inspired by debian/wireshark-dev.header-files) install -d -m 0755 %{buildroot}%{_includedir}/wireshark @@ -138,8 +129,9 @@ install -m 644 epan/dfilter/*.h "${IDIR}/epan/dfilter" install -m 644 epan/dissectors/*.h "${IDIR}/epan/dissectors" install -m 644 wiretap/*.h "${IDIR}/wiretap" install -m 644 wsutil/*.h "${IDIR}/wsutil" -install -m 644 %{SOURCE1} %{buildroot}%{_udevrulesdir} - +install -m 644 %{SOURCE2} %{buildroot}%{_udevrulesdir} +install -Dpm 644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf +rm %{buildroot}/usr/share/doc/wireshark/COPYING touch %{buildroot}%{_bindir}/%{name} 
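Review bot: The new `-DCMAKE_CXX_COMPILER_LAUNCHER=ccache` and `-DCMAKE_C_COMPILER_LAUNCHER=ccache` lines in `%build` route every compile of a distribution package through a compiler cache, so objects in the shipped binaries can come from cache entries rather than from the sources pinned in `wireshark.signatures.json`. In a throwaway build root the cache starts empty and the launcher gains nothing; if the cache directory is ever persisted or shared between builds (not visible from this diff), it becomes an unverified input to a package whose dumpcap is installed with `cap_net_raw,cap_net_admin`. I would drop both launcher lines together with `BuildRequires: ccache`. Separately, this hunk sets `-DENABLE_LUA=OFF` and `-DENABLE_SMI=OFF` while the spec still declares `%global with_lua 1` and `BuildRequires: libsmi-devel`; remove the stale lines or add a comment such as `# Lua and SMI support are disabled in this build` so the spec stays consistent.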
@@ -162,18 +154,16 @@ fi %files %{_bindir}/wireshark -#%{_mandir}/man1/wireshark.* %files cli %license COPYING -%doc AUTHORS INSTALL NEWS README* +%doc AUTHORS INSTALL README* %{_bindir}/capinfos %{_bindir}/captype %{_bindir}/editcap %{_bindir}/mergecap %{_bindir}/randpkt %{_bindir}/reordercap -%{_bindir}/sharkd %{_bindir}/text2pcap %{_bindir}/tshark %attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=ep) %{_bindir}/dumpcap @@ -187,10 +177,7 @@ fi %{_libdir}/wireshark/extcap/udpdump %{_libdir}/wireshark/extcap/wifidump %{_libdir}/wireshark/extcap/sshdump -%{_libdir}/wireshark/extcap/sdjournal %{_libdir}/wireshark/extcap/dpauxmon -%dir %{_libdir}/wireshark/cmake -%{_libdir}/wireshark/cmake/*.cmake #the version wireshark uses to store plugins is only x.y, not .z %dir %{_libdir}/wireshark/plugins/%{plugins_version} %dir %{_libdir}/wireshark/plugins/%{plugins_version}/epan 
@@ -199,37 +186,24 @@ fi %{_libdir}/wireshark/plugins/%{plugins_version}/epan/*.so %{_libdir}/wireshark/plugins/%{plugins_version}/wiretap/*.so %{_libdir}/wireshark/plugins/%{plugins_version}/codecs/*.so -#%{_mandir}/man1/editcap.* -#%{_mandir}/man1/tshark.* -#%{_mandir}/man1/mergecap.* -#%{_mandir}/man1/text2pcap.* -#%{_mandir}/man1/capinfos.* -#%{_mandir}/man1/dumpcap.* -#%{_mandir}/man4/wireshark-filter.* -#%{_mandir}/man1/rawshark.* -#%{_mandir}/man1/dftest.* -#%{_mandir}/man1/randpkt.* -#%{_mandir}/man1/reordercap.* -#%{_mandir}/man1/sshdump.* -#%{_mandir}/man1/udpdump.* -#%{_mandir}/man1/androiddump.* -#%{_mandir}/man1/captype.* -#%{_mandir}/man1/ciscodump.* -#%{_mandir}/man1/randpktdump.* -#%{_mandir}/man1/dpauxmon.* -#%{_mandir}/man1/sdjournal.* -#%{_mandir}/man4/extcap.* +%{_datadir}/doc/wireshark/* %dir %{_datadir}/wireshark %{_datadir}/wireshark/* -#%{_docdir}/wireshark/*.html +%{_sysusersdir}/%{name}.conf %files devel %doc doc/README.* ChangeLog -%{_includedir}/wireshark -%{_libdir}/lib*.so +%dir %{_includedir}/wireshark +%{_includedir}/wireshark/* %{_libdir}/pkgconfig/%{name}.pc +%{_libdir}/lib*.so +%{_libdir}/cmake/%{name}/*.cmake %changelog +* Tue Jun 10 2025 Sandeep Karambelkar 4.4.7-1 +- Upgrade to 4.4.7 +- Reference Fedora42 spec and patches applicable + * Thu Sep 07 2023 Muhammad Falak R Wani - 4.0.8-1 - Upgrade version to address 27 CVEs - Address CVE-2021-22207, CVE-2021-22222, CVE-2021-22235, CVE-2021-39920, CVE-2021-39921, diff --git a/SPECS-EXTENDED/wireshark/wireshark.sysusers b/SPECS-EXTENDED/wireshark/wireshark.sysusers new file mode 100644 index 0000000000..b035d11a82 --- /dev/null +++ b/SPECS-EXTENDED/wireshark/wireshark.sysusers @@ -0,0 +1,2 @@ +g wireshark - - +g usbmon - - diff --git a/SPECS-EXTENDED/xalan-j2/xalan-j2.spec b/SPECS-EXTENDED/xalan-j2/xalan-j2.spec index 9056fea62a..86bf73cd49 100644 --- a/SPECS-EXTENDED/xalan-j2/xalan-j2.spec +++ b/SPECS-EXTENDED/xalan-j2/xalan-j2.spec 
@@ -21,14 +21,14 @@ Distribution: Azure Linux %define cvs_version 2_7_2 Name: xalan-j2 Version: 2.7.2 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Java XSLT processor License: Apache-2.0 Group: Development/Libraries/Java -Url: http://xalan.apache.org/index.html -Source0: http://www.apache.org/dist/xalan/xalan-j/source/xalan-j_%{cvs_version}-src.tar.gz -Source1: http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom -Source2: http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom +Url: https://xalan.apache.org/index.html +Source0: https://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_%{cvs_version}-src.tar.gz +Source1: https://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom +Source2: https://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom Source3: xsltc-%{version}.pom Source4: xalan-j2-serializer-MANIFEST.MF Source5: xalan-j2-MANIFEST.MF @@ -165,7 +165,7 @@ ln -sf $(build-classpath stylebook) stylebook-1.0-b3_xalan-2.jar popd ant \ -Dservlet-api.jar=$(build-classpath servletapi5) \ - -Dcompiler.source=1.6 -Dcompiler.target=1.6 \ + -Dcompiler.source=1.8 -Dcompiler.target=1.8 \ -Djava.awt.headless=true \ -Dapi.j2se=%{_javadocdir}/java \ -Dbuild.xalan-interpretive.jar=build/xalan-interpretive.jar \ @@ -280,6 +280,10 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \ %{_datadir}/%{name} %changelog +* Thu May 22 2025 Jyoti Kanase - 2.7.2-11 +- Fixed the build for 2.7.2 +- License Verified + * Thu Oct 14 2021 Pawel Winogrodzki - 2.7.2-10 - Converting the 'Release' tag to the '[number].[distribution]' format. diff --git a/SPECS-EXTENDED/xerces-j2/xerces-j2.spec b/SPECS-EXTENDED/xerces-j2/xerces-j2.spec index 25f62da8ef..a3e58a804a 100644 --- a/SPECS-EXTENDED/xerces-j2/xerces-j2.spec +++ b/SPECS-EXTENDED/xerces-j2/xerces-j2.spec 
@@ -22,7 +22,7 @@ Distribution: Azure Linux %define __requires_exclude system.bundle Name: xerces-j2 Version: 2.12.0 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Java XML parser License: ASL 2.0 and Public Domain and W3C Group: Development/Libraries/Java @@ -106,7 +106,7 @@ popd # Build everything export ANT_OPTS="-Xmx256m -Djava.awt.headless=true -Dbuild.sysclasspath=first -Ddisconnected=true" -ant -Djavac.source=1.6 -Djavac.target=1.6 \ +ant -Djavac.source=1.8 -Djavac.target=1.8 \ -Dbuild.compiler=modern \ clean jars javadocs @@ -173,6 +173,9 @@ ln -sf %{name}.jar %{_javadir}/jaxp_parser_impl.jar %{_datadir}/%{name} %changelog +* Thu May 22 2025 Jyoti Kanase - 2.12.0-6 +- Fixed the build for 2.12.0 + * Thu Oct 14 2021 Pawel Winogrodzki - 2.12.0-5 - Converting the 'Release' tag to the '[number].[distribution]' format. - License verified. diff --git a/SPECS-EXTENDED/zix/drobilla.gpg b/SPECS-EXTENDED/zix/drobilla.gpg new file mode 100644 index 0000000000..943ca5f1c6 --- /dev/null +++ b/SPECS-EXTENDED/zix/drobilla.gpg 
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBEXaIU8RBAC7vZmKrMkUyYMKomqHn9bpgFlT01fSQZyB5vHCTb5uW467HQGv +FMu6CCh2UbTyMDc/0py+EDgmkiqstUQ6hII2BbjoAlRgh4Kw43/6G1IDQiMAHXFx +jgs4Kx/xEsamMWXcGLYgBQExnN0EjjGy8ukLFHi5d4RAgNVY3tUlT+31wwCgoetH +x893hs3OQCNV21UCUV/Ndy0D/1RqBTZGXjTQ2eBCbZI7YCGOfPPdmNoDbSaDMubk +UNdbc78+FvG4SOnXxOdwe6W7Lc5qHwYXcga21ajEXT7Fpok+bj9/6a2WCiB4gzkg +Pi8Lwa0XTs7Hjyh9DFtxGbJHNxtsUV97pVBzrxdAiKasY0/CVWuiJBbZuLsyxWwe +rgwjA/9FJXx1tqOBclX4IGZnVzCGzNhTMtj2P248gZ8B6fOTkbt5bUGHBs2XtM0j +irsYeLWeWsfMa0fFMksfrwekbA4u2uMv9dA8VyjXmYGmKfNOtuyPm/NOS4CjpRQO +e3uB+ttbTKwK9Hx6j5WpfLlUBSlAKlxL1wt4cV03QXI5Sh5+QLQiRGF2ZSBSb2Jp +bGxhcmQgPGRhdmVAZHJvYmlsbGEubmV0PoheBBMRAgAeBQJF2iFPAhsDBgsJCAcD +AgMVAgMDFgIBAh4BAheAAAoJEMb2DmUpcnBgGoQAoIHtHRacGREDktZoKv+hMqW5 +SolkAJ9Xaolpgqa0yuO0+U0cHLqYMdN4mbkCDQRF2iFWEAgA+TUcUVyDVXmiBsbM +V6MOW4ZClnS8Ayz+jOkRbPgIaZOgaWekTVXFHvIYb8zQIZHlYNRj3cESkECKzFPH +uQbYcWLtq2AhI5I32027uoierPzM3tkAIttbqxI+ZNvyLM+rOdO/tR7N3QQy4dxB +goNN33kMYoe9M+AoAVJVhj5i+lv79lkQOiOGyIrZRe8tK2vARwl4jpxn5ZyGtY46 +1KMuoOq1H0gBxUGnHG/29gMtfM0WR+mdkB0N4Vmd5DwCBF1PZW+bz/jwUtKTYKlU +4oVLToPbbr1ZxIQ/GeaiX0QbFC6qkYAz1mbXuwIhT7NZnF1Bb5NUVaNDD6me0P/z +mys3pwADBQgAmjvG8d8Ou84Ry7KFlI5aVttIRDvVvODI14XgrRsaEamBurtqH2d1 +GiTuQKatTBcP2Vh4EBggUKvUBo6OqHl5HSJnMCssot9sbjd2INcVNhA37psZA/z0 +SiHvsU5MYJZAhIRy2OSq6f2rTJnN3tpH9uP22G0hnHwWsvaPif2rJJKa4FsLfiSJ +83nNZycmL0swG/3r2CFaWKdgI8Qxh4a9hzhQ/xp677rp+wXoR15Tiz3doVIks9gU +x/ttSOlIe1qikvIm2sK4YjGskyk3ThDnbKADBA0LPxmUw0LRwfMUpjB9w/KPB6K1 +garaVufX87EiQjMqtcatifrlt86BQG6UqIhJBBgRAgAJBQJF2iFWAhsMAAoJEMb2 +DmUpcnBgUWgAnig09zgkm9I8MYfmjNdeVicZ/TslAJ9gXHch/j3J0oVLZn7iLl8L +enSb2JkCDQROyvsgARAAymdAvdxjXiijDSh09Je1GZlWZz8DBVBSp+Sy8Er3f6aa +NjpdUagO4EBLYXTXOaCmpg+iwqmH9F9kDniyPj1JYkaLvttFhXlUaLY4bVAf74RG +Wbxkrq2Geh5WfK78SbAHuLdp9bx7mCq3HahHLB/DGkElRCgvhFwGRoju7bvkHl/Y +MJJsLpUN+Tpdle5VeVuUAH8l48D3WCwp2kUBzA6DXF/SqOHtNV3tbnuKKdB2Q4ks 
+JI51KwqrSa3vTrB+8TmVpocjqUK1RD+7rBJKEh4ARHhlEz6C2W3nZm0lLxsFCkgs +ccqCdLV0ZP6vYhAOPWN1kvBjkkibd0szH9a4AUWO9kUT8B0HHzcquJl6LyV2NtVj +PkPNc4zBGsb+otuPRHDU2EeW248/42royn2TgDioJ3keTe/ZCD22CJ8kNBSZOPOU +9DkZiBv/1heourSWsQAQnWTz0uE4/yVk2/Z6L4nFMk2YZYeYoiYjtz2FdMn+/9tj +eJDr+LH1q6EcBPf3qjT90gOSo3cLlswpVPOOndlrXExVi17dQSrQGi8mBxBjeMb6 +pNbF9EXcbd3Cm9oWxJy6gVEPkY0a5tRmH2Vf8uO8SdHWqh1mMgMzzFLrlvef4CmB +TS0Rp72OYq8R+9lFcRGtbeOkUdaPIL7zxCsf+H0pJTjIH4nEYkZmv9wtBW+SgfcA +EQEAAbQgRGF2aWQgUm9iaWxsYXJkIDxkQGRyb2JpbGxhLm5ldD6JAjoEEwEIACQC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAk7K/HYCGQEACgkQ/GzPL3NkwkAb +RA/9Fq7wDadgPMTz47skAWqDyzc1kv4Auft+qpJDpSo9PwZWwQicAJZYNscinZVR +ZKhf+BD0v/eMoy+bzu+wf3Q+Eqq3xYCVUAHZzlQGa0MZ/8nQWfqqZe6Hq43KTgf0 +liSTWOYLHh50JuNPb0Vu2bjrgYxcLEEDIEIhulLiB+iiyuXWJ0ssA32Y9Oh+jxb2 +h62G9rWsYsvoAqvPyxhrbD1WLCMLi9KBXRpUTVaGcMtRicqpYvjZrqEkXINS6OBQ +mBuHiLoef7NGJR+22ljz2XPbQMji8m02ozOk8DDNlBMyubasIknulOEGKGgfwr2c +ZbU+1uUD4BbmWYAALGRXe2pl6AbGPU8kjgHQux2Pd7PH8qJxEvuU4O9Zi99jZgP2 +CMh4I4x3fv9RfDM4z77vMkaV8yoITz4vGdlY+UvSK5BzAMfQxuSCxPXtaqQEjS2g +r6KpUmadK7fLUmvFhXuPKwwA/BxbW6YcQKjhUZqnI5q4Hjek8iEnUiiZLnh1dSl3 +lp2us8Dxq3+TTX09qraOY25Kwf/Xjyd/l6/74JxXXFaeQkb9LHyqk3Jlk2THf3aW +TzH8h9lvTwruYhME0ib8mnPqDSfs1LQILmln8rs7Ma9HCKoUFJeMjqz3+sDMP3HC +SqqrdwxkqnufG/0S3dYjd+z910J/Qj1J/yhNAt1cA6Dwx3aIRgQQEQgABgUCTsr7 +twAKCRDG9g5lKXJwYFRNAJ4rI5MK8g+ouo85l96AAowEBrMvUQCdGdzUXaHH29N6 +FH60gGcMHi/M/jO5Ag0ETsr7IAEQALBnW/tm8zo9y8G1yOO0S0PKXxf3yPcM8J3s +wZupmuRmQyhUF3xoxiTtZH4XbMnUw2Ddzpt7XRFC8BTmI+5E32uxxR7EMgqMS1/X +MlIp+7qEiMF25DAZ6agOBFEe244MFlDt+WIt7XeJPViByKxbgi5rS14MljUazfQr +mgzAVq45RpDc3QIhgE65Q+9R4FDillWUwv5AkieRb3QdMHXrvSgsQ21bnvjdRggp +8Xw4GG4k0e5WnpU7FvDM2unDywvcU/LnRDxsZazzPNJDi1kq7CYmB94xvIdxvDed +QV8SFJ1YZkkx8MTule60t40b4pr6l2zJzR2SaR0GRsOaKeUPP08ye+20arJV/PbE +R7holpB8N68F3MYW712dosCLBVD2srpsjuWLdKA4X/SVb8i0bu/T7dwMJeDSOSmd +WXLEIMBsCQxuttk/hLkJQBVvWu/guMft8Qn2Lb9uPFe8Si8rkjiWTSEq2Q2PXcUu +X+0w9kbmuDULdovAyi+sLObkyx/dVz6LJbM1Ea6XWLhi4QVwKL5/VOey/6UctW2D 
+Kg0SNvLA5jiTx4L8u3Kd4TtvV8qmWOMTmLWXnezwE2Ln4gH65ZkbImgdZswt5r8G +DZ4fxLZsxjS9WPWAndH5z4yFtaUUHgf9A985baj2MVA3dhKXjoiZxLTThxxO40UK +wamCRY21ABEBAAGJAh8EGAEIAAkFAk7K+yACGwwACgkQ/GzPL3NkwkDnGA/7BVKA +/8hEHmmtrq7LzRLu6HYALdf/B7yfcpnwHjFjZchExWaQXuG+AqfgP4bm+OBnpN1e +OX7dD1x79AHJb/Mp2SX3NlzGvujzwMDrR9Hp4XmeeBXfxvSQXiRqcHH6Jr/rv564 +vYxgp0zdCmCRP1y+sSOEOyh46cTP9LD9w+1LzWW96dTo5FQ3q193rzrFBUJStbuM +Isp3puQ08ntmXXfYk+KuXB/hMKbJU9gbMBV7cQdGX4AZ4DcSsacs1TPdiqGZ4fJ3 +XjGegory9dVaTbwkK1ULEENGsPc8LIYTIlNHJ4E1ZSMAkTTn7ThphBvHnXOPG9fg +NimAhXYKpE4a+DwQJY1YY06KFJtqeGYGoFiTqfhn4R/Mq2kArFNoCmmbH1gDThsw +c7idTmyI4DHAhx8kHK0mrnkaA2J+Ah82Kimsu+sMKUxMwbYZ32yK18HQI3y8iXEu +GsGQk8X2gKO8YfOOvGFf2sPl1IN+ZZ8ZI7bZi/yzh5K04Pxyb6LTYpG+YDAZS6H5 +NkWQxPM0TCDFLDlLl5SESl7BxgqryqCY4okRGVq0WLXa3MpFCjoYOAdtkQOm6ZOE +9tjKogx0ZN9cflde2D9MSi9ADCZ8gK4tQ581Ea43owT2iMJVceGcqJE3ZVnUq2PX +DoVGVgIxT1stR69am4hgSHpShTRVU5fio+jiuHKZAg0ET0BWRQEQAOru18ePCKAr +nY43QCcDiVjDCTrPx0lswgkaGPWRwL1jOHiLnwMaafsb/SMjvgwJ3P40Tzo1wB22 +STmQ4/r5JL3nVQ7cRmeCDSMbbva9vuOAC/zOGH6N6Pd/Vyq4bJp3eWhL/bNiBF7R +4ft9E5RD1WIM7kDM0LUd2HgqyvwgKngiJFfZNCEXFuXhHNc4nuRsrLnEb5T+6PTl +noQRQyqd0rhShYTBvjL9DUhhFtgqNmjYl1hCurFnyE8G5zkxnIuJ+wWlgBiPSIIf +ZZY0IGLXH7DHDHaV+N4MKduCiOhPwLhaNHxNekBFaFNllLgVGMUE/Bp4GvHcfAgX +tAQbztqag5folJxNYNWX1qLmYh9hluJA0MRq+nFNpYWmMTcQQYOPpBuOVRf8u5qN +p/aQwH5DdoDa6Mdwfbrq+RcMBogwCjZGROe296YuBBIUfWRxfYQaIwbtrTajSZW2 +DWUze3tONLWjPJKJFDD6w42UQSp+fnDrrdZhasDU8bmVE5LUyA8B01BJWglQIgfL +Z5PzDsxSZtWulxsOoz+VwS2sbslNkVWFPWbcMoKB/fAtN+mmMzrjmHLbF+hLta4Z +ZBJcCS4Nk0Lw4+9Msf7jWWNEUbKyqvKnSK774mIDktp+o2fPXmi0KLcwxrda2SJS +bPeDbYsPzhwTR66+ZoQ430MifR4RIwanABEBAAG0IERhdmlkIFJvYmlsbGFyZCA8 +ZEBkcm9iaWxsYS5uZXQ+iQI6BBMBCAAkAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheABQJPQFfZAhkBAAoJEDZyeCqb82jzx9YQALzxj/8b+JD9px1lGb7ZbN5GTBdh +J6CgLkObSkwnU88vWxOhZDKd6dTyGYtmHg3rridM/0OMVv/hUXxTcRWKHo8S44OA +rFSNhjuarfh7IQRDpe16J9vWaStuK8uiyOmHl8IGmtDoVtlDo7yd0/b8lwCJd9R3 +4d81ruYLHguHxo6ahMyB+SjPXoqEj8dUcY4OR35wRI04H+HSq7s4kpqX4G5uhrtW 
+5dEk7GuqELyg9forQ4xDD/cSOXUtBX/Sak9KRKZLxNyp5h4xvSHi5wl3DjB4Of5J +P7e437J5PXQtw1mNHCwbMyp6R9cqETTwjRj11gbqFy1PjiKDgT6/iPvA+Vg4GcJH +k1Rhzq2PMLegZIqJ6+F3G2oRl0XF1J9j3XvSnXSTMlqEQd6VNFmAd1PGJMfok3kz +brPBIBt8/ltaSn71ekanzxpAVC4fHO6JzPszyqpdkRriTL7nYZ872J5+BWCC3eOr +QVvDNu+FZznHRuI8TqhdWr76w4oZMx56S/oV8bo9wVQx0urxjB851IcPWU8GyBu4 +Bqb9kpw8IzUY08AENKzal9KstCkCoG5a80B0sS7Et7a23TNZF2rBKOzza7yte+5d +PDeDg0WSexzJr35kArjUz7sgKODFfAlvTTgRPTTRIdBeQV69aUc3XvaJQFXwPobz +yvH/ie166GqJIRvOuQINBE9AVkUBEACr6qQSWRlg+AifZqLYSY64VQ4Bvj3SfVXl +MLlMWDeKFAnW49sg/DMu9t20m3m/L49UW51zyjnRlIN8j6NqmVtRKAs2C+FRpSTK +U6NSdsBweUOkQP6FGJRlb9o3cTxePBvQL/weulB/rzRhBqL4W3U4L3jUxYE0vCYs +D5Dq0/177BtazrOIBuRADABLQ7m9976jIfz9zNoix8j7CNtX0g+JB4E5kObVQ41N +LyZ8ei+t/q1MP1KxwD6e+icESlLNrO2rhXBssc6KScbdrPmCfR5bumFitEfxeIJI +s5XR/FKCgmQH4SRQJQ4MY/+B5OIRDH4zjbs8EP2kD+85hbKx8sjrQeafA1VYw+TN +FBJhCNqMkzl6WyZ2GX7ZP0xw19BS/RioOLVq3I3WSRpJGsguzE87xXDF91caaxQn +CL1LM2zqNstYDNYIAmCThVixeONFbFiPN7OsTG2lsSh79mX8+/2YAxj/9ACCxDcF +xXeWbByVdpuV2n24F3lLQBY1/Gpy8yskJLCOFEjGYVIHsEaD+FxR2x9WusWb+aeI +zHmOA8cwcLazJcneMvOTIrlgAz0yZphY+c6kx/opem0N+nKX+aEFbolnlsPXhGNC +AD5xffJOIUK+gGrPstf2WdqYfmWegd7ak1FG4j1WqHwHplOwgStPTO33IhhWXHLj +yRsf8AyumQARAQABiQIfBBgBCAAJBQJPQFZFAhsMAAoJEDZyeCqb82jzTUkP/3jv +hkMK0IGcuCVkfB3uIxsjLKl+lI2FDq/zUOo6Ko491q/8Ks2E4fGYmVrcxymnAThB +4STL0QaLJdIaRlJo0cMkcEsF0RKxu1aaLRRWk08hrdjI3aRLwzAdWxHAE3ESz75T +l26ZB1MvgWBSzyLtYJXYBz738ldIfvs5hzhDWMJTcbhf+Hnaoxt3fcDu8k0EdTIB +CRziOO7uq9npDxwMOTyPQvEMr4v8kIvn/Npu3ZQtadzkeSr+/ENCGNz1KatTV3Iy +lH6X8ANP8eiq4ODOrayjyKs0ZDtL3sn+jJhoz/AF/qBpSTnEtDUpPT3U0Noo4HHk +YQYiK8SI0OcxH9tSkgaeRcnFvlbJw2ackRpHuXNuGZ66zt2yDj7cZG6ssg9Yrrax +x3y+27MJXYnowOnRjCdCQZ5hKeOny73lyFZYDisCvqha138PRJtSwQAgnKEu0Bh/ +sSI0DtPZmsXC9iPg9AxBDqVfdxtsWqfA31JmR+MsN58cT1Ej4Li+cH9sPOFVOpSf +gylCgHUC2Lact8v5xrArHyrCBfmavDnclir84A5TuwGMLhm2Ui9yKn5fGgiF4P4U +U1zeTPb45Mf9NU5pKJXd5H0MsOU58DjaM5Af3dpH6c8wsyDkNeVDvUzLXghsUH80 +HQMSpfZtNLZ/57KoSi7YYYotWZX/mch2i4mqVEEp +=MGn/ +-----END PGP PUBLIC KEY BLOCK----- 
diff --git a/SPECS-EXTENDED/zix/zix-0.6.2.tar.xz.sig b/SPECS-EXTENDED/zix/zix-0.6.2.tar.xz.sig
new file mode 100644
index 0000000000..99f5eb2d34
Binary files /dev/null and b/SPECS-EXTENDED/zix/zix-0.6.2.tar.xz.sig differ
diff --git a/SPECS-EXTENDED/zix/zix.signatures.json b/SPECS-EXTENDED/zix/zix.signatures.json
new file mode 100644
index 0000000000..df6033673a
--- /dev/null
+++ b/SPECS-EXTENDED/zix/zix.signatures.json
@@ -0,0 +1,7 @@
+{
+ "Signatures": {
+ "drobilla.gpg": "29c8ffc9ffee2982ad3c3355736ed043377c1f0f4ea4776df4b98a464692b70e",
+ "zix-0.6.2.tar.xz": "4bc771abf4fcf399ea969a1da6b375f0117784f8fd0e2db356a859f635f616a7",
+ "zix-0.6.2.tar.xz.sig": "304bf98da3b23d128c385181f7603b06b009cc91cc9c19af9a133f8beb97c25c"
+ }
+}
diff --git a/SPECS-EXTENDED/zix/zix.spec b/SPECS-EXTENDED/zix/zix.spec
new file mode 100644
index 0000000000..22fe6195cd
--- /dev/null
+++ b/SPECS-EXTENDED/zix/zix.spec
@@ -0,0 +1,124 @@ +%global maj 0 + +Name: zix +Version: 0.6.2 +Release: 2%{?dist} +Summary: A lightweight C library of portability wrappers and data structures +Vendor: Microsoft Corporation +Distribution: Azure Linux +License: ISC +URL: https://gitlab.com/drobilla/%{name} +Source0: https://download.drobilla.net/%{name}-%{version}.tar.xz +Source1: https://download.drobilla.net/%{name}-%{version}.tar.xz.sig +Source2: https://drobilla.net/drobilla.gpg + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: meson +BuildRequires: doxygen +BuildRequires: python3-sphinx +BuildRequires: python3-sphinxygen +BuildRequires: gnupg2 + +%description +%{name} is a lightweight C library of portability wrappers and data structures. + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + +%package doc +Summary: Documentation files for %{name} +Provides: bundled(js-jquery) = 3.6.0 +Buildarch: noarch + +%description doc +The %{name}-doc package contains documentation files for +developing applications that use %{name}. 
+ +%prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup + +%build +# Do not build benchmarks +%meson -Dbenchmarks=disabled +%meson_build + +%install +%meson_install +# Delete duplicated sphinx docs +rm -rf %{buildroot}%{_docdir}/%{name}-%{maj}/singlehtml +# Delete sphinx buildinfo +rm -f %{buildroot}%{_docdir}/%{name}-%{maj}/html/.buildinfo +# Move devel docs to the right directory +install -d %{buildroot}%{_docdir}/%{name} +mv %{buildroot}%{_docdir}/%{name}-%{maj} %{buildroot}%{_docdir}/%{name} + +%check +%meson_test + +%files +%license COPYING +%doc README.md +%{_libdir}/lib%{name}-%{maj}.so.%{maj}* + +%files devel +%{_includedir}/%{name}-%{maj} +%{_libdir}/lib%{name}-%{maj}.so +%{_libdir}/pkgconfig/%{name}-%{maj}.pc + +%files doc +%license COPYING +%doc %{_docdir}/%{name}/%{name}-%{maj} + +%changelog +* Tue Feb 25 2025 Jyoti kanase - 0.6.2-2 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License Verified. + +* Sun Jan 19 2025 Guido Aulisi - 0.6.2-1 +- Update to 0.6.2 +- Verify sources + +* Sun Jan 19 2025 Fedora Release Engineering - 0.4.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sat Jul 20 2024 Fedora Release Engineering - 0.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Apr 11 2024 Guido Aulisi - 0.4.2-1 +- Update to 0.4.2 + +* Sat Jan 27 2024 Fedora Release Engineering - 0.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Sep 17 2023 Guido Aulisi - 0.4.0-1 +- Update to 0.4.0 +- Use releases + +* Sat Aug 12 2023 Guido Aulisi - 0.3.1-7 +- Drop dependency from doc package + +* Sun Apr 16 2023 Guido Aulisi - 0.3.1-6 +- Delete single html documetation +- Make doc package noarch + +* Sun Mar 19 2023 Guido Aulisi - 0.3.1-5 +- Put documentation files into separate package + +* Sat Mar 11 2023 Guido Aulisi - 0.3.1-4 +- Fix BRs + +* Sun Feb 26 2023 Guido Aulisi - 0.3.1-3 +- Enable docs + +* Sun Feb 05 
2023 Guido Aulisi - 0.3.1-2 +- Remove unneeded BR glib2-devel + +* Sun Feb 05 2023 Guido Aulisi - 0.3.1-1 +- Initial import diff --git a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec index 8c82f580f7..2b73da72a2 100644 --- a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec +++ b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec @@ -11,7 +11,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: edk2-hvloader-signed-%{buildarch} Version: %{GITDATE}git%{GITCOMMIT} -Release: 8%{?dist} +Release: 9%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -74,6 +74,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Mon Aug 11 2025 Azure Linux Security Servicing Account - 20240524git3e722403cd16-9 +- Bump release for consistency with edk2 spec. + * Thu Apr 24 2025 Jyoti Kanase - 20240524git3e722403cd16-8 - Bump release for consistency with edk2 spec. diff --git a/SPECS-SIGNED/fwctl-signed/fwctl-signed.spec b/SPECS-SIGNED/fwctl-signed/fwctl-signed.spec index 65cddce0e0..753ffe5286 100644 --- a/SPECS-SIGNED/fwctl-signed/fwctl-signed.spec +++ b/SPECS-SIGNED/fwctl-signed/fwctl-signed.spec 
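Review bot: The `%{gpgverify} --keyring='%{SOURCE2}'` line in the prep section trusts every key in the imported `drobilla.gpg`, and that file appears to carry three primary keys, the first of which looks like a 2007-era DSA-1024 key (the `mQGiBE` packet header under the `Version: GnuPG v1.4.11` armor line). As far as I can tell gpgverify accepts a signature made by any key in the keyring, so the signature check is only as strong as the weakest key shipped there. The sha256 entries in `zix.signatures.json` pin this particular tarball, so the exposure is mainly at the next version update, when the hashes are refreshed and the signature is the only independent check. I would ship a keyring reduced to the key that actually signs zix releases, produced with something like `gpg --export --export-options export-minimal <RELEASE_KEY_FINGERPRINT> > drobilla.gpg`, and add a comment next to `Source2` recording that fingerprint and where it was confirmed.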
@@ -35,17 +35,19 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} %{!?_name: %define _name fwctl} +%{!?_mofed_full_version: %define _mofed_full_version 24.10-20%{release_suffix}%{?dist}} Summary: %{_name} Driver Name: %{_name}-signed Version: 24.10 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} License: GPLv2 Url: http://nvidia.com Group: System Environment/Base @@ -70,8 +72,8 @@ fwctl signed kernel modules %package -n %{_name} Summary: %{summary} -Requires: mlnx-ofa_kernel = %{version} -Requires: mlnx-ofa_kernel-modules = %{version} +Requires: mlnx-ofa_kernel = %{_mofed_full_version} +Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version} Requires: kernel = %{target_kernel_version_full} Requires: kmod @@ -117,6 +119,12 @@ fi # 1 : closed %changelog +* Thu May 29 2025 Nicolas Guibourge - 24.10-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 24.10-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 24.10-18 - Bump release to rebuild for new kernel release 
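Review bot: The new `_mofed_full_version` default hard-codes `24.10-20`, repeating the `Version:` and `Release:` values set a few lines below, so every future "Bump release to rebuild for new kernel release" edit now has to change two places in this spec and stay in step with the mlnx-ofa_kernel spec. If they drift, the exact-match `Requires: mlnx-ofa_kernel = %{_mofed_full_version}` and `Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version}` in the second hunk cannot be satisfied and the signed module package will not install. The same line is added in the iser-signed, isert-signed, mlnx-nfsrdma-signed and xpmem-modules-signed specs later in this diff. At minimum I would add a comment above the define, for example `# Must equal the Version-Release of mlnx-ofa_kernel; update together with the Release tag below`, and ideally have the servicing tooling that bumps `Release:` rewrite this value too.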
diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index 5aeebf0080..a0dd356849 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -13,7 +13,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} Version: 2.06 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -84,6 +84,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/%{efidir}/%{grubpxeefiname} /boot/efi/EFI/%{efidir}/%{grubpxeefiname} %changelog +* Mon Jun 02 2025 Jyoti Kanase - 2.06-24 +- Bump release number to match grub release + * Thu Apr 17 2025 Kavya Sree Kaitepalli - 2.06-23 - Bump release number to match grb release diff --git a/SPECS-SIGNED/iser-signed/iser-signed.spec b/SPECS-SIGNED/iser-signed/iser-signed.spec index dc7f8eadf7..f088022127 100644 --- a/SPECS-SIGNED/iser-signed/iser-signed.spec +++ b/SPECS-SIGNED/iser-signed/iser-signed.spec 
@@ -31,17 +31,19 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} %{!?_name: %define _name iser} +%{!?_mofed_full_version: %define _mofed_full_version 24.10-20%{release_suffix}%{?dist}} Summary: %{_name} Driver Name: %{_name}-signed Version: 24.10 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} License: GPLv2 Url: http://www.mellanox.com Group: System Environment/Base @@ -65,8 +67,8 @@ iser signed kernel modules %package -n %{_name} Summary: %{summary} -Requires: mlnx-ofa_kernel = %{version} -Requires: mlnx-ofa_kernel-modules = %{version} +Requires: mlnx-ofa_kernel = %{_mofed_full_version} +Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version} Requires: kernel = %{target_kernel_version_full} Requires: kmod @@ -108,6 +110,12 @@ fi # 1 : closed %config(noreplace) %{_sysconfdir}/depmod.d/zz02-%{_name}-*.conf %changelog +* Thu May 29 2025 Nicolas Guibourge - 24.10-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 24.10-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 24.10-18 - Bump release to rebuild for new kernel release 
diff --git a/SPECS-SIGNED/isert-signed/isert-signed.spec b/SPECS-SIGNED/isert-signed/isert-signed.spec index 3846afdc04..0f50113e09 100644 --- a/SPECS-SIGNED/isert-signed/isert-signed.spec +++ b/SPECS-SIGNED/isert-signed/isert-signed.spec @@ -31,17 +31,19 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} %{!?_name: %define _name isert} +%{!?_mofed_full_version: %define _mofed_full_version 24.10-20%{release_suffix}%{?dist}} Summary: %{_name} Driver -Name: %{_name}-signed +Name: %{_name}-signed Version: 24.10 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} License: GPLv2 Url: http://www.mellanox.com Group: System Environment/Base @@ -65,8 +67,8 @@ isert signed kernel modules %package -n %{_name} Summary: %{summary} -Requires: mlnx-ofa_kernel = %{version} -Requires: mlnx-ofa_kernel-modules = %{version} +Requires: mlnx-ofa_kernel = %{_mofed_full_version} +Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version} Requires: kernel = %{target_kernel_version_full} Requires: kmod 
@@ -107,6 +109,12 @@ fi # 1 : closed %config(noreplace) %{_sysconfdir}/depmod.d/zz02-%{_name}-*.conf %changelog +* Thu May 29 2025 Nicolas Guibourge - 24.10-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 24.10-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 24.10-18 - Bump release to rebuild for new kernel release diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index 965c04c9ea..3f45012414 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -6,8 +6,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} -Version: 6.6.85.1 -Release: 4%{?dist} +Version: 6.6.96.2 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,27 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Fri Aug 15 2025 CBL-Mariner Servicing Account - 6.6.96.2-1 +- Auto-upgrade to 6.6.96.2 + +* Thu Jul 17 2025 Rachel Menge - 6.6.96.1-2 +- Bump release to match kernel + +* Mon Jul 07 2025 CBL-Mariner Servicing Account - 6.6.96.1-1 +- Auto-upgrade to 6.6.96.1 + +* Mon Jun 16 2025 Harshit Gupta - 6.6.92.2-3 +- Bump release to match kernel-64k + +* Mon Jun 09 2025 Rachel Menge - 6.6.92.2-2 +- Bump release to match kernel + +* Fri May 30 2025 CBL-Mariner Servicing Account - 6.6.92.2-1 +- Auto-upgrade to 6.6.92.2 + +* Fri May 23 2025 CBL-Mariner Servicing Account - 6.6.90.1-1 +- Auto-upgrade to 6.6.90.1 + * Tue May 13 2025 Siddharth Chintamaneni - 6.6.85.1-4 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 8b13c3885a..3e8362ff3f 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec 
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 6.6.85.1 -Release: 4%{?dist} +Version: 6.6.96.2 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,27 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Fri Aug 15 2025 CBL-Mariner Servicing Account - 6.6.96.2-1 +- Auto-upgrade to 6.6.96.2 + +* Thu Jul 17 2025 Rachel Menge - 6.6.96.1-2 +- Bump release to match kernel + +* Mon Jul 07 2025 CBL-Mariner Servicing Account - 6.6.96.1-1 +- Auto-upgrade to 6.6.96.1 + +* Mon Jun 16 2025 Harshit Gupta - 6.6.92.2-3 +- Bump release to match kernel + +* Mon Jun 09 2025 Rachel Menge - 6.6.92.2-2 +- Bump release to match kernel + +* Fri May 30 2025 CBL-Mariner Servicing Account - 6.6.92.2-1 +- Auto-upgrade to 6.6.92.2 + +* Fri May 23 2025 CBL-Mariner Servicing Account - 6.6.90.1-1 +- Auto-upgrade to 6.6.90.1 + * Tue May 13 2025 Siddharth Chintamaneni - 6.6.85.1-4 - Bump release to match kernel @@ -370,7 +391,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 * Fri Feb 23 2024 Chris Gunn - 6.6.14.1-3 - Rename initrd.img- to initramfs-.img -* Tue Jan 30 2024 Cameron Baird - 6.6.14.1-2 +* Tue Feb 20 2024 Cameron Baird - 6.6.14.1-2 - Remove legacy /boot/mariner.cfg - Introduce /etc/default/grub.d/10_kernel.cfg @@ -413,7 +434,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 * Tue Sep 26 2023 CBL-Mariner Servicing Account - 5.15.133.1-1 - Auto-upgrade to 5.15.133.1 -* Tue Sep 22 2023 Cameron Baird - 5.15.131.1-3 +* Thu Sep 21 2023 Cameron Baird - 5.15.131.1-3 - Bump release to match kernel * Wed Sep 20 2023 Jon Slobodzian - 5.15.131.1-2 diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index e2cd3fc97a..63e6cf05d3 100644 
--- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -5,8 +5,8 @@ %define kernelver %{version}-%{release} Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} -Version: 6.6.85.1 -Release: 4%{?dist} +Version: 6.6.96.2 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,27 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Fri Aug 15 2025 CBL-Mariner Servicing Account - 6.6.96.2-1 +- Auto-upgrade to 6.6.96.2 + +* Thu Jul 17 2025 Rachel Menge - 6.6.96.1-2 +- Bump release to match kernel + +* Mon Jul 07 2025 CBL-Mariner Servicing Account - 6.6.96.1-1 +- Auto-upgrade to 6.6.96.1 + +* Mon Jun 16 2025 Harshit Gupta - 6.6.92.2-3 +- Bump release to match kernel + +* Mon Jun 09 2025 Rachel Menge - 6.6.92.2-2 +- Bump release to match kernel + +* Fri May 30 2025 CBL-Mariner Servicing Account - 6.6.92.2-1 +- Auto-upgrade to 6.6.92.2 + +* Fri May 23 2025 CBL-Mariner Servicing Account - 6.6.90.1-1 +- Auto-upgrade to 6.6.90.1 + * Tue May 13 2025 Siddharth Chintamaneni - 6.6.85.1-4 - Bump release to match kernel diff --git a/SPECS-SIGNED/knem-modules-signed/knem-modules-signed.spec b/SPECS-SIGNED/knem-modules-signed/knem-modules-signed.spec index 52bddcd8a8..7948df13f5 100644 --- a/SPECS-SIGNED/knem-modules-signed/knem-modules-signed.spec +++ b/SPECS-SIGNED/knem-modules-signed/knem-modules-signed.spec 
@@ -28,8 +28,9 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} @@ -42,7 +43,7 @@ Summary: KNEM: High-Performance Intra-Node MPI Communication Name: %{_name}-signed Version: 1.1.4.90mlnx3 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} Provides: knem-mlnx = %{version}-%{release} Obsoletes: knem-mlnx < %{version}-%{release} License: BSD and GPLv2 @@ -107,6 +108,12 @@ fi /lib/modules/ %changelog +* Thu May 29 2025 Nicolas Guibourge - 1.1.4.90mlnx3-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 1.1.4.90mlnx3-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 1.1.4.90mlnx3-18 - Bump release to rebuild for new kernel release diff --git a/SPECS-SIGNED/mlnx-nfsrdma-signed/mlnx-nfsrdma-signed.spec b/SPECS-SIGNED/mlnx-nfsrdma-signed/mlnx-nfsrdma-signed.spec index be42c285a3..2c2c33a72c 100644 --- a/SPECS-SIGNED/mlnx-nfsrdma-signed/mlnx-nfsrdma-signed.spec +++ b/SPECS-SIGNED/mlnx-nfsrdma-signed/mlnx-nfsrdma-signed.spec 
@@ -31,19 +31,20 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} -%define mlnx_version 24.10 +%{!?_mofed_full_version: %define _mofed_full_version 24.10-20%{release_suffix}%{?dist}} %{!?_name: %define _name mlnx-nfsrdma} Summary: %{_name} Driver Name: %{_name}-signed Version: 24.10 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} License: GPLv2 Url: http://www.mellanox.com Group: System Environment/Base @@ -69,8 +70,8 @@ mellanox rdma signed kernel modules %package -n %{_name} Summary: %{summary} -Requires: mlnx-ofa_kernel = %{mlnx_version} -Requires: mlnx-ofa_kernel-modules = %{mlnx_version} +Requires: mlnx-ofa_kernel = %{_mofed_full_version} +Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version} Requires: kernel = %{target_kernel_version_full} Requires: kmod @@ -116,6 +117,12 @@ fi %config(noreplace) %{_sysconfdir}/depmod.d/zz02-%{_name}-*.conf %changelog +* Thu May 29 2025 Nicolas Guibourge - 24.10-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 24.10-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 24.10-18 - Bump release to rebuild for new kernel release 
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index b844dc142e..2b0db483a4 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec @@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 21%{?dist} +Release: 22%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -93,6 +93,9 @@ popd /boot/efi/EFI/BOOT/grubx64.efi %changelog +* Wed Aug 06 2025 Sean Dougherty - 255-22 +- Bump release to match systemd spec + * Mon Apr 14 2025 Pawel Winogrodzki - 255-21 - Updating SRPM name to systemd-boot-signed-%%{buildarch}. diff --git a/SPECS-SIGNED/xpmem-modules-signed/xpmem-modules-signed.spec b/SPECS-SIGNED/xpmem-modules-signed/xpmem-modules-signed.spec index 1438f66430..b2badb554a 100644 --- a/SPECS-SIGNED/xpmem-modules-signed/xpmem-modules-signed.spec +++ b/SPECS-SIGNED/xpmem-modules-signed/xpmem-modules-signed.spec 
@@ -5,12 +5,14 @@ %define __os_install_post %{__os_install_post_leave_signatures} %{nil} %global target_kernel_version_full %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}-%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers)) -%global target_azurelinux_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) +%global target_azl_build_kernel_version %(/bin/rpm -q --queryformat '%{RPMTAG_VERSION}' $(/bin/rpm -q --whatprovides kernel-headers)) %global target_kernel_release %(/bin/rpm -q --queryformat '%{RPMTAG_RELEASE}' $(/bin/rpm -q --whatprovides kernel-headers) | /bin/cut -d . -f 1) +%global release_suffix _%{target_azl_build_kernel_version}.%{target_kernel_release} %global KVERSION %{target_kernel_version_full} %define _name xpmem-modules +%{!?_mofed_full_version: %define _mofed_full_version 24.10-20%{release_suffix}%{?dist}} # xpmem-modules is a sub-package in SPECS/xpmem. # We are making that into a main package for signing. @@ -18,7 +20,7 @@ Summary: Cross-partition memory Name: %{_name}-signed Version: 2.7.4 -Release: 18%{?dist} +Release: 20%{release_suffix}%{?dist} License: GPLv2 and LGPLv2.1 Group: System Environment/Libraries Vendor: Microsoft Corporation @@ -47,8 +49,8 @@ This package includes the kernel module. %package -n %{_name} Summary: %{summary} -Requires: mlnx-ofa_kernel -Requires: mlnx-ofa_kernel-modules +Requires: mlnx-ofa_kernel = %{_mofed_full_version} +Requires: mlnx-ofa_kernel-modules = %{_mofed_full_version} Requires: kernel = %{target_kernel_version_full} Requires: kmod @@ -83,6 +85,12 @@ popd %changelog +* Thu May 29 2025 Nicolas Guibourge - 2.7.4-20 +- Add kernel version and release nb into release nb + +* Fri May 23 2025 CBL-Mariner Servicing Account - 2.7.4-19 +- Bump release to rebuild for new kernel release + * Tue May 13 2025 Siddharth Chintamaneni - 2.7.4-18 - Bump release to rebuild for new kernel release 
diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json index b810fb5319..a5f035b28a 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "SymCrypt-OpenSSL-1.8.1.tar.gz": "292d9eb2e9874abd250aff2715623ccaa1bd51c470a7c5af1bbd7678383372df" + "SymCrypt-OpenSSL-1.9.1.tar.gz": "4b2a2399c2d3a875d7af9830545f17055ccbcf6159d64fb0512aebe1e70491a5" } } diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec index 0d64666d92..935170bdd2 100644 --- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec +++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec @@ -1,6 +1,6 @@ Summary: The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations Name: SymCrypt-OpenSSL -Version: 1.8.1 +Version: 1.9.1 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation @@ -59,7 +59,14 @@ install SymCryptEngine/inc/e_scossl.h %{buildroot}%{_includedir}/e_scossl.h install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/symcrypt_prov.cnf %check -./bin/SslPlay/SslPlay +# Run in a subshell so the exit code of the test does not affect the main shell's exit code. +# This is important because the entire section is wrapped in a script by rpmbuild itself. +# The test is run twice: once with the default provider and once with the SymCrypt provider. +( + set -e + ./bin/SslPlay/SslPlay + ./bin/SslPlay/SslPlay --provider-path ./bin/SymCryptProvider/ --provider symcryptprovider --no-engine +) %files %license LICENSE 
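Review bot: The comment added to `%check` says the subshell keeps the tests' exit code from affecting the main shell, but the code does the opposite. With `set -e` inside `( … )`, a failing `SslPlay` run makes the subshell exit non-zero, and as the last command of the section that status is what rpmbuild acts on. Failing the build when either run fails is the right outcome for a crypto provider, so the comment should say that, e.g. `# Run both tests in a subshell with 'set -e' so that a failure of either run fails %check.` If the intent really was to ignore failures, the second run would never gate the build and the block needs rethinking.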
@@ -80,6 +87,13 @@ install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/sy %dir %attr(1733, root, root) %{_localstatedir}/log/keysinuse/ %changelog +* Fri Jul 25 2025 Tobias Brick - 1.9.1-1 +- Upgrade SymCrypt-OpenSSL to 1.9.1 for compatability and bug fixes. + +* Wed Jun 11 2025 Tobias Brick - 1.9.0-1 +- Auto-upgrade to 1.9.0 - Support digest state exports. +- Added second test run that forces the use of the SymCrypt provider. + * Tue May 13 2025 Tobias Brick - 1.8.1-1 - Upgrade to SymCrypt-OpenSSL 1.8.1 with minor bugfixes. diff --git a/SPECS/ansible/ansible.signatures.json b/SPECS/ansible/ansible.signatures.json index 2580eee18b..da5d2529d9 100644 --- a/SPECS/ansible/ansible.signatures.json +++ b/SPECS/ansible/ansible.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "ansible-2.17.0.tar.gz": "8ade6a00bdc256c65dfb3c05e05cfffbbcb7f0a37a0cb978c2ab388e37416d14" + "ansible-2.17.11.tar.gz": "913be5c4850a5128438db3233c073f762d1ff47a351304971aa05cb9e37de08d" } } diff --git a/SPECS/ansible/ansible.spec b/SPECS/ansible/ansible.spec index cdb1ced1ec..09de8aabbe 100644 --- a/SPECS/ansible/ansible.spec +++ b/SPECS/ansible/ansible.spec @@ -1,6 +1,6 @@ Summary: Configuration-management, application deployment, cloud provisioning system Name: ansible -Version: 2.17.0 +Version: 2.17.11 Release: 1%{?dist} License: GPLv3+ Vendor: Microsoft Corporation @@ -47,6 +47,9 @@ python3 setup.py test %{python3_sitelib}/* %changelog +* Thu May 08 2025 CBL-Mariner Servicing Account - 2.17.11-1 +- Auto-upgrade to 2.17.11 - CVE-2024-8775 and CVE-2024-9902 + * Mon May 20 2024 CBL-Mariner Servicing Account - 2.17.0-1 - Auto-upgrade to 2.17.0 - none diff --git a/SPECS/apache-commons-lang3/CVE-2025-48924.patch b/SPECS/apache-commons-lang3/CVE-2025-48924.patch new file mode 100644 index 0000000000..25a37f7e76 --- /dev/null +++ b/SPECS/apache-commons-lang3/CVE-2025-48924.patch 
@@ -0,0 +1,100 @@ +From b424803abdb2bec818e4fbcb251ce031c22aca53 Mon Sep 17 00:00:00 2001 +From: Gary Gregory +Date: Sat, 21 Sep 2024 17:23:08 -0400 +Subject: [PATCH] Rewrite ClassUtils.getClass() without recursion to avoid + StackOverflowError on very long inputs. + +- This was found fuzz testing Apache Commons Text which relies on +ClassUtils. +- OssFuzz Issue 42522972: +apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security +exception in org.apache.commons.lang3.ClassUtils.getClass + +Upstream Patch Reference: https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53.patch +--- + src/changes/changes.xml | 1 + + .../org/apache/commons/lang3/ClassUtils.java | 46 +++++++++---------- + 2 files changed, 23 insertions(+), 24 deletions(-) + +diff --git a/src/changes/changes.xml b/src/changes/changes.xml +index 5731324..dd2577b 100644 +--- a/src/changes/changes.xml ++++ b/src/changes/changes.xml +@@ -47,6 +47,7 @@ The type attribute can be add,update,fix,remove. + + + Restore BundleSymbolicName for OSGi ++ Rewrite ClassUtils.getClass(...) without recursion to avoid StackOverflowError on very long inputs. OSS-Fuzz Issue 42522972: apache-commons-text:StringSubstitutorInterpolatorFuzzer: Security exception in org.apache.commons.lang3.ClassUtils.getClass. 
+ + + +diff --git a/src/main/java/org/apache/commons/lang3/ClassUtils.java b/src/main/java/org/apache/commons/lang3/ClassUtils.java +index be9f0dd..a9ec195 100644 +--- a/src/main/java/org/apache/commons/lang3/ClassUtils.java ++++ b/src/main/java/org/apache/commons/lang3/ClassUtils.java +@@ -985,30 +985,27 @@ public class ClassUtils { + */ + public static Class getClass( + final ClassLoader classLoader, final String className, final boolean initialize) throws ClassNotFoundException { +- try { +- Class clazz; +- if (namePrimitiveMap.containsKey(className)) { +- clazz = namePrimitiveMap.get(className); +- } else { +- clazz = Class.forName(toCanonicalName(className), initialize, classLoader); +- } +- return clazz; +- } catch (final ClassNotFoundException ex) { +- // allow path separators (.) as inner class name separators +- final int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR); +- +- if (lastDotIndex != -1) { +- try { +- return getClass(classLoader, className.substring(0, lastDotIndex) + +- INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1), +- initialize); +- } catch (final ClassNotFoundException ex2) { // NOPMD +- // ignore exception ++ // This method was re-written to avoid recursion and stack overflows found by fuzz testing. 
++ String next = className; ++ int lastDotIndex = -1; ++ do { ++ try { ++ Class clazz; ++ if (namePrimitiveMap.containsKey(next)) { ++ clazz = namePrimitiveMap.get(next); ++ } else { ++ clazz = Class.forName(toCanonicalName(next), initialize, classLoader); ++ } ++ return clazz; ++ } catch (final ClassNotFoundException ex) { ++ lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR); ++ if (lastDotIndex != -1) { ++ next = next.substring(0, lastDotIndex) + ++ INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1); + } + } +- +- throw ex; +- } ++ } while (lastDotIndex != -1); ++ throw new ClassNotFoundException(next); + } + + /** +@@ -1124,9 +1121,10 @@ public class ClassUtils { + private static String toCanonicalName(String className) { + className = StringUtils.deleteWhitespace(className); + Validate.notNull(className, "className must not be null."); +- if (className.endsWith("[]")) { ++ final String arrayMarker = "[]"; ++ if (className.endsWith(arrayMarker)) { + final StringBuilder classNameBuffer = new StringBuilder(); +- while (className.endsWith("[]")) { ++ while (className.endsWith(arrayMarker)) { + className = className.substring(0, className.length() - 2); + classNameBuffer.append("["); + } +-- +2.34.1 + diff --git a/SPECS/apache-commons-lang3/apache-commons-lang3.spec b/SPECS/apache-commons-lang3/apache-commons-lang3.spec index 3e70599bf3..272f626903 100644 --- a/SPECS/apache-commons-lang3/apache-commons-lang3.spec +++ b/SPECS/apache-commons-lang3/apache-commons-lang3.spec @@ -18,7 +18,7 @@ Summary: Apache Commons Lang Package Name: apache-%{short_name} Version: 3.8.1 -Release: 5%{?dist} +Release: 6%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux 
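Review bot: The rewritten `getClass` ends with `throw new ClassNotFoundException(next)`, and by then `next` has had every `.` replaced by the inner-class separator, so callers and logs see a name that was never passed in. The removed code rethrew the original exception instead. Upstream ships it this way, so keeping the backport identical is defensible, but `throw new ClassNotFoundException(className);` would preserve the requested name. The patch carries no regression test for the long-input case it fixes (its diffstat lists only changes.xml and ClassUtils.java), so a test that feeds `getClass` a very long dotted name is worth adding if the package's test run allows it. The loop still makes one `Class.forName` attempt and one `substring` copy per dot, so callers that pass untrusted names should bound their length.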
@@ -27,6 +27,7 @@ URL: https://commons.apache.org/proper/commons-lang Source0: https://archive.apache.org/dist/commons/lang/source/%{short_name}-%{version}-src.tar.gz Source1: build.xml Source2: default.properties +Patch0: CVE-2025-48924.patch BuildRequires: ant BuildRequires: ant-junit BuildRequires: fdupes @@ -57,9 +58,8 @@ Group: Documentation/HTML Javadoc for %{name}. %prep -%setup -q -n %{short_name}-%{version}-src -cp %{SOURCE1} . -cp %{SOURCE2} . +%autosetup -n %{short_name}-%{version}-src -p1 +cp %{SOURCE1} %{SOURCE2} . sed -i 's/\r//' *.txt %pom_remove_parent . @@ -98,6 +98,9 @@ cp -pr target/apidocs/* %{buildroot}%{_javadocdir}/%{name}/ %{_javadocdir}/%{name} %changelog +* Wed Jul 16 2025 Aninda Pradhan - 3.8.1-6 +- Addressed CVE-2025-48924 + * Fri Mar 17 2023 Mykhailo Bykhovtsev - 3.8.1-5 - Moved from extended to core - License verified diff --git a/SPECS/asciidoc/asciidoc.spec b/SPECS/asciidoc/asciidoc.spec index b3d4a6dd24..5dcafe64da 100644 --- a/SPECS/asciidoc/asciidoc.spec +++ b/SPECS/asciidoc/asciidoc.spec @@ -1,7 +1,7 @@ Summary: AsciiDoc is a human readable text document format Name: asciidoc Version: 10.2.0 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 URL: https://asciidoc.org/ Group: System Environment/Development @@ -15,6 +15,7 @@ BuildRequires: libxslt BuildRequires: docbook-style-xsl BuildRequires: docbook-dtd-xml BuildRequires: python3-pip +BuildRequires: python-wheel Requires: python3 Requires: python3-xml Requires: libxslt @@ -66,6 +67,9 @@ python3 tests/testasciidoc.py run %dir %{python3_sitelib}/asciidoc/resources/filters/music %changelog +* Mon Jul 07 2025 Kavya Sree Kaitepalli - 10.2.0-3 +- Add BR on python-wheel to fix build + * Fri Feb 02 2024 Andrew Phelps - 10.2.0-2 - Fix path for egg-info diff --git a/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json b/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json new file mode 100644 index 0000000000..b09f8c6096 --- /dev/null 
+++ b/SPECS/azurelinux-image-tools/azurelinux-image-tools.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "azurelinux-image-tools-0.18.0.tar.gz": "dc0a167cbce8164f1a051abde165a575d411774cc65020bd39d6dfe0bb120064",
+ "azurelinux-image-tools-0.18.0-vendor.tar.gz": "6fadff7d823a97658704183f028ecc94e9725fe3ffcba1e4eb48c2d291c184da"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec b/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec
new file mode 100644
index 0000000000..5d4c5bb4dd
--- /dev/null
+++ b/SPECS/azurelinux-image-tools/azurelinux-image-tools.spec
@@ -0,0 +1,104 @@ +%define our_gopath %{_topdir}/.gopath + +Summary: Azure Linux Image Tools +Name: azurelinux-image-tools +Version: 0.18.0 +Release: 1%{?dist} +License: MIT +URL: https://github.com/microsoft/azure-linux-image-tools/ +Group: Applications/System +Vendor: Microsoft Corporation +Distribution: Azure Linux +Source0: https://github.com/microsoft/azure-linux-image-tools/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Below is a manually created tarball, no download link. +# We're using pre-populated Go modules from this tarball, since network is disabled during build time. +# Use generate_source_tarball.sh script with the package version to build this tarball. +# +Source1: %{name}-%{version}-vendor.tar.gz +BuildRequires: golang >= 1.24.1 +BuildRequires: systemd-udev +Requires: %{name}-imagecustomizer = %{version}-%{release} + +%description +Azure Linux Image Tools. This package provides the Azure Linux Image Customizer tool +and its dependencies for customizing Azure Linux images. + +%package imagecustomizer +Summary: Image Customizer +Requires: qemu-img +Requires: rpm +Requires: coreutils +Requires: util-linux +Requires: systemd +Requires: openssl +Requires: sed +Requires: createrepo_c +Requires: squashfs-tools +Requires: cdrkit +Requires: parted +Requires: e2fsprogs +Requires: dosfstools +Requires: xfsprogs +Requires: zstd +Requires: veritysetup +Requires: grub2 +Requires: binutils +Requires: lsof +Requires: python3 +Requires: python3-pip +Requires: jq +%ifarch x86_64 +Requires: grub2-pc +Requires: systemd-ukify +%endif + +%description imagecustomizer +The Azure Linux Image Customizer is a tool that can take an +existing generic Azure Linux image and modify it to be suited for a particular +scenario. By providing an Azure Linux base image, users can also supply a config +file specifying how they want the image to be customized. 
For example, this +could include the installation of certain RPMs, updating the SELinux mode, and +enabling DM-Verity. + +%prep +%autosetup -p1 -n azure-linux-image-tools-%{version} +tar -xf %{SOURCE1} --no-same-owner -C toolkit/tools + +%build +export GOPATH=%{our_gopath} +export GOFLAGS="-mod=vendor" +make -C toolkit go-imagecustomizer REBUILD_TOOLS=y SKIP_LICENSE_SCAN=y + +%install +mkdir -p %{buildroot}%{_bindir} +install -p -m 0755 toolkit/out/tools/imagecustomizer %{buildroot}%{_bindir}/imagecustomizer + +# Install container support files for imagecustomizer subpackage +# These files are used when building the imagecustomizer container +mkdir -p %{buildroot}/usr/local/bin +mkdir -p %{buildroot}/ + +# Copy container scripts from their source locations to container paths +install -p -m 0755 toolkit/tools/imagecustomizer/container/entrypoint.sh %{buildroot}/usr/local/bin/imagecustomizer-entrypoint.sh +install -p -m 0755 toolkit/tools/imagecustomizer/container/run.sh %{buildroot}/usr/local/bin/imagecustomizer-run.sh +install -p -m 0755 toolkit/scripts/telemetry_hopper/telemetry_hopper.py %{buildroot}/usr/local/bin/telemetry_hopper.py +install -p -m 0644 toolkit/scripts/telemetry_hopper/requirements.txt %{buildroot}/imagecustomizer-telemetry-requirements.txt + +%check +go test -C toolkit/tools ./... + +%files + +%files imagecustomizer +%license LICENSE +%{_bindir}/imagecustomizer +# Container support files - placed in container filesystem paths with imagecustomizer- prefix +/usr/local/bin/imagecustomizer-entrypoint.sh +/usr/local/bin/imagecustomizer-run.sh +/usr/local/bin/telemetry_hopper.py +/imagecustomizer-telemetry-requirements.txt + +%changelog +* Wed Aug 20 2025 Lanze Liu 0.18.0-1 +- Original version for Azure Linux (license: MIT). +- License verified. 
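Review bot: `%install` places packaged files under `/usr/local/bin` and directly in `/` (`/imagecustomizer-telemetry-requirements.txt`). Those locations are normally left to the local administrator, an RPM-owned file there can collide with or shadow local content, and `/usr/local/bin` commonly precedes `/usr/bin` in PATH. `telemetry_hopper.py` is also installed without the `imagecustomizer-` prefix that the comment in `%files` promises. Unless the container build depends on these exact paths, consider `%{_libexecdir}/%{name}/` for the three scripts and `%{_datadir}/%{name}/` for the requirements file, and at minimum rename the script to `imagecustomizer-telemetry_hopper.py`. The `mkdir -p %{buildroot}/` line is a no-op and can be dropped.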
diff --git a/SPECS/helm/generate_source_tarball.sh b/SPECS/azurelinux-image-tools/generate_source_tarball.sh similarity index 57% rename from SPECS/helm/generate_source_tarball.sh rename to SPECS/azurelinux-image-tools/generate_source_tarball.sh index d710ad54dc..a027ebcbd3 100755 --- a/SPECS/helm/generate_source_tarball.sh +++ b/SPECS/azurelinux-image-tools/generate_source_tarball.sh @@ -11,11 +11,11 @@ OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # parameters: # -# --srcTarball : src tarball file -# this file contains the 'initial' source code of the component -# and should be replaced with the new/modified src code -# --outFolder : folder where to copy the new tarball(s) -# --pkgVersion : package version +# --srcTarball : src tarball file +# this file contains the 'initial' source code of the component +# and should be replaced with the new/modified src code +# --outFolder : folder where to copy the new tarball(s) +# --pkgVersion : package version # PARAMS="" while (( "$#" )); do @@ -58,9 +58,9 @@ while (( "$#" )); do esac done -echo "--srcTarball -> $SRC_TARBALL" -echo "--outFolder -> $OUT_FOLDER" -echo "--pkgVersion -> $PKG_VERSION" +echo "--srcTarball -> $SRC_TARBALL" +echo "--outFolder -> $OUT_FOLDER" +echo "--pkgVersion -> $PKG_VERSION" if [ -z "$PKG_VERSION" ]; then echo "--pkgVersion parameter cannot be empty" 
@@ -77,23 +77,37 @@ trap cleanup EXIT pushd $tmpdir > /dev/null -NAME="helm" -NAME_VER="$NAME-$PKG_VERSION" -VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-vendor.tar.gz" +PKG_NAME="azure-linux-image-tools" +NAME_VER="$PKG_NAME-$PKG_VERSION" +VENDOR_PKG_NAME="azurelinux-image-tools" +VENDOR_NAME_VER="$VENDOR_PKG_NAME-$PKG_VERSION" +VENDOR_TARBALL="$OUT_FOLDER/$VENDOR_NAME_VER-vendor.tar.gz" + +# If source tarball is provided, use it; otherwise download it +if [ -n "$SRC_TARBALL" ]; then + echo "Using provided source tarball: $SRC_TARBALL" + cp "$SRC_TARBALL" . + SOURCE_FILE=$(basename "$SRC_TARBALL") +else + echo "Downloading source tarball..." + SOURCE_FILE="$NAME_VER.tar.gz" + wget https://github.com/microsoft/azure-linux-image-tools/archive/refs/tags/v$PKG_VERSION.tar.gz -O "$SOURCE_FILE" +fi echo "Unpacking source tarball..." -tar -xf $SRC_TARBALL +tar -xf "$SOURCE_FILE" +cd "$NAME_VER/toolkit/tools" -cd "$NAME_VER" -echo "Get vendored modules" +echo "Generate vendored modules tarball" +go mod tidy go mod vendor echo "Tar vendored modules" tar --sort=name \ - --mtime="2021-04-26 00:00Z" \ + --mtime="2025-07-18 00:00Z" \ --owner=0 --group=0 --numeric-owner \ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -cf "$VENDOR_TARBALL" vendor popd > /dev/null -echo "$NAME vendored modules are available at $VENDOR_TARBALL" +echo "$VENDOR_PKG_NAME vendored modules are available at $VENDOR_TARBALL" diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json index 13e9243d3e..8f0b054bd6 100644 --- a/SPECS/bind/bind.signatures.json +++ b/SPECS/bind/bind.signatures.json 
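Review bot: `go mod tidy` runs before `go mod vendor` and can rewrite go.mod and go.sum in the unpacked tree, but only `vendor/` is archived, while the spec builds the untouched Source0 with `-mod=vendor`. Any change tidy makes can therefore leave `vendor/modules.txt` out of step with the go.mod that is actually built. Dropping it, or replacing it with `go mod verify` so the downloaded modules are checked against go.sum, keeps the vendor tarball tied to what upstream tagged. In the download branch, the tarball fetched by `wget` is unpacked without being compared with the hash recorded in the package's signatures file. A `sha256sum` comparison before `tar -xf "$SOURCE_FILE"` would close that gap.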
@@ -1,6 +1,6 @@ { "Signatures": { - "bind-9.20.5.tar.xz": "19274fd739c023772b4212a0b6c201cf4364855fa7e6a7d3db49693f55db1ab8", + "bind-9.20.11.tar.xz": "4da2d532e668bc21e883f6e6d9d3d81794d9ec60b181530385649a56f46ee17a", "dlz-modules-main.tar.gz": "884bef3535317a7757ad0e3556a27e2ed1a80f5b1040bce4074780c8719667d0", "generate-rndc-key.sh": "da0964516a9abe4074e262a1d0b7f63e63b2150c4cc2dddaaca029010383c422", "named-chroot.files": "5dbc7bd2a21836fb86cb740a2d4d72eb9f2b4f341996cd0c8ae9c39e95c0d76c", diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 36f2d31440..c74140182c 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec @@ -9,8 +9,8 @@ Summary: Domain Name System software Name: bind -Version: 9.20.5 -Release: 4%{?dist} +Version: 9.20.11 +Release: 1%{?dist} License: ISC Vendor: Microsoft Corporation Distribution: Azure Linux @@ -536,7 +536,13 @@ fi; %{_mandir}/man1/named-nzd2nzf.1* %changelog -* Tue Feb 11 2025 Andrew Phelps - 9.20.5-4 +* Fri Jul 18 2025 Kevin Lockwood - 9.20.11-1 +- Upgrade to 9.20.11 - for CVE-2025-40777 + +* Mon May 26 2025 CBL-Mariner Servicing Account - 9.20.9-1 +- Auto-upgrade to 9.20.9 - for CVE-2025-40775 + +* Mon Mar 03 2025 Andrew Phelps - 9.20.5-4 - Remove duplicate shared object files in base and devel packages - Remove duplicate files from utils package - Add requires for bind-libs from base package diff --git a/SPECS/bind/nongit-fix.patch b/SPECS/bind/nongit-fix.patch index 39d8c152a2..4c6930db05 100644 --- a/SPECS/bind/nongit-fix.patch +++ b/SPECS/bind/nongit-fix.patch 
@@ -1,18 +1,18 @@ -From a93a15295ac2690f587711b26af84d6292d2aa1b Mon Sep 17 00:00:00 2001 -From: Kanishk Bansal -Date: Tue, 4 Feb 2025 06:49:17 +0000 -Subject: [PATCH] Fix issue where bind directory isn't downloaded via git +From 87098009404ea5d372be6268bd1d1ce356c1a4f5 Mon Sep 17 00:00:00 2001 +From: Kshitiz Godara +Date: Mon, 2 Jun 2025 16:33:19 +0000 +Subject: [PATCH 2/2] non-git download issue --- configure.ac | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac -index 168a77a..37c0acd 100644 +index 9701cdb..b7c84f6 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ m4_define([bind_VERSION_MINOR], 20)dnl - m4_define([bind_VERSION_PATCH], 5)dnl + m4_define([bind_VERSION_PATCH], 11)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Stable Release)])dnl -m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl @@ -32,5 +32,5 @@ index 168a77a..37c0acd 100644 # -- -2.43.0 +2.45.3 diff --git a/SPECS/binutils/CVE-2025-5244.patch b/SPECS/binutils/CVE-2025-5244.patch new file mode 100644 index 0000000000..daac252d7e --- /dev/null +++ b/SPECS/binutils/CVE-2025-5244.patch @@ -0,0 +1,28 @@ +From 186b3fef5b6938267c1b997ac63108a2938316f7 Mon Sep 17 00:00:00 2001 +From: AkarshHCL +Date: Thu, 29 May 2025 05:52:21 +0000 +Subject: [PATCH] Address CVE-2025-5244 + +Upstream Patch reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5 + +--- + bfd/elflink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 30b32bf9..be2a2f53 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -14120,7 +14120,8 @@ elf_gc_sweep (bfd *abfd, struct bfd_link_info *info) + if (o->flags & SEC_GROUP) + { + asection *first = elf_next_in_group (o); +- o->gc_mark = first->gc_mark; ++ if (first != NULL) ++ o->gc_mark = first->gc_mark; + } + + if (o->gc_mark) +-- +2.45.2 + 
diff --git a/SPECS/binutils/CVE-2025-5245.patch b/SPECS/binutils/CVE-2025-5245.patch new file mode 100644 index 0000000000..3476035ffb --- /dev/null +++ b/SPECS/binutils/CVE-2025-5245.patch @@ -0,0 +1,41 @@ +From 0337a44778cd8c29da76653f438b39f7ce674fd1 Mon Sep 17 00:00:00 2001 +From: AkarshHCL +Date: Wed, 28 May 2025 12:10:43 +0000 +Subject: [PATCH] Address CVE-2025-5245 + +Upstream Patch Reference: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a + +--- + binutils/debug.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/binutils/debug.c b/binutils/debug.c +index bb26d914..59ba206e 100644 +--- a/binutils/debug.c ++++ b/binutils/debug.c +@@ -2554,9 +2554,6 @@ debug_write_type (struct debug_handle *info, + case DEBUG_KIND_UNION_CLASS: + return debug_write_class_type (info, fns, fhandle, type, tag); + case DEBUG_KIND_ENUM: +- if (type->u.kenum == NULL) +- return (*fns->enum_type) (fhandle, tag, (const char **) NULL, +- (bfd_signed_vma *) NULL); + return (*fns->enum_type) (fhandle, tag, type->u.kenum->names, + type->u.kenum->values); + case DEBUG_KIND_POINTER: +@@ -3097,9 +3094,9 @@ debug_type_samep (struct debug_handle *info, struct debug_type_s *t1, + break; + + case DEBUG_KIND_ENUM: +- if (t1->u.kenum == NULL) +- ret = t2->u.kenum == NULL; +- else if (t2->u.kenum == NULL) ++ if (t1->u.kenum->names == NULL) ++ ret = t2->u.kenum->names == NULL; ++ else if (t2->u.kenum->names == NULL) + ret = false; + else + { +-- +2.45.2 + diff --git a/SPECS/binutils/CVE-2025-7545.patch b/SPECS/binutils/CVE-2025-7545.patch new file mode 100644 index 0000000000..28b7ca0e57 --- /dev/null +++ b/SPECS/binutils/CVE-2025-7545.patch 
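Review bot: The `debug_write_type` part of this patch deletes the `type->u.kenum == NULL` guard and then dereferences `type->u.kenum->names` unconditionally, and `debug_type_samep` now reads `t1->u.kenum->names` and `t2->u.kenum->names` the same way. That is safe only if `kenum` is always allocated when an enum type is created, which the patch itself does not show. Presumably the upstream commit relies on that invariant, so the patch header should state it, e.g. `u.kenum is never NULL for DEBUG_KIND_ENUM; an undefined enum is represented by names == NULL`. It should also be confirmed against the 2.41 sources this backport is applied to, since a mismatch would trade one NULL dereference for another.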
@@ -0,0 +1,38 @@ +From 255c74cb9030905028a4f9ce07aff56039844152 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 17 Jul 2025 08:46:38 +0000 +Subject: [PATCH] Fix CVE CVE-2025-7545 in binutils + +Upstream Patch Reference: https://github.com/bminor/binutils-gdb/commit/08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944.patch +--- + binutils/objcopy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/binutils/objcopy.c b/binutils/objcopy.c +index 3569b890..c09d85d1 100644 +--- a/binutils/objcopy.c ++++ b/binutils/objcopy.c +@@ -4514,6 +4514,7 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) + char *to = (char *) memhunk; + char *end = (char *) memhunk + size; + int i; ++ bfd_size_type memhunk_size = size; + + /* If the section address is not exactly divisible by the interleave, + then we must bias the from address. If the copy_byte is less than +@@ -4533,6 +4534,11 @@ copy_section (bfd *ibfd, sec_ptr isection, void *obfdarg) + } + + size = (size + interleave - 1 - copy_byte) / interleave * copy_width; ++ ++ /* Don't extend the output section size. */ ++ if (size > memhunk_size) ++ size = memhunk_size; ++ + osection->lma /= interleave; + if (copy_byte < extra) + osection->lma++; +-- +2.45.3 + diff --git a/SPECS/binutils/CVE-2025-7546.patch b/SPECS/binutils/CVE-2025-7546.patch new file mode 100644 index 0000000000..8556d49c47 --- /dev/null +++ b/SPECS/binutils/CVE-2025-7546.patch 
@@ -0,0 +1,49 @@ +From 35b1514eba18a239c85867ab4132408d85e1e120 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 17 Jul 2025 08:48:22 +0000 +Subject: [PATCH] Fix CVE CVE-2025-7546 in binutils + +Upstream Patch Reference: https://github.com/bminor/binutils-gdb/commit/41461010eb7c79fee7a9d5f6209accdaac66cc6b.patch +--- + bfd/elf.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/bfd/elf.c b/bfd/elf.c +index d38e0aff..1de0cec0 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -4120,20 +4120,17 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg) + break; + } + +- /* We should always get here with loc == sec->contents + 4, but it is +- possible to craft bogus SHT_GROUP sections that will cause segfaults +- in objcopy without checking loc here and in the loop above. */ +- if (loc == sec->contents) +- BFD_ASSERT (0); +- else ++ /* We should always get here with loc == sec->contents + 4. Return ++ an error for bogus SHT_GROUP sections. */ ++ loc -= 4; ++ if (loc != sec->contents) + { +- loc -= 4; +- if (loc != sec->contents) +- { +- BFD_ASSERT (0); +- memset (sec->contents + 4, 0, loc - sec->contents); +- loc = sec->contents; +- } ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"), ++ abfd, sec); ++ bfd_set_error (bfd_error_bad_value); ++ *failedptr = true; ++ return; + } + + H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc); +-- +2.45.3 + diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec index 1cad5bfe52..8a4de6daf6 100644 --- a/SPECS/binutils/binutils.spec +++ b/SPECS/binutils/binutils.spec @@ -21,7 +21,7 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils Version: 2.41 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -38,6 +38,10 @@ Patch4: CVE-2025-1181.patch Patch5: CVE-2025-1182.patch Patch6: CVE-2025-0840.patch Patch7: CVE-2025-1744.patch +Patch8: CVE-2025-5245.patch +Patch9: CVE-2025-5244.patch +Patch10: CVE-2025-7546.patch +Patch11: CVE-2025-7545.patch Provides: bundled(libiberty) # Moving macro before the "SourceX" tags breaks PR checks parsing the specs. @@ -327,6 +331,12 @@ find %{buildroot} -type f -name "*.la" -delete -print %do_files aarch64-linux-gnu %{build_aarch64} %changelog +* Thu Jul 17 2025 Azure Linux Security Servicing Account - 2.41-7 +- Patch for CVE-2025-7546, CVE-2025-7545 + +* Wed May 28 2025 Akarsh Chaudhary - 2.41-6 +- Patch CVE-2025-5245 , CVE-2025-5244 + * Tue Mar 11 2025 Kavya Sree Kaitepalli - 2.41-5 - Fix CVE-2025-1744 diff --git a/SPECS/blobfuse2/CVE-2025-30204.patch b/SPECS/blobfuse2/CVE-2025-30204.patch deleted file mode 100644 index f744195603..0000000000 --- a/SPECS/blobfuse2/CVE-2025-30204.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 14906e31f0685520eb4028c916bf82e811cfcd20 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Wed, 26 Mar 2025 19:20:10 +0000 -Subject: [PATCH] CVE-2025-30204 - -Upstream Reference : https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3 - ---- - vendor/github.com/golang-jwt/jwt/v5/parser.go | 36 +++++++++++++++++++++++--- - 1 file changed, 33 insertions(+), 3 deletions(-) - -diff --git a/vendor/github.com/golang-jwt/jwt/v5/parser.go b/vendor/github.com/golang-jwt/jwt/v5/parser.go -index ecf99af..054c7eb 100644 ---- a/vendor/github.com/golang-jwt/jwt/v5/parser.go -+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go -@@ -8,6 +8,8 @@ import ( - "strings" - ) - -+const tokenDelimiter = "." -+ - type Parser struct { - // If populated, only these methods will be considered valid. - validMethods []string -@@ -136,9 +138,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf - // It's only ever useful in cases where you know the signature is valid (since it has already - // been or will be checked elsewhere in the stack) and you want to extract values from it. - func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) { -- parts = strings.Split(tokenString, ".") -- if len(parts) != 3 { -- return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed) -+ var ok bool -+ parts, ok = splitToken(tokenString) -+ if !ok { -+ return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed) - } - - token = &Token{Raw: tokenString} -@@ -196,6 +199,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke - return token, parts, nil - } - -+// splitToken splits a token string into three parts: header, claims, and signature. It will only -+// return true if the token contains exactly two delimiters and three parts. 
In all other cases, it -+// will return nil parts and false. -+func splitToken(token string) ([]string, bool) { -+ parts := make([]string, 3) -+ header, remain, ok := strings.Cut(token, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[0] = header -+ claims, remain, ok := strings.Cut(remain, tokenDelimiter) -+ if !ok { -+ return nil, false -+ } -+ parts[1] = claims -+ // One more cut to ensure the signature is the last part of the token and there are no more -+ // delimiters. This avoids an issue where malicious input could contain additional delimiters -+ // causing unecessary overhead parsing tokens. -+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter) -+ if unexpected { -+ return nil, false -+ } -+ parts[2] = signature -+ -+ return parts, true -+} -+ - // DecodeSegment decodes a JWT specific base64url encoding. This function will - // take into account whether the [Parser] is configured with additional options, - // such as [WithStrictDecoding] or [WithPaddingAllowed]. --- -2.45.2 - diff --git a/SPECS/blobfuse2/blobfuse2.signatures.json b/SPECS/blobfuse2/blobfuse2.signatures.json deleted file mode 100644 index e8a5d7ecb1..0000000000 --- a/SPECS/blobfuse2/blobfuse2.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "blobfuse2-2.3.2-vendor.tar.gz": "109d4e98f532736ace27bebd29b76a87764e60b9cc066a1289e5ae97eead4c16", - "blobfuse2-2.3.2.tar.gz": "018c23c7d2e3216392a3afc3b30e7d3836e6e6f552735bc64d3d77771aa6fb9f" - } -} \ No newline at end of file diff --git a/SPECS/blobfuse2/blobfuse2.spec b/SPECS/blobfuse2/blobfuse2.spec deleted file mode 100644 index 475e75efed..0000000000 --- a/SPECS/blobfuse2/blobfuse2.spec +++ /dev/null 
@@ -1,142 +0,0 @@ -%global debug_package %{nil} - -%define our_gopath %{_topdir}/.gopath -%define blobfuse2_health_monitor bfusemon - -Summary: FUSE adapter - Azure Storage -Name: blobfuse2 -Version: 2.3.2 -Release: 3%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Applications/Tools -URL: https://github.com/Azure/azure-storage-fuse/ -Source0: https://github.com/Azure/azure-storage-fuse/archive/%{name}-%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Leverage the `generate_source_tarball.sh` to create the vendor sources. -Source1: %{name}-%{version}-vendor.tar.gz -Patch0: CVE-2025-30204.patch -BuildRequires: cmake -BuildRequires: fuse3-devel -BuildRequires: gcc -BuildRequires: golang >= 1.16 -Requires: fuse3 - -%description -Blobfuse2 provides a virtual filesystem backed by the Azure Storage. -It uses the libfuse open source library (fuse3) to communicate with the -Linux FUSE kernel module, and implements the filesystem operations using -the Azure Storage REST APIs. 
- -%prep -%autosetup -a 1 -p1 -n azure-storage-fuse-%{name}-%{version} - -%build -export GOPATH=%{our_gopath} -go build -buildmode=pie -mod=vendor -o %{name} -go build -buildmode=pie -mod=vendor -o %{blobfuse2_health_monitor} ./tools/health-monitor/ - -%install -install -D -m 0755 ./blobfuse2 %{buildroot}%{_bindir}/blobfuse2 -install -D -m 0755 ./%{blobfuse2_health_monitor} %{buildroot}%{_bindir}/%{blobfuse2_health_monitor} -install -D -m 0644 ./setup/baseConfig.yaml %{buildroot}%{_datadir}/blobfuse2/baseConfig.yaml -install -D -m 0644 ./sampleFileCacheConfig.yaml %{buildroot}%{_datadir}/blobfuse2/sampleFileCacheConfig.yaml -install -D -m 0644 ./sampleStreamingConfig.yaml %{buildroot}%{_datadir}/blobfuse2/sampleStreamingConfig.yaml -install -D -m 0755 ./tools/postinstall.sh %{buildroot}%{_datadir}/blobfuse2/postinstall.sh -install -D -m 0644 ./setup/11-blobfuse2.conf %{buildroot}%{_sysconfdir}/rsyslog.d/11-blobfuse2.conf -install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/blobfuse2 - -%files -%defattr(-,root,root,-) -%license LICENSE -%license NOTICE -%doc README.md -%{_bindir}/blobfuse2 -%{_bindir}/%{blobfuse2_health_monitor} -%{_datadir}/blobfuse2/baseConfig.yaml -%{_datadir}/blobfuse2/sampleFileCacheConfig.yaml -%{_datadir}/blobfuse2/sampleStreamingConfig.yaml -%{_datadir}/blobfuse2/postinstall.sh -%{_sysconfdir}/rsyslog.d/11-blobfuse2.conf -%{_sysconfdir}/logrotate.d/blobfuse2 - -%changelog -* Fri May 30 2025 Ranjan Dutta - 2.3.2-3 -- merge from Azure Linux 3.0.20250521-3.0 -- Patch CVE-2025-30204 - -* Fri Mar 21 2025 Anuj Mittal - 2.3.2-2 -- Bump Release to rebuild - -* Fri Sep 27 2024 Archana Choudhary - 2.3.2-1 -- Upgrade to version 2.3.2. -- Fixes CVE-2024-35255 - -* Tue Jul 09 2024 Pawel Winogrodzki - 2.3.0-1 -- Update to version 2.3.0. - -* Mon Jul 08 2024 Pawel Winogrodzki - 2.1.0-4 -- Adding a patch for CVE-2023-44487. -- Switched to building the vendor tarball with the generate_source_tarball.sh script. 
- -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 2.1.0-3 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 2.1.0-2 -- Bump release to rebuild with updated version of Go. - -* Mon Sep 04 2023 Anubhuti Shruti - 2.1.0-1 -- Bump version to 2.1.0 - -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 2.0.5-2 -- Bump release to rebuild with go 1.19.12 - -* Wed Aug 02 2023 Sourav Gupta - 2.0.5-1 -- Bump version to 2.0.5 - -* Mon Jul 17 2023 Sourav Gupta - 2.0.4-1 -- Bump version to 2.0.4 - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 2.0.2-6 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 2.0.2-5 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 2.0.2-4 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 2.0.2-3 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 2.0.2-2 -- Bump release to rebuild with go 1.19.6 - -* Mon Feb 27 2023 Gauri Prasad - 2.0.2-1 -- Bump version to 2.0.2 - -* Fri Feb 03 2023 CBL-Mariner Servicing Account - 2.0.1-4 -- Bump release to rebuild with go 1.19.5 - -* Wed Jan 18 2023 CBL-Mariner Servicing Account - 2.0.1-3 -- Bump release to rebuild with go 1.19.4 - -* Fri Dec 16 2022 Daniel McIlvaney - 2.0.1-2 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Fri Dec 02 2022 Gauri Prasad - 2.0.1-1 -- Bump version to 2.0.1 - -* Wed Nov 30 2022 Gauri Prasad - 2.0.0-1 -- Bump version to 2.0.0 - -* Fri Nov 04 2022 Gauri Prasad - 2.0.0.preview.4-1 -- Bump version to 2.0.0-preview.4 - -* Tue Nov 01 2022 Olivia Crain - 2.0.0.preview.3-2 -- Bump release to rebuild with go 1.18.8 - -* Mon Oct 03 2022 Gauri Prasad - 2.0.0.preview.3-1 -- Add blobfuse2 spec -- License verified -- Original version for CBL-Mariner 
diff --git a/SPECS/blobfuse2/generate_source_tarball.sh b/SPECS/blobfuse2/generate_source_tarball.sh deleted file mode 100755 index 66cea26055..0000000000 --- a/SPECS/blobfuse2/generate_source_tarball.sh +++ /dev/null 
@@ -1,96 +0,0 @@ -#!/bin/bash -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. - -# Quit on failure -set -e - -PKG_VERSION="" -SRC_TARBALL="" -OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# parameters: -# -# --srcTarball : src tarball file -# this file contains the 'initial' source code of the component -# and should be replaced with the new/modified src code -# --outFolder : folder where to copy the new tarball(s) -# --pkgVersion : package version -# -PARAMS="" -while (( "$#" )); do - case "$1" in - --srcTarball) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - SRC_TARBALL=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - --outFolder) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - OUT_FOLDER=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - --pkgVersion) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - PKG_VERSION=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - -*|--*=) # unsupported flags - echo "Error: Unsupported flag $1" >&2 - exit 1 - ;; - *) # preserve positional arguments - PARAMS="$PARAMS $1" - shift - ;; - esac -done - -echo "--srcTarball -> $SRC_TARBALL" -echo "--outFolder -> $OUT_FOLDER" -echo "--pkgVersion -> $PKG_VERSION" - -if [ -z "$PKG_VERSION" ]; then - echo "--pkgVersion parameter cannot be empty" - exit 1 -fi - -echo "-- create temp folder" -tmpdir=$(mktemp -d) -function cleanup { - echo "+++ cleanup -> remove $tmpdir" - rm -rf $tmpdir -} -trap cleanup EXIT - -pushd $tmpdir > /dev/null - -echo "Unpacking source tarball..." 
-tar -xf $SRC_TARBALL - -cd "azure-storage-fuse-blobfuse2-$PKG_VERSION" -echo "Get vendored modules" -go mod vendor - -echo "Tar vendored modules" -VENDOR_TARBALL="$OUT_FOLDER/blobfuse2-vendor.tar.gz" -tar --sort=name \ - --mtime="2021-04-26 00:00Z" \ - --owner=0 --group=0 --numeric-owner \ - --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ - -cf "$VENDOR_TARBALL" vendor - -popd > /dev/null -echo "Blobfuse2 vendored modules are available at $VENDOR_TARBALL" diff --git a/SPECS/bmake/bmake.spec b/SPECS/bmake/bmake.spec index 6c24d8b6b6..4e5edcdead 100644 --- a/SPECS/bmake/bmake.spec +++ b/SPECS/bmake/bmake.spec @@ -1,13 +1,14 @@ Summary: The NetBSD make(1) tool Name: bmake Version: 20230723 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://ftp.netbsd.org/pub/NetBSD/misc/sjg/ Source0: %{url}/bmake-%{version}.tar.gz Patch0: do-not-run-tests-on-install.patch +Patch1: remove-inconsistent-time-tests.patch BuildRequires: gcc BuildRequires: sed BuildRequires: util-linux @@ -60,6 +61,10 @@ chmod a-x %{buildroot}%{_datadir}/mk/mkopt.sh %{_datadir}/mk %changelog +* Tue July 1 2025 Mykhailo Bykhovtsev - 20230723-3 +- Add patch do-not-run-tests-on-install.patch to skip unreliable tests +- tests in varmod-localtime.mk + * Thu May 15 2025 Andrew Phelps - 20230723-2 - Move unit tests to check section diff --git a/SPECS/bmake/remove-inconsistent-time-tests.patch b/SPECS/bmake/remove-inconsistent-time-tests.patch new file mode 100644 index 0000000000..b667585d59 --- /dev/null +++ b/SPECS/bmake/remove-inconsistent-time-tests.patch 
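Review bot: The `%changelog` entry added in the second bmake.spec hunk names the wrong patch and spells the month in a form rpm is likely to reject. It cites `do-not-run-tests-on-install.patch`, which is the existing `Patch0`, while the first hunk adds `Patch1: remove-inconsistent-time-tests.patch`. The date reads `Tue July 1 2025`, whereas rpm changelog dates use the three-letter month. I would change the two lines to `* Tue Jul 01 2025 …` (author and version as written) and `- Add patch remove-inconsistent-time-tests.patch to skip unreliable tests`. Whether `%prep` applies `Patch1` automatically is outside these hunks and worth confirming.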
@@ -0,0 +1,62 @@
+From 9a2afc4e71dea48320eeb043ff1a3317c2bd63cb Mon Sep 17 00:00:00 2001
+From: Mykhailo Bykhovtsev
+Date: Tue, 1 Jul 2025 16:02:51 -0700
+Subject: [PATCH] remove flaky tests
+
+---
+ unit-tests/varmod-localtime.mk | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/unit-tests/varmod-localtime.mk b/unit-tests/varmod-localtime.mk
+index 86f9006..1fe3605 100644
+--- a/unit-tests/varmod-localtime.mk
++++ b/unit-tests/varmod-localtime.mk
+@@ -84,28 +84,28 @@
+ .endif
+
+
+-.if ${:L:localtime=1} != "Thu Jan 1 01:00:01 1970"
+-. error
+-.endif
++# .if ${:L:localtime=1} != "Thu Jan 1 01:00:01 1970"
++# . error
++# .endif
+
+
+-# INT32_MAX
+-.if ${:L:localtime=2147483647} != "Tue Jan 19 04:14:07 2038"
+-. error
+-.endif
++# # INT32_MAX
++# .if ${:L:localtime=2147483647} != "Tue Jan 19 04:14:07 2038"
++# . error
++# .endif
+
+
+-.if ${:L:localtime=2147483648} == "Tue Jan 19 04:14:08 2038"
+-# All systems that have unsigned time_t or 64-bit time_t.
+-.elif ${:L:localtime=2147483648} == "Fri Dec 13 21:45:52 1901"
+-# FreeBSD-12.0-i386 still has 32-bit signed time_t, see
+-# sys/x86/include/_types.h, __LP64__.
+-#
++# .if ${:L:localtime=2147483648} == "Tue Jan 19 04:14:08 2038"
++# # All systems that have unsigned time_t or 64-bit time_t.
++# .elif ${:L:localtime=2147483648} == "Fri Dec 13 21:45:52 1901"
++# # FreeBSD-12.0-i386 still has 32-bit signed time_t, see
++# # sys/x86/include/_types.h, __LP64__.
++# #
+ # Linux on 32-bit systems may still have 32-bit signed time_t, see
+-# sysdeps/unix/sysv/linux/generic/bits/typesizes.h, __TIMESIZE.
+-.else
+-. error
+-.endif
++# # sysdeps/unix/sysv/linux/generic/bits/typesizes.h, __TIMESIZE.
++# .else
++# . error
++# .endif
+
+
+ # Integer overflow, at least before var.c 1.631 from 2020-10-31.
+--
+2.34.1
+
diff --git a/SPECS/bpftrace/0001-Remove-cstring_view.patch b/SPECS/bpftrace/0001-Remove-cstring_view.patch
new file mode 100644
index 0000000000..0f2eb6dd27
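Review bot: The patch description `remove flaky tests` does not say why the three `:localtime` checks are unreliable, and since they are commented out rather than deleted, the reason should be recorded with them. The expected string for epoch 1 is `01:00:01`, which suggests the assertions depend on the time zone in effect when the tests run; that is an inference from the hunk, not something it states. The disabled block also includes the INT32_MAX and 2147483648 boundary checks, so that coverage is lost on every builder, not only the ones where the test misbehaves. I would add a body line to the patch header naming the cause and saying whether the change was reported upstream, for example `Expected values assume a fixed zone offset; disabled until the test environment pins TZ` (wording for the author to confirm).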
--- /dev/null
+++ b/SPECS/bpftrace/0001-Remove-cstring_view.patch
@@ -0,0 +1,207 @@
+From 876b5118fa521f62e31a5bec7ec0be27da3bb7ab Mon Sep 17 00:00:00 2001
+From: Thierry Treyer
+Date: Fri, 11 Apr 2025 09:04:29 -0700
+Subject: [PATCH] Remove 'cstring_view'
+
+The `cstring_view` class was a `std::string_view` with the added
+guarantee that it is NULL-terminated. It was only used by BpfMap.
+This commit replaces it by a `std::string`
+
+Fixes: #4001
+
+Signed-off-by: Thierry Treyer
+---
+ src/bpfmap.cpp | 2 +-
+ src/bpfmap.h | 10 +++---
+ src/container/cstring_view.h | 39 -----------------------
+ tests/CMakeLists.txt | 1 -
+ tests/cstring_view.cpp | 60 ------------------------------------
+ 5 files changed, 5 insertions(+), 107 deletions(-)
+ delete mode 100644 src/container/cstring_view.h
+ delete mode 100644 tests/cstring_view.cpp
+
+diff --git a/src/bpfmap.cpp b/src/bpfmap.cpp
+index 9464e8ed..eb65621e 100644
+--- a/src/bpfmap.cpp
++++ b/src/bpfmap.cpp
+@@ -12,7 +12,7 @@ libbpf::bpf_map_type BpfMap::type() const
+ return type_;
+ }
+
+-cstring_view BpfMap::bpf_name() const
++const std::string &BpfMap::bpf_name() const
+ {
+ return name_;
+ }
+diff --git a/src/bpfmap.h b/src/bpfmap.h
+index 09153764..d48763ed 100644
+--- a/src/bpfmap.h
++++ b/src/bpfmap.h
+@@ -11,8 +11,6 @@ namespace libbpf {
+ #include "libbpf/bpf.h"
+ } // namespace libbpf
+
+-#include "container/cstring_view.h"
+-
+ namespace bpftrace {
+
+ class BpfMap {
+@@ -28,12 +26,12 @@ public:
+ }
+
+ BpfMap(libbpf::bpf_map_type type,
+- cstring_view name,
++ std::string name,
+ uint32_t key_size,
+ uint32_t value_size,
+ uint32_t max_entries)
+ : type_(type),
+- name_(name),
++ name_(std::move(name)),
+ key_size_(key_size),
+ value_size_(value_size),
+ max_entries_(max_entries)
+@@ -42,7 +40,7 @@ public:
+
+ int fd() const;
+ libbpf::bpf_map_type type() const;
+- cstring_view bpf_name() const;
++ const std::string &bpf_name() const;
+ std::string name() const;
+ uint32_t key_size() const;
+ uint32_t value_size() const;
+@@ -56,7 +54,7 @@ public:
+ private:
+ struct bpf_map *bpf_map_;
+ libbpf::bpf_map_type type_;
+- cstring_view name_;
++ std::string name_;
+ uint32_t key_size_;
+ uint32_t value_size_;
+ uint32_t max_entries_;
+diff --git a/src/container/cstring_view.h b/src/container/cstring_view.h
+deleted file mode 100644
+index 2e1c4602..00000000
+--- a/src/container/cstring_view.h
++++ /dev/null
+@@ -1,39 +0,0 @@
+-#pragma once
+-
+-#include
+-#include
+-
+-namespace bpftrace {
+-
+-// cstring_view
+-//
+-// A restricted version of std::string_view which guarantees that the underlying
+-// string buffer will be null-terminated. This can be useful when interacting
+-// with C APIs while avoiding the use of char* and unnecessary copies from using
+-// std::string.
+-//
+-// We only allow constructing cstring_view from types which are guaranteed to
+-// store null-terminated strings. All modifiers or operations on cstring_view
+-// will also maintain the null-terminated property.
+-class cstring_view : public std::string_view {
+-public:
+- constexpr cstring_view(const char *str) noexcept : std::string_view{ str }
+- {
+- }
+- constexpr cstring_view(const std::string &str) noexcept
+- : std::string_view{ str }
+- {
+- }
+- constexpr const char *c_str() const noexcept
+- {
+- return data();
+- }
+-
+-private:
+- // Disallow use of functions which can break the null-termination invariant
+- using std::string_view::copy;
+- using std::string_view::remove_suffix;
+- using std::string_view::substr;
+-};
+-
+-} // namespace bpftrace
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index c5d10f9c..d012cad7 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -33,7 +33,6 @@ add_executable(bpftrace_test
+ clang_parser.cpp
+ config.cpp
+ collect_nodes.cpp
+- cstring_view.cpp
+ field_analyser.cpp
+ function_registry.cpp
+ log.cpp
+diff --git a/tests/cstring_view.cpp b/tests/cstring_view.cpp
+deleted file mode 100644
+index 5b82a990..00000000
+--- a/tests/cstring_view.cpp
++++ /dev/null
+@@ -1,60 +0,0 @@
+-#include "container/cstring_view.h"
+-#include "gtest/gtest.h"
+-
+-#include
+-
+-namespace bpftrace::test::cstring_view {
+-
+-using bpftrace::cstring_view;
+-
+-TEST(cstring_view, c_string)
+-{
+- const char *str = "abc";
+- cstring_view sv{ str };
+-
+- EXPECT_EQ("abc", sv);
+-
+- EXPECT_EQ('a', sv[0]);
+- EXPECT_EQ('b', sv[1]);
+- EXPECT_EQ('c', sv[2]);
+- EXPECT_EQ('\0', sv[3]);
+-}
+-
+-TEST(cstring_view, std_string)
+-{
+- std::string str = "abc";
+- cstring_view sv{ str };
+-
+- EXPECT_EQ("abc", sv);
+-
+- EXPECT_EQ('a', sv[0]);
+- EXPECT_EQ('b', sv[1]);
+- EXPECT_EQ('c', sv[2]);
+- EXPECT_EQ('\0', sv[3]);
+-}
+-
+-TEST(cstring_view, std_string_view)
+-{
+- EXPECT_FALSE((std::is_constructible_v));
+-
+- // Sanity checks:
+- EXPECT_TRUE((std::is_constructible_v));
+- EXPECT_TRUE((std::is_constructible_v));
+-}
+-
+-TEST(cstring_view, length)
+-{
+- cstring_view sv{ "abc" };
+-
+- EXPECT_EQ("abc", sv);
+- EXPECT_EQ(3, sv.size());
+- EXPECT_EQ(3, sv.length());
+-}
+-
+-TEST(cstring_view, c_str)
+-{
+- cstring_view sv{ "abc" };
+- EXPECT_EQ(0, strcmp(sv.c_str(), "abc"));
+-}
+-
+-} // namespace bpftrace::test::cstring_view
+--
+2.45.4
+
diff --git a/SPECS/bpftrace/bpftrace-0.20-llvm18.patch b/SPECS/bpftrace/bpftrace-0.20-llvm18.patch
deleted file mode 100644
index 59b4bf1603..0000000000
--- a/SPECS/bpftrace/bpftrace-0.20-llvm18.patch
+++ /dev/null
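Review bot: `src/bpfmap.h` now takes `std::string name` by value and calls `std::move(name)`, but the only include this patch touches in that header is the removal of `container/cstring_view.h`. If the standard `string` or `utility` headers reached bpfmap.h only through the removed file, the build would rest on transitive includes. The header's own include list sits above line 11, outside the hunk, so this needs checking against the patched tree; if they are missing I would add direct includes of both. Separately, the patch header cites `Fixes: #4001` without a link to the upstream commit, which the deleted blobfuse2 CVE patch on this page did carry as an `Upstream Reference` line, and a matching line here would make the backport easier to audit.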
@@ -1,515 +0,0 @@ -From 686b73cbb7ae5ab24d1f8ad69c608225d14c94e2 Mon Sep 17 00:00:00 2001 -From: Daniel Xu -Date: Tue, 12 Mar 2024 13:13:01 -0600 -Subject: [PATCH 1/5] Update CHANGELOG - ---- - CHANGELOG.md | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/CHANGELOG.md b/CHANGELOG.md -index e699c473..c574ad3e 100644 ---- a/CHANGELOG.md -+++ b/CHANGELOG.md -@@ -9,6 +9,8 @@ and this project adheres to - ## Unreleased - - #### Added -+- Add LLVM 18 support -+ - [#3051](https://github.com/bpftrace/bpftrace/pull/3051) - #### Changed - #### Deprecated - #### Removed --- -2.33.8 - - -From 79e9282b4d2a87a3269d7fd2c595efa784fda7c4 Mon Sep 17 00:00:00 2001 -From: Wentao Zhang -Date: Tue, 15 Aug 2023 11:18:36 +0800 -Subject: [PATCH 2/5] replace python with python3 in the test - -"runtime:call" in ptest gets the following FAILED: -python: No such file or directory -replace python with python3 in the test scripts. - -$export BPFTRACE_RUNTIME_TEST_EXECUTABLE=/usr/bin -$cd /usr/lib/bpftrace/ptest/tests -$python3 runtime/engine/main.py --filter="call.*" -*** -[ RUN ] call.strftime_microsecond_extension_rollover -[ FAILED ] call.strftime_microsecond_extension_rollover - Command: /usr/bin/bpftrace -e 'BEGIN { printf("%s - %s\n", strftime - ("1%f", 1000000123000), strftime("1%f", 0)); exit(); }' | tail -n - +2 | xargs -I{} python -c "print({})" - Unclean exit code: 127 - Output: __BPFTRACE_NOTIFY_PROBES_ATTACHED\nxargs: python: No such - file or directory\n -*** - -Signed-off-by: Wentao Zhang -Signed-off-by: Khem Raj ---- - tests/runtime/call | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/runtime/call b/tests/runtime/call -index 2d7d9fcd..c6dcdf12 100644 ---- a/tests/runtime/call -+++ b/tests/runtime/call -@@ -378,13 +378,13 @@ TIMEOUT 5 - # - # Note we add a `1` before the timestamp b/c leading zeros (eg `0123`) is invalid integer in python. 
- NAME strftime_microsecond_extension --RUN {{BPFTRACE}} -e 'BEGIN { printf("%s - %s\n", strftime("1%f", 1000123000), strftime("1%f", 0)); exit(); }' | tail -n +2 | xargs -I{} python -c "print({})" -+RUN {{BPFTRACE}} -e 'BEGIN { printf("%s - %s\n", strftime("1%f", 1000123000), strftime("1%f", 0)); exit(); }' | tail -n +2 | xargs -I{} python3 -c "print({})" - EXPECT 123 - TIMEOUT 1 - - # Similar to above test but test that rolling over past 1s works as expected - NAME strftime_microsecond_extension_rollover --RUN {{BPFTRACE}} -e 'BEGIN { printf("%s - %s\n", strftime("1%f", 1000000123000), strftime("1%f", 0)); exit(); }' | tail -n +2 | xargs -I{} python -c "print({})" -+RUN {{BPFTRACE}} -e 'BEGIN { printf("%s - %s\n", strftime("1%f", 1000000123000), strftime("1%f", 0)); exit(); }' | tail -n +2 | xargs -I{} python3 -c "print({})" - EXPECT 123 - TIMEOUT 1 - --- -2.33.8 - - -From 0cd1b0a341c3562a478c4f9a86fe3f765b5ec2bb Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Fri, 16 Feb 2024 10:32:27 -0800 -Subject: [PATCH 3/5] ast: Repace getInt8PtrTy with getPtrTy - -getPtrTy is added in LLVM-15 and is to be used instead of getInt8PtrTy -which is gone in LLVM-18 onwards - -https://github.com/llvm/llvm-project/commit/7e0802aeb5b90 - -Signed-off-by: Khem Raj -Signed-off-by: Daniel Xu ---- - src/ast/irbuilderbpf.cpp | 67 +++++++++++++++------------------ - src/ast/irbuilderbpf.h | 6 +++ - src/ast/passes/codegen_llvm.cpp | 22 +++++------ - 3 files changed, 48 insertions(+), 47 deletions(-) - -diff --git a/src/ast/irbuilderbpf.cpp b/src/ast/irbuilderbpf.cpp -index 241ee74e..704f0a2b 100644 ---- a/src/ast/irbuilderbpf.cpp -+++ b/src/ast/irbuilderbpf.cpp -@@ -350,7 +350,7 @@ CallInst *IRBuilderBPF::createMapLookup(int mapid, - Value *key, - const std::string &name) - { -- return createMapLookup(mapid, key, getInt8PtrTy(), name); -+ return createMapLookup(mapid, key, GET_PTR_TY(), name); - } - - CallInst *IRBuilderBPF::createMapLookup(int mapid, -@@ -378,7 +378,7 @@ CallInst 
*IRBuilderBPF::CreateGetJoinMap(BasicBlock *failure_callback, - { - return createGetScratchMap(bpftrace_.maps[MapManager::Type::Join].value()->id, - "join", -- getInt8PtrTy(), -+ GET_PTR_TY(), - loc, - failure_callback); - } -@@ -407,8 +407,8 @@ CallInst *IRBuilderBPF::createGetScratchMap(int mapid, - BasicBlock *lookup_merge_block = BasicBlock::Create( - module_.getContext(), "lookup_" + name + "_merge", parent); - Value *condition = CreateICmpNE( -- CreateIntCast(call, getInt8PtrTy(), true), -- ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), getInt8PtrTy()), -+ CreateIntCast(call, GET_PTR_TY(), true), -+ ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), GET_PTR_TY()), - "lookup_" + name + "_cond"); - CreateCondBr(condition, lookup_merge_block, lookup_failure_block); - -@@ -428,7 +428,7 @@ Value *IRBuilderBPF::CreateMapLookupElem(Value *ctx, - Value *key, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - int mapid = bpftrace_.maps[map.ident].value()->id; - return CreateMapLookupElem(ctx, mapid, key, map.type, loc); - } -@@ -439,7 +439,7 @@ Value *IRBuilderBPF::CreateMapLookupElem(Value *ctx, - SizedType &type, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - CallInst *call = createMapLookup(mapid, key); - - // Check if result == 0 -@@ -450,8 +450,8 @@ Value *IRBuilderBPF::CreateMapLookupElem(Value *ctx, - - AllocaInst *value = CreateAllocaBPF(type, "lookup_elem_val"); - Value *condition = CreateICmpNE( -- CreateIntCast(call, getInt8PtrTy(), true), -- ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), getInt8PtrTy()), -+ CreateIntCast(call, GET_PTR_TY(), true), -+ ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), GET_PTR_TY()), - "map_lookup_cond"); - CreateCondBr(condition, lookup_success_block, lookup_failure_block); - -@@ -494,7 +494,7 @@ void 
IRBuilderBPF::CreateMapUpdateElem(Value *ctx, - { - Value *map_ptr = CreateBpfPseudoCallId(map); - -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(key->getType()->isPointerTy()); - assert(val->getType()->isPointerTy()); - -@@ -523,7 +523,7 @@ void IRBuilderBPF::CreateMapDeleteElem(Value *ctx, - Value *key, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(key->getType()->isPointerTy()); - Value *map_ptr = CreateBpfPseudoCallId(map); - -@@ -586,7 +586,7 @@ void IRBuilderBPF::CreateProbeRead(Value *ctx, - AddrSpace as, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(size && size->getType()->getIntegerBitWidth() <= 32); - size = CreateIntCast(size, getInt32Ty(), false); - -@@ -625,7 +625,7 @@ CallInst *IRBuilderBPF::CreateProbeReadStr(Value *ctx, - AddrSpace as, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(size && size->getType()->isIntegerTy()); - if ([[maybe_unused]] auto *dst_alloca = dyn_cast(dst)) - { -@@ -660,7 +660,7 @@ Value *IRBuilderBPF::CreateUSDTReadArgument(Value *ctx, - AddrSpace as, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - // Argument size must be 1, 2, 4, or 8. 
See - // https://sourceware.org/systemtap/wiki/UserSpaceProbeImplementation - int abs_size = std::abs(argument->size); -@@ -766,7 +766,7 @@ Value *IRBuilderBPF::CreateUSDTReadArgument(Value *ctx, - AddrSpace as, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - struct bcc_usdt_argument argument; - - void *usdt; -@@ -1419,7 +1419,7 @@ CallInst *IRBuilderBPF::CreateGetStackId(Value *ctx, - StackType stack_type, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - - Value *map_ptr = CreateBpfPseudoCallId( - bpftrace_.maps[stack_type].value()->id); -@@ -1432,9 +1432,7 @@ CallInst *IRBuilderBPF::CreateGetStackId(Value *ctx, - // long bpf_get_stackid(struct pt_regs *ctx, struct bpf_map *map, u64 flags) - // Return: >= 0 stackid on success or negative error - FunctionType *getstackid_func_type = FunctionType::get( -- getInt64Ty(), -- { getInt8PtrTy(), map_ptr->getType(), getInt64Ty() }, -- false); -+ getInt64Ty(), { GET_PTR_TY(), map_ptr->getType(), getInt64Ty() }, false); - CallInst *call = CreateHelperCall(libbpf::BPF_FUNC_get_stackid, - getstackid_func_type, - { ctx, map_ptr, flags_val }, -@@ -1482,7 +1480,7 @@ void IRBuilderBPF::CreateOutput(Value *ctx, - size_t size, - const location *loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(data && data->getType()->isPointerTy()); - - if (bpftrace_.feature_->has_map_ringbuf()) -@@ -1551,8 +1549,8 @@ void IRBuilderBPF::CreateAtomicIncCounter(int mapid, uint32_t idx) - parent); - - Value *condition = CreateICmpNE( -- CreateIntCast(call, getInt8PtrTy(), true), -- ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), getInt8PtrTy()), -+ CreateIntCast(call, GET_PTR_TY(), true), -+ ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), GET_PTR_TY()), - "map_lookup_cond"); - CreateCondBr(condition, 
lookup_success_block, lookup_failure_block); - -@@ -1609,8 +1607,8 @@ void IRBuilderBPF::CreateMapElemAdd(Value *ctx, - - AllocaInst *value = CreateAllocaBPF(type, "lookup_elem_val"); - Value *condition = CreateICmpNE( -- CreateIntCast(call, getInt8PtrTy(), true), -- ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), getInt8PtrTy()), -+ CreateIntCast(call, GET_PTR_TY(), true), -+ ConstantExpr::getCast(Instruction::IntToPtr, getInt64(0), GET_PTR_TY()), - "map_lookup_cond"); - CreateCondBr(condition, lookup_success_block, lookup_failure_block); - -@@ -1646,7 +1644,7 @@ void IRBuilderBPF::CreatePerfEventOutput(Value *ctx, - // long bpf_perf_event_output(struct pt_regs *ctx, struct bpf_map *map, - // u64 flags, void *data, u64 size) - FunctionType *perfoutput_func_type = FunctionType::get(getInt64Ty(), -- { getInt8PtrTy(), -+ { GET_PTR_TY(), - map_ptr->getType(), - getInt64Ty(), - data->getType(), -@@ -1690,7 +1688,7 @@ void IRBuilderBPF::CreateTracePrintk(Value *fmt_ptr, - - // long bpf_trace_printk(const char *fmt, u32 fmt_size, ...) 
- FunctionType *traceprintk_func_type = FunctionType::get( -- getInt64Ty(), { getInt8PtrTy(), getInt32Ty() }, true); -+ getInt64Ty(), { GET_PTR_TY(), getInt32Ty() }, true); - - CreateHelperCall(libbpf::BPF_FUNC_trace_printk, - traceprintk_func_type, -@@ -1721,7 +1719,7 @@ void IRBuilderBPF::CreateOverrideReturn(Value *ctx, Value *rc) - // long bpf_override_return(struct pt_regs *regs, u64 rc) - // Return: 0 - FunctionType *override_func_type = FunctionType::get( -- getInt64Ty(), { getInt8PtrTy(), getInt64Ty() }, false); -+ getInt64Ty(), { GET_PTR_TY(), getInt64Ty() }, false); - PointerType *override_func_ptr_type = PointerType::get(override_func_type, 0); - Constant *override_func = ConstantExpr::getCast(Instruction::IntToPtr, - getInt64(libbpf::BPF_FUNC_override_return), -@@ -1901,7 +1899,7 @@ void IRBuilderBPF::CreateHelperError(Value *ctx, - libbpf::bpf_func_id func_id, - const location &loc) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - assert(return_value && return_value->getType() == getInt32Ty()); - - if (bpftrace_.helper_check_level_ == 0 || -@@ -1941,7 +1939,7 @@ void IRBuilderBPF::CreateHelperErrorCond(Value *ctx, - const location &loc, - bool compare_zero) - { -- assert(ctx && ctx->getType() == getInt8PtrTy()); -+ assert(ctx && ctx->getType() == GET_PTR_TY()); - if (bpftrace_.helper_check_level_ == 0 || - (bpftrace_.helper_check_level_ == 1 && return_zero_if_err(func_id))) - return; -@@ -1977,7 +1975,7 @@ void IRBuilderBPF::CreatePath(Value *ctx, - // int bpf_d_path(struct path *path, char *buf, u32 sz) - // Return: 0 or error - FunctionType *d_path_func_type = FunctionType::get( -- getInt64Ty(), { getInt8PtrTy(), buf->getType(), getInt32Ty() }, false); -+ getInt64Ty(), { GET_PTR_TY(), buf->getType(), getInt32Ty() }, false); - CallInst *call = CreateHelperCall( - libbpf::bpf_func_id::BPF_FUNC_d_path, - d_path_func_type, -@@ -1997,13 +1995,10 @@ void IRBuilderBPF::CreateSeqPrintf(Value *ctx, - 
// long bpf_seq_printf(struct seq_file *m, const char *fmt, __u32 fmt_size, - // const void *data, __u32 data_len) - // Return: 0 or error -- FunctionType *seq_printf_func_type = FunctionType::get(getInt64Ty(), -- { getInt64Ty(), -- getInt8PtrTy(), -- getInt32Ty(), -- getInt8PtrTy(), -- getInt32Ty() }, -- false); -+ FunctionType *seq_printf_func_type = FunctionType::get( -+ getInt64Ty(), -+ { getInt64Ty(), GET_PTR_TY(), getInt32Ty(), GET_PTR_TY(), getInt32Ty() }, -+ false); - PointerType *seq_printf_func_ptr_type = PointerType::get(seq_printf_func_type, - 0); - Constant *seq_printf_func = ConstantExpr::getCast( -diff --git a/src/ast/irbuilderbpf.h b/src/ast/irbuilderbpf.h -index 739aa75d..a5148b60 100644 ---- a/src/ast/irbuilderbpf.h -+++ b/src/ast/irbuilderbpf.h -@@ -46,6 +46,12 @@ - CreateAtomicRMW((op), (ptr), (val), (order)) - #endif - -+#if LLVM_VERSION_MAJOR >= 15 -+#define GET_PTR_TY() getPtrTy() -+#else -+#define GET_PTR_TY() getInt8PtrTy() -+#endif -+ - namespace bpftrace { - namespace ast { - -diff --git a/src/ast/passes/codegen_llvm.cpp b/src/ast/passes/codegen_llvm.cpp -index c7adc426..0e00a14d 100644 ---- a/src/ast/passes/codegen_llvm.cpp -+++ b/src/ast/passes/codegen_llvm.cpp -@@ -439,10 +439,10 @@ void CodegenLLVM::visit(Call &call) - - AllocaInst *value = b_.CreateAllocaBPF(type, "lookup_elem_val"); - Value *condition = b_.CreateICmpNE( -- b_.CreateIntCast(lookup, b_.getInt8PtrTy(), true), -+ b_.CreateIntCast(lookup, b_.GET_PTR_TY(), true), - ConstantExpr::getCast(Instruction::IntToPtr, - b_.getInt64(0), -- b_.getInt8PtrTy()), -+ b_.GET_PTR_TY()), - "map_lookup_cond"); - b_.CreateCondBr(condition, lookup_success_block, lookup_failure_block); - -@@ -496,10 +496,10 @@ void CodegenLLVM::visit(Call &call) - - AllocaInst *value = b_.CreateAllocaBPF(type, "lookup_elem_val"); - Value *condition = b_.CreateICmpNE( -- b_.CreateIntCast(lookup, b_.getInt8PtrTy(), true), -+ b_.CreateIntCast(lookup, b_.GET_PTR_TY(), true), - 
ConstantExpr::getCast(Instruction::IntToPtr, - b_.getInt64(0), -- b_.getInt8PtrTy()), -+ b_.GET_PTR_TY()), - "map_lookup_cond"); - b_.CreateCondBr(condition, lookup_success_block, lookup_failure_block); - -@@ -760,7 +760,7 @@ void CodegenLLVM::visit(Call &call) - ? Instruction::BitCast - : Instruction::IntToPtr, - expr_, -- b_.getInt8PtrTy()), -+ b_.GET_PTR_TY()), - call.loc); - expr_ = buf; - expr_deleter_ = [this, buf]() { b_.CreateLifetimeEnd(buf); }; -@@ -1030,9 +1030,9 @@ void CodegenLLVM::visit(Call &call) - - // and finally the seq_printf call - b_.CreateSeqPrintf(ctx_, -- b_.CreateIntToPtr(fmt, b_.getInt8PtrTy()), -+ b_.CreateIntToPtr(fmt, b_.GET_PTR_TY()), - b_.getInt32(size), -- b_.CreatePointerCast(data, b_.getInt8PtrTy()), -+ b_.CreatePointerCast(data, b_.GET_PTR_TY()), - b_.getInt32(data_size), - call.loc); - -@@ -1066,7 +1066,7 @@ void CodegenLLVM::visit(Call &call) - values.push_back(expr_); - } - -- b_.CreateTracePrintk(b_.CreateIntToPtr(fmt, b_.getInt8PtrTy()), -+ b_.CreateTracePrintk(b_.CreateIntToPtr(fmt, b_.GET_PTR_TY()), - b_.getInt32(size), - values, - call.loc); -@@ -2093,7 +2093,7 @@ void CodegenLLVM::visit(FieldAccess &acc) - // `is_data_loc` should only be set if field access is on `args` which - // has to be a ctx access - assert(type.IsCtxAccess()); -- assert(ctx_->getType() == b_.getInt8PtrTy()); -+ assert(ctx_->getType() == b_.GET_PTR_TY()); - // Parser needs to have rewritten field to be a u64 - assert(field.type.IsIntTy()); - assert(field.type.GetIntBitWidth() == 64); -@@ -2685,7 +2685,7 @@ void CodegenLLVM::visit(Probe &probe) - { - FunctionType *func_type = FunctionType::get( - b_.getInt64Ty(), -- {b_.getInt8PtrTy()}, // struct pt_regs *ctx -+ {b_.GET_PTR_TY()}, // struct pt_regs *ctx - false); - - // Probe has at least one attach point (required by the parser) -@@ -3880,7 +3880,7 @@ Function *CodegenLLVM::createMapLenCallback() - auto saved_ip = b_.saveIP(); - - std::array args = { -- b_.getInt8PtrTy(), b_.getInt8PtrTy(), 
b_.getInt8PtrTy(), b_.getInt8PtrTy() -+ b_.GET_PTR_TY(), b_.GET_PTR_TY(), b_.GET_PTR_TY(), b_.GET_PTR_TY() - }; - - FunctionType *callback_type = FunctionType::get(b_.getInt64Ty(), args, false); --- -2.33.8 - - -From be31e10702e1cb747da8729ec3162ed1dae65dc4 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Fri, 16 Feb 2024 10:40:21 -0800 -Subject: [PATCH 4/5] ast: Adjust to enum changes in llvm 18 - -llvm 18 has change CodeGenOpt::Level/CodeGenFileType into enum classes via -https://github.com/llvm/llvm-project/commit/0a1aa6cda2758b0926a95f87d39ffefb1cb90200 - -Signed-off-by: Khem Raj -Signed-off-by: Daniel Xu ---- - src/ast/passes/codegen_llvm.cpp | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/ast/passes/codegen_llvm.cpp b/src/ast/passes/codegen_llvm.cpp -index 0e00a14d..f3aa091e 100644 ---- a/src/ast/passes/codegen_llvm.cpp -+++ b/src/ast/passes/codegen_llvm.cpp -@@ -72,7 +72,11 @@ CodegenLLVM::CodegenLLVM(Node *root, BPFtrace &bpftrace) - Optional() - #endif - )); -+#if LLVM_VERSION_MAJOR >= 18 -+ target_machine_->setOptLevel(llvm::CodeGenOptLevel::Aggressive); -+#else - target_machine_->setOptLevel(llvm::CodeGenOpt::Aggressive); -+#endif - - module_->setTargetTriple(LLVMTargetTriple); - module_->setDataLayout(target_machine_->createDataLayout()); -@@ -3617,7 +3621,9 @@ void CodegenLLVM::emit(raw_pwrite_stream &stream) - { - legacy::PassManager PM; - --#if LLVM_VERSION_MAJOR >= 10 -+#if LLVM_VERSION_MAJOR >= 18 -+ auto type = CodeGenFileType::ObjectFile; -+#elif LLVM_VERSION_MAJOR >= 10 - auto type = llvm::CGFT_ObjectFile; - #else - auto type = llvm::TargetMachine::CGFT_ObjectFile; --- -2.33.8 - - -From 802cb8a62aa4ff5a97e629b96ba9e069859511db Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Fri, 16 Feb 2024 10:14:41 -0800 -Subject: [PATCH 5/5] cmake: Bump max LLVM version to 18+ - -Signed-off-by: Khem Raj ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt 
-index 472068fc..fc6844de 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -139,7 +139,7 @@ else() - endif() - - set(MIN_LLVM_MAJOR 6) --set(MAX_LLVM_MAJOR 17) -+set(MAX_LLVM_MAJOR 18) - - if((${LLVM_VERSION_MAJOR} VERSION_LESS ${MIN_LLVM_MAJOR}) OR (${LLVM_VERSION_MAJOR} VERSION_GREATER ${MAX_LLVM_MAJOR})) - message(SEND_ERROR "Unsupported LLVM version found via ${LLVM_INCLUDE_DIRS}: ${LLVM_VERSION_MAJOR}") --- -2.33.8 - diff --git a/SPECS/bpftrace/bpftrace.signatures.json b/SPECS/bpftrace/bpftrace.signatures.json index b81d801dce..9e79c0a809 100644 --- a/SPECS/bpftrace/bpftrace.signatures.json +++ b/SPECS/bpftrace/bpftrace.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "bpftrace-0.20.3.tar.gz": "29057213d253f893590b3e0a358c9382ec8ddaa6efd1af500aaaf297d23beafc" + "bpftrace-0.23.5.tar.gz": "f01fea3f738f5d1174371326d2424c48f260f5fdc32dad85e009912baa9e1132" } } diff --git a/SPECS/bpftrace/bpftrace.spec b/SPECS/bpftrace/bpftrace.spec index dae6bc189f..f1691cf1cf 100644 --- a/SPECS/bpftrace/bpftrace.spec +++ b/SPECS/bpftrace/bpftrace.spec @@ -1,14 +1,14 @@ Summary: Berkeley Packet Filter Tracing Language Name: bpftrace -Version: 0.20.3 +Version: 0.23.5 Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/System -URL: https://github.com/iovisor/bpftrace +URL: https://github.com/bpftrace/bpftrace Source0: %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch0: bpftrace-0.20-llvm18.patch +Patch0: 0001-Remove-cstring_view.patch BuildRequires: bcc-devel BuildRequires: binutils-devel BuildRequires: bison @@ -67,7 +67,11 @@ make %check cd build +%ifarch aarch64 +BPFTRACE_UPDATE_TESTS=1 ./tests/bpftrace_test --gtest_filter=-codegen.* --rerun-failed --output-on-failure +%else ./tests/bpftrace_test --rerun-failed --output-on-failure +%endif %install mkdir -p %{buildroot}%{_bindir}/ 
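Review bot: The aarch64 branch added to `%check` in bpftrace.spec excludes every `codegen.*` test through `--gtest_filter=-codegen.*` and sets `BPFTRACE_UPDATE_TESTS=1`, and nothing in the spec says why. The package is therefore built on that architecture with less test coverage than on the others, with no record of the reason. I would add a comment above the `%ifarch`, for example `# codegen.* tests are skipped on aarch64 because <REASON>; tracked in <ISSUE-PLACEHOLDER>`. `BPFTRACE_UPDATE_TESTS=1` looks like a switch that regenerates expected test output instead of comparing against it (not confirmed from this hunk). If so, it should not be set in a package `%check`, and it may be redundant once the codegen tests are filtered out.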
@@ -83,6 +87,11 @@ install -p -m 644 tools/*.txt %{buildroot}%{_datadir}/bpftrace/tools/doc %{_datadir}/bpftrace/tools %changelog +* Thu Jul 24 2025 Sriram Nambakam - 0.23.5-1 +- Upgrade version to 0.23.5 +- This version has LLVM18 support. Therefore remove corresponding patch. +- Apply patch to disable cstring_view null termination check. + * Thu Apr 18 2024 Andrew Phelps - 0.20.3-1 - Upgrade version to 0.20.3 - Add patch to support building with LLVM 18 diff --git a/SPECS/busybox/CVE-2022-48174.patch b/SPECS/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..e1e31300e3 --- /dev/null +++ b/SPECS/busybox/CVE-2022-48174.patch 
@@ -0,0 +1,80 @@ +From d417193cf37ca1005830d7e16f5fa7e1d8a44209 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 12 Jun 2023 17:48:47 +0200 +Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216 + +function old new delta +evaluate_string 1011 1053 +42 + +Signed-off-by: Denys Vlasenko + +Upstream Patch Reference : https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 +Signed-off-by: Kanishk Bansal +--- + shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) + +diff --git a/shell/math.c b/shell/math.c +index 76d22c9bd5..727c294674 100644 +--- a/shell/math.c ++++ b/shell/math.c +@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. 
++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); + var_or_num_t *numstackptr = numstack; + /* Stack of operator tokens */ +@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. ++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + //bb_error_msg("val:%lld", numstackptr->val); + if (errno) + numstackptr->val = 0; /* bash compat */ diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec index cfd118805e..e4daa9b7bb 100644 --- a/SPECS/busybox/busybox.spec +++ b/SPECS/busybox/busybox.spec @@ -1,7 +1,7 @@ Summary: Statically linked binary providing simplified versions of system commands Name: busybox Version: 1.36.1 -Release: 12%{?dist} +Release: 14%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -18,8 +18,9 @@ Patch4: CVE-2023-42365.patch Patch5: CVE-2023-42366.patch Patch6: no-cbq.patch Patch7: CVE-2023-39810.patch +Patch8: CVE-2022-48174.patch BuildRequires: gcc -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: libselinux-devel >= 1.27.7-2 BuildRequires: libsepol-devel %if 0%{?with_check} 
@@ -106,6 +107,11 @@ SKIP_KNOWN_BUGS=1 ./runtest %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.36.1-14 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2022-48174 +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 1.36.1-12 - merge from Azure Linux 3.0.20250521-3.0 - Bump to rebuild with updated glibc diff --git a/SPECS/ceph/CVE-2024-48916.patch b/SPECS/ceph/CVE-2024-48916.patch new file mode 100644 index 0000000000..1f49d7ff82 --- /dev/null +++ b/SPECS/ceph/CVE-2024-48916.patch @@ -0,0 +1,31 @@ +From be105ab62fd4c93be9f9e5896e28c702534b0c56 Mon Sep 17 00:00:00 2001 +From: Pritha Srivastava +Date: Tue, 5 Nov 2024 12:03:00 +0530 +Subject: [PATCH] rgw/sts: fix to disallow unsupported JWT algorithms while + authenticating AssumeRoleWithWebIdentity using JWT obtained from an external + IDP. + +fixes: https://tracker.ceph.com/issues/68836 + +Signed-off-by: Pritha Srivastava +--- + src/rgw/rgw_rest_sts.cc | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc +index 09f77f61d..23328236a 100644 +--- a/src/rgw/rgw_rest_sts.cc ++++ b/src/rgw/rgw_rest_sts.cc +@@ -444,6 +444,9 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec + .allow_algorithm(jwt::algorithm::ps512{cert}); + + verifier.verify(decoded); ++ } else { ++ ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl; ++ throw -EINVAL; + } + } catch (std::runtime_error& e) { + ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl; +-- +2.45.4 + diff --git a/SPECS/ceph/CVE-2025-52555.patch b/SPECS/ceph/CVE-2025-52555.patch new file mode 100644 index 0000000000..fd7aaf82e4 --- /dev/null +++ b/SPECS/ceph/CVE-2025-52555.patch 
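Review bot: The new `else` branch in `WebTokenEngine::validate_signature` rejects an unsupported JWT algorithm with `throw -EINVAL;`, which throws an `int`, while the only handler visible in this hunk is `catch (std::runtime_error& e)` and does not catch it. The function body continues outside the hunk, so please confirm that a catch-all follows, or that every caller turns an escaping `int` into an authentication failure instead of letting it propagate further. The `algorithm` value written by `ldpp_dout(dpp, 0)` appears to come from the token header, which the client controls, so it is worth checking that the log path bounds or escapes it. The patch carries no test; a case that presents a token whose algorithm is outside the accepted list and expects rejection would pin the fix.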
@@ -0,0 +1,88 @@ +From 1c1e599376c5db9321c660d6ac5ba6c99fb71c38 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Tue, 1 Jul 2025 10:47:03 +0000 +Subject: [PATCH] Fix CVE CVE-2025-52555 in ceph + +An unprivileged user can `chmod 777` a directory owned by root +and gain access. Fix this bug and also add a test case for the +same. + +Signed-off-by: Xiubo Li +Signed-off-by: Venky Shankar + +Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/ceph/ceph/pull/60314.patch + +--- + src/client/Client.cc | 24 ++++++++++++++---------- + src/test/libcephfs/suidsgid.cc | 10 ++++++++++ + 2 files changed, 24 insertions(+), 10 deletions(-) + +diff --git a/src/client/Client.cc b/src/client/Client.cc +index 2b7db5a89..eca980a25 100644 +--- a/src/client/Client.cc ++++ b/src/client/Client.cc +@@ -5949,18 +5949,22 @@ int Client::may_setattr(Inode *in, struct ceph_statx *stx, int mask, + } + + if (mask & CEPH_SETATTR_MODE) { ++ bool allowed = false; ++ /* ++ * Currently the kernel fuse and libfuse code is buggy and ++ * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse. ++ * But will just set the ATTR_MODE and at the same time by ++ * clearing the suid/sgid bits. ++ * ++ * Only allow unprivileged users to clear S_ISUID and S_ISUID. ++ */ ++ if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID | S_ISGID)) && ++ (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID | S_ISGID))) { ++ allowed = true; ++ } + uint32_t m = ~stx->stx_mode & in->mode; // mode bits removed + ldout(cct, 20) << __func__ << " " << *in << " = " << hex << m << dec << dendl; +- if (perms.uid() != 0 && perms.uid() != in->uid && +- /* +- * Currently the kernel fuse and libfuse code is buggy and +- * won't pass the ATTR_KILL_SUID/ATTR_KILL_SGID to ceph-fuse. +- * But will just set the ATTR_MODE and at the same time by +- * clearing the suid/sgid bits. +- * +- * Only allow unprivileged users to clear S_ISUID and S_ISUID. 
+- */ +- (m & ~(S_ISUID | S_ISGID))) ++ if (perms.uid() != 0 && perms.uid() != in->uid && !allowed) + goto out; + + gid_t i_gid = (mask & CEPH_SETATTR_GID) ? stx->stx_gid : in->gid; +diff --git a/src/test/libcephfs/suidsgid.cc b/src/test/libcephfs/suidsgid.cc +index d750613eb..474795cc4 100644 +--- a/src/test/libcephfs/suidsgid.cc ++++ b/src/test/libcephfs/suidsgid.cc +@@ -134,6 +134,14 @@ void run_truncate_test_case(int mode, int result, size_t size, bool with_admin=f + ceph_close(_cmount, fd); + } + ++void run_change_mode_test_case() ++{ ++ char c_dir[1024]; ++ sprintf(c_dir, "/mode_test_%d", getpid()); ++ ASSERT_EQ(0, ceph_mkdirs(admin, c_dir, 0700)); ++ ASSERT_EQ(ceph_chmod(cmount, c_dir, 0777), -CEPHFS_EPERM); ++} ++ + TEST(SuidsgidTest, WriteClearSetuid) { + ASSERT_EQ(0, ceph_create(&admin, NULL)); + ASSERT_EQ(0, ceph_conf_read_file(admin, NULL)); +@@ -206,6 +214,8 @@ TEST(SuidsgidTest, WriteClearSetuid) { + // 14, Truncate by unprivileged user clears the suid and sgid + run_truncate_test_case(06766, 0, 100); + ++ run_change_mode_test_case(); ++ + // clean up + ceph_shutdown(cmount); + ceph_shutdown(admin); +-- +2.45.3 + diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec index 3bbb2947ac..64f8ba6e31 100644 --- a/SPECS/ceph/ceph.spec +++ b/SPECS/ceph/ceph.spec @@ -5,7 +5,7 @@ Summary: User space components of the Ceph file system Name: ceph Version: 18.2.2 -Release: 8%{?dist} +Release: 10%{?dist} License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0 URL: https://ceph.io/ Vendor: Microsoft Corporation @@ -28,6 +28,8 @@ Patch13: CVE-2020-10724.patch Patch14: CVE-2025-1744.patch Patch15: CVE-2021-28361.patch Patch16: CVE-2020-14378.patch +Patch17: CVE-2025-52555.patch +Patch18: CVE-2024-48916.patch # # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file # at the top-level directory of this distribution and at 
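Review bot: In `Client::may_setattr` the new `allowed` flag becomes true whenever the S_ISUID/S_ISGID bits differ between `in->mode` and `stx->stx_mode` while all other bits match, which covers adding those bits as well as clearing them, although the comment says a non-owner may only clear them. Unless a later check or the MDS refuses it, the condition should also require that no setuid/setgid bit is being added, for example `(stx->stx_mode & ~in->mode & (S_ISUID | S_ISGID)) == 0`. `run_change_mode_test_case` covers only the 0700 to 0777 directory case, so a companion assertion that a non-owner `ceph_chmod` adding a setuid bit returns `-CEPHFS_EPERM` would cover this direction. The comment's "S_ISUID and S_ISUID" presumably means S_ISUID and S_ISGID. The body of `may_setattr` starts and ends outside the hunk.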
@@ -2018,6 +2020,12 @@ exit 0 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml %changelog +* Fri Aug 01 2025 Azure Linux Security Servicing Account - 18.2.2-10 +- Patch for CVE-2024-48916 + +* Tue Jul 01 2025 Azure Linux Security Servicing Account - 18.2.2-9 +- Patch for CVE-2025-52555 + * Wed 16 Apr 2025 Archana Shettigar - 18.2.2-8 - Patch CVE-2020-14378 diff --git a/SPECS/cert-manager/CVE-2025-22872.patch b/SPECS/cert-manager/CVE-2025-22872.patch new file mode 100644 index 0000000000..af3845d83b --- /dev/null +++ b/SPECS/cert-manager/CVE-2025-22872.patch @@ -0,0 +1,42 @@ +From 160cea2aabe42233d5840bcdd246e0232bee0035 Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Thu, 8 May 2025 12:53:56 -0700 +Subject: [PATCH] Patch CVE-2025-22872 + +Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9.patch +--- + cmd/ctl/vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/cmd/ctl/vendor/golang.org/x/net/html/token.go b/cmd/ctl/vendor/golang.org/x/net/html/token.go +index 3c57880..6598c1f 100644 +--- a/cmd/ctl/vendor/golang.org/x/net/html/token.go ++++ b/cmd/ctl/vendor/golang.org/x/net/html/token.go +@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { + if raw { + z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) + } +- // Look for a self-closing token like "
". +- if z.err == nil && z.buf[z.raw.end-2] == '/' { ++ // Look for a self-closing token (e.g.
). ++ // ++ // Originally, we did this by just checking that the last character of the ++ // tag (ignoring the closing bracket) was a solidus (/) character, but this ++ // is not always accurate. ++ // ++ // We need to be careful that we don't misinterpret a non-self-closing tag ++ // as self-closing, as can happen if the tag contains unquoted attribute ++ // values (i.e.

). ++ // ++ // To avoid this, we check that the last non-bracket character of the tag ++ // (z.raw.end-2) isn't the same character as the last non-quote character of ++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has ++ // attributes. ++ nAttrs := len(z.attr) ++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { + return SelfClosingTagToken + } + return StartTagToken +-- +2.34.1 + diff --git a/SPECS/cert-manager/CVE-2025-32386.patch b/SPECS/cert-manager/CVE-2025-32386.patch new file mode 100644 index 0000000000..9f7253f228 --- /dev/null +++ b/SPECS/cert-manager/CVE-2025-32386.patch 
@@ -0,0 +1,89 @@ +From 8374e59e76c401229470d6f3840cdbbdfa1512a8 Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Wed, 21 May 2025 13:29:45 -0700 +Subject: [PATCH] Fix CVE-2025-32387 + +Upstream Link: https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7.patch +--- + .../helm/v3/pkg/chart/loader/archive.go | 32 ++++++++++++++++++- + .../helm/v3/pkg/chart/loader/directory.go | 4 +++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go +index 196e5f8..4cb994c 100644 +--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go ++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go +@@ -33,6 +33,15 @@ import ( + "helm.sh/helm/v3/pkg/chart" + ) + ++// MaxDecompressedChartSize is the maximum size of a chart archive that will be ++// decompressed. This is the decompressed size of all the files. ++// The default value is 100 MiB. ++var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB ++ ++// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load. ++// The size of the file is the decompressed version of it when it is stored in an archive. 
++var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB ++ + var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`) + + // FileLoader loads a chart from a file +@@ -119,6 +128,7 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) { + + files := []*BufferedFile{} + tr := tar.NewReader(unzipped) ++ remainingSize := MaxDecompressedChartSize + for { + b := bytes.NewBuffer(nil) + hd, err := tr.Next() +@@ -178,10 +188,30 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) { + return nil, errors.New("chart yaml not in base directory") + } + +- if _, err := io.Copy(b, tr); err != nil { ++ if hd.Size > remainingSize { ++ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize) ++ } ++ ++ if hd.Size > MaxDecompressedFileSize { ++ return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize) ++ } ++ ++ limitedReader := io.LimitReader(tr, remainingSize) ++ ++ bytesWritten, err := io.Copy(b, limitedReader) ++ if err != nil { + return nil, err + } + ++ remainingSize -= bytesWritten ++ // When the bytesWritten are less than the file size it means the limit reader ended ++ // copying early. Here we report that error. This is important if the last file extracted ++ // is the one that goes over the limit. It assumes the Size stored in the tar header ++ // is correct, something many applications do. 
++ if bytesWritten < hd.Size || remainingSize <= 0 { ++ return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize) ++ } ++ + data := bytes.TrimPrefix(b.Bytes(), utf8bom) + + files = append(files, &BufferedFile{Name: n, Data: data}) +diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go +index 9bcbee6..fd8e02e 100644 +--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go ++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go +@@ -101,6 +101,10 @@ func LoadDir(dir string) (*chart.Chart, error) { + return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name) + } + ++ if fi.Size() > MaxDecompressedFileSize { ++ return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize) ++ } ++ + data, err := os.ReadFile(name) + if err != nil { + return errors.Wrapf(err, "error reading %s", n) +-- +2.34.1 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 243f7f8fc8..6bd11ab09f 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.12.15 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -18,6 +18,9 @@ Patch1: CVE-2025-27144.patch Patch2: CVE-2025-22868.patch Patch3: CVE-2025-22869.patch Patch4: CVE-2025-30204.patch +Patch5: CVE-2025-32386.patch +Patch6: CVE-2025-22872.patch + BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector 
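Review bot: The patch file is named CVE-2025-32386.patch but its own header reads `Subject: [PATCH] Fix CVE-2025-32387`, and only the spec changelog explains that the one change covers both ids. I would make the header name both, e.g. `Subject: [PATCH] Fix CVE-2025-32386 and CVE-2025-32387`, so the fix is traceable from the patch itself under either id. In `LoadArchiveFiles`, the post-copy check `remainingSize <= 0` also rejects an archive whose decompressed size equals `MaxDecompressedChartSize` exactly, while the error text says "larger than". A one-line comment stating that the limit is effectively exclusive would avoid surprise.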
@@ -108,6 +111,11 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.12.15-5 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-32386 (also fixes CVE-2025-32387) +- Patch CVE-2025-22872 + * Fri Apr 28 2025 Ranjan Dutta - 1.12.15-4 - merge from Azure Linux 3.0.20250423. - Patch CVE-2025-30204 diff --git a/SPECS/clamav/CVE-2022-48579.patch b/SPECS/clamav/CVE-2022-48579.patch deleted file mode 100644 index d1a072302c..0000000000 --- a/SPECS/clamav/CVE-2022-48579.patch +++ /dev/null 
@@ -1,445 +0,0 @@ -From 0c606d48b8e5b1e0c178b47cbbaee60c57cc5d82 Mon Sep 17 00:00:00 2001 -From: Tobias Brick -Date: Mon, 21 Aug 2023 19:26:18 +0000 -Subject: [PATCH] Port CVE-2022-48579 from unrar to clamav/libclamunrar. CVE - Details: https://nvd.nist.gov/vuln/detail/CVE-2022-48579 Original Patch: - https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f - -Change from original patch: -The original patch added a member field to LastCheckedSymlink CmdExtract, defined as a std::wstring. However, the fork we're patching doesn't use std::wstring and uses wchar* everywhere. So I had to manually change that field and everywhere that uses it. This touched: -* extinfo.cpp -* extinfo.hpp -* extract.cpp -* extract.hpp - -Rejected some files in the initial patch: -* crypt.hpp: Patch changed CRYPT5_KDF_LG2_COUNT from 16 to 15 but clamav already had it at 15. -* dll.rc: Patch changed a bunch of dll information for the windows build but we don't build for windows. -* version.hpp: Patch bumps some version constants but in the clamav version, they don't always seem to take those version bumps. -* win32stm.cpp: Patch changes windows code, which we don't use. 
- -Original Commit Header: -From 2ecab6bb5ac4f3b88f270218445496662020205f Mon Sep 17 00:00:00 2001 -From: Peter Chapman -Date: Tue, 20 Dec 2022 20:03:01 +1300 -Subject: [PATCH] Updated to 6.2.3 - - arcread.cpp | 4 ++- - crypt.hpp | 5 +-- - dll.rc | 8 ++--- - extinfo.cpp | 89 +++++++++++++++++++++++++++++++++++++++++++++++---- - extinfo.hpp | 3 +- - extract.cpp | 47 ++++++++++++++++++++++++--- - extract.hpp | 6 ++++ - hardlinks.cpp | 2 -- - model.cpp | 6 ++-- - pathfn.cpp | 14 +++++--- - timefn.hpp | 11 +++++++ - ulinks.cpp | 6 ++-- - version.hpp | 6 ++-- - win32stm.cpp | 8 +++-- - 14 files changed, 180 insertions(+), 35 deletions(-) ---- - libclamunrar/arcread.cpp | 4 +- - libclamunrar/extinfo.cpp | 90 +++++++++++++++++++++++++++++++++++--- - libclamunrar/extinfo.hpp | 3 +- - libclamunrar/extract.cpp | 47 ++++++++++++++++++-- - libclamunrar/extract.hpp | 6 +++ - libclamunrar/hardlinks.cpp | 2 - - libclamunrar/model.cpp | 6 ++- - libclamunrar/pathfn.cpp | 14 ++++-- - libclamunrar/timefn.hpp | 11 +++++ - libclamunrar/ulinks.cpp | 6 ++- - 10 files changed, 167 insertions(+), 22 deletions(-) - -diff --git a/libclamunrar/arcread.cpp b/libclamunrar/arcread.cpp -index 1a401f4..73954c7 100644 ---- a/libclamunrar/arcread.cpp -+++ b/libclamunrar/arcread.cpp -@@ -1453,7 +1453,9 @@ bool Archive::ReadSubData(Array *UnpData,File *DestFile,bool TestMode) - { - if (SubHead.UnpSize>0x1000000) - { -- // So huge allocation must never happen in valid archives. -+ // Prevent the excessive allocation. When reading to memory, normally -+ // this function operates with reasonably small blocks, such as -+ // the archive comment, NTFS ACL or "Zone.Identifier" NTFS stream. 
- uiMsg(UIERROR_SUBHEADERUNKNOWN,FileName); - return false; - } -diff --git a/libclamunrar/extinfo.cpp b/libclamunrar/extinfo.cpp -index 5cb90a4..1cfe1c4 100644 ---- a/libclamunrar/extinfo.cpp -+++ b/libclamunrar/extinfo.cpp -@@ -112,6 +112,69 @@ static bool LinkInPath(const wchar *Name) - } - - -+// Delete symbolic links in file path, if any, and replace them by directories. -+// Prevents extracting files outside of destination folder with symlink chains. -+bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,wchar *LastChecked,const size_t LastCheckedSize) -+{ -+ // Unlike Unix, Windows doesn't expand lnk1 in symlink targets like -+ // "lnk1/../dir", but converts the path to "dir". In Unix we need to call -+ // this function to prevent placing unpacked files outside of destination -+ // folder if previously we unpacked "dir/lnk1" -> "..", -+ // "dir/lnk2" -> "lnk1/.." and "dir/lnk2/anypath/poc.txt". -+ // We may still need this function to prevent abusing symlink chains -+ // in link source path if we remove detection of such chains -+ // in IsRelativeSymlinkSafe. This function seems to make other symlink -+ // related safety checks redundant, but for now we prefer to keep them too. -+ // -+ // 2022.12.01: the performance impact is minimized after adding the check -+ // against the previous path and enabling this verification only after -+ // extracting a symlink with ".." in target. So we enabled it for Windows -+ // as well for extra safety. -+//#ifdef _UNIX -+ wchar Path[NM]; -+ if (wcslen(SrcName)>=ASIZE(Path)) -+ return false; // It should not be that long, skip. -+ wcsncpyz(Path,SrcName,ASIZE(Path)); -+ -+ size_t SkipLength=wcslen(SkipPart); -+ -+ if (SkipLength>0 && wcsncmp(Path,SkipPart,SkipLength)!=0) -+ SkipLength=0; // Parameter validation, not really needed now. -+ -+ // Do not check parts already checked in previous path to improve performance. 
-+ size_t LastCheckedLength=wcsnlen(LastChecked, LastCheckedSize); -+ for (uint I=0;Path[I]!=0 && ISkipLength) -+ SkipLength=I; -+ -+ wchar *Name=Path; -+ if (SkipLength>0) -+ { -+ // Avoid converting symlinks in destination path part specified by user. -+ Name+=SkipLength; -+ while (IsPathDiv(*Name)) -+ Name++; -+ } -+ -+ for (wchar *s=Path+wcslen(Path)-1;s>Name;s--) -+ if (IsPathDiv(*s)) -+ { -+ *s=0; -+ FindData FD; -+ if (FindFile::FastFind(Path,&FD,true) && FD.IsLink) -+#ifdef _WIN_ALL -+ if (!DelDir(Path)) -+#else -+ if (!DelFile(Path)) -+#endif -+ return false; // Couldn't delete the symlink to replace it with directory. -+ } -+ wcsncpyz(LastChecked,SrcName,LastCheckedSize); -+//#endif -+ return true; -+} -+ -+ - bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName) - { - // Catch root dir based /path/file paths also as stuff like \\?\. -@@ -131,10 +194,14 @@ bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *Pr - UpLevels++; - TargetName++; - } -- // If link target includes "..", it must not have another links -- // in the path, because they can bypass our safety check. For example, -+ // If link target includes "..", it must not have another links in its -+ // source path, because they can bypass our safety check. For example, - // suppose we extracted "lnk1" -> "." first and "lnk1/lnk2" -> ".." next -- // or "dir/lnk1" -> ".." first and "dir/lnk1/lnk2" -> ".." next. -+ // or "dir/lnk1" -> ".." first, "dir/lnk1/lnk2" -> ".." next and -+ // file "dir/lnk1/lnk2/poc.txt" last. -+ // Do not confuse with link chains in target, this is in link source path. -+ // It is important for Windows too, though this check can be omitted -+ // if LinksToDirs is invoked in Windows as well. 
- if (UpLevels>0 && LinkInPath(PrepSrcName)) - return false; - -@@ -160,15 +227,26 @@ bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *Pr - } - - --bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName) -+bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName,bool &UpLink) - { -+ // Returning true in Uplink indicates that link target might include ".." -+ // and enables additional checks. It is ok to falsely return true here, -+ // as it implies only the minor performance penalty. But we shall always -+ // return true for links with ".." in target for security reason. -+ -+ UpLink=true; // Assume the target might include potentially unsafe "..". -+#if defined(SAVE_LINKS) && defined(_UNIX) || defined(_WIN_ALL) -+ if (Arc.Format==RARFMT50) // For RAR5 archives we can check RedirName for both Unix and Windows. -+ UpLink=wcsstr(Arc.FileHead.RedirName,L"..")!=NULL; -+#endif -+ - #if defined(SAVE_LINKS) && defined(_UNIX) - // For RAR 3.x archives we process links even in test mode to skip link data. - if (Arc.Format==RARFMT15) -- return ExtractUnixLink30(Cmd,DataIO,Arc,LinkName); -+ return ExtractUnixLink30(Cmd,DataIO,Arc,LinkName,UpLink); - if (Arc.Format==RARFMT50) - return ExtractUnixLink50(Cmd,LinkName,&Arc.FileHead); --#elif defined _WIN_ALL -+#elif defined(_WIN_ALL) - // RAR 5.0 archives store link information in file header, so there is - // no need to additionally test it if we do not create a file. 
- if (Arc.Format==RARFMT50) -diff --git a/libclamunrar/extinfo.hpp b/libclamunrar/extinfo.hpp -index f3c7511..a77fac8 100644 ---- a/libclamunrar/extinfo.hpp -+++ b/libclamunrar/extinfo.hpp -@@ -1,8 +1,9 @@ - #ifndef _RAR_EXTINFO_ - #define _RAR_EXTINFO_ - -+bool LinksToDirs(const wchar *SrcName,const wchar *SkipPart,wchar *LastChecked,const size_t LastCheckedSize); - bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName); --bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName); -+bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName,bool &UpLink); - #ifdef _UNIX - void SetUnixOwner(Archive &Arc,const wchar *FileName); - #endif -diff --git a/libclamunrar/extract.cpp b/libclamunrar/extract.cpp -index dc109b9..e133770 100644 ---- a/libclamunrar/extract.cpp -+++ b/libclamunrar/extract.cpp -@@ -9,6 +9,12 @@ CmdExtract::CmdExtract(CommandData *Cmd) - *DestFileName=0; - - TotalFileCount=0; -+ -+ // Common for all archives involved. Set here instead of DoExtract() -+ // to use in unrar.dll too. Allows to avoid LinksToDirs() calls -+ // and save CPU time in no symlinks including ".." in target were extracted. 
-+ UpLinkExtracted=false; -+ - Unp=new Unpack(&DataIO); - #ifdef RAR_SMP - Unp->SetThreads(Cmd->Threads); -@@ -98,6 +104,8 @@ void CmdExtract::ExtractArchiveInit(Archive &Arc) - AnySolidDataUnpackedWell=false; - - StartTime.SetCurrentTime(); -+ -+ *LastCheckedSymlink=0; - } - - -@@ -539,6 +547,10 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) - wcsncpyz(DestFileName,Cmd->DllDestName,ASIZE(DestFileName)); - #endif - -+ if (ExtrFile && Command!='P' && !Cmd->Test && !Cmd->AbsoluteLinks && -+ UpLinkExtracted) -+ ExtrFile=LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink, ASIZE(LastCheckedSymlink)); -+ - File CurFile; - - bool LinkEntry=Arc.FileHead.RedirType!=FSREDIR_NONE; -@@ -667,7 +679,17 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) - if (Type==FSREDIR_HARDLINK || Type==FSREDIR_FILECOPY) - { - wchar RedirName[NM]; -- ConvertPath(Arc.FileHead.RedirName,RedirName,ASIZE(RedirName)); -+ -+ // 2022.11.15: Might be needed when unpacking WinRAR 5.0 links with -+ // Unix RAR. WinRAR 5.0 used \ path separators here, when beginning -+ // from 5.10 even Windows version uses / internally and converts -+ // them to \ when reading FHEXTRA_REDIR. -+ // We must perform this conversion before ConvertPath call, -+ // so paths mixing different slashes like \dir1/dir2\file are -+ // processed correctly. 
-+ SlashToNative(Arc.FileHead.RedirName,RedirName,ASIZE(RedirName)); -+ -+ ConvertPath(RedirName,RedirName,ASIZE(RedirName)); - - wchar NameExisting[NM]; - ExtrPrepareName(Arc,RedirName,NameExisting,ASIZE(NameExisting)); -@@ -681,7 +703,22 @@ bool CmdExtract::ExtractCurrentFile(Archive &Arc,size_t HeaderSize,bool &Repeat) - if (Type==FSREDIR_UNIXSYMLINK || Type==FSREDIR_WINSYMLINK || Type==FSREDIR_JUNCTION) - { - if (FileCreateMode) -- LinkSuccess=ExtractSymlink(Cmd,DataIO,Arc,DestFileName); -+ { -+ bool UpLink; -+ LinkSuccess=ExtractSymlink(Cmd,DataIO,Arc,DestFileName,UpLink); -+ UpLinkExtracted|=LinkSuccess && UpLink; -+ -+ // We do not actually need to reset the cache here if we cache -+ // only the single last checked path, because at this point -+ // it will always contain the link own path and link can't -+ // overwrite its parent folder. But if we ever decide to cache -+ // several already checked paths, we'll need to reset them here. -+ // Otherwise if no files were created in one of such paths, -+ // let's say because of file create error, it might be possible -+ // to overwrite the path with link and avoid checks. We keep this -+ // code here as a reminder in case of possible modifications. -+ *LastCheckedSymlink=0; // Reset cache for safety reason. -+ } - } - else - { -@@ -868,8 +905,6 @@ void CmdExtract::UnstoreFile(ComprDataIO &DataIO,int64 DestUnpSize) - - bool CmdExtract::ExtractFileCopy(File &New,wchar *ArcName,wchar *NameNew,wchar *NameExisting,size_t NameExistingSize) - { -- SlashToNative(NameExisting,NameExisting,NameExistingSize); // Not needed for RAR 5.1+ archives. 
-- - File Existing; - if (!Existing.WOpen(NameExisting)) - { -@@ -1131,6 +1166,8 @@ void CmdExtract::ExtrCreateDir(Archive &Arc,const wchar *ArcFileName) - DirExist=FileExist(DestFileName) && IsDir(GetFileAttr(DestFileName)); - if (!DirExist) - { -+ if (!Cmd->AbsoluteLinks && UpLinkExtracted) -+ LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink, ASIZE(LastCheckedSymlink)); - CreatePath(DestFileName,true,Cmd->DisableNames); - MDCode=MakeDir(DestFileName,!Cmd->IgnoreGeneralAttr,Arc.FileHead.FileAttr); - } -@@ -1212,6 +1249,8 @@ bool CmdExtract::ExtrCreateFile(Archive &Arc,File &CurFile) - - MakeNameUsable(DestFileName,true); - -+ if (!Cmd->AbsoluteLinks && UpLinkExtracted) -+ LinksToDirs(DestFileName,Cmd->ExtrPath,LastCheckedSymlink, ASIZE(LastCheckedSymlink)); - CreatePath(DestFileName,true,Cmd->DisableNames); - if (FileCreate(Cmd,&CurFile,DestFileName,ASIZE(DestFileName),&UserReject,Arc.FileHead.UnpSize,&Arc.FileHead.mtime,true)) - { -diff --git a/libclamunrar/extract.hpp b/libclamunrar/extract.hpp -index 159759b..6de575f 100644 ---- a/libclamunrar/extract.hpp -+++ b/libclamunrar/extract.hpp -@@ -52,6 +52,12 @@ class CmdExtract - bool PrevProcessed; // If previous file was successfully extracted or tested. - wchar DestFileName[NM]; - bool PasswordCancelled; -+ bool UpLinkExtracted; // At least one symlink with ".." in target was extracted. -+ -+ // Last path checked for symlinks. We use it to improve the performance, -+ // so we do not check recently checked folders again. 
-+ wchar LastCheckedSymlink[NM]; -+ - #if defined(_WIN_ALL) && !defined(SFX_MODULE) && !defined(SILENT) - bool Fat32,NotFat32; - #endif -diff --git a/libclamunrar/hardlinks.cpp b/libclamunrar/hardlinks.cpp -index 40cc0aa..171b5fa 100644 ---- a/libclamunrar/hardlinks.cpp -+++ b/libclamunrar/hardlinks.cpp -@@ -1,7 +1,5 @@ - bool ExtractHardlink(CommandData *Cmd,wchar *NameNew,wchar *NameExisting,size_t NameExistingSize) - { -- SlashToNative(NameExisting,NameExisting,NameExistingSize); // Not needed for RAR 5.1+ archives. -- - if (!FileExist(NameExisting)) - { - uiMsg(UIERROR_HLINKCREATE,NameNew); -diff --git a/libclamunrar/model.cpp b/libclamunrar/model.cpp -index 83391c5..e4f9e3c 100644 ---- a/libclamunrar/model.cpp -+++ b/libclamunrar/model.cpp -@@ -532,13 +532,15 @@ inline bool RARPPM_CONTEXT::decodeSymbol2(ModelPPM *Model) - Model->Coder.SubRange.LowCount=HiCnt; - Model->Coder.SubRange.HighCount=Model->Coder.SubRange.scale; - i=NumStats-Model->NumMasked; -- pps--; -+ -+ // 2022.12.02: we removed pps-- here and changed the code below to avoid -+ // "array subscript -1 is outside array bounds" warning in some compilers. - do - { -- pps++; - if (pps>=ps+ASIZE(ps)) // Extra safety check. 
- return false; - Model->CharMask[(*pps)->Symbol]=Model->EscCount; -+ pps++; - } while ( --i ); - psee2c->Summ += Model->Coder.SubRange.scale; - Model->NumMasked = NumStats; -diff --git a/libclamunrar/pathfn.cpp b/libclamunrar/pathfn.cpp -index 983bd74..162eda2 100644 ---- a/libclamunrar/pathfn.cpp -+++ b/libclamunrar/pathfn.cpp -@@ -31,11 +31,17 @@ wchar* ConvertPath(const wchar *SrcPath,wchar *DestPath,size_t DestSize) - const wchar *s=DestPtr; - if (s[0]!=0 && IsDriveDiv(s[1])) - s+=2; -- if (s[0]=='\\' && s[1]=='\\') -+ -+ // Skip UNC Windows \\server\share\ or Unix //server/share/ -+ if (IsPathDiv(s[0]) && IsPathDiv(s[1])) - { -- const wchar *Slash=wcschr(s+2,'\\'); -- if (Slash!=NULL && (Slash=wcschr(Slash+1,'\\'))!=NULL) -- s=Slash+1; -+ uint SlashCount=0; -+ for (const wchar *t=s+2;*t!=0;t++) -+ if (IsPathDiv(*t) && ++SlashCount==2) -+ { -+ s=t+1; // Found two more path separators after leading two. -+ break; -+ } - } - for (const wchar *t=s;*t!=0;t++) - if (IsPathDiv(*t)) -diff --git a/libclamunrar/timefn.hpp b/libclamunrar/timefn.hpp -index 5271361..49b61e8 100644 ---- a/libclamunrar/timefn.hpp -+++ b/libclamunrar/timefn.hpp -@@ -22,6 +22,17 @@ class RarTime - - // Internal time representation in 1/TICKS_PER_SECOND since 01.01.1601. - // We use nanoseconds here to handle the high precision Unix time. -+ // It allows dates up to July 2185. -+ // -+ // If we'll ever need to extend the date range, we can define a lower -+ // precision Windows version of TICKS_PER_SECOND. But then Unix and Windows -+ // versions can differ in least significant digits of "lt" time output -+ // for Unix archives. -+ // Alternatively we can introduce 'bool HighPrecision' set to true -+ // in SetUnixNS() and TicksPerSecond() instead of constant above. -+ // It might be more reliable than defining TicksPerSecond variable, -+ // which wouldn't survive memset of any structure hosting RarTime. -+ // We would need to eliminate all such memsets in the entire code first. 
- uint64 itime; - public: - // RarLocalTime::Reminder precision. Must be equal to TICKS_PER_SECOND. -diff --git a/libclamunrar/ulinks.cpp b/libclamunrar/ulinks.cpp -index af6ef36..cd93628 100644 ---- a/libclamunrar/ulinks.cpp -+++ b/libclamunrar/ulinks.cpp -@@ -70,7 +70,8 @@ static bool SafeCharToWide(const char *Src,wchar *Dest,size_t DestSize) - } - - --bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName) -+static bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc, -+ const wchar *LinkName,bool &UpLink) - { - char Target[NM]; - if (IsLink(Arc.FileHead.FileAttr)) -@@ -100,13 +101,14 @@ bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const w - if (!Cmd->AbsoluteLinks && (IsFullPath(TargetW) || - !IsRelativeSymlinkSafe(Cmd,Arc.FileHead.FileName,LinkName,TargetW))) - return false; -+ UpLink=strstr(Target,"..")!=NULL; - return UnixSymlink(Cmd,Target,LinkName,&Arc.FileHead.mtime,&Arc.FileHead.atime); - } - return false; - } - - --bool ExtractUnixLink50(CommandData *Cmd,const wchar *Name,FileHeader *hd) -+static bool ExtractUnixLink50(CommandData *Cmd,const wchar *Name,FileHeader *hd) - { - char Target[NM]; - WideToChar(hd->RedirName,Target,ASIZE(Target)); --- -2.34.1 - diff --git a/SPECS/clamav/clamav.signatures.json b/SPECS/clamav/clamav.signatures.json index 99f3ed17b3..fcd2ddfec3 100644 --- a/SPECS/clamav/clamav.signatures.json +++ b/SPECS/clamav/clamav.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "clamav-1.0.7-cargo.tar.gz": "3066cc6c80a01e6a65926c320af5d3d8b465a20e4975ec381e8e1b758598b532", - "clamav-1.0.7.tar.gz": "cf9908f68b07fda099fd382710863e99d064c7851c0a01bd9336ca8845d7644c" + "clamav-1.0.9-cargo.tar.gz": "d9e596d93abedbe2cf5f79bbc3dd3539ea1d185620a91f387c1779fd22e75e0b", + "clamav-1.0.9.tar.gz": "c3ac983568e3df274833839a7aa45c1b2650b192f7d2a8524cddbb0111062d93" } } \ No newline at end of file 
diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec index 40fbf28ccf..9b36c72f4c 100644 --- a/SPECS/clamav/clamav.spec +++ b/SPECS/clamav/clamav.spec @@ -1,6 +1,6 @@ Summary: Open source antivirus engine Name: clamav -Version: 1.0.7 +Version: 1.0.9 Release: 2%{?dist} License: ASL 2.0 AND BSD AND bzip2-1.0.4 AND GPLv2 AND LGPLv2+ AND MIT AND Public Domain AND UnRar Vendor: Microsoft Corporation @@ -136,6 +136,15 @@ fi %dir %attr(-,clamav,clamav) %{_sharedstatedir}/clamav %changelog +* Mon Jul 21 2025 Jyoti Kanase - 1.0.9-2 +- Bump release to rebuild with rust + +* Tue Jun 24 2025 Kshitiz Godara - 1.0.9-1 +- Upgrade to version 1.0.9 to fix CVE-2025-20260 + +* Tue Jun 10 2025 Kavya Sree Kaitepalli - 1.0.7-3 +- Bump release to rebuild with rust + * Mon Apr 21 2025 Kavya Sree Kaitepalli - 1.0.7-2 - Pin rust version diff --git a/SPECS/clang/clang-format-fix.patch b/SPECS/clang/clang-format-fix.patch new file mode 100644 index 0000000000..835138459e --- /dev/null +++ b/SPECS/clang/clang-format-fix.patch 
@@ -0,0 +1,90 @@ +From 85df28180bd38d3fd5356efe6022eebec31e0814 Mon Sep 17 00:00:00 2001 +From: Owen Pan +Date: Fri, 18 Oct 2024 21:10:00 -0700 +Subject: [PATCH] [clang-format] Fix a bug that always returns error for JSON + (#112839) + +Fixes #108556. + +--- + clang/test/Format/dry-run-warning.cpp | 22 ++++++++++++++++++++++ + clang/tools/clang-format/ClangFormat.cpp | 18 +++++++++--------- + 2 files changed, 31 insertions(+), 9 deletions(-) + create mode 100644 clang/test/Format/dry-run-warning.cpp + +diff --git a/clang/test/Format/dry-run-warning.cpp b/clang/test/Format/dry-run-warning.cpp +new file mode 100644 +index 000000000..4b85de40b +--- /dev/null ++++ b/clang/test/Format/dry-run-warning.cpp +@@ -0,0 +1,22 @@ ++// RUN: echo '{' > %t.json ++// RUN: echo ' "married": true' >> %t.json ++// RUN: echo '}' >> %t.json ++ ++// RUN: clang-format -n -style=LLVM %t.json 2>&1 | FileCheck %s -allow-empty ++ ++// RUN: clang-format -n -style=LLVM < %t.json 2>&1 \ ++// RUN: | FileCheck %s -check-prefix=CHECK2 -strict-whitespace ++ ++// RUN: echo '{' > %t.json ++// RUN: echo ' "married" : true' >> %t.json ++// RUN: echo '}' >> %t.json ++ ++// RUN: clang-format -n -style=LLVM < %t.json 2>&1 | FileCheck %s -allow-empty ++ ++// RUN: clang-format -n -style=LLVM %t.json 2>&1 \ ++// RUN: | FileCheck %s -check-prefix=CHECK2 -strict-whitespace ++ ++// RUN: rm %t.json ++ ++// CHECK-NOT: warning ++// CHECK2: warning: code should be clang-formatted +diff --git a/clang/tools/clang-format/ClangFormat.cpp b/clang/tools/clang-format/ClangFormat.cpp +index e122cea50..d40d8f5d1 100644 +--- a/clang/tools/clang-format/ClangFormat.cpp ++++ b/clang/tools/clang-format/ClangFormat.cpp +@@ -341,9 +341,6 @@ static void outputReplacementsXML(const Replacements &Replaces) { + static bool + emitReplacementWarnings(const Replacements &Replaces, StringRef AssumedFileName, + const std::unique_ptr &Code) { +- if (Replaces.empty()) +- return false; +- + unsigned Errors = 0; + if (WarnFormat && 
!NoWarnFormat) { + llvm::SourceMgr Mgr; +@@ -479,9 +476,11 @@ static bool format(StringRef FileName) { + Replacements Replaces = sortIncludes(*FormatStyle, Code->getBuffer(), Ranges, + AssumedFileName, &CursorPosition); + ++ const bool IsJson = FormatStyle->isJson(); ++ + // To format JSON insert a variable to trick the code into thinking its + // JavaScript. +- if (FormatStyle->isJson() && !FormatStyle->DisableFormat) { ++ if (IsJson && !FormatStyle->DisableFormat) { + auto Err = Replaces.add(tooling::Replacement( + tooling::Replacement(AssumedFileName, 0, 0, "x = "))); + if (Err) +@@ -499,11 +498,12 @@ static bool format(StringRef FileName) { + Replacements FormatChanges = + reformat(*FormatStyle, *ChangedCode, Ranges, AssumedFileName, &Status); + Replaces = Replaces.merge(FormatChanges); +- if (OutputXML || DryRun) { +- if (DryRun) +- return emitReplacementWarnings(Replaces, AssumedFileName, Code); +- else +- outputXML(Replaces, FormatChanges, Status, Cursor, CursorPosition); ++ if (DryRun) { ++ return Replaces.size() > (IsJson ? 1 : 0) && ++ emitReplacementWarnings(Replaces, AssumedFileName, Code); ++ } ++ if (OutputXML) { ++ outputXML(Replaces, FormatChanges, Status, Cursor, CursorPosition); + } else { + IntrusiveRefCntPtr InMemoryFileSystem( + new llvm::vfs::InMemoryFileSystem); +-- +2.34.1 + diff --git a/SPECS/clang/clang.signatures.json b/SPECS/clang/clang.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/clang/clang.signatures.json +++ b/SPECS/clang/clang.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/clang/clang.spec b/SPECS/clang/clang.spec index f971fa185c..991be843f0 100644 --- a/SPECS/clang/clang.spec +++ b/SPECS/clang/clang.spec 
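Review bot: The constant in `Replaces.size() > (IsJson ? 1 : 0)` in `format()` has no explanation at the point of use; it appears to discount the `x = ` replacement that the JSON branch above inserts. That insertion is guarded by `!FormatStyle->DisableFormat` while the threshold is not, so the two conditions can drift apart. A comment such as `// JSON input carries one synthetic "x = " replacement, so more than one means a real change.` would tie them together. Because the early `Replaces.empty()` return is removed from `emitReplacementWarnings`, this caller is the only guard for the dry-run path as far as the hunk shows. `format()` starts and ends outside the hunk.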
@@ -4,8 +4,8 @@ Summary: C, C++, Objective C and Objective C++ front-end for the LLVM compiler. Name: clang -Version: 18.1.2 -Release: 4%{?dist} +Version: 18.1.8 +Release: 1%{?dist} License: NCSA Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,7 @@ Group: Development/Tools URL: https://clang.llvm.org Source0: https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz Patch1: CVE-2024-7883.patch +Patch2: clang-format-fix.patch BuildRequires: cmake BuildRequires: libxml2-devel BuildRequires: llvm-devel = %{version} @@ -245,6 +246,9 @@ make clang-check %{_includedir}/clang-tidy/ %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. + * Thu Apr 10 2025 Jyoti Kanase - 18.1.2-4 - Fix CVE-2024-7883 diff --git a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec index 9918d922bf..50bb34e5ad 100644 --- a/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec +++ b/SPECS/cloud-hypervisor-cvm/cloud-hypervisor-cvm.spec @@ -5,7 +5,7 @@ Name: cloud-hypervisor-cvm Summary: Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload. Version: 41.0.79 -Release: 1%{?dist} +Release: 3%{?dist} License: ASL 2.0 OR BSD-3-clause Vendor: Microsoft Corporation Distribution: Azure Linux @@ -136,6 +136,12 @@ cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{c %license LICENSES/CC-BY-4.0.txt %changelog +* Mon Jul 21 2025 Jyoti Kanase - 41.0.79-3 +- Bump release to rebuild with rust + +* Fri Jun 13 2025 Kavya Sree Kaitepalli - 41.0.79-2 +- Bump release to rebuild with rust + * Mon Apr 28 2025 CBL-Mariner Servicing Account - 41.0.79-1 - Auto-upgrade to 41.0.79 diff --git a/SPECS/cloud-init/CVE-2024-11584.patch b/SPECS/cloud-init/CVE-2024-11584.patch new file mode 100644 index 0000000000..c7414df415 --- /dev/null 
+++ b/SPECS/cloud-init/CVE-2024-11584.patch 
@@ -0,0 +1,88 @@ +From ff05ded14b0555e8e7bc034bbe9c8fba35ed07bc Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Fri, 27 Jun 2025 10:59:56 +0000 +Subject: [PATCH] Address CVE-2024-11584 +Upstream Patch Reference: https://github.com/canonical/cloud-init/pull/6265/commits/6e10240a7f0a2d6110b398640b3fd46cfa9a7cf3 + +--- + cloudinit/cmd/devel/logs.py | 2 +- + systemd/cloud-init-hotplugd.service | 2 +- + systemd/cloud-init-hotplugd.socket | 5 +++-- + tools/cloud-init-hotplugd | 2 +- + tools/hook-hotplug | 2 +- + 5 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/cloudinit/cmd/devel/logs.py b/cloudinit/cmd/devel/logs.py +index f18bfbe..45a300a 100755 +--- a/cloudinit/cmd/devel/logs.py ++++ b/cloudinit/cmd/devel/logs.py +@@ -295,7 +295,7 @@ def _get_run_dir(run_dir: pathlib.Path) -> Iterator[pathlib.Path]: + Note that this only globs the top-level directory as there are currently + no relevant files within subdirectories. + """ +- return (p for p in run_dir.glob("*") if p.name != "hook-hotplug-cmd") ++ return run_dir.glob("*") + + + def _collect_logs_into_tmp_dir( +diff --git a/systemd/cloud-init-hotplugd.service b/systemd/cloud-init-hotplugd.service +index 2e552a0..5f4c8e8 100644 +--- a/systemd/cloud-init-hotplugd.service ++++ b/systemd/cloud-init-hotplugd.service +@@ -1,5 +1,5 @@ + # Paired with cloud-init-hotplugd.socket to read from the FIFO +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network ++# hook-hotplug-cmd which is created during a udev network + # add or remove event as processed by 90-cloud-init-hook-hotplug.rules. 
+ + # On start, read args from the FIFO, process and provide structured arguments +diff --git a/systemd/cloud-init-hotplugd.socket b/systemd/cloud-init-hotplugd.socket +index 8300e71..8d6d07c 100644 +--- a/systemd/cloud-init-hotplugd.socket ++++ b/systemd/cloud-init-hotplugd.socket +@@ -1,5 +1,5 @@ + # cloud-init-hotplugd.socket listens on the FIFO file +-# /run/cloud-init/hook-hotplug-cmd which is created during a udev network ++# hook-hotplug-cmd which is created during a udev network + # add or remove event as processed by 90-cloud-init-hook-hotplug.rules. + + # Known bug with an enforcing SELinux policy: LP: #1936229 +@@ -11,7 +11,8 @@ ConditionKernelCommandLine=!cloud-init=disabled + ConditionEnvironment=!KERNEL_CMDLINE=cloud-init=disabled + + [Socket] +-ListenFIFO=/run/cloud-init/hook-hotplug-cmd ++ListenFIFO=/run/cloud-init/share/hook-hotplug-cmd ++SocketMode=0600 + + [Install] + WantedBy=cloud-config.target +diff --git a/tools/cloud-init-hotplugd b/tools/cloud-init-hotplugd +index 70977d4..3d56fff 100755 +--- a/tools/cloud-init-hotplugd ++++ b/tools/cloud-init-hotplugd +@@ -9,7 +9,7 @@ + # upon a network device event). Anything received via the pipe is then + # passed on via the "cloud-init devel hotplug-hook handle" command. + +-PIPE="/run/cloud-init/hook-hotplug-cmd" ++PIPE="/run/cloud-init/share/hook-hotplug-cmd" + + mkfifo -m700 $PIPE + +diff --git a/tools/hook-hotplug b/tools/hook-hotplug +index e3cd2a1..7bd2830 100755 +--- a/tools/hook-hotplug ++++ b/tools/hook-hotplug +@@ -4,7 +4,7 @@ + # This script checks if cloud-init has hotplug hooked and if + # cloud-init is ready; if so invoke cloud-init hotplug-hook + +-fifo=/run/cloud-init/hook-hotplug-cmd ++fifo=/run/cloud-init/share/hook-hotplug-cmd + + should_run() { + if [ -d /run/systemd ]; then +-- +2.45.3 + diff --git a/SPECS/cloud-init/CVE-2024-6174.patch b/SPECS/cloud-init/CVE-2024-6174.patch new file mode 100644 index 0000000000..563e0b9e70 --- /dev/null +++ b/SPECS/cloud-init/CVE-2024-6174.patch 
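Review bot: In `tools/cloud-init-hotplugd` the unchanged line `mkfifo -m700 $PIPE` now targets the relocated FIFO with a mode that differs from the `SocketMode=0600` added to `cloud-init-hotplugd.socket`, and `$PIPE` is still unquoted. Both modes are owner-only, but keeping them identical makes the root-only intent of the fix explicit wherever the pipe is created: `mkfifo -m600 "$PIPE"`. Nothing in the visible hunks creates `/run/cloud-init/share`, so it is worth confirming on a test image that the directory exists before either script touches the path (presumably systemd creates it for `ListenFIFO=`). An already running socket unit would presumably keep listening on the old path until it is restarted, so the package scriptlets, which are not shown here, should be checked for that. The scripts continue outside the hunks.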
@@ -0,0 +1,146 @@ +From 161590728c951b933885ef40e664b9db9e585566 Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Fri, 27 Jun 2025 10:54:59 +0000 +Subject: [PATCH] Address CVE-2024-6174 +Upstream Patch Reference: https://github.com/canonical/cloud-init/commit/8c3ae1bb9f1d80fbf217b41a222ee434e7f58900 + +--- + doc/rtd/reference/breaking_changes.rst | 48 ++++++++++++++++++++++++++ + tests/unittests/test_ds_identify.py | 13 ++++--- + tools/ds-identify | 8 ++--- + 3 files changed, 58 insertions(+), 11 deletions(-) + +diff --git a/doc/rtd/reference/breaking_changes.rst b/doc/rtd/reference/breaking_changes.rst +index 0eba443..6fab8e5 100644 +--- a/doc/rtd/reference/breaking_changes.rst ++++ b/doc/rtd/reference/breaking_changes.rst +@@ -11,6 +11,54 @@ releases. + many operating system vendors patch out breaking changes in + cloud-init to ensure consistent behavior on their platform. + ++24.3.1 ++====== ++ ++Strict datasource identity before network ++----------------------------------------- ++Affects detection of Ec2, OpenStack or AltCloud datasources for non-x86 ++architectures where DMI may not be accessible. ++ ++Datasource detection provided by ds-identify in cloud-init now requires strict ++identification based on DMI platform information, kernel command line or ++`datasource_list:` system configuration in /etc/cloud/cloud.cfg.d. ++ ++Prior to this change, ds-identify would allow non-x86 architectures without ++strict identifying platform information to run in a discovery mode which would ++attempt to reach out to well known static link-local IPs to attempt to ++retrieve configuration once system networking is up. ++ ++To mitigate the potential of a bad-actor in a local network responding ++to such provisioning requests from cloud-init clients, ds-identify will no ++longer allow this late discovery mode for platforms unable to expose clear ++identifying characteristics of a known cloud-init datasource. 
++ ++The most likely affected cloud platforms are AltCloud, Ec2 and OpenStack for ++non-x86 architectures where DMI data is not exposed by the kernel. ++ ++If your non-x86 architecture or images no longer detect the proper datasource, ++any of the following steps can ensure proper detection of cloud-init config: ++ ++- Provide kernel commandline containing ``ds=`` ++ which forces ds-identify to discover a specific datasource. ++- Image creators: provide a config file part such as ++ :file:`/etc/cloud/cloud.cfg.d/*.cfg` containing the ++ case-sensitive ``datasource_list: [ ]`` to force cloud-init ++ to use a specific datasource without performing discovery. ++ ++For example, to force OpenStack discovery in cloud-init any of the following ++approaches work: ++ ++- OpenStack: `attach a ConfigDrive`_ as an alternative config source ++- Kernel command line containing ``ds=openstack`` ++- Custom images provide :file:`/etc/cloud/cloud.cfg.d/91-set-datasource.cfg` ++ containing: ++ ++.. code-block:: yaml ++ ++ datasource_list: [ OpenStack ] ++ ++ + 24.3 + ==== + +diff --git a/tests/unittests/test_ds_identify.py b/tests/unittests/test_ds_identify.py +index d8f10c1..d2b0f87 100644 +--- a/tests/unittests/test_ds_identify.py ++++ b/tests/unittests/test_ds_identify.py +@@ -208,9 +208,9 @@ system_info: + """ + + POLICY_FOUND_ONLY = "search,found=all,maybe=none,notfound=disabled" +-POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=all,notfound=disabled" +-DI_DEFAULT_POLICY = "search,found=all,maybe=all,notfound=disabled" +-DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=all,notfound=enabled" ++POLICY_FOUND_OR_MAYBE = "search,found=all,maybe=none,notfound=disabled" ++DI_DEFAULT_POLICY = "search,found=all,maybe=none,notfound=disabled" ++DI_DEFAULT_POLICY_NO_DMI = "search,found=all,maybe=none,notfound=enabled" + DI_EC2_STRICT_ID_DEFAULT = "true" + OVF_MATCH_STRING = "http://schemas.dmtf.org/ovf/environment/1" + +@@ -937,7 +937,7 @@ class TestDsIdentify(DsIdentifyBase): + 
self._test_ds_found("OpenStack-AssetTag-Compute") + + def test_openstack_on_non_intel_is_maybe(self): +- """On non-Intel, openstack without dmi info is maybe. ++ """On non-Intel, openstack without dmi info is none. + + nova does not identify itself on platforms other than intel. + https://bugs.launchpad.net/cloud-init/+bugs?field.tag=dsid-nova""" +@@ -957,10 +957,9 @@ class TestDsIdentify(DsIdentifyBase): + + # updating the uname to ppc64 though should get a maybe. + data.update({"mocks": [MOCK_VIRT_IS_KVM, MOCK_UNAME_IS_PPC64]}) +- (_, _, err, _, _) = self._check_via_dict( +- data, RC_FOUND, dslist=["OpenStack", "None"] +- ) ++ (_, _, err, _, _) = self._check_via_dict(data, RC_NOT_FOUND) + self.assertIn("check for 'OpenStack' returned maybe", err) ++ self.assertIn("No ds found", err) + + def test_default_ovf_is_found(self): + """OVF is identified found when ovf/ovf-env.xml seed file exists.""" +diff --git a/tools/ds-identify b/tools/ds-identify +index 606be9c..bfc8db4 100755 +--- a/tools/ds-identify ++++ b/tools/ds-identify +@@ -14,7 +14,7 @@ + # The format is: + # ,found=value,maybe=value,notfound=value + # default setting is: +-# search,found=all,maybe=all,notfound=disabled ++# search,found=all,maybe=none,notfound=disabled + # + # kernel command line option: ci.di.policy= + # example line in /etc/cloud/ds-identify.cfg: +@@ -40,7 +40,7 @@ + # first: use the first found do no further checking + # all: enable all DS_FOUND + # +-# maybe: (default=all) ++# maybe: (default=none) + # if nothing returned 'found', then how to handle maybe. + # no network sources are allowed to return 'maybe'. 
+ # all: enable all DS_MAYBE +@@ -100,8 +100,8 @@ DI_MAIN=${DI_MAIN:-main} + + DI_BLKID_EXPORT_OUT="" + DI_GEOM_LABEL_STATUS_OUT="" +-DI_DEFAULT_POLICY="search,found=all,maybe=all,notfound=${DI_DISABLED}" +-DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=all,notfound=${DI_ENABLED}" ++DI_DEFAULT_POLICY="search,found=all,maybe=none,notfound=${DI_DISABLED}" ++DI_DEFAULT_POLICY_NO_DMI="search,found=all,maybe=none,notfound=${DI_ENABLED}" + DI_DMI_BOARD_NAME="" + DI_DMI_CHASSIS_ASSET_TAG="" + DI_DMI_PRODUCT_NAME="" +-- +2.45.3 + diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index 0bb7c00e1b..0f997a03c2 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -1,7 +1,7 @@ Summary: Cloud instance init scripts Name: cloud-init Version: 24.3.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -12,6 +12,8 @@ Source1: 10-azure-kvp.cfg Patch0: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch Patch1: no-single-process.patch Patch2: 0001-feat-Add-new-distro.patch +Patch3: CVE-2024-6174.patch +Patch4: CVE-2024-11584.patch %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service BuildRequires: automake BuildRequires: dbus @@ -143,6 +145,10 @@ make check %{?_smp_mflags} %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog +* Mon Sep 8 2025 Lee Chee Yang - 24.3.1-6 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2024-6174 & CVE-2024-11584 + * Tue Mar 27 2025 Naveen Saini - 24.3.1-5 - Added edgemicrovisortoolkit distro support to install ca_certs. - Refresh patch. diff --git a/SPECS/cmake/CVE-2025-4947.patch b/SPECS/cmake/CVE-2025-4947.patch new file mode 100644 index 0000000000..64378f6b6d --- /dev/null +++ b/SPECS/cmake/CVE-2025-4947.patch 
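Review bot: The change to tools/ds-identify in CVE-2024-6174.patch only flips the two built-in defaults, `DI_DEFAULT_POLICY` and `DI_DEFAULT_POLICY_NO_DMI`, to `maybe=none`; the header comments of the same script describe a `ci.di.policy=` kernel option and an /etc/cloud/ds-identify.cfg line, and an image that sets `maybe=all` through either would presumably keep the late network discovery mode the patch is meant to close. I would add a sentence to the new breaking_changes.rst section saying so, for example `An explicit policy containing maybe=all, set on the kernel command line or in /etc/cloud/ds-identify.cfg, still enables late discovery and should be reviewed.` In tests/unittests/test_ds_identify.py, `POLICY_FOUND_OR_MAYBE` is now the same string as `POLICY_FOUND_ONLY`, and the name `test_openstack_on_non_intel_is_maybe` with its "should get a maybe" comment no longer matches the asserted `RC_NOT_FOUND` outcome; a short comment on each would prevent misreading.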
@@ -0,0 +1,40 @@ +From f0b4659205da774d835434cfbf40425c25a0c813 Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Wed, 4 Jun 2025 03:37:55 +0000 +Subject: [PATCH] Address CVE-2025-4947.patch + +Upstream patch URL: https://github.com/curl/curl/commit/a85f1df4803bbd272905c9e7125 + +--- + Utilities/cmcurl/lib/vquic/vquic-tls.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/Utilities/cmcurl/lib/vquic/vquic-tls.c b/Utilities/cmcurl/lib/vquic/vquic-tls.c +index aca18b45..61cb6c51 100644 +--- a/Utilities/cmcurl/lib/vquic/vquic-tls.c ++++ b/Utilities/cmcurl/lib/vquic/vquic-tls.c +@@ -324,15 +324,13 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx, + #elif defined(USE_WOLFSSL) + (void)data; + if(conn_config->verifyhost) { +- if(peer->sni) { +- WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl); +- if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL) +- == WOLFSSL_FAILURE) { +- result = CURLE_PEER_FAILED_VERIFICATION; +- } +- wolfSSL_X509_free(cert); ++ char *snihost = peer->sni ? peer->sni : peer->hostname; ++ WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->wssl.ssl); ++ if(wolfSSL_X509_check_host(cert, snihost, strlen(snihost), 0, NULL) ++ == WOLFSSL_FAILURE) { ++ result = CURLE_PEER_FAILED_VERIFICATION; + } +- ++ wolfSSL_X509_free(cert); + } + #endif + return result; +-- +2.45.2 + diff --git a/SPECS/cmake/CVE-2025-5916.patch b/SPECS/cmake/CVE-2025-5916.patch new file mode 100644 index 0000000000..d5fc6b5d2f --- /dev/null +++ b/SPECS/cmake/CVE-2025-5916.patch 
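Review bot: In the USE_WOLFSSL branch of Curl_vquic_tls_verify_peer the added line reads the session from `ctx->wssl.ssl`, while the line it replaces used `ctx->ssl`; unless the vendored struct curl_tls_ctx (declared outside this hunk) has a `wssl` member, this branch will not compile when wolfSSL is enabled. If the member does not exist in this cmcurl copy, keep the original accessor: `WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);`. The result of wolfSSL_get_peer_certificate() is also passed to wolfSSL_X509_check_host() without a NULL check, so a guard such as `if(!cert) result = CURLE_PEER_FAILED_VERIFICATION;` ahead of the host check would make a missing peer certificate fail closed explicitly. The upstream commit URL in the patch header carries a truncated hash, which makes the reference harder to verify against the backport.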
@@ -0,0 +1,39 @@ +From 849da096e8170a70652c191d6e22ca00b05f8d94 Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Mon, 23 Jun 2025 20:41:17 +0000 +Subject: [PATCH] Address CVE-2025-5916 + +Upstream patch reference: https://github.com/libarchive/libarchive/pull/2568 + +--- + .../libarchive/archive_read_support_format_warc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c +index 61ab29ea..d955af95 100644 +--- a/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c ++++ b/Utilities/cmlibarchive/libarchive/archive_read_support_format_warc.c +@@ -379,7 +379,8 @@ start_over: + case LAST_WT: + default: + /* consume the content and start over */ +- _warc_skip(a); ++ if (_warc_skip(a) < 0) ++ return (ARCHIVE_FATAL); + goto start_over; + } + return (ARCHIVE_OK); +@@ -432,7 +433,9 @@ _warc_skip(struct archive_read *a) + { + struct warc_s *w = a->format->data; + +- __archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/); ++ if (__archive_read_consume(a, w->cntlen) < 0 || ++ __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0) ++ return (ARCHIVE_FATAL); + w->cntlen = 0U; + w->cntoff = 0U; + return (ARCHIVE_OK); +-- +2.45.2 + diff --git a/SPECS/cmake/CVE-2025-5917.patch b/SPECS/cmake/CVE-2025-5917.patch new file mode 100644 index 0000000000..8c3928d716 --- /dev/null +++ b/SPECS/cmake/CVE-2025-5917.patch 
@@ -0,0 +1,35 @@ +From e055a3a5392d95ea781cadb7613d51d355df8597 Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Mon, 23 Jun 2025 20:45:00 +0000 +Subject: [PATCH] Address CVE-2025-5917 + +Upstream patch reference: https://github.com/libarchive/libarchive/pull/2588 +--- + .../cmlibarchive/libarchive/archive_write_set_format_pax.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c +index 1eb9a9a4..4a931f96 100644 +--- a/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c ++++ b/Utilities/cmlibarchive/libarchive/archive_write_set_format_pax.c +@@ -1556,7 +1556,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + const char *filename, *filename_end; + char *p; + int need_slash = 0; /* Was there a trailing slash? */ +- size_t suffix_length = 99; ++ size_t suffix_length = 98; /* 99 - 1 for trailing slash */ + size_t insert_length; + + /* Length of additional dir element to be added. */ +@@ -1608,7 +1608,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, + /* Step 2: Locate the "prefix" section of the dirname, including + * trailing '/'. */ + prefix = src; +- prefix_end = prefix + 155; ++ prefix_end = prefix + 154 /* 155 - 1 for trailing / */; + if (prefix_end > filename) + prefix_end = filename; + while (prefix_end > prefix && *prefix_end != '/') +-- +2.45.2 + diff --git a/SPECS/cmake/CVE-2025-5918.patch b/SPECS/cmake/CVE-2025-5918.patch new file mode 100644 index 0000000000..bbb845a7d9 --- /dev/null +++ b/SPECS/cmake/CVE-2025-5918.patch 
@@ -0,0 +1,189 @@ +From f4b4b476a8ade08201ce9dda57445ca1e6b6921d Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Tue, 8 Jul 2025 13:11:24 +0000 +Subject: [PATCH] Address CVE-2025-5918 + +Upstream patch reference: https://github.com/libarchive/libarchive/pull/2584 + +--- + .../libarchive/archive_read_open_fd.c | 13 ++++++-- + .../libarchive/archive_read_open_file.c | 33 ++++++++++++++----- + .../libarchive/archive_read_open_filename.c | 29 ++++++++++++---- + 3 files changed, 58 insertions(+), 17 deletions(-) + +diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c +index f59cd07f..2c4dfa35 100644 +--- a/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c ++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_fd.c +@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_fd.c 201103 2009-12-28 + struct read_fd_data { + int fd; + size_t block_size; ++ int64_t size; + char use_lseek; + void *buffer; + }; +@@ -96,6 +97,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size) + if (S_ISREG(st.st_mode)) { + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + mine->use_lseek = 1; ++ mine->size = st.st_size; + } + #if defined(__CYGWIN__) || defined(_WIN32) + setmode(mine->fd, O_BINARY); +@@ -152,9 +154,14 @@ file_skip(struct archive *a, void *client_data, int64_t request) + if (request == 0) + return (0); + +- if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) && +- ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If seek failed once, it will probably fail again. 
*/ + mine->use_lseek = 0; +diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c +index 03719e8b..3dc5d319 100644 +--- a/Utilities/cmlibarchive/libarchive/archive_read_open_file.c ++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_file.c +@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD: head/lib/libarchive/archive_read_open_file.c 201093 2009-12- + struct read_FILE_data { + FILE *f; + size_t block_size; ++ int64_t size; + void *buffer; + char can_skip; + }; +@@ -91,6 +92,7 @@ archive_read_open_FILE(struct archive *a, FILE *f) + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + /* Enable the seek optimization only for regular files. */ + mine->can_skip = 1; ++ mine->size = st.st_size; + } else + mine->can_skip = 0; + +@@ -130,6 +132,7 @@ file_skip(struct archive *a, void *client_data, int64_t request) + #else + long skip = (long)request; + #endif ++ int64_t old_offset, new_offset; + int skip_bits = sizeof(skip) * 8 - 1; + + (void)a; /* UNUSED */ +@@ -153,19 +156,33 @@ file_skip(struct archive *a, void *client_data, int64_t request) + + #ifdef __ANDROID__ + /* fileno() isn't safe on all platforms ... see above. 
*/ +- if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0) ++ old_offset = lseek(fileno(mine->f), 0, SEEK_CUR); + #elif HAVE__FSEEKI64 +- if (_fseeki64(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = _ftelli64(mine->f); + #elif HAVE_FSEEKO +- if (fseeko(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftello(mine->f); + #else +- if (fseek(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftell(mine->f); + #endif +- { +- mine->can_skip = 0; +- return (0); ++ if (old_offset >= 0) { ++ if (old_offset < mine->size && ++ skip <= mine->size - old_offset) { ++#ifdef __ANDROID__ ++ new_offset = lseek(fileno(mine->f), skip, SEEK_CUR); ++#elif HAVE__FSEEKI64 ++ new_offset = _fseeki64(mine->f, skip, SEEK_CUR); ++#elif HAVE_FSEEKO ++ new_offset = fseeko(mine->f, skip, SEEK_CUR); ++#else ++ new_offset = fseek(mine->f, skip, SEEK_CUR); ++#endif ++ if (new_offset >= 0) ++ return (new_offset - old_offset); ++ } + } +- return (request); ++ ++ mine->can_skip = 0; ++ return (0); + } + + static int +diff --git a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c +index 561289b6..20b57464 100644 +--- a/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c ++++ b/Utilities/cmlibarchive/libarchive/archive_read_open_filename.c +@@ -75,6 +75,7 @@ struct read_file_data { + size_t block_size; + void *buffer; + mode_t st_mode; /* Mode bits for opened file. */ ++ int64_t size; + char use_lseek; + enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type; + union { +@@ -370,8 +371,10 @@ file_open(struct archive *a, void *client_data) + mine->st_mode = st.st_mode; + + /* Disk-like inputs can use lseek(). 
*/ +- if (is_disk_like) ++ if (is_disk_like) { + mine->use_lseek = 1; ++ mine->size = st.st_size; ++ } + + return (ARCHIVE_OK); + fail: +@@ -449,21 +452,35 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request) + struct read_file_data *mine = (struct read_file_data *)client_data; + #if defined(_WIN32) && !defined(__CYGWIN__) + /* We use _lseeki64() on Windows. */ +- int64_t old_offset, new_offset; ++ int64_t old_offset, new_offset, skip = request; + #else +- off_t old_offset, new_offset; ++ off_t old_offset, new_offset, skip = (off_t)request; + #endif ++ int skip_bits = sizeof(skip) * 8 - 1; + + /* We use off_t here because lseek() is declared that way. */ + ++ /* Reduce a request that would overflow the 'skip' variable. */ ++ if (sizeof(request) > sizeof(skip)) { ++ const int64_t max_skip = ++ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; ++ if (request > max_skip) ++ skip = max_skip; ++ } ++ + /* TODO: Deal with case where off_t isn't 64 bits. + * This shouldn't be a problem on Linux or other POSIX + * systems, since the configuration logic for libarchive + * tries to obtain a 64-bit off_t. + */ +- if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 && +- (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If lseek() fails, don't bother trying again. */ + mine->use_lseek = 0; +-- +2.45.2 + diff --git a/SPECS/cmake/cmake.spec b/SPECS/cmake/cmake.spec index ad726a4dc5..aa8ef76182 100644 --- a/SPECS/cmake/cmake.spec +++ b/SPECS/cmake/cmake.spec 
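Review bot: In the archive_read_open_file.c part of CVE-2025-5918.patch, file_skip stores the return value of `_fseeki64()`, `fseeko()` or `fseek()` in `new_offset` and then returns `new_offset - old_offset`, but those functions return 0 on success rather than the new position. On every non-Android build a successful skip therefore reports `-old_offset` (zero or negative) instead of the number of bytes skipped, while only the `lseek()` branch yields a real offset. The position should be re-read with the matching tell function after a successful seek, with `new_offset` starting at -1 so a failed seek falls through to the `can_skip = 0` path; the rewritten lines are below. file_skip begins before this hunk.

```c
	if (old_offset >= 0) {
		if (old_offset < mine->size &&
		    skip <= mine->size - old_offset) {
			new_offset = -1;
#ifdef __ANDROID__
			new_offset = lseek(fileno(mine->f), skip, SEEK_CUR);
#elif HAVE__FSEEKI64
			if (_fseeki64(mine->f, skip, SEEK_CUR) == 0)
				new_offset = _ftelli64(mine->f);
#elif HAVE_FSEEKO
			if (fseeko(mine->f, skip, SEEK_CUR) == 0)
				new_offset = ftello(mine->f);
#else
			if (fseek(mine->f, skip, SEEK_CUR) == 0)
				new_offset = ftell(mine->f);
#endif
			/* … unchanged: return (new_offset - old_offset) when new_offset >= 0 … */
```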
@@ -2,7 +2,7 @@ Summary: Cmake Name: cmake Version: 3.30.3 -Release: 6%{?dist} +Release: 8%{?dist} License: BSD AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -26,6 +26,11 @@ Patch7: CVE-2023-44487.patch # required to determine what upstream patches are included. Patch8: CVE-2023-35945.patch Patch9: CVE-2024-48615.patch +Patch10: CVE-2025-4947.patch +Patch11: CVE-2025-5916.patch +Patch12: CVE-2025-5917.patch +Patch13: CVE-2025-5918.patch + BuildRequires: bzip2 BuildRequires: bzip2-devel BuildRequires: curl @@ -105,6 +110,12 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure %{_libdir}/rpm/macros.d/macros.cmake %changelog +* Tue Jun 24 2025 Durga Jagadeesh Palli - 3.30.3-8 +- Patch CVE-2025-5916, CVE-2025-5917 & CVE-2025-5918 + +* Tue Jun 03 2025 Durga Jagadeesh Palli - 3.30.3-7 +- Patch CVE-2025-4947 + * Mon Apr 07 2025 Kavya Sree Kaitepalli - 3.30.3-6 - Backport patch to fix CVE-2024-48615 diff --git a/SPECS/compiler-rt/compiler-rt.signatures.json b/SPECS/compiler-rt/compiler-rt.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/compiler-rt/compiler-rt.signatures.json +++ b/SPECS/compiler-rt/compiler-rt.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/compiler-rt/compiler-rt.spec b/SPECS/compiler-rt/compiler-rt.spec index 616ee8ce0b..ae915bed7c 100644 --- a/SPECS/compiler-rt/compiler-rt.spec +++ b/SPECS/compiler-rt/compiler-rt.spec @@ -4,8 +4,8 @@ Summary: LLVM compiler support routines Name: compiler-rt -Version: 18.1.2 -Release: 3%{?dist} +Version: 18.1.8 +Release: 1%{?dist} License: Apache 2.0 WITH exceptions Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -50,6 +50,9 @@ cd build %{_libdir}/clang/%{maj_ver}/share/* %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. + * Thu Jul 25 2024 Andrew Phelps - 18.1.2-3 - Fix installation path diff --git a/SPECS/conda/conda.spec b/SPECS/conda/conda.spec index b709aad792..988e925ffb 100644 --- a/SPECS/conda/conda.spec +++ b/SPECS/conda/conda.spec @@ -1,7 +1,7 @@ Summary: Cross-platform, Python-agnostic binary package manager Name: conda Version: 24.3.0 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD-3-Clause AND Apache-2.0 # The conda code is BSD-3-Clause # adapters/ftp.py is Apache-2.0 @@ -44,7 +44,6 @@ BuildRequires: python3-setuptools BuildRequires: python3-setuptools_scm BuildRequires: python3-trove-classifiers BuildRequires: sed - Requires: python%{python3_pkgversion}-conda = %{version}-%{release} %?python_enable_dependency_generator 
@@ -187,13 +186,14 @@ mkdir -p %{buildroot}%{_localstatedir}/cache/conda/pkgs/cache # install does not create the directory on EL7 install -m 0644 -Dt %{buildroot}/etc/profile.d/ conda/shell/etc/profile.d/conda.{sh,csh} +install -m 0644 -Dt %{buildroot}/etc/profile.d/ conda/shell/conda.xsh sed -r -i -e '1i [ -z "$CONDA_EXE" ] && CONDA_EXE=%{_bindir}/conda' \ -e '/PATH=.*condabin/s|PATH=|[ -d $(dirname "$CONDA_EXE")/condabin ] \&\& PATH=|' %{buildroot}/etc/profile.d/conda.sh sed -r -i -e '1i set _CONDA_EXE=%{_bindir}/conda\nset _CONDA_ROOT=' \ -e 's/CONDA_PFX=.*/CONDA_PFX=/' %{buildroot}/etc/profile.d/conda.csh -install -m 0644 -Dt %{buildroot}%{_datadir}/fish/vendor_conf.d/ conda/shell/etc/fish/conf.d/conda.fish +install -m 0644 -Dt %{buildroot}/etc/fish/conf.d/ conda/shell/etc/fish/conf.d/conda.fish sed -r -i -e '1i set -gx CONDA_EXE "/usr/bin/conda"\nset _CONDA_ROOT "/usr"\nset _CONDA_EXE "/usr/bin/conda"\nset -gx CONDA_PYTHON_EXE "/usr/bin/python3"' \ - %{buildroot}%{_datadir}/fish/vendor_conf.d/conda.fish + %{buildroot}/etc/fish/conf.d/conda.fish # Install bash completion script install -m 0644 -Dt %{buildroot}%{bash_completionsdir}/ %SOURCE1 @@ -384,11 +384,11 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} conda info %{_bindir}/conda %{_bindir}/conda-env %{bash_completionsdir}/conda -# TODO - better ownership for fish/vendor_conf.d -%dir %{_datadir}/fish/vendor_conf.d -%{_datadir}/fish/vendor_conf.d/conda.fish +%dir /etc/fish/conf.d +/etc/fish/conf.d/conda.fish /etc/profile.d/conda.sh /etc/profile.d/conda.csh +/etc/profile.d/conda.xsh %files tests %{_datadir}/conda/tests/ @@ -402,6 +402,10 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} conda info %{_datadir}/conda/condarc.d/ %changelog +* Thu Aug 07 2025 Riken Maharjan - 24.3.0-4 +- Add missing conda.xsh file to /etc/profile.d +- also move conda.fish to /etc/fish/conf.d/ + * Thu May 01 2025 Riken Maharjan - 24.3.0-3 - Skip some test cases that are failing in the current version of conda using Fedora (License: MIT) 
diff --git a/SPECS/containerd/CVE-2023-44487.patch b/SPECS/containerd/CVE-2023-44487.patch deleted file mode 100644 index 3ad7eccf28..0000000000 --- a/SPECS/containerd/CVE-2023-44487.patch +++ /dev/null @@ -1,30 +0,0 @@ -backport of a0fd4b065528566eec54fe207aa5e3131babc378 (https://github.com/kubernetes/apimachinery/commit/a0fd4b065528566eec54fe207aa5e3131babc378.patch) - -diff -ru containerd-1.7.13-orig/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go containerd-1.7.13/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go ---- containerd-1.7.13-orig/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go 2024-06-26 14:41:05.173893133 +0000 -+++ containerd-1.7.13/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go 2024-06-26 14:56:56.288354267 +0000 -@@ -126,14 +126,18 @@ - // OnError will block if it is called more often than the embedded period time. - // This will prevent overly tight hot error loops. - func (r *rudimentaryErrorBackoff) OnError(error) { -+ now := time.Now() // start the timer before acquiring the lock - r.lastErrorTimeLock.Lock() -- defer r.lastErrorTimeLock.Unlock() -- d := time.Since(r.lastErrorTime) -- if d < r.minPeriod { -- // If the time moves backwards for any reason, do nothing -- time.Sleep(r.minPeriod - d) -- } -+ d := now.Sub(r.lastErrorTime) - r.lastErrorTime = time.Now() -+ r.lastErrorTimeLock.Unlock() -+ -+ // Do not sleep with the lock held because that causes all callers of HandleError to block. -+ // We only want the current goroutine to block. -+ // A negative or zero duration causes time.Sleep to return immediately. -+ // If the time moves backwards for any reason, do nothing. -+ time.Sleep(r.minPeriod - d) -+ - } - - // GetCaller returns the caller of the function that calls it. diff --git a/SPECS/containerd/CVE-2023-45288.patch b/SPECS/containerd/CVE-2023-45288.patch deleted file mode 100644 index 80eaa40216..0000000000 --- a/SPECS/containerd/CVE-2023-45288.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -Author: Damien Neil -AuthorDate: 2024-01-10 13:41:39 -0800 -Commit: Gopher Robot -CommitDate: 2024-04-03 17:06:00 +0000 - -[internal-branch.go1.21-vendor] http2: close connections when receiving too many headers - -Maintaining HPACK state requires that we parse and process -all HEADERS and CONTINUATION frames on a connection. -When a request's headers exceed MaxHeaderBytes, we don't -allocate memory to store the excess headers but we do -parse them. This permits an attacker to cause an HTTP/2 -endpoint to read arbitrary amounts of data, all associated -with a request which is going to be rejected. - -Set a limit on the amount of excess header frames we -will process before closing a connection. - -Thanks to Bartek Nowotarski for reporting this issue. - -Fixes CVE-2023-45288 -For golang/go#65051 - -Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243 -Run-TryBot: Damien Neil -Reviewed-by: Dmitri Shuralyov -Reviewed-on: https://go-review.googlesource.com/c/net/+/576057 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Dmitri Shuralyov - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index c1f6b90..175c154 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -1565,6 +1565,7 @@ - if size > remainSize { - hdec.SetEmitEnabled(false) - mh.Truncated = true -+ remainSize = 0 - return - } - remainSize -= size -@@ -1577,6 +1578,36 @@ - var hc headersOrContinuation = hf - for { - frag := hc.HeaderBlockFragment() -+ -+ // Avoid parsing large amounts of headers that we will then discard. -+ // If the sender exceeds the max header list size by too much, -+ // skip parsing the fragment and close the connection. 
-+ // -+ // "Too much" is either any CONTINUATION frame after we've already -+ // exceeded the max header list size (in which case remainSize is 0), -+ // or a frame whose encoded size is more than twice the remaining -+ // header list bytes we're willing to accept. -+ if int64(len(frag)) > int64(2*remainSize) { -+ if VerboseLogs { -+ log.Printf("http2: header list too large") -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ -+ // Also close the connection after any CONTINUATION frame following an -+ // invalid header, since we stop tracking the size of the headers after -+ // an invalid one. -+ if invalid != nil { -+ if VerboseLogs { -+ log.Printf("http2: invalid header: %v", invalid) -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ - if _, err := hdec.Write(frag); err != nil { - return nil, ConnectionError(ErrCodeCompression) - } diff --git a/SPECS/containerd/CVE-2023-47108.patch b/SPECS/containerd/CVE-2023-47108.patch deleted file mode 100644 index 14b25cfefd..0000000000 --- a/SPECS/containerd/CVE-2023-47108.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -backport of b44dfc9092b157625a5815cb437583cee663333b (https://github.com/open-telemetry/opentelemetry-go-contrib/commit/b44dfc9092b157625a5815cb437583cee663333b) - -diff -ru containerd-1.7.13-orig/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go containerd-1.7.13/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go ---- containerd-1.7.13-orig/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go 2024-06-26 14:41:04.713891799 +0000 -+++ containerd-1.7.13/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go 2024-06-26 15:24:51.636920349 +0000 -@@ -83,7 +83,7 @@ - return invoker(ctx, method, req, reply, cc, callOpts...) - } - -- name, attr := spanInfo(method, cc.Target()) -+ name, attr, _ := telemetryAttributes(method, cc.Target()) - - startOpts := append([]trace.SpanStartOption{ - trace.WithSpanKind(trace.SpanKindClient), -@@ -278,7 +278,7 @@ - return streamer(ctx, desc, cc, method, callOpts...) 
- } - -- name, attr := spanInfo(method, cc.Target()) -+ name, attr, _ := telemetryAttributes(method, cc.Target()) - - startOpts := append([]trace.SpanStartOption{ - trace.WithSpanKind(trace.SpanKindClient), -@@ -346,7 +346,7 @@ - } - - ctx = extract(ctx, cfg.Propagators) -- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx)) -+ name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx)) - - startOpts := append([]trace.SpanStartOption{ - trace.WithSpanKind(trace.SpanKindServer), -@@ -469,7 +469,7 @@ - } - - ctx = extract(ctx, cfg.Propagators) -- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx)) -+ name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx)) - - startOpts := append([]trace.SpanStartOption{ - trace.WithSpanKind(trace.SpanKindServer), -@@ -498,17 +498,18 @@ - } - } - --// spanInfo returns a span name and all appropriate attributes from the gRPC --// method and peer address. --func spanInfo(fullMethod, peerAddress string) (string, []attribute.KeyValue) { -- name, mAttrs := internal.ParseFullMethod(fullMethod) -+// telemetryAttributes returns a span name and span and metric attributes from -+// the gRPC method and peer address. -+func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) { -+ name, methodAttrs := internal.ParseFullMethod(fullMethod) - peerAttrs := peerAttr(peerAddress) - -- attrs := make([]attribute.KeyValue, 0, 1+len(mAttrs)+len(peerAttrs)) -+ attrs := make([]attribute.KeyValue, 0, 1+len(methodAttrs)+len(peerAttrs)) - attrs = append(attrs, RPCSystemGRPC) -- attrs = append(attrs, mAttrs...) -+ attrs = append(attrs, methodAttrs...) -+ metricAttrs := attrs[:1+len(methodAttrs)] - attrs = append(attrs, peerAttrs...) -- return name, attrs -+ return name, attrs, metricAttrs - } - - // peerAttr returns attributes about the peer address. 
diff --git a/SPECS/containerd/CVE-2024-24786.patch b/SPECS/containerd/CVE-2024-24786.patch
deleted file mode 100644
index 6c80204f5b..0000000000
--- a/SPECS/containerd/CVE-2024-24786.patch
+++ /dev/null
@@ -1,152 +0,0 @@ -From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 -From: bala -Date: Mon, 25 Nov 2024 16:47:53 +0000 -Subject: [PATCH] Vendor patch applied - ---- - .../protobuf/encoding/protojson/decode.go | 12 ++++ - .../encoding/protojson/well_known_types.go | 59 +++++++------------ - .../protobuf/internal/encoding/json/decode.go | 2 +- - 3 files changed, 33 insertions(+), 40 deletions(-) - -diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -index 5f28148..67fe4e7 100644 ---- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go -@@ -11,6 +11,7 @@ import ( - "strconv" - "strings" - -+ "google.golang.org/protobuf/encoding/protowire" - "google.golang.org/protobuf/internal/encoding/json" - "google.golang.org/protobuf/internal/encoding/messageset" - "google.golang.org/protobuf/internal/errors" -@@ -47,6 +48,10 @@ type UnmarshalOptions struct { - protoregistry.MessageTypeResolver - protoregistry.ExtensionTypeResolver - } -+ -+ // RecursionLimit limits how deeply messages may be nested. -+ // If zero, a default limit is applied. -+ RecursionLimit int - } - - // Unmarshal reads the given []byte and populates the given proto.Message -@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { - if o.Resolver == nil { - o.Resolver = protoregistry.GlobalTypes - } -+ if o.RecursionLimit == 0 { -+ o.RecursionLimit = protowire.DefaultRecursionLimit -+ } - - dec := decoder{json.NewDecoder(b), o} - if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { -@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { - - // unmarshalMessage unmarshals a message into the given protoreflect.Message. 
- func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { -+ d.opts.RecursionLimit-- -+ if d.opts.RecursionLimit < 0 { -+ return errors.New("exceeded max recursion depth") -+ } - if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { - return unmarshal(d, m) - } -diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -index 6c37d41..4b177c8 100644 ---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go -@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { - // Use another decoder to parse the unread bytes for @type field. This - // avoids advancing a read from current decoder because the current JSON - // object may contain the fields of the embedded type. -- dec := decoder{d.Clone(), UnmarshalOptions{}} -+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} - tok, err := findTypeURL(dec) - switch err { - case errEmptyObject: -@@ -308,48 +308,29 @@ Loop: - // array) in order to advance the read to the next JSON value. It relies on - // the decoder returning an error if the types are not in valid sequence. - func (d decoder) skipJSONValue() error { -- tok, err := d.Read() -- if err != nil { -- return err -- } -- // Only need to continue reading for objects and arrays. -- switch tok.Kind() { -- case json.ObjectOpen: -- for { -- tok, err := d.Read() -- if err != nil { -- return err -- } -- switch tok.Kind() { -- case json.ObjectClose: -- return nil -- case json.Name: -- // Skip object field value. 
-- if err := d.skipJSONValue(); err != nil { -- return err -- } -- } -+ var open int -+ for { -+ tok, err := d.Read() -+ if err != nil { -+ return err - } -- -- case json.ArrayOpen: -- for { -- tok, err := d.Peek() -- if err != nil { -- return err -- } -- switch tok.Kind() { -- case json.ArrayClose: -- d.Read() -- return nil -- default: -- // Skip array item. -- if err := d.skipJSONValue(); err != nil { -- return err -- } -+ switch tok.Kind() { -+ case json.ObjectClose, json.ArrayClose: -+ open-- -+ case json.ObjectOpen, json.ArrayOpen: -+ open++ -+ if open > d.opts.RecursionLimit { -+ return errors.New("exceeded max recursion depth") - } -+ case json.EOF: -+ // This can only happen if there's a bug in Decoder.Read. -+ // Avoid an infinite loop if this does happen. -+ return errors.New("unexpected EOF") -+ } -+ if open == 0 { -+ return nil - } - } -- return nil - } - - // unmarshalAnyValue unmarshals the given custom-type message from the JSON -diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -index d043a6e..d2b3ac0 100644 ---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { - - case ObjectClose: - if len(d.openStack) == 0 || -- d.lastToken.kind == comma || -+ d.lastToken.kind&(Name|comma) != 0 || - d.openStack[len(d.openStack)-1] != ObjectOpen { - return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) - } --- -2.39.4 - diff --git a/SPECS/containerd/CVE-2024-28180.patch b/SPECS/containerd/CVE-2024-28180.patch deleted file mode 100644 index 3a087357aa..0000000000 --- a/SPECS/containerd/CVE-2024-28180.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 7cee86cae1b4ec55714208ca4d6e091d21f200da Mon Sep 17 00:00:00 2001 -From: Kanishk Bansal -Date: Fri, 31 Jan 2025 13:46:44 +0000 -Subject: [PATCH] Address CVE-2024-28180 for containerd - ---- - vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++ - vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++---- - 2 files changed, 22 insertions(+), 4 deletions(-) - -diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go -index d24cabf..a628386 100644 ---- a/vendor/gopkg.in/square/go-jose.v2/crypter.go -+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go -@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { - // Decrypt and validate the object and return the plaintext. Note that this - // function does not support multi-recipient, if you desire multi-recipient - // decryption use DecryptMulti instead. -+// -+// Automatically decompresses plaintext, but returns an error if the decompressed -+// data would be >250kB or >10x the size of the compressed data, whichever is larger. - func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { - headers := obj.mergedHeaders(nil) - -@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) - // with support for multiple recipients. It returns the index of the recipient - // for which the decryption was successful, the merged headers for that recipient, - // and the plaintext. -+// -+// Automatically decompresses plaintext, but returns an error if the decompressed -+// data would be >250kB or >3x the size of the compressed data, whichever is larger. 
- func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { - globalHeaders := obj.mergedHeaders(nil) - -diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go -index 70f7385..2b92116 100644 ---- a/vendor/gopkg.in/square/go-jose.v2/encoding.go -+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go -@@ -21,6 +21,7 @@ import ( - "compress/flate" - "encoding/base64" - "encoding/binary" -+ "fmt" - "io" - "math/big" - "strings" -@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) { - } - } - --// Compress with DEFLATE -+// deflate compresses the input. - func deflate(input []byte) ([]byte, error) { - output := new(bytes.Buffer) - -@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) { - return output.Bytes(), err - } - --// Decompress with DEFLATE -+// inflate decompresses the input. -+// -+// Errors if the decompressed data would be >250kB or >10x the size of the -+// compressed data, whichever is larger. - func inflate(input []byte) ([]byte, error) { - output := new(bytes.Buffer) - reader := flate.NewReader(bytes.NewBuffer(input)) - -- _, err := io.Copy(output, reader) -- if err != nil { -+ maxCompressedSize := 10 * int64(len(input)) -+ if maxCompressedSize < 250000 { -+ maxCompressedSize = 250000 -+ } -+ limit := maxCompressedSize + 1 -+ n, err := io.CopyN(output, reader, limit) -+ if err != nil && err != io.EOF { - return nil, err - } -+ if n == limit { -+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize) -+ } - - err = reader.Close() - return output.Bytes(), err --- -2.43.0 - diff --git a/SPECS/containerd/CVE-2024-40635.patch b/SPECS/containerd/CVE-2024-40635.patch deleted file mode 100644 index 91649d0d73..0000000000 --- a/SPECS/containerd/CVE-2024-40635.patch +++ /dev/null 
@@ -1,173 +0,0 @@ -From 11504c3fc5f45634f2d93d57743a998194430b82 Mon Sep 17 00:00:00 2001 -From: Craig Ingram -Date: Fri, 7 Mar 2025 13:29:47 +0000 -Subject: [PATCH] validate uid/gid - ---- - oci/spec_opts.go | 24 ++++++++-- - oci/spec_opts_linux_test.go | 92 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 112 insertions(+), 4 deletions(-) - -diff --git a/oci/spec_opts.go b/oci/spec_opts.go -index f1422d505203..e89d54a8f19a 100644 ---- a/oci/spec_opts.go -+++ b/oci/spec_opts.go -@@ -22,6 +22,7 @@ import ( - "encoding/json" - "errors" - "fmt" -+ "math" - "os" - "path/filepath" - "runtime" -@@ -594,6 +595,20 @@ func WithUser(userstr string) SpecOpts { - defer ensureAdditionalGids(s) - setProcess(s) - s.Process.User.AdditionalGids = nil -+ // While the Linux kernel allows the max UID to be MaxUint32 - 2, -+ // and the OCI Runtime Spec has no definition about the max UID, -+ // the runc implementation is known to require the UID to be <= MaxInt32. -+ // -+ // containerd follows runc's limitation here. -+ // -+ // In future we may relax this limitation to allow MaxUint32 - 2, -+ // or, amend the OCI Runtime Spec to codify the implementation limitation. 
-+ const ( -+ minUserID = 0 -+ maxUserID = math.MaxInt32 -+ minGroupID = 0 -+ maxGroupID = math.MaxInt32 -+ ) - - // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't - // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the -@@ -612,8 +627,8 @@ func WithUser(userstr string) SpecOpts { - switch len(parts) { - case 1: - v, err := strconv.Atoi(parts[0]) -- if err != nil { -- // if we cannot parse as a uint they try to see if it is a username -+ if err != nil || v < minUserID || v > maxUserID { -+ // if we cannot parse as an int32 then try to see if it is a username - return WithUsername(userstr)(ctx, client, c, s) - } - return WithUserID(uint32(v))(ctx, client, c, s) -@@ -624,12 +639,13 @@ func WithUser(userstr string) SpecOpts { - ) - var uid, gid uint32 - v, err := strconv.Atoi(parts[0]) -- if err != nil { -+ if err != nil || v < minUserID || v > maxUserID { - username = parts[0] - } else { - uid = uint32(v) - } -- if v, err = strconv.Atoi(parts[1]); err != nil { -+ v, err = strconv.Atoi(parts[1]) -+ if err != nil || v < minGroupID || v > maxGroupID { - groupname = parts[1] - } else { - gid = uint32(v) -diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go -index 2293a1c874af..b80d01259d90 100644 ---- a/oci/spec_opts_linux_test.go -+++ b/oci/spec_opts_linux_test.go -@@ -33,6 +33,98 @@ import ( - "golang.org/x/sys/unix" - ) - -+//nolint:gosec -+func TestWithUser(t *testing.T) { -+ t.Parallel() -+ -+ expectedPasswd := `root:x:0:0:root:/root:/bin/ash -+guest:x:405:100:guest:/dev/null:/sbin/nologin -+` -+ expectedGroup := `root:x:0:root -+bin:x:1:root,bin,daemon -+daemon:x:2:root,bin,daemon -+sys:x:3:root,bin,adm -+guest:x:100:guest -+` -+ td := t.TempDir() -+ apply := fstest.Apply( -+ fstest.CreateDir("/etc", 0777), -+ fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777), -+ fstest.CreateFile("/etc/group", []byte(expectedGroup), 0777), -+ ) -+ if 
err := apply.Apply(td); err != nil { -+ t.Fatalf("failed to apply: %v", err) -+ } -+ c := containers.Container{ID: t.Name()} -+ testCases := []struct { -+ user string -+ expectedUID uint32 -+ expectedGID uint32 -+ err string -+ }{ -+ { -+ user: "0", -+ expectedUID: 0, -+ expectedGID: 0, -+ }, -+ { -+ user: "root:root", -+ expectedUID: 0, -+ expectedGID: 0, -+ }, -+ { -+ user: "guest", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "guest:guest", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "guest:nobody", -+ err: "no groups found", -+ }, -+ { -+ user: "405:100", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "405:2147483648", -+ err: "no groups found", -+ }, -+ { -+ user: "-1000", -+ err: "no users found", -+ }, -+ { -+ user: "2147483648", -+ err: "no users found", -+ }, -+ } -+ for _, testCase := range testCases { -+ testCase := testCase -+ t.Run(testCase.user, func(t *testing.T) { -+ t.Parallel() -+ s := Spec{ -+ Version: specs.Version, -+ Root: &specs.Root{ -+ Path: td, -+ }, -+ Linux: &specs.Linux{}, -+ } -+ err := WithUser(testCase.user)(context.Background(), nil, &c, &s) -+ if err != nil { -+ assert.EqualError(t, err, testCase.err) -+ } -+ assert.Equal(t, testCase.expectedUID, s.Process.User.UID) -+ assert.Equal(t, testCase.expectedGID, s.Process.User.GID) -+ }) -+ } -+} -+ - //nolint:gosec - func TestWithUserID(t *testing.T) { - t.Parallel() diff --git a/SPECS/containerd/CVE-2025-27144.patch b/SPECS/containerd/CVE-2025-27144.patch deleted file mode 100644 index 6015ed48ca..0000000000 --- a/SPECS/containerd/CVE-2025-27144.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Fri, 28 Feb 2025 07:45:53 +0000 -Subject: [PATCH] CVE-2025-27144 -Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b - ---- - vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++-- - vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go -index b5a6dcd..cd1de9e 100644 ---- a/vendor/gopkg.in/square/go-jose.v2/jwe.go -+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go -@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { - - // parseEncryptedCompact parses a message in compact format. - func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 5 { -+ // Five parts is four separators -+ if strings.Count(input, ".") != 4 { - return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts") - } -+ parts := strings.SplitN(input, ".", 5) - - rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) - if err != nil { -diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go -index 7e261f9..a8d55fb 100644 ---- a/vendor/gopkg.in/square/go-jose.v2/jws.go -+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go -@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { - - // parseSignedCompact parses a message in compact format. 
- func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 3 { -+ // Three parts is two separators -+ if strings.Count(input, ".") != 2 { - return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts") - } -+ parts := strings.SplitN(input, ".", 3) - - if parts[1] != "" && payload != nil { - return nil, fmt.Errorf("square/go-jose: payload is not detached") --- -2.45.2 - diff --git a/SPECS/containerd/Makefile.patch b/SPECS/containerd/Makefile.patch deleted file mode 100644 index 0cc0ae4c3a..0000000000 --- a/SPECS/containerd/Makefile.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ru containerd-1.6.0-orig/Makefile containerd-1.6.0/Makefile ---- containerd-1.6.0-orig/Makefile 2022-01-19 19:13:47.000000000 -0800 -+++ containerd-1.6.0/Makefile 2022-02-01 14:39:00.558994210 -0800 -@@ -31,7 +31,7 @@ - - # Used to populate variables in version package. - VERSION ?= $(shell git describe --match 'v[0-9]*' --dirty='.m' --always) --REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) -+REVISION ?= $(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) - PACKAGE=github.com/containerd/containerd - SHIM_CGO_ENABLED ?= 0 diff --git a/SPECS/containerd/containerd.service b/SPECS/containerd/containerd.service deleted file mode 100644 index 06b501178b..0000000000 --- a/SPECS/containerd/containerd.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=containerd container runtime -Documentation=https://containerd.io -After=network.target - -[Service] -ExecStartPre=/sbin/modprobe overlay -ExecStart=/usr/bin/containerd -Restart=always -Delegate=yes -KillMode=process -OOMScoreAdjust=-999 - -[Install] -WantedBy=multi-user.target diff --git a/SPECS/containerd/containerd.signatures.json b/SPECS/containerd/containerd.signatures.json deleted file mode 100644 index f813a22eee..0000000000 
--- a/SPECS/containerd/containerd.signatures.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "Signatures": { - "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8", - "containerd.toml": "793d4f11a4e69bdb3b1903da2cdf76b7f32dbc97197b12d295a05ecc284e230e", - "containerd-1.7.13.tar.gz": "ae2b914bff0ddbb9b29d5fc689a51e1ce89ea4edfc4df9ae10517c6f5d2d5aaf" - } -} diff --git a/SPECS/containerd/containerd.spec b/SPECS/containerd/containerd.spec deleted file mode 100644 index d510700d9e..0000000000 --- a/SPECS/containerd/containerd.spec +++ /dev/null 
@@ -1,251 +0,0 @@ -%global debug_package %{nil} -%define commit_hash 7c3aca7a610df76212171d200ca3811ff6096eb8 - -Summary: Industry-standard container runtime -Name: containerd -Version: 1.7.13 -Release: 9%{?dist} -License: ASL 2.0 -Group: Tools/Container -URL: https://www.containerd.io -Vendor: Microsoft Corporation -Distribution: Azure Linux - -Source0: https://github.com/containerd/containerd/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: containerd.service -Source2: containerd.toml -Patch0: Makefile.patch -Patch1: fix_tests_for_golang1.21.patch -Patch2: CVE-2023-44487.patch -Patch3: CVE-2023-47108.patch -Patch4: CVE-2024-24786.patch -Patch5: CVE-2024-28180.patch -Patch6: CVE-2023-45288.patch -Patch7: CVE-2025-27144.patch -Patch8: CVE-2024-40635.patch - -%{?systemd_requires} - -BuildRequires: git -BuildRequires: golang < 1.23 -BuildRequires: go-md2man -BuildRequires: make -BuildRequires: systemd-rpm-macros - -Requires: runc - -# This package replaces the old name of moby-containerd -Provides: moby-containerd = %{version}-%{release} -Obsoletes: moby-containerd < %{version}-%{release} - -%description -containerd is an industry-standard container runtime with an emphasis on -simplicity, robustness and portability. It is available as a daemon for Linux -and Windows, which can manage the complete container lifecycle of its host -system: image transfer and storage, container execution and supervision, -low-level storage and network attachments, etc. - -containerd is designed to be embedded into a larger system, rather than being -used directly by developers or end-users. 
- -%prep -%autosetup -p1 - -%build -export BUILDTAGS="-mod=vendor" -make VERSION="%{version}" REVISION="%{commit_hash}" binaries man - -%check -export BUILDTAGS="-mod=vendor" -make VERSION="%{version}" REVISION="%{commit_hash}" test - -%install -make VERSION="%{version}" REVISION="%{commit_hash}" DESTDIR="%{buildroot}" PREFIX="/usr" install install-man - -mkdir -p %{buildroot}/%{_unitdir} -install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/containerd.service -install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/containerd/config.toml -install -vdm 755 %{buildroot}/opt/containerd/{bin,lib} - -%post -%systemd_post containerd.service - -if [ $1 -eq 1 ]; then # Package install - systemctl enable containerd.service > /dev/null 2>&1 || : - systemctl start containerd.service > /dev/null 2>&1 || : -fi - -%preun -%systemd_preun containerd.service - -%postun -%systemd_postun_with_restart containerd.service - -%files -%license LICENSE NOTICE -%{_bindir}/* -%{_mandir}/* -%config(noreplace) %{_unitdir}/containerd.service -%config(noreplace) %{_sysconfdir}/containerd/config.toml -%dir /opt/containerd -%dir /opt/containerd/bin -%dir /opt/containerd/lib - -%changelog -* Fri May 30 2025 Ranjan Dutta - 1.7.13-9 -- merge from Azure Linux 3.0.20250521-3.0 -- Fix CVE-2024-40635 - -* Fri Apr 28 2025 Ranjan Dutta - 1.7.13-8 -- merge from Azure Linux 3.0.20250423-3.0 -- Fix CVE-2025-27144 - -* Fri Mar 21 2025 Anuj Mittal - 1.7.13-7 -- Bump release to rebuild - -* Fri Feb 14 2025 Kanishk Bansal - 1.7.13-6 -- Fix CVE-2024-28180, CVE-2023-45288 - -* Mon Nov 25 2024 Bala - 1.7.13-5 -- Fix CVE-2024-24786 - -* Tue Oct 15 2024 Muhammad Falak - 1.7.13-4 -- Pin golang version to <= 1.22 - -* Wed Jun 26 2024 Nicolas Guibourge - 1.7.13-3 -- Address CVE-2023-44487 and CVE-2023-47108 - -* Fri Mar 08 2024 Henry Beberman - 1.7.13-2 -- Add OOMScoreAdjust -999 to containerd.service - -* Fri Feb 23 2024 Henry Beberman - 1.7.13-1 -- Rename package to containerd -- Upgrade to 1.7.13, remove 
unused patches -- Add patch to fix tests on golang 1.21 - -* Wed Oct 18 2023 Chris PeBenito - 1.6.22-4 -- Precreate /opt/containerd/{bin,lib} to ensure correct SELinux labeling. - -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 1.6.22-3 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 1.6.22-2 -- Bump release to rebuild with updated version of Go. - -* Wed Aug 16 2023 Muhammad Falak - 1.6.22-1 -- Bump version to 1.6.22 - -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 1.6.18-7 -- Bump release to rebuild with go 1.19.12 - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 1.6.18-6 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 1.6.18-5 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 1.6.18-4 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 1.6.18-3 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 1.6.18-2 -- Bump release to rebuild with go 1.19.6 - -* Mon Mar 13 2023 CBL-Mariner Servicing Account - 1.6.18-1 -- Auto-upgrade to 1.6.18 - to fix CVE-2023-25173, CVE-2023-25153 - -* Fri Feb 03 2023 CBL-Mariner Servicing Account - 1.6.12-5 -- Bump release to rebuild with go 1.19.5 - -* Wed Jan 18 2023 CBL-Mariner Servicing Account - 1.6.12-4 -- Bump release to rebuild with go 1.19.4 - -* Mon Dec 19 2022 Aadhar Agarwal - 1.6.12-3 -- Backport upstream fix in containerd to add ptrace readby and tracedby to default AppArmor profile (add_ptrace_readby_tracedby_to_apparmor.patch) - -* Fri Dec 16 2022 Daniel McIlvaney - 1.6.12-2 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Wed Dec 14 2022 CBL-Mariner Servicing Account - 1.6.12-1 -- Auto-upgrade to 1.6.12 - to fix CVE-2022-23471 - -* Tue Nov 01 2022 Olivia Crain - 1.6.6-3 -- Bump release to rebuild with go 1.18.8 - -* Mon Aug 22 2022 Olivia Crain - 1.6.6-2 -- Bump release to 
rebuild against Go 1.18.5 - -* Thu Jun 23 2022 Henry Beberman - 1.6.6-1 -- Bump version to 1.6.6 to address CVE-2022-31030 - -* Tue Jun 14 2022 Muhammad Falak - 1.6.2-1 -- Bump version to 1.6.2 to address CVE-2022-24769 -- Rebuild with golang 1.18.3 - -* Mon Mar 28 2022 Nicolas Guibourge - 1.6.1-3 -- Default cgroup to 'systemd' - -* Wed Mar 23 2022 Anirudh Gopal - 1.6.1-2 -- Always restart containerd service - -* Mon Mar 14 2022 Nicolas Guibourge - 1.6.1-1 -- Update to version 1.6.1 - -* Fri Jan 28 2022 Nicolas Guibourge - 1.6.0.rc.3-1 -- Update to version 1.6.0-rc.3 -- Use code from upstream instead of Azure fork. - -* Mon Jan 24 2022 Henry Beberman - 1.5.9+azure-1 -- Update to version 1.5.9+azure - -* Wed Jan 19 2022 Henry Li - 1.4.4+azure-6 -- Increment release for force republishing using golang 1.16.12 - -* Tue Nov 02 2021 Thomas Crain - 1.4.4+azure-5 -- Increment release for force republishing using golang 1.16.9 - -* Mon Oct 04 2021 Henry Beberman 1.4.4+azure-4 -- Patch CVE-2021-41103 -- Change config to noreplace -- Refactor how files is specified - -* Fri Aug 06 2021 Nicolas Guibourge 1.4.4+azure-3 -- Increment release to force republishing using golang 1.16.7. - -* Mon Jul 19 2021 Neha Agarwal 1.4.4+azure-2 -- CVE-2021-32760 fix - -* Mon Jul 12 2021 Andrew Phelps 1.4.4+azure-1 -- Update to version 1.4.4+azure - -* Tue Jun 08 2021 Henry Beberman 1.3.4+azure-3 -- Increment release to force republishing using golang 1.15.13. - -* Thu Dec 10 2020 Andrew Phelps 1.3.4+azure-2 -- Increment release to force republishing using golang 1.15. - -* Thu Jun 11 2020 Andrew Phelps 1.3.4+azure-1 -- Update to version 1.3.4+azure - -* Wed May 20 2020 Joe Schmitt 1.3.3+azure-6 -- Remove reliance on existing GOPATH environment variable. - -* Sat May 09 2020 Nick Samson 1.3.3+azure-5 -- Added %%license line automatically - -* Wed May 06 2020 Pawel Winogrodzki 1.3.3+azure-4 -- Removing *Requires for "ca-certificates". 
- -* Tue May 05 2020 Eric Li 1.3.3+azure-3 -- Add #Source0: and license verified - -* Fri May 01 2020 Emre Girgin 1.3.3+azure-2 -- Renaming go to golang - -* Fri Apr 03 2020 Mohan Datla 1.3.3+azure-1 -- Initial CBL-Mariner import from Azure. - -* Thu Jan 23 2020 Brian Goff -- Initial version diff --git a/SPECS/containerd/containerd.toml b/SPECS/containerd/containerd.toml deleted file mode 100644 index f8b83c6ab9..0000000000 --- a/SPECS/containerd/containerd.toml +++ /dev/null @@ -1,25 +0,0 @@ -#root = "/var/lib/containerd" -#state = "/run/containerd" -#subreaper = true -#oom_score = 0 - -#[grpc] -# address = "/run/containerd/containerd.sock" -# uid = 0 -# gid = 0 - -#[debug] -# address = "/run/containerd/debug.sock" -# uid = 0 -# gid = 0 -# level = "info" - -version = 2 -[plugins] - [plugins."io.containerd.grpc.v1.cri"] - [plugins."io.containerd.grpc.v1.cri".containerd] - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - runtime_type = "io.containerd.runc.v2" - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] - SystemdCgroup = true \ No newline at end of file diff --git a/SPECS/containerd/fix_tests_for_golang1.21.patch b/SPECS/containerd/fix_tests_for_golang1.21.patch deleted file mode 100644 index ad71bcd164..0000000000 --- a/SPECS/containerd/fix_tests_for_golang1.21.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26 - -Signed-off-by: Akihiro Suda -Signed-off-by: Henry Beberman - -diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go ---- a/contrib/apparmor/apparmor.go 2024-01-31 20:48:57.000000000 +0000 -+++ b/contrib/apparmor/apparmor.go 2024-02-23 18:49:37.691534024 +0000 -@@ -39,6 +39,11 @@ - - // WithDefaultProfile will generate a default apparmor profile under the provided name - // for the container. It is only generated if a profile under that name does not exist. -+// -+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline -+// since Go 1.21. -+// -+//go:noinline - func WithDefaultProfile(name string) oci.SpecOpts { - return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { - if err := LoadDefaultProfile(name); err != nil { -diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go ---- a/contrib/seccomp/seccomp.go 2024-01-31 20:48:57.000000000 +0000 -+++ b/contrib/seccomp/seccomp.go 2024-02-23 18:49:37.691534024 +0000 -@@ -30,6 +30,11 @@ - // WithProfile receives the name of a file stored on disk comprising a json - // formatted seccomp profile, as specified by the opencontainers/runtime-spec. - // The profile is read from the file, unmarshaled, and set to the spec. -+// -+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline -+// since Go 1.21. -+// -+//go:noinline - func WithProfile(profile string) oci.SpecOpts { - return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { - s.Linux.Seccomp = &specs.LinuxSeccomp{} -@@ -46,6 +51,11 @@ - - // WithDefaultProfile sets the default seccomp profile to the spec. - // Note: must follow the setting of process capabilities -+// -+// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline -+// since Go 1.21. 
-+// -+//go:noinline - func WithDefaultProfile() oci.SpecOpts { - return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error { - s.Linux.Seccomp = DefaultProfile(s) diff --git a/SPECS/containerd2/CVE-2025-22872.patch b/SPECS/containerd2/CVE-2025-22872.patch new file mode 100644 index 0000000000..c4c75f054f --- /dev/null +++ b/SPECS/containerd2/CVE-2025-22872.patch @@ -0,0 +1,42 @@ +From 072aace3657090fc2cd827741839d229aafd693e Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Thu, 22 May 2025 10:01:10 -0400 +Subject: [PATCH] Address CVE-2025-22872 +Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 + +--- + vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go +index 3c57880..6598c1f 100644 +--- a/vendor/golang.org/x/net/html/token.go ++++ b/vendor/golang.org/x/net/html/token.go +@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { + if raw { + z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) + } +- // Look for a self-closing token like "
". +- if z.err == nil && z.buf[z.raw.end-2] == '/' { ++ // Look for a self-closing token (e.g.
). ++ // ++ // Originally, we did this by just checking that the last character of the ++ // tag (ignoring the closing bracket) was a solidus (/) character, but this ++ // is not always accurate. ++ // ++ // We need to be careful that we don't misinterpret a non-self-closing tag ++ // as self-closing, as can happen if the tag contains unquoted attribute ++ // values (i.e.

). ++ // ++ // To avoid this, we check that the last non-bracket character of the tag ++ // (z.raw.end-2) isn't the same character as the last non-quote character of ++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has ++ // attributes. ++ nAttrs := len(z.attr) ++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { + return SelfClosingTagToken + } + return StartTagToken +-- +2.34.1 + diff --git a/SPECS/containerd2/CVE-2025-47291.patch b/SPECS/containerd2/CVE-2025-47291.patch new file mode 100644 index 0000000000..5393e181fb --- /dev/null +++ b/SPECS/containerd2/CVE-2025-47291.patch 
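Review bot: The comment added in readStartTag names a different field from the one the new condition uses: it says the comparison is against `z.pendingAttr[1].end-1`, but the code indexes the last parsed attribute, `z.attr[nAttrs-1][1].end-1`. This check is the whole fix (a trailing `/` that belongs to an unquoted attribute value must not mark the tag as self-closing), so the comment should name what is actually compared, e.g. `// the last attribute of the tag (z.attr[nAttrs-1][1].end-1), if the tag has`. The wording appears to come unchanged from the upstream commit referenced in the patch header, so if the backport has to stay identical to upstream, a short remark in the patch description would be enough. readStartTag's body starts and ends outside the hunk.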
@@ -0,0 +1,220 @@
+From 0bb95c53ec07aad729470844c8f0e5ab2838a8db Mon Sep 17 00:00:00 2001
+From: dj_palli
+Date: Mon, 2 Jun 2025 14:45:30 +0000
+Subject: [PATCH] Address CVE-2025-47291
+
+Upstream patch URL : https://github.com/containerd/containerd/commit/ec3567d6b369cde39739b41db8763a19d6f35c39
+
+---
+ client/container.go | 3 ++-
+ client/task.go | 27 ++++++++++++++++++++++
+ client/task_opts.go | 27 ++++++++--------------
+ client/task_opts_unix.go | 48 +++++++++++++---------------------------
+ 4 files changed, 53 insertions(+), 52 deletions(-)
+
+diff --git a/client/container.go b/client/container.go
+index b9cf25e..5763ae6 100644
+--- a/client/container.go
++++ b/client/container.go
+@@ -279,7 +279,8 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N
+ }
+ }
+ info := TaskInfo{
+- runtime: r.Runtime.Name,
++ runtime: r.Runtime.Name,
++ runtimeOptions: r.Runtime.Options,
+ }
+ for _, o := range opts {
+ if err := o(ctx, c.client, &info); err != nil {
+diff --git a/client/task.go b/client/task.go
+index 20312a9..152babe 100644
+--- a/client/task.go
++++ b/client/task.go
+@@ -146,6 +146,10 @@ type TaskInfo struct {
+
+ // runtime is the runtime name for the container, and cannot be changed.
+ runtime string
++ // runtimeOptions is the runtime options for the container, and when task options are set,
++ // they will be based on the runtimeOptions.
++ // https://github.com/containerd/containerd/issues/11568
++ runtimeOptions typeurl.Any
+ }
+
+ // Runtime name for the container
+@@ -153,6 +157,29 @@ func (i *TaskInfo) Runtime() string {
+ return i.runtime
+ }
+
++// getRuncOptions returns a reference to the runtime options for use by the task.
++// If the set of options is not set by the opts passed into the NewTask creation
++// this function first attempts to initialize the runtime options with a copy of the runtimeOptions,
++// otherwise an empty set of options is assigned and returned
++func (i *TaskInfo) getRuncOptions() (*options.Options, error) {
++ if i.Options != nil {
++ opts, ok := i.Options.(*options.Options)
++ if !ok {
++ return nil, errors.New("invalid runtime v2 options format")
++ }
++ return opts, nil
++ }
++
++ opts := &options.Options{}
++ if i.runtimeOptions != nil && i.runtimeOptions.GetValue() != nil {
++ if err := typeurl.UnmarshalTo(i.runtimeOptions, opts); err != nil {
++ return nil, fmt.Errorf("failed to get runtime v2 options: %w", err)
++ }
++ }
++ i.Options = opts
++ return opts, nil
++}
++
+ // Task is the executable object within containerd
+ type Task interface {
+ Process
+diff --git a/client/task_opts.go b/client/task_opts.go
+index 8e94d4c..27bde35 100644
+--- a/client/task_opts.go
++++ b/client/task_opts.go
+@@ -54,12 +54,9 @@ func WithRuntimePath(absRuntimePath string) NewTaskOpts {
+ // usually it is served inside a sandbox, and we can get it from sandbox status.
+ func WithTaskAPIEndpoint(address string, version uint32) NewTaskOpts {
+ return func(ctx context.Context, client *Client, info *TaskInfo) error {
+- if info.Options == nil {
+- info.Options = &options.Options{}
+- }
+- opts, ok := info.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid runtime v2 options format")
++ opts, err := info.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.TaskApiAddress = address
+ opts.TaskApiVersion = version
+@@ -119,12 +116,9 @@ func WithCheckpointImagePath(path string) CheckpointTaskOpts {
+ // WithRestoreImagePath sets image path for create option
+ func WithRestoreImagePath(path string) NewTaskOpts {
+ return func(ctx context.Context, c *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid runtime v2 options format")
++ opts, err := ti.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.CriuImagePath = path
+ return nil
+@@ -134,12 +128,9 @@ func WithRestoreImagePath(path string) NewTaskOpts {
+ // WithRestoreWorkPath sets criu work path for create option
+ func WithRestoreWorkPath(path string) NewTaskOpts {
+ return func(ctx context.Context, c *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid runtime v2 options format")
++ opts, err := ti.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.CriuWorkPath = path
+ return nil
+diff --git a/client/task_opts_unix.go b/client/task_opts_unix.go
+index d33e302..26b5c17 100644
+--- a/client/task_opts_unix.go
++++ b/client/task_opts_unix.go
+@@ -20,20 +20,14 @@ package client
+
+ import (
+ "context"
+- "errors"
+-
+- "github.com/containerd/containerd/api/types/runc/options"
+ )
+
+ // WithNoNewKeyring causes tasks not to be created with a new keyring for secret storage.
+ // There is an upper limit on the number of keyrings in a linux system
+ func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid v2 shim create options format")
++ opts, err := ti.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.NoNewKeyring = true
+ return nil
+@@ -41,12 +35,9 @@ func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error {
+
+ // WithNoPivotRoot instructs the runtime not to you pivot_root
+ func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid v2 shim create options format")
++ opts, err := ti.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.NoPivotRoot = true
+ return nil
+@@ -55,12 +46,9 @@ func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error {
+ // WithShimCgroup sets the existing cgroup for the shim
+ func WithShimCgroup(path string) NewTaskOpts {
+ return func(ctx context.Context, c *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid v2 shim create options format")
++ opts, err := ti.getRuncOptions()
++ if err != nil {
++ return err
+ }
+ opts.ShimCgroup = path
+ return nil
+@@ -70,12 +58,9 @@ func WithShimCgroup(path string) NewTaskOpts {
+ // WithUIDOwner allows console I/O to work with the remapped UID in user namespace
+ func WithUIDOwner(uid uint32) NewTaskOpts {
+ return func(ctx context.Context, c *Client, ti *TaskInfo) error {
+- if ti.Options == nil {
+- ti.Options = &options.Options{}
+- }
+- opts, ok := ti.Options.(*options.Options)
+- if !ok {
+- return errors.New("invalid v2 shim create options format")
++ opts, err := ti.getRuncOptions() ++ if err != nil { ++ return err + } + opts.IoUid = uid + return nil +@@ -85,12 +70,9 @@ func WithUIDOwner(uid uint32) NewTaskOpts { + // WithGIDOwner allows console I/O to work with the remapped GID in user namespace + func WithGIDOwner(gid uint32) NewTaskOpts { + return func(ctx context.Context, c *Client, ti *TaskInfo) error { +- if ti.Options == nil { +- ti.Options = &options.Options{} +- } +- opts, ok := ti.Options.(*options.Options) +- if !ok { +- return errors.New("invalid v2 shim create options format") ++ opts, err := ti.getRuncOptions() ++ if err != nil { ++ return err + } + opts.IoGid = gid + return nil +-- +2.45.2 + diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec index a3a441d18f..214c224d39 100644 --- a/SPECS/containerd2/containerd2.spec +++ b/SPECS/containerd2/containerd2.spec @@ -5,7 +5,7 @@ Summary: Industry-standard container runtime Name: %{upstream_name}2 Version: 2.0.0 -Release: 8%{?dist} +Release: 13%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -19,6 +19,10 @@ Source2: containerd.toml Patch0: CVE-2024-45338.patch Patch1: CVE-2025-27144.patch Patch2: CVE-2024-40635.patch +Patch3: CVE-2025-22872.patch +Patch4: CVE-2025-47291.patch +Patch5: multi-snapshotters-support.patch +Patch6: tardev-support.patch %{?systemd_requires} BuildRequires: golang @@ -37,6 +41,10 @@ Requires: %{name}-stress = %{version}-%{release} Provides: moby-containerd = %{version}-%{release} Obsoletes: moby-containerd < %{version}-%{release} +# This package replaces moby-containerd-cc +Provides: moby-containerd-cc = %{version}-%{release} +Obsoletes: moby-containerd-cc < %{version}-%{release} + %description containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux 
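Review bot: getRuncOptions in the client/task.go hunk returns an error, rather than falling back to empty options, when the container's stored runtime options are not runc options, because `typeurl.UnmarshalTo(i.runtimeOptions, opts)` presumably rejects a mismatched type. Every helper rewritten in this patch (WithTaskAPIEndpoint, WithRestoreImagePath, WithRestoreWorkPath, WithNoNewKeyring, WithNoPivotRoot, WithShimCgroup, WithUIDOwner, WithGIDOwner) inherits that error path, where the removed code created a blank `options.Options` whenever `Options` was nil. That is probably intended, since silently dropping the container's runtime options is what the CVE fix is about, but the doc comment only describes the success cases; I would add `// It returns an error if the container's runtime options cannot be decoded as runc options.` to it. The patch's diffstat lists no test file, so nothing visible here pins that a field set in the runtime options survives a later task option.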
@@ -116,14 +124,22 @@ fi %dir /opt/containerd/bin %dir /opt/containerd/lib +%files stress +%{_bindir}/containerd-stress + %files ctr %{_bindir}/ctr %{_mandir}/man8/ctr.8.gz -%files stress -%{_bindir}/containerd-stress - %changelog +* Mon Sep 8 2025 Lee Chee Yang - 2.0.0-13 +- merge from Azure Linux 3.0.20250822-3.0. +- Add "Provides/Obsoletes:" to shift all installs of moby-containerd-cc to containerd2 +- Add updated tardev-snapshotter support patch +- Add updated multi-snapshotters-support patch +- Patch CVE-2025-47291 +- Patch CVE-2025-22872 + * Fri Jul 18 2025 Ranjan Dutta - 2.0.0-8 - merge from Azure Linux 3.0.20250521-3.0 - Fix CVE-2024-40635 diff --git a/SPECS/containerd2/multi-snapshotters-support.patch b/SPECS/containerd2/multi-snapshotters-support.patch new file mode 100644 index 0000000000..3fae23406f --- /dev/null +++ b/SPECS/containerd2/multi-snapshotters-support.patch 
@@ -0,0 +1,279 @@
+From 5b8c263396b67acc8ea67e22d532e69e04085b35 Mon Sep 17 00:00:00 2001
+From: Mitch Zhu
+Date: Thu, 22 May 2025 23:55:57 +0000
+Subject: [PATCH] Add multi-snapshotter support
+
+---
+ internal/cri/server/container_status_test.go | 2 +-
+ internal/cri/server/images/image_pull.go | 37 +++++++++++--------
+ internal/cri/server/images/image_pull_test.go | 2 +-
+ internal/cri/server/podsandbox/controller.go | 2 +-
+ internal/cri/server/podsandbox/sandbox_run.go | 30 ++++++++-------
+ internal/cri/server/service.go | 2 +-
+ internal/cri/store/image/image.go | 29 ++++++++++++---
+ 7 files changed, 66 insertions(+), 38 deletions(-)
+
+diff --git a/internal/cri/server/container_status_test.go b/internal/cri/server/container_status_test.go
+index 05b1650..71dcc10 100644
+--- a/internal/cri/server/container_status_test.go
++++ b/internal/cri/server/container_status_test.go
+@@ -302,7 +302,7 @@ func (s *fakeImageService) LocalResolve(refOrID string) (imagestore.Image, error
+
+ func (s *fakeImageService) ImageFSPaths() map[string]string { return make(map[string]string) }
+
+-func (s *fakeImageService) PullImage(context.Context, string, func(string) (string, string, error), *runtime.PodSandboxConfig, string) (string, error) {
++func (s *fakeImageService) PullImage(context.Context, string, func(string) (string, string, error), *runtime.PodSandboxConfig, string, string) (string, error) {
+ return "", errors.New("not implemented")
+ }
+
+diff --git a/internal/cri/server/images/image_pull.go b/internal/cri/server/images/image_pull.go
+index e59b88b..f9c90b7 100644
+--- a/internal/cri/server/images/image_pull.go
++++ b/internal/cri/server/images/image_pull.go
+@@ -96,6 +96,15 @@ import (
+
+ // PullImage pulls an image with authentication config.
+ func (c *GRPCCRIImageService) PullImage(ctx context.Context, r *runtime.PullImageRequest) (_ *runtime.PullImageResponse, err error) {
++ imageRef := r.GetImage().GetImage()
++ snapshotter, err := c.snapshotterFromPodSandboxConfig(ctx, imageRef, r.SandboxConfig, r.GetImage().GetRuntimeHandler())
++ if err != nil {
++ return nil, err
++ }
++ return c.pullImage(ctx, r, snapshotter)
++}
++
++func (c *GRPCCRIImageService) pullImage(ctx context.Context, r *runtime.PullImageRequest, snapshotter string) (_ *runtime.PullImageResponse, err error) {
+
+ imageRef := r.GetImage().GetImage()
+
+@@ -110,14 +119,14 @@ func (c *GRPCCRIImageService) PullImage(ctx context.Context, r *runtime.PullImag
+ return ParseAuth(hostauth, host)
+ }
+
+- ref, err := c.CRIImageService.PullImage(ctx, imageRef, credentials, r.SandboxConfig, r.GetImage().GetRuntimeHandler())
++ ref, err := c.CRIImageService.PullImage(ctx, imageRef, credentials, r.SandboxConfig, r.GetImage().GetRuntimeHandler(), snapshotter)
+ if err != nil {
+ return nil, err
+ }
+ return &runtime.PullImageResponse{ImageRef: ref}, nil
+ }
+
+-func (c *CRIImageService) PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string) (_ string, err error) {
++func (c *CRIImageService) PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (_ string, err error) {
+ span := tracing.SpanFromContext(ctx)
+ defer func() {
+ // TODO: add domain label for imagePulls metrics, and we may need to provide a mechanism
+@@ -167,10 +176,6 @@ func (c *CRIImageService) PullImage(ctx context.Context, name string, credential
+ )
+
+ defer pcancel()
+- snapshotter, err := c.snapshotterFromPodSandboxConfig(ctx, ref, sandboxConfig)
+- if err != nil {
+- return "", err
+- }
+ log.G(ctx).Debugf("PullImage %q with snapshotter %s", ref, snapshotter)
+ span.SetAttributes(
+ tracing.Attribute("image.ref", ref),
+@@ -761,17 +766,19 @@ func (rt *pullRequestReporterRoundTripper) RoundTrip(req *http.Request) (*http.R
+ // Once we know the runtime, try to override default snapshotter if it is set for this runtime.
+ // See https://github.com/containerd/containerd/issues/6657
+ func (c *CRIImageService) snapshotterFromPodSandboxConfig(ctx context.Context, imageRef string,
+- s *runtime.PodSandboxConfig) (string, error) {
++ s *runtime.PodSandboxConfig, runtimeHandler string) (string, error) {
+ snapshotter := c.config.Snapshotter
+- if s == nil || s.Annotations == nil {
+- return snapshotter, nil
+- }
+
+- // TODO(kiashok): honor the new CRI runtime handler field added to v0.29.0
+- // for image pull per runtime class support.
+- runtimeHandler, ok := s.Annotations[annotations.RuntimeHandler]
+- if !ok {
+- return snapshotter, nil
++ if runtimeHandler == "" {
++ if s == nil || s.Annotations == nil {
++ return snapshotter, nil
++ } else {
++ ok := false
++ runtimeHandler, ok = s.Annotations[annotations.RuntimeHandler]
++ if !ok {
++ return snapshotter, nil
++ }
++ }
+ }
+
+ // TODO: Ensure error is returned if runtime not found?
+diff --git a/internal/cri/server/images/image_pull_test.go b/internal/cri/server/images/image_pull_test.go
+index bc79e35..af6a451 100644
+--- a/internal/cri/server/images/image_pull_test.go
++++ b/internal/cri/server/images/image_pull_test.go
+@@ -429,7 +429,7 @@ func TestSnapshotterFromPodSandboxConfig(t *testing.T) {
+ Platform: platforms.DefaultSpec(),
+ Snapshotter: runtimeSnapshotter,
+ }
+- snapshotter, err := cri.snapshotterFromPodSandboxConfig(context.Background(), "test-image", tt.podSandboxConfig)
++ snapshotter, err := cri.snapshotterFromPodSandboxConfig(context.Background(), "test-image", tt.podSandboxConfig, "")
+ assert.Equal(t, tt.expectedSnapshotter, snapshotter)
+ if tt.expectedErr {
+ assert.Error(t, err)
+diff --git a/internal/cri/server/podsandbox/controller.go b/internal/cri/server/podsandbox/controller.go
+index a185a4c..8fd032b 100644
+--- a/internal/cri/server/podsandbox/controller.go
++++ b/internal/cri/server/podsandbox/controller.go
+@@ -110,7 +110,7 @@ type RuntimeService interface {
+ type ImageService interface {
+ LocalResolve(refOrID string) (imagestore.Image, error)
+ GetImage(id string) (imagestore.Image, error)
+- PullImage(ctx context.Context, name string, creds func(string) (string, string, error), sc *runtime.PodSandboxConfig, runtimeHandler string) (string, error)
++ PullImage(ctx context.Context, name string, creds func(string) (string, string, error), sc *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (string, error)
+ RuntimeSnapshotter(ctx context.Context, ociRuntime criconfig.Runtime) string
+ PinnedImage(string) string
+ }
+diff --git a/internal/cri/server/podsandbox/sandbox_run.go b/internal/cri/server/podsandbox/sandbox_run.go
+index 53d949f..35e0075 100644
+--- a/internal/cri/server/podsandbox/sandbox_run.go
++++ b/internal/cri/server/podsandbox/sandbox_run.go
+@@ -77,23 +77,25 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
+
+ sandboxImage := c.getSandboxImageName()
+ // Ensure sandbox container image snapshot.
+- image, err := c.ensureImageExists(ctx, sandboxImage, config, metadata.RuntimeHandler)
++ ociRuntime, err := c.config.GetSandboxRuntime(config, metadata.RuntimeHandler)
+ if err != nil {
+- return cin, fmt.Errorf("failed to get sandbox image %q: %w", sandboxImage, err)
++ return cin, fmt.Errorf("failed to get sandbox runtime: %w", err)
+ }
++ log.G(ctx).WithField("podsandboxid", id).Debugf("use OCI runtime %+v", ociRuntime)
+
+- containerdImage, err := c.toContainerdImage(ctx, *image)
++ labels["oci_runtime_type"] = ociRuntime.Type
++
++ snapshotter := c.imageService.RuntimeSnapshotter(ctx, ociRuntime)
++
++ image, err := c.ensureImageExists(ctx, sandboxImage, config, metadata.RuntimeHandler, snapshotter)
+ if err != nil {
+- return cin, fmt.Errorf("failed to get image from containerd %q: %w", image.ID, err)
++ return cin, fmt.Errorf("failed to get sandbox image %q: %w", sandboxImage, err)
+ }
+
+- ociRuntime, err := c.config.GetSandboxRuntime(config, metadata.RuntimeHandler)
++ containerdImage, err := c.toContainerdImage(ctx, *image)
+ if err != nil {
+- return cin, fmt.Errorf("failed to get sandbox runtime: %w", err)
++ return cin, fmt.Errorf("failed to get image from containerd %q: %w", image.ID, err)
+ }
+- log.G(ctx).WithField("podsandboxid", id).Debugf("use OCI runtime %+v", ociRuntime)
+-
+- labels["oci_runtime_type"] = ociRuntime.Type
+
+ // Create sandbox container root directories.
+ sandboxRootDir := c.getSandboxRootDir(id)
+@@ -173,7 +175,7 @@ func (c *Controller) Start(ctx context.Context, id string) (cin sandbox.Controll
+ snapshotterOpt = append(snapshotterOpt, extraSOpts...)
+
+ opts := []containerd.NewContainerOpts{
+- containerd.WithSnapshotter(c.imageService.RuntimeSnapshotter(ctx, ociRuntime)),
++ containerd.WithSnapshotter(snapshotter),
+ customopts.WithNewSnapshot(id, containerdImage, snapshotterOpt...),
+ containerd.WithSpec(spec, specOpts...),
+ containerd.WithContainerLabels(sandboxLabels),
+@@ -299,17 +301,19 @@ func (c *Controller) Create(_ctx context.Context, info sandbox.Sandbox, opts ...
+ return c.store.Save(podSandbox)
+ }
+
+-func (c *Controller) ensureImageExists(ctx context.Context, ref string, config *runtime.PodSandboxConfig, runtimeHandler string) (*imagestore.Image, error) {
++func (c *Controller) ensureImageExists(ctx context.Context, ref string, config *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (*imagestore.Image, error) {
+ image, err := c.imageService.LocalResolve(ref)
+ if err != nil && !errdefs.IsNotFound(err) {
+ return nil, fmt.Errorf("failed to get image %q: %w", ref, err)
+ }
+ if err == nil {
+- return &image, nil
++ if _, ok := image.Snapshotters[snapshotter]; ok || len(image.Snapshotters) == 0 {
++ return &image, nil
++ }
+ }
+ // Pull image to ensure the image exists
+ // TODO: Cleaner interface
+- imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler)
++ imageID, err := c.imageService.PullImage(ctx, ref, nil, config, runtimeHandler, snapshotter)
+ if err != nil {
+ return nil, fmt.Errorf("failed to pull image %q: %w", ref, err)
+ }
+diff --git a/internal/cri/server/service.go b/internal/cri/server/service.go
+index 37d66f0..5d1546e 100644
+--- a/internal/cri/server/service.go
++++ b/internal/cri/server/service.go
+@@ -97,7 +97,7 @@ type RuntimeService interface {
+ type ImageService interface {
+ RuntimeSnapshotter(ctx context.Context, ociRuntime criconfig.Runtime) string
+
+- PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string) (string, error)
++ PullImage(ctx context.Context, name string, credentials func(string) (string, string, error), sandboxConfig *runtime.PodSandboxConfig, runtimeHandler string, snapshotter string) (string, error)
+ UpdateImage(ctx context.Context, r string) error
+
+ CheckImages(ctx context.Context) error
+diff --git a/internal/cri/store/image/image.go b/internal/cri/store/image/image.go
+index 5887e75..43ecf0d 100644
+--- a/internal/cri/store/image/image.go
++++ b/internal/cri/store/image/image.go
+@@ -20,6 +20,7 @@ import (
+ "context"
+ "encoding/json"
+ "fmt"
++ "strings"
+ "sync"
+
+ "github.com/containerd/containerd/v2/core/content"
+@@ -53,6 +54,8 @@ type Image struct {
+ ImageSpec imagespec.Image
+ // Pinned image to prevent it from garbage collection
+ Pinned bool
++ // Snapshotters is a map whose keys are snapshotters for which this image has a snapshot.
++ Snapshotters map[string]struct{}
+ }
+
+ // Getter is used to get images but does not make changes
+@@ -170,6 +173,19 @@ func (s *Store) getImage(ctx context.Context, i images.Image) (*Image, error) {
+ return nil, fmt.Errorf("read image config from content store: %w", err)
+ }
+
++ info, err := s.provider.Info(ctx, desc.Digest)
++ if err != nil {
++ return nil, fmt.Errorf("get content store config info: %w", err)
++ }
++
++ snapshotters := make(map[string]struct{})
++ for label := range info.Labels {
++ const Prefix = "containerd.io/gc.ref.snapshot."
++ if strings.HasPrefix(label, Prefix) {
++ snapshotters[label[len(Prefix):]] = struct{}{}
++ }
++ }
++
+ var spec imagespec.Image
+ if err := json.Unmarshal(blob, &spec); err != nil {
+ return nil, fmt.Errorf("unmarshal image config %s: %w", blob, err)
+@@ -178,12 +194,13 @@ func (s *Store) getImage(ctx context.Context, i images.Image) (*Image, error) {
+ pinned := i.Labels[labels.PinnedImageLabelKey] == labels.PinnedImageLabelValue
+
+ return &Image{
+- ID: id,
+- References: []string{i.Name},
+- ChainID: chainID.String(),
+- Size: size,
+- ImageSpec: spec,
+- Pinned: pinned,
++ ID: id,
++ References: []string{i.Name},
++ ChainID: chainID.String(),
++ Size: size,
++ ImageSpec: spec,
++ Pinned: pinned,
++ Snapshotters: snapshotters,
+ }, nil
+
+ }
+--
+2.34.1
+
diff --git a/SPECS/containerd2/tardev-support.patch b/SPECS/containerd2/tardev-support.patch
new file mode 100644
index 0000000000..5ab03ccd53
--- /dev/null
+++ b/SPECS/containerd2/tardev-support.patch
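Review bot: The label loop added to getImage in internal/cri/store/image/image.go stores everything after `containerd.io/gc.ref.snapshot.` as the snapshotter name, so a label key that carries a suffix after the snapshotter (containerd's GC reference labels can, as far as I know, take a `/<key>` suffix) would never match the lookup `image.Snapshotters[snapshotter]` in ensureImageExists. A miss there is not harmless, because it falls through to `PullImage(ctx, ref, nil, config, runtimeHandler, snapshotter)`, a pull of the sandbox image with nil credentials from the sandbox Start path. I would trim the key, e.g. `if name, ok := strings.CutPrefix(label, prefix); ok { name, _, _ = strings.Cut(name, "/"); snapshotters[name] = struct{}{} }`, and declare the prefix once outside the loop under an unexported name. The test hunk only passes `""` for the new runtimeHandler argument, so the branch where the handler comes from the request is not covered by anything visible here. getImage and ensureImageExists both continue outside the patch's hunks.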
@@ -0,0 +1,38 @@ +From b11c8fadd114d1c75480fcfb600587351e1789bc Mon Sep 17 00:00:00 2001 +From: Mitch Zhu +Date: Tue, 27 May 2025 21:19:31 +0000 +Subject: [PATCH] tardev-snapshotter support patch + +--- + client/image.go | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/client/image.go b/client/image.go +index 355bcba..54b5890 100644 +--- a/client/image.go ++++ b/client/image.go +@@ -31,6 +31,7 @@ import ( + "github.com/containerd/containerd/v2/internal/kmutex" + "github.com/containerd/containerd/v2/pkg/labels" + "github.com/containerd/containerd/v2/pkg/rootfs" ++ "github.com/containerd/containerd/v2/pkg/snapshotters" + "github.com/containerd/errdefs" + "github.com/containerd/platforms" + "github.com/opencontainers/go-digest" +@@ -333,7 +334,12 @@ func (i *image) Unpack(ctx context.Context, snapshotterName string, opts ...Unpa + } + + for _, layer := range layers { +- unpacked, err = rootfs.ApplyLayerWithOpts(ctx, layer, chain, sn, a, config.SnapshotOpts, config.ApplyOpts) ++ snOpts := append(config.SnapshotOpts, snapshots.WithLabels(map[string]string{ ++ snapshotters.TargetLayerDigestLabel: layer.Blob.Digest.String(), ++ snapshotters.TargetManifestDigestLabel: i.Target().Digest.String(), ++ snapshotters.TargetRefLabel: i.Name(), ++ })) ++ unpacked, err = rootfs.ApplyLayerWithOpts(ctx, layer, chain, sn, a, snOpts, config.ApplyOpts) + if err != nil { + return fmt.Errorf("apply layer error for %q: %w", i.Name(), err) + } +-- +2.34.1 + diff --git a/SPECS/core-packages/core-packages.spec b/SPECS/core-packages/core-packages.spec index 574077f276..857dfb6811 100644 --- a/SPECS/core-packages/core-packages.spec +++ b/SPECS/core-packages/core-packages.spec @@ -3,8 +3,8 @@ Name: core-packages Version: %{emt}.0 Release: 6%{?dist} License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Azure Linux +Vendor: Intel Corporation +Distribution: Edge Microvisor Toolkit Group: System Environment/Base URL: https://aka.ms/mariner 
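Review bot: `append(config.SnapshotOpts, ...)` inside the layer loop of Unpack can write into the backing array of the caller's option slice when that slice has spare capacity, so the per-layer label option may land in storage shared with whoever built `config.SnapshotOpts`. Clipping the slice once before the loop avoids that: `base := config.SnapshotOpts[:len(config.SnapshotOpts):len(config.SnapshotOpts)]`, then `snOpts := append(base, snapshots.WithLabels(...))` per layer. `i.Target().Digest.String()` and `i.Name()` do not change between layers and could be computed once above the loop. Unpack starts and ends outside this hunk, so how `config.SnapshotOpts` is populated is not visible here.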
@@ -89,8 +89,9 @@ Requires: zlib %files container %changelog -* Mon July 16 2024 Jon Slobodzian - 3.0-6 -- Restore azurelinux-repos to their production versions for all images. +* Mon Sep 8 2025 Lee Chee Yang - 3.0-6 +- merge from Azure Linux 3.0.20250822-3.0. +- Initial Edge Microvisor Toolkit import from Azure Linux (license: MIT). License verified. * Mon July 08 2024 Riken Maharjan - 3.0-5 - Add azurelinux-repos-ms-oss-preview to the base container diff --git a/SPECS/coredns/CVE-2025-47950.patch b/SPECS/coredns/CVE-2025-47950.patch new file mode 100644 index 0000000000..43a06bccbc --- /dev/null +++ b/SPECS/coredns/CVE-2025-47950.patch 
@@ -0,0 +1,849 @@ +From 9ceb055d96d6c3c6e7485c0cf456467bb82a32fd Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Mon, 16 Jun 2025 15:03:49 -0400 +Subject: [PATCH] Address CVE-2025-47950 +Upstream Patch Reference: https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1 +--- + core/dnsserver/config.go | 8 ++ + core/dnsserver/server_quic.go | 49 +++++-- + core/dnsserver/zdirectives.go | 1 + + core/plugin/zplugin.go | 1 + + man/coredns-quic.7 | 69 ++++++++++ + plugin.cfg | 1 + + plugin/quic/README.md | 48 +++++++ + plugin/quic/setup.go | 79 +++++++++++ + plugin/quic/setup_test.go | 242 ++++++++++++++++++++++++++++++++++ + test/quic_test.go | 189 ++++++++++++++++++++++++++ + 10 files changed, 678 insertions(+), 9 deletions(-) + create mode 100644 man/coredns-quic.7 + create mode 100644 plugin/quic/README.md + create mode 100644 plugin/quic/setup.go + create mode 100644 plugin/quic/setup_test.go + +diff --git a/core/dnsserver/config.go b/core/dnsserver/config.go +index 9e11166..cba5795 100644 +--- a/core/dnsserver/config.go ++++ b/core/dnsserver/config.go +@@ -54,6 +54,14 @@ type Config struct { + // TLSConfig when listening for encrypted connections (gRPC, DNS-over-TLS). + TLSConfig *tls.Config + ++ // MaxQUICStreams defines the maximum number of concurrent QUIC streams for a QUIC server. ++ // This is nil if not specified, allowing for a default to be used. ++ MaxQUICStreams *int ++ ++ // MaxQUICWorkerPoolSize defines the size of the worker pool for processing QUIC streams. ++ // This is nil if not specified, allowing for a default to be used. ++ MaxQUICWorkerPoolSize *int ++ + // Timeouts for TCP, TLS and HTTPS servers. 
+ ReadTimeout time.Duration + WriteTimeout time.Duration +diff --git a/core/dnsserver/server_quic.go b/core/dnsserver/server_quic.go +index ba7867c..a744cd0 100644 +--- a/core/dnsserver/server_quic.go ++++ b/core/dnsserver/server_quic.go +@@ -7,7 +7,6 @@ import ( + "errors" + "fmt" + "io" +- "math" + "net" + + "github.com/coredns/coredns/plugin/metrics/vars" +@@ -32,15 +31,26 @@ const ( + // DoQCodeProtocolError signals that the DoQ implementation encountered + // a protocol error and is forcibly aborting the connection. + DoQCodeProtocolError quic.ApplicationErrorCode = 2 ++ ++ // DefaultMaxQUICStreams is the default maximum number of concurrent QUIC streams ++ // on a per-connection basis. RFC 9250 (DNS-over-QUIC) does not require a high ++ // concurrent-stream limit; normal stub or recursive resolvers open only a handful ++ // of streams in parallel. This default (256) is a safe upper bound. ++ DefaultMaxQUICStreams = 256 ++ ++ // DefaultQUICStreamWorkers is the default number of workers for processing QUIC streams. ++ DefaultQUICStreamWorkers = 1024 + ) + + // ServerQUIC represents an instance of a DNS-over-QUIC server. + type ServerQUIC struct { + *Server +- listenAddr net.Addr +- tlsConfig *tls.Config +- quicConfig *quic.Config +- quicListener *quic.Listener ++ listenAddr net.Addr ++ tlsConfig *tls.Config ++ quicConfig *quic.Config ++ quicListener *quic.Listener ++ maxStreams int ++ streamProcessPool chan struct{} + } + + // NewServerQUIC returns a new CoreDNS QUIC server and compiles all plugin in to it. 
+@@ -63,16 +73,32 @@ func NewServerQUIC(addr string, group []*Config) (*ServerQUIC, error) { + tlsConfig.NextProtos = []string{"doq"} + } + ++ maxStreams := DefaultMaxQUICStreams ++ if len(group) > 0 && group[0] != nil && group[0].MaxQUICStreams != nil { ++ maxStreams = *group[0].MaxQUICStreams ++ } ++ ++ streamProcessPoolSize := DefaultQUICStreamWorkers ++ if len(group) > 0 && group[0] != nil && group[0].MaxQUICWorkerPoolSize != nil { ++ streamProcessPoolSize = *group[0].MaxQUICWorkerPoolSize ++ } ++ + var quicConfig *quic.Config + quicConfig = &quic.Config{ + MaxIdleTimeout: s.idleTimeout, +- MaxIncomingStreams: math.MaxUint16, +- MaxIncomingUniStreams: math.MaxUint16, ++ MaxIncomingStreams: int64(maxStreams), ++ MaxIncomingUniStreams: int64(maxStreams), + // Enable 0-RTT by default for all connections on the server-side. + Allow0RTT: true, + } + +- return &ServerQUIC{Server: s, tlsConfig: tlsConfig, quicConfig: quicConfig}, nil ++ return &ServerQUIC{ ++ Server: s, ++ tlsConfig: tlsConfig, ++ quicConfig: quicConfig, ++ maxStreams: maxStreams, ++ streamProcessPool: make(chan struct{}, streamProcessPoolSize), ++ }, nil + } + + // ServePacket implements caddy.UDPServer interface. 
+@@ -120,7 +146,12 @@ func (s *ServerQUIC) serveQUICConnection(conn quic.Connection) { + return + } + +- go s.serveQUICStream(stream, conn) ++ // Use a bounded worker pool ++ s.streamProcessPool <- struct{}{} // Acquire a worker slot, may block ++ go func(st quic.Stream, cn quic.Connection) { ++ defer func() { <-s.streamProcessPool }() // Release worker slot ++ s.serveQUICStream(st, cn) ++ }(stream, conn) + } + } + +diff --git a/core/dnsserver/zdirectives.go b/core/dnsserver/zdirectives.go +index 83743ac..eb054c9 100644 +--- a/core/dnsserver/zdirectives.go ++++ b/core/dnsserver/zdirectives.go +@@ -15,6 +15,7 @@ var Directives = []string{ + "geoip", + "cancel", + "tls", ++ "quic", + "timeouts", + "reload", + "nsid", +diff --git a/core/plugin/zplugin.go b/core/plugin/zplugin.go +index b97cd85..5cdb101 100644 +--- a/core/plugin/zplugin.go ++++ b/core/plugin/zplugin.go +@@ -41,6 +41,7 @@ import ( + _ "github.com/coredns/coredns/plugin/minimal" + _ "github.com/coredns/coredns/plugin/nsid" + _ "github.com/coredns/coredns/plugin/pprof" ++ _ "github.com/coredns/coredns/plugin/quic" + _ "github.com/coredns/coredns/plugin/ready" + _ "github.com/coredns/coredns/plugin/reload" + _ "github.com/coredns/coredns/plugin/rewrite" +diff --git a/man/coredns-quic.7 b/man/coredns-quic.7 +new file mode 100644 +index 0000000..6301ec2 +--- /dev/null ++++ b/man/coredns-quic.7 +@@ -0,0 +1,69 @@ ++.\" Generated by Mmark Markdown Processer - mmark.miek.nl ++.TH "COREDNS-QUIC" 7 "May 2025" "CoreDNS" "CoreDNS Plugins" ++ ++.SH "NAME" ++.PP ++\fIquic\fP - configures DNS-over-QUIC (DoQ) server options. ++ ++.SH "DESCRIPTION" ++.PP ++The \fIquic\fP plugin allows you to configure parameters for the DNS-over-QUIC (DoQ) server to fine-tune the security posture and performance of the server. ++ ++.PP ++This plugin can only be used once per quic Server Block. 
++ ++.SH "SYNTAX" ++.PP ++.RS ++ ++.nf ++quic { ++ max\_streams POSITIVE\_INTEGER ++ worker\_pool\_size POSITIVE\_INTEGER ++} ++ ++.fi ++.RE ++ ++.IP \(bu 4 ++\fB\fCmax_streams\fR limits the number of concurrent QUIC streams per connection. This helps prevent DoS attacks where an attacker could open many streams on a single connection, exhausting server resources. The default value is 256 if not specified. ++.IP \(bu 4 ++\fB\fCworker_pool_size\fR defines the size of the worker pool for processing QUIC streams across all connections. The default value is 512 if not specified. This limits the total number of concurrent streams that can be processed across all connections. ++ ++ ++.SH "EXAMPLES" ++.PP ++Enable DNS-over-QUIC with default settings (256 concurrent streams per connection, 512 worker pool size): ++ ++.PP ++.RS ++ ++.nf ++quic://.:8853 { ++ tls cert.pem key.pem ++ quic ++ whoami ++} ++ ++.fi ++.RE ++ ++.PP ++Set custom limits for maximum QUIC streams per connection and worker pool size: ++ ++.PP ++.RS ++ ++.nf ++quic://.:8853 { ++ tls cert.pem key.pem ++ quic { ++ max\_streams 16 ++ worker\_pool\_size 65536 ++ } ++ whoami ++} ++ ++.fi ++.RE ++ +diff --git a/plugin.cfg b/plugin.cfg +index 532c3dd..a01852b 100644 +--- a/plugin.cfg ++++ b/plugin.cfg +@@ -24,6 +24,7 @@ metadata:metadata + geoip:geoip + cancel:cancel + tls:tls ++quic:quic + timeouts:timeouts + reload:reload + nsid:nsid +diff --git a/plugin/quic/README.md b/plugin/quic/README.md +new file mode 100644 +index 0000000..63fe56d +--- /dev/null ++++ b/plugin/quic/README.md +@@ -0,0 +1,48 @@ ++# quic ++ ++## Name ++ ++*quic* - configures DNS-over-QUIC (DoQ) server options. ++ ++## Description ++ ++The *quic* plugin allows you to configure parameters for the DNS-over-QUIC (DoQ) server to fine-tune the security posture and performance of the server. ++ ++This plugin can only be used once per quic Server Block. 
++ ++## Syntax ++ ++```txt ++quic { ++ max_streams POSITIVE_INTEGER ++ worker_pool_size POSITIVE_INTEGER ++} ++``` ++ ++* `max_streams` limits the number of concurrent QUIC streams per connection. This helps prevent DoS attacks where an attacker could open many streams on a single connection, exhausting server resources. The default value is 256 if not specified. ++* `worker_pool_size` defines the size of the worker pool for processing QUIC streams across all connections. The default value is 512 if not specified. This limits the total number of concurrent streams that can be processed across all connections. ++ ++## Examples ++ ++Enable DNS-over-QUIC with default settings (256 concurrent streams per connection, 512 worker pool size): ++ ++``` ++quic://.:8853 { ++ tls cert.pem key.pem ++ quic ++ whoami ++} ++``` ++ ++Set custom limits for maximum QUIC streams per connection and worker pool size: ++ ++``` ++quic://.:8853 { ++ tls cert.pem key.pem ++ quic { ++ max_streams 16 ++ worker_pool_size 65536 ++ } ++ whoami ++} ++``` +diff --git a/plugin/quic/setup.go b/plugin/quic/setup.go +new file mode 100644 +index 0000000..4c49101 +--- /dev/null ++++ b/plugin/quic/setup.go +@@ -0,0 +1,79 @@ ++package quic ++ ++import ( ++ "strconv" ++ ++ "github.com/coredns/caddy" ++ "github.com/coredns/coredns/core/dnsserver" ++ "github.com/coredns/coredns/plugin" ++) ++ ++func init() { ++ caddy.RegisterPlugin("quic", caddy.Plugin{ ++ ServerType: "dns", ++ Action: setup, ++ }) ++} ++ ++func setup(c *caddy.Controller) error { ++ err := parseQuic(c) ++ if err != nil { ++ return plugin.Error("quic", err) ++ } ++ return nil ++} ++ ++func parseQuic(c *caddy.Controller) error { ++ config := dnsserver.GetConfig(c) ++ ++ // Skip the "quic" directive itself ++ c.Next() ++ ++ // Get any arguments on the "quic" line ++ args := c.RemainingArgs() ++ if len(args) > 0 { ++ return c.ArgErr() ++ } ++ ++ // Process all nested directives in the block ++ for c.NextBlock() { ++ switch c.Val() { ++ case 
"max_streams": ++ args := c.RemainingArgs() ++ if len(args) != 1 { ++ return c.ArgErr() ++ } ++ val, err := strconv.Atoi(args[0]) ++ if err != nil { ++ return c.Errf("invalid max_streams value '%s': %v", args[0], err) ++ } ++ if val <= 0 { ++ return c.Errf("max_streams must be a positive integer: %d", val) ++ } ++ if config.MaxQUICStreams != nil { ++ return c.Err("max_streams already defined for this server block") ++ } ++ config.MaxQUICStreams = &val ++ case "worker_pool_size": ++ args := c.RemainingArgs() ++ if len(args) != 1 { ++ return c.ArgErr() ++ } ++ val, err := strconv.Atoi(args[0]) ++ if err != nil { ++ return c.Errf("invalid worker_pool_size value '%s': %v", args[0], err) ++ } ++ if val <= 0 { ++ return c.Errf("worker_pool_size must be a positive integer: %d", val) ++ } ++ if config.MaxQUICWorkerPoolSize != nil { ++ return c.Err("worker_pool_size already defined for this server block") ++ } ++ config.MaxQUICWorkerPoolSize = &val ++ default: ++ return c.Errf("unknown property '%s'", c.Val()) ++ } ++ } ++ ++ return nil ++} +diff --git a/plugin/quic/setup_test.go b/plugin/quic/setup_test.go +new file mode 100644 +index 0000000..48a982b +--- /dev/null ++++ b/plugin/quic/setup_test.go +@@ -0,0 +1,242 @@ ++package quic ++ ++import ( ++ "fmt" ++ "strings" ++ "testing" ++ ++ "github.com/coredns/caddy" ++ "github.com/coredns/coredns/core/dnsserver" ++) ++ ++func TestQuicSetup(t *testing.T) { ++ tests := []struct { ++ input string ++ shouldErr bool ++ expectedMaxStreams *int ++ expectedWorkerPoolSize *int ++ expectedErrContent string ++ }{ ++ // Valid configurations ++ { ++ input: `quic`, ++ shouldErr: false, ++ expectedMaxStreams: nil, ++ expectedWorkerPoolSize: nil, ++ }, ++ { ++ input: `quic { ++ }`, ++ shouldErr: false, ++ expectedMaxStreams: nil, ++ expectedWorkerPoolSize: nil, ++ }, ++ { ++ input: `quic { ++ max_streams 100 ++ }`, ++ shouldErr: false, ++ expectedMaxStreams: pint(100), ++ expectedWorkerPoolSize: nil, ++ }, ++ { ++ input: `quic { ++ 
worker_pool_size 1000 ++ }`, ++ shouldErr: false, ++ expectedMaxStreams: nil, ++ expectedWorkerPoolSize: pint(1000), ++ }, ++ { ++ input: `quic { ++ max_streams 100 ++ worker_pool_size 1000 ++ }`, ++ shouldErr: false, ++ expectedMaxStreams: pint(100), ++ expectedWorkerPoolSize: pint(1000), ++ }, ++ { ++ input: `quic { ++ # Comment ++ }`, ++ shouldErr: false, ++ expectedMaxStreams: nil, ++ expectedWorkerPoolSize: nil, ++ }, ++ // Invalid configurations ++ { ++ input: `quic arg`, ++ shouldErr: true, ++ expectedErrContent: "Wrong argument count", ++ }, ++ { ++ input: `quic { ++ max_streams ++ }`, ++ shouldErr: true, ++ expectedErrContent: "Wrong argument count", ++ }, ++ { ++ input: `quic { ++ max_streams abc ++ }`, ++ shouldErr: true, ++ expectedErrContent: "invalid max_streams value", ++ }, ++ { ++ input: `quic { ++ max_streams 0 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "positive integer", ++ }, ++ { ++ input: `quic { ++ max_streams -10 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "positive integer", ++ }, ++ { ++ input: `quic { ++ worker_pool_size ++ }`, ++ shouldErr: true, ++ expectedErrContent: "Wrong argument count", ++ }, ++ { ++ input: `quic { ++ worker_pool_size abc ++ }`, ++ shouldErr: true, ++ expectedErrContent: "invalid worker_pool_size value", ++ }, ++ { ++ input: `quic { ++ worker_pool_size 0 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "positive integer", ++ }, ++ { ++ input: `quic { ++ worker_pool_size -10 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "positive integer", ++ }, ++ { ++ input: `quic { ++ max_streams 100 ++ max_streams 200 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "already defined", ++ expectedMaxStreams: pint(100), ++ }, ++ { ++ input: `quic { ++ worker_pool_size 1000 ++ worker_pool_size 2000 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "already defined", ++ expectedWorkerPoolSize: pint(1000), ++ }, ++ { ++ input: `quic { ++ unknown_directive ++ }`, ++ shouldErr: true, ++ expectedErrContent: "unknown 
property", ++ }, ++ { ++ input: `quic { ++ max_streams 100 200 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "Wrong argument count", ++ }, ++ { ++ input: `quic { ++ worker_pool_size 1000 2000 ++ }`, ++ shouldErr: true, ++ expectedErrContent: "Wrong argument count", ++ }, ++ } ++ ++ for i, test := range tests { ++ c := caddy.NewTestController("dns", test.input) ++ err := setup(c) ++ ++ if test.shouldErr && err == nil { ++ t.Errorf("Test %d (%s): Expected error but found none", i, test.input) ++ continue ++ } ++ if !test.shouldErr && err != nil { ++ t.Errorf("Test %d (%s): Expected no error but found: %v", i, test.input, err) ++ continue ++ } ++ ++ if test.shouldErr && !strings.Contains(err.Error(), test.expectedErrContent) { ++ t.Errorf("Test %d (%s): Expected error containing '%s', but got: %v", ++ i, test.input, test.expectedErrContent, err) ++ continue ++ } ++ ++ if !test.shouldErr || (test.shouldErr && strings.Contains(test.expectedErrContent, "already defined")) { ++ config := dnsserver.GetConfig(c) ++ assertMaxStreamsValue(t, i, test.input, config.MaxQUICStreams, test.expectedMaxStreams) ++ assertWorkerPoolSizeValue(t, i, test.input, config.MaxQUICWorkerPoolSize, test.expectedWorkerPoolSize) ++ } ++ } ++} ++ ++// assertMaxStreamsValue compares the actual MaxQUICStreams value with the expected one ++func assertMaxStreamsValue(t *testing.T, testIndex int, testInput string, actual, expected *int) { ++ if actual == nil && expected == nil { ++ return ++ } ++ ++ if (actual == nil) != (expected == nil) { ++ t.Errorf("Test %d (%s): Expected MaxQUICStreams to be %v, but got %v", ++ testIndex, testInput, formatNilableInt(expected), formatNilableInt(actual)) ++ return ++ } ++ ++ if *actual != *expected { ++ t.Errorf("Test %d (%s): Expected MaxQUICStreams to be %d, but got %d", ++ testIndex, testInput, *expected, *actual) ++ } ++} ++ ++// assertWorkerPoolSizeValue compares the actual MaxQUICWorkerPoolSize value with the expected one ++func assertWorkerPoolSizeValue(t 
*testing.T, testIndex int, testInput string, actual, expected *int) { ++ if actual == nil && expected == nil { ++ return ++ } ++ ++ if (actual == nil) != (expected == nil) { ++ t.Errorf("Test %d (%s): Expected MaxQUICWorkerPoolSize to be %v, but got %v", ++ testIndex, testInput, formatNilableInt(expected), formatNilableInt(actual)) ++ return ++ } ++ ++ if *actual != *expected { ++ t.Errorf("Test %d (%s): Expected MaxQUICWorkerPoolSize to be %d, but got %d", ++ testIndex, testInput, *expected, *actual) ++ } ++} ++ ++func formatNilableInt(v *int) string { ++ if v == nil { ++ return "nil" ++ } ++ return fmt.Sprintf("%d", *v) ++} ++ ++func pint(i int) *int { ++ return &i ++} +diff --git a/test/quic_test.go b/test/quic_test.go +index 002d232..cff8653 100644 +--- a/test/quic_test.go ++++ b/test/quic_test.go +@@ -7,6 +7,7 @@ import ( + "errors" + "io" + "strings" ++ "sync" + "testing" + "time" + +@@ -22,6 +23,16 @@ var quicCorefile = `quic://.:0 { + whoami + }` + ++// Corefile with custom stream limits ++var quicLimitCorefile = `quic://.:0 { ++ tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem ++ quic { ++ max_streams 5 ++ worker_pool_size 10 ++ } ++ whoami ++ }` ++ + func TestQUIC(t *testing.T) { + q, udp, _, err := CoreDNSServerAndPorts(quicCorefile) + if err != nil { +@@ -117,6 +128,184 @@ func TestQUICProtocolError(t *testing.T) { + } + } + ++// TestQUICStreamLimits tests that the max_streams limit is correctly enforced ++func TestQUICStreamLimits(t *testing.T) { ++ q, udp, _, err := CoreDNSServerAndPorts(quicLimitCorefile) ++ if err != nil { ++ t.Fatalf("Could not get CoreDNS serving instance: %s", err) ++ } ++ defer q.Stop() ++ ++ ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) ++ defer cancel() ++ ++ conn, err := quic.DialAddr(ctx, convertAddress(udp), generateTLSConfig(), nil) ++ if err != nil { ++ t.Fatalf("Expected no error but got: %s", err) ++ } ++ ++ m := createTestMsg() ++ ++ // Test opening exactly 
the max number of streams ++ var wg sync.WaitGroup ++ streamCount := 5 // Must match max_streams in quicLimitCorefile ++ successCount := 0 ++ var mu sync.Mutex ++ ++ // Create a slice to store all the streams so we can keep them open ++ streams := make([]quic.Stream, 0, streamCount) ++ streamsMu := sync.Mutex{} ++ ++ // Attempt to open exactly the configured number of streams ++ for i := 0; i < streamCount; i++ { ++ wg.Add(1) ++ go func(idx int) { ++ defer wg.Done() ++ ++ // Open stream ++ streamSync, err := conn.OpenStreamSync(ctx) ++ if err != nil { ++ t.Logf("Stream %d: Failed to open: %s", idx, err) ++ return ++ } ++ ++ // Store the stream so we can keep it open ++ streamsMu.Lock() ++ streams = append(streams, streamSync) ++ streamsMu.Unlock() ++ ++ // Write DNS message ++ _, err = streamSync.Write(m) ++ if err != nil { ++ t.Logf("Stream %d: Failed to write: %s", idx, err) ++ return ++ } ++ ++ // Read response ++ sizeBuf := make([]byte, 2) ++ _, err = io.ReadFull(streamSync, sizeBuf) ++ if err != nil { ++ t.Logf("Stream %d: Failed to read size: %s", idx, err) ++ return ++ } ++ ++ size := binary.BigEndian.Uint16(sizeBuf) ++ buf := make([]byte, size) ++ _, err = io.ReadFull(streamSync, buf) ++ if err != nil { ++ t.Logf("Stream %d: Failed to read response: %s", idx, err) ++ return ++ } ++ ++ mu.Lock() ++ successCount++ ++ mu.Unlock() ++ }(i) ++ } ++ ++ wg.Wait() ++ ++ if successCount != streamCount { ++ t.Errorf("Expected all %d streams to succeed, but only %d succeeded", streamCount, successCount) ++ } ++ ++ // Now try to open more streams beyond the limit while keeping existing streams open ++ // The QUIC protocol doesn't immediately reject streams; they might be allowed ++ // to open but will be blocked (flow control) until other streams close ++ ++ // First, make sure none of our streams have been closed ++ for i, s := range streams { ++ if s == nil { ++ t.Errorf("Stream %d is nil", i) ++ continue ++ } ++ } ++ ++ // Try to open a batch of additional streams - 
with streams limited to 5, ++ // these should either block or be queued but should not allow concurrent use ++ extraCount := 10 ++ extraSuccess := 0 ++ var extraSuccessMu sync.Mutex ++ ++ // Set a shorter timeout for these attempts ++ extraCtx, extraCancel := context.WithTimeout(context.Background(), 2*time.Second) ++ defer extraCancel() ++ ++ var extraWg sync.WaitGroup ++ ++ // Create a channel to signal test completion ++ done := make(chan struct{}) ++ ++ // Launch goroutines to attempt opening additional streams ++ for i := 0; i < extraCount; i++ { ++ extraWg.Add(1) ++ go func(idx int) { ++ defer extraWg.Done() ++ ++ select { ++ case <-done: ++ return // Test is finishing, abandon attempts ++ default: ++ // Continue with the test ++ } ++ ++ // Attempt to open an additional stream ++ stream, err := conn.OpenStreamSync(extraCtx) ++ if err != nil { ++ t.Logf("Extra stream %d correctly failed to open: %s", idx, err) ++ return ++ } ++ ++ // If we got this far, we managed to open a stream ++ // But we shouldn't be able to use more than max_streams concurrently ++ _, err = stream.Write(m) ++ if err != nil { ++ t.Logf("Extra stream %d failed to write: %s", idx, err) ++ return ++ } ++ ++ // Read response ++ sizeBuf := make([]byte, 2) ++ _, err = io.ReadFull(stream, sizeBuf) ++ if err != nil { ++ t.Logf("Extra stream %d failed to read: %s", idx, err) ++ return ++ } ++ ++ // This stream completed successfully ++ extraSuccessMu.Lock() ++ extraSuccess++ ++ extraSuccessMu.Unlock() ++ ++ // Close the stream explicitly ++ _ = stream.Close() ++ }(i) ++ } ++ ++ // Start closing original streams after a delay ++ // This should allow extra streams to proceed as slots become available ++ time.Sleep(500 * time.Millisecond) ++ ++ // Close all the original streams ++ for _, s := range streams { ++ _ = s.Close() ++ } ++ ++ // Allow extra streams some time to progress ++ extraWg.Wait() ++ close(done) ++ ++ // Since original streams are now closed, extra streams might succeed ++ // But we 
shouldn't see more than max_streams succeed during the blocked phase ++ if extraSuccess > streamCount { ++ t.Logf("Warning: %d extra streams succeeded, which is more than the limit of %d. This might be because original streams were closed.", ++ extraSuccess, streamCount) ++ } ++ ++ t.Logf("%d/%d extra streams were able to complete after original streams were closed", ++ extraSuccess, extraCount) ++} ++ + func isProtocolErr(err error) bool { + var qAppErr *quic.ApplicationError + return errors.As(err, &qAppErr) && qAppErr.ErrorCode == 2 +-- +2.34.1 + diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec index 770aeb9a7a..f06cd2a932 100644 --- a/SPECS/coredns/coredns.spec +++ b/SPECS/coredns/coredns.spec @@ -6,7 +6,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.11.4 -Release: 7%{?dist} +Release: 8%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -40,6 +40,7 @@ Patch1: coredns-example-net-test.patch Patch2: CVE-2025-29786.patch Patch3: CVE-2025-30204.patch Patch4: CVE-2024-53259.patch +Patch5: CVE-2025-47950.patch BuildRequires: golang >= 1.23 @@ -47,10 +48,7 @@ BuildRequires: golang >= 1.23 CoreDNS is a fast and flexible DNS server. %prep -%autosetup -N -# Apply vendor before patching -tar --no-same-owner -xf %{SOURCE1} -%autopatch -p1 +%autosetup -a1 -p1 %build export BUILDOPTS="-mod=vendor -v" @@ -84,6 +82,10 @@ go install github.com/fatih/faillint@latest && \ %{_bindir}/%{name} %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.11.4-8 +- merge from Azure Linux 3.0.20250822-3.0. +- Fix CVE-2025-47950 with an upstream patch + * Fri May 30 2025 Ranjan Dutta - 1.11.4-7 - merge from Azure Linux 3.0.20250521-3.0 - Add patch for CVE-2024-53259 diff --git a/SPECS/cri-tools/CVE-2025-22872.patch b/SPECS/cri-tools/CVE-2025-22872.patch new file mode 100644 index 0000000000..da0c224b9b --- /dev/null +++ b/SPECS/cri-tools/CVE-2025-22872.patch 
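Review bot: The documented default for `worker_pool_size` does not match the code: `plugin/quic/README.md` and `man/coredns-quic.7` both say 512, while `DefaultQUICStreamWorkers` in `core/dnsserver/server_quic.go` is 1024, so an operator sizing the limit from the documentation gets twice the concurrency they expect. Either the constant or both documents should change, e.g. `The default value is 1024 if not specified.` In `serveQUICConnection`, `s.streamProcessPool <- struct{}{}` blocks that connection's accept loop until a slot frees up and the pool is shared by all connections, so a comment there should say that a saturated pool stalls stream acceptance for every client and that a slot is released only when `serveQUICStream` returns. `TestQUICStreamLimits` only logs when more extra streams succeed than `max_streams` allows (`t.Logf("Warning: ...")`), so the test still passes if the limit is not enforced.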
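Review bot: The `%prep` hunk drops the comment explaining that the vendor tarball has to be unpacked before the patches are applied, and the replacement `%autosetup -a1 -p1` leaves that ordering implicit in a flag. Other patches in this package may touch files under `vendor/` (not visible in this hunk), so I would keep the intent next to the macro: `# -a1 unpacks Source1 (vendored modules) after cd and before the patches are applied`.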
@@ -0,0 +1,42 @@ +From 25759747eeb4a11d5eca81632cc6a7245b14a99a Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Wed, 21 May 2025 22:12:30 -0400 +Subject: [PATCH] Address CVE-2025-22872 +Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 + +--- + vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go +index 3c57880..6598c1f 100644 +--- a/vendor/golang.org/x/net/html/token.go ++++ b/vendor/golang.org/x/net/html/token.go +@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { + if raw { + z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) + } +- // Look for a self-closing token like "
". +- if z.err == nil && z.buf[z.raw.end-2] == '/' { ++ // Look for a self-closing token (e.g.
). ++ // ++ // Originally, we did this by just checking that the last character of the ++ // tag (ignoring the closing bracket) was a solidus (/) character, but this ++ // is not always accurate. ++ // ++ // We need to be careful that we don't misinterpret a non-self-closing tag ++ // as self-closing, as can happen if the tag contains unquoted attribute ++ // values (i.e.

). ++ // ++ // To avoid this, we check that the last non-bracket character of the tag ++ // (z.raw.end-2) isn't the same character as the last non-quote character of ++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has ++ // attributes. ++ nAttrs := len(z.attr) ++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { + return SelfClosingTagToken + } + return StartTagToken +-- +2.34.1 + diff --git a/SPECS/cri-tools/cri-tools.spec b/SPECS/cri-tools/cri-tools.spec index 0e32bf2d46..283525d1f6 100644 --- a/SPECS/cri-tools/cri-tools.spec +++ b/SPECS/cri-tools/cri-tools.spec @@ -7,7 +7,7 @@ Summary: CRI tools Name: cri-tools Version: 1.32.0 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,6 +15,7 @@ Group: Development/Tools URL: https://github.com/kubernetes-sigs/cri-tools Source0: https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2024-45338.patch +Patch1: CVE-2025-22872.patch BuildRequires: glib-devel BuildRequires: glibc-devel BuildRequires: golang @@ -45,6 +46,10 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest" %{_bindir}/critest %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.32.0-3 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-22872 + * Fri Mar 21 2025 Anuj Mittal - 1.32.0-2 - Bump Release to rebuild diff --git a/SPECS/node-problem-detector/CVE-2024-45338.patch b/SPECS/dasel/CVE-2024-45338.patch similarity index 68% rename from SPECS/node-problem-detector/CVE-2024-45338.patch rename to SPECS/dasel/CVE-2024-45338.patch index c2fb46031c..153fa7031f 100644 --- a/SPECS/node-problem-detector/CVE-2024-45338.patch +++ b/SPECS/dasel/CVE-2024-45338.patch 
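Review bot: The explanatory comment added in `readStartTag` names `z.pendingAttr[1].end-1` as the position compared with `z.raw.end-2`, but the condition below it indexes the last parsed attribute, `z.attr[nAttrs-1][1].end-1`. Kept in step with the code, the line would read `// the last attribute of the tag (z.attr[nAttrs-1][1].end-1), if the tag has`; if the patch has to stay identical to the referenced upstream commit, leave it and record the discrepancy in the patch header instead. The same hunk is added again as `SPECS/dasel/CVE-2025-22872.patch` later in this diff. Because the fix is applied to `vendor/golang.org/x/net` rather than by raising the module version, version-based scanners and SBOMs will presumably keep reporting the old x/net release for both packages, leaving the spec changelog as the only record that the CVE is addressed.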
@@ -1,25 +1,9 @@ -From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Wed, 04 Dec 2024 09:35:55 -0800 -Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves +From f5b552163cea9d792f8bdecb2bc5693891442be6 Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Tue, 24 Jun 2025 12:26:02 +0000 +Subject: [PATCH] Address CVE-2024-45338 +Upstream Patch Reference: https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb -Instead of using strings.ToLower and == to check case insensitive -equality, just use strings.EqualFold, even when the strings are only -ASCII. This prevents us unnecessarily lowering extremely long strings, -which can be a somewhat expensive operation, even if we're only -attempting to compare equality with five characters. - -Thanks to Guido Vranken for reporting this issue. - -Fixes golang/go#70906 -Fixes CVE-2024-45338 - -Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 -Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Gopher Robot -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley --- vendor/golang.org/x/net/html/doctype.go | 2 +- vendor/golang.org/x/net/html/foreign.go | 3 +-- @@ -54,7 +38,7 @@ index 9da9e9d..e8515d8 100644 } } diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 038941d..cb012d8 100644 +index 46a89ed..5b8374b 100644 --- a/vendor/golang.org/x/net/html/parse.go +++ b/vendor/golang.org/x/net/html/parse.go @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { @@ -76,5 +60,5 @@ index 038941d..cb012d8 100644 p.oe.pop() return true -- -2.25.1 +2.45.3 diff --git a/SPECS/dasel/CVE-2025-22872.patch b/SPECS/dasel/CVE-2025-22872.patch new file mode 100644 index 0000000000..69f33d4cf5 --- /dev/null +++ b/SPECS/dasel/CVE-2025-22872.patch 
@@ -0,0 +1,42 @@ +From df9962d449d529e4fb36db406acdbff44d894d5d Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Tue, 24 Jun 2025 12:27:01 +0000 +Subject: [PATCH] Address CVE-2025-22872 +Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 + +--- + vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go +index 3c57880..6598c1f 100644 +--- a/vendor/golang.org/x/net/html/token.go ++++ b/vendor/golang.org/x/net/html/token.go +@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { + if raw { + z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) + } +- // Look for a self-closing token like "
". +- if z.err == nil && z.buf[z.raw.end-2] == '/' { ++ // Look for a self-closing token (e.g.
). ++ // ++ // Originally, we did this by just checking that the last character of the ++ // tag (ignoring the closing bracket) was a solidus (/) character, but this ++ // is not always accurate. ++ // ++ // We need to be careful that we don't misinterpret a non-self-closing tag ++ // as self-closing, as can happen if the tag contains unquoted attribute ++ // values (i.e.

). ++ // ++ // To avoid this, we check that the last non-bracket character of the tag ++ // (z.raw.end-2) isn't the same character as the last non-quote character of ++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has ++ // attributes. ++ nAttrs := len(z.attr) ++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { + return SelfClosingTagToken + } + return StartTagToken +-- +2.45.3 + diff --git a/SPECS/dasel/dasel.signatures.json b/SPECS/dasel/dasel.signatures.json new file mode 100644 index 0000000000..dfa316a5b2 --- /dev/null +++ b/SPECS/dasel/dasel.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "dasel-2.8.1.tar.gz": "ba8da9569f38e7f33453c03ac988382291a01004a96c307d52cccadb9ef7837e", + "dasel-2.8.1-govendor-v1.tar.gz": "b51752bc8bbe80c4b35e449279affa1c663129bbd16e37817da910230b9d429f" + } +} diff --git a/SPECS/dasel/dasel.spec b/SPECS/dasel/dasel.spec new file mode 100644 index 0000000000..d70565bff3 --- /dev/null +++ b/SPECS/dasel/dasel.spec 
@@ -0,0 +1,53 @@ +Summary: Dasel (short for data-selector) allows you to query and modify data structures using selector strings. Comparable to jq, yq, and xmlstarlet, but for any data format. +Name: dasel +Version: 2.8.1 +Release: 2%{?dist} +License: MIT +Vendor: Microsoft Corporation +Distribution: Azure Linux +Group: Applications/System +URL: https://github.com/TomWright/dasel +Source0: %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source1: %{name}-%{version}-govendor-v1.tar.gz +Patch1: CVE-2024-45338.patch +Patch2: CVE-2025-22872.patch +BuildRequires: golang >= 1.22 + +%description +Say good bye to learning new tools just to work with a different data format. +Dasel uses a standard selector syntax no matter the data format. This means that once you learn how to use dasel you immediately have the ability to query/modify any of the supported data types without any additional tools or effort. + +%prep +%autosetup -p1 -a 1 + +%build +export GOPATH=$HOME/go +export GOBIN=$GOPATH/bin +export PATH=$PATH:$GOPATH:$GOBIN +export GO111MODULE=on + +# Build dasel +go build -mod vendor -o bin/dasel ./cmd/dasel + +%install +mkdir -p %{buildroot}%{_bindir} +install -D -m 0755 bin/dasel %{buildroot}%{_bindir}/ + +%check +export GOTRACEBACK=all +export GO111MODULE=on +go test ./... + +%files +%license LICENSE +%doc README.md CHANGELOG.md +%{_bindir}/dasel + +%changelog +* Tue Jun 24 2025 Archana Shettigar - 2.8.1-2 +- Patch CVE-2024-45338 & CVE-2025-22872 + +* Tue Jun 17 2025 Mykhailo Bykhovtsev - 2.8.1-1 +- Original version for Azure Linux (license: MIT) +- License verified + diff --git a/SPECS/ig/generate_source_tarball.sh b/SPECS/dasel/generate_source_tarball.sh old mode 100644 new mode 100755 similarity index 87% rename from SPECS/ig/generate_source_tarball.sh rename to SPECS/dasel/generate_source_tarball.sh index e7f1bd89e6..aaf230b288 --- a/SPECS/ig/generate_source_tarball.sh +++ b/SPECS/dasel/generate_source_tarball.sh 
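Review bot: `%check` runs `go test ./...` without the `-mod vendor` flag that `%build` passes to `go build`, so the two steps do not state the same module-resolution mode. Go normally selects vendor mode on its own when a `vendor/` directory is present, but making it explicit keeps the test step from resolving modules outside the `Source1` tarball whose hash is pinned in `dasel.signatures.json`: `go test -mod=vendor ./...`. The patch list also starts at `Patch1` with no `Patch0`, which works with `%autosetup` but differs from `cri-tools.spec` in this diff.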
@@ -7,7 +7,6 @@ set -e PKG_VERSION="" SRC_TARBALL="" -VENDOR_VERSION="1" OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # parameters: @@ -93,7 +92,7 @@ cp $SRC_TARBALL $tmpdir pushd $tmpdir > /dev/null -PKG_NAME="ig" +PKG_NAME="dasel" NAME_VER="$PKG_NAME-$PKG_VERSION" VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz" @@ -101,17 +100,16 @@ echo "Unpacking source tarball..." tar -xf $SRC_TARBALL echo "Vendor go modules..." -cd inspektor-gadget-"$PKG_VERSION" +cd $NAME_VER go mod vendor echo "" echo "=========================" echo "Tar vendored tarball" -tar --sort=name \ - --mtime="2021-04-26 00:00Z" \ - --owner=0 --group=0 --numeric-owner \ - --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ - -cf "$VENDOR_TARBALL" vendor +PIGZ=-n tar -Ipigz --sort=name \ + --mtime="2021-04-26 00:00Z" \ + --owner=0 --group=0 --numeric-owner \ + --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ + -cf "$VENDOR_TARBALL" vendor + -popd > /dev/null -echo "$PKG_NAME vendored modules are available at $VENDOR_TARBALL" diff --git a/SPECS/dbus-python/0001-Move-python-modules-to-architecture-specific-directo.patch b/SPECS/dbus-python/0001-Move-python-modules-to-architecture-specific-directo.patch index a9fded06c9..e2074a216f 100644 --- a/SPECS/dbus-python/0001-Move-python-modules-to-architecture-specific-directo.patch +++ b/SPECS/dbus-python/0001-Move-python-modules-to-architecture-specific-directo.patch @@ -7,14 +7,14 @@ This is because dbus-python gets dragged in as a dependency of other things people want to be multilib-compatible. As is the Python modules conflict. --- - Makefile.am | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) + Makefile.am | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am -index fd480d4..0859994 100644 +index 8738d57..b6d30c0 100644 --- a/Makefile.am 
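Review bot: The first hunk drops the default `VENDOR_VERSION="1"`, but the unchanged line `VENDOR_TARBALL="$OUT_FOLDER/$NAME_VER-govendor-v$VENDOR_VERSION.tar.gz"` in the second hunk still expands it. Unless the option parsing outside these hunks assigns it, the archive is written as `...-govendor-v.tar.gz` and no longer matches the `dasel-2.8.1-govendor-v1.tar.gz` name pinned in dasel.signatures.json and in `Source1`. Either keep the default or fail early when it is empty, for example `: "${VENDOR_VERSION:?vendor version is required}"` before `VENDOR_TARBALL` is built. In the third hunk `cd $NAME_VER` is unquoted; `cd "$NAME_VER"` keeps an unexpected version string from being word-split.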
+++ b/Makefile.am -@@ -155,7 +155,8 @@ test_dbus_py_test_la_SOURCES = \ +@@ -176,7 +176,8 @@ test_dbus_py_test_la_SOURCES = \ # === dbus package === @@ -24,29 +24,23 @@ index fd480d4..0859994 100644 dbus/bus.py \ dbus/connection.py \ dbus/_compat.py \ -@@ -175,12 +176,12 @@ nobase_python_PYTHON = \ +@@ -195,7 +196,7 @@ nobase_python_PYTHON = \ + dbus/service.py \ dbus/types.py - if !HAVE_PYTHON_3 --nobase_python_PYTHON += \ -+nobase_dbuspy_DATA += \ - dbus/gobject_service.py \ - $(NULL) - endif - -check_py_sources = $(nobase_python_PYTHON) +check_py_sources = $(nobase_dbuspy_DATA) include $(top_srcdir)/tools/check-coding-style.mk # === Devel stuff === -@@ -416,7 +417,7 @@ uninstall-local: uninstall-local-sphinx +@@ -434,7 +435,7 @@ uninstall-local-pycache: if ENABLE_DOCUMENTATION - all: doc/_build/.stamp + all: doc/html/.stamp --doc/_build/.stamp: $(nobase_python_PYTHON) \ -+doc/_build/.stamp: $(nobase_dbuspy_DATA) \ +-doc/html/.stamp: $(nobase_python_PYTHON) \ ++doc/html/.stamp: $(nobase_dbuspy_DATA) \ _dbus_bindings.la \ _dbus_glib_bindings.la \ $(sphinx_sources) \ -- -2.17.0 +2.45.3 diff --git a/SPECS/dbus-python/dbus-python.signatures.json b/SPECS/dbus-python/dbus-python.signatures.json index 8135479991..88fd0f30b3 100644 --- a/SPECS/dbus-python/dbus-python.signatures.json +++ b/SPECS/dbus-python/dbus-python.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "dbus-python-1.2.16.tar.gz": "11238f1d86c995d8aed2e22f04a1e3779f0d70e587caffeab4857f3c662ed5a4" + "dbus-python-1.3.2.tar.gz": "ad67819308618b5069537be237f8e68ca1c7fcc95ee4a121fe6845b1418248f8" } -} +} \ No newline at end of file diff --git a/SPECS/dbus-python/dbus-python.spec b/SPECS/dbus-python/dbus-python.spec index 587957c123..de470bea87 100644 --- a/SPECS/dbus-python/dbus-python.spec +++ b/SPECS/dbus-python/dbus-python.spec 
@@ -1,7 +1,7 @@ Summary: D-Bus Python Bindings Name: dbus-python -Version: 1.2.16 -Release: 3%{?dist} +Version: 1.3.2 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,8 +9,6 @@ URL: https://www.freedesktop.org/wiki/Software/DBusBindings/ Source0: https://dbus.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz # borrow centos7 patch to use sitearch properly Patch0: 0001-Move-python-modules-to-architecture-specific-directo.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1788491 -Patch1: python39.patch BuildRequires: autoconf-archive BuildRequires: automake @@ -28,6 +26,7 @@ Summary: D-Bus bindings for python3 BuildRequires: python3-devel # for py3_build BuildRequires: python3dist(setuptools) +BuildRequires: python3dist(wheel) %description -n python3-dbus %{summary}. @@ -46,12 +45,14 @@ bindings. autoreconf -vif %build +export DBUS_PYTHON_USE_AUTOTOOLS=1 %set_build_flags %py3_build %configure PYTHON="%{__python3}" %make_build %install +export DBUS_PYTHON_USE_AUTOTOOLS=1 %py3_install %make_install @@ -75,6 +76,9 @@ make check -k || (cat test-suite.log && false) %{_libdir}/pkgconfig/dbus-python.pc %changelog +* Wed May 28 2025 Sumedh Sharma - 1.3.2-1 +- Bump version to 1.3.2 + * Fri Jul 16 2021 Pawel Winogrodzki - 1.2.16-3 - License verified. diff --git a/SPECS/dbus-python/python39.patch b/SPECS/dbus-python/python39.patch deleted file mode 100644 index e7bd1b5824..0000000000 --- a/SPECS/dbus-python/python39.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/dbus/service.py -+++ b/dbus/service.py -@@ -32,7 +32,7 @@ - import logging - import threading - import traceback --from collections import Sequence -+from collections.abc import Sequence - - import _dbus_bindings - from dbus import ( - 
diff --git a/SPECS/ig/CVE-2025-22872.patch b/SPECS/docker-buildx/CVE-2025-22872.patch similarity index 94% rename from SPECS/ig/CVE-2025-22872.patch rename to SPECS/docker-buildx/CVE-2025-22872.patch index 6b00732d02..3d414cdacf 100644 --- a/SPECS/ig/CVE-2025-22872.patch +++ b/SPECS/docker-buildx/CVE-2025-22872.patch @@ -1,6 +1,6 @@ -From c0b4926a47050ef2ffd83031e1485c9f5169af23 Mon Sep 17 00:00:00 2001 +From 3d8f07a885376e45fcffcb5c4e33a867a951935b Mon Sep 17 00:00:00 2001 From: Sreenivasulu Malavathula -Date: Wed, 30 Apr 2025 17:26:32 -0500 +Date: Tue, 29 Apr 2025 18:29:16 -0500 Subject: [PATCH] Address CVE-2025-22872 Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec index 2bb4b77ab6..5059c22fd3 100644 --- a/SPECS/docker-buildx/docker-buildx.spec +++ b/SPECS/docker-buildx/docker-buildx.spec @@ -4,7 +4,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi Name: docker-buildx # update "commit_hash" above when upgrading version Version: 0.14.0 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation @@ -15,6 +15,7 @@ Patch0: CVE-2024-45337.patch Patch1: CVE-2024-45338.patch Patch2: CVE-2025-22869.patch Patch3: CVE-2025-0495.patch +Patch4: CVE-2025-22872.patch BuildRequires: bash BuildRequires: golang @@ -48,6 +49,10 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Mon Sep 8 2025 Lee Chee Yang - 0.14.0-7 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-22872 + * Fri May 30 2025 Ranjan Dutta - 0.14.0-6 - merge from Azure Linux 3.0.20250521-3.0 - Fix CVE-2025-0495 with upstream patch modified to apply for azurelinux package 
diff --git a/SPECS/doxygen/CVE-2025-6140.patch b/SPECS/doxygen/CVE-2025-6140.patch new file mode 100644 index 0000000000..67270b28ef --- /dev/null +++ b/SPECS/doxygen/CVE-2025-6140.patch @@ -0,0 +1,37 @@ +From 4bc70904d4e31b768f38c2b321c29a370c614497 Mon Sep 17 00:00:00 2001 +From: Suneel Yadava +Date: Mon, 23 Jun 2025 10:51:55 +0000 +Subject: [PATCH] Fix for CVE-2025-6140 +Upstream Patch Reference: +https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 + +--- + deps/spdlog/include/spdlog/pattern_formatter-inl.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/deps/spdlog/include/spdlog/pattern_formatter-inl.h b/deps/spdlog/include/spdlog/pattern_formatter-inl.h +index 01afbe6..ee01489 100644 +--- a/deps/spdlog/include/spdlog/pattern_formatter-inl.h ++++ b/deps/spdlog/include/spdlog/pattern_formatter-inl.h +@@ -76,6 +76,9 @@ public: + else if (padinfo_.truncate_) + { + long new_size = static_cast(dest_.size()) + remaining_pad_; ++ if (new_size < 0) { ++ new_size = 0; ++ } + dest_.resize(static_cast(new_size)); + } + } +@@ -303,7 +306,7 @@ public: + + void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override + { +- const size_t field_size = 10; ++ const size_t field_size = 8; + ScopedPadder p(field_size, padinfo_, dest); + + fmt_helper::pad2(tm_time.tm_mon + 1, dest); +-- +2.45.3 + diff --git a/SPECS/doxygen/doxygen.spec b/SPECS/doxygen/doxygen.spec index 686112de3a..d624808179 100644 --- a/SPECS/doxygen/doxygen.spec +++ b/SPECS/doxygen/doxygen.spec @@ -1,6 +1,6 @@ Name: doxygen Version: 1.9.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Automated C, C++, and Java Documentation Generator License: GPLv2 Group: Development/Tools/Doc Generators @@ -8,6 +8,7 @@ Url: https://www.doxygen.nl Vendor: Microsoft Corporation Distribution: Azure Linux Source0: https://doxygen.nl/files/%{name}-%{version}.src.tar.gz +Patch0: CVE-2025-6140.patch %global debug_package %{nil} 
@@ -29,7 +30,7 @@ developed on a Linux platform, but it runs on most other UNIX flavors as well. %prep -%setup -q +%autosetup -p1 %build cmake -G "Unix Makefiles" \ @@ -38,7 +39,6 @@ cmake -G "Unix Makefiles" \ -Wno-dev . make %{?_smp_mflags} - %install make install DESTDIR=%{buildroot} mkdir -p %{buildroot}%{_mandir}/man1/ @@ -51,6 +51,9 @@ install -vm 644 doc/doxygen.1 %{buildroot}%{_mandir}/man1/ %license LICENSE %changelog +* Mon Jun 23 2025 Suneel Yadava - 1.9.8-2 +- Patch for CVE-2025-6140 + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.9.8-1 - Auto-upgrade to 1.9.8 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/edk2/CVE-2025-3770.patch b/SPECS/edk2/CVE-2025-3770.patch new file mode 100644 index 0000000000..3577990bc2 --- /dev/null +++ b/SPECS/edk2/CVE-2025-3770.patch 
@@ -0,0 +1,46 @@
+From 9e882b45ee5648f415540cea3c2c0f7e274b5e86 Mon Sep 17 00:00:00 2001
+From: John Mathews
+Date: Fri, 30 May 2025 11:06:49 -0700
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: Safe handling of IDT register on
+ SMM entry
+
+Mitigates CVE-2025-3770
+
+Do not assume that IDT.limit is loaded with a zero value upon SMM entry.
+Delay enabling Machine Check Exceptions in SMM until after the SMM IDT
+has been reloaded.
+
+Signed-off-by: John Mathews
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/tianocore/edk2/commit/d2d8d38ee08c5e602fb092f940dfecc1f5a4eb38.patch
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+index 644366b..6e1cd45 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm
+@@ -113,7 +113,7 @@ ProtFlatMode:
+ mov eax, strict dword 0 ; source operand will be patched
+ ASM_PFX(gPatchSmiCr3):
+ mov cr3, rax
+- mov eax, 0x668 ; as cr4.PGE is not set here, refresh cr3
++ mov eax, 0x628 ; as cr4.PGE is not set here, refresh cr3
+
+ mov cl, strict byte 0 ; source operand will be patched
+ ASM_PFX(gPatch5LevelPagingNeeded):
+@@ -204,6 +204,10 @@ SmiHandlerIdtrAbsAddr:
+ mov ax, [rbx + DSC_SS]
+ mov ss, eax
+
++ mov rax, cr4 ; enable MCE
++ bts rax, 6
++ mov cr4, rax
++
+ mov rbx, [rsp + 0x8] ; rbx <- CpuIndex
+
+ ; enable CET if supported
+--
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index ec328e5e29..3134061a0c 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
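Review bot: The backport touches only `X64/SmiEntry.nasm` (the diffstat lists one file), so it is worth confirming against the commit named in `Upstream-reference` that no other SMI entry stub built from this snapshot still loads CR4 with the MCE bit set before the SMM IDT is reloaded. On the changed line the retained comment `; as cr4.PGE is not set here, refresh cr3` says nothing about the constant going from `0x668` to `0x628`. A remark in the patch description or on that line, such as `; CR4.MCE (bit 6) stays clear until the SMM IDT is loaded`, would tie it to the `bts rax, 6` block added in the second inner hunk. Both inner hunks sit in routines whose start and end are outside the shown context.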
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 8%{?dist} +Release: 9%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain URL: https://www.tianocore.org @@ -138,6 +138,7 @@ Patch1002: CVE-2024-4741.patch Patch1003: CVE-2024-13176.patch Patch1004: CVE-2024-2511.patch Patch1005: CVE-2024-4603.patch +Patch1006: CVE-2025-3770.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -799,6 +800,9 @@ done /boot/efi/HvLoader.efi %changelog +* Mon Aug 11 2025 Azure Linux Security Servicing Account - 20240524git3e722403cd16-9 +- Patch for CVE-2025-3770 + * Thu Apr 24 2025 Jyoti Kanase - 20240524git3e722403cd16-8 - Fix CVE-2024-38796 diff --git a/SPECS/elfutils/CVE-2025-1352.patch b/SPECS/elfutils/CVE-2025-1352.patch new file mode 100644 index 0000000000..898a0293f8 --- /dev/null +++ b/SPECS/elfutils/CVE-2025-1352.patch 
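Review bot: `Patch1006: CVE-2025-3770.patch` is numbered in the same 1000-series as `CVE-2024-4741.patch` through `CVE-2024-4603.patch`, which appear to be fixes for the bundled OpenSSL, while this patch edits `UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm` in the firmware tree itself. `%prep` is outside the hunk; if it applies the 1000-range from inside the OpenSSL source directory, this patch would not apply against the firmware sources. Confirm where that range is applied and, if needed, move the patch into the number range used for edk2 patches so the SMM entry fix is actually in the built image.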
@@ -0,0 +1,125 @@ +From 1b6211c6fe3e85b4415ae22d7e97467182a5bdc4 Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Wed, 28 May 2025 11:13:05 +0000 +Subject: [PATCH] Address CVE-2025-1352 + +Upstream patch URL: https://sourceware.org/cgit/elfutils/commit/?id=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 + +--- + libdw/dwarf_getabbrev.c | 12 ++++-------- + libdw/dwarf_offabbrev.c | 10 +++++++--- + libdw/dwarf_tag.c | 3 +-- + libdw/libdw.h | 4 +++- + libdw/libdwP.h | 3 +-- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/libdw/dwarf_getabbrev.c b/libdw/dwarf_getabbrev.c +index 5b02333..d9a6c02 100644 +--- a/libdw/dwarf_getabbrev.c ++++ b/libdw/dwarf_getabbrev.c +@@ -1,5 +1,6 @@ + /* Get abbreviation at given offset. + Copyright (C) 2003, 2004, 2005, 2006, 2014, 2017 Red Hat, Inc. ++ Copyright (C) 2025 Mark J. Wielaard + This file is part of elfutils. + Written by Ulrich Drepper , 2003. + +@@ -38,7 +39,7 @@ + Dwarf_Abbrev * + internal_function + __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, +- size_t *lengthp, Dwarf_Abbrev *result) ++ size_t *lengthp) + { + /* Don't fail if there is not .debug_abbrev section. 
*/ + if (dbg->sectiondata[IDX_debug_abbrev] == NULL) +@@ -85,12 +86,7 @@ __libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, Dwarf_Off offset, + Dwarf_Abbrev *abb = NULL; + if (cu == NULL + || (abb = Dwarf_Abbrev_Hash_find (&cu->abbrev_hash, code)) == NULL) +- { +- if (result == NULL) +- abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); +- else +- abb = result; +- } ++ abb = libdw_typed_alloc (dbg, Dwarf_Abbrev); + else + { + foundit = true; +@@ -183,5 +179,5 @@ dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, size_t *lengthp) + return NULL; + } + +- return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp, NULL); ++ return __libdw_getabbrev (dbg, cu, abbrev_offset + offset, lengthp); + } +diff --git a/libdw/dwarf_offabbrev.c b/libdw/dwarf_offabbrev.c +index 27cdad6..41df69b 100644 +--- a/libdw/dwarf_offabbrev.c ++++ b/libdw/dwarf_offabbrev.c +@@ -41,11 +41,15 @@ dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + if (dbg == NULL) + return -1; + +- Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp, +- abbrevp); ++ Dwarf_Abbrev *abbrev = __libdw_getabbrev (dbg, NULL, offset, lengthp); + + if (abbrev == NULL) + return -1; + +- return abbrev == DWARF_END_ABBREV ? 1 : 0; ++ if (abbrev == DWARF_END_ABBREV) ++ return 1; ++ ++ *abbrevp = *abbrev; ++ ++ return 0; + } +diff --git a/libdw/dwarf_tag.c b/libdw/dwarf_tag.c +index d784970..218382a 100644 +--- a/libdw/dwarf_tag.c ++++ b/libdw/dwarf_tag.c +@@ -53,8 +53,7 @@ __libdw_findabbrev (struct Dwarf_CU *cu, unsigned int code) + + /* Find the next entry. It gets automatically added to the + hash table. */ +- abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length, +- NULL); ++ abb = __libdw_getabbrev (cu->dbg, cu, cu->last_abbrev_offset, &length); + if (abb == NULL || abb == DWARF_END_ABBREV) + { + /* Make sure we do not try to search for it again. 
*/ +diff --git a/libdw/libdw.h b/libdw/libdw.h +index 64d1689..829cc21 100644 +--- a/libdw/libdw.h ++++ b/libdw/libdw.h +@@ -587,7 +587,9 @@ extern int dwarf_srclang (Dwarf_Die *die); + extern Dwarf_Abbrev *dwarf_getabbrev (Dwarf_Die *die, Dwarf_Off offset, + size_t *lengthp); + +-/* Get abbreviation at given offset in .debug_abbrev section. */ ++/* Get abbreviation at given offset in .debug_abbrev section. On ++ success return zero and fills in ABBREVP. When there is no (more) ++ abbrev at offset returns one. On error returns a negative value. */ + extern int dwarf_offabbrev (Dwarf *dbg, Dwarf_Off offset, size_t *lengthp, + Dwarf_Abbrev *abbrevp) + __nonnull_attribute__ (4); +diff --git a/libdw/libdwP.h b/libdw/libdwP.h +index 5cbdc27..6ea34bd 100644 +--- a/libdw/libdwP.h ++++ b/libdw/libdwP.h +@@ -682,8 +682,7 @@ extern Dwarf_Abbrev *__libdw_findabbrev (struct Dwarf_CU *cu, + + /* Get abbreviation at given offset. */ + extern Dwarf_Abbrev *__libdw_getabbrev (Dwarf *dbg, struct Dwarf_CU *cu, +- Dwarf_Off offset, size_t *lengthp, +- Dwarf_Abbrev *result) ++ Dwarf_Off offset, size_t *lengthp) + __nonnull_attribute__ (1) internal_function; + + /* Get abbreviation of given DIE, and optionally set *READP to the DIE memory +-- +2.45.2 + diff --git a/SPECS/elfutils/elfutils.spec b/SPECS/elfutils/elfutils.spec index 0671db63c3..acff1c3a7a 100644 --- a/SPECS/elfutils/elfutils.spec +++ b/SPECS/elfutils/elfutils.spec @@ -4,7 +4,7 @@ Summary: A collection of utilities and DSOs to handle compiled objects Name: elfutils Version: 0.189 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv3+ AND (GPLv2+ OR LGPLv3+) Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -16,6 +16,7 @@ Source1: 10-ptrace-yama.conf Patch0: CVE-2025-1372.patch Patch1: CVE-2025-1376.patch Patch2: CVE-2025-1377.patch +Patch3: CVE-2025-1352.patch BuildRequires: bison >= 1.875 BuildRequires: bzip2-devel 
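Review bot: In `dwarf_offabbrev` the new `*abbrevp = *abbrev;` copies out of an object that `__libdw_getabbrev` now always obtains with `libdw_typed_alloc (dbg, Dwarf_Abbrev)` when `cu == NULL`, and nothing in the patch releases it. If that allocator ties the object to the lifetime of `dbg` (not shown here), each call leaves one `Dwarf_Abbrev` behind, so a caller walking a large or malformed `.debug_abbrev` through this API grows memory per entry. The ownership deserves a comment above the copy, e.g. `/* ABBREV is owned by DBG; hand the caller a copy. */`. The copy also relies on `__nonnull_attribute__ (4)` alone to keep `abbrevp` non-NULL, whereas the removed code accepted a NULL `result`.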
@@ -282,6 +283,10 @@ fi %defattr(-,root,root) %changelog +* Mon Sep 8 2025 Lee Chee Yang - 0.189-7 +- merge from Azure Linux 3.0.20250822-3.0. +- add patch for CVE-2025-1352 + * Fri May 30 2025 Ranjan Dutta - 0.189-6 - merge from Azure Linux 3.0.20250521-3.0 - Add patch for CVE-2025-1372, CVE-2025-1376 & CVE-2025-1377 @@ -291,6 +296,7 @@ fi * Thu Nov 21 2024 Wang, Junyuan - 0.189-4 - Change default value of kernel.yama.ptrace_scope to 2 (Admin-only for ptrace attach). +- Initial Edge Microvisor Toolkit import from Azure Linux (license: MIT). License verified. * Mon Jun 24 2024 Chris Co - 0.189-3 - Use our own ptrace yama conf file to override default yama scope setting to be more secure diff --git a/SPECS/erlang/erlang.signatures.json b/SPECS/erlang/erlang.signatures.json index 43aa474fe0..7cd73acc12 100644 --- a/SPECS/erlang/erlang.signatures.json +++ b/SPECS/erlang/erlang.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "erlang-26.2.5.11.tar.gz": "2eef7aac690a6cedfe0e6a20fc2d700db3490b4e4249683c0e5b812ad71304ed" + "erlang-26.2.5.13.tar.gz": "b58e5caf34ef4e94b766173f3839ff29db3bfa9710881f246a9958886b466ac4" } } \ No newline at end of file diff --git a/SPECS/erlang/erlang.spec b/SPECS/erlang/erlang.spec index a16365e2ed..acbe23dfdb 100644 --- a/SPECS/erlang/erlang.spec +++ b/SPECS/erlang/erlang.spec @@ -1,14 +1,14 @@ %define debug_package %{nil} Summary: erlang Name: erlang -Version: 26.2.5.11 +Version: 26.2.5.13 Release: 1%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages URL: https://erlang.org -Source0: https://github.com/erlang/otp/archive/OTP-%{version}/otp-OTP-%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source0: https://github.com/erlang/otp/archive/OTP-%{version}/otp-OTP-%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: ncurses-devel BuildRequires: openssl-devel BuildRequires: unixODBC-devel 
@@ -34,7 +34,7 @@ export ERL_TOP=`pwd` %check export ERL_TOP=`pwd` -./otp_build check --no-docs +./otp_build check --no-docs --no-format-check %post @@ -53,6 +53,15 @@ export ERL_TOP=`pwd` %{_libdir}/erlang/* %changelog +* Tue Jun 24 2025 Kevin Lockwood - 26.2.5.13-1 +- Upgrade to 26.2.5.13 to fix CVE-2025-4748 + +* Wed Jun 04 2025 Muhammad Falak - 26.2.5.12-2 +- Skip format-check in tests + +* Wed May 14 2025 CBL-Mariner Servicing Account - 26.2.5.12-1 +- Auto-upgrade to 26.2.5.12 - for CVE-2025-46712 + * Thu Apr 17 2025 Kshitiz Godara - 26.2.5.11-1 - Upgrade to 26.2.5.11 - fix cve CVE-2025-32433. diff --git a/SPECS/firewalld/firewalld.spec b/SPECS/firewalld/firewalld.spec index eee1266a0a..6eadba3355 100644 --- a/SPECS/firewalld/firewalld.spec +++ b/SPECS/firewalld/firewalld.spec @@ -3,7 +3,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 2.0.2 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ Source0: https://github.com/firewalld/firewalld/releases/download/v%{vers Source1: FedoraServer.xml Source2: FedoraWorkstation.xml Patch0: firewalld-only-MDNS-default.patch +Patch1: firewalld_fix_testsuite.patch BuildRequires: autoconf BuildRequires: automake @@ -55,7 +56,7 @@ firewall with a D-Bus interface. %{?python_provide:%python_provide python3-firewall} Summary: Python3 bindings for firewalld -Requires: python3-dbus +Requires: python3-dbus >= 1.3.2 Requires: python3-gobject-base Requires: python3-nftables @@ -72,6 +73,8 @@ are required by other packages that add firewalld configuration files. %package -n firewalld-test Summary: Firewalld testsuite +Requires: time + %description -n firewalld-test This package provides the firewalld testsuite. 
@@ -137,6 +140,8 @@ install -c -m 644 %{SOURCE2} %{buildroot}%{_libdir}/firewalld/zones/FedoraWorkst # standard firewalld.conf mv %{buildroot}%{_sysconfdir}/firewalld/firewalld.conf \ %{buildroot}%{_sysconfdir}/firewalld/firewalld-standard.conf +sed -i 's|^IPv6_rpfilter=.*|IPv6_rpfilter=no|g' \ + %{buildroot}%{_sysconfdir}/firewalld/firewalld-standard.conf # server firewalld.conf cp -a %{buildroot}%{_sysconfdir}/firewalld/firewalld-standard.conf \ @@ -304,6 +309,10 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Mon Jun 16 2025 Sumedh Sharma - 2.0.2-3 +- disable ipv6_rpfilter in configuration +- fix testsuite provided by firewalld-test sub-package + * Sun Feb 04 2024 Dan Streetman - 2.0.2-2 - workaround "circular dependencies" from build tooling diff --git a/SPECS/firewalld/firewalld_fix_testsuite.patch b/SPECS/firewalld/firewalld_fix_testsuite.patch new file mode 100644 index 0000000000..a8fa6c8f53 --- /dev/null +++ b/SPECS/firewalld/firewalld_fix_testsuite.patch 
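Review bot: The added `sed -i 's|^IPv6_rpfilter=.*|IPv6_rpfilter=no|g'` turns off the IPv6 reverse-path filter in `firewalld-standard.conf`, and the `cp -a` that follows in the same hunk carries that setting into the server configuration too, yet the spec records no reason beyond the changelog line. Reverse-path filtering is an anti-spoofing control, so shipping it disabled by default should be justified in a comment next to the `sed` (what fails with it enabled, and in which environment) so the default can be restored once that is fixed. The substitution is also silent when the key is missing or commented out in the upstream file. A following `grep -q '^IPv6_rpfilter=no$'` on the edited file would make the build fail instead of shipping an unexpected value.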
@@ -0,0 +1,870 @@ +From 8d24ed67aeadd1e807e6e7a09ee3087130063d73 Mon Sep 17 00:00:00 2001 +From: Sumedh Alok Sharma +Date: Fri, 13 Jun 2025 09:52:22 +0000 +Subject: [PATCH] Fix testsuite based on firewalld config in Azl3. + +--- + src/tests/cli/firewall-cmd.at | 34 ++++-- + src/tests/features/features.at | 1 - + src/tests/features/helpers_custom.at | 24 +++- + .../features/iptables_no_flush_on_shutdown.at | 10 +- + src/tests/features/nftables_counters.at | 8 ++ + src/tests/features/rich_destination_ipset.at | 5 +- + src/tests/features/rich_tcp_mss_clamp.at | 1 + + src/tests/features/startup_failsafe.at | 2 + + src/tests/features/zone_combine.at | 4 +- + src/tests/regression/gh1152.at | 108 +++++++++++++++++- + src/tests/regression/gh366.at | 4 +- + src/tests/regression/gh453.at | 4 + + src/tests/regression/gh696.at | 16 ++- + src/tests/regression/regression.at | 1 - + src/tests/regression/rhbz1404076.at | 1 - + src/tests/regression/rhbz1514043.at | 2 +- + src/tests/regression/rhbz1596304.at | 2 +- + src/tests/regression/rhbz1715977.at | 16 +-- + src/tests/regression/rhbz1855140.at | 8 +- + src/tests/regression/rhbz2181406.at | 4 + + 20 files changed, 205 insertions(+), 50 deletions(-) + +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 5363667..8ed25ab 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -1469,6 +1469,8 @@ FWD_START_TEST([rich rules priority]) + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 1122 accept + tcp dport 3333 accept +@@ -1484,7 +1486,8 @@ FWD_START_TEST([rich rules priority]) + DROP 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 
224.0.0.251 udp dpt:5353 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 +@@ -1497,7 +1500,8 @@ FWD_START_TEST([rich rules priority]) + DROP 6 -- ::/0 ::/0 tcp dpt:2222 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:1122 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:3333 +@@ -1579,6 +1583,8 @@ FWD_START_TEST([rich rules priority]) + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + } + } +@@ -1644,7 +1650,8 @@ FWD_START_TEST([rich rules priority]) + DROP 0 -- 10.1.0.0/16 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ]) + IPTABLES_LIST_RULES([filter], [FWD_public_pre], 0, [dnl + ]) +@@ -1671,7 +1678,8 @@ FWD_START_TEST([rich rules priority]) + IP6TABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ]) + IP6TABLES_LIST_RULES([filter], [FWD_public_pre], 0, [dnl +@@ -1719,6 +1727,8 @@ FWD_START_TEST([rich rules priority]) + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + icmp echo-request accept + icmpv6 echo-request accept +@@ -1751,7 +1761,8 @@ FWD_START_TEST([rich rules 
priority]) + REJECT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ]) + IPTABLES_LIST_RULES([filter], [FWD_public_pre], 0, [dnl +@@ -1768,7 +1779,8 @@ FWD_START_TEST([rich rules priority]) + REJECT 58 -- ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 128 + ]) +@@ -1821,6 +1833,8 @@ FWD_START_TEST([rich rules priority]) + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + } + } +@@ -1858,7 +1872,8 @@ FWD_START_TEST([rich rules priority]) + DROP 0 -- 10.0.0.0/8 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ]) + IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl + ]) +@@ -1877,7 +1892,8 @@ FWD_START_TEST([rich rules priority]) + DROP 6 -- ::/0 ::/0 tcp dpt:1111 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl +@@ -1906,7 +1922,7 @@ FWD_START_TEST([rich rules priority]) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: 
dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +diff --git a/src/tests/features/features.at b/src/tests/features/features.at +index 9c7ec1b..b1ab409 100644 +--- a/src/tests/features/features.at ++++ b/src/tests/features/features.at +@@ -14,7 +14,6 @@ m4_include([features/icmp_blocks.at]) + m4_include([features/rich_tcp_mss_clamp.at]) + m4_include([features/rich_destination_ipset.at]) + m4_include([features/zone.at]) +-m4_include([features/rpfilter.at]) + m4_include([features/zone_combine.at]) + m4_include([features/startup_failsafe.at]) + m4_include([features/ipset.at]) +diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at +index f51557a..788d8eb 100644 +--- a/src/tests/features/helpers_custom.at ++++ b/src/tests/features/helpers_custom.at +@@ -36,6 +36,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 accept +@@ -46,14 +48,16 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- ::/0 ::/0 tcp dpt:2121 CT helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:2121 + ]) +@@ -90,6 +94,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, 
[dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 2121 ct helper set "helper-ftptest-tcp" + tcp dport 2121 accept +@@ -100,14 +106,16 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 + ]) + IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- ::/0 ::/0 tcp dpt:2121 CT helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:2121 + ]) +@@ -125,6 +133,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 2121 ct helper set "helper-ftptest-tcp" +@@ -138,7 +148,8 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 + ]) +@@ -147,7 +158,8 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl + CT 6 -- ::/0 ::/0 tcp dpt:2121 CT 
helper ftp + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:2121 + ACCEPT 6 -- ::/0 ::/0 tcp dpt:21 +diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at +index fbd7c79..df64b45 100644 +--- a/src/tests/features/iptables_no_flush_on_shutdown.at ++++ b/src/tests/features/iptables_no_flush_on_shutdown.at +@@ -53,7 +53,7 @@ dnl the first runtime direct rule should trigger an iptables flush + FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore]) + IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) + IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +-EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 255, [ignore], [ignore]) + IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl + ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 + ]) +@@ -81,7 +81,7 @@ IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl + IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) + IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl + ]) +-EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 255, [ignore], [ignore]) + EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ]) + +@@ -103,7 +103,7 @@ IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl + IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) + IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl + ]) +-EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 255, [ignore], [ignore]) + 
EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ]) + +@@ -122,7 +122,7 @@ NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) + FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore]) + IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) + IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +-EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 255, [ignore], [ignore]) + FWD_RELOAD() + + dnl adding a chain should trigger a flush +@@ -137,7 +137,7 @@ NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT]) + FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore]) + IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) + IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore]) +-EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore]) ++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 255, [ignore], [ignore]) + + FWD_END_TEST() + +diff --git a/src/tests/features/nftables_counters.at b/src/tests/features/nftables_counters.at +index 533fce6..be7ab2b 100644 +--- a/src/tests/features/nftables_counters.at ++++ b/src/tests/features/nftables_counters.at +@@ -16,6 +16,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + } + } +@@ -38,6 +40,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 counter packets 0 bytes 0 accept ++ ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept ++ ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept + ip6 daddr fe80::/64 
udp dport 546 counter packets 0 bytes 0 accept + } + } +@@ -49,6 +53,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 counter packets 0 bytes 0 accept ++ ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept ++ ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept + ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept + tcp dport 1234 counter packets 0 bytes 0 accept + } +@@ -59,6 +65,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 counter packets 0 bytes 0 accept ++ ip daddr 224.0.0.251 udp dport 5353 counter packets 0 bytes 0 accept ++ ip6 daddr ff02::fb udp dport 5353 counter packets 0 bytes 0 accept + ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept + } + } +diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at +index 7b5932c..1ae4339 100644 +--- a/src/tests/features/rich_destination_ipset.at ++++ b/src/tests/features/rich_destination_ipset.at +@@ -15,13 +15,16 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + ip daddr @foobar accept + } + } + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst + ]) + +diff --git a/src/tests/features/rich_tcp_mss_clamp.at b/src/tests/features/rich_tcp_mss_clamp.at +index e3afb75..66079d9 100644 +--- a/src/tests/features/rich_tcp_mss_clamp.at ++++ b/src/tests/features/rich_tcp_mss_clamp.at +@@ -97,6 +97,7 @@ AT_CHECK([cat 
./zones/public.xml], 0, [dnl + Public + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + ++ + + + +diff --git a/src/tests/features/startup_failsafe.at b/src/tests/features/startup_failsafe.at +index 3cdf7c3..741e174 100644 +--- a/src/tests/features/startup_failsafe.at ++++ b/src/tests/features/startup_failsafe.at +@@ -19,6 +19,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 443 accept + } +diff --git a/src/tests/features/zone_combine.at b/src/tests/features/zone_combine.at +index 0aea5f1..25eb3ca 100644 +--- a/src/tests/features/zone_combine.at ++++ b/src/tests/features/zone_combine.at +@@ -27,7 +27,7 @@ AT_DATA([./zones/combined/zone3.xml], [dnl + FWD_RELOAD() + + FWD_CHECK([--get-zones], 0, [dnl +-block combined dmz drop external home internal public trusted work ++FedoraServer FedoraWorkstation block combined dmz drop external home internal public trusted work + ]) + FWD_CHECK([--zone combined --list-all | TRIM_WHITESPACE], 0, [dnl + combined +@@ -49,7 +49,7 @@ rich rules: + ]) + + FWD_CHECK([--permanent --get-zones], 0, [dnl +-block combined/zone1 combined/zone2 combined/zone3 dmz drop external home internal public trusted work ++FedoraServer FedoraWorkstation block combined/zone1 combined/zone2 combined/zone3 dmz drop external home internal public trusted work + ]) + FWD_CHECK([--permanent --zone combined/zone1 --list-all | TRIM_WHITESPACE], 0, [dnl + combined/zone1 +diff --git a/src/tests/regression/gh1152.at b/src/tests/regression/gh1152.at +index 3011b09..fad455a 100644 +--- a/src/tests/regression/gh1152.at ++++ b/src/tests/regression/gh1152.at +@@ -4,6 +4,38 @@ AT_KEYWORDS(cli gh1152) + FWD_CHECK([--permanent --zone 
block --add-interface dummy0], 0, [ignore]) + + FWD_CHECK([--permanent --list-all-zones | TRIM_WHITESPACE], 0, [m4_strip([dnl ++FedoraServer ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: cockpit dhcpv6-client ssh ++ ports: ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: ++FedoraWorkstation ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: dhcpv6-client samba-client ssh ++ ports: 1025-65535/udp 1025-65535/tcp ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: + block + target: %%REJECT%% + ingress-priority: 0 +@@ -107,7 +139,7 @@ public (default) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +@@ -139,7 +171,7 @@ work + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +@@ -150,6 +182,38 @@ work + rich rules: + ])]) + FWD_OFFLINE_CHECK([--list-all-zones | TRIM_WHITESPACE], 0, [m4_strip([dnl ++FedoraServer ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: cockpit dhcpv6-client ssh ++ ports: ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: ++FedoraWorkstation ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: dhcpv6-client samba-client ssh ++ ports: 1025-65535/udp 1025-65535/tcp ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: + block + target: %%REJECT%% + ingress-priority: 0 +@@ 
-253,7 +317,7 @@ public (default) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +@@ -285,7 +349,7 @@ work + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +@@ -365,6 +429,38 @@ foobar + + FWD_RELOAD() + FWD_CHECK([--list-all-zones | TRIM_WHITESPACE], 0, [m4_strip([dnl ++FedoraServer ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: cockpit dhcpv6-client ssh ++ ports: ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: ++FedoraWorkstation ++ target: default ++ ingress-priority: 0 ++ egress-priority: 0 ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: dhcpv6-client samba-client ssh ++ ports: 1025-65535/udp 1025-65535/tcp ++ protocols: ++ forward: no ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: + block (active) + target: %%REJECT%% + ingress-priority: 0 +@@ -468,7 +564,7 @@ public (default, active) + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +@@ -500,7 +596,7 @@ work + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at +index dd367b5..10ac1dc 100644 +--- a/src/tests/regression/gh366.at ++++ b/src/tests/regression/gh366.at +@@ -6,9 +6,9 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept +-ip6 daddr fe80::/64 udp dport 546 accept + ip daddr 224.0.0.251 udp dport 5353 accept + ip6 daddr 
ff02::fb udp dport 5353 accept ++ip6 daddr fe80::/64 udp dport 546 accept + } + } + ]) +@@ -18,8 +18,8 @@ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 +-ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 ++ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ])]) + + FWD_CHECK([-q --zone=public --add-service=mdns]) +diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at +index 309b3c5..650d8fe 100644 +--- a/src/tests/regression/gh453.at ++++ b/src/tests/regression/gh453.at +@@ -17,6 +17,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 accept +@@ -41,6 +43,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + tcp dport 21 ct helper set "helper-ftp-tcp" + tcp dport 21 accept +diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at +index adf2e0f..a46dec8 100644 +--- a/src/tests/regression/gh696.at ++++ b/src/tests/regression/gh696.at +@@ -57,6 +57,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + icmp echo-request accept + icmpv6 echo-request accept +@@ -65,11 +67,13 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + ]) + + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, 
[dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 128 + ]) +@@ -82,6 +86,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + icmp echo-request accept + icmpv6 echo-request accept +@@ -90,11 +96,13 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + ]) + + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 128 + ]) +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 9c0aae6..68c947b 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -12,7 +12,6 @@ m4_include([regression/rhbz1506742.at]) + m4_include([regression/rhbz1594657.at]) + m4_include([regression/rhbz1571957.at]) + m4_include([regression/rhbz1404076.at]) +-m4_include([regression/gh366.at]) + m4_include([regression/rhbz1601610.at]) + m4_include([regression/gh303.at]) + m4_include([regression/gh335.at]) +diff --git a/src/tests/regression/rhbz1404076.at 
b/src/tests/regression/rhbz1404076.at +index f4063c7..f55d7cf 100644 +--- a/src/tests/regression/rhbz1404076.at ++++ b/src/tests/regression/rhbz1404076.at +@@ -14,7 +14,6 @@ FWD_CHECK([-q $2 --query-$1=8085-8087/tcp]) + FWD_CHECK([-q $2 --query-$1=8080-8090/tcp]) + FWD_CHECK([-q $2 --query-$1=8080-8089/tcp]) + FWD_CHECK([-q $2 --query-$1=8081-8090/tcp]) +-FWD_CHECK([-q $2 --query-$1=webcache/tcp]) dnl named port + FWD_CHECK([-q $2 --query-$1=8091/tcp], 1) dnl negative test + FWD_CHECK([-q $2 --query-$1=8085/udp], 1) dnl negative test + FWD_CHECK([$2 --list-$1s], 0, [dnl +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index c036050..1e9c7c5 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all]) + FWD_CHECK([-q --permanent --zone=public --add-service=samba]) + FWD_RELOAD + FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl +-services: dhcpv6-client samba ssh ++services: dhcpv6-client mdns samba ssh + ]) + + dnl check that log denied actually took effect +diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at +index 1565eb4..bd188f2 100644 +--- a/src/tests/regression/rhbz1596304.at ++++ b/src/tests/regression/rhbz1596304.at +@@ -12,7 +12,7 @@ FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl + icmp-block-inversion: no + interfaces: + sources: +- services: dhcpv6-client ssh ++ services: dhcpv6-client mdns ssh + ports: + protocols: + forward: yes +diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at +index 7a00888..adc1ded 100644 +--- a/src/tests/regression/rhbz1715977.at ++++ b/src/tests/regression/rhbz1715977.at +@@ -19,18 +19,18 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + } + ]) + IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp 
dpt:22 + ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 +- ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ++ ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 + ACCEPT 6 -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 + ]) + IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 + ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 ::/0 udp dpt:137 + ACCEPT 17 -- ::/0 ::/0 udp dpt:138 +- ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 ++ ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept']) +@@ -38,7 +38,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl + table inet firewalld { + chain filter_IN_internal_allow { + tcp dport 22 accept +- ip daddr 224.0.0.251 udp dport 5353 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept + ip6 daddr ff02::fb udp dport 5353 accept + udp dport 137 ct helper set "helper-netbios-ns-udp" + udp dport 137 accept +@@ -53,7 +53,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 + ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 +- ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ++ ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 + ACCEPT 6 -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 + ACCEPT 6 -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 + ]) +@@ -62,7 +62,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl + ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 ::/0 udp dpt:137 + ACCEPT 17 -- ::/0 ::/0 udp dpt:138 +- ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 ++ ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ]) + + FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept']) +@@ -86,7 +86,7 @@ IPTABLES_LIST_RULES([filter], 
[IN_internal_allow], 0, [dnl + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 + ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 +- ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ++ ACCEPT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 + ACCEPT 6 -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 + ACCEPT 6 -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 + ACCEPT 17 -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index a941428..36b352a 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -17,6 +17,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + icmp echo-request accept + icmpv6 echo-request accept +@@ -28,7 +30,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ACCEPT 1 -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 + ]) +@@ -36,7 +39,8 @@ IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl + MARK 58 -- ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86 + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl +- ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 128 + ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 136 +diff --git a/src/tests/regression/rhbz2181406.at b/src/tests/regression/rhbz2181406.at +index b5ac531..f27af5a 100644 +--- 
a/src/tests/regression/rhbz2181406.at ++++ b/src/tests/regression/rhbz2181406.at +@@ -20,6 +20,8 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { + tcp dport 22 accept ++ ip daddr 224.0.0.251 udp dport 5353 accept ++ ip6 daddr ff02::fb udp dport 5353 accept + ip6 daddr fe80::/64 udp dport 546 accept + ip6 daddr fc00::10:10:10:10 tcp dport 22 accept + ip saddr 10.10.10.10 tcp dport 80 limit rate 2/day accept +@@ -33,6 +35,7 @@ LOG 6 -- 10.10.10.10 0.0.0.0/0 tcp dpt:22 limit: avg 2/day burst 5 LOG flags 0 l + ]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ++ACCEPT 17 -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 + ACCEPT 6 -- 10.10.10.10 0.0.0.0/0 tcp dpt:80 limit: avg 2/day burst 5 + ]) + +@@ -41,6 +44,7 @@ AUDIT 6 -- ::/0 fc00::10:10:10:10 tcp dpt:22 limit: avg 5/min burst 5 AUDIT acce + ]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT 6 -- ::/0 ::/0 tcp dpt:22 ++ACCEPT 17 -- ::/0 ff02::fb udp dpt:5353 + ACCEPT 17 -- ::/0 fe80::/64 udp dpt:546 + ACCEPT 6 -- ::/0 fc00::10:10:10:10 tcp dpt:22 + ACCEPT 6 -- ::/0 fc00::10:10:10:10 tcp dpt:80 limit: avg 5/min burst 5 +-- +2.45.3 + diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec index 99ba96ea73..88c7d8b6a6 100644 --- a/SPECS/flannel/flannel.spec +++ b/SPECS/flannel/flannel.spec @@ -3,7 +3,7 @@ Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes Name: flannel Version: 0.24.2 -Release: 15%{?dist} +Release: 16%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -18,7 +18,7 @@ Patch3: CVE-2025-30204.patch Patch4: CVE-2024-51744.patch BuildRequires: gcc BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: golang >= 1.20 BuildRequires: kernel-headers 
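Review bot: The change to `src/tests/features/features.at` removes `m4_include([features/rpfilter.at])`, so the shipped firewalld-test suite appears to lose its reverse-path-filter coverage in the same commit that sets `IPv6_rpfilter=no`. Adapting that test's expected output to the new default would keep the behaviour checked. `regression.at` likewise drops `m4_include([regression/gh366.at])` while this patch still reorders lines inside `gh366.at`, so that edit looks dead unless the file is included elsewhere. The repeated new expectations (`ip daddr 224.0.0.251 udp dport 5353 accept`, `ip6 daddr ff02::fb udp dport 5353 accept`, `services: dhcpv6-client mdns ssh`) pin mDNS as open in the public zone. The patch description should state that this mirrors the distribution's own zone defaults, presumably from `firewalld-only-MDNS-default.patch`, and is not an upstream default.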
@@ -52,6 +52,10 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld %{_bindir}/flanneld %changelog +* Mon Sep 8 2025 Lee Chee Yang - 0.24.2-16 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 0.24.2-15 - merge from Azure Linux 3.0.20250521-3.0 - Bump to rebuild with updated glibc diff --git a/SPECS/flux/flux.spec b/SPECS/flux/flux.spec index 9e60255c3c..7d165c8eb2 100644 --- a/SPECS/flux/flux.spec +++ b/SPECS/flux/flux.spec @@ -22,7 +22,7 @@ Summary: Influx data language Name: flux Version: 0.194.5 -Release: 4%{?dist} +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -146,6 +146,12 @@ RUSTFLAGS=%{rustflags} cargo test --release %{_includedir}/influxdata/flux.h %changelog +* Mon Jul 21 2025 Jyoti Kanase - 0.194.5-6 +- Bump release to rebuild with rust + +* Tue Jun 10 2025 Kavya Sree Kaitepalli - 0.194.5-5 +- Bump release to rebuild with rust + * Mon Apr 21 2025 Kavya Sree Kaitepalli - 0.194.5-4 - Pin rust version diff --git a/SPECS/frr/CVE-2024-55553.patch b/SPECS/frr/CVE-2024-55553.patch new file mode 100644 index 0000000000..4581bab08d --- /dev/null +++ b/SPECS/frr/CVE-2024-55553.patch 
@@ -0,0 +1,258 @@ +From ee33d7a891c9e7abb5020e849f51a9ea8a91b850 Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Thu, 19 Jun 2025 06:40:11 +0000 +Subject: [PATCH] Backport CVE-2024-55553 + +Upstream Reference : https://github.com/FRRouting/frr/commit/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3 + +Signed-off-by: Kanishk Bansal +--- + bgpd/bgp_rpki.c | 139 ++++++++++++++++++++++-------------------------- + bgpd/bgpd.c | 4 -- + bgpd/bgpd.h | 1 - + 3 files changed, 65 insertions(+), 79 deletions(-) + +diff --git a/bgpd/bgp_rpki.c b/bgpd/bgp_rpki.c +index f0b2ffd..8ccb948 100644 +--- a/bgpd/bgp_rpki.c ++++ b/bgpd/bgp_rpki.c +@@ -48,6 +48,7 @@ DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_CACHE_GROUP, "BGP RPKI Cache server group"); + DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_RTRLIB, "BGP RPKI RTRLib"); + DEFINE_MTYPE_STATIC(BGPD, BGP_RPKI_REVALIDATE, "BGP RPKI Revalidation"); + ++ + #define POLLING_PERIOD_DEFAULT 3600 + #define EXPIRE_INTERVAL_DEFAULT 7200 + #define RETRY_INTERVAL_DEFAULT 600 +@@ -108,7 +109,6 @@ static void print_record(const struct pfx_record *record, struct vty *vty, + json_object *json, enum asnotation_mode asnotation); + static bool is_synchronized(void); + static bool is_running(void); +-static bool is_stopping(void); + static void route_match_free(void *rule); + static enum route_map_cmd_result_t route_match(void *rule, + const struct prefix *prefix, +@@ -116,7 +116,6 @@ static enum route_map_cmd_result_t route_match(void *rule, + void *object); + static void *route_match_compile(const char *arg); + static void revalidate_bgp_node(struct bgp_dest *dest, afi_t afi, safi_t safi); +-static void revalidate_all_routes(void); + + static struct rtr_mgr_config *rtr_config; + static struct list *cache_list; +@@ -354,11 +353,6 @@ inline bool is_running(void) + return rtr_is_running; + } + +-inline bool is_stopping(void) +-{ +- return rtr_is_stopping; +-} +- + static void pfx_record_to_prefix(struct pfx_record *record, + struct prefix *prefix) + { +@@ -402,40 +396,19 @@ 
static void rpki_revalidate_prefix(struct event *thread) + XFREE(MTYPE_BGP_RPKI_REVALIDATE, rrp); + } + +-static void bgpd_sync_callback(struct event *thread) ++static void revalidate_single_prefix(struct vrf *vrf, struct prefix prefix, afi_t afi) + { + struct bgp *bgp; + struct listnode *node; +- struct prefix prefix; +- struct pfx_record rec; +- +- event_add_read(bm->master, bgpd_sync_callback, NULL, +- rpki_sync_socket_bgpd, NULL); +- +- if (atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) { +- while (read(rpki_sync_socket_bgpd, &rec, +- sizeof(struct pfx_record)) != -1) +- ; +- +- atomic_store_explicit(&rtr_update_overflow, 0, +- memory_order_seq_cst); +- revalidate_all_routes(); +- return; +- } +- +- int retval = +- read(rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record)); +- if (retval != sizeof(struct pfx_record)) { +- RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd"); +- return; +- } +- pfx_record_to_prefix(&rec, &prefix); +- +- afi_t afi = (rec.prefix.ver == LRTR_IPV4) ? 
AFI_IP : AFI_IP6; + + for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) { + safi_t safi; + ++ if (!vrf && bgp->vrf_id != VRF_DEFAULT) ++ continue; ++ if (vrf && bgp->vrf_id != vrf->vrf_id) ++ continue; ++ + for (safi = SAFI_UNICAST; safi < SAFI_MAX; safi++) { + struct bgp_table *table = bgp->rib[afi][safi]; + struct rpki_revalidate_prefix *rrp; +@@ -448,12 +421,67 @@ static void bgpd_sync_callback(struct event *thread) + rrp->prefix = prefix; + rrp->afi = afi; + rrp->safi = safi; +- event_add_event(bm->master, rpki_revalidate_prefix, rrp, +- 0, &bgp->t_revalidate[afi][safi]); ++ event_add_event(bm->master, rpki_revalidate_prefix, rrp, 0, &bgp->t_revalidate[afi][safi]); + } + } + } + ++ ++static void bgpd_sync_callback(struct event *thread) ++{ ++ struct prefix prefix; ++ struct pfx_record rec; ++ struct rpki_vrf *rpki_vrf = EVENT_ARG(thread); ++ struct vrf *vrf = NULL; ++ afi_t afi; ++ int retval; ++ ++ event_add_read(bm->master, bgpd_sync_callback, rpki_vrf, rpki_vrf->rpki_sync_socket_bgpd, ++ NULL); ++ ++ if (rpki_vrf->vrfname) { ++ vrf = vrf_lookup_by_name(rpki_vrf->vrfname); ++ if (!vrf) { ++ zlog_err("%s(): vrf for rpki %s not found", __func__, rpki_vrf->vrfname); ++ return; ++ } ++ } ++ ++ if (atomic_load_explicit(&rpki_vrf->rtr_update_overflow, memory_order_seq_cst)) { ++ ssize_t size = 0; ++ ++ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record)); ++ while (retval != -1) { ++ if (retval != sizeof(struct pfx_record)) ++ break; ++ ++ size += retval; ++ pfx_record_to_prefix(&rec, &prefix); ++ afi = (rec.prefix.ver == LRTR_IPV4) ? 
AFI_IP : AFI_IP6; ++ revalidate_single_prefix(vrf, prefix, afi); ++ ++ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, ++ sizeof(struct pfx_record)); ++ } ++ ++ RPKI_DEBUG("Socket overflow detected (%zu), revalidating affected prefixes", size); ++ ++ atomic_store_explicit(&rpki_vrf->rtr_update_overflow, 0, memory_order_seq_cst); ++ return; ++ } ++ ++ retval = read(rpki_vrf->rpki_sync_socket_bgpd, &rec, sizeof(struct pfx_record)); ++ if (retval != sizeof(struct pfx_record)) { ++ RPKI_DEBUG("Could not read from rpki_sync_socket_bgpd"); ++ return; ++ } ++ pfx_record_to_prefix(&rec, &prefix); ++ ++ afi = (rec.prefix.ver == LRTR_IPV4) ? AFI_IP : AFI_IP6; ++ ++ revalidate_single_prefix(vrf, prefix, afi); ++} ++ + static void revalidate_bgp_node(struct bgp_dest *bgp_dest, afi_t afi, + safi_t safi) + { +@@ -501,48 +529,11 @@ static void bgp_rpki_revalidate_peer(struct event *thread) + XFREE(MTYPE_BGP_RPKI_REVALIDATE, rvp); + } + +-static void revalidate_all_routes(void) +-{ +- struct bgp *bgp; +- struct listnode *node; +- +- for (ALL_LIST_ELEMENTS_RO(bm->bgp, node, bgp)) { +- struct peer *peer; +- struct listnode *peer_listnode; +- +- for (ALL_LIST_ELEMENTS_RO(bgp->peer, peer_listnode, peer)) { +- afi_t afi; +- safi_t safi; +- +- FOREACH_AFI_SAFI (afi, safi) { +- struct rpki_revalidate_peer *rvp; +- +- if (!bgp->rib[afi][safi]) +- continue; +- +- if (!peer_established(peer->connection)) +- continue; +- +- rvp = XCALLOC(MTYPE_BGP_RPKI_REVALIDATE, +- sizeof(*rvp)); +- rvp->peer = peer; +- rvp->afi = afi; +- rvp->safi = safi; +- +- event_add_event( +- bm->master, bgp_rpki_revalidate_peer, +- rvp, 0, +- &peer->t_revalidate_all[afi][safi]); +- } +- } +- } +-} +- + static void rpki_update_cb_sync_rtr(struct pfx_table *p __attribute__((unused)), + const struct pfx_record rec, + const bool added __attribute__((unused))) + { +- if (is_stopping() || ++ if (rtr_is_stopping || + atomic_load_explicit(&rtr_update_overflow, memory_order_seq_cst)) + return; + +diff --git 
a/bgpd/bgpd.c b/bgpd/bgpd.c +index edb20ac..cfa1930 100644 +--- a/bgpd/bgpd.c ++++ b/bgpd/bgpd.c +@@ -1248,8 +1248,6 @@ static void peer_free(struct peer *peer) + bgp_reads_off(peer->connection); + bgp_writes_off(peer->connection); + event_cancel_event_ready(bm->master, peer->connection); +- FOREACH_AFI_SAFI (afi, safi) +- EVENT_OFF(peer->t_revalidate_all[afi][safi]); + assert(!peer->connection->t_write); + assert(!peer->connection->t_read); + event_cancel_event_ready(bm->master, peer->connection); +@@ -2637,8 +2635,6 @@ int peer_delete(struct peer *peer) + bgp_reads_off(peer->connection); + bgp_writes_off(peer->connection); + event_cancel_event_ready(bm->master, peer->connection); +- FOREACH_AFI_SAFI (afi, safi) +- EVENT_OFF(peer->t_revalidate_all[afi][safi]); + assert(!CHECK_FLAG(peer->connection->thread_flags, + PEER_THREAD_WRITES_ON)); + assert(!CHECK_FLAG(peer->connection->thread_flags, +diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h +index dda108b..70c728c 100644 +--- a/bgpd/bgpd.h ++++ b/bgpd/bgpd.h +@@ -1568,7 +1568,6 @@ struct peer { + + /* Threads. */ + struct event *t_llgr_stale[AFI_MAX][SAFI_MAX]; +- struct event *t_revalidate_all[AFI_MAX][SAFI_MAX]; + struct event *t_refresh_stalepath; + + /* Thread flags. */ +-- +2.45.3 + diff --git a/SPECS/frr/frr.spec b/SPECS/frr/frr.spec index 5a7dc0e1cb..64f6026a82 100644 --- a/SPECS/frr/frr.spec +++ b/SPECS/frr/frr.spec @@ -3,7 +3,7 @@ Summary: Routing daemon Name: frr Version: 9.1.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,7 @@ Patch2: 0002-disable-eigrp-crypto.patch Patch3: 0003-fips-mode.patch Patch4: 0004-remove-grpc-test.patch Patch5: CVE-2024-44070.patch +Patch6: CVE-2024-55553.patch BuildRequires: autoconf BuildRequires: automake 
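Review bot: The rewritten `bgpd_sync_callback` takes its socket and overflow flag from `struct rpki_vrf *rpki_vrf = EVENT_ARG(thread)`, but no hunk in this patch declares `struct rpki_vrf` or changes how the callback is first registered. The last bgp_rpki.c hunk (`rpki_update_cb_sync_rtr`) still tests the file-level `rtr_update_overflow`. The removed code re-armed the callback with a NULL argument and used the globals `rpki_sync_socket_bgpd` and `rtr_update_overflow`, so unless the 9.1.1 tree already carries per-VRF RPKI state, this backport would either fail to build or dereference a NULL event argument on the first socket event. If the struct is absent, keep the globals in the new body, e.g. `event_add_read(bm->master, bgpd_sync_callback, NULL, rpki_sync_socket_bgpd, NULL);`, and call `revalidate_single_prefix(NULL, prefix, afi)`. Separately, `size` is an `ssize_t` logged with `%zu`, where `%zd` matches the type; the other registration sites of the callback are outside these hunks.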
@@ -199,6 +200,9 @@ rm tests/lib/*grpc* %{_sysusersdir}/%{name}.conf %changelog +* Tue Jun 17 2025 Kanishk Bansal - 9.1.1-3 +- Backport Patch CVE-2024-55553 + * Wed Aug 21 2024 Brian Fjeldstad - 9.1.1-2 - Fix CVE-2024-44070 diff --git a/SPECS/gdk-pixbuf2/CVE-2025-6199.patch b/SPECS/gdk-pixbuf2/CVE-2025-6199.patch new file mode 100644 index 0000000000..8836701464 --- /dev/null +++ b/SPECS/gdk-pixbuf2/CVE-2025-6199.patch @@ -0,0 +1,27 @@ +From 5c0fdbcfecf1a21f35f778c1599a3bc237999d3f Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Tue, 1 Jul 2025 08:46:50 +0000 +Subject: [PATCH] Fix CVE CVE-2025-6199 in gdk-pixbuf2 + +Upstream Patch Reference: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/191.patch +--- + gdk-pixbuf/lzw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c +index 1529356..4f3dd8b 100644 +--- a/gdk-pixbuf/lzw.c ++++ b/gdk-pixbuf/lzw.c +@@ -208,7 +208,7 @@ lzw_decoder_feed (LZWDecoder *self, + /* Invalid code received - just stop here */ + if (self->code >= self->code_table_size) { + self->last_code = self->eoi_code; +- return output_length; ++ return n_written; + } + + /* Convert codeword into indexes */ +-- +2.45.3 + diff --git a/SPECS/gdk-pixbuf2/CVE-2025-7345.patch b/SPECS/gdk-pixbuf2/CVE-2025-7345.patch new file mode 100644 index 0000000000..43ec663994 --- /dev/null +++ b/SPECS/gdk-pixbuf2/CVE-2025-7345.patch 
@@ -0,0 +1,44 @@ +From 4b544734b6b7944de8c0a2442ad3db482779303a Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Mon, 14 Jul 2025 08:50:39 +0000 +Subject: [PATCH] Fix CVE CVE-2025-7345 in gdk-pixbuf2 + +Upstream Patch Reference: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/217.patch +--- + gdk-pixbuf/io-jpeg.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index 3841fc0..9ee1d21 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + context->icc_profile = g_new (gchar, chunk_size); + /* copy the segment data to the profile space */ + memcpy (context->icc_profile, marker->data + 14, chunk_size); ++ ret = TRUE; + goto out; + } + +@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma + /* copy the segment data to the profile space */ + memcpy (context->icc_profile + offset, marker->data + 14, chunk_size); + +- /* it's now this big plus the new data we've just copied */ +- context->icc_profile_size += chunk_size; ++ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size); + + /* success */ + ret = TRUE; + out: ++ if (!ret) { ++ g_free (context->icc_profile); ++ context->icc_profile = NULL; ++ } + return ret; + } + +-- +2.45.3 + diff --git a/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec b/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec index 0da9c1a358..f0e7daa227 100644 --- a/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec +++ b/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec 
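Review bot: The new failure path at `out:` frees `context->icc_profile` and sets it to NULL but leaves `context->icc_profile_size` at whatever earlier chunks stored, so the context can end up with a NULL buffer and a non-zero length. Resetting both keeps the pair consistent for any later reader: add `context->icc_profile_size = 0;` after `context->icc_profile = NULL;`. Whether consumers test the pointer before using the size cannot be seen here, since `jpeg_parse_exif_app2_segment` starts outside the hunk and its callers are not shown.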
@@ -2,13 +2,15 @@ Summary: An image loading library Name: gdk-pixbuf2 Version: 2.42.10 -Release: 2%{?dist} +Release: 4%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz Patch0: CVE-2022-48622.patch +Patch1: CVE-2025-6199.patch +Patch2: CVE-2025-7345.patch BuildRequires: %{_bindir}/rst2man BuildRequires: gettext BuildRequires: libjpeg-devel @@ -115,6 +117,12 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache %{_datadir}/installed-tests %changelog +* Mon Jul 14 2025 Azure Linux Security Servicing Account - 2.42.10-4 +- Patch for CVE-2025-7345 + +* Tue Jul 01 2025 Azure Linux Security Servicing Account - 2.42.10-3 +- Patch for CVE-2025-6199 + * Thu Sep 19 2024 Sumedh Sharma - 2.42.10-2 - Add patch for CVE-2022-48622 diff --git a/SPECS/gh/CVE-2025-48938.patch b/SPECS/gh/CVE-2025-48938.patch new file mode 100644 index 0000000000..34f673b2c3 --- /dev/null +++ b/SPECS/gh/CVE-2025-48938.patch 
@@ -0,0 +1,98 @@ +From f30373d5ac9c1af048f352ce32eaddc7c83a9156 Mon Sep 17 00:00:00 2001 +From: Sreenivasulu Malavathula +Date: Mon, 16 Jun 2025 16:28:52 -0500 +Subject: [PATCH] Address CVE-2025-48938 +Upstream Patch Reference: https://github.com/cli/go-gh/commit/a08820a.diff + +--- + .../cli/go-gh/v2/pkg/browser/browser.go | 59 +++++++++++++++++++ + 1 file changed, 59 insertions(+) + +diff --git a/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go b/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go +index 4d56710..d17951a 100644 +--- a/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go ++++ b/vendor/github.com/cli/go-gh/v2/pkg/browser/browser.go +@@ -2,7 +2,9 @@ + package browser + + import ( ++ "fmt" + "io" ++ "net/url" + "os" + "os/exec" + +@@ -45,9 +47,20 @@ func (b *Browser) Browse(url string) error { + } + + func (b *Browser) browse(url string, env []string) error { ++ // Ensure the URL is supported including the scheme, ++ // overwrite `url` for use within the function. ++ urlParsed, err := isPossibleProtocol(url) ++ if err != nil { ++ return err ++ } ++ ++ url = urlParsed.String() ++ ++ // Use default `gh` browsing module for opening URL if not customized. + if b.launcher == "" { + return cliBrowser.OpenURL(url) + } ++ + launcherArgs, err := shlex.Split(b.launcher) + if err != nil { + return err +@@ -78,3 +91,49 @@ func resolveLauncher() string { + } + return os.Getenv("BROWSER") + } ++ ++func isSupportedScheme(scheme string) bool { ++ switch scheme { ++ case "http", "https", "vscode", "vscode-insiders": ++ return true ++ default: ++ return false ++ } ++} ++ ++func isPossibleProtocol(u string) (*url.URL, error) { ++ // Parse URL for known supported schemes before handling unknown cases. 
++ urlParsed, err := url.Parse(u) ++ if err != nil { ++ return nil, fmt.Errorf("opening unparsable URL is unsupported: %s", u) ++ } ++ ++ if isSupportedScheme(urlParsed.Scheme) { ++ return urlParsed, nil ++ } ++ ++ // Disallow any unrecognized URL schemes if explicitly present. ++ if urlParsed.Scheme != "" { ++ return nil, fmt.Errorf("opening unsupport URL scheme: %s", u) ++ } ++ ++ // Disallow URLs that match existing files or directories on the filesystem ++ // as these could be executables or executed by the launcher browser due to ++ // the file extension and/or associated application. ++ // ++ // Symlinks should not be resolved in order to avoid broken links or other ++ // vulnerabilities trying to resolve them. ++ if fileInfo, _ := os.Lstat(u); fileInfo != nil { ++ return nil, fmt.Errorf("opening files or directories is unsupported: %s", u) ++ } ++ ++ // Disallow URLs that match executables found in the user path. ++ exec, _ := safeexec.LookPath(u) ++ if exec != "" { ++ return nil, fmt.Errorf("opening executables is unsupported: %s", u) ++ } ++ ++ // Otherwise, assume HTTP URL using `https` to ensure secure browsing. ++ urlParsed.Scheme = "https" ++ return urlParsed, nil ++} +-- +2.45.2 + diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index 1e308b2c54..09be261701 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -1,7 +1,7 @@ Summary: GitHub official command line tool Name: gh Version: 2.62.0 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -22,6 +22,7 @@ Patch6: CVE-2025-25204.patch Patch7: CVE-2025-27144.patch Patch8: CVE-2025-22869.patch Patch9: CVE-2025-22872.patch +Patch10: CVE-2025-48938.patch BuildRequires: golang < 1.23 BuildRequires: git 
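Review bot: The parse-failure branch of `isPossibleProtocol` drops the `url.Parse` error and echoes the caller-supplied string with `%s`, so malformed input is printed unescaped and the reason for rejection is lost. Quoting the input and keeping the cause is safer for terminals and logs: `return nil, fmt.Errorf("opening unparsable URL is unsupported: %q: %w", u, err)`. The other two rejection messages would benefit from `%q` as well, and `unsupport` in the scheme message reads as a typo for `unsupported`. In the same function the local `exec` shadows the imported `os/exec` package, which a name such as `exePath` avoids. Any test that matches these messages is outside the hunk and would need the same change.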
@@ -64,6 +65,10 @@ make test %{_datadir}/zsh/site-functions/_gh %changelog +* Mon Sep 8 2025 Lee Chee Yang - 2.62.0-10 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-48938 + * Fri May 30 2025 Ranjan Dutta - 2.62.0-9 - merge from Azure Linux 3.0.20250521-3.0 - Patch CVE-2025-22872 diff --git a/SPECS/git/Ptest-fix-git-config-syntax.patch b/SPECS/git/Ptest-fix-git-config-syntax.patch new file mode 100644 index 0000000000..b2db562952 --- /dev/null +++ b/SPECS/git/Ptest-fix-git-config-syntax.patch 
@@ -0,0 +1,46 @@ +From 5415cf267c1b5a4ef9591e11106085bc24b7131b Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Thu, 17 Jul 2025 17:21:37 +0000 +Subject: [PATCH] Fix git config syntax +Upstream Patch reference: https://lkml.org/lkml/2025/7/8/1608 + +--- + t/t1300-config.sh | 4 ++-- + t/t7450-bad-git-dotfiles.sh | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 00f34c5..3ed4a0b 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -2743,8 +2743,8 @@ test_expect_success 'writing value with trailing CR not stripped on read' ' + + printf "bar\r\n" >expect && + git init cr-test && +- git -C cr-test config set core.foo $(printf "bar\r") && +- git -C cr-test config get core.foo >actual && ++ git -C cr-test config core.foo $(printf "bar\r") && ++ git -C cr-test config --get core.foo >actual && + + test_cmp expect actual + ' +diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh +index ff63c05..38b9db8 100755 +--- a/t/t7450-bad-git-dotfiles.sh ++++ b/t/t7450-bad-git-dotfiles.sh +@@ -388,10 +388,10 @@ test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into d + git -C repo mv sub $(printf "sub\r") && + + # Ensure config values containing CR are wrapped in quotes. +- git config unset -f repo/.gitmodules submodule.sub.path && ++ git config --unset -f repo/.gitmodules submodule.sub.path && + printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules && + +- git config unset -f repo/.git/modules/sub/config core.worktree && ++ git config --unset -f repo/.git/modules/sub/config core.worktree && + { + printf "[core]\n" && + printf "\tworktree = \"../../../sub\r\"\n" +-- +2.45.3 + diff --git a/SPECS/git/git.signatures.json b/SPECS/git/git.signatures.json index d27c966578..15db5ce8dd 100644 --- a/SPECS/git/git.signatures.json +++ b/SPECS/git/git.signatures.json 
@@ -1,5 +1,5 @@ { - "Signatures": { - "git-2.45.3.tar.gz": "3075ec9cbcf44a72d7fb232191c0982d6676a1d7432d3c74b96d397ff874b071" - } -} + "Signatures": { + "git-2.45.4.tar.gz": "edd4f60430139bbfc8b724eed3583502493f82c082ccf7760c8df1c432cfe4a3" + } +} \ No newline at end of file diff --git a/SPECS/git/git.spec b/SPECS/git/git.spec index 541d2df8a8..53aa9b9ba5 100644 --- a/SPECS/git/git.spec +++ b/SPECS/git/git.spec @@ -1,4 +1,3 @@ - %bcond daemon 1 %bcond subtree 1 %bcond svn 0 @@ -6,14 +5,16 @@ Summary: Fast distributed version control system Name: git -Version: 2.45.3 -Release: 2%{?dist} +Version: 2.45.4 +Release: 3%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux Group: System Environment/Programming URL: https://git-scm.com/ Source0: https://github.com/git/git/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Below patch not needed for Git 2.46.0, already includes this fix. +Patch0: Ptest-fix-git-config-syntax.patch BuildRequires: curl-devel BuildRequires: python3-devel Requires: curl @@ -106,7 +107,7 @@ BuildArch: noarch %endif %prep -%setup -q +%autosetup -p1 %{py3_shebang_fix} git-p4.py %build @@ -118,11 +119,13 @@ make configure --libexec=%{_libexecdir} \ --with-gitconfig=%{_sysconfdir}/gitconfig make %{?_smp_mflags} CFLAGS="%{optflags}" CXXFLAGS="%{optflags}" +%make_build -C contrib/subtree/ all %install %make_install install -vdm 755 %{buildroot}%{_datadir}/bash-completion/completions install -m 0644 contrib/completion/git-completion.bash %{buildroot}%{_datadir}/bash-completion/completions/git +%make_install -C contrib/subtree %find_lang %{name} %{_fixperms} %{buildroot}/* @@ -164,7 +167,7 @@ fi %if %{with subtree} %files subtree -%{_libexecdir}/git-core/git-merge-subtree +%{_libexecdir}/git-core/git-subtree %endif %if %{with svn} 
@@ -173,6 +176,15 @@ fi %endif %changelog +* Wed Jul 23 2025 Muhammad Falak - 2.45.4-3 +- Fix subtree subpackage + +* Fri Jul 18 2025 Archana Shettigar - 2.45.4-2 +- Fix ptest with new git config syntax in CVE-2025-48384 + +* Fri Jul 11 2025 Archana Shettigar - 2.45.4-1 +- Upgrade to 2.45.4 - CVE-2025-48384, CVE-2025-48385, CVE-2025-27613 & CVE-2025-27614 + * Thu Apr 17 2025 Muhammad Falak - 2.45.3-2 - Add dependency only for openssh-clients instead of openssh diff --git a/SPECS/glib/CVE-2025-3360.patch b/SPECS/glib/CVE-2025-3360.patch new file mode 100644 index 0000000000..7f063b1af8 --- /dev/null +++ b/SPECS/glib/CVE-2025-3360.patch 
@@ -0,0 +1,138 @@ +From 407e37b2f0464eee439866e9c15d626cfb06a072 Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Wed, 16 Apr 2025 05:26:51 +0000 +Subject: [PATCH] Address CVE-2025-3360 +Upstream Patch Reference : +1. https://gitlab.gnome.org/GNOME/glib/-/commit/8d60d7dc168aee73a15eb5edeb2deaf196d96114 +2. https://gitlab.gnome.org/GNOME/glib/-/commit/2fa1e183613bf58d31151ecaceab91607ccc0c6d +3. https://gitlab.gnome.org/GNOME/glib/-/commit/0b225e7cd80801aca6e627696064d1698aaa85e7 +4. https://gitlab.gnome.org/GNOME/glib/-/commit/3672764a17c26341ab8224dcaddf3e7cad699443 +5. https://gitlab.gnome.org/GNOME/glib/-/commit/0ffdbebd9ab3246958e14ab33bd0c65b6f05fd13 + +--- + glib/gdatetime.c | 48 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 28 insertions(+), 20 deletions(-) + +diff --git a/glib/gdatetime.c b/glib/gdatetime.c +index 2640e3b..a28e55d 100644 +--- a/glib/gdatetime.c ++++ b/glib/gdatetime.c +@@ -1346,12 +1346,16 @@ parse_iso8601_date (const gchar *text, gsize length, + return FALSE; + } + ++/* Value returned in tz_offset is valid if and only if the function return value ++ * is non-NULL. */ + static GTimeZone * +-parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset) ++parse_iso8601_timezone (const gchar *text, gsize length, size_t *tz_offset) + { +- gint i, tz_length, offset_hours, offset_minutes; ++ size_t tz_length; ++ gint offset_hours, offset_minutes; + gint offset_sign = 1; + GTimeZone *tz; ++ const char *tz_start; + + /* UTC uses Z suffix */ + if (length > 0 && text[length - 1] == 'Z') +@@ -1361,42 +1365,42 @@ parse_iso8601_timezone (const gchar *text, gsize length, gssize *tz_offset) + } + + /* Look for '+' or '-' of offset */ +- for (i = length - 1; i >= 0; i--) +- if (text[i] == '+' || text[i] == '-') ++ for (tz_length = 1; tz_length <= length; tz_length++) ++ if (text[length - tz_length] == '+' || text[length - tz_length] == '-') + { +- offset_sign = text[i] == '-' ? 
-1 : 1; ++ offset_sign = text[length - tz_length] == '-' ? -1 : 1; + break; + } +- if (i < 0) ++ if (tz_length > length) + return NULL; +- tz_length = length - i; ++ tz_start = text + length - tz_length; + + /* +hh:mm or -hh:mm */ +- if (tz_length == 6 && text[i+3] == ':') ++ if (tz_length == 6 && tz_start[3] == ':') + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) || +- !get_iso8601_int (text + i + 4, 2, &offset_minutes)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) || ++ !get_iso8601_int (tz_start + 4, 2, &offset_minutes)) + return NULL; + } + /* +hhmm or -hhmm */ + else if (tz_length == 5) + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours) || +- !get_iso8601_int (text + i + 3, 2, &offset_minutes)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours) || ++ !get_iso8601_int (tz_start + 3, 2, &offset_minutes)) + return NULL; + } + /* +hh or -hh */ + else if (tz_length == 3) + { +- if (!get_iso8601_int (text + i + 1, 2, &offset_hours)) ++ if (!get_iso8601_int (tz_start + 1, 2, &offset_hours)) + return NULL; + offset_minutes = 0; + } + else + return NULL; + +- *tz_offset = i; +- tz = g_time_zone_new_identifier (text + i); ++ *tz_offset = tz_start - text; ++ tz = g_time_zone_new_identifier (tz_start); + + /* Double-check that the GTimeZone matches our interpretation of the timezone. 
+ * This can fail because our interpretation is less strict than (for example) +@@ -1415,11 +1419,11 @@ static gboolean + parse_iso8601_time (const gchar *text, gsize length, + gint *hour, gint *minute, gdouble *seconds, GTimeZone **tz) + { +- gssize tz_offset = -1; ++ size_t tz_offset = 0; + + /* Check for timezone suffix */ + *tz = parse_iso8601_timezone (text, length, &tz_offset); +- if (tz_offset >= 0) ++ if (*tz != NULL) + length = tz_offset; + + /* hh:mm:ss(.sss) */ +@@ -1497,7 +1501,8 @@ parse_iso8601_time (const gchar *text, gsize length, + GDateTime * + g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz) + { +- gint length, date_length = -1; ++ size_t length, date_length = 0; ++ gboolean date_length_set = FALSE; + gint hour = 0, minute = 0; + gdouble seconds = 0.0; + GTimeZone *tz = NULL; +@@ -1508,11 +1513,14 @@ g_date_time_new_from_iso8601 (const gchar *text, GTimeZone *default_tz) + /* Count length of string and find date / time separator ('T', 't', or ' ') */ + for (length = 0; text[length] != '\0'; length++) + { +- if (date_length < 0 && (text[length] == 'T' || text[length] == 't' || text[length] == ' ')) ++ if (!date_length_set && (text[length] == 'T' || text[length] == 't' || text[length] == ' ')) ++ { + date_length = length; ++ date_length_set = TRUE; ++ } + } + +- if (date_length < 0) ++ if (!date_length_set) + return NULL; + + if (!parse_iso8601_time (text + date_length + 1, length - (date_length + 1), +-- +2.45.3 + diff --git a/SPECS/glib/CVE-2025-4373.patch b/SPECS/glib/CVE-2025-4373.patch new file mode 100644 index 0000000000..9beea66471 --- /dev/null +++ b/SPECS/glib/CVE-2025-4373.patch 
@@ -0,0 +1,105 @@ +From f8cd5f93b2ba7fedf79fd4572ad3275bc8b52f77 Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Mon, 9 Jun 2025 07:06:12 -0400 +Subject: [PATCH] Address CVE-2025-4373 +Upstream Patch Reference: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4588.patch + +--- + glib/gstring.c | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index 9f04144..d016b65 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -490,8 +490,9 @@ g_string_insert_len (GString *string, + return string; + + if (len < 0) +- len = strlen (val); +- len_unsigned = len; ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + + if (pos < 0) + pos_unsigned = string->len; +@@ -788,10 +789,12 @@ g_string_insert_c (GString *string, + g_string_maybe_expand (string, 1); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); +- pos_unsigned = pos; ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ + if (pos_unsigned < string->len) +@@ -824,6 +827,7 @@ g_string_insert_unichar (GString *string, + gssize pos, + gunichar wc) + { ++ gsize pos_unsigned; + gint charlen, first, i; + gchar *dest; + +@@ -865,15 +869,18 @@ g_string_insert_unichar (GString *string, + g_string_maybe_expand (string, charlen); + + if (pos < 0) +- pos = string->len; ++ pos_unsigned = string->len; + else +- g_return_val_if_fail ((gsize) pos <= string->len, string); ++ { ++ pos_unsigned = pos; ++ g_return_val_if_fail (pos_unsigned <= string->len, string); ++ } + + /* If not just an append, move the old stuff */ +- if ((gsize) pos < string->len) +- memmove (string->str + pos + charlen, string->str + pos, string->len - pos); ++ if (pos_unsigned < string->len) ++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len 
- pos_unsigned); + +- dest = string->str + pos; ++ dest = string->str + pos_unsigned; + /* Code copied from g_unichar_to_utf() */ + for (i = charlen - 1; i > 0; --i) + { +@@ -931,6 +938,7 @@ g_string_overwrite_len (GString *string, + const gchar *val, + gssize len) + { ++ gssize len_unsigned; + gsize end; + + g_return_val_if_fail (string != NULL, NULL); +@@ -942,14 +950,16 @@ g_string_overwrite_len (GString *string, + g_return_val_if_fail (pos <= string->len, string); + + if (len < 0) +- len = strlen (val); ++ len_unsigned = strlen (val); ++ else ++ len_unsigned = len; + +- end = pos + len; ++ end = pos + len_unsigned; + + if (end > string->len) + g_string_maybe_expand (string, end - string->len); + +- memcpy (string->str + pos, val, len); ++ memcpy (string->str + pos, val, len_unsigned); + + if (end > string->len) + { +-- +2.34.1 + diff --git a/SPECS/glib/CVE-2025-6052.patch b/SPECS/glib/CVE-2025-6052.patch new file mode 100644 index 0000000000..a34cd466ba --- /dev/null +++ b/SPECS/glib/CVE-2025-6052.patch 
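Review bot: In the `g_string_overwrite_len` hunk the new local is declared `gssize len_unsigned;`, a signed type, while the matching local added to `g_string_insert_unichar` in this same patch is `gsize pos_unsigned;`. The value then feeds `end = pos + len_unsigned` and the `memcpy` length, so the signed declaration keeps the implicit signed-to-unsigned conversion that the rest of the patch removes. Declare it as `gsize len_unsigned;`. The function bodies start and end outside the inner hunks, so the surrounding declarations are not visible here. If the line matches the upstream change verbatim, record the deviation in the patch header.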
@@ -0,0 +1,39 @@ +From fc1479f9951f046198bb50c89b052f9c0ad09a06 Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Sun, 22 Jun 2025 08:32:39 -0400 +Subject: [PATCH] Address CVE-2025-6052 + +Upstream Patch Reference: https://gitlab.gnome.org/GNOME/glib/-/commit/37eecaa7efc48a0df22277444ff25ff791ac0ac1 +--- + glib/gstring.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/glib/gstring.c b/glib/gstring.c +index d016b65..75f7853 100644 +--- a/glib/gstring.c ++++ b/glib/gstring.c +@@ -78,10 +78,6 @@ static void + g_string_expand (GString *string, + gsize len) + { +- /* Detect potential overflow */ +- if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len) +- g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len); +- + string->allocated_len = g_nearest_pow (string->len + len + 1); + /* If the new size is bigger than G_MAXSIZE / 2, only allocate enough + * memory for this string and don't over-allocate. +@@ -96,6 +92,10 @@ static inline void + g_string_maybe_expand (GString *string, + gsize len) + { ++ /* Detect potential overflow */ ++ if G_UNLIKELY ((G_MAXSIZE - string->len - 1) < len) ++ g_error ("adding %" G_GSIZE_FORMAT " to string would overflow", len); ++ + if (G_UNLIKELY (string->len + len >= string->allocated_len)) + g_string_expand (string, len); + } +-- +2.34.1 + diff --git a/SPECS/glib/glib.spec b/SPECS/glib/glib.spec index 0b6c64ddbc..4a75d78d59 100644 --- a/SPECS/glib/glib.spec +++ b/SPECS/glib/glib.spec @@ -2,7 +2,7 @@ Summary: Low-level libraries useful for providing data structure handling for C. Name: glib Version: 2.78.6 -Release: 1%{?dist} +Release: 3%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -10,6 +10,9 @@ Group: Applications/System URL: https://developer.gnome.org/glib/ Source0: https://ftp.gnome.org/pub/gnome/sources/glib/%{majorver}/%{name}-%{version}.tar.xz Patch0: CVE-2024-52533.patch +Patch1: CVE-2025-3360.patch +Patch2: CVE-2025-4373.patch +Patch3: CVE-2025-6052.patch BuildRequires: cmake BuildRequires: gtk-doc BuildRequires: libffi-devel @@ -89,7 +92,7 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache %files %defattr(-,root,root) -%license COPYING +%license LICENSES/LGPL-2.1-or-later.txt %{_libdir}/libglib-*.so.* %{_libdir}/libgthread-*.so.* %{_libdir}/libgmodule-*.so.* @@ -122,6 +125,12 @@ touch %{buildroot}%{_libdir}/gio/modules/giomodule.cache %doc %{_datadir}/gtk-doc/html/* %changelog +* Mon Jun 09 2025 Aninda Pradhan - 2.78.6-3 +- Patch CVE-2025-4373 and CVE-2025-6052.patch + +* Wed Apr 16 2025 Archana Shettigar - 2.78.6-2 +- Patch CVE-2025-3360 + * Wed Mar 05 2025 CBL-Mariner Servicing Account - 2.78.6-1 - Auto-upgrade to 2.78.6 - for CVE-2024-34397 diff --git a/SPECS/glibc/CVE-2023-4527.patch b/SPECS/glibc/CVE-2023-4527.patch new file mode 100644 index 0000000000..de489ab9d4 --- /dev/null +++ b/SPECS/glibc/CVE-2023-4527.patch 
@@ -0,0 +1,188 @@ +From 6562a534ff741667d0725729ebc521bb0dac0e73 Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Thu, 22 May 2025 08:46:55 +0000 +Subject: [PATCH] CVE-2023-4527 + +Upstream Patch Reference : https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 + +https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2023-0002 + +Signed-off-by: Kanishk Bansal +--- + resolv/Makefile | 2 + + resolv/nss_dns/dns-host.c | 2 +- + resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ + 3 files changed, 132 insertions(+), 1 deletion(-) + create mode 100644 resolv/tst-resolv-noaaaa-vc.c + +diff --git a/resolv/Makefile b/resolv/Makefile +index 054b1fa3..2f99eb38 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -102,6 +102,7 @@ tests += \ + tst-resolv-invalid-cname \ + tst-resolv-network \ + tst-resolv-noaaaa \ ++ tst-resolv-noaaaa-vc \ + tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ +@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 1d60c51f..5d0ab30d 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, + { + n = __res_context_search (ctx, name, C_IN, T_A, + dns_packet_buffer, sizeof (dns_packet_buffer), +- NULL, NULL, NULL, NULL, NULL); ++ &alt_dns_packet_buffer, NULL, NULL, NULL, 
NULL); + if (n >= 0) + status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, + &abuf, pat, errnop, herrnop, ttlp); +diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c +new file mode 100644 +index 00000000..9f5aebd9 +--- /dev/null ++++ b/resolv/tst-resolv-noaaaa-vc.c +@@ -0,0 +1,129 @@ ++/* Test the RES_NOAAAA resolver option with a large response. ++ Copyright (C) 2022-2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Used to keep track of the number of queries. */ ++static volatile unsigned int queries; ++ ++/* If true, add a large TXT record at the start of the answer section. */ ++static volatile bool stuff_txt; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* If not using TCP, just force its use. */ ++ if (!ctx->tcp) ++ { ++ struct resolv_response_flags flags = {.tc = true}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ return; ++ } ++ ++ /* The test needs to send four queries, the first three are used to ++ grow the NSS buffer via the ERANGE handshake. 
*/ ++ ++queries; ++ TEST_VERIFY (queries <= 4); ++ ++ /* AAAA queries are supposed to be disabled. */ ++ TEST_COMPARE (qtype, T_A); ++ TEST_COMPARE (qclass, C_IN); ++ TEST_COMPARE_STRING (qname, "example.com"); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ ++ resolv_response_section (b, ns_s_an); ++ ++ if (stuff_txt) ++ { ++ resolv_response_open_record (b, qname, qclass, T_TXT, 60); ++ int zero = 0; ++ for (int i = 0; i <= 15000; ++i) ++ resolv_response_add_data (b, &zero, sizeof (zero)); ++ resolv_response_close_record (b); ++ } ++ ++ for (int i = 0; i < 200; ++i) ++ { ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ char ipv4[4] = {192, 0, 2, i + 1}; ++ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); ++ resolv_response_close_record (b); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ _res.options |= RES_NOAAAA; ++ ++ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) ++ { ++ queries = 0; ++ stuff_txt = do_stuff_txt; ++ ++ struct addrinfo *ai = NULL; ++ int ret; ++ ret = getaddrinfo ("example.com", "80", ++ &(struct addrinfo) ++ { ++ .ai_family = AF_UNSPEC, ++ .ai_socktype = SOCK_STREAM, ++ }, &ai); ++ ++ char *expected_result; ++ { ++ struct xmemstream mem; ++ xopen_memstream (&mem); ++ for (int i = 0; i < 200; ++i) ++ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); ++ xfclose_memstream (&mem); ++ expected_result = mem.buffer; ++ } ++ ++ check_addrinfo ("example.com", ai, ret, expected_result); ++ ++ free (expected_result); ++ freeaddrinfo (ai); ++ } ++ ++ resolv_test_end (obj); ++ return 0; ++} ++ ++#include +-- +2.45.3 + diff --git a/SPECS/glibc/CVE-2023-4806.patch b/SPECS/glibc/CVE-2023-4806.patch new file mode 100644 index 0000000000..c8973010fe --- /dev/null 
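Review bot: The changed call in _nss_dns_gethostbyname4_r carries no comment explaining why the answer-pointer argument must not be NULL, although the very next statement parses `alt_dns_packet_buffer` with the returned length `n`. A short why-comment would keep the argument from being simplified back later, for example `/* Pass the alternate buffer so a response larger than dns_packet_buffer is parsed from where the resolver stored it. */`. Because the resolver is now presumably allowed to hand back a different buffer, the function's cleanup has to release it when it differs from the stack array; that code is outside the hunk and should be checked in the patched tree.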
+++ b/SPECS/glibc/CVE-2023-4806.patch 
@@ -0,0 +1,338 @@ +From 00ae4f10b504bc4564e9f22f00907093f1ab9338 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Fri, 15 Sep 2023 13:51:12 -0400 +Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname + (CVE-2023-4806) + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during tmpbuf resizing, through h_name in a previous query response. + +The backing store for res->at->name when doing a query with +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in +gethosts during the query. For AF_INET6 lookup with AI_ALL | +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second +for a v4 lookup. In this case, if the first call reallocates tmpbuf +enough number of times, resulting in a malloc, th->h_name (that +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. +Now if the second call to gethosts also causes the plugin callback to +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF +reference in res->at->name. This then gets dereferenced in the +getcanonname_r plugin call, resulting in the use after free. + +Fix this by copying h_name over and freeing it at the end. This +resolves BZ #30843, which is assigned CVE-2023-4806. 
+ +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994) + +Signed-off-by: Kanishk Bansal + +--- + nss/Makefile | 15 ++++- + nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.h | 1 + + .../postclean.req | 0 + .../tst-nss-gai-hv2-canonname.script | 2 + + sysdeps/posix/getaddrinfo.c | 25 +++++--- + 7 files changed, 152 insertions(+), 10 deletions(-) + create mode 100644 nss/nss_test_gai_hv2_canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.h + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script + +diff --git a/nss/Makefile b/nss/Makefile +index 06fcdc450f1..8a5126ecf34 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -82,6 +82,7 @@ tests-container := \ + tst-nss-test3 \ + tst-reload1 \ + tst-reload2 \ ++ tst-nss-gai-hv2-canonname \ + # tests-container + + # Tests which need libdl +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) + ifeq ($(build-static-nss),yes) + tests-static += tst-nss-static + endif +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ ++ nss_test_gai_hv2_canonname.os + + include ../Rules + +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver + libof-nss_test1 = extramodules + libof-nss_test2 = extramodules + libof-nss_test_errno = extramodules ++libof-nss_test_gai_hv2_canonname = extramodules + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) + $(build-module) 
++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) ++ $(build-module) + $(objpfx)nss_test2.os : nss_test1.c + # Use the nss_files suffix for these objects as well. + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_errno.so + $(make-link) ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so ++ $(make-link) + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) + + ifeq (yes,$(have-thread-library)) + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c +new file mode 100644 +index 00000000000..4439c83c9f4 +--- /dev/null ++++ b/nss/nss_test_gai_hv2_canonname.c +@@ -0,0 +1,56 @@ ++/* NSS service provider that only provides gethostbyname2_r. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++/* Catch misnamed and functions. */ ++#pragma GCC diagnostic error "-Wmissing-prototypes" ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) ++ ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, ++ struct hostent *, char *, ++ size_t, int *, int *); ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, ++ struct hostent *result, ++ char *buffer, size_t buflen, ++ int *errnop, int *herrnop) ++{ ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, ++ herrnop); ++} ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, ++ size_t buflen, char **result, ++ int *errnop, int *h_errnop) ++{ ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail ++ the test. 
*/ ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) ++ || buflen < sizeof (QUERYNAME)) ++ abort (); ++ ++ strncpy (buffer, name, buflen); ++ *result = buffer; ++ return NSS_STATUS_SUCCESS; ++} +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +new file mode 100644 +index 00000000000..d5f10c07d6a +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -0,0 +1,63 @@ ++/* Test NSS query path for plugins that only implement gethostbyname2 ++ (#30843). ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . 
*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++#define PREPARE do_prepare ++ ++static void do_prepare (int a, char **av) ++{ ++ FILE *hosts = xfopen ("/etc/hosts", "w"); ++ for (unsigned i = 2; i < 255; i++) ++ { ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); ++ } ++ xfclose (hosts); ++} ++ ++static int ++do_test (void) ++{ ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); ++ ++ struct addrinfo hints = {}; ++ struct addrinfo *result = NULL; ++ ++ hints.ai_family = AF_INET6; ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; ++ ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); ++ ++ if (ret != 0) ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); ++ ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); ++ ++ freeaddrinfo(result); ++ return 0; ++} ++ ++#include +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h +new file mode 100644 +index 00000000000..14f2a9cb086 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.h +@@ -0,0 +1 @@ ++#define QUERYNAME "test.example.com" +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req +new file mode 100644 +index 00000000000..e69de29bb2d +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +new file mode 100644 +index 00000000000..31848b4a285 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +@@ -0,0 +1,2 @@ ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 ++su +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 0356b622be6..b2236b105c1 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -120,6 +120,7 @@ struct 
gaih_result + { + struct gaih_addrtuple *at; + char *canon; ++ char *h_name; + bool free_at; + bool got_ipv6; + }; +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) + if (res->free_at) + free (res->at); + free (res->canon); ++ free (res->h_name); + memset (res, 0, sizeof (*res)); + } + +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + return 0; + } + +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name +- is not copied, and the struct hostent object must not be deallocated +- prematurely. The new addresses are appended to the tuple array in RES. */ ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new ++ addresses are appended to the tuple array in RES. */ + static bool + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + struct hostent *h, struct gaih_result *res) +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + res->at = array; + res->free_at = true; + ++ /* Duplicate h_name because it may get reclaimed when the underlying storage ++ is freed. */ ++ if (res->h_name == NULL) ++ { ++ res->h_name = __strdup (h->h_name); ++ if (res->h_name == NULL) ++ return false; ++ } ++ + /* Update the next pointers on reallocation. */ + for (size_t i = 0; i < old; i++) + array[i].next = array + i + 1; +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + } + array[i].next = array + i + 1; + } +- array[0].name = h->h_name; + array[count - 1].next = NULL; + + return true; +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, + memory allocation failure. The returned string is allocated on the + heap; the caller has to free it. 
*/ + static char * +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) ++getcanonname (nss_action_list nip, const char *hname, const char *name) + { + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); + char *s = (char *) name; + if (cfct != NULL) + { + char buf[256]; +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, ++ &h_errno)) != NSS_STATUS_SUCCESS) + /* If the canonical name cannot be determined, use the passed + string. */ + s = (char *) name; +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + if ((req->ai_flags & AI_CANONNAME) != 0 + && res->canon == NULL) + { +- char *canonbuf = getcanonname (nip, res->at, name); ++ char *canonbuf = getcanonname (nip, res->h_name, name); + if (canonbuf == NULL) + { + __resolv_context_put (res_ctx); diff --git a/SPECS/glibc/CVE-2023-5156.patch b/SPECS/glibc/CVE-2023-5156.patch index 4a869922cf..562e11bb29 100644 --- a/SPECS/glibc/CVE-2023-5156.patch +++ b/SPECS/glibc/CVE-2023-5156.patch 
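Review bot: In convert_hostent_to_gaih_addrtuple the new `__strdup (h->h_name)` dereferences `h_name` unconditionally, whereas the removed `array[0].name = h->h_name;` only stored the pointer and getcanonname still falls back with `hname ?: name`. If an NSS module can return a hostent whose `h_name` is NULL (not determinable from this hunk), the lookup would now crash instead of using the query name. Guarding the copy keeps the old tolerance: `if (res->h_name == NULL && h->h_name != NULL)`. The function starts and ends outside the hunk.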
@@ -1,9 +1,91 @@ -backport of https://sourceware.org/git?p=glibc.git;a=commit;h=17092c0311f954e6f3c010f73ce3a78c24ac279a +From 5ee59ca371b99984232d7584fe2b1a758b4421d3 Mon Sep 17 00:00:00 2001 +From: Romain Geissler +Date: Mon, 25 Sep 2023 01:21:51 +0100 +Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for + CVE-2023-4806 [BZ #30843] -diff -ru glibc-2.38-orig/sysdeps/posix/getaddrinfo.c glibc-2.38/sysdeps/posix/getaddrinfo.c ---- glibc-2.38-orig/sysdeps/posix/getaddrinfo.c 2024-06-17 21:53:25.432414431 +0000 -+++ glibc-2.38/sysdeps/posix/getaddrinfo.c 2024-06-17 23:44:56.127284457 +0000 -@@ -1187,9 +1187,7 @@ +This patch fixes a very recently added leak in getaddrinfo. + +This was assigned CVE-2023-5156. + +Resolves: BZ #30884 +Related: BZ #30842 + +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796) + +Signed-off-by: Kanishk Bansal + +--- + nss/Makefile | 20 ++++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 3 +++ + sysdeps/posix/getaddrinfo.c | 4 +--- + 3 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/nss/Makefile b/nss/Makefile +index 8a5126ecf34..668ba34b187 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -149,6 +149,15 @@ endif + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os + ++ifeq ($(run-built-tests),yes) ++ifneq (no,$(PERL)) ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out ++endif ++endif ++ ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ ++ tst-nss-gai-hv2-canonname.mtrace ++ + include ../Rules + + ifeq (yes,$(have-selinux)) +@@ -217,6 +226,17 @@ endif + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so + ++tst-nss-gai-hv2-canonname-ENV = \ ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ 
++ $(objpfx)tst-nss-gai-hv2-canonname.out ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ ++ && $(common-objpfx)malloc/mtrace \ ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ ++ $(evaluate-test) ++ + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS + # functions can load testing NSS modules via DT_RPATH. + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +index d5f10c07d6a..7db53cf09da 100644 +--- a/nss/tst-nss-gai-hv2-canonname.c ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include "nss/tst-nss-gai-hv2-canonname.h" +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) + static int + do_test (void) + { ++ mtrace (); ++ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index b2236b105c1..13082305d3f 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1196,9 +1196,7 @@ gaih_inet (const char *name, const struct gaih_service *service, if (malloc_name) free ((char *) name); free (addrmem); diff --git a/SPECS/glibc/CVE-2024-33599.patch b/SPECS/glibc/CVE-2024-33599.patch new file mode 100644 index 0000000000..2d5610b282 --- /dev/null +++ b/SPECS/glibc/CVE-2024-33599.patch 
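Review bot: This rewrite makes CVE-2023-5156.patch depend on CVE-2023-4806.patch: its nss/Makefile and getaddrinfo.c hunks start from blobs `8a5126ecf34` and `b2236b105c1`, which are the post-images of the 4806 patch, and it edits nss/tst-nss-gai-hv2-canonname.c, which that patch creates. The previous version was a `diff -ru` against getaddrinfo.c alone, so the Patch ordering in glibc.spec now matters and is not visible here; 4806 has to be listed first. The same chaining applies to the nscd patches, where CVE-2024-33600.patch and CVE-2024-33601.patch start from `31b721bb` and `c3cd79dec59` respectively. A one-line comment next to those Patch entries in the spec stating the required order would keep a later reshuffle from breaking the patch application.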
@@ -0,0 +1,38 @@ +From 5968aebb86164034b8f8421b4abab2f837a5bdaf Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 25 Apr 2024 15:00:45 +0200 +Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup + cache (bug 31677) + +Using alloca matches what other caches do. The request length is +bounded by MAXKEYLEN. + +Reviewed-by: Carlos O'Donell +(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa) + +Signed-off-by: Kanishk Bansal + +--- + nscd/netgroupcache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 06b7d7b6ca8..31b721bbee2 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + = (struct indataset *) mempool_alloc (db, + sizeof (*dataset) + req->key_len, + 1); +- struct indataset dataset_mem; + bool cacheable = true; + if (__glibc_unlikely (dataset == NULL)) + { + cacheable = false; +- dataset = &dataset_mem; ++ /* The alloca is safe because nscd_run_worker verfies that ++ key_len is not larger than MAXKEYLEN. */ ++ dataset = alloca (sizeof (*dataset) + req->key_len); + } + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, diff --git a/SPECS/glibc/CVE-2024-33600.patch b/SPECS/glibc/CVE-2024-33600.patch new file mode 100644 index 0000000000..cf1c0687f0 --- /dev/null +++ b/SPECS/glibc/CVE-2024-33600.patch 
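Review bot: The new `alloca (sizeof (*dataset) + req->key_len)` in addinnetgrX sizes a stack allocation from a request-header field, and the only bound is the cross-function invariant named in the comment (nscd_run_worker limiting key_len to MAXKEYLEN), which is not visible in this hunk. Stating the invariant locally would make a future caller that skips that validation fail loudly, e.g. `assert (req->key_len <= MAXKEYLEN);` immediately before the allocation. The added comment also has a typo, `verfies` for `verifies`. addinnetgrX continues outside the hunk.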
@@ -0,0 +1,86 @@ +From e4cb5367b33c57ae078da755c7432cf33681defa Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Thu, 22 May 2025 09:27:05 +0000 +Subject: [PATCH] CVE-2024-33600 + +Upstream Patch Reference : https://github.com/bminor/glibc/commit/541ea5172aa658c4bd5c6c6d6fd13903c3d5bb0a, https://github.com/bminor/glibc/commit/2ae9446c1b7a3064743b4a51c0bbae668ee43e4c + +Signed-off-by: Kanishk Bansal +--- + nscd/netgroupcache.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index 31b721bb..c3cd79de 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + /* No such service. */ + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + memset (&data, '\0', sizeof (data)); +@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + { + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + total = buffilled; +@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + if (he == NULL && fd != -1) +- { +- /* We write the dataset before inserting it to the database +- since while inserting this thread might block and so would +- unnecessarily let the receiver wait. */ +- writeout: ++ /* We write the dataset before inserting it to the database since ++ while inserting this thread might block and so would ++ unnecessarily let the receiver wait. */ + writeall (fd, &dataset->resp, dataset->head.recsize); +- } + ++ maybe_cache_add: + if (cacheable) + { + /* If necessary, we also propagate the data to disk. 
*/ +@@ -513,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, + sizeof (innetgroup_response_header), +- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); ++ he == NULL ? 0 : dh->nreloads + 1, ++ result == NULL ? db->negtimeout : result->head.ttl); + /* Set the notfound status and timeout based on the result from + getnetgrent. */ +- dataset->head.notfound = result->head.notfound; ++ dataset->head.notfound = result == NULL || result->head.notfound; + dataset->head.timeout = timeout; + + dataset->resp.version = NSCD_VERSION; +- dataset->resp.found = result->resp.found; ++ dataset->resp.found = result != NULL && result->resp.found; + /* Until we find a matching entry the result is 0. */ + dataset->resp.result = 0; + +@@ -568,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + goto out; + } + +- if (he == NULL) ++ /* addgetnetgrentX may have already sent a notfound response. Do ++ not send another one. */ ++ if (he == NULL && dataset->resp.found) + { + /* We write the dataset before inserting it to the database + since while inserting this thread might block and so would +-- +2.45.3 + diff --git a/SPECS/glibc/CVE-2024-33601.patch b/SPECS/glibc/CVE-2024-33601.patch new file mode 100644 index 0000000000..4829bfc0b9 --- /dev/null +++ b/SPECS/glibc/CVE-2024-33601.patch 
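Review bot: The `maybe_cache_add:` label in addgetnetgrentX has no comment, and with the braces removed from `if (he == NULL && fd != -1)` the remaining comment sits between an unbraced `if` and its `writeall` call, directly above the label. Both not-found paths now jump past `writeall`, presumably because do_notfound has already answered the client, and that reason is what a reader needs at the label. I would add `/* Not-found paths land here: the reply was already sent, only the cache insert remains. */` above it. The patch header also cites two upstream commits without saying which hunks come from which, which makes later comparison against upstream harder.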
@@ -0,0 +1,390 @@ +From 71af8ca864345d39b746d5cee84b94b430fad5db Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 25 Apr 2024 15:01:07 +0200 +Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two + buffers in addgetnetgrentX (bug 31680) + +This avoids potential memory corruption when the underlying NSS +callback function does not use the buffer space to store all strings +(e.g., for constant strings). + +Instead of custom buffer management, two scratch buffers are used. +This increases stack usage somewhat. + +Scratch buffer allocation failure is handled by return -1 +(an invalid timeout value) instead of terminating the process. +This fixes bug 31679. + +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b) + +Signed-off-by: Kanishk Bansal + +--- + nscd/netgroupcache.c | 219 ++++++++++++++++++++++++------------------- + 1 file changed, 121 insertions(+), 98 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index c3cd79dec59..cc4e270c1f0 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "../inet/netgroup.h" + #include "nscd.h" +@@ -65,6 +66,16 @@ struct dataset + char strdata[0]; + }; + ++/* Send a notfound response to FD. Always returns -1 to indicate an ++ ephemeral error. */ ++static time_t ++send_notfound (int fd) ++{ ++ if (fd != -1) ++ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL)); ++ return -1; ++} ++ + /* Sends a notfound message and prepares a notfound dataset to write to the + cache. 
Returns true if there was enough memory to allocate the dataset and + returns the dataset in DATASETP, total bytes to write in TOTALP and the +@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + total = sizeof (notfound); + timeout = time (NULL) + db->negtimeout; + +- if (fd != -1) +- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL)); ++ send_notfound (fd); + + dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1); + /* If we cannot permanently store the result, so be it. */ +@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + return cacheable; + } + ++struct addgetnetgrentX_scratch ++{ ++ /* This is the result that the caller should use. It can be NULL, ++ point into buffer, or it can be in the cache. */ ++ struct dataset *dataset; ++ ++ struct scratch_buffer buffer; ++ ++ /* Used internally in addgetnetgrentX as a staging area. */ ++ struct scratch_buffer tmp; ++ ++ /* Number of bytes in buffer that are actually used. */ ++ size_t buffer_used; ++}; ++ ++static void ++addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch->dataset = NULL; ++ scratch_buffer_init (&scratch->buffer); ++ scratch_buffer_init (&scratch->tmp); ++ ++ /* Reserve space for the header. */ ++ scratch->buffer_used = sizeof (struct dataset); ++ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space), ++ "initial buffer space"); ++ memset (scratch->tmp.data, 0, sizeof (struct dataset)); ++} ++ ++static void ++addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch_buffer_free (&scratch->buffer); ++ scratch_buffer_free (&scratch->tmp); ++} ++ ++/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH ++ could not be resized, otherwise a pointer to the copy. 
*/ ++static char * ++addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch, ++ const char *s, size_t length) ++{ ++ while (true) ++ { ++ size_t remaining = scratch->buffer.length - scratch->buffer_used; ++ if (remaining >= length) ++ break; ++ if (!scratch_buffer_grow_preserve (&scratch->buffer)) ++ return NULL; ++ } ++ char *copy = scratch->buffer.data + scratch->buffer_used; ++ memcpy (copy, s, length); ++ scratch->buffer_used += length; ++ return copy; ++} ++ ++/* Copy S into SCRATCH, including its null terminator. Returns false ++ if SCRATCH could not be resized. */ ++static bool ++addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s) ++{ ++ if (s == NULL) ++ s = ""; ++ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL; ++} ++ ++/* Caller must initialize and free *SCRATCH. If the return value is ++ negative, this function has sent a notfound response. */ + static time_t + addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, +- struct datahead *dh, struct dataset **resultp, +- void **tofreep) ++ struct datahead *dh, struct addgetnetgrentX_scratch *scratch) + { + if (__glibc_unlikely (debug_level > 0)) + { +@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + + char *key_copy = NULL; + struct __netgrent data; +- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len); +- size_t buffilled = sizeof (*dataset); +- char *buffer = NULL; + size_t nentries = 0; + size_t group_len = strlen (key) + 1; + struct name_list *first_needed + = alloca (sizeof (struct name_list) + group_len); +- *tofreep = NULL; + + if (netgroup_database == NULL + && !__nss_database_get (nss_database_netgroup, &netgroup_database)) +@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + memset (&data, '\0', sizeof (data)); +- buffer = xmalloc (buflen); +- *tofreep = buffer; + 
first_needed->next = first_needed; + memcpy (first_needed->name, key, group_len); + data.needed_groups = first_needed; +@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + while (1) + { + int e; +- status = getfct.f (&data, buffer + buffilled, +- buflen - buffilled - req->key_len, &e); ++ status = getfct.f (&data, scratch->tmp.data, ++ scratch->tmp.length, &e); + if (status == NSS_STATUS_SUCCESS) + { + if (data.type == triple_val) +@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *nhost = data.val.triple.host; + const char *nuser = data.val.triple.user; + const char *ndomain = data.val.triple.domain; +- +- size_t hostlen = strlen (nhost ?: "") + 1; +- size_t userlen = strlen (nuser ?: "") + 1; +- size_t domainlen = strlen (ndomain ?: "") + 1; +- +- if (nhost == NULL || nuser == NULL || ndomain == NULL +- || nhost > nuser || nuser > ndomain) +- { +- const char *last = nhost; +- if (last == NULL +- || (nuser != NULL && nuser > last)) +- last = nuser; +- if (last == NULL +- || (ndomain != NULL && ndomain > last)) +- last = ndomain; +- +- size_t bufused +- = (last == NULL +- ? buffilled +- : last + strlen (last) + 1 - buffer); +- +- /* We have to make temporary copies. */ +- size_t needed = hostlen + userlen + domainlen; +- +- if (buflen - req->key_len - bufused < needed) +- { +- buflen += MAX (buflen, 2 * needed); +- /* Save offset in the old buffer. We don't +- bother with the NULL check here since +- we'll do that later anyway. */ +- size_t nhostdiff = nhost - buffer; +- size_t nuserdiff = nuser - buffer; +- size_t ndomaindiff = ndomain - buffer; +- +- char *newbuf = xrealloc (buffer, buflen); +- /* Fix up the triplet pointers into the new +- buffer. */ +- nhost = (nhost ? newbuf + nhostdiff +- : NULL); +- nuser = (nuser ? newbuf + nuserdiff +- : NULL); +- ndomain = (ndomain ? 
newbuf + ndomaindiff +- : NULL); +- *tofreep = buffer = newbuf; +- } +- +- nhost = memcpy (buffer + bufused, +- nhost ?: "", hostlen); +- nuser = memcpy ((char *) nhost + hostlen, +- nuser ?: "", userlen); +- ndomain = memcpy ((char *) nuser + userlen, +- ndomain ?: "", domainlen); +- } +- +- char *wp = buffer + buffilled; +- wp = memmove (wp, nhost ?: "", hostlen); +- wp += hostlen; +- wp = memmove (wp, nuser ?: "", userlen); +- wp += userlen; +- wp = memmove (wp, ndomain ?: "", domainlen); +- wp += domainlen; +- buffilled = wp - buffer; ++ if (!(addgetnetgrentX_append (scratch, nhost) ++ && addgetnetgrentX_append (scratch, nuser) ++ && addgetnetgrentX_append (scratch, ndomain))) ++ return send_notfound (fd); + ++nentries; + } + else +@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) + { +- buflen *= 2; +- *tofreep = buffer = xrealloc (buffer, buflen); ++ if (!scratch_buffer_grow (&scratch->tmp)) ++ return send_notfound (fd); + } + else if (status == NSS_STATUS_RETURN + || status == NSS_STATUS_NOTFOUND +@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + goto maybe_cache_add; + } + +- total = buffilled; ++ /* Capture the result size without the key appended. */ ++ total = scratch->buffer_used; ++ ++ /* Make a copy of the key. The scratch buffer must not move after ++ this point. */ ++ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len); ++ if (key_copy == NULL) ++ return send_notfound (fd); + + /* Fill in the dataset. */ +- dataset = (struct dataset *) buffer; ++ dataset = scratch->buffer.data; + timeout = datahead_init_pos (&dataset->head, total + req->key_len, + total - offsetof (struct dataset, resp), + he == NULL ? 
0 : dh->nreloads + 1, +@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + dataset->resp.version = NSCD_VERSION; + dataset->resp.found = 1; + dataset->resp.nresults = nentries; +- dataset->resp.result_len = buffilled - sizeof (*dataset); +- +- assert (buflen - buffilled >= req->key_len); +- key_copy = memcpy (buffer + buffilled, key, req->key_len); +- buffilled += req->key_len; ++ dataset->resp.result_len = total - sizeof (*dataset); + + /* Now we can determine whether on refill we have to create a new + record or not. */ +@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + if (__glibc_likely (newp != NULL)) + { + /* Adjust pointer into the memory block. */ +- key_copy = (char *) newp + (key_copy - buffer); ++ key_copy = (char *) newp + (key_copy - (char *) dataset); + + dataset = memcpy (newp, dataset, total + req->key_len); + cacheable = true; +@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- *resultp = dataset; ++ scratch->dataset = dataset; + + return timeout; + } +@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + if (user != NULL) + key = strchr (key, '\0') + 1; + const char *domain = *key++ ? 
key : NULL; ++ struct addgetnetgrentX_scratch scratch; ++ ++ addgetnetgrentX_scratch_init (&scratch); + + if (__glibc_unlikely (debug_level > 0)) + { +@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + group, group_len, + db, uid); + time_t timeout; +- void *tofree; + if (result != NULL) +- { +- timeout = result->head.timeout; +- tofree = NULL; +- } ++ timeout = result->head.timeout; + else + { + request_header req_get = +@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + .key_len = group_len + }; + timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, +- &result, &tofree); ++ &scratch); ++ result = scratch.dataset; ++ if (timeout < 0) ++ goto out; + } + + struct indataset +@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- free (tofree); ++ addgetnetgrentX_scratch_free (&scratch); + return timeout; + } + +@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, + struct datahead *dh) + { +- struct dataset *ignore; +- void *tofree; +- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, +- &ignore, &tofree); +- free (tofree); ++ struct addgetnetgrentX_scratch scratch; ++ addgetnetgrentX_scratch_init (&scratch); ++ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch); ++ addgetnetgrentX_scratch_free (&scratch); ++ if (timeout < 0) ++ timeout = 0; + return timeout; + } + +@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, + .key_len = he->len + }; + +- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh); ++ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, ++ he, dh); ++ if (timeout < 0) ++ timeout = 0; ++ return timeout; + } 
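Review bot: In the last inner hunk, `readdinnetgr` stores the result of `addinnetgrX` in `int timeout`, while `addgetnetgrentX_ignore` just above it and `addinnetgrX` itself keep the same value in `time_t timeout`. These timeouts are absolute times (`do_notfound` computes `time (NULL) + db->negtimeout`), so narrowing to `int` can truncate wherever `time_t` is wider; declaring it as `time_t timeout` keeps the `< 0` clamp without the narrowing. If the line is carried verbatim from the upstream commit, keeping the backport identical is defensible, but the narrowing should then be noted in the patch header. Separately, `addgetnetgrentX_scratch_init` reserves the header space in `buffer` (via `buffer_used`) yet asserts on and zeroes `tmp`, which is worth confirming against upstream as intended.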
diff --git a/SPECS/glibc/CVE-2025-0395.patch b/SPECS/glibc/CVE-2025-0395.patch
new file mode 100644
index 0000000000..0def90aa7c
--- /dev/null
+++ b/SPECS/glibc/CVE-2025-0395.patch
@@ -0,0 +1,173 @@ +From e4b60c61eba1812eeaeaea5d1520ba86ead98607 Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Thu, 22 May 2025 09:35:53 +0000 +Subject: [PATCH] CVE-2025-0395 + +Upstream Patch Reference : https://github.com/bminor/glibc/commit/c32fd59314c343db88c3ea4a203870481d33c3d2, https://github.com/bminor/glibc/commit/f984e2d7e8299726891a1a497a3c36cd5542a0bf + +Signed-off-by: Kanishk Bansal +--- + assert/Makefile | 1 + + assert/assert.c | 4 +- + assert/tst-assert-sa-2025-0001.c | 92 ++++++++++++++++++++++++++++++++ + sysdeps/posix/libc_fatal.c | 4 +- + 4 files changed, 99 insertions(+), 2 deletions(-) + create mode 100644 assert/tst-assert-sa-2025-0001.c + +diff --git a/assert/Makefile b/assert/Makefile +index 67f4e6a5..b0fc9fc4 100644 +--- a/assert/Makefile ++++ b/assert/Makefile +@@ -38,6 +38,7 @@ tests := \ + test-assert-perr \ + tst-assert-c++ \ + tst-assert-g++ \ ++ tst-assert-sa-2025-0001 \ + # tests + + ifeq ($(have-cxx-thread_local),yes) +diff --git a/assert/assert.c b/assert/assert.c +index b7c7a4a1..65a9fedf 100644 +--- a/assert/assert.c ++++ b/assert/assert.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -64,7 +65,8 @@ __assert_fail_base (const char *fmt, const char *assertion, const char *file, + (void) __fxprintf (NULL, "%s", str); + (void) fflush (stderr); + +- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1); ++ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1, ++ GLRO(dl_pagesize)); + struct abort_msg_s *buf = __mmap (NULL, total, PROT_READ | PROT_WRITE, + MAP_ANON | MAP_PRIVATE, -1, 0); + if (__glibc_likely (buf != MAP_FAILED)) +diff --git a/assert/tst-assert-sa-2025-0001.c b/assert/tst-assert-sa-2025-0001.c +new file mode 100644 +index 00000000..102cb007 +--- /dev/null ++++ b/assert/tst-assert-sa-2025-0001.c +@@ -0,0 +1,92 @@ ++/* Test for CVE-2025-0395. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Test that a large enough __progname does not result in a buffer overflow ++ when printing an assertion failure. This was CVE-2025-0395. */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++extern const char *__progname; ++ ++int ++do_test (int argc, char **argv) ++{ ++ ++ support_need_proc ("Reads /proc/self/maps to add guards to writable maps."); ++ ignore_stderr (); ++ ++ /* XXX assumes that the assert is on a 2 digit line number. */ ++ const char *prompt = ": %s:99: do_test: Assertion `argc < 1' failed.\n"; ++ ++ int ret = fprintf (stderr, prompt, __FILE__); ++ if (ret < 0) ++ FAIL_EXIT1 ("fprintf failed: %m\n"); ++ ++ size_t pagesize = getpagesize (); ++ size_t namesize = pagesize - 1 - ret; ++ ++ /* Alter the progname so that the assert message fills the entire page. */ ++ char progname[namesize]; ++ memset (progname, 'A', namesize - 1); ++ progname[namesize - 1] = '\0'; ++ __progname = progname; ++ ++ FILE *f = xfopen ("/proc/self/maps", "r"); ++ char *line = NULL; ++ size_t len = 0; ++ uintptr_t prev_to = 0; ++ ++ /* Pad the beginning of every writable mapping with a PROT_NONE map. This ++ ensures that the mmap in the assert_fail path never ends up below a ++ writable map and will terminate immediately in case of a buffer ++ overflow. 
*/ ++ while (xgetline (&line, &len, f)) ++ { ++ uintptr_t from, to; ++ char perm[4]; ++ ++ sscanf (line, "%" SCNxPTR "-%" SCNxPTR " %c%c%c%c ", ++ &from, &to, ++ &perm[0], &perm[1], &perm[2], &perm[3]); ++ ++ bool writable = (memchr (perm, 'w', 4) != NULL); ++ ++ if (prev_to != 0 && from - prev_to > pagesize && writable) ++ xmmap ((void *) from - pagesize, pagesize, PROT_NONE, ++ MAP_ANONYMOUS | MAP_PRIVATE, 0); ++ ++ prev_to = to; ++ } ++ ++ xfclose (f); ++ ++ assert (argc < 1); ++ return 0; ++} ++ ++#define EXPECTED_SIGNAL SIGABRT ++#define TEST_FUNCTION_ARGV do_test ++#include +diff --git a/sysdeps/posix/libc_fatal.c b/sysdeps/posix/libc_fatal.c +index 70edcc10..5b9e4b79 100644 +--- a/sysdeps/posix/libc_fatal.c ++++ b/sysdeps/posix/libc_fatal.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -123,7 +124,8 @@ __libc_message (const char *fmt, ...) + + WRITEV_FOR_FATAL (fd, iov, nlist, total); + +- total = (total + 1 + GLRO(dl_pagesize) - 1) & ~(GLRO(dl_pagesize) - 1); ++ total = ALIGN_UP (total + sizeof (struct abort_msg_s) + 1, ++ GLRO(dl_pagesize)); + struct abort_msg_s *buf = __mmap (NULL, total, + PROT_READ | PROT_WRITE, + MAP_ANON | MAP_PRIVATE, -1, 0); +-- +2.45.3 + diff --git a/SPECS/glibc/CVE-2025-4802.patch b/SPECS/glibc/CVE-2025-4802.patch new file mode 100644 index 0000000000..b766e5da8d --- /dev/null +++ b/SPECS/glibc/CVE-2025-4802.patch 
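Review bot: In the new test `assert/tst-assert-sa-2025-0001.c`, the `sscanf` call inside the `/proc/self/maps` loop ignores its return value, so a line that does not match the format leaves `from`, `to` and `perm` uninitialised before `memchr (perm, 'w', 4)` and the `xmmap` guard placement use them. Checking the conversion count, e.g. `if (sscanf (line, ...) != 6) continue;`, keeps the PROT_NONE guard from being mapped at an indeterminate address. The test also hard-codes a two-digit line number in the `:99:` prompt (its own `XXX` comment says so), so a short comment next to `assert (argc < 1);` warning that moving it past line 99 changes the computed `namesize` would help whoever rebases this patch.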
@@ -0,0 +1,79 @@ +From 3be3728df2f1912c80abd3288bc6e3a25ad679e4 Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella +Date: Mon, 6 Nov 2023 17:25:49 -0300 +Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for + static + +It mimics the ld.so behavior. + +Checked on x86_64-linux-gnu. +Reviewed-by: Siddhesh Poyarekar + +(cherry picked from commit 5451fa962cd0a90a0e2ec1d8910a559ace02bba0) + +Changes: + + git/elf/dl-support.c + (missing commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4 + ("elf: Remove LD_PROFILE for static binaries")) +--- + elf/dl-support.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/elf/dl-support.c b/elf/dl-support.c +index 44a54dea074..d57e6505835 100644 +--- a/elf/dl-support.c ++++ b/elf/dl-support.c +@@ -276,8 +276,6 @@ _dl_non_dynamic_init (void) + _dl_main_map.l_phdr = GL(dl_phdr); + _dl_main_map.l_phnum = GL(dl_phnum); + +- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1; +- + /* Set up the data structures for the system-supplied DSO early, + so they can influence _dl_init_paths. */ + setup_vdso (NULL, NULL); +@@ -285,6 +283,22 @@ _dl_non_dynamic_init (void) + /* With vDSO setup we can initialize the function pointers. */ + setup_vdso_pointers (); + ++ if (__libc_enable_secure) ++ { ++ static const char unsecure_envvars[] = ++ UNSECURE_ENVVARS ++ ; ++ const char *cp = unsecure_envvars; ++ ++ while (cp < unsecure_envvars + sizeof (unsecure_envvars)) ++ { ++ __unsetenv (cp); ++ cp = strchr (cp, '\0') + 1; ++ } ++ } ++ ++ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1; ++ + /* Initialize the data structures for the search paths for shared + objects. */ + _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH", +@@ -306,20 +320,6 @@ _dl_non_dynamic_init (void) + _dl_profile_output + = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 
9 : 0]; + +- if (__libc_enable_secure) +- { +- static const char unsecure_envvars[] = +- UNSECURE_ENVVARS +- ; +- const char *cp = unsecure_envvars; +- +- while (cp < unsecure_envvars + sizeof (unsecure_envvars)) +- { +- __unsetenv (cp); +- cp = strchr (cp, '\0') + 1; +- } +- } +- + #ifdef DL_PLATFORM_INIT + DL_PLATFORM_INIT; + #endif diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index f2a3314e43..2c11a96776 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -10,7 +10,7 @@ Summary: Main C library Name: glibc Version: 2.38 -Release: 10%{?dist} +Release: 11%{?dist} License: BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -31,13 +31,21 @@ Patch3: CVE-2020-1751.nopatch Patch4: CVE-2018-20796.nopatch Patch5: https://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.38-memalign_fix-1.patch Patch6: CVE-2023-4911.patch -Patch7: CVE-2023-5156.patch -Patch8: CVE-2023-6246.patch -Patch9: CVE-2023-6779.patch -Patch10: CVE-2023-6780.patch +Patch7: CVE-2023-6246.patch +Patch8: CVE-2023-6779.patch +Patch9: CVE-2023-6780.patch # Upstream backport for fixing: nscd fails to build with cleanup handler if built with -fexceptions -Patch11: nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch -Patch12: glibc-2.34_pthread_cond_wait.patch +Patch10: nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch +Patch11: glibc-2.34_pthread_cond_wait.patch +Patch12: CVE-2023-4527.patch +Patch13: CVE-2023-4806.patch +Patch14: CVE-2023-5156.patch +Patch15: CVE-2024-33599.patch +Patch16: CVE-2024-33600.patch +# Patch of CVE-2024-33601 fixes CVE-2024-33602 also +Patch17: CVE-2024-33601.patch +Patch18: CVE-2025-0395.patch + # Patches for testing Patch100: 0001-Remove-Wno-format-cflag-from-tests.patch 
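Review bot: The header of this patch file never names CVE-2025-4802 and has no `Upstream Patch Reference` line, unlike the CVE-2024-33600 and CVE-2025-0395 patches added in the same commit; the only link to upstream is the cherry-pick id in the message. The `Changes:` section says the backport was adapted because commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4 is missing, but not what was altered in `elf/dl-support.c` as a result. I would add `Upstream Patch Reference: <upstream commit URL>` plus one sentence describing the adaptation (the `_dl_profile_output` line that stays in place is presumably the part affected), so the deviation from upstream can be audited later.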
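Review bot: `CVE-2025-4802.patch` is added under SPECS/glibc in this commit and the new 2.38-11 changelog entry lists CVE-2025-4802 as patched, but the patch list in this hunk stops at `Patch18: CVE-2025-0395.patch`, so the file is never declared. Unless it is applied some other way outside the visible hunks, the package would be built without the setuid static-binary environment scrubbing while the changelog reports it as fixed. I would add `Patch19: CVE-2025-4802.patch` after Patch18 and confirm in the build log that it applies.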
@@ -359,6 +367,10 @@ grep "^FAIL: nptl/tst-mutex10" tests.sum >/dev/null && n=$((n+1)) ||: %exclude %{_libdir}/locale/C.utf8 %changelog +* Thu May 22 2025 Kanishk Bansal - 2.38-11 +- Patch CVE-2023-4527, CVE-2023-4806, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2025-0395, CVE-2025-4802 +- Fix CVE-2023-5156 + * Mon May 12 2025 Andrew Phelps - 2.38-10 - Add glibc-2.34_pthread_cond_wait.patch diff --git a/SPECS/gnupg2/gnupg2.signatures.json b/SPECS/gnupg2/gnupg2.signatures.json index 079ddd248f..eff1528cff 100644 --- a/SPECS/gnupg2/gnupg2.signatures.json +++ b/SPECS/gnupg2/gnupg2.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "gnupg-2.4.4.tar.bz2": "67ebe016ca90fa7688ce67a387ebd82c6261e95897db7b23df24ff335be85bc6" - } -} + "Signatures": { + "gnupg-2.4.7.tar.bz2": "7b24706e4da7e0e3b06ca068231027401f238102c41c909631349dcc3b85eb46" + } +} \ No newline at end of file diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec index e5cbe3fb10..23b380ed71 100644 --- a/SPECS/gnupg2/gnupg2.spec +++ b/SPECS/gnupg2/gnupg2.spec @@ -1,7 +1,7 @@ Summary: OpenPGP standard implementation used for encrypted communication and data storage. Name: gnupg2 -Version: 2.4.4 -Release: 2%{?dist} +Version: 2.4.7 +Release: 1%{?dist} License: BSD and CC0 and GPLv2+ and LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,10 +15,10 @@ BuildRequires: npth-devel >= 1.2 BuildRequires: libassuan-devel >= 2.5.0 BuildRequires: libksba-devel >= 1.3.4 BuildRequires: libgcrypt-devel > 1.9.1 -BuildRequires: libgpg-error-devel >= 1.46 +BuildRequires: libgpg-error-devel >= 1.48 Requires: libksba > 1.3.4 Requires: libgcrypt >= 1.9.1 -Requires: libgpg-error >= 1.46 +Requires: libgpg-error >= 1.48 Requires: npth >= 1.2 Requires: libassuan >= 2.5.0 Requires: pinentry @@ -63,6 +63,9 @@ These are the additional language files of gnupg2 %make_build %install +ln -sf gpg2.1 doc/gpg.1 +ln -sf gpgv2.1 doc/gpgv.1 + %make_install pushd %{buildroot}%{_bindir} 
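Review bot: The two `ln -sf` lines added at the top of `%install` in gnupg2.spec carry no comment, and the following hunk adds `%{_mandir}/manh/*` to the file list, a man directory that is not one of the usual numbered sections. The diff does not show whether the symlinks work around a doc build problem in 2.4.7 or whether `manh` is a byproduct of that workaround. I would add a one-line comment above the symlinks stating which install step needs `doc/gpg.1` and `doc/gpgv.1`, and check what actually lands in `manh` before shipping it with a wildcard.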
@@ -90,6 +93,7 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2 %{_mandir}/man1/* %{_mandir}/man7/* %{_mandir}/man8/* +%{_mandir}/manh/* %{_infodir}/gnupg* %{_libexecdir}/* %{_datadir}/gnupg/* @@ -101,6 +105,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2 %defattr(-,root,root) %changelog +* Mon Jun 23 2025 Kavya Sree Kaitepalli - 2.4.7-1 +- Upgrade to version 2.4.7 + * Tue May 07 2024 Pawel Winogrodzki - 2.4.4-2 - Disabled keyboxd. diff --git a/SPECS/gnutls/CVE-2025-32988.patch b/SPECS/gnutls/CVE-2025-32988.patch new file mode 100644 index 0000000000..808e1bdb8f --- /dev/null +++ b/SPECS/gnutls/CVE-2025-32988.patch @@ -0,0 +1,34 @@ +From aee5e661655a57617e7c1742440acd802ed15d5e Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Mon, 14 Jul 2025 13:55:55 +0000 +Subject: [PATCH] Fix CVE CVE-2025-32988 in gnutls + +Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573.patch +--- + lib/x509/extensions.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c +index 6c2da8f..e8be12e 100644 +--- a/lib/x509/extensions.c ++++ b/lib/x509/extensions.c +@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, + result = asn1_write_value(ext, name2, oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); +- asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + +@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, + result = asn1_write_value(ext, name2, data, data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); +- asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + +-- +2.45.3 + diff --git a/SPECS/gnutls/CVE-2025-32989.patch b/SPECS/gnutls/CVE-2025-32989.patch new file mode 100644 index 0000000000..f97c2dda4a --- /dev/null +++ b/SPECS/gnutls/CVE-2025-32989.patch 
@@ -0,0 +1,27 @@ +From 8bd8fed8a12f671eb479776196ac02098a179083 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Mon, 14 Jul 2025 13:56:14 +0000 +Subject: [PATCH] Fix CVE CVE-2025-32989 in gnutls + +Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/8e5ca951257202089246fa37e93a99d210ee5ca2.patch +--- + lib/x509/x509_ext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index 064ca83..05336a0 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -3757,7 +3757,7 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext, + } + + length = _gnutls_read_uint16(scts_content.data); +- if (length < 4) { ++ if (length < 4 || length > scts_content.size) { + gnutls_free(scts_content.data); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } +-- +2.45.3 + diff --git a/SPECS/gnutls/CVE-2025-32990.patch b/SPECS/gnutls/CVE-2025-32990.patch new file mode 100644 index 0000000000..544f4dafef --- /dev/null +++ b/SPECS/gnutls/CVE-2025-32990.patch 
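Review bot: The added bound compares `length` with the full `scts_content.size`, but `length` is itself read from the first two bytes of `scts_content.data`, so a list length equal to the buffer size passes even though two of those bytes are the length prefix. The rest of `gnutls_x509_ext_ct_import_scts` is outside the hunk; if parsing starts after the prefix, the exact bound would be `length > scts_content.size - 2`, with `scts_content.size < 2` rejected before `_gnutls_read_uint16` is called. It is worth confirming against the upstream commit whether other checks there already cover this.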
@@ -0,0 +1,36 @@ +From bdc30f568829c08f52705ee60ad4914502345d29 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Mon, 14 Jul 2025 13:56:33 +0000 +Subject: [PATCH] Fix CVE CVE-2025-32990 in gnutls + +Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/8a36455fd75ce76391cfc00c53213d8b0e1648da.patch +--- + src/certtool-cfg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c +index 2d7a1dc..bce2390 100644 +--- a/src/certtool-cfg.c ++++ b/src/certtool-cfg.c +@@ -257,7 +257,7 @@ void cfg_init(void) + if (val != NULL) { \ + if (s_name == NULL) { \ + i = 0; \ +- s_name = malloc(sizeof(char *) * MAX_ENTRIES); \ ++ s_name = calloc(MAX_ENTRIES + 1, sizeof(char *)); \ + CHECK_MALLOC(s_name); \ + do { \ + if (val && strcmp(val->name, k_name) != 0) \ +@@ -279,7 +279,7 @@ void cfg_init(void) + char *p; \ + if (s_name == NULL) { \ + i = 0; \ +- s_name = malloc(sizeof(char *) * MAX_ENTRIES); \ ++ s_name = calloc(MAX_ENTRIES + 1, sizeof(char *)); \ + CHECK_MALLOC(s_name); \ + do { \ + if (val && strcmp(val->name, k_name) != 0) \ +-- +2.45.3 + diff --git a/SPECS/gnutls/CVE-2025-6395.patch b/SPECS/gnutls/CVE-2025-6395.patch new file mode 100644 index 0000000000..99ae7bd47c --- /dev/null +++ b/SPECS/gnutls/CVE-2025-6395.patch 
@@ -0,0 +1,73 @@ +From 001a6b04cfea193c4e3073d002a5cb7058d01714 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Tue, 15 Jul 2025 05:54:27 +0000 +Subject: [PATCH] Fix CVE CVE-2025-6395 in gnutls + +Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/23135619773e6ec087ff2abc65405bd4d5676bad.patch +--- + lib/handshake.c | 25 ++++++++++++++++++++++--- + lib/state.c | 4 +++- + 2 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/lib/handshake.c b/lib/handshake.c +index 722307b..489d021 100644 +--- a/lib/handshake.c ++++ b/lib/handshake.c +@@ -589,9 +589,28 @@ static int set_auth_types(gnutls_session_t session) + /* Under TLS1.3 this returns a KX which matches the negotiated + * groups from the key shares; if we are resuming then the KX seen + * here doesn't match the original session. */ +- if (!session->internals.resumed) +- kx = gnutls_kx_get(session); +- else ++ if (!session->internals.resumed) { ++ const gnutls_group_entry_st *group = get_group(session); ++ ++ if (session->internals.hsk_flags & HSK_PSK_SELECTED) { ++ if (group) { ++ kx = group->pk == GNUTLS_PK_DH ? ++ GNUTLS_KX_DHE_PSK : ++ GNUTLS_KX_ECDHE_PSK; ++ } else { ++ kx = GNUTLS_KX_PSK; ++ } ++ } else if (group) { ++ /* Not necessarily be RSA, but just to ++ * make _gnutls_map_kx_get_cred below ++ * work. ++ */ ++ kx = group->pk == GNUTLS_PK_DH ? 
++ GNUTLS_KX_DHE_RSA : ++ GNUTLS_KX_ECDHE_RSA; ++ } else ++ kx = GNUTLS_KX_UNKNOWN; ++ } else + kx = GNUTLS_KX_UNKNOWN; + } else { + /* TLS1.2 or earlier, kx is associated with ciphersuite */ +diff --git a/lib/state.c b/lib/state.c +index ec514c0..10ec0ea 100644 +--- a/lib/state.c ++++ b/lib/state.c +@@ -202,7 +202,8 @@ gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session) + const gnutls_group_entry_st *group = get_group(session); + + if (ver->tls13_sem) { +- if (session->internals.hsk_flags & HSK_PSK_SELECTED) { ++ if (gnutls_auth_client_get_type(session) == ++ GNUTLS_CRD_PSK) { + if (group) { + if (group->pk == GNUTLS_PK_DH) + return GNUTLS_KX_DHE_PSK; +@@ -349,6 +350,7 @@ void reset_binders(gnutls_session_t session) + _gnutls_free_temp_key_datum(&session->key.binders[0].psk); + _gnutls_free_temp_key_datum(&session->key.binders[1].psk); + memset(session->key.binders, 0, sizeof(session->key.binders)); ++ session->internals.hsk_flags &= ~HSK_PSK_SELECTED; + } + + /* Check whether certificate credentials of type @cert_type are set +-- +2.45.3 + diff --git a/SPECS/gnutls/gnutls.spec b/SPECS/gnutls/gnutls.spec index 9c289f8379..40142f7d22 100644 --- a/SPECS/gnutls/gnutls.spec +++ b/SPECS/gnutls/gnutls.spec @@ -1,7 +1,7 @@ Summary: The GnuTLS Transport Layer Security Library Name: gnutls Version: 3.8.3 -Release: 4%{?dist} +Release: 6%{?dist} License: GPLv3+ AND LGPLv2.1+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -14,6 +14,10 @@ Patch1: CVE-2024-28834.patch Patch2: CVE-2024-28835.patch Patch3: CVE-2024-12133.patch Patch4: CVE-2024-12243.patch +Patch5: CVE-2025-32990.patch +Patch6: CVE-2025-32989.patch +Patch7: CVE-2025-32988.patch +Patch8: CVE-2025-6395.patch BuildRequires: autogen-libopts-devel BuildRequires: gc-devel BuildRequires: libtasn1-devel 
@@ -95,6 +99,12 @@ sed -i 's/TESTS += test-ciphers-openssl.sh//' tests/slow/Makefile.am %{_mandir}/man3/* %changelog +* Tue Jul 15 2025 Azure Linux Security Servicing Account - 3.8.3-6 +- Patch for CVE-2025-6395 + +* Mon Jul 14 2025 Azure Linux Security Servicing Account - 3.8.3-5 +- Patch for CVE-2025-32990, CVE-2025-32989, CVE-2025-32988 + * Tue Mar 11 2025 Sreeniavsulu Malavathula - 3.8.3-4 - Patch CVE-2024-12243 diff --git a/SPECS/golang/golang-1.23.signatures.json b/SPECS/golang/golang-1.23.signatures.json index 0c956f6d41..066c31a419 100644 --- a/SPECS/golang/golang-1.23.signatures.json +++ b/SPECS/golang/golang-1.23.signatures.json @@ -2,7 +2,7 @@ "Signatures": { "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95", "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", - "go1.23.9-20250506.5.src.tar.gz": "bb5d23552167ba2920ba8b2484f7c1ae7faa4bda9b02fdf260c8d489fcfdfdd3", + "go1.23.12-20250806.6.src.tar.gz": "af71ab0ba0dfa9f129ce0e5a2ba58da4ac7d189fa332e3ead68d10d5d6c93808", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } diff --git a/SPECS/golang/golang-1.23.spec b/SPECS/golang/golang-1.23.spec index 4ecac48076..cc48eed4a7 100644 --- a/SPECS/golang/golang-1.23.spec +++ b/SPECS/golang/golang-1.23.spec @@ -1,6 +1,6 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.23.9-20250506.5.src.tar.gz +%global ms_go_filename go1.23.12-20250806.6.src.tar.gz %global ms_go_revision 1 %ifarch aarch64 %global gohostarch arm64 @@ -14,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.23.9 +Version: 1.23.12 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation 
@@ -154,6 +154,15 @@ fi %{_bindir}/* %changelog +* Wed Aug 06 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.23.12-1 +- Bump version to 1.23.12-1 + +* Tue Jul 08 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.23.11-1 +- Bump version to 1.23.11-1 + +* Fri Jun 06 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.23.10-1 +- Bump version to 1.23.10-1 + * Wed May 07 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.23.9-1 - Bump version to 1.23.9-1 diff --git a/SPECS/golang/golang.signatures.json b/SPECS/golang/golang.signatures.json index e772ad4629..2e580b0f11 100644 --- a/SPECS/golang/golang.signatures.json +++ b/SPECS/golang/golang.signatures.json @@ -3,7 +3,7 @@ "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95", "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd", "go1.22.12-20250211.4.src.tar.gz": "e1cc3bff8fdf1f24843ffc9f0eaddfd344eb40fd9ca0d9ba2965165be519eeb7", - "go1.24.4-20250605.5.src.tar.gz": "a54803e23684bfc6b0acc8ce3a793c3666dcad1a323b5561158c63741367c3a2", + "go1.24.6-20250806.4.src.tar.gz": "3a1108d710b5916c5c6477a3052c870a543f129428267bf6939a4f96a5a8b95c", "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" } } diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec index ca34c0402e..d1313d71b1 100644 --- a/SPECS/golang/golang.spec +++ b/SPECS/golang/golang.spec @@ -1,6 +1,6 @@ %global goroot %{_libdir}/golang %global gopath %{_datadir}/gocode -%global ms_go_filename go1.24.4-20250605.5.src.tar.gz +%global ms_go_filename go1.24.6-20250806.4.src.tar.gz %global ms_go_revision 1 %ifarch aarch64 %global gohostarch arm64 @@ -14,7 +14,7 @@ %define __find_requires %{nil} Summary: Go Name: golang -Version: 1.24.4 +Version: 1.24.6 Release: 1%{?dist} License: BSD-3-Clause Vendor: Microsoft Corporation 
@@ -160,6 +160,12 @@ fi %{_bindir}/* %changelog +* Wed Aug 06 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.24.6-1 +- Bump version to 1.24.6-1 + +* Tue Jul 08 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.24.5-1 +- Bump version to 1.24.5-1 + * Fri Jun 06 2025 bot-for-go[bot] <199222863+bot-for-go[bot]@users.noreply.github.com> - 1.24.4-1 - Bump version to 1.24.4-1 diff --git a/SPECS/graphviz/graphviz.spec b/SPECS/graphviz/graphviz.spec index 312b19ffa3..52296430d8 100644 --- a/SPECS/graphviz/graphviz.spec +++ b/SPECS/graphviz/graphviz.spec @@ -45,7 +45,7 @@ Summary: Graph Visualization Tools Name: graphviz Version: 2.42.4 -Release: 12%{?dist} +Release: 13%{?dist} License: EPL-1.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -87,9 +87,12 @@ BuildRequires: sed BuildRequires: swig >= 1.3.33 BuildRequires: tcl-devel >= 8.3 BuildRequires: zlib-devel +BuildRequires: cairo-devel BuildRequires: pkgconfig(cairo) >= 1.1.10 Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig +Requires: cairo + %if %{PHP} BuildRequires: php-devel %endif @@ -269,6 +272,7 @@ sed -i 's|_MY_JAVA_INCLUDES_|-I%{java_home}/include/ -I%{java_home}/include/linu --without-mylibgd --with-ipsepcola --with-pangocairo \ --without-gdk-pixbuf --with-visio --disable-silent-rules \ --without-ruby --without-python2 \ + --with-cairo --with-expat \ --with-freetypeincludedir=%{_includedir}/freetype2 --with-freetypelibdir=%{_libdir}/lib \ %if ! %{LASI} --without-lasi \ @@ -338,7 +342,6 @@ find %{buildroot}%{_docdir}/%{name}/demo -type f -name "*.py" -exec mv {} {}.dem rm -f %{buildroot}%{_bindir}/dot_builtins # These are part of gnome subpkg -rm -f %{buildroot}%{_libdir}/graphviz/libgvplugin_pango* rm -f %{buildroot}%{_libdir}/graphviz/libgvplugin_xlib* # This is part of the x11 subpkg only rm -rf %{buildroot}%{_datadir}/graphviz/lefty 
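Review bot: The comment `# These are part of gnome subpkg` in the graphviz.spec %install cleanup (hunk `@@ -338,7 +342,6 @@`) is now stale: the only `rm -f` left under it is for `libgvplugin_xlib*`, while `libgvplugin_pango*` is kept in the buildroot. I would reword it to `# The xlib plugin is part of the gnome subpkg; the pango plugin is kept for cairo output` so a later cleanup does not re-add the deletion. The %files lists are outside this hunk, so confirm that a package claims the retained `libgvplugin_pango*` files, otherwise the build will presumably stop on unpackaged files. In the dependency hunk, the new `BuildRequires: cairo-devel` sits directly above the existing `pkgconfig(cairo) >= 1.1.10`, which presumably resolves to the same package, and `--with-expat` is added to configure without a matching BuildRequires visible here.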
@@ -520,6 +523,9 @@ php --no-php-ini \ %{_mandir}/man3/*.3tcl* %changelog +* Mon Aug 18 2025 Durga Jagadeesh Palli - 2.42.4-13 +- add pdf support for the graphviz + * Mon Apr 21 2025 Kanishk Bansal - 2.42.4-12 - Patch CVE-2023-46045 using an upstream patch diff --git a/SPECS/grub2/CVE-2025-0624.patch b/SPECS/grub2/CVE-2025-0624.patch new file mode 100644 index 0000000000..697a6df3fe --- /dev/null +++ b/SPECS/grub2/CVE-2025-0624.patch 
@@ -0,0 +1,124 @@ +From 8ab67bb3b37cec634490294560d082bafda7cc66 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Mon, 2 Jun 2025 07:47:48 +0000 +Subject: [PATCH] CVE-2025-0624 + +Upstream Reference Patch: https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00052.html +https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00027.html +--- + grub-core/net/net.c | 7 ++++--- + grub-core/normal/main.c | 2 +- + include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++ + include/grub/net.h | 2 +- + 4 files changed, 45 insertions(+), 5 deletions(-) + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index 4d3eb5c..ec7f01c 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -1773,14 +1773,15 @@ grub_config_search_through (char *config, char *suffix, + } + + grub_err_t +-grub_net_search_config_file (char *config) ++grub_net_search_config_file (char *config, grub_size_t config_buf_len) + { +- grub_size_t config_len; ++ grub_size_t config_len, suffix_len; + char *suffix; + + config_len = grub_strlen (config); + config[config_len] = '-'; + suffix = config + config_len + 1; ++ suffix_len = config_buf_len - (config_len + 1); + + struct grub_net_network_level_interface *inf; + FOR_NET_NETWORK_LEVEL_INTERFACES (inf) +@@ -1806,7 +1807,7 @@ grub_net_search_config_file (char *config) + + if (client_uuid) + { +- grub_strcpy (suffix, client_uuid); ++ grub_strlcpy (suffix, client_uuid, suffix_len); + if (grub_config_search_through (config, suffix, 1, 0) == 0) + return GRUB_ERR_NONE; + } +diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c +index c4ebe9e..68ef09c 100644 +--- a/grub-core/normal/main.c ++++ b/grub-core/normal/main.c +@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), + + if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 && + !disable_net_search) +- grub_net_search_config_file (config); ++ grub_net_search_config_file (config, config_len); + + grub_enter_normal_mode (config); + 
grub_free (config); +diff --git a/include/grub/misc.h b/include/grub/misc.h +index 7d2b551..0507567 100644 +--- a/include/grub/misc.h ++++ b/include/grub/misc.h +@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src) + return d - 1; + } + ++static inline grub_size_t ++grub_strlcpy (char *dest, const char *src, grub_size_t size) ++{ ++ char *d = dest; ++ grub_size_t res = 0; ++ /* ++ * We do not subtract one from size here to avoid dealing with underflowing ++ * the value, which is why to_copy is always checked to be greater than one ++ * throughout this function. ++ */ ++ grub_size_t to_copy = size; ++ ++ /* Copy size - 1 bytes to dest. */ ++ if (to_copy > 1) ++ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1) ++ ; ++ ++ /* ++ * NUL terminate if size != 0. The previous step may have copied a NUL byte ++ * if it reached the end of the string, but we know dest[size - 1] must always ++ * be a NUL byte. ++ */ ++ if (size != 0) ++ dest[size - 1] = '\0'; ++ ++ /* If there is still space in dest, but are here, we reached the end of src. */ ++ if (to_copy > 1) ++ return res; ++ ++ /* ++ * If we haven't reached the end of the string, iterate through to determine ++ * the strings total length. ++ */ ++ while (*src++ != '\0' && ++res) ++ ; ++ ++ return res; ++} ++ + /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */ + static inline void * + grub_memcpy (void *dest, const void *src, grub_size_t n) +diff --git a/include/grub/net.h b/include/grub/net.h +index 7ae4b6b..d6ba8b1 100644 +--- a/include/grub/net.h ++++ b/include/grub/net.h +@@ -570,7 +570,7 @@ void + grub_net_remove_dns_server (const struct grub_net_network_level_address *s); + + grub_err_t +-grub_net_search_config_file (char *config); ++grub_net_search_config_file (char *config, grub_size_t config_buf_len); + + extern char *grub_net_default_server; + +-- +2.45.2 + diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index bade2f5843..101ecf8c11 100644 
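Review bot: `suffix_len = config_buf_len - (config_len + 1);` in grub_net_search_config_file is an unsigned subtraction with no guard, and `config[config_len] = '-'` is written before any length is compared. If a caller passes a buffer length that is not larger than `grub_strlen (config) + 1`, suffix_len wraps to a very large value and the new grub_strlcpy bound stops limiting the copy. A check ahead of the write would close that, for example `if (config_buf_len <= config_len + 1) return grub_error (GRUB_ERR_OUT_OF_RANGE, "config buffer too small");`. Only the client-UUID copy is bounded in the visible lines; the rest of the function is outside the hunk, so any other write through `suffix` should be checked against suffix_len too. The caller in grub-core/normal/main.c passes `config_len`, which is defined outside the hunk, so confirm it holds the allocated size of `config` rather than a string length.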
--- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec @@ -7,7 +7,7 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.06 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv3+ Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -109,6 +109,7 @@ Patch: sbat-4-0006-fs-ntfs-Make-code-more-readable.patch # time optimizes the code incorrectly, leading to network traffic getting # dropped in scenarios like PXE booting. Patch: disable-checksum-code-optimization.patch +Patch: CVE-2025-0624.patch BuildRequires: autoconf BuildRequires: device-mapper-devel BuildRequires: python3 @@ -435,6 +436,10 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %config(noreplace) %{_sysconfdir}/grub.d/41_custom %changelog +* Mon Sep 8 2025 Lee Chee Yang - 2.06-25 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-0624 + * Fri May 30 2025 Ranjan Dutta - 2.06-24 - merge from Azure Linux 3.0.20250521-3.0 - Add patch to replace fgrep with grep -F diff --git a/SPECS/helm/helm.signatures.json b/SPECS/helm/helm.signatures.json deleted file mode 100644 index 6951a75c71..0000000000 --- a/SPECS/helm/helm.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "helm-3.18.3-vendor.tar.gz": "dab598d7d52c4da5f91f6890d8b8a4664ed8d3c54d2834ebaa23b67c2f008306", - "helm-3.18.3.tar.gz": "9e8f43ebf48786f41fd83ca67405c7f73753a46c65c041e51888a142c82cab96" - } -} diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec deleted file mode 100644 index 87bc20a675..0000000000 --- a/SPECS/helm/helm.spec +++ /dev/null 
@@ -1,158 +0,0 @@ -%global debug_package %{nil} - -Name: helm -Version: 3.18.3 -Release: 1%{?dist} -Summary: The Kubernetes Package Manager -Group: Applications/Networking -License: Apache 2.0 -Vendor: Intel Corporation -Distribution: Edge Microvisor Toolkit -Url: https://helm.sh/ -Source0: https://github.com/helm/helm/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Below is a manually created tarball, no download link. -# We're using pre-populated Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/helm/helm/archive/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version} -# 4. go mod vendor -# 5. tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-vendor.tar.gz vendor -# -Source1: %{name}-%{version}-vendor.tar.gz -BuildRequires: golang - -%description -Helm is a tool that streamlines installing and managing Kubernetes applications. Think of it like apt/yum/homebrew for Kubernetes. 
- -%prep -%autosetup -N -tar -xf %{SOURCE1} --no-same-owner - -%build -export VERSION=%{version} -for cmd in cmd/* ; do - go build -tags '' -ldflags '-w -s -X helm.sh/helm/v3/internal/version.version=v%{version} -X helm.sh/helm/v3/internal/version.metadata= -X helm.sh/helm/v3/internal/version.gitCommit= -X helm.sh/helm/v3/internal/version.gitTreeState=clean ' \ - -mod=vendor -v -o $(basename $cmd) ./$cmd -done - -%install -install -d -m 755 %{buildroot}%{_bindir} -install -m 755 ./helm %{buildroot}%{_bindir} - -%files -%license LICENSE -%doc ADOPTERS.md SECURITY.md code-of-conduct.md CONTRIBUTING.md README.md -%{_bindir}/helm - -%check -go test -v ./cmd/helm - -%changelog -* Thu Jun 26 2025 Aaron Dorney - 3.18.3-1 -- Bump Release to rebuild and remove CVE patch - -* Fri Mar 21 2025 Anuj Mittal - 3.15.2-3 -- Bump Release to rebuild - -* Tue Dec 31 2024 Rohit Rawat - 3.15.2-2 -- Add patch for CVE-2024-45338 - -* Wed Jul 10 2024 Sumedh Sharma - 3.15.2-1 -- Bump package version to address CVE-2023-45288 & CVE-2023-44487 -- Remove patches fixed in sources - -* Wed May 29 2024 Neha Agarwal - 3.13.2-3 -- Patch CVE-2024-25620 - -* Wed May 22 2024 Neha Agarwal - 3.13.2-2 -- Patch CVE-2024-26147 - -* Fri Nov 10 2023 Nicolas Guibourge - 3.13.2-1 -- Upgrade to 3.13.2 - Azure Linux 3.0 - package upgrades - -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 3.10.3-11 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 3.10.3-10 -- Bump release to rebuild with updated version of Go. 
- -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 3.10.3-9 -- Bump release to rebuild with go 1.19.12 - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 3.10.3-8 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 3.10.3-7 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 3.10.3-6 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 3.10.3-5 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 3.10.3-4 -- Bump release to rebuild with go 1.19.6 - -* Thu Feb 16 2023 Suresh Thelkar - 3.10.3-3 -- Patch CVE-2023-25165 -- License verified. - -* Wed Jan 18 2023 CBL-Mariner Servicing Account - 3.10.3-2 -- - Set golang <= 1.18.8 build requires - -* Wed Jan 04 2023 CBL-Mariner Servicing Account - 3.10.3-1 -- Auto-upgrade to 3.10.3 - to fix CVE-2022-23524 - -* Thu Dec 22 2022 Nan Liu - 3.9.4-5 -- Enable the check tests - -* Wed Dec 21 2022 Nan Liu - 3.9.4-4 -- Patch CVE-2022-23525, CVE-2022-23526 - -* Fri Dec 16 2022 Daniel McIlvaney - 3.9.4-3 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Tue Nov 01 2022 Olivia Crain - 3.9.4-2 -- Bump release to rebuild with go 1.18.8 - -* Mon Oct 24 2022 CBL-Mariner Servicing Account - 3.9.4-1 -- Upgrade to 3.9.4 - -* Mon Aug 22 2022 Olivia Crain - 3.9.3-2 -- Bump release to rebuild against Go 1.18.5 - -* Mon Aug 22 2022 Suresh Babu Chalamalasetty 3.9.3-1 -- Update helm version to 3.9.3 -- Fix version info not displaying correct version. 
- -* Tue Jun 14 2022 Muhammad Falak - 3.4.1-5 -- Bump release to rebuild with golang 1.18.3 -- License verified - -* Mon Sep 20 2021 Henry Beberman - 3.4.1-4 -- Patch CVE-2021-32690 - -* Mon Sep 20 2021 Henry Beberman - 3.4.1-3 -- Patch CVE-2021-21303 - -* Tue Aug 17 2021 Henry Li 3.4.1-2 -- Update and rename vendor source tarball -- Use go to build the project from vendor source -- Remove glide and ca-certificates from BR -- Modify file section to add license and document files - -* Wed Nov 25 2020 Suresh Babu Chalamalasetty 3.4.1-1 -- Update helm version 3 - -* Tue Jun 02 2020 Paul Monson 2.14.3-2 -- Rename go to golang -- Add ca-certificates temporarily - -* Thu Oct 17 2019 Andrew Phelps 2.14.3-1 -- Original version for CBL-Mariner diff --git a/SPECS/httpd/httpd.signatures.json b/SPECS/httpd/httpd.signatures.json index 169d5d31f1..211c5279ba 100644 --- a/SPECS/httpd/httpd.signatures.json +++ b/SPECS/httpd/httpd.signatures.json @@ -5,11 +5,11 @@ "01-ldap.conf": "cbbbdd396fe056e8ab167abd7b2cb5145b42210bfea38452968ff02a03493fc8", "01-session.conf": "51df0ceeb7dae9922817f4af0554f83fe01d6268025ee08260aeed69be3953d1", "10-listen443.conf": "fc7484790ec6328b9082e04083137551a5ae2e8f4d4696d9846b052915b6a0cb", - "httpd-2.4.62.tar.bz2": "674188e7bf44ced82da8db522da946849e22080d73d16c93f7f4df89e25729ec", + "httpd-2.4.65.tar.bz2": "58b8be97d9940ec17f7656c0c6b9f41b618aac468b894b534148e3296c53b8b3", "httpd-init.service": "2501b44bdb02f583d98cc5296accbf0af36957b93ed5b871358aeb10a0512a7c", "httpd-ssl-gencerts": "ae96a94eeb0be8731c0bb976e5b878e0e5a196442a001c9e809bed3873f4755d", "httpd-ssl-pass-dialog": "b9bd4816dda673ad9294a0fbd2904fac9b96eabddb4d72080ae58b498bcd1db9", "macros.httpd": "6dbf9313a5d085cb705fa5ef393372ec940008f08bf1c9350f8f49d58df75dff", "ssl.conf": "6690cb873d2312d0ecffcda3822562cd1b1b11ac44b1fcb7bd1b720a9e53c333" } -} +} \ No newline at end of file diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec index 3e79741653..aa4257b7ec 100644 
--- a/SPECS/httpd/httpd.spec +++ b/SPECS/httpd/httpd.spec @@ -2,7 +2,7 @@ %define _confdir %{_sysconfdir} Summary: The Apache HTTP Server Name: httpd -Version: 2.4.62 +Version: 2.4.65 Release: 1%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation @@ -316,7 +316,7 @@ fi %{_bindir}/* %{_mandir}/man1/* %license LICENSE -%doc NOTICE +%license NOTICE %exclude %{_bindir}/apxs %exclude %{_mandir}/man1/apxs.1* @@ -345,6 +345,12 @@ fi %{_libexecdir}/httpd-ssl-pass-dialog %changelog +* Mon Jul 28 2025 Kshitiz Godara - 2.4.65-1 +- Upgrade to 2.4.65 to fix CVE-2025-54090 + +* Mon Jul 14 2025 Kevin Lockwood - 2.4.64-1 +- Upgrade to 2.4.64 to fix CVE-2025-49812, CVE-2025-53020 + * Thu Jul 25 2024 Sumedh Sharma - 2.4.62-1 - Upgrade to 2.4.62 to address CVE-2024-40725 diff --git a/SPECS/hwloc/fix-test-gather-topology.patch b/SPECS/hwloc/fix-test-gather-topology.patch new file mode 100644 index 0000000000..e404d0b3f8 --- /dev/null +++ b/SPECS/hwloc/fix-test-gather-topology.patch 
@@ -0,0 +1,36 @@ +From 268ffea51d623e9eff721a76a396b3feecaf7fa8 Mon Sep 17 00:00:00 2001 +From: Andrew Phelps +Date: Thu, 5 Jun 2025 16:16:23 +0000 +Subject: [PATCH] disable dmi in test-gather-topology + +test-gather-topology.sh test fails due to MemoryModule difference #719 +https://github.com/open-mpi/hwloc/issues/719 + +--- + tests/hwloc/linux/gather/test-gather-topology.sh.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/hwloc/linux/gather/test-gather-topology.sh.in b/tests/hwloc/linux/gather/test-gather-topology.sh.in +index 41f8dee57..219d8f7a9 100644 +--- a/tests/hwloc/linux/gather/test-gather-topology.sh.in ++++ b/tests/hwloc/linux/gather/test-gather-topology.sh.in +@@ -62,7 +62,7 @@ export HWLOC_FSROOT=// + + echo "Saving current system topology to XML..." + # ignore DAXDevice info attr because it won't appear in save2.xml unless we pass --io to gather below +-if ! "$lstopo" --no-io -.xml | grep -v DAXDevice > "$tmpdir/save1.xml" ; then ++if ! "$lstopo" --no-io --ignore misc -.xml | grep -v DAXDevice > "$tmpdir/save1.xml" ; then + error "Failed" + exit 1 + fi +@@ -85,7 +85,7 @@ export HWLOC_FSROOT="$tmpdir/save" + rm -f "$tmpdir/save/proc/hwloc-nofile-info" + + echo "Saving tarball topology to XML..." +-if ! "$lstopo" --no-io "$tmpdir/save2.xml" ; then ++if ! "$lstopo" --no-io --ignore misc "$tmpdir/save2.xml" ; then + error "Failed" + exit 1 + fi +-- +2.45.3 diff --git a/SPECS/hwloc/hwloc.spec b/SPECS/hwloc/hwloc.spec index e119a60616..32ecaba188 100644 --- a/SPECS/hwloc/hwloc.spec +++ b/SPECS/hwloc/hwloc.spec 
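Review bot: The two `"$lstopo" --no-io --ignore misc` invocations added to test-gather-topology.sh.in have no comment explaining the new flag. The comment above the first one still describes only the DAXDevice filter, and the patch subject says "disable dmi" while the change drops Misc objects from both XML dumps. I would add a line such as `# ignore Misc objects: MemoryModule entries differ between the live and gathered topology (hwloc issue #719)` above each call. Because this removes every Misc object from the comparison, not only the MemoryModule entries named in the description, the test no longer covers that object type; say so in the patch header so the patch can be dropped once upstream resolves the issue.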
@@ -1,13 +1,14 @@ Summary: Portable Hardware Locality - portable abstraction of hierarchical architectures Name: hwloc Version: 2.9.2 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD-2-Clause Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.open-mpi.org/projects/hwloc/ Source0: http://www.open-mpi.org/software/hwloc/v2.9/downloads/%{name}-%{version}.tar.bz2 Patch0: CVE-2022-47022.patch +Patch1: fix-test-gather-topology.patch BuildRequires: gcc # C++ only for hwloc-hello-cpp test: BuildRequires: gcc-c++ @@ -168,6 +169,9 @@ LD_LIBRARY_PATH=$PWD/hwloc/.libs make check %{_libdir}/%{name}/hwloc* %changelog +* Fri Jun 06 2025 Andrew Phelps - 2.9.2-3 +- Add patch fix-test-gather-topology.patch + * Wed Jan 29 2025 Jyoti Kanase - 2.9.2-2 - Fix CVE-2022-47022 diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 7c02940294..d3c0bd1f84 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-6.6.85.1.tar.gz": "4dab471d68ce07dd31e925788c128ff1c7d9a6d2c7e0a073bd8e6701514cfee6" + "kernel-6.6.96.2.tar.gz": "e367d388de5dd5c891377cba4022e0b5887b060b0f842a7aa2c5b05229b30f87" } } diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index ccc8e5ccc2..aa5783f560 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -10,7 +10,7 @@ Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 6.6.85.1 +Version: 6.6.96.2 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation 
@@ -221,6 +221,18 @@ fi %{_sbindir}/lsvmbus %changelog +* Fri Aug 15 2025 CBL-Mariner Servicing Account - 6.6.96.2-1 +- Auto-upgrade to 6.6.96.2 + +* Mon Jul 07 2025 CBL-Mariner Servicing Account - 6.6.96.1-1 +- Auto-upgrade to 6.6.96.1 + +* Fri May 30 2025 CBL-Mariner Servicing Account - 6.6.92.2-1 +- Auto-upgrade to 6.6.92.2 + +* Fri May 23 2025 CBL-Mariner Servicing Account - 6.6.90.1-1 +- Auto-upgrade to 6.6.90.1 + * Sat Apr 05 2025 CBL-Mariner Servicing Account - 6.6.85.1-1 - Auto-upgrade to 6.6.85.1 diff --git a/SPECS/icu/CVE-2025-5222.patch b/SPECS/icu/CVE-2025-5222.patch new file mode 100644 index 0000000000..8a9127fa6b --- /dev/null +++ b/SPECS/icu/CVE-2025-5222.patch 
@@ -0,0 +1,164 @@ +From 0b0011c3ef49c8c6c2c902d5ae5dda5656cb9162 Mon Sep 17 00:00:00 2001 +From: Frank Tang +Date: Wed, 22 Jan 2025 11:50:59 -0800 +Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77.patch +--- + icu/icu4c/source/tools/genrb/parse.cpp | 49 +++++++++++++++----------- + 1 file changed, 29 insertions(+), 20 deletions(-) + +diff --git a/icu/icu4c/source/tools/genrb/parse.cpp b/icu/icu4c/source/tools/genrb/parse.cpp +index 96fd81a..b590a03 100644 +--- a/icu/icu4c/source/tools/genrb/parse.cpp ++++ b/icu/icu4c/source/tools/genrb/parse.cpp +@@ -1153,7 +1153,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + UnicodeString rules; + UBool haveRules = false; + UVersionInfo version; +@@ -1189,15 +1189,15 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); +- ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + if (U_FAILURE(*status)) + { + res_close(result); + return NULL; + } + +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -1208,7 +1208,7 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + { + // Ignore the parsed resources, continue parsing. 
+ } +- else if (uprv_strcmp(subtag, "Version") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + char ver[40]; +@@ -1225,11 +1225,11 @@ addCollation(ParseState* state, TableResource *result, const char *collationTyp + result->add(member, line, *status); + member = NULL; + } +- else if(uprv_strcmp(subtag, "%%CollationBin")==0) ++ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0) + { + /* discard duplicate %%CollationBin if any*/ + } +- else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString()) ++ else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString()) + { + StringResource *sr = static_cast(member); + rules = sr->fString; +@@ -1395,7 +1395,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + struct UString *tokenValue; + struct UString comment; + enum ETokenType token; +- char subtag[1024], typeKeyword[1024]; ++ CharString subtag, typeKeyword; + uint32_t line; + + result = table_open(state->bundle, tag, NULL, status); +@@ -1437,7 +1437,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); + + if (U_FAILURE(*status)) + { +@@ -1445,9 +1446,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + return NULL; + } + +- if (uprv_strcmp(subtag, "default") == 0) ++ if (uprv_strcmp(subtag.data(), "default") == 0) + { +- member = parseResource(state, subtag, NULL, status); ++ member = parseResource(state, subtag.data(), NULL, status); + + if (U_FAILURE(*status)) + { +@@ -1466,22 +1467,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n + if(token == TOK_OPEN_BRACE) { + token = getToken(state, 
&tokenValue, &comment, &line, status); + TableResource *collationRes; +- if (keepCollationType(subtag)) { +- collationRes = table_open(state->bundle, subtag, NULL, status); ++ if (keepCollationType(subtag.data())) { ++ collationRes = table_open(state->bundle, subtag.data(), NULL, status); + } else { + collationRes = NULL; + } + // need to parse the collation data regardless +- collationRes = addCollation(state, collationRes, subtag, startline, status); ++ collationRes = addCollation(state, collationRes, subtag.data(), startline, status); + if (collationRes != NULL) { + result->add(collationRes, startline, *status); + } + } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */ + /* we could have a table too */ + token = peekToken(state, 1, &tokenValue, &line, &comment, status); +- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1); +- if(uprv_strcmp(typeKeyword, "alias") == 0) { +- member = parseResource(state, subtag, NULL, status); ++ typeKeyword.clear(); ++ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status); ++ if (U_FAILURE(*status)) ++ { ++ res_close(result); ++ return NULL; ++ } ++ ++ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) { ++ member = parseResource(state, subtag.data(), NULL, status); + if (U_FAILURE(*status)) + { + res_close(result); +@@ -1523,7 +1531,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + struct UString *tokenValue=NULL; + struct UString comment; + enum ETokenType token; +- char subtag[1024]; ++ CharString subtag; + uint32_t line; + UBool readToken = false; + +@@ -1562,7 +1570,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + } + + if(uprv_isInvariantUString(tokenValue->fChars, -1)) { +- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1); ++ subtag.clear(); ++ subtag.appendInvariantChars(tokenValue->fChars, 
u_strlen(tokenValue->fChars), *status); + } else { + *status = U_INVALID_FORMAT_ERROR; + error(line, "invariant characters required for table keys"); +@@ -1575,7 +1584,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star + return NULL; + } + +- member = parseResource(state, subtag, &comment, status); ++ member = parseResource(state, subtag.data(), &comment, status); + + if (member == NULL || U_FAILURE(*status)) + { +-- +2.45.4 + diff --git a/SPECS/icu/icu.spec b/SPECS/icu/icu.spec index 45e20b1d3d..15dcd80b74 100644 --- a/SPECS/icu/icu.spec +++ b/SPECS/icu/icu.spec @@ -5,13 +5,14 @@ Summary: International Components for Unicode. Name: icu Version: 72.1.0.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and MIT and Public Domain and naist-2003 URL: https://github.com/microsoft/icu Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Azure Linux Source0: https://github.com/microsoft/icu/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2025-5222.patch BuildRequires: autoconf BuildRequires: python3 BuildRequires: python3-xml @@ -29,7 +30,7 @@ Provides: libicu-devel = %{version}-%{release} It contains the libraries and header files to create applications %prep -%setup -q +%autosetup -p1 %build pushd icu/icu4c/source @@ -59,11 +60,16 @@ make -C icu/icu4c/source DESTDIR=%{buildroot} install %files devel %defattr(-,root,root) %{_includedir}/* -%{_datadir}/* +%{_datadir}/%{name} +%{_datadir}/man %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %changelog +* Tue Aug 12 2025 Azure Linux Security Servicing Account - 72.1.0.3-2 +- Patch for CVE-2025-5222 +- Fixed license check warning. + * Thu Feb 05 2024 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 72.1.0.3-1 - Update to version "72.1.0.3". - Add check section. diff --git a/SPECS/ig/CVE-2025-27144.patch b/SPECS/ig/CVE-2025-27144.patch deleted file mode 100644 index 3afcb40bff..0000000000 
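Review bot: In the icu.spec `%files devel` hunk (`@@ -59,11 +60,16 @@`), the new entry `%{_datadir}/man` hard-codes the man directory where other specs in this change use the `%{_mandir}` macro; I would write it as `%{_mandir}`. Replacing `%{_datadir}/*` with two explicit paths also means anything else the install step places under `%{_datadir}` is no longer claimed. The install output is not visible here, so confirm that `%{_datadir}/%{name}` and the man tree are the only directories produced.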
--- a/SPECS/ig/CVE-2025-27144.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 2bc5b8e5cd3b02064b046513ca7e0b6b773f6762 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Thu, 13 Mar 2025 19:28:52 +0000 -Subject: [PATCH] CVE-2025-27144 - -Upstream Reference: https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22 - ---- - github.com/go-jose/go-jose/v4/jwe.go | 5 +++-- - github.com/go-jose/go-jose/v4/jws.go | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go -index 89f03ee..9f1322d 100644 ---- a/vendor/github.com/go-jose/go-jose/v4/jwe.go -+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go -@@ -288,10 +288,11 @@ func ParseEncryptedCompact( - keyAlgorithms []KeyAlgorithm, - contentEncryption []ContentEncryption, - ) (*JSONWebEncryption, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 5 { -+ // Five parts is four separators -+ if strings.Count(input, ".") != 4 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") - } -+ parts := strings.SplitN(input, ".", 5) - - rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) - if err != nil { -diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go -index 3a91230..d09d8ba 100644 ---- a/vendor/github.com/go-jose/go-jose/v4/jws.go -+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go -@@ -327,10 +327,11 @@ func parseSignedCompact( - payload []byte, - signatureAlgorithms []SignatureAlgorithm, - ) (*JSONWebSignature, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 3 { -+ // Three parts is two separators -+ if strings.Count(input, ".") != 2 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") - } -+ parts := strings.SplitN(input, ".", 3) - - if parts[1] != "" && payload != nil { - return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") --- -2.45.2 - 
diff --git a/SPECS/ig/CVE-2025-29786.patch b/SPECS/ig/CVE-2025-29786.patch deleted file mode 100644 index 43afca11fd..0000000000 --- a/SPECS/ig/CVE-2025-29786.patch +++ /dev/null 
@@ -1,635 +0,0 @@ -From 387fc2ebedb3b5f54f9494c95506e6163f6f7af5 Mon Sep 17 00:00:00 2001 -From: Kshitiz Godara -Date: Mon, 24 Mar 2025 13:30:36 +0000 -Subject: [PATCH] Fix for CVE-2025-29786 - -Upstream source reference: -https://github.com/expr-lang/expr/pull/762 - -Signed-off-by: Kshitiz Godara ---- - .../github.com/expr-lang/expr/conf/config.go | 52 ++-- - .../expr-lang/expr/parser/parser.go | 228 +++++++++++++----- - vendor/github.com/expr-lang/expr/vm/utils.go | 3 - - vendor/github.com/expr-lang/expr/vm/vm.go | 23 +- - 4 files changed, 213 insertions(+), 93 deletions(-) - -diff --git a/vendor/github.com/expr-lang/expr/conf/config.go b/vendor/github.com/expr-lang/expr/conf/config.go -index 01a407a..2312984 100644 ---- a/vendor/github.com/expr-lang/expr/conf/config.go -+++ b/vendor/github.com/expr-lang/expr/conf/config.go -@@ -9,34 +9,46 @@ import ( - "github.com/expr-lang/expr/vm/runtime" - ) - -+const ( -+ // DefaultMemoryBudget represents an upper limit of memory usage -+ DefaultMemoryBudget uint = 1e6 -+ -+ // DefaultMaxNodes represents an upper limit of AST nodes -+ DefaultMaxNodes uint = 10000 -+) -+ - type FunctionsTable map[string]*builtin.Function - - type Config struct { -- Env any -- Types TypesTable -- MapEnv bool -- DefaultType reflect.Type -- Expect reflect.Kind -- ExpectAny bool -- Optimize bool -- Strict bool -- Profile bool -- ConstFns map[string]reflect.Value -- Visitors []ast.Visitor -- Functions FunctionsTable -- Builtins FunctionsTable -- Disabled map[string]bool // disabled builtins -+ Env any -+ Types TypesTable -+ MapEnv bool -+ DefaultType reflect.Type -+ Expect reflect.Kind -+ ExpectAny bool -+ Optimize bool -+ Strict bool -+ Profile bool -+ MaxNodes uint -+ MemoryBudget uint -+ ConstFns map[string]reflect.Value -+ Visitors []ast.Visitor -+ Functions FunctionsTable -+ Builtins FunctionsTable -+ Disabled map[string]bool // disabled builtins - } - - // CreateNew creates new config with default values. 
- func CreateNew() *Config { - c := &Config{ -- Optimize: true, -- Types: make(TypesTable), -- ConstFns: make(map[string]reflect.Value), -- Functions: make(map[string]*builtin.Function), -- Builtins: make(map[string]*builtin.Function), -- Disabled: make(map[string]bool), -+ Optimize: true, -+ Types: make(TypesTable), -+ MaxNodes: DefaultMaxNodes, -+ MemoryBudget: DefaultMemoryBudget, -+ ConstFns: make(map[string]reflect.Value), -+ Functions: make(map[string]*builtin.Function), -+ Builtins: make(map[string]*builtin.Function), -+ Disabled: make(map[string]bool), - } - for _, f := range builtin.Builtins { - c.Builtins[f.Name] = f -diff --git a/vendor/github.com/expr-lang/expr/parser/parser.go b/vendor/github.com/expr-lang/expr/parser/parser.go -index 6d96561..a75557c 100644 ---- a/vendor/github.com/expr-lang/expr/parser/parser.go -+++ b/vendor/github.com/expr-lang/expr/parser/parser.go -@@ -45,12 +45,47 @@ var predicates = map[string]struct { - } - - type parser struct { -- tokens []Token -- current Token -- pos int -- err *file.Error -- depth int // closure call depth -- config *conf.Config -+ tokens []Token -+ current Token -+ pos int -+ err *file.Error -+ depth int // closure call depth -+ config *conf.Config -+ nodeCount uint // tracks number of AST nodes created -+} -+ -+// checkNodeLimit verifies that adding a new node won't exceed configured limits -+func (p *parser) checkNodeLimit() error { -+ p.nodeCount++ -+ if p.config.MaxNodes > 0 && p.nodeCount > p.config.MaxNodes { -+ p.error("compilation failed: expression exceeds maximum allowed nodes") -+ return nil -+ } -+ return nil -+} -+ -+// createNode handles creation of regular nodes -+func (p *parser) createNode(n Node, loc file.Location) Node { -+ if err := p.checkNodeLimit(); err != nil { -+ return nil -+ } -+ if n == nil || p.err != nil { -+ return nil -+ } -+ n.SetLocation(loc) -+ return n -+} -+ -+// createMemberNode handles creation of member nodes -+func (p *parser) createMemberNode(n *MemberNode, loc 
file.Location) *MemberNode { -+ if err := p.checkNodeLimit(); err != nil { -+ return nil -+ } -+ if n == nil || p.err != nil { -+ return nil -+ } -+ n.SetLocation(loc) -+ return n - } - - type Tree struct { -@@ -127,6 +162,10 @@ func (p *parser) expect(kind Kind, values ...string) { - // parse functions - - func (p *parser) parseExpression(precedence int) Node { -+ if p.err != nil { -+ return nil -+ } -+ - if precedence == 0 && p.current.Is(Operator, "let") { - return p.parseVariableDeclaration() - } -@@ -185,19 +224,23 @@ func (p *parser) parseExpression(precedence int) Node { - nodeRight = p.parseExpression(op.Precedence) - } - -- nodeLeft = &BinaryNode{ -+ nodeLeft = p.createNode(&BinaryNode{ - Operator: opToken.Value, - Left: nodeLeft, - Right: nodeRight, -+ }, opToken.Location) -+ if nodeLeft == nil { -+ return nil - } -- nodeLeft.SetLocation(opToken.Location) - - if negate { -- nodeLeft = &UnaryNode{ -+ nodeLeft = p.createNode(&UnaryNode{ - Operator: "not", - Node: nodeLeft, -+ }, notToken.Location) -+ if nodeLeft == nil { -+ return nil - } -- nodeLeft.SetLocation(notToken.Location) - } - - goto next -@@ -224,13 +267,11 @@ func (p *parser) parseVariableDeclaration() Node { - value := p.parseExpression(0) - p.expect(Operator, ";") - node := p.parseExpression(0) -- let := &VariableDeclaratorNode{ -+ return p.createNode(&VariableDeclaratorNode{ - Name: variableName.Value, - Value: value, - Expr: node, -- } -- let.SetLocation(variableName.Location) -- return let -+ }, variableName.Location) - } - - func (p *parser) parseConditional(node Node) Node { -@@ -248,10 +289,13 @@ func (p *parser) parseConditional(node Node) Node { - expr2 = p.parseExpression(0) - } - -- node = &ConditionalNode{ -+ node = p.createNode(&ConditionalNode{ - Cond: node, - Exp1: expr1, - Exp2: expr2, -+ }, p.current.Location) -+ if node == nil { -+ return nil - } - } - return node -@@ -264,11 +308,13 @@ func (p *parser) parsePrimary() Node { - if op, ok := operator.Unary[token.Value]; ok { - 
p.next() - expr := p.parseExpression(op.Precedence) -- node := &UnaryNode{ -+ node := p.createNode(&UnaryNode{ - Operator: token.Value, - Node: expr, -+ }, token.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(token.Location) - return p.parsePostfixExpression(node) - } - } -@@ -290,8 +336,10 @@ func (p *parser) parsePrimary() Node { - p.next() - } - } -- node := &PointerNode{Name: name} -- node.SetLocation(token.Location) -+ node := p.createNode(&PointerNode{Name: name}, token.Location) -+ if node == nil { -+ return nil -+ } - return p.parsePostfixExpression(node) - } - } else { -@@ -320,23 +368,31 @@ func (p *parser) parseSecondary() Node { - p.next() - switch token.Value { - case "true": -- node := &BoolNode{Value: true} -- node.SetLocation(token.Location) -+ node = p.createNode(&BoolNode{Value: true}, token.Location) -+ if node == nil { -+ return nil -+ } - return node - case "false": -- node := &BoolNode{Value: false} -- node.SetLocation(token.Location) -+ node = p.createNode(&BoolNode{Value: false}, token.Location) -+ if node == nil { -+ return nil -+ } - return node - case "nil": -- node := &NilNode{} -- node.SetLocation(token.Location) -+ node = p.createNode(&NilNode{}, token.Location) -+ if node == nil { -+ return nil -+ } - return node - default: - if p.current.Is(Bracket, "(") { - node = p.parseCall(token, []Node{}, true) - } else { -- node = &IdentifierNode{Value: token.Value} -- node.SetLocation(token.Location) -+ node = p.createNode(&IdentifierNode{Value: token.Value}, token.Location) -+ if node == nil { -+ return nil -+ } - } - } - -@@ -383,8 +439,10 @@ func (p *parser) parseSecondary() Node { - return node - case String: - p.next() -- node = &StringNode{Value: token.Value} -- node.SetLocation(token.Location) -+ node = p.createNode(&StringNode{Value: token.Value}, token.Location) -+ if node == nil { -+ return nil -+ } - - default: - if token.Is(Bracket, "[") { -@@ -404,7 +462,7 @@ func (p *parser) toIntegerNode(number int64) Node { 
- p.error("integer literal is too large") - return nil - } -- return &IntegerNode{Value: int(number)} -+ return p.createNode(&IntegerNode{Value: int(number)}, p.current.Location) - } - - func (p *parser) toFloatNode(number float64) Node { -@@ -412,7 +470,7 @@ func (p *parser) toFloatNode(number float64) Node { - p.error("float literal is too large") - return nil - } -- return &FloatNode{Value: number} -+ return p.createNode(&FloatNode{Value: number}, p.current.Location) - } - - func (p *parser) parseCall(token Token, arguments []Node, checkOverrides bool) Node { -@@ -454,25 +512,34 @@ func (p *parser) parseCall(token Token, arguments []Node, checkOverrides bool) N - - p.expect(Bracket, ")") - -- node = &BuiltinNode{ -+ node = p.createNode(&BuiltinNode{ - Name: token.Value, - Arguments: arguments, -+ }, token.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(token.Location) - } else if _, ok := builtin.Index[token.Value]; ok && !p.config.Disabled[token.Value] && !isOverridden { -- node = &BuiltinNode{ -+ node = p.createNode(&BuiltinNode{ - Name: token.Value, - Arguments: p.parseArguments(arguments), -+ }, token.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(token.Location) -+ - } else { -- callee := &IdentifierNode{Value: token.Value} -- callee.SetLocation(token.Location) -- node = &CallNode{ -+ callee := p.createNode(&IdentifierNode{Value: token.Value}, token.Location) -+ if callee == nil { -+ return nil -+ } -+ node = p.createNode(&CallNode{ - Callee: callee, - Arguments: p.parseArguments(arguments), -+ }, token.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(token.Location) - } - return node - } -@@ -534,8 +601,10 @@ func (p *parser) parseArrayExpression(token Token) Node { - end: - p.expect(Bracket, "]") - -- node := &ArrayNode{Nodes: nodes} -- node.SetLocation(token.Location) -+ node := p.createNode(&ArrayNode{Nodes: nodes}, token.Location) -+ if node == nil { -+ return nil -+ } - return node - } - -@@ 
-561,8 +630,10 @@ func (p *parser) parseMapExpression(token Token) Node { - // * identifier, which is equivalent to a string - // * expression, which must be enclosed in parentheses -- (1 + 2) - if p.current.Is(Number) || p.current.Is(String) || p.current.Is(Identifier) { -- key = &StringNode{Value: p.current.Value} -- key.SetLocation(token.Location) -+ key = p.createNode(&StringNode{Value: p.current.Value}, p.current.Location) -+ if key == nil { -+ return nil -+ } - p.next() - } else if p.current.Is(Bracket, "(") { - key = p.parseExpression(0) -@@ -573,16 +644,20 @@ func (p *parser) parseMapExpression(token Token) Node { - p.expect(Operator, ":") - - node := p.parseExpression(0) -- pair := &PairNode{Key: key, Value: node} -- pair.SetLocation(token.Location) -+ pair := p.createNode(&PairNode{Key: key, Value: node}, token.Location) -+ if pair == nil { -+ return nil -+ } - nodes = append(nodes, pair) - } - - end: - p.expect(Bracket, "}") - -- node := &MapNode{Pairs: nodes} -- node.SetLocation(token.Location) -+ node := p.createNode(&MapNode{Pairs: nodes}, token.Location) -+ if node == nil { -+ return nil -+ } - return node - } - -@@ -607,8 +682,10 @@ func (p *parser) parsePostfixExpression(node Node) Node { - p.error("expected name") - } - -- property := &StringNode{Value: propertyToken.Value} -- property.SetLocation(propertyToken.Location) -+ property := p.createNode(&StringNode{Value: propertyToken.Value}, propertyToken.Location) -+ if property == nil { -+ return nil -+ } - - chainNode, isChain := node.(*ChainNode) - optional := postfixToken.Value == "?." 
-@@ -617,26 +694,33 @@ func (p *parser) parsePostfixExpression(node Node) Node { - node = chainNode.Node - } - -- memberNode := &MemberNode{ -+ memberNode := p.createMemberNode(&MemberNode{ - Node: node, - Property: property, - Optional: optional, -+ }, propertyToken.Location) -+ if memberNode == nil { -+ return nil - } -- memberNode.SetLocation(propertyToken.Location) - - if p.current.Is(Bracket, "(") { - memberNode.Method = true -- node = &CallNode{ -+ node = p.createNode(&CallNode{ - Callee: memberNode, - Arguments: p.parseArguments([]Node{}), -+ }, propertyToken.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(propertyToken.Location) - } else { - node = memberNode - } - - if isChain || optional { -- node = &ChainNode{Node: node} -+ node = p.createNode(&ChainNode{Node: node}, propertyToken.Location) -+ if node == nil { -+ return nil -+ } - } - - } else if postfixToken.Value == "[" { -@@ -650,11 +734,13 @@ func (p *parser) parsePostfixExpression(node Node) Node { - to = p.parseExpression(0) - } - -- node = &SliceNode{ -+ node = p.createNode(&SliceNode{ - Node: node, - To: to, -+ }, postfixToken.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(postfixToken.Location) - p.expect(Bracket, "]") - - } else { -@@ -668,25 +754,32 @@ func (p *parser) parsePostfixExpression(node Node) Node { - to = p.parseExpression(0) - } - -- node = &SliceNode{ -+ node = p.createNode(&SliceNode{ - Node: node, - 
From: from, - To: to, -+ }, postfixToken.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(postfixToken.Location) - p.expect(Bracket, "]") - - } else { - // Slice operator [:] was not found, - // it should be just an index node. -- node = &MemberNode{ -+ node = p.createNode(&MemberNode{ - Node: node, - Property: from, - Optional: optional, -+ }, postfixToken.Location) -+ if node == nil { -+ return nil - } -- node.SetLocation(postfixToken.Location) - if optional { -- node = &ChainNode{Node: node} -+ node = p.createNode(&ChainNode{Node: node}, postfixToken.Location) -+ if node == nil { -+ return nil -+ } - } - p.expect(Bracket, "]") - } -@@ -698,26 +791,29 @@ func (p *parser) parsePostfixExpression(node Node) Node { - } - return node - } -- - func (p *parser) parseComparison(left Node, token Token, precedence int) Node { - var rootNode Node - for { - comparator := p.parseExpression(precedence + 1) -- cmpNode := &BinaryNode{ -+ cmpNode := p.createNode(&BinaryNode{ - Operator: token.Value, - Left: left, - Right: comparator, -+ }, token.Location) -+ if cmpNode == nil { -+ return nil - } -- cmpNode.SetLocation(token.Location) - if rootNode == nil { - rootNode = cmpNode - } else { -- rootNode = &BinaryNode{ -+ rootNode = p.createNode(&BinaryNode{ - Operator: "&&", - Left: rootNode, - Right: cmpNode, -+ }, token.Location) -+ if rootNode == nil { -+ return nil - } -- rootNode.SetLocation(token.Location) - } - - left = comparator -diff --git a/vendor/github.com/expr-lang/expr/vm/utils.go b/vendor/github.com/expr-lang/expr/vm/utils.go -index fc2f5e7..1100513 100644 ---- a/vendor/github.com/expr-lang/expr/vm/utils.go -+++ b/vendor/github.com/expr-lang/expr/vm/utils.go -@@ -11,9 +11,6 @@ type ( - ) - - var ( -- // MemoryBudget represents an upper limit of memory usage. 
-- MemoryBudget uint = 1e6 -- - errorType = reflect.TypeOf((*error)(nil)).Elem() - ) - -diff --git a/vendor/github.com/expr-lang/expr/vm/vm.go b/vendor/github.com/expr-lang/expr/vm/vm.go -index 7e933ce..b497990 100644 ---- a/vendor/github.com/expr-lang/expr/vm/vm.go -+++ b/vendor/github.com/expr-lang/expr/vm/vm.go -@@ -11,6 +11,7 @@ import ( - "time" - - "github.com/expr-lang/expr/builtin" -+ "github.com/expr-lang/expr/conf" - "github.com/expr-lang/expr/file" - "github.com/expr-lang/expr/internal/deref" - "github.com/expr-lang/expr/vm/runtime" -@@ -20,11 +21,23 @@ func Run(program *Program, env any) (any, error) { - if program == nil { - return nil, fmt.Errorf("program is nil") - } -- - vm := VM{} - return vm.Run(program, env) - } - -+func RunWithConfig(program *Program, env any, config *conf.Config) (any, error) { -+ if program == nil { -+ return nil, fmt.Errorf("program is nil") -+ } -+ if config == nil { -+ return nil, fmt.Errorf("config is nil") -+ } -+ vm := VM{ -+ MemoryBudget: config.MemoryBudget, -+ } -+ return vm.Run(program, env) -+} -+ - func Debug() *VM { - vm := &VM{ - debug: true, -@@ -38,9 +51,9 @@ type VM struct { - Stack []any - Scopes []*Scope - Variables []any -+ MemoryBudget uint - ip int - memory uint -- memoryBudget uint - debug bool - step chan struct{} - curr chan int -@@ -76,7 +89,9 @@ func (vm *VM) Run(program *Program, env any) (_ any, err error) { - vm.Variables = make([]any, program.variables) - } - -- vm.memoryBudget = MemoryBudget -+ if vm.MemoryBudget == 0 { -+ vm.MemoryBudget = conf.DefaultMemoryBudget -+ } - vm.memory = 0 - vm.ip = 0 - -@@ -580,7 +595,7 @@ func (vm *VM) pop() any { - - func (vm *VM) memGrow(size uint) { - vm.memory += size -- if vm.memory >= vm.memoryBudget { -+ if vm.memory >= vm.MemoryBudget { - panic("memory budget exceeded") - } - } --- -2.48.1.431.g5a526e5e18 - diff --git a/SPECS/ig/ig.signatures.json b/SPECS/ig/ig.signatures.json deleted file mode 100644 index 07f4cc7d79..0000000000 
--- a/SPECS/ig/ig.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "ig-0.37.0-govendor-v1.tar.gz": "bc05262d7dc5a4585e8d9f8cac81577046312d5a7361c57c8280b826b81196ba", - "ig-0.37.0.tar.gz": "dde011c72ac3ccd4943b58bd9d240dcd6311c82a6c89904ecb77b86f727fe420" - } -} diff --git a/SPECS/ig/ig.spec b/SPECS/ig/ig.spec deleted file mode 100644 index 3511625457..0000000000 --- a/SPECS/ig/ig.spec +++ /dev/null 
@@ -1,114 +0,0 @@ -Summary: The eBPF tool and systems inspection framework for Kubernetes, containers and Linux hosts. -Name: ig -Version: 0.37.0 -Release: 5%{?dist} -License: Apache 2.0 and GPL 2.0 for eBPF code -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Tools/Container -URL: https://github.com/inspektor-gadget/inspektor-gadget -Source0: https://github.com/inspektor-gadget/inspektor-gadget/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: %{name}-%{version}-govendor-v1.tar.gz -Patch0: CVE-2025-27144.patch -Patch1: CVE-2025-29786.patch -Patch2: CVE-2025-22872.patch -BuildRequires: golang >= 1.23 - - -%description -Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, including many based on BCC tools, as well as some developed specifically for use in Inspektor Gadget. It automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information. - -This package contains ig, the local CLI flavor of Inspektor Gadget. 
- -%prep -%autosetup -N -n inspektor-gadget-%{version} -%setup -q -n inspektor-gadget-%{version} -T -D -a 1 -%autopatch -p1 - -%build -CGO_ENABLED=0 go build \ - -ldflags "-X github.com/inspektor-gadget/inspektor-gadget/internal/version.version=v%{version} \ - -X github.com/inspektor-gadget/inspektor-gadget/cmd/common/image.builderImage=ghcr.io/inspektor-gadget/ebpf-builder:v%{version} \ - -extldflags '-static'" \ - -tags "netgo" \ - -o ./bin/build/ig ./cmd/ig - -%install -mkdir -p "%{buildroot}/%{_bindir}" -install -D -m0755 bin/build/ig %{buildroot}/%{_bindir} - -%check -set -e -set -o pipefail - -# Inspektor Gadget provides unit tests but they rely on several components which -# are not present in the chroot used to build and test the package, among -# others: -# * runc: https://github.com/inspektor-gadget/inspektor-gadget/blob/3c8d1455525b/pkg/container-hook/tracer.go#L302 -# * dockerd: https://github.com/inspektor-gadget/inspektor-gadget/blob/3c8d1455525b/pkg/container-utils/testutils/docker.go#L67 -# Even if we recreate a proper testing environment, we will still have problems -# as, for example, the path tested will be inside the chroot while ig reports -# the full path from host point of view. -# For all these reasons, we will skip the unit tests and rather run a small -# integration test. -# Moreover, Inspektor Gadget CI covers Azure Linux extensively: -# https://github.com/inspektor-gadget/inspektor-gadget/pull/1186/commits/066bf618d158 -if [ -d /sys/kernel/debug/tracing ]; then - sleep inf & - sleep_pid=$! 
- ./bin/build/ig snapshot process --host | grep -qP "sleep\s+${sleep_pid}" - kill $sleep_pid -else - echo "Skipping ig check as prerequisites are not satisfied in the chroot" -fi - -%files -%license LICENSE -%license LICENSE-bpf.txt -%{_bindir}/ig - -%changelog -* Fri May 30 2025 Ranjan Dutta - 0.37.0-5 -- merge from Azure Linux 3.0.20250521-3.0 -- Patch CVE-2025-22872 - -* Fri Apr 28 2025 Ranjan Dutta - 0.37.0-3 -- merge from Azure Linux tag 3.0.20250423-3.0 -- Fix CVE-2025-29786 with an upstream patch -- Add patch for CVE-2025-27144 - -* Fri Mar 21 2025 Anuj Mittal - 0.37.0-2 -- Bump Release to rebuild - -* Mon Feb 03 2025 Francis Laniel - 0.37.0-1 -- Bump to version 0.37.0 -- Drop patch for CVE-2024-45338 as it was fixed in golang.org/x/net 0.33.0 and ig uses 0.34.0. - -* Tue Dec 31 2024 Rohit Rawat - 0.32.0-3 -- Add patch for CVE-2024-45338 - -* Tue Oct 15 2024 Muhammad Falak - 0.32.0-2 -- Pin golang version to <= 1.22 - -* Tue Sep 03 2024 Francis Laniel - 0.32.0-1 -- Bump to version 0.32.0 - -* Tue Aug 06 2024 Francis Laniel - 0.31.0-1 -- Bump to version 0.31.0 - -* Mon Jul 01 2024 Francis Laniel - 0.30.0-1 -- Bump to version 0.30.0 -- Update how binary version is set while building - -* Fri May 31 2024 Francis Laniel - 0.29.0-1 -- Bump to version 0.29.0 - -* Tue Mar 12 2024 Francis Laniel - 0.26.0-1 -- Bump to version 0.26.0 - -* Tue Mar 14 2023 Francis Laniel - 0.25.0-2 -- Fix %check. - -* Tue Feb 14 2023 Francis Laniel - 0.25.0-1 -- Original version for Azure Linux -- License Verified diff --git a/SPECS/influxdb/config.yaml b/SPECS/influxdb/config.yaml index d01dea66ab..87c3ee52b2 100644 --- a/SPECS/influxdb/config.yaml +++ b/SPECS/influxdb/config.yaml 
@@ -18,7 +18,6 @@ query-memory-bytes: 67108863
 # Allow to move storage to different directory
-# Metadata
-# bolt-path: /var/lib/influxdb/.influxdbv2/influxd.bolt
-# Time series data
-# engine-path: /var/lib/influxdb/.influxdbv2/engine
\ No newline at end of file
+bolt-path: /var/lib/influxdb/influxd.bolt
+engine-path: /var/lib/influxdb/engine
+nats-port: 4222
diff --git a/SPECS/influxdb/influxdb.signatures.json b/SPECS/influxdb/influxdb.signatures.json
index 8f4400e77a..e8cee76290 100644
--- a/SPECS/influxdb/influxdb.signatures.json
+++ b/SPECS/influxdb/influxdb.signatures.json
@@ -2,7 +2,7 @@
 "Signatures": {
 "influxdb-2.7.5-vendor.tar.gz": "190ddfeb625f24fc4791da536290cd15b919821666ae52a50d668536fc0f3cb8",
 "influxdb-2.7.5-static-data.tar.gz": "23e0f0503368bae46d41840934f3c907f3978cdbbc9a1f8f250e396b2d004842",
- "config.yaml": "f0eb56d58d2685bdfc16ee73d835f022c2df6905458381a972375449fde6170c",
+ "config.yaml": "d3c2224c67665929764d9056583df9796f71c36499ace0ef9dccd1df235d5ee5",
 "influxdb.service": "570fdbb685c8468f3c4e75b7f482bbc5c0ab4382ad2259a595e7839244747645",
 "influxdb-user.conf": "ca5a50bb6ca9f4fcb91d745d552e70af934fdad86196c535c4eb8699a20e7aa0",
 "influxdb.tmpfiles": "2e1880f1d7675464b93984a635e770f6f8ac1777d21a607f7e4d9d1480776f68",
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
index ca4e8b3728..5f9e66487b 100644
--- a/SPECS/influxdb/influxdb.spec
+++ b/SPECS/influxdb/influxdb.spec
@@ -18,7 +18,7 @@
 Summary: Scalable datastore for metrics, events, and real-time analytics
 Name: influxdb
 Version: 2.7.5
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
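Review bot: The newly active `bolt-path` and `engine-path` point at `/var/lib/influxdb/...`, whereas the commented examples they replace pointed at `/var/lib/influxdb/.influxdbv2/...`; if existing installations keep their data under the old location (not visible in this hunk), influxd would start on an empty metadata store after the upgrade, which presumably leaves the instance in its initial-setup state until someone onboards it. A comment above the two keys stating how existing data is carried over, for example `# upgrades: move .influxdbv2/influxd.bolt and .influxdbv2/engine here before first start`, or a migration step in the package scriptlets, would make the intent clear. Separately, `nats-port` is, as far as I know, deprecated and ignored by recent InfluxDB 2.x releases, so it is worth confirming that it has any effect on 2.7.5 before shipping it in the default config.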
@@ -156,6 +156,11 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf
 %changelog
+* Mon Sep 8 2025 Lee Chee Yang - 2.7.5-8
+- merge from Azure Linux 3.0.20250822-3.0.
+- Bump release to rebuild with rust
+- Updated config.yaml file to include boltpath, engine path and nats port
+
 * Fri May 30 2025 Ranjan Dutta - 2.7.5-6
 - merge from Azure Linux 3.0.20250521-3.0
 - Patch CVE-2025-22872
diff --git a/SPECS/iperf3/CVE-2025-54349.patch b/SPECS/iperf3/CVE-2025-54349.patch
new file mode 100644
index 0000000000..7867866f99
--- /dev/null
+++ b/SPECS/iperf3/CVE-2025-54349.patch
@@ -0,0 +1,93 @@
+From 79d560d64d50497717847bb2c12ede1f4a8ea7e9 Mon Sep 17 00:00:00 2001
+From: Sarah Larsen
+Date: Wed, 25 Jun 2025 15:11:03 +0000
+Subject: [PATCH] Fix off-by-one heap overflow in auth.
+
+Reported by Han Lee (Apple Information Security)
+CVE-2025-54349
+---
+ src/iperf_auth.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index 72e85fc..86b4eba 100644
+--- a/src/iperf_auth.c
++++ b/src/iperf_auth.c
+@@ -288,6 +288,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch
+ }
+
+ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) {
++ int ret =0;
+ #if OPENSSL_VERSION_MAJOR >= 3
+ EVP_PKEY_CTX *ctx;
+ #else
+@@ -310,7 +311,8 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ keysize = RSA_size(rsa);
+ #endif
+ rsa_buffer = OPENSSL_malloc(keysize * 2);
+- *plaintext = (unsigned char*)OPENSSL_malloc(keysize);
++ // Note: +1 for NULL
++ *plaintext = (unsigned char*)OPENSSL_malloc(keysize + 1);
+
+ BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len);
+ rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2);
+@@ -320,13 +322,15 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ padding = RSA_PKCS1_PADDING;
+ }
+ #if OPENSSL_VERSION_MAJOR >= 3
++
+ plaintext_len = keysize;
+ EVP_PKEY_decrypt_init(ctx);
+- int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
++
++ ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding);
+ if (ret < 0){
+ goto errreturn;
+ }
+- EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
++ ret = EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len);
+ EVP_PKEY_CTX_free(ctx);
+ #else
+ plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding);
+@@ -337,7 +341,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt
+ BIO_free(bioBuff);
+
+ /* Treat a decryption error as an empty string. */
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ plaintext_len = 0;
+ }
+
+@@ -386,24 +390,28 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva
+ int plaintext_len;
+ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding);
+ free(encrypted_b64);
+- if (plaintext_len < 0) {
++ if (plaintext_len <= 0) {
+ return -1;
+ }
++
+ plaintext[plaintext_len] = '\0';
+
+ char *s_username, *s_password;
+ s_username = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_username == NULL) {
++ OPENSSL_free(plaintext);
+ return -1;
+ }
+ s_password = (char *) calloc(plaintext_len, sizeof(char));
+ if (s_password == NULL) {
++ OPENSSL_free(plaintext);
+ free(s_username);
+ return -1;
+ }
+
+ int rc = sscanf((char *) plaintext, auth_text_format, s_username, s_password, &utc_seconds);
+ if (rc != 3) {
++ OPENSSL_free(plaintext);
+ free(s_password);
+ free(s_username);
+ return -1;
+--
+2.45.4
+
diff --git a/SPECS/iperf3/CVE-2025-54350.patch b/SPECS/iperf3/CVE-2025-54350.patch
new file mode 100644
index 0000000000..c26afc29d2
--- /dev/null
+++ b/SPECS/iperf3/CVE-2025-54350.patch
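Review bot: In `decode_auth_setting`, the early `if (plaintext_len <= 0) { return -1; }` still returns without releasing `plaintext`, although the same patch adds `OPENSSL_free(plaintext);` to the three later error paths; as far as the hunks show, `decrypt_rsa_message` allocates that buffer before it attempts decryption, so each failed or empty decryption of a client-supplied token would leak `keysize + 1` bytes. Adding `OPENSSL_free(plaintext);` before that `return -1;` would close it. In addition, `ret = EVP_PKEY_decrypt(...)` is now stored but not tested in the visible lines, so on the OpenSSL 3 path a failed decrypt appears to leave `plaintext_len` at the `keysize` it was initialised to; `if (ret <= 0) plaintext_len = 0;` after the call would make the "treat a decryption error as an empty string" comment hold. Both functions extend beyond the hunks shown, and since this is a backport the change is best raised upstream as well.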
@@ -0,0 +1,35 @@
+From 86bc637b483dc5de37f9a33583251bc08d32892e Mon Sep 17 00:00:00 2001
+From: "Bruce A. Mah"
+Date: Tue, 24 Jun 2025 15:58:21 -0700
+Subject: [PATCH] Prevent crash due to assertion failures on malformed
+ authentication attempt.
+
+Reported by Han Lee (Apple Information Security)
+CVE-2025-54350
+---
+ src/iperf_auth.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/iperf_auth.c b/src/iperf_auth.c
+index 72e85fc..b9f2bc0 100644
+--- a/src/iperf_auth.c
++++ b/src/iperf_auth.c
+@@ -28,7 +28,6 @@
+ #include "iperf_config.h"
+
+ #include
+-#include
+ #include
+ #include
+ /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */
+@@ -152,7 +151,6 @@ int Base64Decode(const char* b64message, unsigned char** buffer, size_t* length)
+
+ BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer
+ *length = BIO_read(bio, *buffer, strlen(b64message));
+- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong
+ BIO_free_all(bio);
+
+ return (0); //success
+--
+2.45.4
+
diff --git a/SPECS/iperf3/iperf3.spec b/SPECS/iperf3/iperf3.spec
index 6b5adf200c..3c8edabf0f 100644
--- a/SPECS/iperf3/iperf3.spec
+++ b/SPECS/iperf3/iperf3.spec
@@ -1,7 +1,7 @@
 Summary: A network performance benchmark tool.
 Name: iperf3
 Version: 3.17.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD and MIT and Public Domain
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -10,6 +10,8 @@ URL: https://github.com/esnet/iperf
 Source0: https://github.com/esnet/iperf/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch1: disablepg.patch
 Patch2: CVE-2024-53580.patch
+Patch3: CVE-2025-54350.patch
+Patch4: CVE-2025-54349.patch
 BuildRequires: autoconf >= 2.71
 BuildRequires: automake
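Review bot: With the `assert` removed, nothing in `Base64Decode` checks the result of `BIO_read`: `*length = BIO_read(bio, *buffer, strlen(b64message));` stores an `int` that can be zero or negative into a `size_t`, and the function still returns 0 for success. A malformed token then no longer aborts the process, but the caller may be handed a very large `*length`. Reading into a local and failing explicitly would be safer, e.g. `int n = BIO_read(bio, *buffer, strlen(b64message));` followed by `if (n < 0) { BIO_free_all(bio); return -1; }` and `*length = (size_t)n;`. Whether the callers test the return value cannot be seen here, because the rest of `Base64Decode` and its call sites lie outside this hunk.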
@@ -67,6 +69,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/libiperf.3.gz
 %changelog
+* Mon Aug 04 2025 Azure Linux Security Servicing Account - 3.17.1-3
+- Patch for CVE-2025-54350, CVE-2025-54349
+
 * Tue Dec 31 2024 Kanishk Bansal - 3.17.1-2
 - Address CVE-2024-53580 using an upstream patch.
diff --git a/SPECS/iputils/CVE-2025-47268.patch b/SPECS/iputils/CVE-2025-47268.patch
new file mode 100644
index 0000000000..949444bf49
--- /dev/null
+++ b/SPECS/iputils/CVE-2025-47268.patch
@@ -0,0 +1,137 @@
+From 33ebd21ac99d3e6ab2d51b6581cbec7e9fba17b6 Mon Sep 17 00:00:00 2001
+From: Petr Vorel
+Date: Mon, 5 May 2025 23:55:57 +0200
+Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation
+
+Crafted ICMP Echo Reply packet can cause signed integer overflow in
+
+1) triptime calculation:
+triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+
+2) tsum2 increment which uses triptime
+rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+
+3) final tmvar:
+tmvar = (rts->tsum2 / total) - (tmavg * tmavg)
+
+ $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ meson setup .. -Db_sanitize=address,undefined
+ $ ninja
+ $ ./ping/ping -c2 127.0.0.1
+
+ PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
+ ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
+ ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
+ ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
+ ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
+ ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
+ rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms
+
+To fix the overflow check allowed ranges of struct timeval members:
+* tv_sec <0, LONG_MAX/1000000>
+* tv_usec <0, 999999>
+
+Fix includes 2 new error messages (needs translation).
+Also existing message "time of day goes back ..." needed to be modified
+as it now prints tv->tv_sec which is a second (needs translation update).
+
+After fix:
+
+ $ ./ping/ping -c2 127.0.0.1
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
+ ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
+ rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms
+
+Fixes: https://github.com/iputils/iputils/issues/584
+Fixes: CVE-2025-472
+Link: https://github.com/Zephkek/ping-rtt-overflow/
+Co-developed-by: Cyril Hrubis
+Reported-by: Mohamed Maatallah
+Reviewed-by: Mohamed Maatallah
+Reviewed-by: Cyril Hrubis
+Signed-off-by: Petr Vorel
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/iputils/iputils/pull/585/commits/b41e4a10ab1f749a9bd149c608213c9704c3147f.patch
+---
+ iputils_common.h | 3 +++
+ ping/ping_common.c | 22 +++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 49e790d..829a749 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -10,6 +10,9 @@
+ !!__builtin_types_compatible_p(__typeof__(arr), \
+ __typeof__(&arr[0]))])) * 0)
+
++/* 1000001 = 1000000 tv_sec + 1 tv_usec */
++#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+ #else
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 73da26c..f44b2c0 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -744,16 +744,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
+
+ restamp:
+ tvsub(tv, &tmp_tv);
+- triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+- if (triptime < 0) {
+- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
++
++ if (tv->tv_usec >= 1000000) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 999999;
++ }
++
++ if (tv->tv_usec < 0) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 0;
++ }
++
++ if (tv->tv_sec > TV_SEC_MAX_VAL) {
++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
++ triptime = 0;
++ } else if (tv->tv_sec < 0) {
++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
+ triptime = 0;
+ if (!rts->opt_latency) {
+ gettimeofday(tv, NULL);
+ rts->opt_latency = 1;
+ goto restamp;
+ }
++ } else {
++ triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+ }
++
+ if (!csfailed) {
+ rts->tsum += triptime;
+ rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+--
+2.45.4
+
diff --git a/SPECS/iputils/CVE-2025-48964.patch b/SPECS/iputils/CVE-2025-48964.patch
new file mode 100644
index 0000000000..c553479c76
--- /dev/null
+++ b/SPECS/iputils/CVE-2025-48964.patch
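Review bot: In `gather_statistics`, a reply whose timestamp fails the new range checks is still counted as a valid sample with `triptime = 0`, so it flows into `rts->tsum` and `rts->tsum2` and apparently into the minimum as well; the "After fix" output in the commit message reports `min` as `0.000` for that run. A peer that sends crafted replies can therefore still skew the reported statistics without any overflow, so skipping the statistics update for such packets may be preferable to recording a zero. At the least, a comment on the `tv->tv_sec > TV_SEC_MAX_VAL` branch such as `/* out-of-range timestamp: sample is recorded as 0, not dropped */` would document the behaviour. The trailer `Fixes: CVE-2025-472` also looks truncated when compared with the patch file name, and the function body continues past the end of the hunk.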
@@ -0,0 +1,100 @@ +From 339a67ae9f589b2e42c9b932066208b34f272d97 Mon Sep 17 00:00:00 2001 +From: Cyril Hrubis +Date: Fri, 16 May 2025 17:57:10 +0200 +Subject: [PATCH] ping: Fix moving average rtt calculation + +The rts->rtt counts an exponential weight moving average in a fixed +point, that means that even if we limit the triptime to fit into a 32bit +number the average will overflow because because fixed point needs eight +more bits. + +We also have to limit the triptime to 32bit number because otherwise the +moving average may stil overflow if we manage to produce a large enough +triptime. + +Fixes: CVE-2025-48964 +Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772 +Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1 +Reported-by: Mohamed Maatallah +Reviewed-by: Petr Vorel +Tested-by: Petr Vorel +Reviewed-by: Michal Kubecek +Reviewed-by: Mohamed Maatallah +Signed-off-by: Cyril Hrubis +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c.patch +--- + iputils_common.h | 2 +- + ping/ping.h | 2 +- + ping/ping_common.c | 8 ++++---- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 829a749..1296905 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -11,7 +11,7 @@ + __typeof__(&arr[0]))])) * 0) + + /* 1000001 = 1000000 tv_sec + 1 tv_usec */ +-#define TV_SEC_MAX_VAL (LONG_MAX/1000001) ++#define TV_SEC_MAX_VAL (INT32_MAX/1000001) + + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) +diff --git a/ping/ping.h b/ping/ping.h +index a40c8f8..f5a5bb8 100644 +--- a/ping/ping.h ++++ b/ping/ping.h +@@ -191,7 +191,7 @@ struct ping_rts { + long tmax; /* maximum round trip time */ + double tsum; /* sum of all times, for doing average */ + double tsum2; +- int rtt; ++ uint64_t rtt; /* Exponential weight moving average calculated in fixed 
point */ + int rtt_addend; + uint16_t acked; + int pipesize; +diff --git a/ping/ping_common.c b/ping/ping_common.c +index f44b2c0..013a007 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -282,7 +282,7 @@ int __schedule_exit(int next) + + static inline void update_interval(struct ping_rts *rts) + { +- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000; ++ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000; + + rts->interval = (est + rts->rtt_addend + 500) / 1000; + if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS) +@@ -778,7 +778,7 @@ restamp: + if (triptime > rts->tmax) + rts->tmax = triptime; + if (!rts->rtt) +- rts->rtt = triptime * 8; ++ rts->rtt = ((uint64_t)triptime) * 8; + else + rts->rtt += triptime - rts->rtt / 8; + if (rts->opt_adaptive) +@@ -948,7 +948,7 @@ int finish(struct ping_rts *rts) + int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1); + + printf(_("%sipg/ewma %d.%03d/%d.%03d ms"), +- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000); ++ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000)); + } + putchar('\n'); + return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets)); +@@ -973,7 +973,7 @@ void status(struct ping_rts *rts) + fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"), + (long)rts->tmin / 1000, (long)rts->tmin % 1000, + tavg / 1000, tavg % 1000, +- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000); ++ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000); + } + fprintf(stderr, "\n"); + } +-- +2.45.4 + diff --git a/SPECS/iputils/iputils.spec b/SPECS/iputils/iputils.spec index a0b4d8de6a..291e7c7cd8 100644 --- a/SPECS/iputils/iputils.spec +++ b/SPECS/iputils/iputils.spec 
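Review bot: The new bound `TV_SEC_MAX_VAL (INT32_MAX/1000001)` in iputils_common.h does not keep triptime within 32 bits, which is what the commit message sets out to do. It evaluates to 2147, and with tv_sec == 2147 and tv_usec up to 999999 (the range the clamp in the CVE-2025-47268 patch allows) `tv_sec * 1000000 + tv_usec` reaches 2147999999, above INT32_MAX; the 1000001 divisor is only sufficient if tv_usec never exceeds tv_sec. The `(int)(rts->rtt / 8)` casts added in update_interval(), finish() and status() narrow a value that tracks triptime, so they can still go out of range. A tighter limit such as `#define TV_SEC_MAX_VAL (INT32_MAX/1000000 - 1)` would keep them in range. gather_statistics() is only partly visible in these hunks, so confirm against the full function.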
@@ -1,14 +1,16 @@ Summary: Programs for basic networking Name: iputils Version: 20240117 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD-3 AND GPLv2+ AND Rdisc Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/Communications URL: https://github.com/iputils/iputils Source0: https://github.com/iputils/iputils/archive/20240117.tar.gz#/%{name}-%{version}.tar.gz -Patch0: ping_test_ipv6_localhost.patch + +Patch0: CVE-2025-47268.patch +Patch1: CVE-2025-48964.patch BuildRequires: iproute BuildRequires: libcap-devel BuildRequires: libgcrypt-devel @@ -64,6 +66,10 @@ mv -f RELNOTES.tmp RELNOTES.old %exclude %{_datadir}/locale/ %changelog +* Wed Aug 06 2025 Azure Linux Security Servicing Account - 20240117-2 +- Patch for CVE-2025-48964, CVE-2025-47268 +- Remove patch for ping_test_ipv6_localhost as it causes test failure + * Thu Feb 01 2024 Suresh Thelkar - 20240117-1 - Upgrade to 20240117 diff --git a/SPECS/iputils/ping_test_ipv6_localhost.patch b/SPECS/iputils/ping_test_ipv6_localhost.patch deleted file mode 100644 index a857688c6c..0000000000 --- a/SPECS/iputils/ping_test_ipv6_localhost.patch +++ /dev/null 
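Review bot: Neither hunk of iputils.spec touches %prep, so whether the new `Patch0: CVE-2025-47268.patch` and `Patch1: CVE-2025-48964.patch` are actually applied depends on lines outside the diff. If %prep uses `%autosetup -p1`, both are picked up. If it applies patches by number (for example a lone `%patch0 -p1` left over from the removed ping_test_ipv6_localhost.patch), Patch1 would be declared but never applied, and the package would ship without the CVE-2025-48964 fix. The same check applies to the jq.spec hunk that adds Patch1 and Patch2. Confirming in the build log that each patch is listed as applied would settle it.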
@@ -1,26 +0,0 @@ -From 503d6e54847974d0b0d63f2354919c64cbda611d Mon Sep 17 00:00:00 2001 -From: Rachel Menge -Date: Fri, 18 Feb 2022 12:13:21 -0800 -Subject: [PATCH] Mark ping6 for localhost as expected failure - -Azure Linux does not map 'localhost' for ipv6 addresses ---- - test/ping/meson.build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/ping/meson.build b/test/ping/meson.build -index 11f15f5..7198369 100644 ---- a/test/ping/meson.build -+++ b/test/ping/meson.build -@@ -37,7 +37,7 @@ foreach dst : [ 'localhost', '127.0.0.1' ] + ipv6_dst - - if switch != '' - args = [switch] + args -- if (switch == '-4' and dst == '::1') or (switch == '-6' and dst == '127.0.0.1') -+ if (switch == '-4' and dst == '::1') or (switch == '-6' and dst == '127.0.0.1') or (switch == '-6' and dst == 'localhost') - should_fail = true - endif - endif --- -2.17.1 - diff --git a/SPECS/javapackages-bootstrap/CVE-2024-25710.patch b/SPECS/javapackages-bootstrap/CVE-2024-25710.patch new file mode 100644 index 0000000000..56dc3dc2c9 --- /dev/null +++ b/SPECS/javapackages-bootstrap/CVE-2024-25710.patch 
@@ -0,0 +1,52 @@ +From 74d2bf8a7f2ad282ebd0055c0f41ed2e6d1f5ea5 Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Fri, 16 May 2025 17:10:24 +0530 +Subject: [PATCH] Backport patch for CVE-2024-25710 + +Upstream Reference: https://github.com/apache/commons-compress/commit/8a9a5847c04ae39a1d45b365f8bb82022466067d +--- + .../commons/compress/archivers/dump/DumpArchiveUtil.java | 6 ++++++ + .../commons/compress/archivers/dump/TapeInputStream.java | 3 +++ + 2 files changed, 9 insertions(+) + +diff --git a/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java b/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java +index 80cd93588..0484d329b 100644 +--- a/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java ++++ b/src/main/java/org/apache/commons/compress/archivers/dump/DumpArchiveUtil.java +@@ -83,6 +83,9 @@ public static final long convert64(final byte[] buffer, final int offset) { + */ + static String decode(final ZipEncoding encoding, final byte[] b, final int offset, final int len) + throws IOException { ++ if (offset > offset + len) { ++ throw new IOException("Invalid offset/length combination"); ++ } + return encoding.decode(Arrays.copyOfRange(b, offset, offset + len)); + } + +@@ -103,6 +106,9 @@ public static final int getIno(final byte[] buffer) { + * @return Whether the buffer contains a tape segment header. + */ + public static final boolean verify(final byte[] buffer) { ++ if (buffer == null) { ++ return false; ++ } + // verify magic. for now only accept NFS_MAGIC. 
+ final int magic = convert32(buffer, 24); + +diff --git a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java +index 08d23f7f3..85735a189 100644 +--- a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java ++++ b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java +@@ -311,6 +311,9 @@ public void resetBlockSize(final int recsPerBlock, final boolean isCompressed) + + " records found, must be at least 1"); + } + blockSize = RECORD_SIZE * recsPerBlock; ++ if (blockSize < 1) { ++ throw new IOException("Block size cannot be less than or equal to 0: " + blockSize); ++ } + + // save first block in case we need it again + final byte[] oldBuffer = blockBuffer; +-- +2.34.1 + diff --git a/SPECS/javapackages-bootstrap/javapackages-bootstrap.spec b/SPECS/javapackages-bootstrap/javapackages-bootstrap.spec index 010f335573..7181b76a81 100644 --- a/SPECS/javapackages-bootstrap/javapackages-bootstrap.spec +++ b/SPECS/javapackages-bootstrap/javapackages-bootstrap.spec @@ -19,7 +19,7 @@ Name: javapackages-bootstrap Version: 1.14.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A means of bootstrapping Java Packages Tools # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING License: ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain @@ -154,6 +154,8 @@ Source1118: xmvn-jpb-4.2.0.tar.xz Source1119: xmvn-generator-1.2.1.tar.xz Source1120: xz-java-1.9.tar.xz +Patch0: CVE-2024-25710.patch + Provides: bundled(ant) = 1.10.14 Provides: bundled(aopalliance) = 1.0 Provides: bundled(apache-pom) = 30 
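Review bot: The added guard in TapeInputStream.resetBlockSize, `if (blockSize < 1)`, only catches an overflow of `RECORD_SIZE * recsPerBlock` that wraps to zero or a negative value; a large recsPerBlock can also wrap to a small positive int and pass. Computing the product with `Math.multiplyExact(RECORD_SIZE, recsPerBlock)` and converting the ArithmeticException into an IOException would reject every overflow. Similarly, `if (offset > offset + len)` in DumpArchiveUtil.decode rejects a negative len or a wrapped sum but not a negative offset, which would still surface from Arrays.copyOfRange as an unchecked ArrayIndexOutOfBoundsException rather than an IOException. Both method bodies continue outside the hunks shown.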
@@ -316,6 +318,10 @@ do tar -xf "${source}" done +pushd "downstream/commons-compress" +%patch -P 0 -p1 +popd + for patch_path in patches/*/* do package_name="$(echo ${patch_path} | cut -f2 -d/)" @@ -402,6 +408,9 @@ sed -i s/_xmvngen_/_jpbgen_/ %{buildroot}%{_fileattrsdir}/jpbgen.attr %doc AUTHORS %changelog +* Fri May 16 2025 Sudipta Pandit - 1.14.0-3 +- Add backported patch for CVE-2024-25710 + * Thu Mar 21 2024 Riken Maharjan - 1.14.0-2 - Change JAVA_HOME for xmvn to be msopenjdk location. - Upgrade to 1.14.0 - azl 3.0 diff --git a/SPECS/jq/CVE-2024-23337.patch b/SPECS/jq/CVE-2024-23337.patch new file mode 100644 index 0000000000..a0c0579762 --- /dev/null +++ b/SPECS/jq/CVE-2024-23337.patch 
@@ -0,0 +1,231 @@ +From f5147060e3339e81857283a61839af58464bca08 Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Mon, 26 May 2025 09:31:29 +0000 +Subject: [PATCH] Address CVE-2024-23337 + +Upstream Patch Reference: https://github.com/jqlang/jq/commit/de21386681c0df0104a99d9d09db23a9b2a78b1e + +--- + src/jv.c | 57 ++++++++++++++++++++++++++++++++++++++++----------- + src/jv_aux.c | 9 ++++---- + tests/jq.test | 4 ++++ + 3 files changed, 54 insertions(+), 16 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index 34573b8..15990f1 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1001,6 +1001,11 @@ jv jv_array_set(jv j, int idx, jv val) { + jv_free(val); + return jv_invalid_with_msg(jv_string("Out of bounds negative array index")); + } ++ if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) { ++ jv_free(j); ++ jv_free(val); ++ return jv_invalid_with_msg(jv_string("Array index too large")); ++ } + // copy/free of val,j coalesced + jv* slot = jvp_array_write(&j, idx); + jv_free(*slot); +@@ -1020,6 +1025,7 @@ jv jv_array_concat(jv a, jv b) { + // FIXME: could be faster + jv_array_foreach(b, i, elem) { + a = jv_array_append(a, elem); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1283,15 +1289,22 @@ jv jv_string_indexes(jv j, jv k) { + assert(JVP_HAS_KIND(k, JV_KIND_STRING)); + const char *jstr = jv_string_value(j); + const char *idxstr = jv_string_value(k); +- const char *p; ++ const char *p, *lp; + int jlen = jv_string_length_bytes(jv_copy(j)); + int idxlen = jv_string_length_bytes(jv_copy(k)); + jv a = jv_array(); + + if (idxlen != 0) { +- p = jstr; ++ int n = 0; ++ p = lp = jstr; + while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) { +- a = jv_array_append(a, jv_number(p - jstr)); ++ while (lp < p) { ++ lp += jvp_utf8_decode_length(*lp); ++ n++; ++ } ++ ++ a = jv_array_append(a, jv_number(n)); ++ if (!jv_is_valid(a)) break; + p++; + } + } +@@ -1314,14 +1327,17 @@ jv jv_string_split(jv j, jv sep) { + + if (seplen == 0) { + int c; +- 
while ((jstr = jvp_utf8_next(jstr, jend, &c))) ++ while ((jstr = jvp_utf8_next(jstr, jend, &c))) { + a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c)); ++ if (!jv_is_valid(a)) break; ++ } + } else { + for (p = jstr; p < jend; p = s + seplen) { + s = _jq_memmem(p, jend - p, sepstr, seplen); + if (s == NULL) + s = jend; + a = jv_array_append(a, jv_string_sized(p, s - p)); ++ if (!jv_is_valid(a)) break; + // Add an empty string to denote that j ends on a sep + if (s + seplen == jend && seplen != 0) + a = jv_array_append(a, jv_string("")); +@@ -1339,8 +1355,10 @@ jv jv_string_explode(jv j) { + const char* end = i + len; + jv a = jv_array_sized(len); + int c; +- while ((i = jvp_utf8_next(i, end, &c))) ++ while ((i = jvp_utf8_next(i, end, &c))) { + a = jv_array_append(a, jv_number(c)); ++ if (!jv_is_valid(a)) break; ++ } + jv_free(j); + return a; + } +@@ -1614,10 +1632,13 @@ static void jvp_object_free(jv o) { + } + } + +-static jv jvp_object_rehash(jv object) { ++static int jvp_object_rehash(jv *objectp) { ++ jv object = *objectp; + assert(JVP_HAS_KIND(object, JV_KIND_OBJECT)); + assert(jvp_refcnt_unshared(object.u.ptr)); + int size = jvp_object_size(object); ++ if (size > INT_MAX >> 2) ++ return 0; + jv new_object = jvp_object_new(size * 2); + for (int i=0; ivalue; ++ *valpp = &slot->value; ++ return 1; + } + slot = jvp_object_add_slot(*object, key, bucket); + if (slot) { + slot->value = jv_invalid(); + } else { +- *object = jvp_object_rehash(*object); ++ if (!jvp_object_rehash(object)) { ++ *valpp = NULL; ++ return 0; ++ } + bucket = jvp_object_find_bucket(*object, key); + assert(!jvp_object_find_slot(*object, key, bucket)); + slot = jvp_object_add_slot(*object, key, bucket); + assert(slot); + slot->value = jv_invalid(); + } +- return &slot->value; ++ *valpp = &slot->value; ++ return 1; + } + + static int jvp_object_delete(jv* object, jv key) { +@@ -1779,7 +1806,11 @@ jv jv_object_set(jv object, jv key, jv value) { + assert(JVP_HAS_KIND(object, 
JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(key, JV_KIND_STRING)); + // copy/free of object, key, value coalesced +- jv* slot = jvp_object_write(&object, key); ++ jv* slot; ++ if (!jvp_object_write(&object, key, &slot)) { ++ jv_free(object); ++ return jv_invalid_with_msg(jv_string("Object too big")); ++ } + jv_free(*slot); + *slot = value; + return object; +@@ -1804,6 +1835,7 @@ jv jv_object_merge(jv a, jv b) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + jv_object_foreach(b, k, v) { + a = jv_object_set(a, k, v); ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +@@ -1823,6 +1855,7 @@ jv jv_object_merge_recursive(jv a, jv b) { + jv_free(elem); + a = jv_object_set(a, k, v); + } ++ if (!jv_is_valid(a)) break; + } + jv_free(b); + return a; +diff --git a/src/jv_aux.c b/src/jv_aux.c +index 6004799..bbe1c0d 100644 +--- a/src/jv_aux.c ++++ b/src/jv_aux.c +@@ -193,18 +193,19 @@ jv jv_set(jv t, jv k, jv v) { + if (slice_len < insert_len) { + // array is growing + int shift = insert_len - slice_len; +- for (int i = array_len - 1; i >= end; i--) { ++ for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) { + t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i)); + } + } else if (slice_len > insert_len) { + // array is shrinking + int shift = slice_len - insert_len; +- for (int i = end; i < array_len; i++) { ++ for (int i = end; i < array_len && jv_is_valid(t); i++) { + t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i)); + } +- t = jv_array_slice(t, 0, array_len - shift); ++ if (jv_is_valid(t)) ++ t = jv_array_slice(t, 0, array_len - shift); + } +- for (int i=0; i < insert_len; i++) { ++ for (int i = 0; i < insert_len && jv_is_valid(t); i++) { + t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i)); + } + jv_free(v); +diff --git a/tests/jq.test b/tests/jq.test +index 7011cf9..cd650d4 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -198,6 +198,10 @@ null + [0,1,2] + [0,5,2] + ++try (.[999999999] = 0) catch . 
++null ++"Array index too large" ++ + # + # Multiple outputs, iteration + # +-- +2.45.2 + diff --git a/SPECS/jq/CVE-2025-48060.patch b/SPECS/jq/CVE-2025-48060.patch new file mode 100644 index 0000000000..34c56b49f0 --- /dev/null +++ b/SPECS/jq/CVE-2025-48060.patch @@ -0,0 +1,42 @@ +From b87793372b4a54b49fcb56b60e9b0f29795f521a Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Wed, 23 Jul 2025 03:35:30 +0000 +Subject: [PATCH] Fix CVE CVE-2025-48060 in jq + +Upstream Patch Reference: https://github.com/jqlang/jq/commit/c6e041699d8cd31b97375a2596217aff2cfca85b.patch +--- + src/jv.c | 1 + + tests/jq.test | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/src/jv.c b/src/jv.c +index 15990f1..18dbb54 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1125,6 +1125,7 @@ static jv jvp_string_empty_new(uint32_t length) { + jvp_string* s = jvp_string_alloc(length); + s->length_hashed = 0; + memset(s->data, 0, length); ++ s->data[length] = 0; + jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}}; + return r; + } +diff --git a/tests/jq.test b/tests/jq.test +index cd650d4..500e741 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2031,6 +2031,10 @@ map(try implode catch .) + [123,["a"],[nan]] + ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"] + ++try 0[implode] catch . ++[] ++"Cannot index number with string \"\"" ++ + # walk + walk(.) + {"x":0} +-- +2.45.2 + diff --git a/SPECS/jq/jq.spec b/SPECS/jq/jq.spec index fecbe587ea..52c3f9a1f6 100644 --- a/SPECS/jq/jq.spec +++ b/SPECS/jq/jq.spec 
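Review bot: In jv_object_set the new failure branch frees only `object` before returning the "Object too big" error, whereas the equivalent branch added to jv_array_set frees both `j` and `val`. The comment above the call says the function takes ownership of object, key and value, so `value` looks leaked on this path. Adding `jv_free(value);` next to `jv_free(object);` would match jv_array_set. Whether `key` also needs freeing depends on whether jvp_object_write has already consumed it when jvp_object_rehash fails; that part of the hunk is garbled in this view, so check it against the upstream source.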
@@ -1,13 +1,15 @@ Summary: jq is a lightweight and flexible command-line JSON processor. Name: jq Version: 1.7.1 -Release: 2%{?dist} +Release: 4%{?dist} Group: Applications/System Vendor: Microsoft Corporation License: MIT URL: https://jqlang.github.io/jq/ Source0: https://github.com/jqlang/jq/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz Patch0: CVE-2024-53427.patch +Patch1: CVE-2024-23337.patch +Patch2: CVE-2025-48060.patch Distribution: Azure Linux BuildRequires: bison BuildRequires: chrpath @@ -52,6 +54,7 @@ make check %license COPYING %{_bindir}/* %{_datadir}/* +%exclude %{_datadir}/doc/jq/COPYING %{_libdir}/libjq.so.* %{_libdir}/pkgconfig/libjq.pc @@ -60,6 +63,13 @@ make check %{_includedir}/* %changelog +* Wed Jul 23 2025 Azure Linux Security Servicing Account - 1.7.1-4 +- Patch for CVE-2025-48060 +- Updated files section to fix duplicated license files + +* Mon May 26 2025 Akhila Guruju - 1.7.1-3 +- Patch CVE-2024-23337 + * Wed Mar 05 2025 Kanishk Bansal - 1.7.1-2 - Patch CVE-2024-53427 diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index ca7f3c05ff..4a472b2162 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -3,7 +3,7 @@ Name: kata-containers-cc Version: 3.15.0.aks0 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 URL: https://github.com/microsoft/kata-containers @@ -28,7 +28,7 @@ BuildRequires: fuse-devel # kernel-uvm is required for debuggability, exercising confidential guest (confidential_guest=true) # code paths without actual SEV SNP enablement (sev_snp_guest=false) Requires: kernel-uvm -Requires: moby-containerd-cc +Requires: containerd2 # Must match the version specified by the `assets.virtiofsd.version` field in the source's versions.yaml. Requires: virtiofsd = 1.8.0 
@@ -150,6 +150,11 @@ fi %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service %changelog +* Mon Sep 8 2025 Lee Chee Yang - 3.15.0.aks0-4 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump release to rebuild with rust +- Update dependency on containerd2 + * Fri May 30 2025 Ranjan Dutta - 3.15.0.aks0-2 - merge from Azure Linux 3.0.20250521-3.0 - Auto-upgrade to 3.15.0.aks0 @@ -247,7 +252,7 @@ fi * Mon Aug 07 2023 CBL-Mariner Servicing Account - 0.6.0-2 - Bump release to rebuild with go 1.19.12 -* Tue Jul 11 2023 Dallas Delaney 0.6.0-1 +* Fri Jul 28 2023 Dallas Delaney 0.6.0-1 - Upgrade to version 0.6.0 * Thu Jul 13 2023 CBL-Mariner Servicing Account - 0.4.2-2 diff --git a/SPECS/kata-containers/kata-containers.signatures.json b/SPECS/kata-containers/kata-containers.signatures.json index 65431f2575..3d8c85ccea 100644 --- a/SPECS/kata-containers/kata-containers.signatures.json +++ b/SPECS/kata-containers/kata-containers.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "kata-containers-3.15.0.aks0.tar.gz": "14a1b95ab695935cc9e7ae326af02378010a04e6cb5735211beebab8e4074b40", - "kata-containers-3.15.0.aks0-cargo.tar.gz": "613cd7d1730b41699b9af2191c08df2107021cf9aca78ae7d88bf0c93644c0fe" + "kata-containers-3.18.0.kata0.tar.gz": "164ac643e28b022449d0361decdcaa67df59c4eb589ae9ee87ff14926020f9d4", + "kata-containers-3.18.0.kata0-cargo.tar.gz": "fa08007f886b70c8bb475fb35da13c3ac9315427f1e390f1a8d36887a000da45" } } diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index c875cb1170..66a30eef9f 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec 
@@ -1,8 +1,8 @@ %global debug_package %{nil} Name: kata-containers -Version: 3.15.0.aks0 -Release: 2%{?dist} +Version: 3.18.0.kata0 +Release: 3%{?dist} Summary: Kata Containers package developed for Pod Sandboxing on AKS License: ASL 2.0 URL: https://github.com/microsoft/kata-containers @@ -26,6 +26,7 @@ BuildRequires: cmake Requires: kernel-uvm # Must match the version specified by the `assets.virtiofsd.version` field in the source's versions.yaml. Requires: virtiofsd = 1.8.0 +Requires: containerd2 %description The Kata Containers package ships the Kata components for Pod Sandboxing on AKS. @@ -67,6 +68,7 @@ popd %{kata_bin}/kata-runtime %{defaults_kata}/configuration.toml +%{defaults_kata}/configuration-clh-debug.toml %{kata_shim_bin}/containerd-shim-kata-v2 @@ -92,6 +94,7 @@ popd %dir %{tools_pkg}/tools/osbuilder/image-builder %{tools_pkg}/tools/osbuilder/image-builder/image_builder.sh +%{tools_pkg}/tools/osbuilder/image-builder/nsdax.gpl.c %dir %{tools_pkg}/tools/osbuilder/node-builder %dir %{tools_pkg}/tools/osbuilder/node-builder/azure-linux @@ -112,6 +115,12 @@ popd %{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service %changelog +* Mon Sep 8 2025 Lee Chee Yang - 3.18.0.kata0-3 +- merge from Azure Linux 3.0.20250822-3.0. +- Add dependency on containerd2 +- Auto-upgrade to 3.18.0.kata0 +- Bump release to rebuild with rust + * Fri May 30 2025 Ranjan Dutta - 3.15.0.aks0-2 - merge from Azure Linux 3.0.20250521-3.0 - Auto-upgrade to 3.15.0.aks0 diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64 index d14eddbd62..830216ba24 100644 --- a/SPECS/kernel-64k/config_aarch64 +++ b/SPECS/kernel-64k/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.6.85.1 Kernel Configuration +# Linux/arm64 6.6.96.2 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y 
@@ -1173,7 +1173,6 @@ CONFIG_SKB_EXTENSIONS=y CONFIG_PACKET=y CONFIG_PACKET_DIAG=m CONFIG_UNIX=y -CONFIG_UNIX_SCM=y CONFIG_AF_UNIX_OOB=y CONFIG_UNIX_DIAG=m CONFIG_TLS=m @@ -2324,6 +2323,7 @@ CONFIG_PROC_EVENTS=y # CONFIG_ARM_SCMI_PROTOCOL=m # CONFIG_ARM_SCMI_RAW_MODE_SUPPORT is not set +# CONFIG_ARM_SCMI_DEBUG_COUNTERS is not set CONFIG_ARM_SCMI_HAVE_TRANSPORT=y CONFIG_ARM_SCMI_HAVE_SHMEM=y CONFIG_ARM_SCMI_TRANSPORT_MAILBOX=y @@ -3372,6 +3372,7 @@ CONFIG_MLX5_CORE_IPOIB=y CONFIG_MLX5_EN_IPSEC=y CONFIG_MLX5_EN_TLS=y CONFIG_MLX5_SW_STEERING=y +# CONFIG_MLX5_HW_STEERING is not set # CONFIG_MLX5_SF is not set CONFIG_MLXSW_CORE=m CONFIG_MLXSW_CORE_HWMON=y @@ -7585,6 +7586,7 @@ CONFIG_HID_THRUSTMASTER=m CONFIG_THRUSTMASTER_FF=y CONFIG_HID_UDRAW_PS3=m CONFIG_HID_U2FZERO=m +# CONFIG_HID_UNIVERSAL_PIDFF is not set CONFIG_HID_WACOM=m CONFIG_HID_WIIMOTE=m CONFIG_HID_XINMO=m @@ -10561,7 +10563,7 @@ CONFIG_CRYPTO_HASH=y CONFIG_CRYPTO_HASH2=y CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y -CONFIG_CRYPTO_RNG_DEFAULT=m +CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y @@ -10586,10 +10588,10 @@ CONFIG_CRYPTO_ENGINE=y # CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m -# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set -CONFIG_CRYPTO_ECC=m +CONFIG_CRYPTO_DH_RFC7919_GROUPS=y +CONFIG_CRYPTO_ECC=y CONFIG_CRYPTO_ECDH=m -# CONFIG_CRYPTO_ECDSA is not set +CONFIG_CRYPTO_ECDSA=y # CONFIG_CRYPTO_ECRDSA is not set # CONFIG_CRYPTO_SM2 is not set # CONFIG_CRYPTO_CURVE25519 is not set diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json index 885bd737bd..565a8b4478 100644 --- a/SPECS/kernel-64k/kernel-64k.signatures.json +++ b/SPECS/kernel-64k/kernel-64k.signatures.json 
@@ -1,10 +1,10 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config_aarch64": "0993f596a336aceaf8fc36349d76859091e963c1247d46f9a71feb8f0f02841c", + "config_aarch64": "d588d516f00f7fc2c5aa906befcd219ea1ca04e2c4d97aaffa53a32f31bdcda3", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.85.1.tar.gz": "4dab471d68ce07dd31e925788c128ff1c7d9a6d2c7e0a073bd8e6701514cfee6" + "kernel-6.6.96.2.tar.gz": "e367d388de5dd5c891377cba4022e0b5887b060b0f842a7aa2c5b05229b30f87" } } diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 897bc5a71d..3b4c14786c 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -14,6 +14,8 @@ %undefine _unique_debug_names %global _missing_build_ids_terminate_build 1 %global _no_recompute_build_ids 1 +# Prevent find_debuginfo.sh from removing the BTF section from modules +%define _find_debuginfo_opts --keep-section '.BTF' %ifarch aarch64 %global __provides_exclude_from %{_libdir}/debug/.build-id/ @@ -24,8 +26,8 @@ Summary: Linux Kernel Name: kernel-64k -Version: 6.6.85.1 -Release: 4%{?dist} +Version: 6.6.96.2 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,6 +72,10 @@ Requires: filesystem Requires: kmod Requires(post): coreutils Requires(postun): coreutils +Conflicts: kernel +Conflicts: kernel-ipe +Conflicts: kernel-lpg-innovate +Conflicts: kernel-rt %{?grub2_configuration_requires} # When updating the config files it is important to sanitize them. # Steps for updating a config file: 
@@ -142,6 +148,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. %package -n python3-perf-%{short_name} Summary: Python 3 extension for perf tools +Provides: python3-perf Requires: %{name} = %{version}-%{release} Requires: python3 @@ -150,6 +157,7 @@ This package contains the Python 3 extension for the 'perf' performance analysis %package -n bpftool-%{short_name} Summary: Inspection and simple manipulation of eBPF programs and maps +Provides: bpftool Requires: %{name} = %{version}-%{release} %description -n bpftool-%{short_name} @@ -371,6 +379,28 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Fri Aug 15 2025 CBL-Mariner Servicing Account - 6.6.96.2-1 +- Auto-upgrade to 6.6.96.2 + +* Thu Jul 17 2025 Rachel Menge - 6.6.96.1-2 +- Bump release to match kernel + +* Mon Jul 07 2025 CBL-Mariner Servicing Account - 6.6.96.1-1 +- Auto-upgrade to 6.6.96.1 + +* Mon Jun 16 2025 Harshit Gupta - 6.6.92.2-3 +- Add Conflicts with other kernels +- Rename bpftool and python3-perf to be kernel specific + +* Mon Jun 09 2025 Rachel Menge - 6.6.92.2-2 +- Prevent debuginfo from stripping BTF data + +* Fri May 30 2025 CBL-Mariner Servicing Account - 6.6.92.2-1 +- Auto-upgrade to 6.6.92.2 + +* Fri May 23 2025 CBL-Mariner Servicing Account - 6.6.90.1-1 +- Auto-upgrade to 6.6.90.1 + * Tue May 13 2025 Siddharth Chintamaneni - 6.6.85.1-4 - Added a new patch to EFI slack slots issue diff --git a/SPECS/kubernetes/CVE-2025-4563.patch b/SPECS/kubernetes/CVE-2025-4563.patch new file mode 100644 index 0000000000..d73c8767a3 --- /dev/null +++ b/SPECS/kubernetes/CVE-2025-4563.patch 
@@ -0,0 +1,199 @@ +From 3f3e38728b8cff51c68fcae662488edb59184a9e Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Mon, 30 Jun 2025 11:15:01 +0000 +Subject: [PATCH] Address CVE-2025-4563 + +Upstream patch reference: https://github.com/kubernetes/kubernetes/pull/131876/commits/1fde2b884c7110c5e253db7143b24bfd91202c4d + +--- + pkg/apis/core/validation/validation.go | 7 +++ + pkg/apis/core/validation/validation_test.go | 11 +++- + pkg/kubelet/config/common.go | 6 ++ + pkg/kubelet/config/common_test.go | 56 +++++++++++++++++++ + .../admission/noderestriction/admission.go | 4 ++ + .../noderestriction/admission_test.go | 9 +++ + 6 files changed, 92 insertions(+), 1 deletion(-) + +diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go +index ecccf969..98da9166 100644 +--- a/pkg/apis/core/validation/validation.go ++++ b/pkg/apis/core/validation/validation.go +@@ -3011,6 +3011,13 @@ func gatherPodResourceClaimNames(claims []core.PodResourceClaim) sets.Set[string + } + + func validatePodResourceClaim(podMeta *metav1.ObjectMeta, claim core.PodResourceClaim, podClaimNames *sets.Set[string], fldPath *field.Path) field.ErrorList { ++ // static pods don't support resource claims ++ if podMeta != nil { ++ if _, ok := podMeta.Annotations[core.MirrorPodAnnotationKey]; ok { ++ return field.ErrorList{field.Forbidden(field.NewPath(""), "static pods do not support resource claims")} ++ } ++ } ++ + var allErrs field.ErrorList + if claim.Name == "" { + allErrs = append(allErrs, field.Required(fldPath.Child("name"), "")) +diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go +index 6b837f21..ba1210fa 100644 +--- a/pkg/apis/core/validation/validation_test.go ++++ b/pkg/apis/core/validation/validation_test.go +@@ -26016,6 +26016,8 @@ func TestValidateDynamicResourceAllocation(t *testing.T) { + } + + failureCases := map[string]core.PodSpec{ ++ "static pod with resource claim reference": goodClaimReference, ++ 
"static pod with resource claim template": goodClaimTemplate, + "pod claim name with prefix": { + Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}}, + RestartPolicy: core.RestartPolicyAlways, +@@ -26144,7 +26146,14 @@ func TestValidateDynamicResourceAllocation(t *testing.T) { + }(), + } + for k, v := range failureCases { +- if errs := ValidatePodSpec(&v, nil, field.NewPath("field"), PodValidationOptions{}); len(errs) == 0 { ++ podMeta := shortPodName ++ if strings.HasPrefix(k, "static pod") { ++ podMeta = podMeta.DeepCopy() ++ podMeta.Annotations = map[string]string{ ++ core.MirrorPodAnnotationKey: "True", ++ } ++ } ++ if errs := ValidatePodSpec(&v.Spec, podMeta, field.NewPath("field"), PodValidationOptions{}); len(errs) == 0 { + t.Errorf("expected failure for %q", k) + } + } +diff --git a/pkg/kubelet/config/common.go b/pkg/kubelet/config/common.go +index 69d67126..a73d6372 100644 +--- a/pkg/kubelet/config/common.go ++++ b/pkg/kubelet/config/common.go +@@ -106,6 +106,9 @@ type defaultFunc func(pod *api.Pod) error + // A static pod tried to use a ClusterTrustBundle projected volume source. + var ErrStaticPodTriedToUseClusterTrustBundle = errors.New("static pods may not use ClusterTrustBundle projected volume sources") + ++// A static pod tried to use a resource claim. ++var ErrStaticPodTriedToUseResourceClaims = errors.New("static pods may not use ResourceClaims") ++ + // tryDecodeSinglePod takes data and tries to extract valid Pod config information from it. + func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v1.Pod, err error) { + // JSON is valid YAML, so this should work for everything. 
+@@ -152,6 +155,9 @@ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v + } + } + } ++ if len(v1Pod.Spec.ResourceClaims) > 0 { ++ return true, nil, ErrStaticPodTriedToUseResourceClaims ++ } + + return true, v1Pod, nil + } +diff --git a/pkg/kubelet/config/common_test.go b/pkg/kubelet/config/common_test.go +index f390b6f9..ae4f4473 100644 +--- a/pkg/kubelet/config/common_test.go ++++ b/pkg/kubelet/config/common_test.go +@@ -179,6 +179,62 @@ func TestDecodeSinglePodRejectsClusterTrustBundleVolumes(t *testing.T) { + } + } + ++func TestDecodeSinglePodRejectsResourceClaims(t *testing.T) { ++ grace := int64(30) ++ enableServiceLinks := v1.DefaultEnableServiceLinks ++ pod := &v1.Pod{ ++ TypeMeta: metav1.TypeMeta{ ++ APIVersion: "", ++ }, ++ ObjectMeta: metav1.ObjectMeta{ ++ Name: "test", ++ UID: "12345", ++ Namespace: "mynamespace", ++ }, ++ Spec: v1.PodSpec{ ++ RestartPolicy: v1.RestartPolicyAlways, ++ DNSPolicy: v1.DNSClusterFirst, ++ TerminationGracePeriodSeconds: &grace, ++ Containers: []v1.Container{{ ++ Name: "image", ++ Image: "test/image", ++ ImagePullPolicy: "IfNotPresent", ++ TerminationMessagePath: "/dev/termination-log", ++ TerminationMessagePolicy: v1.TerminationMessageReadFile, ++ SecurityContext: securitycontext.ValidSecurityContextWithContainerDefaults(), ++ Resources: v1.ResourceRequirements{ ++ Claims: []v1.ResourceClaim{{ ++ Name: "my-claim", ++ }}, ++ }, ++ }}, ++ ResourceClaims: []v1.PodResourceClaim{{ ++ Name: "my-claim", ++ ResourceClaimName: ptr.To("some-external-claim"), ++ }}, ++ SecurityContext: &v1.PodSecurityContext{}, ++ SchedulerName: v1.DefaultSchedulerName, ++ EnableServiceLinks: &enableServiceLinks, ++ }, ++ Status: v1.PodStatus{ ++ PodIP: "1.2.3.4", ++ PodIPs: []v1.PodIP{ ++ { ++ IP: "1.2.3.4", ++ }, ++ }, ++ }, ++ } ++ json, err := runtime.Encode(clientscheme.Codecs.LegacyCodec(v1.SchemeGroupVersion), pod) ++ if err != nil { ++ t.Errorf("unexpected error: %v", err) ++ } ++ _, _, err = 
tryDecodeSinglePod(json, noDefault) ++ if !errors.Is(err, ErrStaticPodTriedToUseResourceClaims) { ++ t.Errorf("Got error %q, want %q", err, ErrStaticPodTriedToUseResourceClaims) ++ } ++} ++ + func TestDecodePodList(t *testing.T) { + grace := int64(30) + enableServiceLinks := v1.DefaultEnableServiceLinks +diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go +index 9388ac52..c58dbc34 100644 +--- a/plugin/pkg/admission/noderestriction/admission.go ++++ b/plugin/pkg/admission/noderestriction/admission.go +@@ -283,6 +283,10 @@ func (p *Plugin) admitPodCreate(nodeName string, a admission.Attributes) error { + } + } + ++ if len(pod.Spec.ResourceClaims) > 0 { ++ return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference resourceclaims", nodeName)) ++ } ++ + return nil + } + +diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go +index 17bb2f50..10a8d99b 100644 +--- a/plugin/pkg/admission/noderestriction/admission_test.go ++++ b/plugin/pkg/admission/noderestriction/admission_test.go +@@ -401,6 +401,9 @@ func Test_nodePlugin_Admit(t *testing.T) { + pvcpod, _ := makeTestPod("ns", "mypvcpod", "mynode", true) + pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}} + ++ claimpod, _ := makeTestPod("ns", "myclaimpod", "mynode", true) ++ claimpod.Spec.ResourceClaims = []api.PodResourceClaim{{Name: "myclaim", ResourceClaimName: pointer.String("myexternalclaim")}} ++ + tests := []admitTestCase{ + // Mirror pods bound to us + { +@@ -882,6 +885,12 @@ func Test_nodePlugin_Admit(t *testing.T) { + attributes: admission.NewAttributesRecord(pvcpod, nil, podKind, pvcpod.Namespace, pvcpod.Name, podResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode), + err: "reference persistentvolumeclaims", + }, ++ { ++ name: "forbid 
create of pod referencing resourceclaim", ++ podsGetter: noExistingPods, ++ attributes: admission.NewAttributesRecord(claimpod, nil, podKind, claimpod.Namespace, claimpod.Name, podResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode), ++ err: "reference resourceclaim", ++ }, + + // My node object + { +-- +2.45.2 + diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 61d75e4713..c4a97b35cd 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.10 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -26,8 +26,9 @@ Patch4: CVE-2025-22869.patch Patch5: CVE-2024-51744.patch Patch6: CVE-2025-30204.patch Patch7: CVE-2025-22872.patch +Patch8: CVE-2025-4563.patch BuildRequires: flex-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: golang BuildRequires: rsync BuildRequires: systemd-devel @@ -277,6 +278,11 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.30.10-9 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-4563 +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 1.30.10-8 - merge from Azure Linux 3.0.20250521-3.0 - Patch CVE-2025-22872 diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index e0c6c29379..65e3c93c18 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -20,7 +20,7 @@ Summary: Container native virtualization Name: kubevirt Version: 1.2.0 -Release: 18%{?dist} +Release: 19%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux 
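Review bot: In the validation_test.go part of this patch the loop now calls `ValidatePodSpec(&v.Spec, podMeta, ...)`, but the unchanged context line above it declares `failureCases := map[string]core.PodSpec{`, so `v` is already a `core.PodSpec` and has no `Spec` field. As shown, that test file would not compile, and the regression tests for this fix would not run. The call should stay `ValidatePodSpec(&v, podMeta, field.NewPath("field"), PodValidationOptions{})`, and `shortPodName`, `goodClaimReference` and the `strings` import need to exist in the 1.30.10 tree, which is not visible here. The added tests in common_test.go and admission_test.go also set `ResourceClaimName` directly on `PodResourceClaim`, which looks like the API shape of a release newer than the 1.30.10 this spec builds, so a `go vet` or test build of the three packages is worth running. The production checks in validation.go, common.go and admission.go do not depend on the test files.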
@@ -43,7 +43,7 @@ Patch8: CVE-2025-22872.patch %global debug_package %{nil} BuildRequires: swtpm-tools BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: golang >= 1.21 BuildRequires: golang-packaging BuildRequires: pkgconfig @@ -280,6 +280,10 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.2.0-19 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 1.2.0-18 - merge from Azure Linux 3.0.20250521-3.0 - Patch CVE-2025-22872 diff --git a/SPECS/libbpf/0001-libbpf-Fix-buffer-overflow-in-bpf_object__init_prog.patch b/SPECS/libbpf/0001-libbpf-Fix-buffer-overflow-in-bpf_object__init_prog.patch new file mode 100644 index 0000000000..e807926174 --- /dev/null +++ b/SPECS/libbpf/0001-libbpf-Fix-buffer-overflow-in-bpf_object__init_prog.patch @@ -0,0 +1,101 @@ +From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001 +From: Viktor Malik +Date: Tue, 15 Apr 2025 17:50:14 +0200 +Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog + +As shown in [1], it is possible to corrupt a BPF ELF file such that +arbitrary BPF instructions are loaded by libbpf. This can be done by +setting a symbol (BPF program) section offset to a large (unsigned) +number such that

overflows and points +before the section data in the memory. + +Consider the situation below where: +- prog_start = sec_start + symbol_offset <-- size_t overflow here +- prog_end = prog_start + prog_size + + prog_start sec_start prog_end sec_end + | | | | + v v v v + .....................|################################|............ + +The report in [1] also provides a corrupted BPF ELF which can be used as +a reproducer: + + $ readelf -S crash + Section Headers: + [Nr] Name Type Address Offset + Size EntSize Flags Link Info Align + ... + [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040 + 0000000000000068 0000000000000000 AX 0 0 8 + + $ readelf -s crash + Symbol table '.symtab' contains 8 entries: + Num: Value Size Type Bind Vis Ndx Name + ... + 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp + +Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will +point before the actual memory where section 2 is allocated. + +This is also reported by AddressSanitizer: + + ================================================================= + ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490 + READ of size 104 at 0x7c7302fe0000 thread T0 + #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76) + #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856 + #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928 + #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930 + #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067 + #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090 + #6 0x000000400c16 in main /poc/poc.c:8 + #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) + #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) + #9 0x000000400b34 in _start (/poc/poc+0x400b34) + + 0x7c7302fe0000 is located 64 bytes before 104-byte region 
[0x7c7302fe0040,0x7c7302fe00a8) + allocated by thread T0 here: + #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b) + #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600) + #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018) + #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740 + +The problem here is that currently, libbpf only checks that the program +end is within the section bounds. There used to be a check +`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was +removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program +sections to support overriden weak functions"). + +Add a check for detecting the overflow of `sec_off + prog_sz` to +bpf_object__init_prog to fix this issue. + +[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md + +Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") +Reported-by: lmarch2 <2524158037@qq.com> +Signed-off-by: Viktor Malik +Signed-off-by: Andrii Nakryiko +Reviewed-by: Shung-Hsi Yu +Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md +Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com +--- + src/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libbpf.c b/src/libbpf.c +index b2591f5..56250b5 100644 +--- a/src/libbpf.c ++++ b/src/libbpf.c +@@ -896,7 +896,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data, + return -LIBBPF_ERRNO__FORMAT; + } + +- if (sec_off + prog_sz > sec_sz) { ++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) { + pr_warn("sec '%s': program at offset %zu crosses section boundary\n", + sec_name, sec_off); + return -LIBBPF_ERRNO__FORMAT; +-- +2.45.4 + diff --git a/SPECS/libbpf/CVE-2025-29481.patch b/SPECS/libbpf/CVE-2025-29481.patch deleted file mode 100644 index 6eb0104010..0000000000 --- a/SPECS/libbpf/CVE-2025-29481.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 61aa55706bb3792731eeab1496ece30c011ddb52 Mon Sep 17 00:00:00 2001 -From: jykanase -Date: Fri, 11 Apr 2025 12:07:55 +0000 -Subject: [PATCH] CVE-2025-29481 - -Upstream patch reference: https://lore.kernel.org/bpf/20250410073407.131211-1-vmalik@redhat.com/ ---- - src/libbpf.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libbpf.c b/src/libbpf.c -index 1b95c06..36ec2e0 100644 ---- a/src/libbpf.c -+++ b/src/libbpf.c -@@ -826,7 +826,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data, - return -LIBBPF_ERRNO__FORMAT; - } - -- if (sec_off + prog_sz > sec_sz) { -+ if (sec_off >= sec_sz || sec_off + prog_sz > sec_sz) { - pr_warn("sec '%s': program at offset %zu crosses section boundary\n", - sec_name, sec_off); - return -LIBBPF_ERRNO__FORMAT; --- -2.45.2 - diff --git a/SPECS/libbpf/libbpf.signatures.json b/SPECS/libbpf/libbpf.signatures.json index d3349ea891..f56e8b72f0 100644 --- a/SPECS/libbpf/libbpf.signatures.json +++ b/SPECS/libbpf/libbpf.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libbpf-1.2.2.tar.gz": "32b0c41eabfbbe8e0c8aea784d7495387ff9171b5a338480a8fbaceb9da8d5e5" + "libbpf-1.5.0.tar.gz": "53492aff6dd47e4da04ef5e672d753b9743848bdb38e9d90eafbe190b7983c44" } } diff --git a/SPECS/libbpf/libbpf.spec b/SPECS/libbpf/libbpf.spec index 2f3e277481..58a184b4f9 100644 --- a/SPECS/libbpf/libbpf.spec +++ b/SPECS/libbpf/libbpf.spec @@ -1,13 +1,13 @@ Summary: Libbpf library Name: libbpf -Version: 1.2.2 -Release: 3%{?dist} +Version: 1.5.0 +Release: 2%{?dist} License: LGPLv2 OR BSD Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit URL: https://github.com/%{name}/%{name} Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch0: CVE-2025-29481.patch +Patch0: 0001-libbpf-Fix-buffer-overflow-in-bpf_object__init_prog.patch BuildRequires: elfutils-devel BuildRequires: elfutils-libelf-devel 
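Review bot: `Patch0:` now points at `0001-libbpf-Fix-buffer-overflow-in-bpf_object__init_prog.patch`, and neither that file name nor the patch header shown in this diff carries a CVE id, while the 1.5.0-2 changelog entry still says "Patch CVE-2025-29481". Anyone auditing which CVEs this package has fixed, by patch name or by searching patch headers, has to infer the mapping from the removed `CVE-2025-29481.patch`, which touched the same bounds check. If the new patch is indeed the fix for that CVE, a comment above the entry would record it, for example `# CVE-2025-29481: upstream fix 806b4e0a9f65, libbpf: Fix buffer overflow in bpf_object__init_prog`. The commit id there is taken from the patch's `From` line.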
@@ -54,6 +54,11 @@ find %{buildroot} -type f -name "*.a" -delete -print %{_libdir}/pkgconfig/libbpf.pc %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.5.0-2 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-29481 +- Update to version 1.5.0 + * Thu Jul 3 2025 Ranjan Dutta - 1.2.2-3 - merge from Azure Linux 3.0.20250521-3.0 - Address CVE-2025-31498 with a patch diff --git a/SPECS/libcap/libcap.spec b/SPECS/libcap/libcap.spec index 8c665337a4..882f53ebf8 100644 --- a/SPECS/libcap/libcap.spec +++ b/SPECS/libcap/libcap.spec @@ -1,7 +1,7 @@ Summary: Libcap Name: libcap Version: 2.69 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Security URL: https://www.gnu.org/software/hurd/community/gsoc/project_ideas/libcap.html @@ -9,7 +9,7 @@ Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libca Patch0: CVE-2025-1390.patch Vendor: Microsoft Corporation Distribution: Azure Linux -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} %description The libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available @@ -62,6 +62,9 @@ sed -i '/echo "attempt to exploit kernel bug"/,/^fi$/d' quicktest.sh %{_mandir}/man3/* %changelog +* Thu May 22 2025 Kanishk Bansal - 2.69-5 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps anphel@microsoft.com - 2.69-4 - Bump to rebuild with updated glibc diff --git a/SPECS/libcxx/CVE-2024-31852.patch b/SPECS/libcxx/CVE-2024-31852.patch deleted file mode 100644 index feb7886cbf..0000000000 --- a/SPECS/libcxx/CVE-2024-31852.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/llvm/lib/Target/ARM/ARMFrameLowering.cpp -index eeb7f64..d39a949 100644 ---- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp -+++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp -@@ -2781,9 +2781,7 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF, - AFI->setLRIsSpilled(SavedRegs.test(ARM::LR)); - } - --void ARMFrameLowering::processFunctionBeforeFrameFinalized( -- MachineFunction &MF, RegScavenger *RS) const { -- TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); -+void ARMFrameLowering::updateLRRestored(MachineFunction &MF) { - - MachineFrameInfo &MFI = MF.getFrameInfo(); - if (!MFI.isCalleeSavedInfoValid()) -@@ -2808,6 +2806,12 @@ void ARMFrameLowering::processFunctionBeforeFrameFinalized( - } - } - -+void ARMFrameLowering::processFunctionBeforeFrameFinalized( -+ MachineFunction &MF, RegScavenger *RS) const { -+ TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); -+ updateLRRestored(MF); -+} -+ - void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF, - BitVector &SavedRegs) const { - TargetFrameLowering::getCalleeSaves(MF, SavedRegs); -diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h b/llvm/lib/Target/ARM/ARMFrameLowering.h -index 8d2b8be..a5ea9c4 100644 ---- a/llvm/lib/Target/ARM/ARMFrameLowering.h -+++ b/llvm/lib/Target/ARM/ARMFrameLowering.h -@@ -58,6 +58,10 @@ public: - BitVector &SavedRegs) const override; - void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs, - RegScavenger *RS) const override; -+ -+ /// Update the IsRestored flag on LR if it is spilled, based on the return -+ /// instructions. 
-+ static void updateLRRestored(MachineFunction &MF); - - void processFunctionBeforeFrameFinalized( - MachineFunction &MF, RegScavenger *RS = nullptr) const override; -diff --git a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -index ed9d30c..6121055 100644 ---- a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -+++ b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -@@ -2062,17 +2062,6 @@ bool ARMLoadStoreOpt::MergeReturnIntoLDM(MachineBasicBlock &MBB) { - MO.setReg(ARM::PC); - PrevMI.copyImplicitOps(*MBB.getParent(), *MBBI); - MBB.erase(MBBI); -- // We now restore LR into PC so it is not live-out of the return block -- // anymore: Clear the CSI Restored bit. -- MachineFrameInfo &MFI = MBB.getParent()->getFrameInfo(); -- // CSI should be fixed after PrologEpilog Insertion -- assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid"); -- for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) { -- if (Info.getReg() == ARM::LR) { -- Info.setRestored(false); -- break; -- } -- } - return true; - } - } -@@ -2120,14 +2109,22 @@ bool ARMLoadStoreOpt::runOnMachineFunction(MachineFunction &Fn) { - isThumb2 = AFI->isThumb2Function(); - isThumb1 = AFI->isThumbFunction() && !isThumb2; - -- bool Modified = false; -+ bool Modified = false, ModifiedLDMReturn = false; - for (MachineBasicBlock &MBB : Fn) { - Modified |= LoadStoreMultipleOpti(MBB); - if (STI->hasV5TOps() && !AFI->shouldSignReturnAddress()) -- Modified |= MergeReturnIntoLDM(MBB); -+ ModifiedLDMReturn |= MergeReturnIntoLDM(MBB); - if (isThumb1) - Modified |= CombineMovBx(MBB); - } -+ Modified |= ModifiedLDMReturn; -+ -+ // If we merged a BX instruction into an LDM, we need to re-calculate whether -+ // LR is restored. This check needs to consider the whole function, not just -+ // the instruction(s) we changed, because there may be other BX returns which -+ // still need LR to be restored. 
-+ if (ModifiedLDMReturn) -+ ARMFrameLowering::updateLRRestored(Fn); - - Allocator.DestroyAll(); - return Modified; -diff --git a/llvm/test/CodeGen/ARM/ldst-opt-lr-restored.ll b/llvm/test/CodeGen/ARM/ldst-opt-lr-restored.ll -new file mode 100644 -index 0000000..2fb0db9 ---- /dev/null -+++ b/llvm/test/CodeGen/ARM/ldst-opt-lr-restored.ll -@@ -0,0 +1,56 @@ -+; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py UTC_ARGS: --version 4 -+; RUN: llc -mtriple thumbv7a-none-eabi < %s | FileCheck %s -+ -+@val0 = global i32 0, align 4 -+@val1 = global i32 0, align 4 -+@val2 = global i32 0, align 4 -+ -+define i32 @foo(ptr %ctx) { -+; CHECK-LABEL: foo: -+; CHECK: @ %bb.0: @ %entry -+; CHECK-NEXT: cbz r0, .LBB0_2 -+; CHECK-NEXT: @ %bb.1: @ %if.end -+; CHECK-NEXT: movw r12, :lower16:val2 -+; CHECK-NEXT: movw r3, :lower16:val1 -+; CHECK-NEXT: movw r2, :lower16:val0 -+; CHECK-NEXT: mov r1, r0 -+; CHECK-NEXT: movs r0, #0 -+; CHECK-NEXT: movt r12, :upper16:val2 -+; CHECK-NEXT: movt r3, :upper16:val1 -+; CHECK-NEXT: movt r2, :upper16:val0 -+; CHECK-NEXT: str r2, [r1, #4] -+; CHECK-NEXT: str r3, [r1, #8] -+; CHECK-NEXT: str.w r12, [r1, #12] -+; CHECK-NEXT: str r0, [r1, #16] -+; CHECK-NEXT: bx lr -+; CHECK-NEXT: .LBB0_2: @ %if.then -+; CHECK-NEXT: .save {r7, lr} -+; CHECK-NEXT: push {r7, lr} -+; CHECK-NEXT: bl bar -+; CHECK-NEXT: mov.w r0, #-1 -+; CHECK-NEXT: pop {r7, pc} -+entry: -+ %tobool.not = icmp eq ptr %ctx, null -+ br i1 %tobool.not, label %if.then, label %if.end -+ -+if.then: ; preds = %entry -+ tail call void @bar() #2 -+ br label %return -+ -+if.end: ; preds = %entry -+ %cmd_a = getelementptr inbounds i8, ptr %ctx, i32 4 -+ store ptr @val0, ptr %cmd_a, align 4 -+ %cmd_b = getelementptr inbounds i8, ptr %ctx, i32 8 -+ store ptr @val1, ptr %cmd_b, align 4 -+ %cmd_c = getelementptr inbounds i8, ptr %ctx, i32 12 -+ store ptr @val2, ptr %cmd_c, align 4 -+ %cmd_d = getelementptr inbounds i8, ptr %ctx, i32 16 -+ store ptr null, ptr %cmd_d, align 4 -+ br 
label %return -+ -+return: ; preds = %if.end, %if.then -+ %retval.0 = phi i32 [ 0, %if.end ], [ -1, %if.then ] -+ ret i32 %retval.0 -+} -+ -+declare void @bar() -\ No newline at end of file diff --git a/SPECS/libcxx/libcxx.signatures.json b/SPECS/libcxx/libcxx.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/libcxx/libcxx.signatures.json +++ b/SPECS/libcxx/libcxx.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/libcxx/libcxx.spec b/SPECS/libcxx/libcxx.spec index eb88de5f5d..2796edee72 100644 --- a/SPECS/libcxx/libcxx.spec +++ b/SPECS/libcxx/libcxx.spec @@ -8,15 +8,14 @@ Summary: C++ standard library targeting C++11 Name: libcxx -Version: %{maj_ver}.1.2 -Release: 3%{?dist} +Version: %{maj_ver}.1.8 +Release: 1%{?dist} License: Apache-2.0 WITH LLVM-exception OR MIT OR NCSA Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: http://libcxx.llvm.org/ Source0: https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz -Patch0: CVE-2024-31852.patch BuildRequires: clang BuildRequires: cmake @@ -180,6 +179,10 @@ popd %{_libdir}/libunwind.a %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. +- Removed the patch for CVE-2024-31852 - already fixed in 18.1.3. + * Wed Oct 03 2024 Henry Li - 18.1.2-3 - Add patch to resolve CVE-2024-31852 diff --git a/SPECS/libgcrypt/libgcrypt.signatures.json b/SPECS/libgcrypt/libgcrypt.signatures.json index 7fc8fba391..99d89962b4 100644 --- a/SPECS/libgcrypt/libgcrypt.signatures.json +++ b/SPECS/libgcrypt/libgcrypt.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "libgcrypt-1.10.2.tar.bz2": "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03" + "libgcrypt-1.10.3.tar.bz2": "8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa" } } diff --git a/SPECS/libgcrypt/libgcrypt.spec b/SPECS/libgcrypt/libgcrypt.spec index dff63f243f..4d1316e032 100644 --- a/SPECS/libgcrypt/libgcrypt.spec +++ b/SPECS/libgcrypt/libgcrypt.spec @@ -1,6 +1,6 @@ Summary: GNU Crypto Libraries Name: libgcrypt -Version: 1.10.2 +Version: 1.10.3 Release: 1%{?dist} License: GPLv2+ and LGPLv2+ and BSD and MIT and Public Domain Vendor: Microsoft Corporation @@ -59,6 +59,9 @@ rm -rf %{buildroot}%{_infodir} %{_libdir}/pkgconfig/%{name}.pc %changelog +* Tue Jul 15 2025 Andrew Phelps - 1.10.3-1 +- Upgrade to 1.10.3 + * Tue Nov 21 2023 CBL-Mariner Servicing Account - 1.10.2-1 - Auto-upgrade to 1.10.2 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/libglvnd/CVE-2023-26819.patch b/SPECS/libglvnd/CVE-2023-26819.patch new file mode 100644 index 0000000000..ae95e58b34 --- /dev/null +++ b/SPECS/libglvnd/CVE-2023-26819.patch 
@@ -0,0 +1,98 @@ +From 02bebb13f150e1585dc799c84f04e2df0669dd45 Mon Sep 17 00:00:00 2001 +From: BinduSri-6522866 +Date: Mon, 30 Jun 2025 03:04:16 +0000 +Subject: [PATCH] Address CVE-2023-2681.patch + +Upstream Patch reference: https://github.com/DaveGamble/cJSON/commit/a328d65ad490b64da8c87523cbbfe16050ba5bf6 +--- + src/util/cJSON.c | 37 ++++++++++++++++++++++++++++++++----- + 1 file changed, 32 insertions(+), 5 deletions(-) + +diff --git a/src/util/cJSON.c b/src/util/cJSON.c +index b0bc3e8..4955fe6 100644 +--- a/src/util/cJSON.c ++++ b/src/util/cJSON.c +@@ -277,9 +277,11 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu + { + double number = 0; + unsigned char *after_end = NULL; +- unsigned char number_c_string[64]; ++ unsigned char *number_c_string; + unsigned char decimal_point = get_decimal_point(); + size_t i = 0; ++ size_t number_string_length = 0; ++ cJSON_bool has_decimal_point = false; + + if ((input_buffer == NULL) || (input_buffer->content == NULL)) + { +@@ -289,7 +291,7 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu + /* copy the number into a temporary buffer and replace '.' 
with the decimal point + * of the current locale (for strtod) + * This also takes care of '\0' not necessarily being available for marking the end of the input */ +- for (i = 0; (i < (sizeof(number_c_string) - 1)) && can_access_at_index(input_buffer, i); i++) ++ for (i = 0; can_access_at_index(input_buffer, i); i++) + { + switch (buffer_at_offset(input_buffer)[i]) + { +@@ -307,11 +309,12 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu + case '-': + case 'e': + case 'E': +- number_c_string[i] = buffer_at_offset(input_buffer)[i]; ++ number_string_length++; + break; + + case '.': +- number_c_string[i] = decimal_point; ++ number_string_length++; ++ has_decimal_point = true; + break; + + default: +@@ -319,11 +322,33 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu + } + } + loop_end: +- number_c_string[i] = '\0'; ++ /* malloc for temporary buffer, add 1 for '\0' */ ++ number_c_string = (unsigned char *) input_buffer->hooks.allocate(number_string_length + 1); ++ if (number_c_string == NULL) ++ { ++ return false; /* allocation failure */ ++ } ++ ++ memcpy(number_c_string, buffer_at_offset(input_buffer), number_string_length); ++ number_c_string[number_string_length] = '\0'; ++ ++ if (has_decimal_point) ++ { ++ for (i = 0; i < number_string_length; i++) ++ { ++ if (number_c_string[i] == '.') ++ { ++ /* replace '.' 
with the decimal point of the current locale (for strtod) */ ++ number_c_string[i] = decimal_point; ++ } ++ } ++ } + + number = strtod((const char*)number_c_string, (char**)&after_end); + if (number_c_string == after_end) + { ++ /* free the temporary buffer */ ++ input_buffer->hooks.deallocate(number_c_string); + return false; /* parse_error */ + } + +@@ -346,6 +371,8 @@ loop_end: + item->type = cJSON_Number; + + input_buffer->offset += (size_t)(after_end - number_c_string); ++ /* free the temporary buffer */ ++ input_buffer->hooks.deallocate(number_c_string); + return true; + } + +-- +2.45.3 + diff --git a/SPECS/libglvnd/libglvnd.spec b/SPECS/libglvnd/libglvnd.spec index 030de790b7..370fda7db7 100644 --- a/SPECS/libglvnd/libglvnd.spec +++ b/SPECS/libglvnd/libglvnd.spec @@ -3,7 +3,7 @@ Summary: The GL Vendor-Neutral Dispatch library Name: libglvnd Version: 1.7.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT AND GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,6 +15,7 @@ Patch1: 0001-glx-Add-another-fallback-library-name.patch Patch2: 0002-Adding-a-separate-conditional-to-disable-running-GLX.patch # this patch address both CVE-2019-11834 and CVE-2019-11835 Patch3: CVE-2019-11834.patch +Patch4: CVE-2023-26819.patch BuildRequires: gcc BuildRequires: libtool @@ -214,6 +215,9 @@ make check V=1 || \ %{_libdir}/pkgconfig/opengl.pc %changelog +* Mon Jun 30 2025 BinduSri Adabala - 1.7.0-3 +- Patch CVE-2023-26819. + * Tue Jun 04 2024 Nicolas Guibourge - 1.7.0-2 - Address CVE-2019-11834 and CVE-2019-11835. diff --git a/SPECS/libgpg-error/libgpg-error.signatures.json b/SPECS/libgpg-error/libgpg-error.signatures.json index fa18454b0c..1c7cdcf7cb 100644 --- a/SPECS/libgpg-error/libgpg-error.signatures.json +++ b/SPECS/libgpg-error/libgpg-error.signatures.json 
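Review bot: The patch header's Subject reads `Address CVE-2023-2681.patch`, which does not match the file name `CVE-2023-26819.patch`, the `Patch4:` line or the 1.7.0-3 changelog entry, all of which say CVE-2023-26819. The truncated id is a different CVE number, so a search of patch headers would attribute this fix to the wrong advisory. The Subject should read `[PATCH] Address CVE-2023-26819`. Patch headers are not applied as code, so this affects traceability only, not the build.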
@@ -1,5 +1,5 @@ { "Signatures": { - "libgpg-error-1.47.tar.bz2": "9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb" + "libgpg-error-1.48.tar.bz2": "89ce1ae893e122924b858de84dc4f67aae29ffa610ebf668d5aa539045663d6f" } -} +} \ No newline at end of file diff --git a/SPECS/libgpg-error/libgpg-error.spec b/SPECS/libgpg-error/libgpg-error.spec index 6551d6df9c..284edfebd9 100644 --- a/SPECS/libgpg-error/libgpg-error.spec +++ b/SPECS/libgpg-error/libgpg-error.spec @@ -1,6 +1,6 @@ Summary: libgpg-error Name: libgpg-error -Version: 1.47 +Version: 1.48 Release: 1%{?dist} License: GPLv2+ URL: https://gnupg.org/ @@ -75,6 +75,9 @@ make %{?_smp_mflags} check %defattr(-,root,root) %changelog +* Mon Jun 23 2025 Kavya Sree Kaitepalli - 1.48-1 +- Upgrade to version 1.48 to support gnupg2 + * Fri Nov 10 2023 Andrew Phelps - 1.47-1 - Upgrade to version 1.47 diff --git a/SPECS/libguestfs/libguestfs.spec b/SPECS/libguestfs/libguestfs.spec index 3b5eaed73e..6797cae3c5 100644 --- a/SPECS/libguestfs/libguestfs.spec +++ b/SPECS/libguestfs/libguestfs.spec @@ -25,7 +25,7 @@ Summary: Access and modify virtual machine disk images Name: libguestfs Version: 1.52.0 -Release: 13%{?dist} +Release: 14%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -82,7 +82,7 @@ BuildRequires: gcc-c++ BuildRequires: gdisk BuildRequires: genisoimage BuildRequires: gfs2-utils -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: gobject-introspection-devel BuildRequires: gperf BuildRequires: grep @@ -1147,6 +1147,10 @@ rm ocaml/html/.gitignore %endif %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.52.0-14 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 1.52.0-13 - merge from Azure Linux 3.0.20250521-3.0 - Bump to rebuild with updated glibc 
diff --git a/SPECS/libnvidia-container/libnvidia-container.signatures.json b/SPECS/libnvidia-container/libnvidia-container.signatures.json index fd5dabaa67..36bec2d03c 100644 --- a/SPECS/libnvidia-container/libnvidia-container.signatures.json +++ b/SPECS/libnvidia-container/libnvidia-container.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { "nvidia-modprobe-550.54.14.tar.gz": "5687b0dfa6087dd480ae91e91ff1dca975794e35a2edcf9ec08d8f9cb98ef905", - "libnvidia-container-1.17.4.tar.gz": "dca982cb83a5937c4533e707dc8fb1070496dff989d71319b64e698519b3a0b9" + "libnvidia-container-1.17.8.tar.gz": "4a85cb927954a4751b0695de03d6a49a3c79bb2fcaf687bbf1b7d081a956319f" } } diff --git a/SPECS/libnvidia-container/libnvidia-container.spec b/SPECS/libnvidia-container/libnvidia-container.spec index ede9248a20..fd259e2fab 100644 --- a/SPECS/libnvidia-container/libnvidia-container.spec +++ b/SPECS/libnvidia-container/libnvidia-container.spec @@ -3,8 +3,8 @@ %define mod_probe_dir deps/src/nvidia-modprobe-%{modprobe_version} Summary: NVIDIA container runtime library Name: libnvidia-container -Version: 1.17.4 -Release: 3%{?dist} +Version: 1.17.8 +Release: 1%{?dist} License: BSD AND ASL2.0 AND GPLv3+ AND LGPLv3+ AND MIT AND GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -135,6 +135,10 @@ This package contains command-line tools that facilitate using the library. %{_bindir}/* %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.17.8-1 +- merge from Azure Linux 3.0.20250822-3.0. +- Upgrade to version 1.17.8 in sync with nvidia-container-toolkit + * Fri Mar 21 2025 Anuj Mittal - 1.17.4-3 - Bump Release to rebuild diff --git a/SPECS/librsvg2/librsvg2.spec b/SPECS/librsvg2/librsvg2.spec index c7dbc0abaf..0cda5e56ac 100644 --- a/SPECS/librsvg2/librsvg2.spec +++ b/SPECS/librsvg2/librsvg2.spec @@ -8,7 +8,7 @@ Summary: An SVG library based on cairo Name: librsvg2 Version: 2.58.1 -Release: 2%{?dist} +Release: 4%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -125,6 +125,12 @@ rm -vrf %{buildroot}%{_docdir} %{_bindir}/rsvg-convert %changelog +* Mon Jul 21 2025 Jyoti Kanase - 2.58.1-4 +- Bump release to rebuild with rust + +* Tue Jun 10 2025 Kavya Sree Kaitepalli - 2.58.1-3 +- Bump release to rebuild with rust + * Mon Apr 21 2025 Kavya Sree Kaitepalli - 2.58.1-2 - Pin rust version diff --git a/SPECS/libsoup/CVE-2025-32907.patch b/SPECS/libsoup/CVE-2025-32907.patch new file mode 100644 index 0000000000..01c36f6e35 --- /dev/null +++ b/SPECS/libsoup/CVE-2025-32907.patch 
@@ -0,0 +1,259 @@ +From 9bb92f7a685e31e10e9e8221d0342280432ce836 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 15 Apr 2025 12:17:39 +0200 +Subject: [PATCH 1/2] soup-message-headers: Correct merge of ranges + +It had been skipping every second range, which generated an array +of a lot of insane ranges, causing large memory usage by the server. + +Closes #428 + +Part-of: +--- + libsoup/soup-message-headers.c | 1 + + tests/meson.build | 1 + + tests/server-mem-limit-test.c | 144 +++++++++++++++++++++++++++++++++ + 3 files changed, 146 insertions(+) + create mode 100644 tests/server-mem-limit-test.c + +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index 8eec4200..e799082b 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -1244,6 +1244,7 @@ soup_message_headers_get_ranges_internal (SoupMessageHeaders *hdrs, + if (cur->start <= prev->end) { + prev->end = MAX (prev->end, cur->end); + g_array_remove_index (array, i); ++ i--; + } + } + } +diff --git a/tests/meson.build b/tests/meson.build +index 02924c03..ac892359 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -103,6 +103,7 @@ tests = [ + {'name': 'samesite'}, + {'name': 'session'}, + {'name': 'server-auth'}, ++ {'name': 'server-mem-limit'}, + {'name': 'server'}, + {'name': 'sniffing', + 'depends': [test_resources], +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +new file mode 100644 +index 00000000..98f1c40f +--- /dev/null ++++ b/tests/server-mem-limit-test.c +@@ -0,0 +1,144 @@ ++/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 8 -*- */ ++/* ++ * Copyright (C) 2025 Red Hat ++ */ ++ ++#include "test-utils.h" ++ ++#include ++ ++/* ++ This test limits memory usage to trigger too large buffer allocation crash. ++ As restoring the limits back to what it was does not always work, it's split ++ out of the server-test.c test with copied minimal server code. 
++ */ ++ ++typedef struct { ++ SoupServer *server; ++ GUri *base_uri, *ssl_base_uri; ++ GSList *handlers; ++} ServerData; ++ ++static void ++server_setup_nohandler (ServerData *sd, gconstpointer test_data) ++{ ++ sd->server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); ++ sd->base_uri = soup_test_server_get_uri (sd->server, "http", NULL); ++ if (tls_available) ++ sd->ssl_base_uri = soup_test_server_get_uri (sd->server, "https", NULL); ++} ++ ++static void ++server_add_handler (ServerData *sd, ++ const char *path, ++ SoupServerCallback callback, ++ gpointer user_data, ++ GDestroyNotify destroy) ++{ ++ soup_server_add_handler (sd->server, path, callback, user_data, destroy); ++ sd->handlers = g_slist_prepend (sd->handlers, g_strdup (path)); ++} ++ ++static void ++server_setup (ServerData *sd, gconstpointer test_data) ++{ ++ server_setup_nohandler (sd, test_data); ++} ++ ++static void ++server_teardown (ServerData *sd, gconstpointer test_data) ++{ ++ GSList *iter; ++ ++ for (iter = sd->handlers; iter; iter = iter->next) ++ soup_server_remove_handler (sd->server, iter->data); ++ g_slist_free_full (sd->handlers, g_free); ++ ++ g_clear_pointer (&sd->server, soup_test_server_quit_unref); ++ g_clear_pointer (&sd->base_uri, g_uri_unref); ++ g_clear_pointer (&sd->ssl_base_uri, g_uri_unref); ++} ++ ++static void ++server_file_callback (SoupServer *server, ++ SoupServerMessage *msg, ++ const char *path, ++ GHashTable *query, ++ gpointer data) ++{ ++ void *mem; ++ ++ g_assert_cmpstr (path, ==, "/file"); ++ g_assert_cmpstr (soup_server_message_get_method (msg), ==, SOUP_METHOD_GET); ++ ++ mem = g_malloc0 (sizeof (char) * 1024 * 1024); ++ /* fedora-scan CI claims a warning about possibly leaked `mem` variable, thus use ++ the copy and free it explicitly, to workaround the false positive; the g_steal_pointer() ++ did not help for the malloc-ed memory */ ++ soup_server_message_set_response (msg, "application/octet-stream", SOUP_MEMORY_COPY, mem, sizeof (char) * 1024 *1024); 
++ soup_server_message_set_status (msg, SOUP_STATUS_OK, NULL); ++ g_free (mem); ++} ++ ++static void ++do_ranges_overlaps_test (ServerData *sd, gconstpointer test_data) ++{ ++ SoupSession *session; ++ SoupMessage *msg; ++ GString *range; ++ GUri *uri; ++ const char *chunk = ",0,0,0,0,0,0,0,0,0,0,0"; ++ ++ g_test_bug ("428"); ++ ++ #ifdef G_OS_WIN32 ++ g_test_skip ("Cannot run under windows"); ++ return; ++ #endif ++ ++ range = g_string_sized_new (99 * 1024); ++ g_string_append (range, "bytes=1024"); ++ while (range->len < 99 * 1024) ++ g_string_append (range, chunk); ++ ++ session = soup_test_session_new (NULL); ++ server_add_handler (sd, "/file", server_file_callback, NULL, NULL); ++ ++ uri = g_uri_parse_relative (sd->base_uri, "/file", SOUP_HTTP_URI_FLAGS, NULL); ++ ++ msg = soup_message_new_from_uri ("GET", uri); ++ soup_message_headers_append (soup_message_get_request_headers (msg), "Range", range->str); ++ ++ soup_test_session_send_message (session, msg); ++ ++ soup_test_assert_message_status (msg, SOUP_STATUS_PARTIAL_CONTENT); ++ ++ g_object_unref (msg); ++ ++ g_string_free (range, TRUE); ++ g_uri_unref (uri); ++ ++ soup_test_session_abort_unref (session); ++} ++ ++int ++main (int argc, char **argv) ++{ ++ int ret; ++ ++ test_init (argc, argv, NULL); ++ ++ #ifndef G_OS_WIN32 ++ struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* limit memory usage, to trigger too large memory allocation abort */ ++ g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #endif ++ ++ g_test_add ("/server-mem/range-overlaps", ServerData, NULL, ++ server_setup, do_ranges_overlaps_test, server_teardown); ++ ++ ret = g_test_run (); ++ ++ test_cleanup (); ++ return ret; ++} +-- +GitLab + + +From eeace39ec686094ff6a05a43e5fce06e9c37f376 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Tue, 13 May 2025 14:20:46 +0200 +Subject: [PATCH 2/2] server-mem-limit-test: Limit memory usage only when not + built witha sanitizer + +A build with 
-Db_sanitize=address crashes with failed mmap(), which is done +inside libasan. The test requires 20.0TB of virtual memory when running with +the sanitizer, which is beyond unsigned integer limits and may not trigger +the bug anyway. + +Part-of: +--- + meson.build | 4 ++++ + tests/server-mem-limit-test.c | 13 +++++++++---- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/meson.build b/meson.build +index 8772a0ea..b31a8791 100644 +--- a/meson.build ++++ b/meson.build +@@ -357,6 +357,10 @@ configinc = include_directories('.') + + prefix = get_option('prefix') + ++if get_option('b_sanitize') != 'none' ++ cdata.set_quoted('B_SANITIZE_OPTION', get_option('b_sanitize')) ++endif ++ + cdata.set_quoted('PACKAGE_VERSION', soup_version) + cdata.set_quoted('LOCALEDIR', join_paths(prefix, get_option('localedir'))) + cdata.set_quoted('GETTEXT_PACKAGE', libsoup_api_name) +diff --git a/tests/server-mem-limit-test.c b/tests/server-mem-limit-test.c +index 98f1c40f..65dc875e 100644 +--- a/tests/server-mem-limit-test.c ++++ b/tests/server-mem-limit-test.c +@@ -126,14 +126,19 @@ main (int argc, char **argv) + { + int ret; + +- test_init (argc, argv, NULL); +- +- #ifndef G_OS_WIN32 +- struct rlimit new_rlimit = { 1024 * 1024 * 64, 1024 * 1024 * 64 }; ++ /* a build with an address sanitizer may crash on mmap() with the limit, ++ thus skip the limit set in such case, even it may not necessarily ++ trigger the bug if it regresses */ ++ #if !defined(G_OS_WIN32) && !defined(B_SANITIZE_OPTION) ++ struct rlimit new_rlimit = { 1024UL * 1024UL * 1024UL * 2UL, 1024UL * 1024UL * 1024UL * 2UL }; + /* limit memory usage, to trigger too large memory allocation abort */ + g_assert_cmpint (setrlimit (RLIMIT_DATA, &new_rlimit), ==, 0); ++ #else ++ g_message ("server-mem-limit-test: Running without memory limit"); + #endif + ++ test_init (argc, argv, NULL); ++ + g_test_add ("/server-mem/range-overlaps", ServerData, NULL, + server_setup, do_ranges_overlaps_test, server_teardown); + +-- 
+GitLab + diff --git a/SPECS/libsoup/CVE-2025-4476.patch b/SPECS/libsoup/CVE-2025-4476.patch new file mode 100644 index 0000000000..da06eabba1 --- /dev/null +++ b/SPECS/libsoup/CVE-2025-4476.patch @@ -0,0 +1,34 @@ +From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 09:27:01 -0500 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 +Upstream Link: https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907 +--- + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d8bb2910..292f2045 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri) + if (uri && + g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 && + g_uri_get_port (uri) == g_uri_get_port (source_uri) && +- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri))) ++ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri))) + dir = g_strdup (g_uri_get_path (uri)); + else + dir = NULL; +-- +GitLab + diff --git a/SPECS/libsoup/CVE-2025-4948.patch b/SPECS/libsoup/CVE-2025-4948.patch new file mode 100644 index 0000000000..a662a16a7f --- /dev/null +++ b/SPECS/libsoup/CVE-2025-4948.patch 
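Review bot: The functional fix in `soup_message_headers_get_ranges_internal` is a bare `i--;` after `g_array_remove_index (array, i);`, and an index decrement inside a loop body is easy to mistake for a bug and drop in a later rebase. I would add a comment above it such as `/* the following range has moved into slot i; compare it against prev again */`. The loop header is outside the inner hunk, so the starting index cannot be confirmed from here. Note also that the second patch in this file raises the test's `RLIMIT_DATA` from 64 MiB to 2 GiB and skips the limit under a sanitizer, and its own comment concedes the test may then not catch a regression; the added test is a weaker guard than the first patch suggests.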
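Review bot: Switching to `g_strcmp0` in `soup_auth_digest_get_protection_space` removes the NULL dereference, but `g_strcmp0` treats two NULL strings as equal, so a `domain` URI without a host now matches whenever `g_uri_get_host (source_uri)` is also NULL. If `source_uri` always has a host this is harmless, but the hunk does not show that. An explicit `g_uri_get_host (uri) != NULL &&` ahead of the comparison would make the intent clear. Separately, the `Upstream Link:` hash in the patch header is one character shorter than the commit id on the `From` line (`...0907` versus `...0907c`); the full id keeps the provenance reference exact.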
@@ -0,0 +1,91 @@ +From 9045f1ae252a5bbda8b51335c81aca009c753838 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Thu, 15 May 2025 17:49:11 +0200 +Subject: [PATCH] soup-multipart: Verify boundary limits for multipart body + +It could happen that the boundary started at a place which resulted into +a negative number, which in an unsigned integer is a very large value. +Check the body size is not a negative value before setting it. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/449 + +Part-of: +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index 102ce37..a587fe7 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -204,7 +204,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers, + */ + part_body = g_bytes_new_from_bytes (body, // FIXME + split - body_data, +- end - 2 - split); ++ end - 2 >= split ? 
end - 2 - split : 0); + g_ptr_array_add (multipart->bodies, part_body); + + start = end; +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index ab5f41c..a3a0b36 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,45 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_too_large (void) ++{ ++ const char *raw_body = ++ "-------------------\r\n" ++ "-\n" ++ "Cont\"\r\n" ++ "Content-Tynt----e:n\x8erQK\r\n" ++ "Content-Disposition: name= form-; name=\"file\"; filename=\"ype:i/ -d; ----\xae\r\n" ++ "Content-Typimag\x01/png--\\\n" ++ "\r\n" ++ "---:\n\r\n" ++ "\r\n" ++ "-------------------------------------\r\n" ++ "---------\r\n" ++ "----------------------"; ++ GBytes *body; ++ GHashTable *params; ++ SoupMessageHeaders *headers; ++ SoupMultipart *multipart; ++ ++ params = g_hash_table_new (g_str_hash, g_str_equal); ++ g_hash_table_insert (params, (gpointer) "boundary", (gpointer) "-----------------"); ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_set_content_type (headers, "multipart/form-data", params); ++ g_hash_table_unref (params); ++ ++ body = g_bytes_new_static (raw_body, strlen (raw_body)); ++ multipart = soup_multipart_new_from_message (headers, body); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (body); ++ ++ g_assert_nonnull (multipart); ++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1); ++ g_assert_true (soup_multipart_get_part (multipart, 0, &headers, &body)); ++ g_assert_cmpint (g_bytes_get_size (body), ==, 0); ++ soup_multipart_free (multipart); ++} ++ + int + main (int argc, char **argv) + { +@@ -556,6 +595,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", 
test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); + +-- +2.45.4 + diff --git a/SPECS/libsoup/CVE-2025-4969.patch b/SPECS/libsoup/CVE-2025-4969.patch new file mode 100644 index 0000000000..7f18332301 --- /dev/null +++ b/SPECS/libsoup/CVE-2025-4969.patch 
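Review bot: The clamp `end - 2 >= split ? end - 2 - split : 0` in `soup_multipart_new_from_message` stops the size from wrapping, but it turns a malformed part into a valid-looking empty body instead of rejecting the message, and the added test pins exactly that (`soup_multipart_get_length` is 1 and `g_bytes_get_size (body)` is 0). Whether callers can safely treat a non-NULL `SoupMultipart` as well-formed depends on code outside the hunk. At minimum the choice should be documented at the call, e.g. `/* boundary precedes the part start: keep the part with an empty body */`. Unlike CVE-2025-4476.patch and CVE-2025-4969.patch, this patch header carries no upstream commit or merge-request reference (its `Part-of:` line is empty), which makes the backport harder to audit.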
@@ -0,0 +1,75 @@ +From 41e93c07278ce3d2f353c396045d757a7c4ed824 Mon Sep 17 00:00:00 2001 +From: Milan Crha +Date: Mon, 19 May 2025 17:48:27 +0200 +Subject: [PATCH] soup-multipart: Verify array bounds before accessing its + members + +The boundary could be at a place which, calculated, pointed +before the beginning of the array. Check the bounds, to avoid +read out of the array bounds. + +Closes https://gitlab.gnome.org/GNOME/libsoup/-/issues/447 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/467.patch +--- + libsoup/soup-multipart.c | 2 +- + tests/multipart-test.c | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c +index a587fe7..27257e4 100644 +--- a/libsoup/soup-multipart.c ++++ b/libsoup/soup-multipart.c +@@ -104,7 +104,7 @@ find_boundary (const char *start, const char *end, + continue; + + /* Check that it's at start of line */ +- if (!(b == start || (b[-1] == '\n' && b[-2] == '\r'))) ++ if (!(b == start || (b - start >= 2 && b[-1] == '\n' && b[-2] == '\r'))) + continue; + + /* Check for "--" or "\r\n" after boundary */ +diff --git a/tests/multipart-test.c b/tests/multipart-test.c +index a3a0b36..b07e4db 100644 +--- a/tests/multipart-test.c ++++ b/tests/multipart-test.c +@@ -527,6 +527,27 @@ test_multipart_bounds_bad (void) + g_bytes_unref (bytes); + } + ++static void ++test_multipart_bounds_bad_2 (void) ++{ ++ SoupMultipart *multipart; ++ SoupMessageHeaders *headers; ++ GBytes *bytes; ++ const char *raw_data = "\n--123\r\nline\r\n--123--\r"; ++ ++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART); ++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\""); ++ ++ bytes = g_bytes_new (raw_data, strlen (raw_data)); ++ ++ multipart = soup_multipart_new_from_message (headers, bytes); ++ g_assert_nonnull (multipart); ++ ++ 
soup_multipart_free (multipart); ++ soup_message_headers_unref (headers); ++ g_bytes_unref (bytes); ++} ++ + static void + test_multipart_too_large (void) + { +@@ -595,6 +616,7 @@ main (int argc, char **argv) + g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart); + g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good); + g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad); ++ g_test_add_func ("/multipart/bounds-bad-2", test_multipart_bounds_bad_2); + g_test_add_func ("/multipart/too-large", test_multipart_too_large); + + ret = g_test_run (); +-- +2.45.4 + diff --git a/SPECS/libsoup/libsoup.spec b/SPECS/libsoup/libsoup.spec index 0350327f7f..49df913c88 100644 --- a/SPECS/libsoup/libsoup.spec +++ b/SPECS/libsoup/libsoup.spec @@ -4,7 +4,7 @@ Summary: libsoup HTTP client/server library Name: libsoup Version: 3.4.4 -Release: 6%{?dist} +Release: 9%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -63,6 +63,10 @@ Patch13: CVE-2025-32051.patch Patch14: CVE-2025-46420.patch Patch15: CVE-2025-46421.patch Patch16: CVE-2025-32053.patch +Patch17: CVE-2025-4476.patch +Patch18: CVE-2025-32907.patch +Patch19: CVE-2025-4948.patch +Patch20: CVE-2025-4969.patch %description libsoup is HTTP client/server library for GNOME @@ -130,6 +134,16 @@ find %{buildroot} -type f -name "*.la" -delete -print %defattr(-,root,root) %changelog +* Tue Aug 12 2025 Azure Linux Security Servicing Account - 3.4.4-9 +- Patch for CVE-2025-4969 + +* Tue Jul 29 2025 Azure Linux Security Servicing Account - 3.4.4-8 +- Patch for CVE-2025-4948 + +* Fri Jun 13 2025 Kevin Lockwood - 3.4.4-7 +- Add patch for CVE-2025-4476 +- Add patch for CVE-2025-32907 + * Wed May 7 2025 Bhagyashri Pathak - 3.4.4-6 - Patch for CVE-2025-32053 diff --git a/SPECS/libssh/CVE-2025-5318.patch b/SPECS/libssh/CVE-2025-5318.patch new file mode 100644 index 0000000000..8e4cd3213a --- /dev/null 
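Review bot: The added test `test_multipart_bounds_bad_2` asserts only `g_assert_nonnull (multipart)`, so it passes with or without the new `b - start >= 2` guard in `find_boundary` unless the suite runs under a memory checker. An out-of-bounds read of two bytes before the buffer rarely crashes on its own, so the test documents the input more than it guards the fix. Adding an assertion on the parsed result, for instance on `soup_multipart_get_length (multipart)` as the sibling `test_multipart_too_large` does, would make a regression visible in a plain `%check` run.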
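Review bot: `Patch19` and `Patch20` in libsoup.spec are order-dependent and the spec does not say so. CVE-2025-4969.patch is generated on top of CVE-2025-4948.patch: its `index a587fe7..27257e4` line starts from the blob the earlier patch produces (`index 102ce37..a587fe7`), and its test hunk uses `test_multipart_too_large` as context. A comment above the two entries, e.g. `# CVE-2025-4969.patch applies on top of CVE-2025-4948.patch; keep this order`, would stop a later reshuffle from breaking `%prep`. How the patches are applied is outside the hunk.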
+++ b/SPECS/libssh/CVE-2025-5318.patch @@ -0,0 +1,27 @@ +From b950d47ae47367a53ff3f5dc8021fc02dfcae17d Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 14:19:59 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5318 in libssh + +[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=5f4ffda88770f95482fd0e66aa44106614dbf466 +--- + src/sftpserver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index 9117f15..b3349e1 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -538,7 +538,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle){ + + memcpy(&val, ssh_string_data(handle), sizeof(uint32_t)); + +- if (val > SFTP_HANDLES) { ++ if (val >= SFTP_HANDLES) { + return NULL; + } + +-- +2.45.3 + diff --git a/SPECS/libssh/CVE-2025-5351.patch b/SPECS/libssh/CVE-2025-5351.patch new file mode 100644 index 0000000000..b974218dc0 --- /dev/null +++ b/SPECS/libssh/CVE-2025-5351.patch 
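Review bot: The corrected bound `val >= SFTP_HANDLES` in `sftp_handle` is only as good as the 4-byte read that feeds it. The context line `memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));` copies a fixed size from a peer-supplied string, and the hunk does not show whether the length of `handle` is validated first. The function starts and ends outside the hunk, so please confirm that such a check precedes the `memcpy` in the 0.10.6 source being patched. Because the header marks the change `[AI Backported]`, it is also worth stating in the changelog that the one-line result was compared against the referenced upstream commit.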
@@ -0,0 +1,34 @@ +From 5f21b769c263f77db24b7a2757a7394608e3c4a4 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 14:07:05 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5351 in libssh + +Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=6ddb730a27338983851248af59b128b995aad256 +--- + src/pki_crypto.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index 5b0d7de..aec4954 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + bignum_safe_free(bn); + bignum_safe_free(be); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + break; + } +@@ -2143,6 +2144,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + */ + #if 0 + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + if (key->type == SSH_KEYTYPE_SK_ECDSA && +-- +2.45.3 + diff --git a/SPECS/libssh/CVE-2025-5372.patch b/SPECS/libssh/CVE-2025-5372.patch new file mode 100644 index 0000000000..efec56e89a --- /dev/null +++ b/SPECS/libssh/CVE-2025-5372.patch 
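Review bot: The second added `params = NULL;` (inner hunk `@@ -2143,6 +2144,7 @@` of `pki_publickey_to_blob`) sits between `#if 0` and `#endif`, as its context lines show, so it is compiled out and only the first inner hunk changes behaviour. That is harmless, because the `OSSL_PARAM_free(params);` next to it is compiled out as well, but the patch description should say so; otherwise a reader counts two fixed sites where there is one. The cleanup path that would free `params` a second time is outside both hunks, so confirm that it tolerates NULL, which is what the reset relies on.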
@@ -0,0 +1,148 @@ +From a9d8a3d44829cf9182b252bc951f35fb0d573972 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 May 2025 14:07:58 +0200 +Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling of + return codes in ssh_kdf() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/patch/?id=a9d8a3d44829cf9182b252bc951f35fb0d573972 +--- + src/libcrypto.c | 63 ++++++++++++++++++++++--------------------------- + 1 file changed, 28 insertions(+), 35 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 911b363..aa48c67 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + uint8_t key_type, unsigned char *output, + size_t requested_len) + { +- int rc = -1; ++ int ret = SSH_ERROR, rv; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); + #else +@@ -185,90 +185,83 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + } + + #if OPENSSL_VERSION_NUMBER < 0x30000000L +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, + sshkdf_digest_to_md(crypto->digest_type)); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + crypto->secret_hash, crypto->digest_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + 
crypto->session_id, crypto->session_id_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_derive(ctx, output, requested_len); +- if (rc != 1) { ++ rv = EVP_KDF_derive(ctx, output, requested_len); ++ if (rv != 1) { + goto out; + } + #else +- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST, ++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST, + md, strlen(md)); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY, + key, key_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_KDF_PARAM_SSHKDF_XCGHASH, + crypto->secret_hash, + crypto->digest_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_KDF_PARAM_SSHKDF_SESSION_ID, + crypto->session_id, + crypto->session_id_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE, ++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE, + (const char*)&key_type, 1); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (params == NULL) { +- rc = -1; + goto out; + } + +- rc = EVP_KDF_derive(ctx, output, requested_len, params); +- if (rc != 1) { +- rc = -1; ++ rv = EVP_KDF_derive(ctx, output, requested_len, params); ++ if (rv != 1) { + goto out; + } + #endif /* OPENSSL_VERSION_NUMBER */ +- ++ ret = SSH_OK; + out: + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_free(params); + #endif + EVP_KDF_CTX_free(ctx); +- if (rc < 0) { +- return rc; ++ if 
(ret < 0) { ++ return ret; + } + return 0; + } +-- +2.34.1 + diff --git a/SPECS/libssh/CVE-2025-5987.patch b/SPECS/libssh/CVE-2025-5987.patch new file mode 100644 index 0000000000..7b960399be --- /dev/null +++ b/SPECS/libssh/CVE-2025-5987.patch @@ -0,0 +1,30 @@ +From 3f1f9958b798bffbf2968306712aea63d93eebf9 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 10 Jul 2025 14:19:53 +0000 +Subject: [PATCH] Fix CVE CVE-2025-5987 in libssh + +[AI Backported] Upstream Patch Reference: https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57 +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 4f945d9..911b363 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -777,9 +777,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); + goto out; + } +-- +2.45.3 + diff --git a/SPECS/libssh/libssh.spec b/SPECS/libssh/libssh.spec index 238cea54e0..3604070ed8 100644 --- a/SPECS/libssh/libssh.spec +++ b/SPECS/libssh/libssh.spec @@ -2,7 +2,7 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Name: libssh Version: 0.10.6 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org 
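Review bot: After this change `ret` in `ssh_kdf` only ever holds `SSH_ERROR` or `SSH_OK`, so the tail `if (ret < 0) { return ret; } return 0;` is redundant and reads as if a third outcome existed. A plain `return ret;` states the contract directly, assuming `SSH_OK` is 0 as the existing `return 0` implies. More important for callers, nothing in the hunk clears `output` on the `goto out` paths, so the function comment should state that `output` must not be used as key material unless the return value is `SSH_OK`. The beginning of `ssh_kdf` is outside the inner hunk.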
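Review bot: The fix in `chacha20_poly1305_set_key` moves one `EVP_EncryptInit_ex` result from `ret` to `rv`, but the rest of the function is outside the hunk, so it is not visible whether any other call still assigns to `ret` and can leave a success value behind on a later failure. Please confirm that against the full function, since the header marks this as `[AI Backported]`. A small point in the context lines: the log text `"EVP_CipherInit failed"` names a different function from the `EVP_EncryptInit_ex` call that failed, which will mislead anyone triaging from logs.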
@@ -12,6 +12,10 @@ Source1: https://www.libssh.org/files/0.10/%{name}-%{version}.tar.xz.asc Source2: https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring Source3: libssh_client.config Source4: libssh_server.config +Patch0: CVE-2025-5987.patch +Patch1: CVE-2025-5372.patch +Patch2: CVE-2025-5351.patch +Patch3: CVE-2025-5318.patch BuildRequires: cmake BuildRequires: gcc-c++ @@ -144,6 +148,9 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Thu Jul 10 2025 Azure Linux Security Servicing Account - 0.10.6-2 +- Patch for CVE-2025-5987, CVE-2025-5372, CVE-2025-5351, CVE-2025-5318 + * Tue Feb 25 2025 CBL-Mariner Servicing Account - 0.10.6-1 - Auto-upgrade to 0.10.6 - for CVE-2023-6004, CVE-2023-6918 & CVE-2023-48795 [Medium] diff --git a/SPECS/libtiff/CVE-2025-8176.patch b/SPECS/libtiff/CVE-2025-8176.patch new file mode 100644 index 0000000000..fa0f9c153a --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8176.patch 
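Review bot: `Patch0` is new in libssh.spec, so these look like the first patches the spec has carried; please check that `%prep` actually applies them (for example through `%autosetup -p1`). `%prep` is outside the hunk, and a spec that still uses a plain `%setup` would ship an unpatched 0.10.6 while the changelog claims four CVEs are fixed. The order matters too: CVE-2025-5372.patch starts from blob `911b363` of `src/libcrypto.c`, which is what CVE-2025-5987.patch produces (`index 4f945d9..911b363`), so `Patch0` must stay ahead of `Patch1`. A one-line comment such as `# CVE-2025-5372.patch applies on top of CVE-2025-5987.patch` would record that.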
@@ -0,0 +1,115 @@ +From 80c3f0f9ca0e882c4af1b98ccf473411ccbc123f Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Mon, 19 May 2025 10:53:30 -0700 +Subject: [PATCH 1/3] Don't skip the first line of the input image. Addresses + issue #703 + +--- + archive/tools/tiffdither.c | 4 ++-- + archive/tools/tiffmedian.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/archive/tools/tiffdither.c b/archive/tools/tiffdither.c +index 187a61a..0c86e7f 100644 +--- a/archive/tools/tiffdither.c ++++ b/archive/tools/tiffdither.c +@@ -98,7 +98,7 @@ static int fsdither(TIFF *in, TIFF *out) + nextptr = nextline; + for (j = 0; j < imagewidth; ++j) + *nextptr++ = *inptr++; +- for (i = 1; i < imagelength; ++i) ++ for (i = 0; i < imagelength; ++i) + { + tmpptr = thisline; + thisline = nextline; +@@ -146,7 +146,7 @@ static int fsdither(TIFF *in, TIFF *out) + nextptr[0] += v / 16; + } + } +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0) ++ if (TIFFWriteScanline(out, outline, i, 0) < 0) + goto skip_on_error; + } + goto exit_label; +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index 334566a..291e73b 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -912,7 +912,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + + GetInputLine(in, 0, goto bad); /* get first line */ +- for (i = 1; i <= imagelength; ++i) ++ for (i = 0; i <= imagelength; ++i) + { + SWAP(short *, thisline, nextline); + lastline = (i >= imax); +@@ -992,7 +992,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + nextptr += 3; + } + } +- if (TIFFWriteScanline(out, outline, i - 1, 0) < 0) ++ if (TIFFWriteScanline(out, outline, i, 0) < 0) + break; + } + bad: +-- +2.45.4 + + +From e39690d84c229788cdceec9cd4d11f46aad72da7 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sat, 24 May 2025 21:25:16 -0700 +Subject: [PATCH 2/3] Fix tiffmedian bug #707 + +--- + archive/tools/tiffmedian.c | 5 
++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index 291e73b..b3b2671 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -410,7 +410,10 @@ static void get_histogram(TIFF *in, Colorbox *box) + for (i = 0; i < imagelength; i++) + { + if (TIFFReadScanline(in, inputline, i, 0) <= 0) +- break; ++ { ++ fprintf(stderr, "Error reading scanline\n"); ++ exit(EXIT_FAILURE); ++ } + inptr = inputline; + for (j = imagewidth; j-- > 0;) + { +-- +2.45.4 + + +From 0f6f0eaeefe9e98e41b96d9a47292c41e1fdf66d Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Sat, 24 May 2025 21:38:09 -0700 +Subject: [PATCH 3/3] conflict resolution + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/727.patch +--- + archive/tools/tiffmedian.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/tiffmedian.c b/archive/tools/tiffmedian.c +index b3b2671..3d5c9ca 100644 +--- a/archive/tools/tiffmedian.c ++++ b/archive/tools/tiffmedian.c +@@ -915,7 +915,7 @@ static void quant_fsdither(TIFF *in, TIFF *out) + outline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out)); + + GetInputLine(in, 0, goto bad); /* get first line */ +- for (i = 0; i <= imagelength; ++i) ++ for (i = 0; i < imagelength; ++i) + { + SWAP(short *, thisline, nextline); + lastline = (i >= imax); +-- +2.45.4 + diff --git a/SPECS/libtiff/CVE-2025-8177.patch b/SPECS/libtiff/CVE-2025-8177.patch new file mode 100644 index 0000000000..21dbce5fb9 --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8177.patch 
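Review bot: Patch 1/3 leaves quant_fsdither in tiffmedian.c with `for (i = 0; i <= imagelength; ++i)` and `TIFFWriteScanline(out, outline, i, 0)`, so on its own it would request a row one past the end of the image; only patch 3/3 tightens the bound to `i < imagelength`. Because the three commits ship in one patch file the final state is consistent, but the 3/3 subject "conflict resolution" does not say that it completes 1/3. A sentence in the patch description such as `1/3 and 3/3 must be applied together: 3/3 corrects the loop bound introduced by 1/3` would keep a later backport from picking 1/3 alone. The loop bodies are outside the hunks, so how row 0 is read and written after the start index change could not be checked here.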
@@ -0,0 +1,62 @@ +From 853f57d485fa4df27f8dffc7c691f320320a9506 Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Thu, 19 Jun 2025 11:51:33 -0700 +Subject: [PATCH 1/2] Fix for thumbnail issue #715 + +--- + archive/tools/thumbnail.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c +index 8ce0d9b..a94a738 100644 +--- a/archive/tools/thumbnail.c ++++ b/archive/tools/thumbnail.c +@@ -620,7 +620,15 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[]) + } + acc += bits[*src & mask1]; + } +- *row++ = cmap[(255 * acc) / area]; ++ if (255 * acc / area < 256) ++ { ++ *row++ = cmap[(255 * acc) / area]; ++ } ++ else ++ { ++ fprintf(stderr, "acc=%d, area=%d\n", acc, area); ++ row++; ++ } + } + } + +-- +2.45.4 + + +From 026ac684b76ea9c393c616e6d3ba67a609bc751c Mon Sep 17 00:00:00 2001 +From: Lee Howard +Date: Mon, 23 Jun 2025 10:09:07 -0700 +Subject: [PATCH 2/2] set a default value - assumes cmap[0] was not, itself, + uninitialized + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/737.patch +--- + archive/tools/thumbnail.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/archive/tools/thumbnail.c b/archive/tools/thumbnail.c +index a94a738..237d99e 100644 +--- a/archive/tools/thumbnail.c ++++ b/archive/tools/thumbnail.c +@@ -627,7 +627,7 @@ static void setrow(uint8_t *row, uint32_t nrows, const uint8_t *rows[]) + else + { + fprintf(stderr, "acc=%d, area=%d\n", acc, area); +- row++; ++ *row++ = cmap[0]; + } + } + } +-- +2.45.4 + diff --git a/SPECS/libtiff/CVE-2025-8534.patch b/SPECS/libtiff/CVE-2025-8534.patch new file mode 100644 index 0000000000..343d89db6a --- /dev/null +++ b/SPECS/libtiff/CVE-2025-8534.patch 
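Review bot: The guard added to setrow in thumbnail.c checks only the upper bound, `255 * acc / area < 256`, and then evaluates the same quotient a second time for the index; nothing in the hunk rules out `area` being zero, so that should be confirmed against the part of the function outside the hunk. Computing the index once keeps the check and the use in agreement, roughly `idx = (255 * acc) / area; *row++ = cmap[idx < 256 ? idx : 0];` with `idx` declared to match the type of `acc`. The fallback prints `acc=%d, area=%d` with no file or function name and can run once per output pixel on a malformed input, so a single clearer message would serve anyone reading the logs better. Patch 2/2 itself states that `cmap[0]` is assumed to be initialised, which is also worth verifying.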
@@ -0,0 +1,60 @@ +From ca74283defdcb02685da93e63e9f93d05f4bf547 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Aug 2025 18:55:54 +0200 +Subject: [PATCH] tiff2ps: check return of TIFFGetFiled() for + TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer + dereference. + +Closes #718 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b.patch +--- + tools/unsupported/tiff2ps.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/tools/unsupported/tiff2ps.c b/tools/unsupported/tiff2ps.c +index 541495d..d6a54b4 100644 +--- a/tools/unsupported/tiff2ps.c ++++ b/tools/unsupported/tiff2ps.c +@@ -2432,12 +2432,22 @@ int PS_Lvl2page(FILE *fd, TIFF *tif, uint32_t w, uint32_t h) + if (tiled_image) + { + num_chunks = TIFFNumberOfTiles(tif); +- TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_TILEBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of tiles at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + else + { + num_chunks = TIFFNumberOfStrips(tif); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, ++ "Can't read bytecounts of strips at PS_Lvl2page()"); ++ return (FALSE); ++ } + } + + if (use_rawdata) +@@ -3107,7 +3117,11 @@ void PSRawDataBW(FILE *fd, TIFF *tif, uint32_t w, uint32_t h) + (void)w; + (void)h; + TIFFGetFieldDefaulted(tif, TIFFTAG_FILLORDER, &fillorder); +- TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc); ++ if (!TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &bc)) ++ { ++ TIFFError(filename, "Can't read bytecounts of strips at PSRawDataBW()"); ++ return; ++ } + + /* + * Find largest strip: +-- +2.45.4 + diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 2e3e3b5594..83def11075 100644 --- a/SPECS/libtiff/libtiff.spec 
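Review bot: In PSRawDataBW the new failure path is a bare `return;` from a void function, so after the TIFFError message the caller cannot learn that no image data was written, whereas PS_Lvl2page reports the same condition with `return (FALSE)`. If the surrounding code allows it, the caller should be able to stop rather than finish the PostScript output; whether that needs a signature change cannot be judged here, because both function bodies and their callers are outside the hunks. At the least a comment above the return, such as `/* no strip byte counts: nothing emitted, output for this page is incomplete */`, would document the behaviour.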
+++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: libtiff Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,9 @@ Patch1: CVE-2023-6277.patch Patch2: CVE-2024-7006.patch Patch3: CVE-2023-3164.patch Patch4: CVE-2023-6228.patch +Patch5: CVE-2025-8534.patch +Patch6: CVE-2025-8177.patch +Patch7: CVE-2025-8176.patch BuildRequires: autoconf BuildRequires: automake @@ -63,9 +66,15 @@ make %{?_smp_mflags} -k check %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc +%license LICENSE.md %{_docdir}/* +# The above LICENSE.md is same as below hence removing duplicate in doc file +%exclude %{_docdir}/tiff-%{version}/LICENSE.md %changelog +* Tue Aug 05 2025 Azure Linux Security Servicing Account - 4.6.0-7 +- Patch for CVE-2025-8534, CVE-2025-8177, CVE-2025-8176 + * Mon Feb 03 2025 Ankita Pareek - 4.6.0-6 - Address CVE-2023-6228 with a patch diff --git a/SPECS/libtpms/CVE-2025-49133.patch b/SPECS/libtpms/CVE-2025-49133.patch new file mode 100644 index 0000000000..20d0113b17 --- /dev/null +++ b/SPECS/libtpms/CVE-2025-49133.patch 
@@ -0,0 +1,266 @@ +From 83474625ad1816e55afa224dabfb4a6f29bd6123 Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Mon, 16 Jun 2025 16:40:42 +0000 +Subject: [PATCH] Address CVE-2025-49133 +Upstream Patch Reference: https://github.com/stefanberger/libtpms/commit/9f9baccdba9cd3fc32f1355613abd094b21f7ba0 +--- + src/tpm2/CryptUtil.c | 119 +++++++++++++++++++++++----- + src/tpm2/SigningCommands.c | 11 ++- + src/tpm2/crypto/CryptHash_fp.h | 2 +- + src/tpm2/crypto/openssl/CryptHash.c | 4 +- + 4 files changed, 109 insertions(+), 27 deletions(-) + +diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c +index 8fae5b6..f0d8a28 100644 +--- a/src/tpm2/CryptUtil.c ++++ b/src/tpm2/CryptUtil.c +@@ -67,7 +67,7 @@ + #include "Tpm.h" + /* 10.2.6.3 Hash/HMAC Functions */ + /* 10.2.6.3.1 CryptHmacSign() */ +-/* Sign a digest using an HMAC key. This an HMAC of a digest, not an HMAC of a message. */ ++/* Sign a digest using an HMAC key. This is an HMAC of a digest, not an HMAC of a message. */ + /* Error Returns Meaning */ + /* TPM_RC_HASH not a valid hash */ + static TPM_RC +@@ -79,12 +79,18 @@ CryptHmacSign( + { + HMAC_STATE hmacState; + UINT32 digestSize; +- digestSize = CryptHmacStart2B(&hmacState, signature->signature.any.hashAlg, +- &signKey->sensitive.sensitive.bits.b); +- CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); +- CryptHmacEnd(&hmacState, digestSize, +- (BYTE *)&signature->signature.hmac.digest); +- return TPM_RC_SUCCESS; ++ ++ if(signature->sigAlg == TPM_ALG_HMAC) ++ { ++ digestSize = CryptHmacStart2B(&hmacState, ++ signature->signature.any.hashAlg, ++ &signKey->sensitive.sensitive.bits.b); ++ CryptDigestUpdate2B(&hmacState.hashState, &hashData->b); ++ CryptHmacEnd(&hmacState, digestSize, ++ (BYTE *)&signature->signature.hmac.digest); ++ return TPM_RC_SUCCESS; ++ } ++ return TPM_RC_SCHEME; + } + /* 10.2.6.3.2 CryptHMACVerifySignature() */ + /* This function will verify a signature signed by a HMAC key. 
Note that a caller needs to prepare +@@ -1096,7 +1102,7 @@ CryptIsSplitSign( + } + } + /* 10.2.6.6.11 CryptIsAsymSignScheme() */ +-/* This function indicates if a scheme algorithm is a sign algorithm. */ ++/* This function indicates if a scheme algorithm is a sign algorithm valid for the public key type. */ + BOOL + CryptIsAsymSignScheme( + TPMI_ALG_PUBLIC publicType, // IN: Type of the object +@@ -1125,9 +1131,11 @@ CryptIsAsymSignScheme( + #if ALG_ECC + // If ECC is implemented ECDSA is required + case TPM_ALG_ECC: ++# if !ALG_ECDSA ++# error "ECDSA required if ECC enabled." ++# endif + switch(scheme) + { +- // Support for ECDSA is required for ECC + case TPM_ALG_ECDSA: + #if ALG_ECDAA // ECDAA is optional + case TPM_ALG_ECDAA: +@@ -1151,6 +1159,58 @@ CryptIsAsymSignScheme( + } + return isSignScheme; + } ++//*** CryptIsValidSignScheme() ++// This function checks that a signing scheme is valid. This includes verifying ++// that the scheme signing algorithm is compatible with the signing object type ++// and that the scheme specifies a valid hash algorithm. ++static BOOL CryptIsValidSignScheme(TPMI_ALG_PUBLIC publicType, // IN: Type of the object ++ TPMT_SIG_SCHEME* scheme // IN: the signing scheme ++) ++{ ++ BOOL isValidSignScheme = TRUE; ++ ++ switch(publicType) ++ { ++#if ALG_RSA ++ case TPM_ALG_RSA: ++ isValidSignScheme = CryptIsAsymSignScheme(publicType, scheme->scheme); ++ break; ++#endif // ALG_RSA ++ ++#if ALG_ECC ++ case TPM_ALG_ECC: ++ isValidSignScheme = CryptIsAsymSignScheme(publicType, scheme->scheme); ++ break; ++#endif // ALG_ECC ++ ++ case TPM_ALG_KEYEDHASH: ++ if(scheme->scheme != TPM_ALG_HMAC) ++ { ++ isValidSignScheme = FALSE; ++ } ++ break; ++ ++ default: ++ isValidSignScheme = FALSE; ++ break; ++ } ++ ++ // Ensure that a valid hash algorithm is specified. Pass 'flag' = FALSE to ++ // indicate that TPM_ALG_NULL should not be treated as valid. 
++ // ++ // NOTE: 'details' is of type TPMU_SIG_SCHEME which is a union of many ++ // different signature scheme types. In all these types (including the type ++ // of 'any'), the very first member is of type TPMI_ALG_HASH. Therefore, ++ // when 'any.hashAlg' is set to a valid hash algorithm ID, the hash for any ++ // signature scheme type will also be a valid hash algorithm ID. (All valid ++ // hash algorithm IDs are the same for all signature scheme types.) ++ if(!CryptHashIsValidAlg(scheme->details.any.hashAlg, /* flag = */ FALSE)) ++ { ++ isValidSignScheme = FALSE; ++ } ++ ++ return isValidSignScheme; ++} + /* 10.2.6.6.12 CryptIsAsymDecryptScheme() */ + /* This function indicate if a scheme algorithm is a decrypt algorithm. */ + BOOL +@@ -1205,8 +1265,9 @@ CryptIsAsymDecryptScheme( + } + /* 10.2.6.6.13 CryptSelectSignScheme() */ + /* This function is used by the attestation and signing commands. It implements the rules for +- selecting the signature scheme to use in signing. This function requires that the signing key +- either be TPM_RH_NULL or be loaded. */ ++ selecting the signature scheme to use in signing and validates that the selected scheme is ++ compatible with the key type. It also ensures the selected scheme specifies a valid hash ++ algorithm. This function requires that the signing key either be TPM_RH_NULL or be loaded. */ + /* If a default scheme is defined in object, the default scheme should be chosen, otherwise, the + input scheme should be chosen. In the case that both object and input scheme has a non-NULL + scheme algorithm, if the schemes are compatible, the input scheme will be chosen. */ +@@ -1237,25 +1298,32 @@ CryptSelectSignScheme( + { + // assignment to save typing. 
+ publicArea = &signObject->publicArea; +- // A symmetric cipher can be used to encrypt and decrypt but it can't +- // be used for signing +- if(publicArea->type == TPM_ALG_SYMCIPHER) +- return FALSE; +- // Point to the scheme object ++ ++ // Get a point to the scheme object + if(CryptIsAsymAlgorithm(publicArea->type)) +- objectScheme = +- (TPMT_SIG_SCHEME *)&publicArea->parameters.asymDetail.scheme; ++ { ++ objectScheme = ++ (TPMT_SIG_SCHEME *)&publicArea->parameters.asymDetail.scheme; ++ } ++ else if(publicArea->type == TPM_ALG_KEYEDHASH) ++ { ++ objectScheme = ++ (TPMT_SIG_SCHEME *)&publicArea->parameters.keyedHashDetail.scheme; ++ } + else +- objectScheme = +- (TPMT_SIG_SCHEME *)&publicArea->parameters.keyedHashDetail.scheme; ++ { ++ // Only asymmetric key types (RSA, ECC) and keyed hashes can be ++ // used for signing. A symmetric cipher can be used to encrypt and ++ // decrypt but can't be used for signing. ++ return FALSE; ++ } ++ + // If the object doesn't have a default scheme, then use the + // input scheme. + if(objectScheme->scheme == TPM_ALG_NULL) + { + // Input and default can't both be NULL + OK = (scheme->scheme != TPM_ALG_NULL); +- // Assume that the scheme is compatible with the key. If not, +- // an error will be generated in the signing operation. + } + else if(scheme->scheme == TPM_ALG_NULL) + { +@@ -1282,6 +1350,13 @@ CryptSelectSignScheme( + && (objectScheme->details.any.hashAlg + == scheme->details.any.hashAlg); + } ++ ++ if(OK) ++ { ++ // Check that the scheme is compatible with the key type and has a ++ // valid hash algorithm specified. 
++ OK = CryptIsValidSignScheme(publicArea->type, scheme); ++ } + } + return OK; + } +diff --git a/src/tpm2/SigningCommands.c b/src/tpm2/SigningCommands.c +index 529c40c..ec93c84 100644 +--- a/src/tpm2/SigningCommands.c ++++ b/src/tpm2/SigningCommands.c +@@ -116,16 +116,23 @@ TPM2_Sign( + // + // Input Validation + if(!IsSigningObject(signObject)) ++ { + return TPM_RCS_KEY + RC_Sign_keyHandle; ++ } + + // A key that will be used for x.509 signatures can't be used in TPM2_Sign(). + if(IS_ATTRIBUTE(signObject->publicArea.objectAttributes, TPMA_OBJECT, x509sign)) ++ { + return TPM_RCS_ATTRIBUTES + RC_Sign_keyHandle; ++ } + +- // pick a scheme for sign. If the input sign scheme is not compatible with +- // the default scheme, return an error. ++ // Pick a scheme for signing. If the input signing scheme is not compatible ++ // with the default scheme or the signing key type, return an error. If a ++ // valid hash algorithm is not specified, return an error. + if(!CryptSelectSignScheme(signObject, &in->inScheme)) ++ { + return TPM_RCS_SCHEME + RC_Sign_inScheme; ++ } + // If validation is provided, or the key is restricted, check the ticket + if(in->validation.digest.t.size != 0 + || IS_ATTRIBUTE(signObject->publicArea.objectAttributes, TPMA_OBJECT, restricted)) +diff --git a/src/tpm2/crypto/CryptHash_fp.h b/src/tpm2/crypto/CryptHash_fp.h +index adf1ba9..721d335 100644 +--- a/src/tpm2/crypto/CryptHash_fp.h ++++ b/src/tpm2/crypto/CryptHash_fp.h +@@ -77,7 +77,7 @@ CryptGetHashDef( + BOOL + CryptHashIsValidAlg( + TPM_ALG_ID hashAlg, +- BOOL flag ++ BOOL isAlgNullValid + ); + LIB_EXPORT TPM_ALG_ID + CryptHashGetAlgByIndex( +diff --git a/src/tpm2/crypto/openssl/CryptHash.c b/src/tpm2/crypto/openssl/CryptHash.c +index cb5bd0f..eb484b8 100644 +--- a/src/tpm2/crypto/openssl/CryptHash.c ++++ b/src/tpm2/crypto/openssl/CryptHash.c +@@ -139,12 +139,12 @@ CryptGetHashDef( + BOOL + CryptHashIsValidAlg( + TPM_ALG_ID hashAlg, // IN: the algorithm to check +- BOOL flag // IN: TRUE if 
TPM_ALG_NULL is to be treated ++ BOOL isAlgNullValid // IN: TRUE if TPM_ALG_NULL is to be treated + // as a valid hash + ) + { + if(hashAlg == TPM_ALG_NULL) +- return flag; ++ return isAlgNullValid; + return CryptGetHashDef(hashAlg) != &NULL_Def; + } + /* 10.2.13.4.4 CryptHashGetAlgByIndex() */ +-- +2.45.3 + diff --git a/SPECS/libtpms/libtpms.spec b/SPECS/libtpms/libtpms.spec index 8503a8cfb4..061a3d344c 100644 --- a/SPECS/libtpms/libtpms.spec +++ b/SPECS/libtpms/libtpms.spec @@ -1,6 +1,6 @@ Name: libtpms Version: 0.9.6 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Library providing Trusted Platform Module (TPM) functionality License: BSD and TCGL @@ -12,6 +12,7 @@ Source1: %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{n # https://github.com/stefanberger.gpg Source2: gpgkey-B818B9CADF9089C2D5CEC66B75AD65802A0B4211.asc Patch1: 0001-Export-RSA-private-key-primes-to-OpenSSL.patch +Patch2: CVE-2025-49133.patch BuildRequires: autoconf BuildRequires: automake @@ -66,6 +67,9 @@ make check %{_mandir}/man3/TPM* %changelog +* Tue Jun 17 2025 Archana Shettigar - 0.9.6-8 +- Patch CVE-2025-49133 + * Tue Sep 03 2024 Neha Agarwal - 0.9.6-7 - Add missing Vendor and Distribution tags. diff --git a/SPECS/libvirt/CVE-2024-1441.patch b/SPECS/libvirt/CVE-2024-1441.patch new file mode 100644 index 0000000000..2b8f87a6ec --- /dev/null +++ b/SPECS/libvirt/CVE-2024-1441.patch 
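Review bot: The new CryptIsValidSignScheme still uses the old parameter name: its comment says "Pass 'flag' = FALSE" and the call reads `CryptHashIsValidAlg(scheme->details.any.hashAlg, /* flag = */ FALSE)`, while the same patch renames that parameter to `isAlgNullValid` in CryptHash_fp.h and CryptHash.c. Writing `/* isAlgNullValid = */ FALSE` and updating the comment keeps the call site in step with the declaration. The header comment of CryptHmacSign also still lists only TPM_RC_HASH under "Error Returns", although the function now returns TPM_RC_SCHEME when `signature->sigAlg` is not TPM_ALG_HMAC; a line `/* TPM_RC_SCHEME signature scheme is not HMAC */` would cover it. The RSA and ECC cases in CryptIsValidSignScheme are identical and could share one body, though staying close to upstream is a fair reason to leave them.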
@@ -0,0 +1,54 @@ +From 2ebd1f031ecd93d74cb01051f23c8c4564998489 Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Thu, 22 May 2025 22:10:00 -0400 +Subject: [PATCH] Address CVE-2024-1441 +Upstream Patch Reference: https://github.com/libvirt/libvirt/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8.patch + +--- + NEWS.rst | 16 ++++++++++++++++ + src/interface/interface_backend_udev.c | 2 +- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/NEWS.rst b/NEWS.rst +index d013fc7..97c3bc6 100644 +--- a/NEWS.rst ++++ b/NEWS.rst +@@ -10,6 +10,22 @@ For a more fine-grained view, use the `git log`_. + + v10.0.0 (2024-01-15) + ==================== ++* **Security** ++ ++ * ``CVE-2024-1441``: Fix off-by-one error leading to a crash ++ ++ In **libvirt-1.0.0** there were couple of interface listing APIs ++ introduced which had an off-by-one error. That error could lead to a ++ very rare crash if an array was passed to those functions which did ++ not fit all the interfaces. ++ ++ In **libvirt-5.10** a check for non-NULL arrays has been adjusted to ++ allow for NULL arrays with size 0 instead of rejecting all NULL ++ arrays. However that made the above issue significantly worse since ++ that off-by-one error now did not write beyond an array, but ++ dereferenced said NULL pointer making the crash certain in a ++ specific scenario in which a NULL array of size 0 was passed to the ++ aforementioned functions. + + * **New features** + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index fb6799e..4091483 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, + g_autoptr(virInterfaceDef) def = NULL; + + /* Ensure we won't exceed the size of our array */ +- if (count > names_len) ++ if (count >= names_len) + break; + + path = udev_list_entry_get_name(dev_entry); +-- +2.34.1 + 
diff --git a/SPECS/libvirt/CVE-2024-2494.patch b/SPECS/libvirt/CVE-2024-2494.patch
new file mode 100644
index 0000000000..d7b6f9fb09
--- /dev/null
+++ b/SPECS/libvirt/CVE-2024-2494.patch
@@ -0,0 +1,197 @@ +From f0fbb57dae0b9328f53c9d8ba9d672bfc9fd5cf3 Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Thu, 22 May 2025 22:27:55 -0400 +Subject: [PATCH] Address CVE-2024-2494 +Upstream Patch Reference: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2.patch + +--- + src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++ + src/rpc/gendispatch.pl | 5 +++ + 2 files changed, 70 insertions(+) + +diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c +index 7daf503..7542caa 100644 +--- a/src/remote/remote_daemon_dispatch.c ++++ b/src/remote/remote_daemon_dispatch.c +@@ -2291,6 +2291,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2339,6 +2343,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2497,6 +2505,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED, + goto cleanup; + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2717,6 +2729,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer 
*server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->ncpumaps < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } + if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -2811,6 +2831,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } ++ + /* Allocate buffers to take the results */ + if (args->maplen > 0) + cpumaps = g_new0(unsigned char, args->maplen); +@@ -2858,6 +2883,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maxinfo < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } + if (args->maxinfo > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -3096,6 +3129,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3156,6 +3193,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server 
G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3216,6 +3257,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3277,6 +3322,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3339,6 +3388,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3514,6 +3567,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5079,6 +5136,10 @@ 
remoteDispatchDomainGetInterfaceParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5299,6 +5360,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl +index 5ce988c..c5842dc 100755 +--- a/src/rpc/gendispatch.pl ++++ b/src/rpc/gendispatch.pl +@@ -1070,6 +1070,11 @@ elsif ($mode eq "server") { + print "\n"; + + if ($single_ret_as_list) { ++ print " if (args->$single_ret_list_max_var < 0) {\n"; ++ print " virReportError(VIR_ERR_RPC,\n"; ++ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n"; ++ print " goto cleanup;\n"; ++ print " }\n"; + print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n"; + print " virReportError(VIR_ERR_RPC,\n"; + print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n"; +-- +2.34.1 + diff --git a/SPECS/libvirt/CVE-2024-4418.patch b/SPECS/libvirt/CVE-2024-4418.patch new file mode 100644 index 0000000000..eedfaf9f5f --- /dev/null +++ b/SPECS/libvirt/CVE-2024-4418.patch 
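Review bot: In remoteDispatchDomainGetVcpus the added check `if (args->maplen < 0)` reports `_("maxinfo must be non-negative")`, which names the wrong field; it looks like a copy of the check just above it and should read `_("maplen must be non-negative")`. The hand-written checks in remote_daemon_dispatch.c use VIR_ERR_INTERNAL_ERROR, matching the neighbouring "too large" checks, while the generated check in gendispatch.pl uses VIR_ERR_RPC, so clients see two different error codes for the same kind of rejected argument. remoteDispatchDomainGetEmulatorPinInfo receives only the lower bound on `maplen` before `g_new0(unsigned char, args->maplen)`, and whether an upper bound is enforced elsewhere in that function is not visible in the hunk.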
@@ -0,0 +1,44 @@ +From e35fd05e2512a1c650b1940910bb394bfe8bd27d Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Thu, 15 May 2025 08:56:07 -0400 +Subject: [PATCH] Address CVE-2024-4418 +Upstream Patch Reference: https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1 +--- + src/rpc/virnetclient.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c +index 68098b1..147b0d6 100644 +--- a/src/rpc/virnetclient.c ++++ b/src/rpc/virnetclient.c +@@ -1657,7 +1657,7 @@ static int virNetClientIOEventLoop(virNetClient *client, + #endif /* !WIN32 */ + int timeout = -1; + virNetMessage *msg = NULL; +- g_autoptr(GSource) G_GNUC_UNUSED source = NULL; ++ g_autoptr(GSource) source = NULL; + GIOCondition ev = 0; + struct virNetClientIOEventData data = { + .client = client, +@@ -1721,6 +1721,18 @@ static int virNetClientIOEventLoop(virNetClient *client, + + g_main_loop_run(client->eventLoop); + ++ /* ++ * If virNetClientIOEventFD ran, this GSource will already be ++ * destroyed due to G_SOURCE_REMOVE. It is harmless to re-destroy ++ * it, since we still own a reference. ++ * ++ * If virNetClientIOWakeup ran, it will have interrupted the ++ * g_main_loop_run call, before virNetClientIOEventFD could ++ * run, and thus the GSource is still registered, and we need ++ * to destroy it since it is referencing stack memory for 'data' ++ */ ++ g_source_destroy(source); ++ + #ifndef WIN32 + ignore_value(pthread_sigmask(SIG_SETMASK, &oldmask, NULL)); + #endif /* !WIN32 */ +-- +2.34.1 + diff --git a/SPECS/libvirt/libvirt.spec b/SPECS/libvirt/libvirt.spec index 693e61b6ff..c8573f7fee 100644 --- a/SPECS/libvirt/libvirt.spec +++ b/SPECS/libvirt/libvirt.spec 
@@ -185,7 +185,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 10.0.0 -Release: 4%{?dist} +Release: 5%{?dist} License: GPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OFL-1.1 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -197,6 +197,9 @@ URL: https://libvirt.org/ Source: https://download.libvirt.org/%{?mainturl}libvirt-%{version}.tar.xz Patch0: libvirt-conf.patch Patch1: 0001-PATCH-After-iptables.service.patch +Patch2: CVE-2024-1441.patch +Patch3: CVE-2024-2494.patch +Patch4: CVE-2024-4418.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2187,6 +2190,15 @@ exit 0 %endif %changelog +* Mon Sep 8 2025 Lee Chee Yang - 10.0.0-5 +- merge from Azure Linux 3.0.20250822-3.0. +- Fixes CVE-2024-4418 with an upstream patch. +- Fix for CVE-2024-1441 and CVE-2024-2494. + +* Mon Jan 6 2025 Swee Yee Fonn - 10.0.0-4 +- Initial Edge Microvisor Toolkit import from Azure Linux (license: MIT). License verified. +- Add After iptables.service + * Thu May 30 2024 Sharath Srikanth Chellappa - 10.0.0-3 - Add patch to libvirt.conf to work with kubevirt. diff --git a/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch b/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch new file mode 100644 index 0000000000..97c381a3b7 --- /dev/null +++ b/SPECS/libxml2/CVE-2025-49794_CVE-2025-49796.patch 
@@ -0,0 +1,182 @@ +From 29efbea1666252fe4fb2185808a0a655aaa680bc Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 4 Jul 2025 14:28:26 +0200 +Subject: [PATCH] schematron: Fix memory safety issues in + xmlSchematronReportOutput + +Fix use-after-free (CVE-2025-49794) and type confusion (CVE-2025-49796) +in xmlSchematronReportOutput. + +Fixes #931. +Fixes #933. +--- + result/schematron/cve-2025-49794_0.err | 2 ++ + result/schematron/cve-2025-49796_0.err | 2 ++ + schematron.c | 49 ++++++++++++++------------ + test/schematron/cve-2025-49794.sct | 10 ++++++ + test/schematron/cve-2025-49794_0.xml | 6 ++++ + test/schematron/cve-2025-49796.sct | 9 +++++ + test/schematron/cve-2025-49796_0.xml | 3 ++ + 7 files changed, 58 insertions(+), 23 deletions(-) + create mode 100644 result/schematron/cve-2025-49794_0.err + create mode 100644 result/schematron/cve-2025-49796_0.err + create mode 100644 test/schematron/cve-2025-49794.sct + create mode 100644 test/schematron/cve-2025-49794_0.xml + create mode 100644 test/schematron/cve-2025-49796.sct + create mode 100644 test/schematron/cve-2025-49796_0.xml + +diff --git a/result/schematron/cve-2025-49794_0.err b/result/schematron/cve-2025-49794_0.err +new file mode 100644 +index 0000000..5775231 +--- /dev/null ++++ b/result/schematron/cve-2025-49794_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49794_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49794_0.xml fails to validate +diff --git a/result/schematron/cve-2025-49796_0.err b/result/schematron/cve-2025-49796_0.err +new file mode 100644 +index 0000000..bf875ee +--- /dev/null ++++ b/result/schematron/cve-2025-49796_0.err +@@ -0,0 +1,2 @@ ++./test/schematron/cve-2025-49796_0.xml:2: element boo0: schematron error : /librar0/boo0 line 2: ++./test/schematron/cve-2025-49796_0.xml fails to validate +diff --git a/schematron.c b/schematron.c +index c105a75..a1602ab 100644 +--- a/schematron.c ++++ b/schematron.c +@@ -1388,27 +1388,15 
@@ exit: + * * + ************************************************************************/ + +-static xmlNodePtr ++static xmlXPathObjectPtr + xmlSchematronGetNode(xmlSchematronValidCtxtPtr ctxt, + xmlNodePtr cur, const xmlChar *xpath) { +- xmlNodePtr node = NULL; +- xmlXPathObjectPtr ret; +- + if ((ctxt == NULL) || (cur == NULL) || (xpath == NULL)) + return(NULL); + + ctxt->xctxt->doc = cur->doc; + ctxt->xctxt->node = cur; +- ret = xmlXPathEval(xpath, ctxt->xctxt); +- if (ret == NULL) +- return(NULL); +- +- if ((ret->type == XPATH_NODESET) && +- (ret->nodesetval != NULL) && (ret->nodesetval->nodeNr > 0)) +- node = ret->nodesetval->nodeTab[0]; +- +- xmlXPathFreeObject(ret); +- return(node); ++ return(xmlXPathEval(xpath, ctxt->xctxt)); + } + + /** +@@ -1454,25 +1442,40 @@ xmlSchematronFormatReport(xmlSchematronValidCtxtPtr ctxt, + (child->type == XML_CDATA_SECTION_NODE)) + ret = xmlStrcat(ret, child->content); + else if (IS_SCHEMATRON(child, "name")) { ++ xmlXPathObject *obj = NULL; + xmlChar *path; + + path = xmlGetNoNsProp(child, BAD_CAST "path"); + + node = cur; + if (path != NULL) { +- node = xmlSchematronGetNode(ctxt, cur, path); +- if (node == NULL) +- node = cur; ++ obj = xmlSchematronGetNode(ctxt, cur, path); ++ if ((obj != NULL) && ++ (obj->type == XPATH_NODESET) && ++ (obj->nodesetval != NULL) && ++ (obj->nodesetval->nodeNr > 0)) ++ node = obj->nodesetval->nodeTab[0]; + xmlFree(path); + } + +- if ((node->ns == NULL) || (node->ns->prefix == NULL)) +- ret = xmlStrcat(ret, node->name); +- else { +- ret = xmlStrcat(ret, node->ns->prefix); +- ret = xmlStrcat(ret, BAD_CAST ":"); +- ret = xmlStrcat(ret, node->name); ++ switch (node->type) { ++ case XML_ELEMENT_NODE: ++ case XML_ATTRIBUTE_NODE: ++ if ((node->ns == NULL) || (node->ns->prefix == NULL)) ++ ret = xmlStrcat(ret, node->name); ++ else { ++ ret = xmlStrcat(ret, node->ns->prefix); ++ ret = xmlStrcat(ret, BAD_CAST ":"); ++ ret = xmlStrcat(ret, node->name); ++ } ++ break; ++ ++ /* TODO: handle other node 
types */ ++ default: ++ break; + } ++ ++ xmlXPathFreeObject(obj); + } else if (IS_SCHEMATRON(child, "value-of")) { + xmlChar *select; + xmlXPathObjectPtr eval; +diff --git a/test/schematron/cve-2025-49794.sct b/test/schematron/cve-2025-49794.sct +new file mode 100644 +index 0000000..7fc9ee3 +--- /dev/null ++++ b/test/schematron/cve-2025-49794.sct +@@ -0,0 +1,10 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49794_0.xml b/test/schematron/cve-2025-49794_0.xml +new file mode 100644 +index 0000000..debc64b +--- /dev/null ++++ b/test/schematron/cve-2025-49794_0.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796.sct b/test/schematron/cve-2025-49796.sct +new file mode 100644 +index 0000000..e9702d7 +--- /dev/null ++++ b/test/schematron/cve-2025-49796.sct +@@ -0,0 +1,9 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/test/schematron/cve-2025-49796_0.xml b/test/schematron/cve-2025-49796_0.xml +new file mode 100644 +index 0000000..be33c4e +--- /dev/null ++++ b/test/schematron/cve-2025-49796_0.xml +@@ -0,0 +1,3 @@ ++ ++ ++ +-- +2.45.4 + diff --git a/SPECS/libxml2/CVE-2025-6021.patch b/SPECS/libxml2/CVE-2025-6021.patch new file mode 100644 index 0000000000..ea1102703d --- /dev/null +++ b/SPECS/libxml2/CVE-2025-6021.patch 
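Review bot: `xmlSchematronGetNode` now returns the whole XPath result and leaves the caller to free it, but nothing at the definition states that ownership rule and the name still suggests a borrowed node. The removed lines freed the result and then returned a node taken from it, which appears to be the use-after-free being fixed, so a comment above the function would help prevent a regression: `/* Returns the XPath result or NULL; the caller owns it and must call xmlXPathFreeObject() only after it is done with any node taken from it. */`. As a style point, `xmlXPathObject *obj` in `xmlSchematronFormatReport` could be written `xmlXPathObjectPtr obj` to match `xmlXPathObjectPtr eval;` in the same function. `xmlSchematronFormatReport` starts and ends outside the hunk.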
@@ -0,0 +1,50 @@
+From 0bf1ca14616c240c2d87d9ae44c5df810bc2e229 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula
+Date: Wed, 25 Jun 2025 11:22:06 -0500
+Subject: [PATCH] Address CVE-2025-6021
+Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781
+
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 8910dd8..7172c46 100644
+--- a/tree.c
++++ b/tree.c
+@@ -49,6 +49,10 @@
+ #include "private/error.h"
+ #include "private/tree.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+
+/************************************************************************
+@@ -221,16 +225,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if (ret == NULL) {
+ xmlTreeErrMemory("building QName");
+--
+2.45.2
+
diff --git a/SPECS/libxml2/CVE-2025-6170.patch b/SPECS/libxml2/CVE-2025-6170.patch
new file mode 100644
index 0000000000..36129b40c6
--- /dev/null
+++ b/SPECS/libxml2/CVE-2025-6170.patch
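Review bot: The new `len < 0` test sits in the first guard of `xmlBuildQName`, ahead of the `prefix == NULL` early return, so a negative `len` now yields NULL even when no prefix is given or `memory` is NULL. On the old lines `len` was not consulted in either of those cases. The guard is needed for the `(size_t) len` cast that follows, but the changed contract is not documented anywhere in the hunk. The function's doc comment lies outside the hunk and should gain a line such as `* Returns NULL if @ncname is NULL, if @len is negative, or on allocation failure.` so that callers passing a placeholder length with a NULL buffer know to check the result.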
@@ -0,0 +1,61 @@
+From af4d4fd3e12fc9553b532f66c3717fe5dedfae98 Mon Sep 17 00:00:00 2001
+From: BinduSri-6522866
+Date: Fri, 4 Jul 2025 11:04:50 +0000
+Subject: [PATCH] Address CVE-2025-6170
+
+Upstream Patch reference: https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
+---
+ debugXML.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/debugXML.c b/debugXML.c
+index 3bb1930..2d11213 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -2781,6 +2781,10 @@ xmlShellPwd(xmlShellCtxtPtr ctxt ATTRIBUTE_UNUSED, char *buffer,
+ return (0);
+ }
+
++#define MAX_PROMPT_SIZE 500
++#define MAX_ARG_SIZE 400
++#define MAX_COMMAND_SIZE 100
++
+ /**
+ * xmlShell:
+ * @doc: the initial document
+@@ -2796,10 +2800,10 @@ void
+ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ FILE * output)
+ {
+- char prompt[500] = "/ > ";
++ char prompt[MAX_PROMPT_SIZE] = "/ > ";
+ char *cmdline = NULL, *cur;
+- char command[100];
+- char arg[400];
++ char command[MAX_COMMAND_SIZE];
++ char arg[MAX_ARG_SIZE];
+ int i;
+ xmlShellCtxtPtr ctxt;
+ xmlXPathObjectPtr list;
+@@ -2857,7 +2861,8 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ cur++;
+ i = 0;
+ while ((*cur != ' ') && (*cur != '\t') &&
+- (*cur != '\n') && (*cur != '\r')) {
++ (*cur != '\n') && (*cur != '\r') &&
++ (i < (MAX_COMMAND_SIZE - 1))) {
+ if (*cur == 0)
+ break;
+ command[i++] = *cur++;
+@@ -2872,7 +2877,7 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+ while ((*cur == ' ') || (*cur == '\t'))
+ cur++;
+ i = 0;
+- while ((*cur != '\n') && (*cur != '\r') && (*cur != 0)) {
++ while ((*cur != '\n') && (*cur != '\r') && (*cur != 0) && (i < (MAX_ARG_SIZE-1))) {
+ if (*cur == 0)
+ break;
+ arg[i++] = *cur++;
+--
+2.45.3
+
diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec
index a7b1cf51f0..92cca70706 100644
--- a/SPECS/libxml2/libxml2.spec
+++ b/SPECS/libxml2/libxml2.spec
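Review bot: The added bounds `(i < (MAX_COMMAND_SIZE - 1))` and `(i < (MAX_ARG_SIZE-1))` stop the copy but leave `cur` in the middle of an over-long token and truncate it silently. Judging by the second loop's context lines, the tail of a too-long command would then be read as the start of the argument. That closes the overflow but leaves the shell acting on input the user did not type, so the truncation should at least be documented at both loops, e.g. `/* tokens longer than the buffer are truncated; the remainder is not discarded */`, or the line rejected once the limit is hit. The statements that terminate `command` and `arg` are outside the hunk, as is the rest of `xmlShell`. The header also cites upstream issue 941 rather than a commit, so the patch cannot be compared line for line with a specific upstream change.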
@@ -1,7 +1,7 @@ Summary: Libxml2 Name: libxml2 Version: 2.11.5 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,10 @@ Patch5: CVE-2024-25062.patch Patch6: CVE-2025-27113.patch Patch7: CVE-2025-32414.patch Patch8: CVE-2025-32415.patch +Patch9: CVE-2025-6021.patch +Patch10: CVE-2025-6170.patch +Patch11: CVE-2025-49794_CVE-2025-49796.patch + BuildRequires: python3-devel BuildRequires: python3-xml Provides: %{name}-tools = %{version}-%{release} @@ -87,6 +91,10 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/cmake/libxml2/libxml2-config.cmake %changelog +* Sat Jul 19 2025 Kshitiz Godara - 2.11.5-6 +- Patch CVE-2025-49794 and CVE-2025-49796 +- Also added patches for CVE-2025-6021 (PR#14237) and CVE-2025-6170 (PR#14226) + * Mon May 05 2025 Sreeniavsulu Malavathula - 2.11.5-5 - Patch CVE-2025-32414 and CVE-2025-32415 diff --git a/SPECS/libzip/libzip.signatures.json b/SPECS/libzip/libzip.signatures.json index a8c351cafd..1625394e50 100644 --- a/SPECS/libzip/libzip.signatures.json +++ b/SPECS/libzip/libzip.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libzip-1.10.1.tar.xz": "dc3c8d5b4c8bbd09626864f6bcf93de701540f761d76b85d7c7d710f4bd90318" + "libzip-1.10.1-scrubbed.tar.xz": "22fcb0d7f7ae38bbe0baea0c2c54378881024f55a32be00a8641d3f9f71f32e4" } } diff --git a/SPECS/libzip/libzip.spec b/SPECS/libzip/libzip.spec index 7bf2d9909a..ed7bba3d65 100644 --- a/SPECS/libzip/libzip.spec +++ b/SPECS/libzip/libzip.spec 
@@ -1,12 +1,13 @@ Summary: C library for reading, creating, and modifying zip archives Name: libzip Version: 1.10.1 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://libzip.org/ -Source0: https://libzip.org/download/libzip-%{version}.tar.xz +# Note that scrubbed version of the source tarball contains upstream source minus password protected files which password is not known +Source0: https://libzip.org/download/libzip-%{version}.tar.xz#/libzip-%{version}-scrubbed.tar.xz BuildRequires: bzip2-devel BuildRequires: cmake >= 3.0.2 BuildRequires: gcc @@ -115,6 +116,9 @@ make test %{_libdir}/pkgconfig/libzip.pc %changelog +* Tue May 27 2025 Nicolas Guibourge - 1.10.1-3 +- Remove password protected zip files from upstream src tarball + * Mon Aug 19 2024 Andrew Phelps - 1.10.1-2 - Fix package tests - Switch to out-of-source build diff --git a/SPECS/lld/lld.signatures.json b/SPECS/lld/lld.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/lld/lld.signatures.json +++ b/SPECS/lld/lld.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/lld/lld.spec b/SPECS/lld/lld.spec index ab0e767b80..d48e1933fb 100644 --- a/SPECS/lld/lld.spec +++ b/SPECS/lld/lld.spec @@ -2,8 +2,8 @@ Summary: LLD is a linker from the LLVM project that is a drop-in replacement for system linkers and runs much faster than them Name: lld -Version: 18.1.2 -Release: 3%{?dist} +Version: 18.1.8 +Release: 1%{?dist} License: NCSA Vendor: Microsoft Corporation Distribution: Azure Linux 
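Review bot: `Source0` still points at the unmodified upstream URL, while the `#/libzip-%{version}-scrubbed.tar.xz` fragment and the new hash in libzip.signatures.json describe a locally repacked tarball. The recorded SHA-256 `22fcb0d7…` therefore cannot be checked against anything upstream publishes. The added comment says password-protected files were removed but not which ones or how the archive was repacked, so nobody can reproduce the hash. Recording the provenance next to `Source0` would fix that, for example `# Scrubbed from upstream libzip-%{version}.tar.xz (sha256 dc3c8d5b4c8bbd09626864f6bcf93de701540f761d76b85d7c7d710f4bd90318) by removing <LIST_OF_REMOVED_FILES> and repacking with <REPACK_COMMAND>`. The context shows `make test` is still run, so it is also worth confirming that no test depends on the removed archives.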
@@ -76,6 +76,9 @@ cd build %{_libdir}/liblld*.so.* %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. + * Tue Sep 03 2024 Andrew Phelps - 18.1.2-3 - Update file listing with explicit filenames - Remove unnecessary BR on build-essential diff --git a/SPECS/lldb/lldb.signatures.json b/SPECS/lldb/lldb.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/lldb/lldb.signatures.json +++ b/SPECS/lldb/lldb.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/lldb/lldb.spec b/SPECS/lldb/lldb.spec index c751f4b1a8..5f8c2053a7 100644 --- a/SPECS/lldb/lldb.spec +++ b/SPECS/lldb/lldb.spec @@ -2,8 +2,8 @@ Summary: A next generation, high-performance debugger. Name: lldb -Version: 18.1.2 -Release: 2%{?dist} +Version: 18.1.8 +Release: 1%{?dist} License: NCSA Vendor: Microsoft Corporation Distribution: Azure Linux @@ -106,6 +106,9 @@ rm -f %{buildroot}%{python3_sitelib}/six.* %{python3_sitelib}/* %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. + * Wed May 29 2024 Neha Agarwal - 18.1.2-2 - Bump release to build with new llvm to fix CVE-2024-31852 diff --git a/SPECS/llvm/CVE-2024-31852.patch b/SPECS/llvm/CVE-2024-31852.patch deleted file mode 100644 index f3760794b0..0000000000 --- a/SPECS/llvm/CVE-2024-31852.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2 Mon Sep 17 00:00:00 2001 -From: ostannard -Date: Mon, 26 Feb 2024 12:23:25 +0000 -Subject: [PATCH] [ARM] Update IsRestored for LR based on all returns (#82745) - -PR #75527 fixed ARMFrameLowering to set the IsRestored flag for LR based -on all of the return instructions in the function, not just one. -However, there is also code in ARMLoadStoreOptimizer which changes -return instructions, but it set IsRestored based on the one instruction -it changed, not the whole function. - -The fix is to factor out the code added in #75527, and also call it from -ARMLoadStoreOptimizer if it made a change to return instructions. - -Fixes #80287. - -(cherry picked from commit 749384c08e042739342c88b521c8ba5dac1b9276) ---- - llvm/lib/Target/ARM/ARMFrameLowering.cpp | 11 +++++---- - llvm/lib/Target/ARM/ARMFrameLowering.h | 4 ++++ - llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp | 23 ++++++++----------- - llvm/test/CodeGen/ARM/ldst-opt-lr-restored.ll | 11 +++++---- - 4 files changed, 27 insertions(+), 22 deletions(-) - -diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.cpp b/llvm/lib/Target/ARM/ARMFrameLowering.cpp -index eeb7f64aa5810..9b54dd4e4e618 100644 ---- a/llvm/lib/Target/ARM/ARMFrameLowering.cpp -+++ b/llvm/lib/Target/ARM/ARMFrameLowering.cpp -@@ -2781,10 +2781,7 @@ void ARMFrameLowering::determineCalleeSaves(MachineFunction &MF, - AFI->setLRIsSpilled(SavedRegs.test(ARM::LR)); - } - --void ARMFrameLowering::processFunctionBeforeFrameFinalized( -- MachineFunction &MF, RegScavenger *RS) const { -- TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); -- -+void ARMFrameLowering::updateLRRestored(MachineFunction &MF) { - MachineFrameInfo &MFI = MF.getFrameInfo(); - if (!MFI.isCalleeSavedInfoValid()) - return; -@@ -2808,6 +2805,12 @@ void ARMFrameLowering::processFunctionBeforeFrameFinalized( - } - } - -+void ARMFrameLowering::processFunctionBeforeFrameFinalized( -+ MachineFunction &MF, RegScavenger *RS) 
const { -+ TargetFrameLowering::processFunctionBeforeFrameFinalized(MF, RS); -+ updateLRRestored(MF); -+} -+ - void ARMFrameLowering::getCalleeSaves(const MachineFunction &MF, - BitVector &SavedRegs) const { - TargetFrameLowering::getCalleeSaves(MF, SavedRegs); -diff --git a/llvm/lib/Target/ARM/ARMFrameLowering.h b/llvm/lib/Target/ARM/ARMFrameLowering.h -index 8d2b8beb9a58f..3c7358d8cd53e 100644 ---- a/llvm/lib/Target/ARM/ARMFrameLowering.h -+++ b/llvm/lib/Target/ARM/ARMFrameLowering.h -@@ -59,6 +59,10 @@ class ARMFrameLowering : public TargetFrameLowering { - void determineCalleeSaves(MachineFunction &MF, BitVector &SavedRegs, - RegScavenger *RS) const override; - -+ /// Update the IsRestored flag on LR if it is spilled, based on the return -+ /// instructions. -+ static void updateLRRestored(MachineFunction &MF); -+ - void processFunctionBeforeFrameFinalized( - MachineFunction &MF, RegScavenger *RS = nullptr) const override; - -diff --git a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -index ed9d30c3c3ab9..6121055eb0217 100644 ---- a/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -+++ b/llvm/lib/Target/ARM/ARMLoadStoreOptimizer.cpp -@@ -2062,17 +2062,6 @@ bool ARMLoadStoreOpt::MergeReturnIntoLDM(MachineBasicBlock &MBB) { - MO.setReg(ARM::PC); - PrevMI.copyImplicitOps(*MBB.getParent(), *MBBI); - MBB.erase(MBBI); -- // We now restore LR into PC so it is not live-out of the return block -- // anymore: Clear the CSI Restored bit. 
-- MachineFrameInfo &MFI = MBB.getParent()->getFrameInfo(); -- // CSI should be fixed after PrologEpilog Insertion -- assert(MFI.isCalleeSavedInfoValid() && "CSI should be valid"); -- for (CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) { -- if (Info.getReg() == ARM::LR) { -- Info.setRestored(false); -- break; -- } -- } - return true; - } - } -@@ -2120,14 +2109,22 @@ bool ARMLoadStoreOpt::runOnMachineFunction(MachineFunction &Fn) { - isThumb2 = AFI->isThumb2Function(); - isThumb1 = AFI->isThumbFunction() && !isThumb2; - -- bool Modified = false; -+ bool Modified = false, ModifiedLDMReturn = false; - for (MachineBasicBlock &MBB : Fn) { - Modified |= LoadStoreMultipleOpti(MBB); - if (STI->hasV5TOps() && !AFI->shouldSignReturnAddress()) -- Modified |= MergeReturnIntoLDM(MBB); -+ ModifiedLDMReturn |= MergeReturnIntoLDM(MBB); - if (isThumb1) - Modified |= CombineMovBx(MBB); - } -+ Modified |= ModifiedLDMReturn; -+ -+ // If we merged a BX instruction into an LDM, we need to re-calculate whether -+ // LR is restored. This check needs to consider the whole function, not just -+ // the instruction(s) we changed, because there may be other BX returns which -+ // still need LR to be restored. -+ if (ModifiedLDMReturn) -+ ARMFrameLowering::updateLRRestored(Fn); - - Allocator.DestroyAll(); - return Modified; diff --git a/SPECS/llvm/llvm.signatures.json b/SPECS/llvm/llvm.signatures.json index f93006b26f..6ded1b1af7 100644 --- a/SPECS/llvm/llvm.signatures.json +++ b/SPECS/llvm/llvm.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b" + "llvmorg-18.1.8.tar.gz": "09c08693a9afd6236f27a2ebae62cda656eba19021ef3f94d59e931d662d4856" } } diff --git a/SPECS/llvm/llvm.spec b/SPECS/llvm/llvm.spec index 5960c67560..00e6dd716e 100644 --- a/SPECS/llvm/llvm.spec +++ b/SPECS/llvm/llvm.spec 
@@ -1,18 +1,17 @@ %global maj_ver 18 %global min_ver 1 -%global patch_ver 2 +%global patch_ver 8 Summary: A collection of modular and reusable compiler and toolchain technologies. Name: llvm Version: %{maj_ver}.%{min_ver}.%{patch_ver} -Release: 4%{?dist} +Release: 1%{?dist} License: NCSA Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: https://llvm.org/ Source0: https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz -Patch0: CVE-2024-31852.patch BuildRequires: binutils-devel BuildRequires: cmake BuildRequires: libffi-devel @@ -123,6 +122,10 @@ ninja check-all %{_includedir}/llvm-c %changelog +* Tue Jun 03 2025 Pawel Winogrodzki - 18.1.8-1 +- Updated to version 18.1.8. +- Removed the patch for CVE-2024-31852 - already fixed in 18.1.3. + * Tue Sep 03 2024 Andrew Phelps - 18.1.2-4 - Update file listing with explicit filenames diff --git a/SPECS/local-path-provisioner/CVE-2020-8565.patch b/SPECS/local-path-provisioner/CVE-2020-8565.patch deleted file mode 100644 index a78ccd25b7..0000000000 --- a/SPECS/local-path-provisioner/CVE-2020-8565.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 0e2a9c6cdbf88b5f4ec393d9e8794866bd2e7f17 Mon Sep 17 00:00:00 2001 -From: archana25-ms -Date: Wed, 12 Feb 2025 09:32:34 +0000 -Subject: [PATCH] Address CVE-2020-8565 - -Source link: https://github.com/kubernetes/kubernetes/pull/95316 - ---- - vendor/k8s.io/client-go/transport/round_trippers.go | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/vendor/k8s.io/client-go/transport/round_trippers.go b/vendor/k8s.io/client-go/transport/round_trippers.go -index a05208d..f4cfadb 100644 ---- a/vendor/k8s.io/client-go/transport/round_trippers.go -+++ b/vendor/k8s.io/client-go/transport/round_trippers.go -@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string { - headers := "" - for key, values := range r.RequestHeaders { - for _, value := range values { -+ value = maskValue(key, value) - headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) - } - } --- -2.45.2 - diff --git a/SPECS/local-path-provisioner/CVE-2023-39325.patch b/SPECS/local-path-provisioner/CVE-2023-39325.patch deleted file mode 100644 index 234ef01788..0000000000 --- a/SPECS/local-path-provisioner/CVE-2023-39325.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From aa710e1624a59109fa963de2afc047e411f2c268 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Fri, 14 Feb 2025 12:37:21 +0000 -Subject: [PATCH] CVE-2023-39325 - ---- - vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- - 1 file changed, 64 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go -index 8cb14f3..6000140 100644 ---- a/vendor/golang.org/x/net/http2/server.go -+++ b/vendor/golang.org/x/net/http2/server.go -@@ -581,9 +581,11 @@ type serverConn struct { - advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client - curClientStreams uint32 // number of open streams initiated by the client - curPushedStreams uint32 // number of open streams initiated by server push -+ curHandlers uint32 // number of running handler goroutines - maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests - maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes - streams map[uint32]*stream -+ unstartedHandlers []unstartedHandler - initialStreamSendWindowSize int32 - maxFrameSize int32 - peerMaxHeaderListSize uint32 // zero means unknown (default) -@@ -981,6 +983,8 @@ func (sc *serverConn) serve() { - return - case gracefulShutdownMsg: - sc.startGracefulShutdownInternal() -+ case handlerDoneMsg: -+ sc.handlerDone() - default: - panic("unknown timer") - } -@@ -1028,6 +1032,7 @@ var ( - idleTimerMsg = new(serverMessage) - shutdownTimerMsg = new(serverMessage) - gracefulShutdownMsg = new(serverMessage) -+ handlerDoneMsg = new(serverMessage) - ) - - func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } -@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { - } - } - -- go sc.runHandler(rw, req, handler) -- return nil -+ return sc.scheduleHandler(id, rw, req, handler) - } - - func (sc *serverConn) 
upgradeRequest(req *http.Request) { -@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) { - sc.conn.SetReadDeadline(time.Time{}) - } - -+ // This is the first request on the connection, -+ // so start the handler directly rather than going -+ // through scheduleHandler. -+ sc.curHandlers++ - go sc.runHandler(rw, req, sc.handler.ServeHTTP) - } - -@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response - return &responseWriter{rws: rws} - } - -+type unstartedHandler struct { -+ streamID uint32 -+ rw *responseWriter -+ req *http.Request -+ handler func(http.ResponseWriter, *http.Request) -+} -+ -+// scheduleHandler starts a handler goroutine, -+// or schedules one to start as soon as an existing handler finishes. -+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { -+ sc.serveG.check() -+ maxHandlers := sc.advMaxStreams -+ if sc.curHandlers < maxHandlers { -+ sc.curHandlers++ -+ go sc.runHandler(rw, req, handler) -+ return nil -+ } -+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { -+ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) -+ } -+ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ -+ streamID: streamID, -+ rw: rw, -+ req: req, -+ handler: handler, -+ }) -+ return nil -+} -+ -+func (sc *serverConn) handlerDone() { -+ sc.serveG.check() -+ sc.curHandlers-- -+ i := 0 -+ maxHandlers := sc.advMaxStreams -+ for ; i < len(sc.unstartedHandlers); i++ { -+ u := sc.unstartedHandlers[i] -+ if sc.streams[u.streamID] == nil { -+ // This stream was reset before its goroutine had a chance to start. 
-+ continue -+ } -+ if sc.curHandlers >= maxHandlers { -+ break -+ } -+ sc.curHandlers++ -+ go sc.runHandler(u.rw, u.req, u.handler) -+ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references -+ } -+ sc.unstartedHandlers = sc.unstartedHandlers[i:] -+ if len(sc.unstartedHandlers) == 0 { -+ sc.unstartedHandlers = nil -+ } -+} -+ - // Run on its own goroutine. - func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { -+ defer sc.sendServeMsg(handlerDoneMsg) - didPanic := true - defer func() { - rw.rws.stream.cancelCtx() --- -2.45.2 - diff --git a/SPECS/local-path-provisioner/CVE-2023-44487.patch b/SPECS/local-path-provisioner/CVE-2023-44487.patch deleted file mode 100644 index 5daf815464..0000000000 --- a/SPECS/local-path-provisioner/CVE-2023-44487.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From a0fd4b065528566eec54fe207aa5e3131babc378 Mon Sep 17 00:00:00 2001 -From: Monis Khan -Date: Sat, 7 Oct 2023 21:50:37 -0400 -Subject: [PATCH] Prevent rapid reset http2 DOS on API server - -This change fully addresses CVE-2023-44487 and CVE-2023-39325 for -the API server when the client is unauthenticated. - -The changes to util/runtime are required because otherwise a large -number of requests can get blocked on the time.Sleep calls. - -For unauthenticated clients (either via 401 or the anonymous user), -we simply no longer allow such clients to hold open http2 -connections. They can use http2, but with the performance of http1 -(with keep-alive disabled). - -Since this change has the potential to cause issues, the -UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to -remove this protection (it is enabled by default). For example, -when the API server is fronted by an L7 load balancer that is set up -to mitigate http2 attacks, unauthenticated clients could force -disable connection reuse between the load balancer and the API -server (many incoming connections could share the same backend -connection). An API server that is on a private network may opt to -disable this protection to prevent performance regressions for -unauthenticated clients. - -For all other clients, we rely on the golang.org/x/net fix in -https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd -That change is not sufficient to adequately protect against a -motivated client - future changes to Kube and/or golang.org/x/net -will be explored to address this gap. - -The Kube API server now uses a max stream of 100 instead of 250 -(this matches the Go http2 client default). This lowers the abuse -limit from 1000 to 400. 
- -Signed-off-by: Monis Khan - -Modified-by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> -- Adjust paths to apply to AzL3 package source -- Remove runtime_test.go portion of patch since AzL3 package source doesn't - contain that file - -Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb ---- - vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go | 15 +++++++++------ - 1 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -index d738725ca..3674914f7 100644 ---- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -+++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct { - // OnError will block if it is called more often than the embedded period time. - // This will prevent overly tight hot error loops. - func (r *rudimentaryErrorBackoff) OnError(error) { -+ now := time.Now() // start the timer before acquiring the lock - r.lastErrorTimeLock.Lock() -- defer r.lastErrorTimeLock.Unlock() -- d := time.Since(r.lastErrorTime) -- if d < r.minPeriod { -- // If the time moves backwards for any reason, do nothing -- time.Sleep(r.minPeriod - d) -- } -+ d := now.Sub(r.lastErrorTime) - r.lastErrorTime = time.Now() -+ r.lastErrorTimeLock.Unlock() -+ -+ // Do not sleep with the lock held because that causes all callers of HandleError to block. -+ // We only want the current goroutine to block. -+ // A negative or zero duration causes time.Sleep to return immediately. -+ // If the time moves backwards for any reason, do nothing. -+ time.Sleep(r.minPeriod - d) - } - - // GetCaller returns the caller of the function that calls it. diff --git a/SPECS/local-path-provisioner/CVE-2023-45288.patch b/SPECS/local-path-provisioner/CVE-2023-45288.patch deleted file mode 100644 index 80eaa40216..0000000000 
--- a/SPECS/local-path-provisioner/CVE-2023-45288.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -Author: Damien Neil -AuthorDate: 2024-01-10 13:41:39 -0800 -Commit: Gopher Robot -CommitDate: 2024-04-03 17:06:00 +0000 - -[internal-branch.go1.21-vendor] http2: close connections when receiving too many headers - -Maintaining HPACK state requires that we parse and process -all HEADERS and CONTINUATION frames on a connection. -When a request's headers exceed MaxHeaderBytes, we don't -allocate memory to store the excess headers but we do -parse them. This permits an attacker to cause an HTTP/2 -endpoint to read arbitrary amounts of data, all associated -with a request which is going to be rejected. - -Set a limit on the amount of excess header frames we -will process before closing a connection. - -Thanks to Bartek Nowotarski for reporting this issue. - -Fixes CVE-2023-45288 -For golang/go#65051 - -Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243 -Run-TryBot: Damien Neil -Reviewed-by: Dmitri Shuralyov -Reviewed-on: https://go-review.googlesource.com/c/net/+/576057 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Dmitri Shuralyov - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index c1f6b90..175c154 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -1565,6 +1565,7 @@ - if size > remainSize { - hdec.SetEmitEnabled(false) - mh.Truncated = true -+ remainSize = 0 - return - } - remainSize -= size -@@ -1577,6 +1578,36 @@ - var hc headersOrContinuation = hf - for { - frag := hc.HeaderBlockFragment() -+ -+ // Avoid parsing large amounts of headers that we will then discard. -+ // If the sender exceeds the max header list size by too much, -+ // skip parsing the fragment and close the connection. 
-+ // -+ // "Too much" is either any CONTINUATION frame after we've already -+ // exceeded the max header list size (in which case remainSize is 0), -+ // or a frame whose encoded size is more than twice the remaining -+ // header list bytes we're willing to accept. -+ if int64(len(frag)) > int64(2*remainSize) { -+ if VerboseLogs { -+ log.Printf("http2: header list too large") -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ -+ // Also close the connection after any CONTINUATION frame following an -+ // invalid header, since we stop tracking the size of the headers after -+ // an invalid one. -+ if invalid != nil { -+ if VerboseLogs { -+ log.Printf("http2: invalid header: %v", invalid) -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ - if _, err := hdec.Write(frag); err != nil { - return nil, ConnectionError(ErrCodeCompression) - } diff --git a/SPECS/local-path-provisioner/local-path-provisioner.signatures.json b/SPECS/local-path-provisioner/local-path-provisioner.signatures.json deleted file mode 100644 index f28de4a2b6..0000000000 --- a/SPECS/local-path-provisioner/local-path-provisioner.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "local-path-provisioner-0.0.24.tar.gz": "c7f22719de46fe7e0b552b83f08830c9d085639c13fb95e72ef139a040425fff" - } -} diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec deleted file mode 100644 index b90bd8dda6..0000000000 --- a/SPECS/local-path-provisioner/local-path-provisioner.spec +++ /dev/null 
@@ -1,94 +0,0 @@ -Summary: Provides a way for the Kubernetes users to utilize the local storage in each node -Name: local-path-provisioner -Version: 0.0.24 -Release: 6%{?dist} -License: ASL 2.0 -URL: https://github.com/rancher/local-path-provisioner -Group: Applications/Text -Vendor: Microsoft Corporation -Distribution: Azure Linux -Source0: https://github.com/rancher/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -#Note that the source file should be renamed to the format {name}-%%{version}.tar.gz -Patch0: CVE-2023-45288.patch -Patch1: CVE-2023-39325.patch -Patch2: CVE-2023-44487.patch -Patch3: CVE-2020-8565.patch -BuildRequires: golang - -%description -Provides a way for the Kubernetes users to utilize the local storage in each node. - -%prep -%autosetup -p1 - -%build -export CGO_ENABLED=0 -go build -mod=vendor - -%install -install -d %{buildroot}%{_bindir} -install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner - -%files -%{_bindir}/local-path-provisioner - -%changelog -* Fri Apr 28 2025 Ranjan Dutta - 0.0.24-6 -- merge from Azure Linux tag 3.0.20250423-3.0 -- Address CVE-2020-8565 - -* Fri Mar 21 2025 Anuj Mittal - 0.0.24-5 -- Bump Release to rebuild - -* Tue Mar 04 2025 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 0.0.24-4 -* Address CVE-2023-44487 - - -* Fri Feb 14 2025 Kanishk Bansal - 0.0.24-3 -- Address CVE-2023-45288, CVE-2023-39325 - -* Tue Sep 03 2024 Pawel Winogrodzki - 0.0.24-2 -- Release bump to fix package information. - -* Fri Oct 27 2023 CBL-Mariner Servicing Account - 0.0.24-1 -- Auto-upgrade to 0.0.24 - Azure Linux 3.0 - package upgrades - -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.0.21-13 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 0.0.21-12 -- Bump release to rebuild with updated version of Go. 
- -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 0.0.21-11 -- Bump release to rebuild with go 1.19.12 - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 0.0.21-10 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 0.0.21-9 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 0.0.21-8 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 0.0.21-7 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 0.0.21-6 -- Bump release to rebuild with go 1.19.6 - -* Fri Feb 03 2023 CBL-Mariner Servicing Account - 0.0.21-5 -- Bump release to rebuild with go 1.19.5 - -* Wed Jan 18 2023 CBL-Mariner Servicing Account - 0.0.21-4 -- Bump release to rebuild with go 1.19.4 - -* Fri Dec 16 2022 Daniel McIlvaney - 0.0.21-3 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Tue Nov 01 2022 Olivia Crain - 0.0.21-2 -- Bump release to rebuild with go 1.18.8 - -* Thu Jun 23 2022 Lior Lustgarten 0.0.21-1 -- Original version for CBL-Mariner -- License Verified diff --git a/SPECS/mariadb/CVE-2023-52971.patch b/SPECS/mariadb/CVE-2023-52971.patch new file mode 100644 index 0000000000..539898527c --- /dev/null +++ b/SPECS/mariadb/CVE-2023-52971.patch 
@@ -0,0 +1,157 @@ +From a9b6bf9fa83604ac13e921c150a2806a64d23f92 Mon Sep 17 00:00:00 2001 +From: Mayank Singh +Date: Mon, 5 May 2025 09:20:46 +0000 +Subject: [PATCH] Address CVE-2023-52971 +Upstream Reference Link: https://github.com/MariaDB/server/commit/3b4de4c281cb3e33e6d3ee9537e542bf0a84b83e + +--- + mysql-test/main/join_nested.result | 12 +++++ + mysql-test/main/join_nested.test | 13 ++++++ + mysql-test/main/join_nested_jcl6.result | 12 +++++ + sql/sql_select.cc | 58 +++++++++++++++++++++++-- + 4 files changed, 91 insertions(+), 4 deletions(-) + +diff --git a/mysql-test/main/join_nested.result b/mysql-test/main/join_nested.result +index cb9dffc8..56468518 100644 +--- a/mysql-test/main/join_nested.result ++++ b/mysql-test/main/join_nested.result +@@ -2051,3 +2051,15 @@ a b c a a b + DROP TABLE t1, t2, t3; + set join_cache_level= @save_join_cache_level; + # end of 10.3 tests ++# ++# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release ++# ++CREATE TABLE t1 (i int); ++INSERT INTO t1 values (1),(2); ++SELECT 1 FROM t1 WHERE i IN ++(SELECT 1 FROM t1 c ++LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); ++1 ++1 ++DROP TABLE t1; ++# end of 10.11 tests +diff --git a/mysql-test/main/join_nested.test b/mysql-test/main/join_nested.test +index ed1fe4c9..62370b95 100644 +--- a/mysql-test/main/join_nested.test ++++ b/mysql-test/main/join_nested.test +@@ -1458,3 +1458,16 @@ DROP TABLE t1, t2, t3; + set join_cache_level= @save_join_cache_level; + + --echo # end of 10.3 tests ++ ++--echo # ++--echo # MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release ++--echo # ++CREATE TABLE t1 (i int); ++INSERT INTO t1 values (1),(2); ++ ++SELECT 1 FROM t1 WHERE i IN ++ (SELECT 1 FROM t1 c ++ LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); ++ ++DROP TABLE t1; ++--echo # end of 10.11 tests +diff --git a/mysql-test/main/join_nested_jcl6.result b/mysql-test/main/join_nested_jcl6.result +index 
0bda8d43..50a1e83a 100644 +--- a/mysql-test/main/join_nested_jcl6.result ++++ b/mysql-test/main/join_nested_jcl6.result +@@ -2060,6 +2060,18 @@ a b c a a b + DROP TABLE t1, t2, t3; + set join_cache_level= @save_join_cache_level; + # end of 10.3 tests ++# ++# MDEV-32084: Assertion in best_extension_by_limited_search(), or crash elsewhere in release ++# ++CREATE TABLE t1 (i int); ++INSERT INTO t1 values (1),(2); ++SELECT 1 FROM t1 WHERE i IN ++(SELECT 1 FROM t1 c ++LEFT JOIN (t1 a LEFT JOIN t1 b ON t1.i = b.i) ON c.i = t1.i); ++1 ++1 ++DROP TABLE t1; ++# end of 10.11 tests + CREATE TABLE t5 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); + CREATE TABLE t6 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); + CREATE TABLE t7 (a int, b int, c int, PRIMARY KEY(a), KEY b_i (b)); +diff --git a/sql/sql_select.cc b/sql/sql_select.cc +index b88e8b4c..b8e15264 100644 +--- a/sql/sql_select.cc ++++ b/sql/sql_select.cc +@@ -18544,6 +18544,8 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top, + prev_table->dep_tables|= used_tables; + if (prev_table->on_expr) + { ++ /* If the ON expression is still there, it's an outer join */ ++ DBUG_ASSERT(prev_table->outer_join); + prev_table->dep_tables|= table->on_expr_dep_tables; + table_map prev_used_tables= prev_table->nested_join ? + prev_table->nested_join->used_tables : +@@ -18558,11 +18560,59 @@ simplify_joins(JOIN *join, List *join_list, COND *conds, bool top, + prevents update of inner table dependences. + For example it might happen if RAND() function + is used in JOIN ON clause. 
+- */ +- if (!((prev_table->on_expr->used_tables() & +- ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT)) & +- ~prev_used_tables)) ++ */ ++ table_map prev_on_expr_deps= prev_table->on_expr->used_tables() & ++ ~(OUTER_REF_TABLE_BIT | RAND_TABLE_BIT); ++ prev_on_expr_deps&= ~prev_used_tables; ++ ++ if (!prev_on_expr_deps) + prev_table->dep_tables|= used_tables; ++ else ++ { ++ /* ++ Another possible case is when prev_on_expr_deps!=0 but it depends ++ on a table outside this join nest. SQL name resolution don't allow ++ this but it is possible when LEFT JOIN is inside a subquery which ++ is converted into a semi-join nest, Example: ++ ++ t1 SEMI JOIN ( ++ t2 ++ LEFT JOIN (t3 LEFT JOIN t4 ON t4.col=t1.col) ON expr ++ ) ON ... ++ ++ here, we would have prev_table=t4, table=t3. The condition ++ "ON t4.col=t1.col" depends on tables {t1, t4}. To make sure the ++ optimizer puts t3 before t4 we need to make sure t4.dep_tables ++ includes t3. ++ */ ++ ++ DBUG_ASSERT(table->embedding == prev_table->embedding); ++ if (table->embedding) ++ { ++ /* ++ Find what are the "peers" of "table" in the join nest. Normally, ++ it is table->embedding->nested_join->used_tables, but here we are ++ in the process of recomputing that value. ++ So, we walk the join list and collect the bitmap of peers: ++ */ ++ table_map peers= 0; ++ List_iterator_fast li(*join_list); ++ TABLE_LIST *peer; ++ while ((peer= li++)) ++ { ++ table_map curmap= peer->nested_join ++ ? peer->nested_join->used_tables ++ : peer->get_map(); ++ peers|= curmap; ++ } ++ /* ++ If prev_table doesn't depend on any of its peers, add a ++ dependency on nearest peer, that is, on 'table'. ++ */ ++ if (!(prev_on_expr_deps & peers)) ++ prev_table->dep_tables|= used_tables; ++ } ++ } + } + } + prev_table= table; +-- +2.45.3 + diff --git a/SPECS/mariadb/LICENSE.clustercheck b/SPECS/mariadb/LICENSE.clustercheck new file mode 100644 index 0000000000..609015d07c --- /dev/null +++ b/SPECS/mariadb/LICENSE.clustercheck 
@@ -0,0 +1,27 @@ +Copyright (c) 2012-2014, Olaf van Zandwijk +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +3. Neither the name of the copyright holder nor the names of its contributors + may be used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/SPECS/mariadb/README.mariadb-docs b/SPECS/mariadb/README.mariadb-docs new file mode 100644 index 0000000000..bff53eb8dc --- /dev/null +++ b/SPECS/mariadb/README.mariadb-docs 
@@ -0,0 +1,9 @@ +MariaDB haven't yet made a document package available for offline. + +You can create your own copy with the instructions here: + +https://mariadb.com/kb/en/meta/mirroring-the-mariadb-knowledge-base/ + +You can find view the on-line documentation at: + +https://mariadb.com/kb/en/documentation/ diff --git a/SPECS/mariadb/README.md b/SPECS/mariadb/README.md new file mode 100644 index 0000000000..14226ddc55 --- /dev/null +++ b/SPECS/mariadb/README.md @@ -0,0 +1,3 @@ +# mariadb10.11 + +The mariadb10.11 package diff --git a/SPECS/mariadb/README.wsrep_sst_rsync_tunnel b/SPECS/mariadb/README.wsrep_sst_rsync_tunnel new file mode 100644 index 0000000000..0222b34a32 --- /dev/null +++ b/SPECS/mariadb/README.wsrep_sst_rsync_tunnel 
@@ -0,0 +1,132 @@ +socat tunnel for encrypted rsync SST +==================================== + +`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer) +implementation that ships with mariadb. Its purpose is to encrypt +communication between the donor and the joiner during an SST. + +Encryption is implemented by means of a socat tunnel, using OPENSSL +addresses. It can be configured via the regular openssl flags exposed +by socat. + + +## How to configure the script + +This SST script can configured by setting a few keys in your favorite +mariadb option file in addition to the usual galera settings. + + [mysqld] + ... + bind_address= + wsrep_sst_method=rsync_tunnel + ... + + [sst] + tca=/path/to/your/ca-file.crt + tcert=/path/to/node/certificate.crt + tkey=/path/to/node/key.key + sockopt= + +When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses +socat to listen to incoming SSL connections on port 4444 in lieu of +the original rsync daemon. Received data will be forwarded to the +rscynd daemon started locally to replicate the database. + +When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes +a series of rsync calls that target a locally started socat daemon. +The daemon tunnels all rsync traffic into an encrypted SSL connection +that targets the joiner's end of the socat tunnel. + +Encryption parameters are specified under the `[sst]` group in the +mariadb option file, where `tkey` and `tcert` are respectively the key +and the certificate that are used by both sides of the socat tunnel. +Each node typically has a different key and cert. Both key and +certificate can be combined into a single PEM file and referenced by +`tcert`. Option `tca` holds a list of the trusted signing +certificates. + +In case you need to tweak the creation of the SSL connection, you can +pass valid socat options (as per socat manual) via the `sockopt` key. 
+For debugging purpose, the exact socat command that is being executed +shows up in the mariadb log file. + +Note that socat verifies that the certificate's commonName matches +that of the host that is being targeted. The target name comes from +the value configured in `bind_address`, so it's important that it +matches the certificate's commonName. An IP address can be used for +`bind_address`, but you may get into trouble in case different +hostnames resolve to the same IP (e.g. multiple networks per host). + + +## Examples of use + +Suppose you're running a 3-node galera cluster +`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`. + +### Scenario: using self-signed certificates + +On each node, create a key and a certificate, and bundle them into a +single PEM file. For instance on `node1.my.cluster`: + + openssl genrsa -out /tls/mysql-$(hostname -f).key 2048 + openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch + cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem + +Then, on each node, create a cafile that will contain all the certs to +trust: + + for n in node1.my.cluster node2.my.cluster node3.my.cluster; do + ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt + done + +Once you have those two files on each host, you can configure the SST +appropriately. For instance from `/etc/my.cnf.d/galera.cnf`: + + [mysqld] + ... + + [sst] + tca=/tls/all-mysql.crt + tcert=/tls/mysql.pem + +### Scenario: using self-signed certificates, without verification + +By default, when socat tries to establish a SSL connection to a peer, +it also verifies that it can trust the peer's certificate. If for some +reason you need to disable that feature, you can amend the previous +configuration with a sockopt option: + + [mysqld] + ... 
+ + [sst] + tca=/tls/all-mysql.crt + tcert=/tls/mysql.pem + sockopt="verify=0" + +The associated sockopt value is passed to socat when +the donor or the joiner configures his part of the tunnel. + +Note: please do not do so in production, this is inherently insecure +as you will not verify the identity of the peer you're connecting to! + +### Scenario: using certificates from a CA + +Suppose you have a FreeIPA service which generated a key file and a +certificate file for the three galera nodes, respectively located at +/tls/mysql.key and /tls/mysql.crt. + +Assuming that the certificate for the FreeIPA server is available at +/etc/ipa/ca.crt, you can configure you galera servers as follows: + + [sst] + tca=/etc/ipa/ca.crt + tcert=/tls/mysql.crt + tkey=/tls/mysql.key + +## License + +Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin). +This work is derived from the original `wsrep_rsync_sst`, copyright +© 2010-2014 [Codership Oy](https://github.com/codership). +Released under the GNU GPLv2. diff --git a/SPECS/mariadb/clustercheck.sh b/SPECS/mariadb/clustercheck.sh new file mode 100644 index 0000000000..782dbb6f1e --- /dev/null +++ b/SPECS/mariadb/clustercheck.sh 
@@ -0,0 +1,89 @@ +#!/bin/bash +# +# Script to make a proxy (ie HAProxy) capable of monitoring Galera cluster nodes properly +# +# Author: Olaf van Zandwijk +# Author: Raghavendra Prabhu +# Author: Ryan O'Hara +# +# Documentation and download: https://github.com/olafz/percona-clustercheck +# +# Based on the original script from Unai Rodriguez +# + +if [ -f @INSTALL_SYSCONFDIR@/sysconfig/clustercheck ]; then + . @INSTALL_SYSCONFDIR@/sysconfig/clustercheck +fi + +MYSQL_USERNAME="${MYSQL_USERNAME-clustercheckuser}" +MYSQL_PASSWORD="${MYSQL_PASSWORD-clustercheckpassword!}" +MYSQL_HOST="${MYSQL_HOST:-127.0.0.1}" +MYSQL_PORT="${MYSQL_PORT:-3306}" +ERR_FILE="${ERR_FILE:-/dev/null}" +AVAILABLE_WHEN_DONOR=${AVAILABLE_WHEN_DONOR:-0} +AVAILABLE_WHEN_READONLY=${AVAILABLE_WHEN_READONLY:-1} +DEFAULTS_EXTRA_FILE=${DEFAULTS_EXTRA_FILE:-@INSTALL_SYSCONFDIR@/my.cnf} + +#Timeout exists for instances where mysqld may be hung +TIMEOUT=10 + +if [[ -r $DEFAULTS_EXTRA_FILE ]];then + MYSQL_CMDLINE="mysql --defaults-extra-file=$DEFAULTS_EXTRA_FILE -nNE \ + --connect-timeout=$TIMEOUT \ + --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} \ + --host=${MYSQL_HOST} --port=${MYSQL_PORT}" +else + MYSQL_CMDLINE="mysql -nNE --connect-timeout=$TIMEOUT \ + --user=${MYSQL_USERNAME} --password=${MYSQL_PASSWORD} \ + --host=${MYSQL_HOST} --port=${MYSQL_PORT}" +fi +# +# Perform the query to check the wsrep_local_state +# +WSREP_STATUS=$($MYSQL_CMDLINE -e "SHOW STATUS LIKE 'wsrep_local_state';" \ + 2>${ERR_FILE} | tail -1 2>>${ERR_FILE}) + +if [[ "${WSREP_STATUS}" == "4" ]] || [[ "${WSREP_STATUS}" == "2" && ${AVAILABLE_WHEN_DONOR} == 1 ]] +then + # Check only when set to 0 to avoid latency in response. + if [[ $AVAILABLE_WHEN_READONLY -eq 0 ]];then + READ_ONLY=$($MYSQL_CMDLINE -e "SHOW GLOBAL VARIABLES LIKE 'read_only';" \ + 2>${ERR_FILE} | tail -1 2>>${ERR_FILE}) + + if [[ "${READ_ONLY}" == "ON" ]];then + # Galera cluster node local state is 'Synced', but it is in + # read-only mode. 
The variable AVAILABLE_WHEN_READONLY is set to 0. + # => return HTTP 503 + # Shell return-code is 1 + echo -en "HTTP/1.1 503 Service Unavailable\r\n" + echo -en "Content-Type: text/plain\r\n" + echo -en "Connection: close\r\n" + echo -en "Content-Length: 35\r\n" + echo -en "\r\n" + echo -en "Galera cluster node is read-only.\r\n" + sleep 0.1 + exit 1 + fi + fi + # Galera cluster node local state is 'Synced' => return HTTP 200 + # Shell return-code is 0 + echo -en "HTTP/1.1 200 OK\r\n" + echo -en "Content-Type: text/plain\r\n" + echo -en "Connection: close\r\n" + echo -en "Content-Length: 32\r\n" + echo -en "\r\n" + echo -en "Galera cluster node is synced.\r\n" + sleep 0.1 + exit 0 +else + # Galera cluster node local state is not 'Synced' => return HTTP 503 + # Shell return-code is 1 + echo -en "HTTP/1.1 503 Service Unavailable\r\n" + echo -en "Content-Type: text/plain\r\n" + echo -en "Connection: close\r\n" + echo -en "Content-Length: 36\r\n" + echo -en "\r\n" + echo -en "Galera cluster node is not synced.\r\n" + sleep 0.1 + exit 1 +fi diff --git a/SPECS/mariadb/mariadb-check-socket.sh b/SPECS/mariadb/mariadb-check-socket.sh new file mode 100644 index 0000000000..51a7e43107 --- /dev/null +++ b/SPECS/mariadb/mariadb-check-socket.sh 
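Review bot: Both `MYSQL_CMDLINE` assignments put `--password=${MYSQL_PASSWORD}` on the mysql command line, so the monitoring password appears in the process arguments where other local users can read it, at least until the client masks it. The fallback `clustercheckpassword!` is also a publicly known default. When `$DEFAULTS_EXTRA_FILE` is readable I would drop `--user`/`--password` from the command and keep the credentials in a `[client]` section of that file, readable only by the account that runs the check. `$MYSQL_CMDLINE` is expanded unquoted at both call sites, so a password containing whitespace or glob characters is split or expanded; building the command as an array and calling `"${MYSQL_CMD[@]}" -e "..."` avoids that.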
@@ -0,0 +1,39 @@ +#!/bin/sh + +# We check if there is already a process using the socket file, +# since otherwise the systemd service file could report false +# positive result when starting and mysqld_safe could remove +# a socket file, which is actually being used by a different daemon. + +source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common" + +if test -e "$socketfile" ; then + echo "Socket file $socketfile exists." >&2 + + # no write permissions + if ! test -w "$socketfile" ; then + echo "Not enough permission to write to the socket file $socketfile, which is suspicious." >&2 + echo "Please, remove $socketfile manually to start the service." >&2 + exit 1 + fi + + # not a socket file + if ! test -S "$socketfile" ; then + echo "The file $socketfile is not a socket file, which is suspicious." >&2 + echo "Please, remove $socketfile manually to start the service." >&2 + exit 1 + fi + + # some process uses the socket file + response=`@bindir@/mariadb-admin --no-defaults --socket="$socketfile" --user=UNKNOWN_MYSQL_USER --connect-timeout="${CHECKSOCKETTIMEOUT:-10}" ping 2>&1` + if [ $? -eq 0 ] || echo "$response" | grep -q "Access denied for user" ; then + echo "Is another MariaDB daemon already running with the same unix socket?" >&2 + echo "Please, stop the process using the socket $socketfile or remove the file manually to start the service." >&2 + exit 1 + fi + + # socket file is a garbage + echo "No process is using $socketfile, which means it is a garbage, so it will be removed automatically." >&2 +fi + +exit 0 diff --git a/SPECS/mariadb/mariadb-check-upgrade.sh b/SPECS/mariadb/mariadb-check-upgrade.sh new file mode 100644 index 0000000000..fe9554420c --- /dev/null +++ b/SPECS/mariadb/mariadb-check-upgrade.sh 
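Review bot: The script declares `#!/bin/sh`, but its first command uses `source` and `${BASH_SOURCE[0]}`, which are bash features, so on a system where `/bin/sh` is a strict POSIX shell it fails before any socket check runs. Either change the shebang to `#!/bin/bash` or use `. "$(dirname "$0")/mariadb-scripts-common"`. The same applies to mariadb-check-upgrade.sh, which additionally uses `[[ ... =~ ... ]]`, and to mariadb-prepare-db-dir.sh. The inner `dirname ${BASH_SOURCE[0]}` is also unquoted, so an install path containing spaces breaks the include; the quoted form is `source "$(dirname "${BASH_SOURCE[0]}")/mariadb-scripts-common"`.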
@@ -0,0 +1,39 @@ +#!/bin/sh + +source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common" + +upgrade_info_file="$datadir/mysql_upgrade_info" +version=0 +# get version as integer from mysql_upgrade_info file +if [ -f "$upgrade_info_file" ] && [ -r "$upgrade_info_file" ] ; then + version_major=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\1/') + version_minor=$(cat "$upgrade_info_file" | head -n 1 | sed -e 's/\([0-9]*\)\.\([0-9]*\)\..*$/\2/') + if [[ $version_major =~ ^[0-9]+$ ]] && [[ $version_minor =~ ^[0-9]+$ ]] ; then + version=$((version_major*100+version_minor)) + fi +fi + +# compute current version as integer +thisversion=$((@MAJOR_VERSION@*100+@MINOR_VERSION@)) + +# provide warning in cases we should run mysql_upgrade +if [ $version -ne $thisversion ] ; then + + # give extra warning if some version seems to be skipped + if [ $version -gt 0 ] && [ $version -lt 505 ] ; then + echo "The datadir located at $datadir seems to be older than of a version 5.5. Please, mind that as a general rule, to upgrade from one release series to another, go to the next series rather than skipping a series." >&2 + fi + + cat <&2 +The datadir located at $datadir needs to be upgraded using 'mariadb-upgrade' tool. This can be done using the following steps: + + 1. Back-up your data before with 'mariadb-upgrade' + 2. Start the database daemon using 'systemctl start @DAEMON_NAME@.service' + 3. Run 'mariadb-upgrade' with a database user that has sufficient privileges + +Read more about 'mariadb-upgrade' usage at: +https://mariadb.com/kb/en/mysql_upgrade/ +EOF +fi + +exit 0 diff --git a/SPECS/mariadb/mariadb-libfmt.patch b/SPECS/mariadb/mariadb-libfmt.patch new file mode 100644 index 0000000000..58f1e63a3a --- /dev/null +++ b/SPECS/mariadb/mariadb-libfmt.patch 
@@ -0,0 +1,31 @@ +MariaDB upstream uses an old version (8.0) of the FMT library, unlike Fedora which packs a current one (10.2) + https://src.fedoraproject.org/rpms/fmt + https://github.com/MariaDB/server/blob/10.11/cmake/libfmt.cmake#L18 + +There is a breaking change between the FMT library version 8 and 10. +Sergei Golubchik from MariaDB upstream noticed that and decided to not rebase to the newer version for now. In the same commit: + https://github.com/MariaDB/server/commit/b5c367cd88e37091ab5f8dab0396c01c97d037e2 +He also fixed the CMake file controlling the FMT library. +It now correctly detects, whether the system version is able to compile a given code in an expected way. + +The incompatibility between FMT library version has been reported both agains Fedora and FMT upstream + https://bugzilla.redhat.com/show_bug.cgi?id=2266807 +The upstream created a patch and Fedora backported it + https://src.fedoraproject.org/rpms/fmt/c/7d6d6e2c33e845b3cbf3fcaf83f14dfeddfa8a70?branch=rawhide +but only in F40 and later. + +To avoid potential issues on systems with FMT library between 8.0 and the one with the fix backported, +introduce a bundling mechanism for use on such distributions. +We pre-download the sources archive and supply the CMake with it, instead of the web URL. + +--- mariadb-10.11.10/cmake/libfmt.cmake 2024-10-29 15:32:31.000000000 +0100 ++++ mariadb-10.11.10/cmake/libfmt.cmake_patched 2024-11-14 12:06:35.961435488 +0100 +@@ -15,7 +15,7 @@ MACRO(BUNDLE_LIBFMT) + ExternalProject_Add( + libfmt + PREFIX "${dir}" +- URL "https://github.com/fmtlib/fmt/releases/download/11.0.2/fmt-11.0.2.zip" ++ URL "file:///${dir}/fmt-11.0.2.zip" + URL_MD5 c622dca45ec3fc95254c48370a9f7a1d + INSTALL_COMMAND "" + CONFIGURE_COMMAND "" diff --git a/SPECS/mariadb/mariadb-logrotate.patch b/SPECS/mariadb/mariadb-logrotate.patch new file mode 100644 index 0000000000..ec522b0306 --- /dev/null +++ b/SPECS/mariadb/mariadb-logrotate.patch 
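Review bot: The bundled archive is still checked only with `URL_MD5 c622dca45ec3fc95254c48370a9f7a1d`, which the patch leaves as context beneath the new `URL "file:///${dir}/fmt-11.0.2.zip"` line; MD5 is not collision resistant, so it is a weak integrity pin for a source archive. Since the patch already edits this `ExternalProject_Add` call, it could replace that line with `URL_HASH SHA256=<sha256-of-fmt-11.0.2.zip>` (placeholder; the digest is not given on this page). Presumably the spec's signatures file also pins the pre-downloaded archive, in which case this is defence in depth rather than the only check. The description above the hunk speaks of upstream using fmt 8.0 while the URL names 11.0.2, so a sentence stating which version is actually bundled would avoid confusion.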
@@ -0,0 +1,32 @@ +Adjust the 'mariadb.logrotate.sh' script in several ways: + +* Use the correct log file pathname for Red Hat installations. + +* Remove Debian specific code + for the very unlikely, but possible scenario + in which the debian config file would exist. + +--- mariadb-10.11.6/support-files/mariadb.logrotate.sh 2023-11-08 16:51:43.000000000 +0100 ++++ mariadb-10.11.6/support-files/mariadb.logrotate.sh_patched 2023-12-17 18:03:36.955861025 +0100 +@@ -6,7 +6,7 @@ + # Read https://mariadb.com/kb/en/error-log/ to learn more about logging and + # https://mariadb.com/kb/en/rotating-logs-on-unix-and-linux/ about rotating logs. + +-@localstatedir@/mysqld.log @localstatedir@/mariadb.log @logdir@/*.log { ++@LOG_LOCATION@ { + + # Depends on a mysql@localhost unix_socket authenticated user with RELOAD privilege + @su_user@ +@@ -45,11 +45,6 @@ + # has thanks to the default use of Unix socket authentication for the 'mysql' + # (or root on Debian) account used everywhere since MariaDB 10.4. + postrotate +- if test -r /etc/mysql/debian.cnf +- then +- EXTRAPARAM='--defaults-file=/etc/mysql/debian.cnf' +- fi +- + if test -x @bindir@/mariadb-admin + then + @bindir@/mariadb-admin $EXTRAPARAM --local flush-error-log \ + diff --git a/SPECS/mariadb/mariadb-mtr.patch b/SPECS/mariadb/mariadb-mtr.patch new file mode 100644 index 0000000000..592f73ca4e --- /dev/null +++ b/SPECS/mariadb/mariadb-mtr.patch 
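Review bot: The patch removes the `debian.cnf` block, which is the only assignment of `EXTRAPARAM` visible here, yet the `@bindir@/mariadb-admin $EXTRAPARAM --local flush-error-log \` line still expands it, unquoted. The postrotate command would then take extra arguments from whatever environment logrotate runs in. I would extend the hunk to drop the variable from that line: `@bindir@/mariadb-admin --local flush-error-log \`. The postrotate block continues outside the hunk, so any later use of `EXTRAPARAM` there needs the same treatment.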
@@ -0,0 +1,70 @@ +diff --git a/mysql-test/mariadb-test-run.pl b/mysql-test/mariadb-test-run.pl +index 594e052a16e..6a274b2d597 100755 +--- a/mysql-test/mariadb-test-run.pl ++++ b/mysql-test/mariadb-test-run.pl +@@ -1491,7 +1491,6 @@ sub command_line_setup { + mtr_warning ("Port base $opt_port_base rounded down to multiple of 10"); + $opt_port_base-= $rem; + } +- $opt_build_thread= $opt_port_base / 10 - 1000; + } + + # -------------------------------------------------------------------------- +@@ -1719,11 +1718,6 @@ sub command_line_setup { + # an environment variable can be used to control all ports. A small + # number is to be used, 0 - 16 or similar. + # +-# Note the MASTER_MYPORT has to be set the same in all 4.x and 5.x +-# versions of this script, else a 4.0 test run might conflict with a +-# 5.1 test run, even if different MTR_BUILD_THREAD is used. This means +-# all port numbers might not be used in this version of the script. +-# + # Also note the limitation of ports we are allowed to hand out. This + # differs between operating systems and configuration, see + # http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html +@@ -1734,10 +1728,14 @@ sub set_build_thread_ports($) { + + if ( lc($opt_build_thread) eq 'auto' ) { + my $found_free = 0; +- $build_thread = 300; # Start attempts from here +- my $build_thread_upper = $build_thread + ($opt_parallel > 1500 +- ? 3000 +- : 2 * $opt_parallel) + 300; ++ if ($opt_port_base eq "auto") { ++ $build_thread = 15000; ++ } else { ++ $build_thread = $opt_port_base; ++ } ++ $build_thread += ($thread - 1) * $opt_port_group_size; ++ my $build_thread_upper = $build_thread + $opt_parallel * 2; ++ + while (! $found_free) + { + $build_thread= mtr_get_unique_id($build_thread, $build_thread_upper); +@@ -1754,7 +1752,7 @@ sub set_build_thread_ports($) { + } + else + { +- $build_thread = $opt_build_thread + $thread - 1; ++ $build_thread = $opt_port_base + $thread - 1; + if (! 
check_ports_free($build_thread)) { + # Some port was not free(which one has already been printed) + mtr_error("Some port(s) was not free") +@@ -1763,7 +1761,7 @@ sub set_build_thread_ports($) { + $ENV{MTR_BUILD_THREAD}= $build_thread; + + # Calculate baseport +- $baseport= $build_thread * $opt_port_group_size + 10000; ++ $baseport= $build_thread; + if ( $baseport < 5001 or $baseport + $opt_port_group_size >= 32767 ) + { + mtr_error("MTR_BUILD_THREAD number results in a port", +@@ -2968,7 +2966,7 @@ sub kill_leftovers ($) { + sub check_ports_free ($) + { + my $bthread= shift; +- my $portbase = $bthread * $opt_port_group_size + 10000; ++ my $portbase = $bthread; + for ($portbase..$portbase+($opt_port_group_size-1)){ + if (mtr_ping_port($_)){ + mtr_report(" - 'localhost:$_' was not free"); diff --git a/SPECS/mariadb/mariadb-ownsetup.patch b/SPECS/mariadb/mariadb-ownsetup.patch new file mode 100644 index 0000000000..7728cf1a62 --- /dev/null +++ b/SPECS/mariadb/mariadb-ownsetup.patch 
@@ -0,0 +1,31 @@ +--- mariadb-10.4.14/support-files/CMakeLists.txt 2020-08-06 17:28:28.000000000 +0200 ++++ mariadb-10.4.14/support-files/CMakeLists.txt_patched 2020-09-03 13:21:07.826658279 +0200 +@@ -187,6 +187,7 @@ IF(UNIX) + COMPONENT SharedLibraries) + INSTALL(FILES rpm/mysql-clients.cnf DESTINATION ${INSTALL_SYSCONF2DIR} + COMPONENT Client) ++ CONFIGURE_FILE(rpm/server.cnf ${CMAKE_CURRENT_SOURCE_DIR}/rpm/server.cnf @ONLY) + INSTALL(FILES rpm/server.cnf DESTINATION ${INSTALL_SYSCONF2DIR} + COMPONENT IniFiles) + INSTALL(FILES rpm/enable_encryption.preset DESTINATION ${INSTALL_SYSCONF2DIR} + +diff -up mariadb-10.0.15/support-files/rpm/server.cnf.ownsetup mariadb-10.0.15/support-files/rpm/server.cnf +--- mariadb-10.0.15/support-files/rpm/server.cnf.ownsetup 2015-01-24 23:55:55.110063592 +0100 ++++ mariadb-10.0.15/support-files/rpm/server.cnf 2015-01-24 23:57:42.308114387 +0100 +@@ -9,7 +9,16 @@ + [server] + + # this is only for the mysqld standalone daemon ++# Settings user and group are ignored when systemd is used. ++# If you need to run mysqld under a different user or group, ++# customize your systemd unit file for mysqld/mariadb according to the ++# instructions in http://fedoraproject.org/wiki/Systemd + [mysqld] ++datadir=@MYSQL_DATADIR@ ++socket=@MYSQL_UNIX_ADDR@ ++log-error=@LOG_LOCATION@ ++pid-file=@PID_FILE_DIR@/@DAEMON_NO_PREFIX@.pid ++ + + # + # * Galera-related settings diff --git a/SPECS/mariadb/mariadb-prepare-db-dir.sh b/SPECS/mariadb/mariadb-prepare-db-dir.sh new file mode 100644 index 0000000000..cccfe96e80 --- /dev/null +++ b/SPECS/mariadb/mariadb-prepare-db-dir.sh 
@@ -0,0 +1,137 @@ +#!/bin/sh + +# This script creates the MariaDB data directory during first service start. +# In subsequent starts, it does nothing much. + +source "`dirname ${BASH_SOURCE[0]}`/mariadb-scripts-common" + +export LC_ALL=C + +# Returns content of the specified directory +# If listing files fails, fake-file is returned so which means +# we'll behave like there was some data initialized +# Some files or directories are fine to be there, so those are +# explicitly removed from the listing +# @param datadir +list_datadir () +{ + ( ls -1A "$1" 2>/dev/null || echo "fake-file" ) | grep -v \ + -e '^lost+found$' \ + -e '\.err$' \ + -e '^.bash_history$' +} + +# Checks whether datadir should be initialized +# @param datadir +should_initialize () +{ + test -z "$(list_datadir "$1")" +} + +# If two args given first is user, second is group +# otherwise the arg is the systemd service file +if [ "$#" -eq 2 ] +then + myuser="$1" + mygroup="$2" +else + # Absorb configuration settings from the specified systemd service file, + # or the default service if not specified + SERVICE_NAME="$1" + if [ x"$SERVICE_NAME" = x ] + then + SERVICE_NAME=@DAEMON_NAME@.service + fi + + myuser=`systemctl show -p User "${SERVICE_NAME}" | + sed 's/^User=//'` + if [ x"$myuser" = x ] + then + myuser=mysql + fi + + mygroup=`systemctl show -p Group "${SERVICE_NAME}" | + sed 's/^Group=//'` + if [ x"$mygroup" = x ] + then + mygroup=mysql + fi +fi + +# Set up the errlogfile with appropriate permissions +if [ ! -e "$errlogfile" -a ! -h "$errlogfile" -a x$(dirname "$errlogfile") = "x/var/log" ]; then + case $(basename "$errlogfile") in + mysql*.log|mariadb*.log) install /dev/null -m0640 -o$myuser -g$mygroup "$errlogfile" ;; + *) ;; + esac +else + # Provide some advice if the log file cannot be created by this script + errlogdir=$(dirname "$errlogfile") + if ! [ -d "$errlogdir" ] ; then + echo "The directory $errlogdir does not exist." >&2 + exit 1 + elif [ -e "$errlogfile" -a ! 
-w "$errlogfile" ] ; then + echo "The log file $errlogfile cannot be written, please, fix its permissions." >&2 + echo "The daemon will be run under $myuser:$mygroup" >&2 + exit 1 + fi +fi + +# Make the data directory if doesn't exist or empty +if should_initialize "$datadir" ; then + # First, make sure $datadir is there with correct permissions + # (note: if it's not, and we're not root, this'll fail ...) + if [ ! -e "$datadir" -a ! -h "$datadir" ] + then + mkdir -p "$datadir" || exit 1 + fi + chown "$myuser:$mygroup" "$datadir" + chmod 0755 "$datadir" + [ -x /sbin/restorecon ] && /sbin/restorecon "$datadir" + + # Now create the database + echo "Initializing @NICE_PROJECT_NAME@ database" >&2 + # Avoiding deletion of files not created by mysql_install_db is + # guarded by time check and sleep should help work-arounded + # potential issues on systems with 1 second resolution timestamps + # https://bugzilla.redhat.com/show_bug.cgi?id=1335849#c19 + INITDB_TIMESTAMP=`LANG=C date -u` + sleep 1 + @bindir@/mariadb-install-db --rpm --datadir="$datadir" --user="$myuser" --skip-test-db >&2 + ret=$? + if [ $ret -ne 0 ] ; then + echo "Initialization of @NICE_PROJECT_NAME@ database failed." >&2 + echo "Perhaps @sysconfdir@/my.cnf is misconfigured or there is some problem with permissions of $datadir." >&2 + # Clean up any partially-created database files + if [ ! -e "$datadir/mysql/user.frm" ] && [ -d "$datadir" ] ; then + echo "Initialization of @NICE_PROJECT_NAME@ database was not finished successfully." >&2 + echo "Files created so far will be removed." >&2 + find "$datadir" -mindepth 1 -maxdepth 1 -newermt "$INITDB_TIMESTAMP" \ + -not -name "lost+found" -exec rm -rf {} + + if [ $? -ne 0 ] ; then + echo "Removing of created files was not successfull." >&2 + echo "Please, clean directory $datadir manually." >&2 + fi + else + echo "However, part of data has been initialized and those will not be removed." >&2 + echo "Please, clean directory $datadir manually." 
>&2 + fi + exit $ret + fi + # upgrade does not need to be run on a fresh datadir + echo "@VERSION@-MariaDB" >"$datadir/mysql_upgrade_info" +else + if [ -d "$datadir/mysql/" ] ; then + # mysql dir exists, it seems data are initialized properly + echo "Database @NICE_PROJECT_NAME@ is probably initialized in $datadir already, nothing is done." + echo "If this is not the case, make sure the $datadir is empty before running `basename $0`." + else + # if the directory is not empty but mysql/ directory is missing, then + # print error and let user to initialize manually or empty the directory + echo "Database @NICE_PROJECT_NAME@ is not initialized, but the directory $datadir is not empty, so initialization cannot be done." >&2 + echo "Make sure the $datadir is empty before running `basename $0`." >&2 + exit 1 + fi +fi + +exit 0 diff --git a/SPECS/mariadb/mariadb-scripts-common.sh b/SPECS/mariadb/mariadb-scripts-common.sh new file mode 100644 index 0000000000..e603a9e1d9 --- /dev/null +++ b/SPECS/mariadb/mariadb-scripts-common.sh 
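Review bot: The shebang is `#!/bin/sh`, but the first statement uses `source` and `${BASH_SOURCE[0]}`, which are bash features; where /bin/sh is not bash the script fails or continues with `datadir` and `errlogfile` unset. Declaring `#!/bin/bash` makes the dependency explicit. The log-file step also passes `-o$myuser -g$mygroup` and `x$(dirname "$errlogfile")` unquoted, although those values come from the command line, `systemctl show` or the server configuration. Because this helper creates files and changes ownership, quoting them (`-o "$myuser" -g "$mygroup"`) keeps an unexpected value from being split into extra arguments.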
@@ -0,0 +1,68 @@ +#!/bin/sh + +# Some useful functions used in other MariaDB helper scripts +# This scripts defines variables datadir, errlogfile, socketfile + +export LC_ALL=C + +# extract value of a MariaDB option from config files +# Usage: get_mysql_option VARNAME DEFAULT SECTION [ SECTION, ... ] +# result is returned in $result +# We use my_print_defaults which prints all options from multiple files, +# with the more specific ones later; hence take the last match. +get_mysql_option(){ + if [ $# -ne 3 ] ; then + echo "get_mysql_option requires 3 arguments: section option default_value" + return + fi + sections="$1" + option_name="$2" + default_value="$3" + result=`@bindir@/my_print_defaults $my_print_defaults_extra_args $sections | sed -n "s/^--${option_name}=//p" | tail -n 1` + if [ -z "$result" ]; then + # not found, use default + result="${default_value}" + fi +} + +# For the case of running more instances via systemd, scripts that source +# this file can get --default-group-suffix or similar option as the first +# argument. The utility my_print_defaults needs to use it as well, so the +# scripts sourcing this file work with the same options as the daemon. +my_print_defaults_extra_args='' +while echo "$1" | grep -q '^--defaults' ; do + my_print_defaults_extra_args="${my_print_defaults_extra_args} $1" + shift +done + +# Defaults here had better match what mariadbd-safe will default to +# The option values are generally defined on three important places +# on the default installation: +# 1) default values are hardcoded in the code of mariadbd daemon or +# mariadbd-safe script +# 2) configurable values are defined in @sysconfdir@/my.cnf +# 3) default values for helper scripts are specified bellow +# So, in case values are defined in my.cnf, we need to get that value. +# In case they are not defined in my.cnf, we need to get the same value +# in the daemon, as in the helper scripts. 
Thus, default values here +# must correspond with values defined in mariadbd-safe script and source +# code itself. + +server_sections="mysqld_safe mysqld server mysqld-@MAJOR_VERSION@.@MINOR_VERSION@ mariadb mariadb-@MAJOR_VERSION@.@MINOR_VERSION@ mariadbd mariadbd-@MAJOR_VERSION@.@MINOR_VERSION@ client-server galera" + +get_mysql_option "$server_sections" datadir "@MYSQL_DATADIR@" +datadir="$result" + +# if there is log_error in the my.cnf, my_print_defaults still +# returns log-error +# log-error might be defined in mysqld_safe and mysqld sections, +# the former has bigger priority +get_mysql_option "$server_sections" log-error "$datadir/`uname -n`.err" +errlogfile="$result" + +get_mysql_option "$server_sections" socket "@MYSQL_UNIX_ADDR@" +socketfile="$result" + +get_mysql_option "$server_sections" pid-file "$datadir/`uname -n`.pid" +pidfile="$result" + diff --git a/SPECS/mariadb/mariadb-scripts.patch b/SPECS/mariadb/mariadb-scripts.patch new file mode 100644 index 0000000000..3b6dc1689c --- /dev/null +++ b/SPECS/mariadb/mariadb-scripts.patch 
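Review bot: The usage comment on get_mysql_option gives the argument order as `VARNAME DEFAULT SECTION [ SECTION, ... ]`, but the body reads `$1` as the section list, `$2` as the option name and `$3` as the default, and rejects any call that does not have exactly three arguments. The comment should read `# Usage: get_mysql_option SECTIONS OPTION DEFAULT`, with SECTIONS described as one space-separated string. The argument-count branch also prints its message to stdout and returns success with `$result` left at whatever the previous call set, so a malformed call hands the caller a stale path. Using `echo "..." >&2; result=; return 1` there would make the failure visible to the scripts that source this file.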
@@ -0,0 +1,41 @@
+We have some downstream patches and other scripts that include variables to
+be expanded by cmake. Cmake needs to know about them, so adding them manually.
+
+ # Install libgcc as mylibgcc.a
+--- mariadb-10.5.5/scripts/CMakeLists.txt.old 2020-09-24 10:13:35.272589689 +0200
++++ mariadb-10.5.5/scripts/CMakeLists.txt 2020-09-24 10:17:31.428985798 +0200
+@@ -377,6 +377,34 @@
+ INSTALL_LINK(${file} ${binname} ${INSTALL_BINDIR} ${${file}_COMPONENT})
+ ENDIF()
+ ENDFOREACH()
++
++ # files for systemd
++ SET(SYSTEMD_SCRIPTS
++ mariadb.tmpfiles.d
++ mysql.service
++ mysql@.service
++ mariadb-prepare-db-dir
++ mariadb-check-socket
++ mariadb-check-upgrade
++ mariadb-scripts-common
++ mysql_config_multilib
++ clustercheck
++ galera_new_cluster
++ my.cnf
++ )
++ FOREACH(file ${SYSTEMD_SCRIPTS})
++ IF(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${file}.sh)
++ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/${file}.sh
++ ${CMAKE_CURRENT_BINARY_DIR}/${file} ESCAPE_QUOTES @ONLY)
++ ELSEIF(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/${file}.in)
++ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DIR}/${file}.in
++ ${CMAKE_CURRENT_BINARY_DIR}/${file} ESCAPE_QUOTES @ONLY)
++ ELSE()
++ MESSAGE(FATAL_ERROR "Can not find ${file}.sh or ${file}.in in "
++ "${CMAKE_CURRENT_SOURCE_DIR}" )
++ ENDIF()
++ ENDFOREACH()
++
+ ENDIF()
+
+ # Install libgcc as mylibgcc.a
diff --git a/SPECS/mariadb/mariadb-server-galera.te b/SPECS/mariadb/mariadb-server-galera.te
new file mode 100644
index 0000000000..bdce127cfa
--- /dev/null
+++ b/SPECS/mariadb/mariadb-server-galera.te
@@ -0,0 +1,23 @@
+
+module mariadb-server-galera 1.0;
+
+require {
+ type mysqld_t;
+ type rsync_exec_t;
+ type anon_inodefs_t;
+ type proc_net_t;
+ type kerberos_port_t;
+ class file { read execute execute_no_trans getattr open };
+ class tcp_socket { name_bind name_connect };
+ class process { setpgid siginh rlimitinh noatsecure };
+}
+
+# allow mysqld to run rsyncd
+allow mysqld_t self:process setpgid;
+allow mysqld_t rsync_exec_t:file { read execute execute_no_trans getattr open };
+allow mysqld_t anon_inodefs_t:file getattr;
+allow mysqld_t proc_net_t:file { read open };
+
+# allow rsyncd to listen on port 4444
+allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
+
diff --git a/SPECS/mariadb/mariadb-ssl-cypher.patch b/SPECS/mariadb/mariadb-ssl-cypher.patch
new file mode 100644
index 0000000000..a1a9dcfded
--- /dev/null
+++ b/SPECS/mariadb/mariadb-ssl-cypher.patch
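Review bot: The last rule grants `name_bind` and `name_connect` on `kerberos_port_t`, while the comment above it speaks only of rsyncd listening on port 4444. An allow rule applies to every port carrying that type, so if the base policy labels other ports `kerberos_port_t` as well (presumably 4444 is why this type was chosen; `semanage port -l` will confirm), mysqld_t gains bind and connect on those too. The comment should say so, e.g. `# port 4444 is labelled kerberos_port_t; this rule covers every port with that label`. Separately, `execute_no_trans` on `rsync_exec_t` means rsync runs inside the mysqld_t domain rather than in its own, and the `require` block declares `siginh rlimitinh noatsecure`, which no rule in the module uses.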
@@ -0,0 +1,21 @@
+diff -up mariadb-10.1.19/mysql-test/r/ssl_8k_key.result.sslbak mariadb-10.1.19/mysql-test/r/ssl_8k_key.result
+--- mariadb-10.1.19/mysql-test/r/ssl_8k_key.result.sslbak 2016-11-24 08:55:21.637000000 -0500
++++ mariadb-10.1.19/mysql-test/r/ssl_8k_key.result 2016-11-24 08:55:55.853000000 -0500
+@@ -1,2 +1,2 @@
+-Variable_name Value
+-Ssl_cipher DHE-RSA-AES256-SHA
++have_ssl
++1
+diff -up mariadb-10.1.19/mysql-test/t/ssl_8k_key.test.sslbak mariadb-10.1.19/mysql-test/t/ssl_8k_key.test
+--- mariadb-10.1.19/mysql-test/t/ssl_8k_key.test.sslbak 2016-11-24 08:54:10.485000000 -0500
++++ mariadb-10.1.19/mysql-test/t/ssl_8k_key.test 2016-11-24 08:54:35.724000000 -0500
+@@ -5,7 +5,7 @@
+ #
+ # Bug#29784 YaSSL assertion failure when reading 8k key.
+ #
+---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
++--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'" 2>&1
+
+ ## This test file is for testing encrypted communication only, not other
+ ## encryption routines that the SSL library happens to provide!
+
diff --git a/SPECS/mariadb/mariadb.rpmlintrc b/SPECS/mariadb/mariadb.rpmlintrc
new file mode 100644
index 0000000000..ff69b0e486
--- /dev/null
+++ b/SPECS/mariadb/mariadb.rpmlintrc
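Review bot: This patch file carries no description, so the reason the test stops comparing against `DHE-RSA-AES256-SHA` has to be guessed. Presumably the negotiated cipher depends on the system crypto library and its policy; a short header such as `Do not expect a fixed cipher; only check that the session negotiated one.` would record that. The rewritten query asserts only `VARIABLE_VALUE <> ''`, so the test still confirms the session is encrypted but will no longer notice a change in which cipher is selected.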
@@ -0,0 +1,79 @@
+# THIS FILE SERVES FOR WHITELISTING RPMLINT ERRORS AND WARNINGS IN TASKOTRON
+# https://fedoraproject.org/wiki/Taskotron/Tasks/dist.rpmlint#Whitelisting_errors
+
+# (same file in python3 package served as a great example)
+
+
+
+# Spelling errors
+addFilter(r'spelling-error .* en_US (cnf|mysqld|benchmarking|pam|passwordless|subpackage|libmariadb|mariadbd) ')
+
+# Debugsource
+addFilter(r'^mariadb.*debugsource\.[^:]+: (E|W): no-documentation')
+# Debuginfo
+addFilter(r'^mariadb.*debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
+# Debug symlinks
+addFilter(r'dangling-relative-symlink /usr/lib/.build-id')
+
+# Testsuite
+# Some expected tests results are zero-length files
+addFilter(r'(zero-length|pem-certificate) /usr/share/mysql-test/*')
+
+# Chroot function
+# False positive; checked by upstream
+addFilter(r'missing-call-to-chdir-with-chroot')
+
+# Missing documentation
+# I don't think that's on the upstream priority list
+addFilter(r'no-documentation')
+addFilter(r'no-manual-page-for-binary')
+
+# Obsoleted not provided
+# Obsoleting upstream packages, not providing them is expected to not mix them up
+addFilter(r'obsolete-not-provided MySQL')
+# Provided by mariadb-connector-c
+addFilter(r'obsolete-not-provided mariadb-libs')
+# Upstream dropped support
+addFilter(r'obsolete-not-provided mariadb-bench')
+addFilter(r'obsolete-not-provided mariadb-tokudb-engine')
+
+# Config file without noreplace flag
+# Don't replace logs that may contain old entries
+addFilter(r'conffile-without-noreplace-flag /var/log/mariadb/mariadb.log')
+
+# Log rotation
+# MariaDB log rotation script is commented out, because it is still not ready for big industry usage.
+# Let the user decide, if they want to enable it (uncomment it)
+addFilter(r'incoherent-logrotate-file /etc/logrotate.d/mariadb')
+
+# Permissions
+# wsrep_sst_common
+# It contains a parser of arguments for other sst scripts.
+# It is meant to be sourced, not to be executed alone.
+# So it correctly does not have shebang nor executable bit.
+addFilter(r'non-executable-in-bin /usr/bin/wsrep_sst_common 644')
+addFilter(r'script-without-shebang /usr/bin/wsrep_sst_common')
+addFilter(r'non-executable-script /usr/bin/wsrep_sst_common 644 None')
+# mariadb-scripts-common has a similar issue
+addFilter(r'non-executable-script /usr/libexec/mariadb-scripts-common 644 /bin/sh')
+# Seems pretty standard to me ...
+addFilter(r'non-standard-dir-perm /var/log/mariadb 750')
+# 640 is IMO also prety OK
+addFilter(r'non-readable /etc/sysconfig/clustercheck 640')
+
+# Unversioned bundles
+# RocksDB has so rapid developement, it it not compatible through versions.
+# That means we need to stick to the exact verison upstream use.
+addFilter(r'unversioned-explicit-provides bundled\(rocksdb\)')
+
+# Testsuite errors
+addFilter(r'non-executable-script /usr/share/mysql-test')
+addFilter(r'arch-dependent-file-in-usr-share /usr/share/mysql-test')
+
+# Comments at the end of RPM %endif tags
+addFilter(r'extra tokens at the end of %endif directive')
+
+# PAM plugin specialities - all expected
+addFilter(r'non-conffile-in-etc /etc/security/user_map.conf')
+addFilter(r'setuid-binary /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool')
+addFilter(r'non-standard-executable-perm /usr/lib64/mariadb/plugin/auth_pam_tool_dir/auth_pam_tool')
diff --git a/SPECS/mariadb/mariadb.signatures.json b/SPECS/mariadb/mariadb.signatures.json
index b4fa24c0e2..2481d68eed 100644
--- a/SPECS/mariadb/mariadb.signatures.json
+++ b/SPECS/mariadb/mariadb.signatures.json
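Review bot: The `setuid-binary` and `non-standard-executable-perm` filters for `auth_pam_tool` are justified only by the words "all expected", which is thin for a check whose purpose is to surface privileged binaries. The comment should record why the helper needs setuid and what limits who may run it, e.g. `# auth_pam_tool is the setuid helper of the PAM auth plugin; its directory must stay restricted to the server account (see %files)`. The spec's %files section is not visible in this hunk, so that restriction should be confirmed there. Separately, `addFilter(r'no-documentation')` is unanchored and makes the narrower debugsource filter above it redundant, and the trailing `/*` in the mysql-test filter is a regex quantifier on the slash, not a glob.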
@@ -1,5 +1,24 @@ { - "Signatures": { - "mariadb-10.11.11.tar.gz": "14cc0d9d9a7a330231d9ed91ac28f29b502d2f1e7021d81c940280db52bac812" - } + "Signatures": { + "LICENSE.clustercheck": "f0349fec3ea7c49b1e7cd04df004dc49c6271f4e13dfec2a6e501d7546a79590", + "README.mariadb-docs": "c3c6584dbdc35445014ac48023da59cafc5abc6996859cebb4e357c2f380990f", + "README.wsrep_sst_rsync_tunnel": "f121b2f6e804a8aaf01e0c835e62b64a0d0bf6cd922cc1a21897f196f8b0714f", + "clustercheck.sh": "4be47a46f99b714bc3681fdf11b09d242dae5e3eb81274b3040a73f9d7800d50", + "mariadb-10.11.11.tar.gz": "14cc0d9d9a7a330231d9ed91ac28f29b502d2f1e7021d81c940280db52bac812", + "mariadb-check-socket.sh": "6d04410549275140f07b89a1dcef99f31cd47751ef9142d14e7898e7cbcff023", + "mariadb-check-upgrade.sh": "e49c23e79155d416f7bad292d073213c0beafed99c172a06d909ec3e24ee6e75", + "mariadb-prepare-db-dir.sh": "ff8d2e719f6db158eda0acb58a9d84b43c959baf0d2a8f4d9ce7a62f13af36d0", + "mariadb-scripts-common.sh": "6eec82621056a28a9cc3f8693ca65077ccc7e8c241569fcabe3c970b5e5ded1b", + "mariadb-server-galera.te": "e8e5aa82c4602b3b87ee1d2cf688ab1d1381c69b1c636de7b0e8eabd09dd1936", + "mariadb.tmpfiles.d.in": "be0e2e13e4a61aa009f49f9a8d3d8f903f859fcc4a6dbb74e84961126c8e3dc2", + "my.cnf.in": "cd6f7fe1f084d82d27b35bd2f0442fb4e2f9f51ff9a95707b94f5f1fe37c4a80", + "mysql.service.in": "e23fe7186f0ef85e062c94c5e105220df9e9f6a949aec86ce3e733a6c5146abd", + "mysql@.service.in": "269e4209e87f5c13a18185b118b9bab0c1c9b556adf4d9edc9218347af2cd00a", + "mysql_config_multilib.sh": "56737ac556128fe5bd4df9209e41a7e0808333872c812b11457c4c0c17ab9529", + "rh-skipped-tests-arm.list": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "rh-skipped-tests-base.list": "a3dbb078c009c5f0b671fbff65b087d61b2d4a3473c3e99e1a8efaf2a580ff1c", + "rh-skipped-tests-ppc.list": "8d844255335c4dbeeaf363f95b8b690d024c84ad65620d36ec78650a9d54460e", + "rh-skipped-tests-s390.list": "5e826f9f3cc920c0fe67434fd32b25a205d6a8530552e998edb376c4661b59f3", + 
"wsrep_sst_rsync_tunnel": "5194ed1971d0afe8d2836c1d143263f6891311c9ac0fae536b866f2a885d056e" + } } diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index 5fb98b71e1..2c115a681f 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec 
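Review bot: The value pinned for `rh-skipped-tests-arm.list`, `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`, is the SHA-256 of zero bytes of input, so the manifest records that source as an empty file. That may be intended (no tests skipped on that architecture), but an empty file is also what a failed fetch or truncated copy leaves behind, and once pinned here the hash check will keep passing. Confirm the file is meant to be empty, and if it is, say so next to its `Source` entry in the spec so the hash is not mistaken for a placeholder.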
@@ -1,568 +1,3131 @@ -Summary: Database servers made by the original developers of MySQL. -Name: mariadb -Version: 10.11.11 -Release: 1%{?dist} -License: GPLv2 WITH exceptions AND LGPLv2 AND BSD -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Applications/Databases +# Plain package name for cases, where %%{name} differs (e.g. for versioned packages) +%global majorname mariadb +%define package_version 10.11.11 +%define majorversion %(echo %{package_version} | cut -d'.' -f1-2 ) -# A buildable mariadb environment needs functioning submodules that do not work from the archive download -# To generate run CBL-Mariner/SPECS/mariadb/generate_source_tarball.sh script -URL: https://mariadb.org/ -Source0: https://github.com/MariaDB/server/archive/mariadb-%{version}.tar.gz -BuildRequires: cmake -BuildRequires: curl-devel -BuildRequires: e2fsprogs-devel -BuildRequires: fmt-devel -BuildRequires: krb5-devel -BuildRequires: libxml2-devel -BuildRequires: openssl-devel -BuildRequires: pam-devel -BuildRequires: pcre2-devel -BuildRequires: pkgconf -BuildRequires: systemd-bootstrap-devel -BuildRequires: zlib-devel -Requires: %{name}-connector-c -Conflicts: mysql -%if 0%{?with_check} -BuildRequires: perl(Test::More) -%endif - -%description -MariaDB Server is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. - -MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases. 
-%package server -Summary: MariaDB server -Requires: %{name}-errmsg = %{version}-%{release} -Requires: mariadb-connector-c-config -Requires(postun): shadow-utils -Requires(pre): shadow-utils +%define _vpath_builddir . -%description server -The MariaDB server and related files - -%package server-galera -Summary: MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB -Group: Applications/Databases -Requires: %{name}-server = %{version}-%{release} +# Set if this package will be the default one in distribution +%{!?mariadb_default:%global mariadb_default 1} + +# Regression tests may take a long time (many cores recommended), skip them by +%{!?runselftest:%global runselftest 0} + +# Set this to 1 to see which tests fail, but 0 on production ready build +%global ignore_testsuite_result 0 + +# The last version on which the full testsuite has been run +# In case of further rebuilds of that version, don't require full testsuite to be run +# run only "main" suite +%global last_tested_version 10.11.11 +# Set to 1 to force run the testsuite even if it was already tested in current version +%global force_run_testsuite 0 + +# Filtering: https://docs.fedoraproject.org/en-US/packaging-guidelines/AutoProvidesAndRequiresFiltering/ +%global __requires_exclude ^perl\\((hostnames|lib::mtr|lib::v1|mtr_|My::|wsrep) +%global __provides_exclude_from ^(%{_datadir}/(mysql|mysql-test)/.*|%{_libdir}/%{majorname}/plugin/.*\\.so)$ + +# Temporary workaround to fix the "internal compiler error" described in https://bugzilla.redhat.com/show_bug.cgi?id=2239498 +# TODO: Remove when the issue is resolved +%ifarch i686 +%global _lto_cflags %{nil} +%endif + + + +# For some use cases we do not need some parts of the package. 
Set to "...with" to exclude +%bcond_with clibrary +%bcond_with config +%bcond_with embedded +%bcond_without devel +%bcond_without client +%bcond_without common +%bcond_without errmsg +%bcond_without galera +%bcond_without backup +%if !0%{?flatpak} +%bcond_without test +%endif + +# Page compression algorithms for various storage engines +%bcond_without lz4 +%bcond_without bzip2 +%bcond_without lzo +%bcond_without snappy +%bcond_without zstd +%bcond_with lzma + +# Aditional SELinux rules from a standalone package 'mysql-selinux' (that holds rules shared between MariaDB and MySQL) +%bcond_with require_mysql_selinux + +# For deep debugging we need to build binaries with extra debug info +%bcond_with debug + +# Authentication plugins +%bcond_without gssapi +%bcond_with pam +%bcond_with hashicorp + +# The Open Query GRAPH engine (OQGRAPH) is a computation engine allowing +# hierarchies and more complex graph structures to be handled in a relational fashion +%bcond_with oqgraph -%description server-galera -MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB. It is available on Linux only, and only supports the XtraDB/InnoDB storage engines (although there is experimental support for MyISAM - see the wsrep_replicate_myisam system variable). 
+# Other plugins +# S3 storage engine +# https://mariadb.com/kb/en/s3-storage-engine/ +%bcond_with cracklib +%bcond_with connect +%bcond_with sphinx +%bcond_with s3 + +# Mroonga engine +# https://mariadb.com/kb/en/mariadb/about-mroonga/ +# Current version in MariaDB, 7.07, only supports the x86_64 +# Mroonga upstream warns about using 32-bit package: http://mroonga.org/docs/install.html +# RocksDB engine +# https://mariadb.com/kb/en/library/about-myrocks-for-mariadb/ +# RocksDB engine is available only for x86_64 +# RocksDB may be built with jemalloc, if specified in CMake +%ifarch x86_64 +%bcond_with mroonga +%bcond_with rocksdb +%endif + + + +# MariaDB 10.0 and later requires pcre >= 10.34, otherwise we need to use +# the bundled library, since the package cannot be build with older version +# https://mariadb.com/kb/en/pcre/ +%bcond_without unbundled_pcre + +# To avoid issues with a breaking change in FMT library, bundle it on systems where FMT wasn't fixed yet +# See mariadb-libfmt.patch for detailed description. 
+%bcond bundled_fmt 0 +%if %{with bundled_fmt} +%global fmt_bundled_version 11.0.2 +%endif + +# Include systemd files +%global daemon_name %{majorname} +%global daemon_no_prefix %{majorname} + +# We define some system's well known locations here so we can use them easily +# later when building to another location (like SCL) +%global logrotateddir %{_sysconfdir}/logrotate.d +%global logfiledir %{_localstatedir}/log/%{daemon_name} +%global logfile %{logfiledir}/%{daemon_name}.log +# Directory for storing pid file +%global pidfiledir %{_rundir}/%{daemon_name} +# Defining where database data live +%global dbdatadir %{_localstatedir}/lib/mysql + + + +# Set explicit conflicts with 'mysql' packages +%bcond_without conflicts_mysql +# Set explicit conflicts with 'community-mysql' names, provided by 'mysql' packages +# 'community-mysql' names are deprecated and to be removed in future Fedora +%bcond_without conflicts_community_mysql + +# Make long macros shorter +%global sameevr %{epoch}:%{version}-%{release} + +Name: %{majorname} +Version: %{package_version} +Release: 1%{?dist} +Epoch: 3 + +Summary: A very fast and robust SQL database server +URL: http://mariadb.org +License: ( GPL-2.0-only OR Apache-2.0 ) AND ( GPL-2.0-or-later OR Apache-2.0 ) AND BSD-2-Clause AND BSD-3-Clause AND CC-BY-4.0 AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-3.0-or-later AND ( GPL-3.0-or-later WITH Bison-exception-2.2 ) AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND OpenSSL AND MIT AND OFL-1.1 AND CC0-1.0 AND PHP-3.0 AND PHP-3.01 AND zlib AND dtoa AND FSFAP AND blessing AND Info-ZIP AND Boehm-GC +Vendor: Microsoft Corporation +Distribution: Azure Linux -%package devel -Summary: Development headers for mariadb -Requires: %{name} = %{version}-%{release} -Requires: mariadb-connector-c-devel +Source0: https://downloads.mariadb.org/interstitial/mariadb-%{version}/source/mariadb-%{version}.tar.gz +%if %{with bundled_fmt} +Source1: 
https://github.com/fmtlib/fmt/releases/download/%{fmt_bundled_version}/fmt-%{fmt_bundled_version}.zip +%endif +Source2: mysql_config_multilib.sh +Source3: my.cnf.in +Source6: README.mariadb-docs +Source8: README.wsrep_sst_rsync_tunnel +Source10: mariadb.tmpfiles.d.in +Source11: mysql.service.in +Source12: mariadb-prepare-db-dir.sh +Source14: mariadb-check-socket.sh +Source15: mariadb-scripts-common.sh +Source16: mariadb-check-upgrade.sh +Source18: mysql@.service.in +Source50: rh-skipped-tests-base.list +Source51: rh-skipped-tests-arm.list +Source52: rh-skipped-tests-s390.list +Source53: rh-skipped-tests-ppc.list +# Red Hat OpenStack scripts: +# Clustercheck: +# Maintainer: +# Damien Ciabrini +# Source / Upstream: +# Damien; based on https://github.com/olafz/percona-clustercheck +# not updated in 5 years; low-effort maintenance +# Purpose: +# In Openstack, galera is accessed like an A/P database, we have a +# load balancer (haproxy) that drives traffic to a single node and +# performs failover when the galera node monitor fails. +# clustercheck.sh is the monitoring script that is being called remotely +# by haproxy. It is a glue between haproxy and the local galera node that +# can run SQL commands to check whether the local galera is connected to the galera cluster. +# Proposed to MariaDB upstream: https://jira.mariadb.org/browse/MDEV-12442 +# General upstream response was slightly positive +Source70: clustercheck.sh +Source71: LICENSE.clustercheck + +# Upstream said: "Generally MariaDB has more allows to allow for xtradb sst mechanism". +# https://jira.mariadb.org/browse/MDEV-12646 +Source72: mariadb-server-galera.te + +# Script to support encrypted rsync transfers when SST is required between nodes. +# https://github.com/dciabrin/wsrep_sst_rsync_tunnel/blob/master/wsrep_sst_rsync_tunnel +Source73: wsrep_sst_rsync_tunnel + +# Patch4: Red Hat distributions specific logrotate fix +# it would be big unexpected change, if we start shipping it now. 
Better wait for MariaDB 10.2 +Patch4: %{majorname}-logrotate.patch +# Patch7: add to the CMake file all files where we want macros to be expanded +Patch7: %{majorname}-scripts.patch +# Patch9: pre-configure to comply with guidelines +Patch9: %{majorname}-ownsetup.patch +# Patch12: fixes of RocksDB for GCC 13 +Patch12: rocksdb-6.8-gcc13.patch +# Patch13: bundle the FMT library +Patch13: %{majorname}-libfmt.patch +# Patch14: make MTR port calculation reasonably predictable +Patch14: %{majorname}-mtr.patch +Patch15: CVE-2023-52971.patch -%description devel -Development headers for developing applications linking to maridb +%global pkgname %{majorname} + +BuildRequires: make cmake gcc-c++ +BuildRequires: libxcrypt-devel +#BuildRequires: multilib-rpm-config +BuildRequires: selinux-policy-devel +BuildRequires: systemd systemd-devel + +# Page compression algorithms for various storage engines +BuildRequires: zlib-devel +%{?with_lz4:BuildRequires: lz4-devel >= 1.6} +%{?with_bzip2:BuildRequires: bzip2-devel} +%{?with_lzma:BuildRequires: xz-devel} +%{?with_lzo:BuildRequires: lzo-devel} +%{?with_snappy:BuildRequires: snappy-devel} +%{?with_zstd:BuildRequires: libzstd-devel} + +# asynchornous operations stuff; needed also for wsrep API +BuildRequires: libaio-devel +# commands history features +BuildRequires: libedit-devel +# CLI graphic; needed also for wsrep API +BuildRequires: ncurses-devel +# debugging stuff +BuildRequires: systemtap-sdt-devel +%if 0%{?fedora} >= 41 || 0%{?rhel} >= 11 +BuildRequires: systemtap-sdt-dtrace +%endif +# Bison SQL parser; needed also for wsrep API +BuildRequires: bison >= 2.4 +#BuildRequires: bison-devel >= 2.4 + +# use either new enough version of pcre2 or provide bundles(pcre2) +%{?with_unbundled_pcre:BuildRequires: pcre2-devel >= 10.34 pkgconf} +%{!?with_unbundled_pcre:Provides: bundled(pcre2) = %{pcre_bundled_version}} +# Few utilities needs Perl +BuildRequires: perl-interpreter +BuildRequires: perl-generators +# Some tests requires python 
+BuildRequires: python3 +# Tests requires time and ps and some perl modules +BuildRequires: procps +BuildRequires: time +BuildRequires: perl(base) +BuildRequires: perl(Cwd) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(English) +BuildRequires: perl(Env) +BuildRequires: perl(Errno) +BuildRequires: perl(Exporter) +BuildRequires: perl(Fcntl) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Find) +BuildRequires: perl(File::Spec) +BuildRequires: perl(File::Spec::Functions) +BuildRequires: perl(File::Temp) +BuildRequires: perl(Getopt::Long) +BuildRequires: perl(IO::File) +BuildRequires: perl(IO::Handle) +BuildRequires: perl(IO::Select) +BuildRequires: perl(IO::Socket) +BuildRequires: perl(IO::Socket::INET) +BuildRequires: perl(IPC::Open3) +BuildRequires: perl(lib) +BuildRequires: perl(Memoize) +BuildRequires: perl(POSIX) +BuildRequires: perl(Socket) +BuildRequires: perl(strict) +BuildRequires: perl(Symbol) +BuildRequires: perl(Sys::Hostname) +BuildRequires: perl(Term::ANSIColor) +BuildRequires: perl(Test::More) +BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::localtime) +BuildRequires: perl(warnings) +# for running some openssl tests rhbz#1189180 +BuildRequires: openssl openssl-devel + +%{!?with_bundled_fmt:BuildRequires: fmt-devel >= 10.2.1-4} + +Requires: bash coreutils grep +BuildRequires: perl(Test::Harness) +BuildRequires: perl(TAP::Harness) + +Requires: %{pkgname}-common = %{sameevr} + +%if %{with clibrary} +# Explicit EVR requirement for -libs is needed for RHBZ#1406320 +Requires: %{pkgname}-libs%{?_isa} = %{sameevr} +%else +# If not built with client library in this package, use connector-c +Requires: mariadb-connector-c >= 3.0 +%endif + +# Recommend additional client utils that require Perl +Recommends: %{pkgname}-client-utils + +Suggests: %{pkgname}-server%{?_isa} = %{sameevr} + +%{?with_conflicts_mysql:Conflicts: mysql} +%{?with_conflicts_community_mysql:Conflicts: community-mysql} +# 
Explicitly disallow combination mariadb + mysql-server +%{?with_conflicts_mysql:Conflicts: mysql-server} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-server} + +%define conflict_with_other_streams() %{expand:\ +Provides: %{majorname}%{?1:-%{1}}-any\ +Conflicts: %{majorname}%{?1:-%{1}}-any\ +} + +# Provide also mariadbXX.XX if default +%if %?mariadb_default +%define mariadbXX_if_default() %{expand:\ +Provides: mariadb%{majorversion}%{?1:-%{1}} = %{sameevr}\ +Provides: mariadb%{majorversion}%{?1:-%{1}}%{?_isa} = %{sameevr}\ +} +%else +%define mariadbXX_if_default() %{nil} +%endif + +%define virtual_conflicts_and_provides() %{expand:\ +%conflict_with_other_streams %{**}\ +%mariadbXX_if_default %{**}\ +} + +%virtual_conflicts_and_provides + +%description -n %{pkgname} +MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded +SQL database server. It is a client/server implementation consisting of +a server daemon (mariadbd) and many different client programs and libraries. +The base package contains the standard MariaDB/MySQL client programs and +utilities. + + +%package -n %{pkgname}-client-utils +Summary: Non-essential client utilities for MariaDB/MySQL applications +Requires: %{pkgname}%{?_isa} = %{sameevr} +Requires: perl(DBI) + +%virtual_conflicts_and_provides client-utils + +%description -n %{pkgname}-client-utils +This package contains all non-essential client utilities and scripts for +managing databases. It also contains all utilities requiring Perl and it is the +only MariaDB sub-package with the corresponding server-utils one, except test +subpackage, that depends on Perl. 
+ + +%if %{with clibrary} +%package -n %{pkgname}-libs +Summary: The shared libraries required for MariaDB/MySQL clients +Requires: %{pkgname}-common = %{sameevr} + +%virtual_conflicts_and_provides libs + +%{?with_conflicts_mysql:Conflicts: mysql-libs} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-libs} + +%description -n %{pkgname}-libs +The mariadb-libs package provides the essential shared libraries for any +MariaDB/MySQL client program or interface. You will need to install this +package to use any other MariaDB package or any clients that need to connect +to a MariaDB/MySQL server. +%endif + + +# At least main config file /etc/my.cnf is shared for client and server part +# Since we want to support combination of different client and server +# implementations (e.g. mariadb library and community-mysql server), +# we need the config file(s) to be in a separate package, so no extra packages +# are pulled, because these would likely conflict. +# More specifically, the dependency on the main configuration file (/etc/my.cnf) +# is supposed to be defined as Requires: /etc/my.cnf rather than requiring +# a specific package, so installer app can choose whatever package fits to +# the transaction. +%if %{with config} +%package -n %{pkgname}-config +Summary: The config files required by server and client + +%virtual_conflicts_and_provides config + +%description -n %{pkgname}-config +The package provides the config file my.cnf and my.cnf.d directory used by any +MariaDB or MySQL program. You will need to install this package to use any +other MariaDB or MySQL package if the config files are not provided in the +package itself. 
+%endif + + +%if %{with common} +%package -n %{pkgname}-common +Summary: The shared files required by server and client +BuildArch: noarch +%if 0%{?flatpak} +Requires: mariadb-connector-c-config +%else +Requires: %{_sysconfdir}/my.cnf +%endif + +# Only conflicts, provides would add %%{_isa} provides for noarch, +# which is not wanted +%conflict_with_other_streams common + +%if %{without clibrary} +Obsoletes: %{pkgname}-libs <= %{sameevr} +%endif + +%description -n %{pkgname}-common +The package provides the essential shared files for any MariaDB program. +You will need to install this package to use any other MariaDB package. +%endif + + +%if %{with errmsg} +%package -n %{pkgname}-errmsg +Summary: The error messages files required by server and embedded +BuildArch: noarch +Requires: %{pkgname}-common = %{sameevr} + +# Only conflicts, provides would add %%{_isa} provides for noarch, +# which is not wanted +%conflict_with_other_streams errmsg + +%description -n %{pkgname}-errmsg +The package provides error messages files for the MariaDB daemon and the +embedded server. You will need to install this package to use any of those +MariaDB packages. +%endif + + +%if %{with galera} +%package -n %{pkgname}-server-galera +Summary: The configuration files and scripts for galera replication +Requires: %{pkgname}-common = %{sameevr} +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +#Requires: galera >= 26.4.3 +BuildRequires: selinux-policy-devel +Requires(post): (libselinux-utils if selinux-policy-targeted) +Requires(post): (policycoreutils if selinux-policy-targeted) +Requires(post): (policycoreutils-python-utils if selinux-policy-targeted) +# wsrep requirements +Requires: lsof +# Default wsrep_sst_method +Requires: rsync + +%virtual_conflicts_and_provides server-galera + +%description -n %{pkgname}-server-galera +MariaDB is a multi-user, multi-threaded SQL database server. 
It is a +client/server implementation consisting of a server daemon (mariadbd) +and many different client programs and libraries. This package contains +added files to allow MariaDB server to operate as a Galera cluster +member. MariaDB is a community developed fork originally from MySQL. +%endif + + +%package -n %{pkgname}-server +Summary: The MariaDB server and related files + +Requires: %{pkgname}%{?_isa} = %{sameevr} +Requires: %{pkgname}-common = %{sameevr} +Requires: %{pkgname}-errmsg = %{sameevr} +Recommends: %{pkgname}-server-utils%{?_isa} = %{sameevr} +Recommends: %{pkgname}-backup%{?_isa} = %{sameevr} +%{?with_cracklib:Recommends: %{pkgname}-cracklib-password-check%{?_isa} = %{sameevr}} +%{?with_gssapi:Recommends: %{pkgname}-gssapi-server%{?_isa} = %{sameevr}} +%{?with_rocksdb:Suggests: %{pkgname}-rocksdb-engine%{?_isa} = %{sameevr}} +%{?with_sphinx:Suggests: %{pkgname}-sphinx-engine%{?_isa} = %{sameevr}} +%{?with_oqgraph:Suggests: %{pkgname}-oqgraph-engine%{?_isa} = %{sameevr}} +%{?with_connect:Suggests: %{pkgname}-connect-engine%{?_isa} = %{sameevr}} +%{?with_pam:Suggests: %{pkgname}-pam%{?_isa} = %{sameevr}} + +%{?with_bundled_fmt:Provides: bundled(fmt) = %{fmt_bundled_version}} + +Suggests: mytop +Suggests: logrotate + +%if 0%{?flatpak} +Requires: mariadb-connector-c-config +%else +Requires: %{_sysconfdir}/my.cnf +Requires: %{_sysconfdir}/my.cnf.d +%endif + +%virtual_conflicts_and_provides server + +# Additional SELinux rules (common for MariaDB & MySQL) shipped in a separate package +# For cases, where we want to fix a SELinux issues in MariaDB sooner than patched selinux-policy-targeted package is released +%if %{with require_mysql_selinux} +# The *-selinux package should only be required on SELinux enabled systems. 
Therefore the following rich dependency syntax should be used: +Requires: (mysql-selinux >= 1.0.10 if selinux-policy-targeted) +# This ensures that the *-selinux package and all its dependencies are not pulled into containers and other systems that do not use SELinux. +# https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Adding_dependency_to_the_spec_file_of_corresponding_package +%endif + +Requires: coreutils +Requires(pre): /usr/sbin/useradd +# We require this to be present for %%{_tmpfilesdir} +Requires: systemd +# Make sure it's there when scriptlets run, too +%{?systemd_requires} +# RHBZ#1496131; use 'iproute' instead of 'net-tools' +Requires: iproute + +%{?with_conflicts_mysql:Conflicts: mysql-server} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-server} +# Explicitly disallow combination mariadb-server + mysql +%{?with_conflicts_mysql:Conflicts: mysql} +%{?with_conflicts_community_mysql:Conflicts: community-mysql} + +%description -n %{pkgname}-server +MariaDB is a multi-user, multi-threaded SQL database server. It is a +client/server implementation consisting of a server daemon (mariadbd) +and many different client programs and libraries. This package contains +the MariaDB server and some accompanying files and directories. +MariaDB is a community developed fork from MySQL. + + +%if %{with oqgraph} +%package -n %{pkgname}-oqgraph-engine +Summary: The Open Query GRAPH engine for MariaDB +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +# boost and Judy required for oograph +BuildRequires: boost-devel >= 1.40.0 +BuildRequires: Judy-devel + +%virtual_conflicts_and_provides oqgraph-engine + +%description -n %{pkgname}-oqgraph-engine +The package provides Open Query GRAPH engine (OQGRAPH) as plugin for MariaDB +database server. OQGRAPH is a computation engine allowing hierarchies and more +complex graph structures to be handled in a relational fashion. 
In a nutshell, +tree structures and friend-of-a-friend style searches can now be done using +standard SQL syntax, and results joined onto other tables. +%endif + + +%if %{with connect} +%package -n %{pkgname}-connect-engine +Summary: The CONNECT storage engine for MariaDB +Requires: %{pkgname}-server%{?_isa} = %{sameevr} + +# As per https://jira.mariadb.org/browse/MDEV-21450 +BuildRequires: libxml2-devel + +%virtual_conflicts_and_provides connect-engine + +%description -n %{pkgname}-connect-engine +The CONNECT storage engine enables MariaDB to access external local or +remote data (MED). This is done by defining tables based on different data +types, in particular files in various formats, data extracted from other DBMS +or products (such as Excel), or data retrieved from the environment +(for example DIR, WMI, and MAC tables). +%endif + + +%if %{with backup} +%package -n %{pkgname}-backup +Summary: The mariabackup tool for physical online backups +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +BuildRequires: libarchive-devel + +%virtual_conflicts_and_provides backup + +%description -n %{pkgname}-backup +MariaDB Backup is an open source tool provided by MariaDB for performing +physical online backups of InnoDB, Aria and MyISAM tables. +For InnoDB, "hot online" backups are possible. +%endif + + +%if %{with rocksdb} +%package -n %{pkgname}-rocksdb-engine +Summary: The RocksDB storage engine for MariaDB +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +Provides: bundled(rocksdb) + +%virtual_conflicts_and_provides rocksdb-engine + +%description -n %{pkgname}-rocksdb-engine +The RocksDB storage engine is used for high performance servers on SSD drives. 
+%endif + + +%if %{with cracklib} +%package -n %{pkgname}-cracklib-password-check +Summary: The password strength checking plugin +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +BuildRequires: cracklib-dicts cracklib-devel +Requires: cracklib-dicts + +BuildRequires: selinux-policy-devel +Requires(post): (libselinux-utils if selinux-policy-targeted) +Requires(post): (policycoreutils if selinux-policy-targeted) +Requires(post): (policycoreutils-python-utils if selinux-policy-targeted) + +%virtual_conflicts_and_provides cracklib-password-check + +%description -n %{pkgname}-cracklib-password-check +CrackLib is a password strength checking library. It is installed by default +in many Linux distributions and is invoked automatically (by pam_cracklib.so) +whenever the user login password is modified. +Now, with the cracklib_password_check password validation plugin, one can +also use it to check MariaDB account passwords. +%endif + + +%if %{with gssapi} +%package -n %{pkgname}-gssapi-server +Summary: GSSAPI authentication plugin for server +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +BuildRequires: krb5-devel + +%virtual_conflicts_and_provides gssapi-server + +%description -n %{pkgname}-gssapi-server +GSSAPI authentication server-side plugin for MariaDB for passwordless login. +This plugin includes support for Kerberos on Unix. +%endif + + +%if %{with pam} +%package -n %{pkgname}-pam +Summary: PAM authentication plugin for the MariaDB server + +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +# This subpackage NEED the 'mysql' user/group (created during mariadb-server %%pre) to be available prior installation +Requires(pre): %{pkgname}-server%{?_isa} = %{sameevr} + +BuildRequires: pam-devel + +%virtual_conflicts_and_provides pam + +%description -n %{pkgname}-pam +PAM authentication server-side plugin for MariaDB. 
+%endif + + +%if %{with sphinx} +%package -n %{pkgname}-sphinx-engine +Summary: The Sphinx storage engine for MariaDB +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +BuildRequires: sphinx libsphinxclient libsphinxclient-devel +Requires: sphinx libsphinxclient + +%virtual_conflicts_and_provides sphinx-engine + +%description -n %{pkgname}-sphinx-engine +The Sphinx storage engine for MariaDB. +%endif + + +%if %{with s3} +%package -n %{pkgname}-s3-engine +Summary: The S3 storage engine for MariaDB +Requires: %{pkgname}-server%{?_isa} = %{sameevr} + +BuildRequires: curl-devel + +%virtual_conflicts_and_provides s3-engine + +%description -n %{pkgname}-s3-engine +The S3 read only storage engine allows archiving MariaDB tables in Amazon S3, +or any third-party public or private cloud that implements S3 API, +but still have them accessible for reading in MariaDB. +%endif -%package errmsg -Summary: errmsg for mariadb -%description errmsg -errmsg for maridb +%package -n %{pkgname}-server-utils +Summary: Non-essential server utilities for MariaDB/MySQL applications +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +# mysqlhotcopy needs DBI/DBD support +Requires: perl(DBI) +#Requires: perl(DBD::MariaDB) + +%virtual_conflicts_and_provides server-utils + +%{?with_conflicts_mysql:Conflicts: mysql-server} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-server} + +%description -n %{pkgname}-server-utils +This package contains all non-essential server utilities and scripts for +managing databases. It also contains all utilities requiring Perl and it is +the only MariaDB sub-package with the corresponding client-utils one, except +test subpackage, that depends on Perl. 
+ +%if %{with devel} +%package -n %{pkgname}-devel +Summary: Files for development of MariaDB/MySQL applications +%{?with_clibrary:Requires: %{pkgname}-libs%{?_isa} = %{sameevr}} +Requires: openssl-devel +%if %{without clibrary} +Requires: mariadb-connector-c-devel >= 3.0 +%endif + +%virtual_conflicts_and_provides devel + +%{?with_conflicts_mysql:Conflicts: mysql-devel} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-devel} + +%description -n %{pkgname}-devel +MariaDB is a multi-user, multi-threaded SQL database server. +MariaDB is a community developed branch of MySQL. +%if %{with clibrary} +This package contains everything needed for developing MariaDB/MySQL client +and server plugins and applications. +%else +This package contains everything needed for developing MariaDB/MySQL server +plugins and applications. For developing client applications, use +mariadb-connector-c package. +%endif +%endif + + +%if %{with embedded} +%package -n %{pkgname}-embedded +Summary: MariaDB as an embeddable library +Requires: %{pkgname}-common = %{sameevr} +Requires: %{pkgname}-errmsg = %{sameevr} + +%virtual_conflicts_and_provides embedded + +%description -n %{pkgname}-embedded +MariaDB is a multi-user, multi-threaded SQL database server. This +package contains a version of the MariaDB server that can be embedded +into a client application instead of running as a separate process. +MariaDB is a community developed fork from MySQL. 
+ + +%package -n %{pkgname}-embedded-devel +Summary: Development files for MariaDB as an embeddable library +Requires: %{pkgname}-embedded%{?_isa} = %{sameevr} +Requires: %{pkgname}-devel%{?_isa} = %{sameevr} +# embedded-devel should require libaio-devel (rhbz#1290517) +Requires: libaio-devel + +%virtual_conflicts_and_provides embedded-devel + +%{?with_conflicts_mysql:Conflicts: mysql-embedded-devel} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-embedded-devel} + +%description -n %{pkgname}-embedded-devel +MariaDB is a multi-user, multi-threaded SQL database server. +MariaDB is a community developed fork from MySQL. +This package contains files needed for developing and testing with +the embedded version of the MariaDB server. +%endif + + +%if %{with test} +%package -n %{pkgname}-test +Summary: The test suite distributed with MariaDB +Requires: %{pkgname}%{?_isa} = %{sameevr} +Requires: %{pkgname}-common = %{sameevr} +Requires: %{pkgname}-server%{?_isa} = %{sameevr} +Requires: patch +Requires: perl(Env) +Requires: perl(Exporter) +Requires: perl(Fcntl) +Requires: perl(File::Temp) +Requires: perl(Data::Dumper) +Requires: perl(Getopt::Long) +Requires: perl(IPC::Open3) +Requires: perl(Socket) +Requires: perl(Sys::Hostname) +Requires: perl(Test::More) +Requires: perl(Time::HiRes) + +%virtual_conflicts_and_provides test + +%{?with_conflicts_mysql:Conflicts: mysql-test} +%{?with_conflicts_community_mysql:Conflicts: community-mysql-test} + +%description -n %{pkgname}-test +MariaDB is a multi-user, multi-threaded SQL database server. +MariaDB is a community developed fork from MySQL. +This package contains the regression test suite distributed with the MariaDB +sources. 
+%endif + + %prep -%autosetup -p1 -# Remove PerconaFT from here because of AGPL licence -rm -rf storage/tokudb/PerconaFT -# Disable "embedded" directory which only contains "test-connect" test -sed -i '/ADD_SUBDIRECTORY(unittest\/embedded)/d' ./CMakeLists.txt - -%build -# Disable symbol generation -export CFLAGS="`echo " %{build_cflags} " | sed 's/ -g//'`" -export CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/ -g//'`" - -mkdir build && cd build - -cmake -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_INSTALL_PREFIX=%{_prefix} \ - -DINSTALL_DOCDIR=share/doc/mariadb-%{version} \ - -DINSTALL_DOCREADMEDIR=share/doc/mariadb-%{version} \ - -DINSTALL_MANDIR=share/man \ - -DINSTALL_MYSQLSHAREDIR="share/mysql" \ - -DINSTALL_SYSCONFDIR="%{_sysconfdir}" \ - -DINSTALL_SYSCONF2DIR="%{_sysconfdir}/my.cnf.d" \ - -DINSTALL_MYSQLTESTDIR=share/mysql/test \ - -DINSTALL_PLUGINDIR=lib/mysql/plugin \ - -DINSTALL_SBINDIR=sbin \ - -DINSTALL_SCRIPTDIR=bin \ - -DINSTALL_SQLBENCHDIR=share/mysql/bench \ - -DINSTALL_SUPPORTFILESDIR=share \ - -DMYSQL_DATADIR="%{_sharedstatedir}/mysql" \ - -DMYSQL_UNIX_ADDR="%{_sharedstatedir}/mysql/mysqld.sock" \ - -DWITH_EXTRA_CHARSETS=complex \ - -DWITH_EMBEDDED_SERVER=ON \ - -DWITH_PCRE=system \ - -DWITH_SSL=system \ - -DWITH_ZLIB=system \ - -DWITH_LIBFMT=system \ - -DSKIP_TESTS=ON \ - -DTOKUDB_OK=0 \ - -DUPDATE_SUBMODULES=OFF \ - .. +%setup -q -n %{majorname}-%{version} + +# Remove bundled code that is unused (all cases in which we use the system version of the library instead) +# as required by https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling +rm -r zlib libmariadb/external/zlib +rm -r win libmariadb/win +rm -r extra/wolfssl +rm -r storage/columnstore +rm -r debian + +%if %{with bundled_fmt} +mkdir -p redhat-linux-build/extra/libfmt/ +mv %{SOURCE1} redhat-linux-build/extra/libfmt/ +%endif + +# Remove JAR files that upstream puts into tarball +find . 
-name "*.jar" -type f -exec rm --verbose -f {} \; +# Remove testsuite for the mariadb-connector-c +rm -rf libmariadb/unittest +%if %{without rocksdb} +rm -r storage/rocksdb/ +%endif -make %{?_smp_mflags} + +%patch -P4 -p1 +%patch -P7 -p1 +%patch -P9 -p1 +%if %{with rocksdb} +%patch -P12 -p1 -d storage/rocksdb/rocksdb/ +%endif +%if %{with bundled_fmt} +%patch -P13 -p1 +%endif + +%patch -P14 -p1 +%patch -P15 -p1 +# generate a list of tests that fail, but are not disabled by upstream +cat %{SOURCE50} | tee -a mysql-test/unstable-tests + +# disable some tests failing on different architectures +%ifarch %{arm} aarch64 +cat %{SOURCE51} | tee -a mysql-test/unstable-tests +%endif + +%ifarch s390 s390x +cat %{SOURCE52} | tee -a mysql-test/unstable-tests +%endif + +%ifarch ppc ppc64 ppc64p7 ppc64le +cat %{SOURCE53} | tee -a mysql-test/unstable-tests +%endif + +cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} \ + %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} %{SOURCE73} scripts + +%if %{with galera} +# prepare selinux policy +mkdir selinux +sed 's/mariadb-server-galera/%{majorname}-server-galera/' %{SOURCE72} > selinux/%{majorname}-server-galera.te +%endif + + +# Get version of PCRE, that upstream use +pcre_version=`grep -e "https://github.com/PCRE2Project/pcre2/releases/download" cmake/pcre.cmake | sed -r "s;.*pcre2-([[:digit:]]+\.[[:digit:]]+).*;\1;" ` + +# Check if the PCRE version in macro 'pcre_bundled_version', used in Provides: bundled(...), is the same version as upstream actually bundles +%if %{without unbundled_pcre} +if [ %{pcre_bundled_version} != "$pcre_version" ] ; then + echo -e "\n Error: Bundled PCRE version is not correct. 
\n\tBundled version number: %{pcre_bundled_version} \n\tUpstream version number: $pcre_version\n" + exit 1 +fi +%else +# Check if the PCRE version that upstream use, is the same as the one present in system +pcre_system_version=`pkgconf /usr/%{_lib}/pkgconfig/libpcre2-*.pc --modversion 2>/dev/null | head -n 1` + +if [ "$pcre_system_version" != "$pcre_version" ] ; then + echo -e "\n Warning: Error: Bundled PCRE version is not correct. \n\tSystem version number: $pcre_system_version \n\tUpstream version number: $pcre_version\n" +fi +%endif + + + +%build +# fail quickly and obviously if user tries to build as root +%if %runselftest + if [ x"$(id -u)" = "x0" ]; then + echo "mysql's regression tests fail if run as root." + echo "If you really need to build the RPM as root, use" + echo "--nocheck to skip the regression tests." + exit 1 + fi +%endif + +# The INSTALL_xxx macros have to be specified relative to CMAKE_INSTALL_PREFIX +# so we can't use %%{_datadir} and so forth here. +%cmake \ + -DBUILD_CONFIG=mysql_release \ + -DFEATURE_SET="community" \ + -DINSTALL_LAYOUT=RPM \ + -DDAEMON_NAME="%{daemon_name}" \ + -DDAEMON_NO_PREFIX="%{daemon_no_prefix}" \ + -DLOG_LOCATION="%{logfile}" \ + -DPID_FILE_DIR="%{pidfiledir}" \ + -DNICE_PROJECT_NAME="MariaDB" \ + -DRPM="%{?rhel:rhel%{rhel}}%{!?rhel:fedora%{fedora}}" \ + -DCMAKE_INSTALL_PREFIX="%{_prefix}" \ + -DINSTALL_SYSCONFDIR="%{_sysconfdir}" \ + -DINSTALL_SYSCONF2DIR="%{_sysconfdir}/my.cnf.d" \ + -DINSTALL_DOCDIR="share/doc/%{majorname}" \ + -DINSTALL_DOCREADMEDIR="share/doc/%{majorname}" \ + -DINSTALL_INCLUDEDIR=include/mysql \ + -DINSTALL_INFODIR=share/info \ + -DINSTALL_LIBDIR="%{_lib}" \ + -DINSTALL_MANDIR=share/man \ + -DINSTALL_MYSQLSHAREDIR=share/%{majorname} \ + -DINSTALL_MYSQLTESTDIR=%{?with_test:share/mysql-test}%{!?with_test:} \ + -DINSTALL_PLUGINDIR="%{_lib}/%{majorname}/plugin" \ + -DINSTALL_SBINDIR=libexec \ + -DINSTALL_SCRIPTDIR=bin \ + -DINSTALL_SUPPORTFILESDIR=share/%{majorname} \ + 
-DMYSQL_DATADIR="%{dbdatadir}" \ + -DMYSQL_UNIX_ADDR="/var/lib/mysql/mysql.sock" \ + -DTMPDIR=/var/tmp \ + -DGRN_DATA_DIR=share/%{majorname}-server/groonga \ + -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{majorname}-server/groonga-normalizer-mysql \ + -DENABLED_LOCAL_INFILE=ON \ + -DENABLE_DTRACE=ON \ + -DSECURITY_HARDENED=OFF \ + -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \ + -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \ + -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \ + -DWITH_MARIABACKUP=%{?with_backup:ON}%{!?with_backup:NO} \ + -DWITH_UNIT_TESTS=%{?with_test:ON}%{!?with_test:NO} \ + -DCONC_WITH_SSL=%{?with_clibrary:ON}%{!?with_clibrary:NO} \ + -DWITH_SSL=system \ + -DWITH_ZLIB=system \ + -DWITH_LIBFMT=%{?with_bundled_fmt:bundled}%{!?with_bundled_fmt:system} \ + -DPLUGIN_PROVIDER_LZ4=%{?with_lz4:DYNAMIC}%{!?with_lz4:NO} \ + -DWITH_ROCKSDB_LZ4=%{?with_lz4:ON}%{!?with_lz4:OFF} \ + -DPLUGIN_PROVIDER_BZIP2=%{?with_bzip2:DYNAMIC}%{!?with_bzip2:NO} \ + -DWITH_ROCKSDB_BZip2=%{?with_bzip2:ON}%{!?with_bzip2:OFF} \ + -DPLUGIN_PROVIDER_LZMA=%{?with_lzma:DYNAMIC}%{!?with_lzma:NO} \ + \ + -DPLUGIN_MROONGA=%{?with_mroonga:DYNAMIC}%{!?with_mroonga:NO} \ + -DPLUGIN_OQGRAPH=%{?with_oqgraph:DYNAMIC}%{!?with_oqgraph:NO} \ + -DPLUGIN_CRACKLIB_PASSWORD_CHECK=%{?with_cracklib:DYNAMIC}%{!?with_cracklib:NO} \ + -DPLUGIN_ROCKSDB=%{?with_rocksdb:DYNAMIC}%{!?with_rocksdb:NO} \ + -DPLUGIN_SPHINX=%{?with_sphinx:DYNAMIC}%{!?with_sphinx:NO} \ + -DPLUGIN_CONNECT=%{?with_connect:DYNAMIC}%{!?with_connect:NO} \ + -DPLUGIN_S3=%{?with_s3:DYNAMIC}%{!?with_s3:NO} \ + -DPLUGIN_AUTH_PAM=%{?with_pam:YES}%{!?with_pam:NO} \ + -DPLUGIN_AUTH_PAM_V1=%{?with_pam:DYNAMIC}%{!?with_pam:NO} \ + -DPLUGIN_COLUMNSTORE=NO \ + -DPLUGIN_CLIENT_ED25519=OFF \ + -DPLUGIN_CACHING_SHA2_PASSWORD=%{?with_clibrary:DYNAMIC}%{!?with_clibrary:OFF} \ + -DPLUGIN_AWS_KEY_MANAGEMENT=OFF \ + -DCONNECT_WITH_MONGO=OFF \ + -DCONNECT_WITH_JDBC=OFF \ + 
-DPLUGIN_HASHICORP_KEY_MANAGEMENT=%{?with_hashicorp:DYNAMIC}%{!?with_hashicorp:NO} + +# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening +# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat +# We disable this option to the default compilation flags (which have higher level of hardening) will be used + + +CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE" +# force PIC mode so that we can build libmysqld.so +CFLAGS="$CFLAGS -fPIC" + +%if %{with debug} +# Override all optimization flags when making a debug build +# -D_FORTIFY_SOURCE requires optimizations enabled. Disable the fortify. +%undefine _fortify_level +CFLAGS=`echo "$CFLAGS" | sed -r 's/-O[0123]//'` + +CFLAGS="$CFLAGS -O0 -g" + +# Fixes for Fedora 32 & Rawhide (GCC 10.0): +%if 0%{?fedora} >= 32 +CFLAGS="$CFLAGS -Wno-error=class-memaccess" +CFLAGS="$CFLAGS -Wno-error=enum-conversion" +# endif f32 +%endif +# endif debug +%endif + +CXXFLAGS="$CFLAGS" +CPPFLAGS="$CFLAGS" +export CFLAGS CXXFLAGS CPPFLAGS + + +# Print all Cmake options values; "-LAH" means "List Advanced Help" +#cmake -B %{_vpath_builddir} -LAH + +%cmake_build +# build selinux policy +%if %{with galera} +#pushd selinux +#make -f /usr/share/selinux/devel/Makefile %{majorname}-server-galera.pp +%endif + + + %install -cd build -make DESTDIR=%{buildroot} install -mkdir -p %{buildroot}/%{_libdir}/systemd/system - -# Remove files that overlap with mariadb-connector-c packages -rm %{buildroot}%{_bindir}/{mariadb_config,mariadb-config,mysql_config} +%cmake_install +# multilib header support #1625157 +#for header in mysql/server/my_config.h mysql/server/private/config.h; do +#%multilib_fix_c_header --file %{_includedir}/$header +#done + +ln -s mysql_config.1.gz %{buildroot}%{_mandir}/man1/mariadb_config.1.gz + +# multilib support for shell scripts +# we only apply this to known Red Hat multilib arches, per bug #181335 +if [ %multilib_capable ] +then +mv 
%{buildroot}%{_bindir}/mysql_config %{buildroot}%{_bindir}/mysql_config-%{__isa_bits} +install -p -m 0755 %{_vpath_builddir}/scripts/mysql_config_multilib %{buildroot}%{_bindir}/mysql_config +# Copy manual page for multilib mysql_config; https://jira.mariadb.org/browse/MDEV-11961 +ln -s mysql_config.1 %{buildroot}%{_mandir}/man1/mysql_config-%{__isa_bits}.1 +fi + +# install INFO_SRC, INFO_BIN into libdir (upstream thinks these are doc files, +# but that's pretty wacko --- see also %%{majorname}-file-contents.patch) +install -p -m 644 %{_vpath_builddir}/Docs/INFO_SRC %{buildroot}%{_libdir}/%{majorname}/ +install -p -m 644 %{_vpath_builddir}/Docs/INFO_BIN %{buildroot}%{_libdir}/%{majorname}/ +rm -r %{buildroot}%{_datadir}/doc/%{majorname}/MariaDB-server-%{version} + +# Logfile creation +mkdir -p %{buildroot}%{logfiledir} +chmod 0750 %{buildroot}%{logfiledir} +touch %{buildroot}%{logfile} + +# current setting in my.cnf is to use /var/run/mariadb for creating pid file, +# however since my.cnf is not updated by RPM if changed, we need to create mysqld +# as well because users can have odd settings in their /etc/my.cnf +mkdir -p %{buildroot}%{pidfiledir} +install -p -m 0755 -d %{buildroot}%{dbdatadir} + +%if %{with config} +install -D -p -m 0644 %{_vpath_builddir}/scripts/my.cnf %{buildroot}%{_sysconfdir}/my.cnf +%else +rm %{_vpath_builddir}/scripts/my.cnf rm %{buildroot}%{_sysconfdir}/my.cnf +%endif + +# use different config file name for each variant of server (mariadb / mysql) +mv %{buildroot}%{_sysconfdir}/my.cnf.d/server.cnf %{buildroot}%{_sysconfdir}/my.cnf.d/%{majorname}-server.cnf + +# Remove upstream SysV init script and a symlink to that, we use systemd +rm %{buildroot}%{_libexecdir}/rcmysql +# Remove upstream Systemd service files +rm -r %{buildroot}%{_datadir}/%{majorname}/systemd +# Our downstream Systemd service file have set aliases to the "mysql" names in the [Install] section. 
+# They can be enabled / disabled by "systemctl enable / diable " +rm %{buildroot}%{_unitdir}/{mysql,mysqld}.service + +# install systemd unit files and scripts for handling server startup +install -D -p -m 644 %{_vpath_builddir}/scripts/mysql.service %{buildroot}%{_unitdir}/%{daemon_name}.service +install -D -p -m 644 %{_vpath_builddir}/scripts/mysql@.service %{buildroot}%{_unitdir}/%{daemon_name}@.service + +# helper scripts for service starting +install -p -m 755 %{_vpath_builddir}/scripts/mariadb-prepare-db-dir %{buildroot}%{_libexecdir}/mariadb-prepare-db-dir +install -p -m 755 %{_vpath_builddir}/scripts/mariadb-check-socket %{buildroot}%{_libexecdir}/mariadb-check-socket +install -p -m 755 %{_vpath_builddir}/scripts/mariadb-check-upgrade %{buildroot}%{_libexecdir}/mariadb-check-upgrade +install -p -m 644 %{_vpath_builddir}/scripts/mariadb-scripts-common %{buildroot}%{_libexecdir}/mariadb-scripts-common + +# Install downstream version of tmpfiles +install -D -p -m 0644 %{_vpath_builddir}/scripts/mariadb.tmpfiles.d %{buildroot}%{_tmpfilesdir}/%{majorname}.conf +echo "d %{pidfiledir} 0755 mysql mysql -" >>%{buildroot}%{_tmpfilesdir}/%{majorname}.conf + +# Install additional cracklib selinux policy +%if %{with cracklib} +mkdir -p %{buildroot}%{_datadir}/selinux/packages/targeted/ +mv %{buildroot}%{_datadir}/mariadb/policy/selinux/mariadb-plugin-cracklib-password-check.pp %{buildroot}%{_datadir}/selinux/packages/targeted/%{majorname}-plugin-cracklib-password-check.pp +rm %{buildroot}%{_datadir}/mariadb/policy/selinux/mariadb-plugin-cracklib-password-check.te +%endif + +%if %{with test} +# mysql-test includes one executable that doesn't belong under /usr/share, so move it and provide a symlink +mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process %{buildroot}%{_bindir} +ln -s ../../../../../bin/my_safe_process %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process +# Provide symlink expected by RH QA tests +ln -s unstable-tests 
%{buildroot}%{_datadir}/mysql-test/rh-skipped-tests.list +%endif + + +# Client that uses libmysqld embedded server. +# Pretty much like normal mysql command line client, but it doesn't require a running mariadb server. +%{?with_embedded:rm %{buildroot}%{_bindir}/{mariadb-,mysql_}embedded} +rm %{buildroot}%{_mandir}/man1/{mysql_,mariadb-}embedded.1* +# Static libraries +rm %{buildroot}%{_libdir}/*.a +# This script creates the MySQL system tables and starts the server. +# Upstream says: +# It looks like it's just "mysql_install_db && mysqld_safe" +# I've never heard of anyone using it, I'd say, no need to pack it. +rm %{buildroot}%{_datadir}/%{majorname}/binary-configure +# FS files first-bytes recoginiton +# Not updated by upstream since nobody realy use that +rm %{buildroot}%{_datadir}/%{majorname}/magic + +# Upstream ships them because of, https://jira.mariadb.org/browse/MDEV-10797 +# In Fedora we use our own systemd unit files and scripts +rm %{buildroot}%{_datadir}/%{majorname}/mysql.server +rm %{buildroot}%{_datadir}/%{majorname}/mysqld_multi.server + +# Binary for monitoring MySQL performance +# Shipped as a standalone package in Fedora +rm %{buildroot}%{_bindir}/mytop +rm %{buildroot}%{_mandir}/man1/mytop.1* + +# Should be shipped with mariadb-connector-c +rm %{buildroot}%{_mandir}/man1/mariadb_config.1* + +# for compatibility with upstream RPMs, create mysqld symlink in sbin +mkdir -p %{buildroot}%{_sbindir} +ln -s %{_libexecdir}/mysqld %{buildroot}%{_sbindir}/mysqld +ln -s %{_libexecdir}/mariadbd %{buildroot}%{_sbindir}/mariadbd + +# copy additional docs into build tree so %%doc will find them +install -p -m 0644 %{SOURCE6} %{basename:%{SOURCE6}} +install -p -m 0644 %{SOURCE16} %{basename:%{SOURCE16}} + +%if %{with galera} +# Add wsrep_sst_rsync_tunnel script +install -p -m 0755 scripts/wsrep_sst_rsync_tunnel %{buildroot}%{_bindir}/wsrep_sst_rsync_tunnel +install -p -m 0644 %{SOURCE8} %{basename:%{SOURCE8}} + +# install the clustercheck script +mkdir -p 
%{buildroot}%{_sysconfdir}/sysconfig +touch %{buildroot}%{_sysconfdir}/sysconfig/clustercheck +install -p -m 0755 %{_vpath_builddir}/scripts/clustercheck %{buildroot}%{_bindir}/clustercheck +# clustercheck license +install -p -m 0644 %{SOURCE71} %{basename:%{SOURCE71}} + +# install galera config file +sed -i -r 's|^wsrep_provider=none|wsrep_provider=%{_libdir}/galera/libgalera_smm.so|' %{_vpath_builddir}/support-files/wsrep.cnf +install -p -m 0644 %{_vpath_builddir}/support-files/wsrep.cnf %{buildroot}%{_sysconfdir}/my.cnf.d/galera.cnf + +# install additional galera selinux policy +#install -p -m 644 -D selinux/%{majorname}-server-galera.pp %{buildroot}%{_datadir}/selinux/packages/targeted/%{majorname}-server-galera.pp + +# Fix Galera Replication config file +# The replication requires cluster address upon startup (which is end-user specific). +# Disable it entirely, rather than have it failing out-of-the-box. +sed -i 's/^wsrep_on=1/wsrep_on=0/' %{buildroot}%{_sysconfdir}/my.cnf.d/galera.cnf +%endif + +# remove duplicate logrotate script +rm %{buildroot}%{_datadir}/mariadb/mariadb.logrotate +# Remove AppArmor files +rm -r %{buildroot}%{_datadir}/%{majorname}/policy/apparmor + +# Buildroot does not have symlink /lib64 --> /usr/lib64 +%if %{with pam} +mv %{buildroot}/%{_lib}/security %{buildroot}%{_libdir} +%endif + +# Disable plugins +%if %{with gssapi} +sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf +%endif +%if %{with cracklib} +sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/cracklib_password_check.cnf +%endif + +%if %{without embedded} +rm %{buildroot}%{_mandir}/man1/{mysql_client_test_embedded,mysqltest_embedded}.1* +rm %{buildroot}%{_mandir}/man1/{mariadb-client-test-embedded,mariadb-test-embedded}.1* +%endif + + +%if %{without clibrary} +# Client part should be included in package 'mariadb-connector-c' +[ -e %{buildroot}%{_libdir}/pkgconfig/libmariadb.pc ] && rm 
%{buildroot}%{_libdir}/pkgconfig/libmariadb.pc +[ -e %{buildroot}/usr/lib64/pkgconfig/libmariadb.pc ] && rm %{buildroot}/usr/lib64/pkgconfig/libmariadb.pc + rm %{buildroot}%{_sysconfdir}/my.cnf.d/client.cnf +# Client library and links rm %{buildroot}%{_libdir}/libmariadb.so.* -rm %{buildroot}%{_libdir}/libmysqlclient.so -rm %{buildroot}%{_libdir}/libmysqlclient_r.so -rm %{buildroot}%{_libdir}/libmariadb.so -rm %{buildroot}%{_libdir}/mysql/plugin/{auth_gssapi_client.so,caching_sha2_password.so,client_ed25519.so,dialog.so,mysql_clear_password.so,sha256_password.so} -rm %{buildroot}%{_libdir}/pkgconfig/libmariadb.pc -rm %{buildroot}%{_includedir}/mysql/{errmsg.h,ma_list.h,ma_pvio.h,ma_tls.h,mysql_version.h,mysqld_error.h,mariadb_com.h,mariadb_ctype.h,mariadb_dyncol.h,mariadb_rpl.h,mariadb_stmt.h,mariadb_version.h,mysql.h} -rm %{buildroot}%{_includedir}/mysql/mariadb/ma_io.h -rm %{buildroot}%{_includedir}/mysql/mysql/{client_plugin.h,plugin_auth.h} - -mv %{buildroot}%{_datadir}/systemd/mariadb.service %{buildroot}/%{_libdir}/systemd/system/mariadb.service -mv %{buildroot}%{_datadir}/systemd/mariadb@.service %{buildroot}/%{_libdir}/systemd/system/mariadb@.service -mv %{buildroot}%{_datadir}/systemd/mariadb-extra@.socket %{buildroot}/%{_libdir}/systemd/system/mariadb-extra@.socket -mv %{buildroot}%{_datadir}/systemd/mariadb@.socket %{buildroot}/%{_libdir}/systemd/system/mariadb@.socket -mv %{buildroot}%{_datadir}/systemd/mysql.service %{buildroot}/%{_libdir}/systemd/system/mysql.service -mv %{buildroot}%{_datadir}/systemd/mysqld.service %{buildroot}/%{_libdir}/systemd/system/mysqld.service -rm %{buildroot}/%{_sbindir}/rcmysql -rm %{buildroot}/%{_libdir}/*.a -mkdir -p %{buildroot}/%{_sharedstatedir}/mysql -install -vdm755 %{buildroot}%{_libdir}/systemd/system-preset -echo "disable mariadb.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-mariadb.preset - +unlink %{buildroot}%{_libdir}/libmysqlclient.so +unlink %{buildroot}%{_libdir}/libmysqlclient_r.so +unlink 
%{buildroot}%{_libdir}/libmariadb.so +rm %{buildroot}%{_mandir}/man3/* +# Client plugins +rm %{buildroot}%{_libdir}/%{majorname}/plugin/{dialog.so,mysql_clear_password.so,sha256_password.so} +%if %{with gssapi} +rm %{buildroot}%{_libdir}/%{majorname}/plugin/auth_gssapi_client.so +%endif +%endif + +%if %{without clibrary} || %{without devel} +rm %{buildroot}%{_bindir}/mysql_config* +rm %{buildroot}%{_bindir}/mariadb_config +rm %{buildroot}%{_bindir}/mariadb-config +rm %{buildroot}%{_mandir}/man1/mysql_config*.1* +%endif + +%if %{without clibrary} && %{with devel} +# This files are already included in mariadb-connector-c +rm %{buildroot}%{_includedir}/mysql/mysql_version.h +rm %{buildroot}%{_includedir}/mysql/{errmsg.h,ma_list.h,ma_pvio.h,mariadb_com.h,\ +mariadb_ctype.h,mariadb_dyncol.h,mariadb_stmt.h,mariadb_version.h,ma_tls.h,mysqld_error.h,mysql.h,mariadb_rpl.h} +rm -r %{buildroot}%{_includedir}/mysql/{mariadb,mysql} +%endif + +%if %{without devel} +rm -r %{buildroot}%{_includedir}/mysql +rm %{buildroot}%{_datadir}/aclocal/mysql.m4 +rm %{buildroot}%{_libdir}/pkgconfig/mariadb.pc +%if %{with clibrary} +rm %{buildroot}%{_libdir}/libmariadb*.so +unlink %{buildroot}%{_libdir}/libmysqlclient.so +unlink %{buildroot}%{_libdir}/libmysqlclient_r.so +%endif +%endif + +%if %{without client} +rm %{buildroot}%{_bindir}/msql2mysql +rm %{buildroot}%{_bindir}/{mysql,mariadb} +rm %{buildroot}%{_bindir}/mysql{access,admin,binlog,check,dump,_find_rows,import,_plugin,show,slap,_waitpid} +rm %{buildroot}%{_bindir}/mariadb-{access,admin,binlog,check,dump,find-rows,import,plugin,show,slap,waitpid} + +rm %{buildroot}%{_mandir}/man1/msql2mysql.1* +rm %{buildroot}%{_mandir}/man1/{mysql,mariadb}.1* +rm %{buildroot}%{_mandir}/man1/mysql{access,admin,binlog,check,dump,_find_rows,import,_plugin,show,slap,_waitpid}.1* +rm %{buildroot}%{_mandir}/man1/mariadb-{access,admin,binlog,check,dump,find-rows,import,plugin,show,slap,waitpid}.1* + +rm %{buildroot}%{_sysconfdir}/my.cnf.d/mysql-clients.cnf 
+%endif + +%if %{without common} +rm -r %{buildroot}%{_datadir}/%{majorname}/charsets +%endif + +%if %{without errmsg} +rm %{buildroot}%{_datadir}/%{majorname}/errmsg-utf8.txt +rm -r %{buildroot}%{_datadir}/%{majorname}/{english,czech,danish,dutch,estonian,\ +french,german,greek,hungarian,italian,japanese,korean,norwegian,norwegian-ny,\ +polish,portuguese,romanian,russian,serbian,slovak,spanish,swedish,ukrainian,hindi,\ +bulgarian,chinese,georgian} +%endif + +%if %{without test} +%if %{with embedded} +rm %{buildroot}%{_bindir}/test-connect-t +rm %{buildroot}%{_bindir}/{mysql_client_test_embedded,mysqltest_embedded} +rm %{buildroot}%{_bindir}/{mariadb-client-test-embedded,mariadb-test-embedded} +rm %{buildroot}%{_mandir}/man1/{mysql_client_test_embedded,mysqltest_embedded}.1* +rm %{buildroot}%{_mandir}/man1/{mariadb-client-test-embedded,mariadb-test-embedded}.1* +# endif embedded +%endif +%if %{with pam} +rm %{buildroot}/suite/plugins/pam/mariadb_mtr +rm %{buildroot}/suite/plugins/pam/pam_mariadb_mtr.so +# endif pam +%endif +rm %{buildroot}%{_bindir}/{mysql_client_test,mysqltest} +rm %{buildroot}%{_bindir}/{mariadb-client-test,mariadb-test} +rm %{buildroot}%{_mandir}/man1/{mysql_client_test,mysqltest,my_safe_process}.1* +rm %{buildroot}%{_mandir}/man1/{mariadb-client-test,mariadb-test}.1* +rm %{buildroot}%{_mandir}/man1/{mysql-test-run,mysql-stress-test}.pl.1* +%endif + +%if %{without rocksdb} +rm %{buildroot}%{_mandir}/man1/{mysql_,mariadb-}ldb.1* +rm %{buildroot}%{_mandir}/man1/myrocks_hotbackup.1* +%endif + +%if %{without backup} +rm %{buildroot}%{_mandir}/man1/maria{,db-}backup.1* +rm %{buildroot}%{_mandir}/man1/mbstream.1* +%endif + +%if %{without s3} +rm %{buildroot}%{_mandir}/man1/aria_s3_copy.1* +%endif + %check -cd build -make test - -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig -%pre server -if [ $1 -eq 1 ] ; then - getent group mysql >/dev/null || groupadd -r mysql - getent passwd mysql >/dev/null || useradd -c "mysql" -s /bin/false -g mysql -M -r 
mysql +cd unittest +perl ./unit.pl --verbose run +%if %{with test} +%if %runselftest +# The cmake build scripts don't provide any simple way to control the +# options for mysql-test-run, so ignore the make target and just call it +# manually. Nonstandard options chosen are: +# --force to continue tests after a failure +# no retries please +# test SSL with --ssl +# skip tests that are listed in rh-skipped-tests.list +# avoid redundant test runs with --binlog-format=mixed +# increase timeouts to prevent unwanted failures during mass rebuilds + +# Usefull arguments: +# --do-test=mysql_client_test_nonblock \ +# --skip-rpl +# --suite=roles +# --mem for running in the RAM; Not enough space in KOJI for this + +( + set -ex + cd %{buildroot}%{_datadir}/mysql-test + + export common_testsuite_arguments=" --port-base=$(( $(date +%s) % 20000 + 10000 )) --parallel=auto --force --retry=2 --suite-timeout=900 --testcase-timeout=30 --mysqld=--binlog-format=mixed --force-restart --shutdown-timeout=60 --max-test-fail=5 " + + # If full testsuite has already been run on this version and we don't explicitly want the full testsuite to be run + if [[ "%{last_tested_version}" == "%{version}" ]] && [[ %{force_run_testsuite} -eq 0 ]] + then + # in further rebuilds only run the basic "main" suite (~800 tests) + echo -e "\n\nRunning just the base testsuite\n\n" + perl ./mysql-test-run.pl $common_testsuite_arguments --ssl --suite=main --mem --skip-test-list=unstable-tests + fi + + # If either this version wasn't marked as tested yet or I explicitly want to run the testsuite, run everything we have (~4000 test) + if [[ "%{last_tested_version}" != "%{version}" ]] || [[ %{force_run_testsuite} -ne 0 ]] + then + echo -e "\n\nRunning the advanced testsuite\n\n" + perl ./mysql-test-run.pl $common_testsuite_arguments --ssl --big-test --skip-test=spider \ + %if %{ignore_testsuite_result} + --max-test-fail=9999 || : + %else + --skip-test-list=unstable-tests + %endif + + # Spider tests can't be run in the 
Fedora KOJI at this moment, see #2291227 + %if 0 + # Second run for the SPIDER suites that fail with SCA (ssl self signed certificate) + perl ./mysql-test-run.pl $common_testsuite_arguments --skip-ssl --big-test --suite=spider,spider/bg,spider/bugfix \ + %if %{ignore_testsuite_result} + --max-test-fail=999 || : + %else + --skip-test-list=unstable-tests + %endif + %endif + # blank line + fi + + # There might be a dangling symlink left from the testing, remove it to not be installed + rm -rf ./var + # Remove temporary files created by the testsuite execution + find ./ -type f -name '*~' -exec rm {} + +) + +# NOTE: the Spider SE has 2 more hidden testsuites "oracle" and "oracle2". +# however, all of the tests fail with: "failed: 12521: Can't use wrapper 'oracle' for SQL connection" + +%endif +%endif + + + +%pre -n %{pkgname}-server +/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || : +/usr/sbin/useradd -M -N -g mysql -o -r -d %{dbdatadir} -s /sbin/nologin \ + -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || : + +%post -n %{pkgname}-server +%systemd_post %{daemon_name}.service + +%preun -n %{pkgname}-server +%systemd_preun %{daemon_name}.service + +%postun -n %{pkgname}-server +%systemd_postun_with_restart %{daemon_name}.service + +%if %{with galera} +%post -n %{pkgname}-server-galera +#%selinux_modules_install -s "targeted" %{_datadir}/selinux/packages/targeted/%{majorname}-server-galera.pp + +# Allow ports needed for the replication: +# https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Port_Labeling +if [ $1 -eq 1 ]; then + # https://mariadb.com/kb/en/library/configuring-mariadb-galera-cluster/#network-ports + # Galera Replication Port + semanage port -a -t mysqld_port_t -p tcp 4567 >/dev/null 2>&1 || : + semanage port -a -t mysqld_port_t -p udp 4567 >/dev/null 2>&1 || : + # IST Port + semanage port -a -t mysqld_port_t -p tcp 4568 >/dev/null 2>&1 || : + # SST Port + semanage port -a -t mysqld_port_t -p tcp 4444 >/dev/null 2>&1 || : fi - -%post server 
-/sbin/ldconfig -chown mysql:mysql %{_sharedstatedir}/mysql || : -mysql_install_db --datadir="%{_sharedstatedir}/mysql" --user="mysql" --basedir="%{_prefix}" >/dev/null || : -%systemd_post mariadb.service - -%postun server -/sbin/ldconfig -if [ $1 -eq 0 ] ; then - if getent passwd mysql >/dev/null; then - userdel mysql - fi - if getent group mysql >/dev/null; then - groupdel mysql - fi + +%postun -n %{pkgname}-server-galera +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s "targeted" %{majorname}-server-galera + + # Delete port labeling when the package is removed + # https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Port_Labeling + semanage port -d -t mysqld_port_t -p tcp 4567 >/dev/null 2>&1 || : + semanage port -d -t mysqld_port_t -p udp 4567 >/dev/null 2>&1 || : + semanage port -d -t mysqld_port_t -p tcp 4568 >/dev/null 2>&1 || : + semanage port -d -t mysqld_port_t -p tcp 4444 >/dev/null 2>&1 || : fi -%systemd_postun_with_restart mariadb.service - -%preun server -%systemd_preun mariadb.service - -%files -%defattr(-,root,root) -%{_libdir}/libmariadbd.so.* -%{_bindir}/aria_s3_copy -%{_bindir}/mariadb -%{_bindir}/mariadb-access -%{_bindir}/mariadb-admin -%{_bindir}/mariadb-backup -%{_bindir}/mariadb-binlog -%{_bindir}/mariadb-check -%{_bindir}/mariadb-client-test -%{_bindir}/mariadb-client-test-embedded -%{_bindir}/mariadb-conv -%{_bindir}/mariadb-convert-table-format -%{_bindir}/mariadb-dump -%{_bindir}/mariadb-dumpslow -%{_bindir}/mariadb-embedded -%{_bindir}/mariadb-find-rows -%{_bindir}/mariadb-fix-extensions -%{_bindir}/mariadb-hotcopy -%{_bindir}/mariadb-import -%{_bindir}/mariadb-install-db -%{_bindir}/mariadb-ldb -%{_bindir}/mariadb-plugin -%{_bindir}/mariadb-secure-installation -%{_bindir}/mariadb-setpermission -%{_bindir}/mariadb-show -%{_bindir}/mariadb-slap -%{_bindir}/mariadb-test -%{_bindir}/mariadb-test-embedded -%{_bindir}/mariadb-tzinfo-to-sql -%{_bindir}/mariadb-upgrade -%{_bindir}/mariadb-waitpid -%{_bindir}/mariadbd-multi 
-%{_bindir}/mariadbd-safe -%{_bindir}/mariadbd-safe-helper +%endif + +%if %{with cracklib} +%post -n %{pkgname}-cracklib-password-check +%selinux_modules_install -s "targeted" %{_datadir}/selinux/packages/targeted/%{majorname}-plugin-cracklib-password-check.pp + +%postun -n %{pkgname}-cracklib-password-check +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s "targeted" %{majorname}-plugin-cracklib-password-check +fi +%endif + + + +%if %{with client} +%files -n %{pkgname} %{_bindir}/msql2mysql -%{_bindir}/mysql -%{_bindir}/mysql_find_rows -%{_bindir}/mysql_plugin -%{_bindir}/mysql_waitpid -%{_bindir}/mysqlaccess -%{_bindir}/mysqladmin -%{_bindir}/mysqlbinlog -%{_bindir}/mysqlcheck -%{_bindir}/mysqldump -%{_bindir}/mysqlimport -%{_bindir}/mysqlshow -%{_bindir}/mysqlslap -%{_bindir}/mysql_client_test -%{_bindir}/mysql_client_test_embedded -%{_bindir}/mysql_convert_table_format -%{_bindir}/mysql_embedded -%{_bindir}/mysql_fix_extensions -%{_bindir}/mysql_ldb -%{_bindir}/mysql_setpermission -%{_bindir}/mysql_upgrade -%{_bindir}/mysqltest -%{_bindir}/mysqltest_embedded -%{_bindir}/mytop -%{_bindir}/perror -%{_bindir}/sst_dump -%{_bindir}/myrocks_hotbackup -%{_mandir}/man1/msql2mysql.1.gz -%{_mandir}/man1/mysql.1.gz -%{_mandir}/man1/mysqlaccess.1.gz -%{_mandir}/man1/mysqladmin.1.gz -%{_mandir}/man1/mysqlbinlog.1.gz -%{_mandir}/man1/mysqlcheck.1.gz -%{_mandir}/man1/mysql_client_test.1.gz -%{_mandir}/man1/mysql_client_test_embedded.1.gz -%{_mandir}/man1/mysql_config.1.gz -%{_mandir}/man1/mysql_convert_table_format.1.gz -%{_mandir}/man1/mysqldump.1.gz -%{_mandir}/man1/mysqldumpslow.1.gz -%{_mandir}/man1/mysql_find_rows.1.gz -%{_mandir}/man1/mysql_fix_extensions.1.gz -%{_mandir}/man1/mysql_plugin.1.gz -%{_mandir}/man1/mysql_secure_installation.1.gz -%{_mandir}/man1/mysql_setpermission.1.gz -%{_mandir}/man1/mysqlshow.1.gz -%{_mandir}/man1/mysqlslap.1.gz -%{_mandir}/man1/mysql-stress-test.pl.1.gz -%{_mandir}/man1/mysqltest.1.gz -%{_mandir}/man1/mysqltest_embedded.1.gz 
-%{_mandir}/man1/mysql-test-run.pl.1.gz -%{_mandir}/man1/mysql_tzinfo_to_sql.1.gz -%{_mandir}/man1/mysql_upgrade.1.gz -%{_mandir}/man1/mysql_waitpid.1.gz -%{_mandir}/man1/perror.1.gz -%{_datadir}/mysql/charsets/* -%{_datadir}/magic -%{_datadir}/pam_user_map.so -%{_datadir}/user_map.conf -%config(noreplace) /etc/my.cnf.d/s3.cnf -%config(noreplace) /etc/my.cnf.d/spider.cnf -%license COPYING -%doc CREDITS - -%exclude %{_datadir}/mysql/bench -%exclude %{_datadir}/mysql/test -%exclude %{_docdir}/mariadb-%{version}/* - -%files server -%config(noreplace) %{_sysconfdir}/logrotate.d/mariadb -%config(noreplace) %{_sysconfdir}/my.cnf.d/enable_encryption.preset +%{_bindir}/{mysql,mariadb} +%{_bindir}/mysql{admin,binlog,check,dump,import,_plugin,show,slap,_waitpid} +%{_bindir}/mariadb-{admin,binlog,check,dump,import,plugin,show,slap,waitpid} + +%{_mandir}/man1/msql2mysql.1* +%{_mandir}/man1/{mysql,mariadb}.1* +%{_mandir}/man1/mysql{access,admin,binlog,check,dump,_find_rows,import,_plugin,show,slap,_waitpid}.1* +%{_mandir}/man1/mariadb-{access,admin,binlog,check,dump,find-rows,import,plugin,show,slap,waitpid}.1* + %config(noreplace) %{_sysconfdir}/my.cnf.d/mysql-clients.cnf -%config(noreplace) %{_sysconfdir}/my.cnf.d/server.cnf -%config(noreplace) %{_sysconfdir}/my.cnf.d/hashicorp_key_management.cnf -%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_bzip2.cnf -%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_lzma.cnf -%dir %attr(0750,mysql,mysql) %{_sharedstatedir}/mysql -%{_libdir}/mysql/plugin* -%{_bindir}/aria_chk -%{_bindir}/aria_dump_log -%{_bindir}/aria_ftdump -%{_bindir}/aria_pack -%{_bindir}/aria_read_log -%{_bindir}/innochecksum -%{_bindir}/mariabackup + +%files -n %{pkgname}-client-utils +%{_bindir}/mysql{access,_find_rows} +%{_bindir}/mariadb-{access,find-rows} +%{_mandir}/man1/mysql{access,_find_rows}.1* +%{_mandir}/man1/mariadb-{access,find-rows}.1* +%endif + +%if %{with clibrary} +%files -n %{pkgname}-libs +%exclude 
%{_libdir}/{libmysqlclient.so.18,libmariadb.so,libmysqlclient.so,libmysqlclient_r.so} +%{_libdir}/libmariadb.so* +%config(noreplace) %{_sysconfdir}/my.cnf.d/client.cnf +%endif + +%if %{with config} +%files -n %{pkgname}-config +# although the default my.cnf contains only server settings, we put it in the +# common package because it can be used for client settings too. +%dir %{_sysconfdir}/my.cnf.d +%config(noreplace) %{_sysconfdir}/my.cnf +%endif + +%if %{with common} +%files -n %{pkgname}-common +%doc %{_datadir}/doc/%{majorname} +%dir %{_datadir}/%{majorname} +%{_datadir}/%{majorname}/charsets +%if %{with clibrary} +%{_libdir}/%{majorname}/plugin/dialog.so +%{_libdir}/%{majorname}/plugin/mysql_clear_password.so +%endif +%endif + +%if %{with errmsg} +%files -n %{pkgname}-errmsg +%{_datadir}/%{majorname}/errmsg-utf8.txt +%{_datadir}/%{majorname}/english +%lang(cs) %{_datadir}/%{majorname}/czech +%lang(da) %{_datadir}/%{majorname}/danish +%lang(nl) %{_datadir}/%{majorname}/dutch +%lang(et) %{_datadir}/%{majorname}/estonian +%lang(fr) %{_datadir}/%{majorname}/french +%lang(de) %{_datadir}/%{majorname}/german +%lang(el) %{_datadir}/%{majorname}/greek +%lang(hi) %{_datadir}/%{majorname}/hindi +%lang(hu) %{_datadir}/%{majorname}/hungarian +%lang(it) %{_datadir}/%{majorname}/italian +%lang(ja) %{_datadir}/%{majorname}/japanese +%lang(ko) %{_datadir}/%{majorname}/korean +%lang(no) %{_datadir}/%{majorname}/norwegian +%lang(no) %{_datadir}/%{majorname}/norwegian-ny +%lang(pl) %{_datadir}/%{majorname}/polish +%lang(pt) %{_datadir}/%{majorname}/portuguese +%lang(ro) %{_datadir}/%{majorname}/romanian +%lang(ru) %{_datadir}/%{majorname}/russian +%lang(sr) %{_datadir}/%{majorname}/serbian +%lang(sk) %{_datadir}/%{majorname}/slovak +%lang(es) %{_datadir}/%{majorname}/spanish +%lang(sv) %{_datadir}/%{majorname}/swedish +%lang(uk) %{_datadir}/%{majorname}/ukrainian +%lang(bg) %{_datadir}/%{majorname}/bulgarian +%lang(zh) %{_datadir}/%{majorname}/chinese +%lang(ka) 
%{_datadir}/%{majorname}/georgian +%endif + +%if %{with galera} +%files -n %{pkgname}-server-galera +%doc Docs/README-wsrep +%license LICENSE.clustercheck +%{_bindir}/clustercheck +%{_bindir}/galera_new_cluster +%{_bindir}/galera_recovery +%{_mandir}/man1/galera_new_cluster.1* +%{_mandir}/man1/galera_recovery.1* +%config(noreplace) %{_sysconfdir}/my.cnf.d/galera.cnf +%attr(0640,root,root) %ghost %config(noreplace) %{_sysconfdir}/sysconfig/clustercheck +#%{_datadir}/selinux/packages/targeted/%{majorname}-server-galera.pp +%endif + +%files -n %{pkgname}-server + +%{_bindir}/aria_{chk,dump_log,ftdump,pack,read_log} %{_bindir}/mariadb-service-convert -%{_bindir}/mbstream -%{_bindir}/myisam_ftdump %{_bindir}/myisamchk +%{_bindir}/myisam_ftdump %{_bindir}/myisamlog %{_bindir}/myisampack -%{_bindir}/mysql_install_db -%{_bindir}/mysql_secure_installation -%{_bindir}/mysql_tzinfo_to_sql -%{_bindir}/mysqld_safe -%{_bindir}/mysqld_multi -%{_bindir}/mysqld_safe_helper -%{_bindir}/mysqldumpslow -%{_bindir}/mysqlhotcopy %{_bindir}/my_print_defaults + +%{_bindir}/mariadb-conv + +%{_bindir}/mysql_{install_db,secure_installation,tzinfo_to_sql} +%{_bindir}/mariadb-{install-db,secure-installation,tzinfo-to-sql} +%{_bindir}/{mysqld_,mariadbd-}safe +%{_bindir}/{mysqld_safe_helper,mariadbd-safe-helper} + +%{_bindir}/innochecksum %{_bindir}/replace %{_bindir}/resolve_stack_dump %{_bindir}/resolveip -%{_bindir}/wsrep_sst_backup -%{_bindir}/wsrep_sst_common -%{_bindir}/wsrep_sst_mariabackup -%{_bindir}/wsrep_sst_mysqldump -%{_bindir}/wsrep_sst_rsync -%{_bindir}/wsrep_sst_rsync_wan -%{_sbindir}/* -%{_unitdir}/*.service -%{_unitdir}/*.socket -%{_libdir}/systemd/system-preset/50-mariadb.preset -%{_datadir}/binary-configure -%{_datadir}/mariadb.logrotate -%{_datadir}/mini-benchmark -%{_datadir}/mysql.server -%{_datadir}/mysqld_multi.server -%{_datadir}/policy/apparmor/README -%{_datadir}/policy/apparmor/usr.sbin.mysqld -%{_datadir}/policy/apparmor/usr.sbin.mysqld.local 
-%{_datadir}/policy/selinux/README -%{_datadir}/policy/selinux/mariadb-server.fc -%{_datadir}/policy/selinux/mariadb-server.te -%{_datadir}/policy/selinux/mariadb.te -%{_datadir}/wsrep.cnf -%{_datadir}/wsrep_notify -%{_mandir}/man1/aria_chk.1.gz -%{_mandir}/man1/aria_dump_log.1.gz -%{_mandir}/man1/aria_ftdump.1.gz -%{_mandir}/man1/aria_pack.1.gz -%{_mandir}/man1/aria_read_log.1.gz -%{_mandir}/man1/aria_s3_copy.1.gz -%{_mandir}/man1/innochecksum.1.gz -%{_mandir}/man1/mariadb-service-convert.1.gz -%{_mandir}/man1/myisamchk.1.gz -%{_mandir}/man1/myisam_ftdump.1.gz -%{_mandir}/man1/myisamlog.1.gz -%{_mandir}/man1/myisampack.1.gz -%{_mandir}/man1/my_print_defaults.1.gz -%{_mandir}/man1/my_safe_process.1.gz -%{_mandir}/man1/mysqld_multi.1.gz -%{_mandir}/man1/mysqld_safe.1.gz -%{_mandir}/man1/mysqld_safe_helper.1.gz -%{_mandir}/man1/mysqlhotcopy.1.gz -%{_mandir}/man1/mysqlimport.1.gz -%{_mandir}/man1/mysql_install_db.1.gz -%{_mandir}/man1/mysql.server.1.gz -%{_mandir}/man1/replace.1.gz -%{_mandir}/man1/resolveip.1.gz -%{_mandir}/man1/resolve_stack_dump.1.gz -%{_mandir}/man1/wsrep_sst_common.1.gz -%{_mandir}/man1/wsrep_sst_mysqldump.1.gz -%{_mandir}/man1/wsrep_sst_rsync.1.gz -%{_mandir}/man1/wsrep_sst_backup.1.gz -%{_mandir}/man1/mariabackup.1.gz -%{_mandir}/man1/mbstream.1.gz -%{_mandir}/man1/mysql_embedded.1.gz -%{_mandir}/man1/mysql_ldb.1.gz -%{_mandir}/man1/wsrep_sst_mariabackup.1.gz -%{_mandir}/man1/wsrep_sst_rsync_wan.1.gz -%{_mandir}/man1/mariadb-access.1.gz -%{_mandir}/man1/mariadb-admin.1.gz -%{_mandir}/man1/mariadb-backup.1.gz -%{_mandir}/man1/mariadb-binlog.1.gz -%{_mandir}/man1/mariadb-check.1.gz -%{_mandir}/man1/mariadb-client-test-embedded.1.gz -%{_mandir}/man1/mariadb-client-test.1.gz -%{_mandir}/man1/mariadb-conv.1.gz -%{_mandir}/man1/mariadb-convert-table-format.1.gz -%{_mandir}/man1/mariadb-dump.1.gz -%{_mandir}/man1/mariadb-dumpslow.1.gz -%{_mandir}/man1/mariadb-embedded.1.gz -%{_mandir}/man1/mariadb-find-rows.1.gz 
-%{_mandir}/man1/mariadb-fix-extensions.1.gz -%{_mandir}/man1/mariadb-hotcopy.1.gz -%{_mandir}/man1/mariadb-import.1.gz -%{_mandir}/man1/mariadb-install-db.1.gz -%{_mandir}/man1/mariadb-ldb.1.gz -%{_mandir}/man1/mariadb-plugin.1.gz -%{_mandir}/man1/mariadb-secure-installation.1.gz -%{_mandir}/man1/mariadb-setpermission.1.gz -%{_mandir}/man1/mariadb-show.1.gz -%{_mandir}/man1/mariadb-slap.1.gz -%{_mandir}/man1/mariadb-test-embedded.1.gz -%{_mandir}/man1/mariadb-test.1.gz -%{_mandir}/man1/mariadb-tzinfo-to-sql.1.gz -%{_mandir}/man1/mariadb-upgrade.1.gz -%{_mandir}/man1/mariadb-waitpid.1.gz -%{_mandir}/man1/mariadb.1.gz -%{_mandir}/man1/mariadb_config.1.gz -%{_mandir}/man1/mariadbd-multi.1.gz -%{_mandir}/man1/mariadbd-safe-helper.1.gz -%{_mandir}/man1/mariadbd-safe.1.gz -%{_mandir}/man1/myrocks_hotbackup.1.gz -%{_mandir}/man1/mytop.1.gz -%{_mandir}/man8/* -%{_datadir}/mysql/fill_help_tables.sql -%{_datadir}/mysql/maria_add_gis_sp.sql -%{_datadir}/mysql/maria_add_gis_sp_bootstrap.sql -%{_datadir}/mysql/mroonga/install.sql -%{_datadir}/mysql/mroonga/uninstall.sql -%{_datadir}/mysql/mysql_performance_tables.sql -%{_datadir}/mysql/mysql_system_tables.sql -%{_datadir}/mysql/mysql_system_tables_data.sql -%{_datadir}/mysql/mysql_test_data_timezone.sql -%{_datadir}/mysql/mysql_test_db.sql -%{_datadir}/mysql/mysql_sys_schema.sql -%license %{_datadir}/mysql/mroonga/AUTHORS -%license %{_datadir}/mysql/mroonga/COPYING -%license %{_datadir}/groonga-normalizer-mysql/lgpl-2.0.txt -%license %{_datadir}/groonga/COPYING -%doc %{_datadir}/groonga-normalizer-mysql/README.md -%doc %{_datadir}/groonga/README.md - -%files server-galera -%{_bindir}/galera_new_cluster -%{_bindir}/galera_recovery -%{_datadir}/systemd/use_galera_new_cluster.conf -%{_mandir}/man1/galera_new_cluster.1.gz -%{_mandir}/man1/galera_recovery.1.gz +%if %{with galera} +# wsrep_sst_common should be moved to /usr/share/mariadb: https://jira.mariadb.org/browse/MDEV-14296 +%{_bindir}/wsrep_* +%{_mandir}/man1/wsrep_*.1* 
+%doc README.wsrep_sst_rsync_tunnel
+%endif
+
+%config(noreplace) %{_sysconfdir}/my.cnf.d/%{majorname}-server.cnf
+%config(noreplace) %{_sysconfdir}/my.cnf.d/enable_encryption.preset
+%config(noreplace) %{_sysconfdir}/my.cnf.d/spider.cnf
+
+%{?with_lz4:%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_lz4.cnf}
+%{?with_bzip2:%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_bzip2.cnf}
+%{?with_lzma:%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_lzma.cnf}
+%{?with_lzo:%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_lzo.cnf}
+%{?with_snappy:%config(noreplace) %{_sysconfdir}/my.cnf.d/provider_snappy.cnf}
+
+%{?with_hashicorp:%config(noreplace) %{_sysconfdir}/my.cnf.d/hashicorp_key_management.cnf}
+
+%{_sbindir}/mysqld
+%{_sbindir}/mariadbd
+%{_libexecdir}/{mysqld,mariadbd}
+
+%{_libdir}/%{majorname}/INFO_SRC
+%{_libdir}/%{majorname}/INFO_BIN
+%if %{without common}
+%dir %{_datadir}/%{majorname}
+%endif
+
+%dir %{_libdir}/%{majorname}
+%dir %{_libdir}/%{majorname}/plugin
+
+%{_libdir}/%{majorname}/plugin/*
+%{?with_oqgraph:%exclude %{_libdir}/%{majorname}/plugin/ha_oqgraph.so}
+%{?with_connect:%exclude %{_libdir}/%{majorname}/plugin/ha_connect.so}
+%{?with_cracklib:%exclude %{_libdir}/%{majorname}/plugin/cracklib_password_check.so}
+%{?with_rocksdb:%exclude %{_libdir}/%{majorname}/plugin/ha_rocksdb.so}
+%{?with_gssapi:%exclude %{_libdir}/%{majorname}/plugin/auth_gssapi.so}
+%{?with_sphinx:%exclude %{_libdir}/%{majorname}/plugin/ha_sphinx.so}
+%{?with_s3:%exclude %{_libdir}/%{majorname}/plugin/ha_s3.so}
+%if %{with clibrary}
+%exclude %{_libdir}/%{majorname}/plugin/dialog.so
+%exclude %{_libdir}/%{majorname}/plugin/mysql_clear_password.so
+%endif
+
+# PAM plugin; moved to a standalone sub-package
+%exclude %{_libdir}/%{majorname}/plugin/{auth_pam_v1.so,auth_pam.so}
+%exclude %dir %{_libdir}/%{majorname}/plugin/auth_pam_tool_dir
+%exclude %{_libdir}/%{majorname}/plugin/auth_pam_tool_dir/auth_pam_tool
+
+%{_mandir}/man1/aria_{chk,dump_log,ftdump,pack,read_log}.1*
+%{_mandir}/man1/mariadb-service-convert.1*
+%{_mandir}/man1/myisamchk.1*
+%{_mandir}/man1/myisamlog.1*
+%{_mandir}/man1/myisampack.1*
+%{_mandir}/man1/myisam_ftdump.1*
+%{_mandir}/man1/my_print_defaults.1*
+
+%{_mandir}/man1/mariadb-conv.1*
+
+%{_mandir}/man1/mysql_{install_db,secure_installation,tzinfo_to_sql}.1*
+%{_mandir}/man1/mariadb-{install-db,secure-installation,tzinfo-to-sql}.1*
+%{_mandir}/man1/{mysqld_,mariadbd-}safe.1*
+%{_mandir}/man1/{mysqld_safe_helper,mariadbd-safe-helper}.1*
+
+%{_mandir}/man1/innochecksum.1*
+%{_mandir}/man1/replace.1*
+%{_mandir}/man1/resolveip.1*
+%{_mandir}/man1/resolve_stack_dump.1*
+%{_mandir}/man8/{mysqld,mariadbd}.8*
+
+%{_mandir}/man1/mysql.server.1*
+
+%{_datadir}/%{majorname}/mini-benchmark
+%{_datadir}/%{majorname}/fill_help_tables.sql
+%{_datadir}/%{majorname}/maria_add_gis_sp.sql
+%{_datadir}/%{majorname}/maria_add_gis_sp_bootstrap.sql
+%{_datadir}/%{majorname}/mysql_system_tables.sql
+%{_datadir}/%{majorname}/mysql_sys_schema.sql
+%{_datadir}/%{majorname}/mysql_system_tables_data.sql
+%{_datadir}/%{majorname}/mysql_test_data_timezone.sql
+%{_datadir}/%{majorname}/mysql_performance_tables.sql
+%{_datadir}/%{majorname}/mysql_test_db.sql
+%if %{with mroonga}
+%dir %{_datadir}/%{majorname}/mroonga
+%dir %{_datadir}/%{majorname}-server
+%dir %{_datadir}/%{majorname}-server/groonga
+%dir %{_datadir}/%{majorname}-server/groonga-normalizer-mysql
+%{_datadir}/%{majorname}/mroonga/install.sql
+%{_datadir}/%{majorname}/mroonga/uninstall.sql
+%license %{_datadir}/%{majorname}/mroonga/COPYING
+%license %{_datadir}/%{majorname}/mroonga/AUTHORS
+%license %{_datadir}/%{majorname}-server/groonga-normalizer-mysql/lgpl-2.0.txt
+%license %{_datadir}/%{majorname}-server/groonga/COPYING
+%doc %{_datadir}/%{majorname}-server/groonga-normalizer-mysql/README.md
+%doc %{_datadir}/%{majorname}-server/groonga/README.md
+%endif
+%if %{with galera}
+%{_datadir}/%{majorname}/wsrep.cnf
+%{_datadir}/%{majorname}/wsrep_notify
+%endif
+%dir %{_datadir}/%{majorname}/policy
+%dir %{_datadir}/%{majorname}/policy/selinux
+%{_datadir}/%{majorname}/policy/selinux/README
+%{_datadir}/%{majorname}/policy/selinux/mariadb-server.*
+%{_datadir}/%{majorname}/policy/selinux/mariadb.*
+
+# More on socket activation or extra port service at
+# https://mariadb.com/kb/en/systemd/
+%{_unitdir}/%{daemon_name}.service
+%{_unitdir}/%{daemon_name}@.service
+%{_unitdir}/%{daemon_name}.socket
+%{_unitdir}/%{daemon_name}@.socket
+%{_unitdir}/%{daemon_name}-extra.socket
+%{_unitdir}/%{daemon_name}-extra@.socket
+%{_unitdir}/%{daemon_name}@bootstrap.service.d
+
+%{_libexecdir}/mariadb-prepare-db-dir
+%{_libexecdir}/mariadb-check-socket
+%{_libexecdir}/mariadb-check-upgrade
+%{_libexecdir}/mariadb-scripts-common
+
+%attr(0755,mysql,mysql) %dir %{pidfiledir}
+%attr(0755,mysql,mysql) %dir %{dbdatadir}
+%attr(0750,mysql,mysql) %dir %{logfiledir}
+# This does what it should.
+# RPMLint error "conffile-without-noreplace-flag /var/log/mariadb/mariadb.log" is false positive.
+%attr(0660,mysql,mysql) %config %ghost %verify(not md5 size mtime) %{logfile} +%config(noreplace) %{logrotateddir}/%{daemon_name} + +%{_tmpfilesdir}/%{majorname}.conf +%{_sysusersdir}/%{majorname}.conf + +%if %{with cracklib} +%files -n %{pkgname}-cracklib-password-check +%config(noreplace) %{_sysconfdir}/my.cnf.d/cracklib_password_check.cnf +%{_libdir}/%{majorname}/plugin/cracklib_password_check.so +%{_datadir}/selinux/packages/targeted/%{majorname}-plugin-cracklib-password-check.pp +%endif + +%if %{with backup} +%files -n %{pkgname}-backup +%{_bindir}/maria{,db-}backup +%{_bindir}/mbstream +%{_mandir}/man1/maria{,db-}backup.1* +%{_mandir}/man1/mbstream.1* +%endif + +%if %{with rocksdb} +%files -n %{pkgname}-rocksdb-engine +%config(noreplace) %{_sysconfdir}/my.cnf.d/rocksdb.cnf +%{_bindir}/myrocks_hotbackup +%{_bindir}/{mysql_,mariadb-}ldb +%{_bindir}/sst_dump +%{_libdir}/%{majorname}/plugin/ha_rocksdb.so +%{_mandir}/man1/{mysql_,mariadb-}ldb.1* +%{_mandir}/man1/myrocks_hotbackup.1* +%endif + +%if %{with gssapi} +%files -n %{pkgname}-gssapi-server +%{_libdir}/%{majorname}/plugin/auth_gssapi.so +%config(noreplace) %{_sysconfdir}/my.cnf.d/auth_gssapi.cnf +%endif + +%if %{with pam} +%files -n %{pkgname}-pam +%{_libdir}/%{majorname}/plugin/{auth_pam_v1.so,auth_pam.so} +%attr(0755,root,root) %dir %{_libdir}/%{majorname}/plugin/auth_pam_tool_dir +# SUID-to-root binary. 
Access MUST be restricted (https://jira.mariadb.org/browse/MDEV-25126) +%attr(4750,root,mysql) %{_libdir}/%{majorname}/plugin/auth_pam_tool_dir/auth_pam_tool +%{_libdir}/security/pam_user_map.so +%config(noreplace) %{_sysconfdir}/security/user_map.conf +%endif + +%if %{with sphinx} +%files -n %{pkgname}-sphinx-engine +%{_libdir}/%{majorname}/plugin/ha_sphinx.so +%endif + +%if %{with oqgraph} +%files -n %{pkgname}-oqgraph-engine +%config(noreplace) %{_sysconfdir}/my.cnf.d/oqgraph.cnf +%{_libdir}/%{majorname}/plugin/ha_oqgraph.so +%endif + +%if %{with connect} +%files -n %{pkgname}-connect-engine +%config(noreplace) %{_sysconfdir}/my.cnf.d/connect.cnf +%{_libdir}/%{majorname}/plugin/ha_connect.so +%endif + +%if %{with s3} +%files -n %{pkgname}-s3-engine +%{_bindir}/aria_s3_copy +%{_mandir}/man1/aria_s3_copy.1* +%config(noreplace) %{_sysconfdir}/my.cnf.d/s3.cnf +%{_libdir}/%{majorname}/plugin/ha_s3.so +%endif + +%files -n %{pkgname}-server-utils +# Perl utilities +%{_bindir}/mysql{_convert_table_format,dumpslow,_fix_extensions,hotcopy,_setpermission} +%{_bindir}/mariadb-{convert-table-format,dumpslow,fix-extensions,hotcopy,setpermission} +%{_bindir}/{mysqld_,mariadbd-}multi + +%{_mandir}/man1/mysql{_convert_table_format,dumpslow,_fix_extensions,hotcopy,_setpermission}.1* +%{_mandir}/man1/mariadb-{convert-table-format,dumpslow,fix-extensions,hotcopy,setpermission}.1* +%{_mandir}/man1/{mysqld_,mariadbd-}multi.1* +# Utilities that can be used remotely +%{_bindir}/{mysql_,mariadb-}upgrade +%{_bindir}/perror +%{_mandir}/man1/{mysql_,mariadb-}upgrade.1* +%{_mandir}/man1/perror.1* -%files devel -%{_includedir}/mysql/* +%if %{with devel} +%files -n %{pkgname}-devel +%{_includedir}/* %{_datadir}/aclocal/mysql.m4 -%{_libdir}/libmariadbd.so +%{_libdir}/pkgconfig/*mariadb.pc +%if %{with clibrary} +%{_mandir}/man3/* +%{_libdir}/{libmysqlclient.so.18,libmariadb.so,libmysqlclient.so,libmysqlclient_r.so} +%{_bindir}/mysql_config* +%{_bindir}/mariadb_config* +%{_bindir}/mariadb-config 
+%{_libdir}/libmariadb.so +%{_libdir}/libmysqlclient.so +%{_libdir}/libmysqlclient_r.so +%{_mandir}/man1/mysql_config* +%endif +%endif + +%if %{with embedded} +%files -n %{pkgname}-embedded +%{_libdir}/libmariadbd.so.* + +%files -n %{pkgname}-embedded-devel %{_libdir}/libmysqld.so -%{_libdir}/pkgconfig/mariadb.pc -%{_mandir}/man3/*.3.gz - -%files errmsg -%{_datadir}/mysql/bulgarian/errmsg.sys -%{_datadir}/mysql/chinese/errmsg.sys -%{_datadir}/mysql/czech/errmsg.sys -%{_datadir}/mysql/danish/errmsg.sys -%{_datadir}/mysql/dutch/errmsg.sys -%{_datadir}/mysql/english/errmsg.sys -%{_datadir}/mysql/errmsg-utf8.txt -%{_datadir}/mysql/estonian/errmsg.sys -%{_datadir}/mysql/french/errmsg.sys -%{_datadir}/mysql/georgian/errmsg.sys -%{_datadir}/mysql/german/errmsg.sys -%{_datadir}/mysql/greek/errmsg.sys -%{_datadir}/mysql/hungarian/errmsg.sys -%{_datadir}/mysql/italian/errmsg.sys -%{_datadir}/mysql/japanese/errmsg.sys -%{_datadir}/mysql/korean/errmsg.sys -%{_datadir}/mysql/norwegian-ny/errmsg.sys -%{_datadir}/mysql/norwegian/errmsg.sys -%{_datadir}/mysql/polish/errmsg.sys -%{_datadir}/mysql/portuguese/errmsg.sys -%{_datadir}/mysql/romanian/errmsg.sys -%{_datadir}/mysql/russian/errmsg.sys -%{_datadir}/mysql/serbian/errmsg.sys -%{_datadir}/mysql/slovak/errmsg.sys -%{_datadir}/mysql/spanish/errmsg.sys -%{_datadir}/mysql/swedish/errmsg.sys -%{_datadir}/mysql/ukrainian/errmsg.sys -%{_datadir}/mysql/hindi/errmsg.sys - +%{_libdir}/libmariadbd.so +%endif + +%if %{with test} +%files -n %{pkgname}-test +%if %{with embedded} +%{_bindir}/test-connect-t +%{_bindir}/{mysql_client_test_embedded,mysqltest_embedded} +%{_bindir}/{mariadb-client-test-embedded,mariadb-test-embedded} +%{_mandir}/man1/{mysql_client_test_embedded,mysqltest_embedded}.1* +%{_mandir}/man1/{mariadb-client-test-embedded,mariadb-test-embedded}.1* +%endif +%{_bindir}/{mysql_client_test,mysqltest,mariadb-client-test,mariadb-test} +%{_bindir}/my_safe_process +%attr(-,mysql,mysql) %{_datadir}/mysql-test 
+%{_mandir}/man1/{mysql_client_test,mysqltest,mariadb-client-test,mariadb-test}.1* +%{_mandir}/man1/my_safe_process.1* +%{_mandir}/man1/mysql-stress-test.pl.1* +%{_mandir}/man1/mysql-test-run.pl.1* +%endif + %changelog +* Fri Apr 04 2025 Mayank Singh - 10.11.11-1 +- Initial Azure Linux import from Fedora 42 (license: MIT). +- License verified +- Fix CVE-2023-52971 with an upstream patch + * Thu Mar 27 2025 CBL-Mariner Servicing Account - 10.11.11-1 - Auto-upgrade to 10.11.11 - for CVE-2025-21490 * Tue Nov 05 2024 CBL-Mariner Servicing Account - 10.11.10-1 - Auto-upgrade to 10.11.10 - to address CVE-2024-21096 -* Fri Jun 21 2024 Neha Agarwal - 10.11.6-3 -- Patch CVE-2024-0901 - -* Sun Feb 04 2024 Dan Streetman - 10.11.6-2 -- workaround "circular dependencies" from build tooling - -* Thu Nov 16 2023 Andrew Phelps - 10.11.6-1 -- Upgrade to version 10.11.6 - -* Wed Sep 20 2023 Jon Slobodzian - 10.6.9-5 -- Recompile with stack-protection fixed gcc version (CVE-2023-4039) - -* Mon Jul 31 2023 Pawel Winogrodzki - 10.6.9-4 -- Explicitly using the system versions of PCRE2, openSSL, and zlib. - -* Thu Feb 09 2023 Rachel Menge - 10.6.9-3 -- Add patch for CVE-2022-47015 - -* Wed Sep 07 2022 Andrew Phelps - 10.6.9-2 -- Add shadow-utils pre/postun requirements - -* Tue Aug 30 2022 Henry Beberman - 10.6.9-1 -- Upgrade to v10.6.9 to address CVE-2022-32091, CVE-2022-32081 - -* Fri May 20 2022 Chris Co - 10.6.8-1 -- Upgrade to v10.6.8 to address CVE-2022-27448, CVE-2022-27449, - CVE-2022-27451, CVE-2022-27457, CVE-2022-27458 -- Add new files bulgarian errmsg.sys, chinese errmsg.sys, wsrep_sst_backup - -* Fri Apr 29 2022 Olivia Crain - 10.6.7-2 -- Fix conflicts with mariadb-connector-c - -* Tue Feb 15 2022 Max Brodeur-Urbas - 10.6.7-1 -- Upgrading to v10.6.7. -- Adding reference to new unpackaged man files. -- Adding comment and script to help with submodule tarball creation. -- Adding with_check perl(Test::More) BR for "dbug" ptest failure. 
- -* Thu Dec 16 2021 Pawel Winogrodzki - 10.3.28-3 -- Removing the explicit %%clean stage. - -* Fri Nov 19 2021 Pawel Winogrodzki - 10.3.28-2 -- Adding a fix to work with newer version of cmake. - -* Fri Apr 02 2021 Nicolas Ontiveros - 10.3.28-1 -- Upgrade to version 10.3.28, which resolves CVE-2021-27928 - -* Thu Jan 14 2021 Andrew Phelps 10.3.17-4 -- Disable failing "test-connect" test and binary "test-connect-t" - -* Fri Jun 12 2020 Henry Beberman 10.3.17-3 -- Temporarily disable generation of debug symbols. - -* Tue Apr 28 2020 Emre Girgin 10.3.17-2 -- Renaming Linux-PAM to pam - -* Fri Mar 13 2020 Paul Monson 10.3.17-1 -- Update to version 10.3.17. License verified. - -* Tue Sep 03 2019 Mateusz Malisz 10.3.11-3 -- Initial CBL-Mariner import from Photon (license: Apache2). - -* Wed Jan 23 2019 Ajay Kaher 10.3.11-2 -- Remove PerconaFT from mariadb pkg because of AGPL licence - -* Wed Jan 02 2019 Him Kalyan Bordoloi 10.3.11-1 -- Upgrade to version 10.3.11 - -* Mon Nov 19 2018 Ajay Kaher 10.3.9-3 -- Enabling for aarch64 - -* Mon Oct 22 2018 Ajay Kaher 10.3.9-2 -- Adding BuildArch - -* Thu Sep 06 2018 Srivatsa S. Bhat 10.3.9-1 -- Update to version 10.3.9 - -* Tue Nov 07 2017 Xiaolin Li 10.2.10-1 -- Update to verion 10.2.10 to address CVE-2017-10378, CVE-2017-10268 - -* Wed Sep 06 2017 Xiaolin Li 10.2.8-1 -- Update to 10.2.8 and enable build server. - -* Thu Aug 31 2017 Xiaolin Li 10.1.24-3 -- Fixed make check issue. 
- -* Fri Aug 25 2017 Dheeraj Shetty 10.1.24-2 -- Specify MariaDB conflicts with MySQL - -* Wed Apr 05 2017 Xiaolin Li 10.1.24-1 -- Initial packaging for Photon +* Wed Feb 05 2025 Michal Schorm - 3:10.11.11-1 +- Rebase to 10.11.11 + +* Sat Feb 01 2025 Björn Esser - 3:10.11.10-4 +- Add explicit BR: libxcrypt-devel + +* Fri Jan 17 2025 Fedora Release Engineering - 3:10.11.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Fri Nov 29 2024 Timothée Ravier - 3:10.11.10-2 +- Split mariadb-access & mariadb-find-rows into a client-utils subpackage + +* Sat Nov 16 2024 Michal Schorm - 3:10.11.10-1 +- Rebase to 10.11.10 + +* Tue Aug 13 2024 Michal Schorm - 3:10.11.9-1 +- Rebase to 10.11.9 + +* Tue Jul 23 2024 Lumír Balhar - 3:10.11.8-5 +- Add new systemtap-sdt-dtrace to build deps + +* Thu Jul 18 2024 Fedora Release Engineering - 3:10.11.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Mon Jun 10 2024 Michal Schorm - 3:10.11.8-3 +- Bump release for rebuild + +* Sun Jun 09 2024 Michal Schorm - 3:10.11.8-2 +- Add wsrep_sst_rsync_tunnel script + +* Fri Jun 07 2024 Michal Schorm - 3:10.11.8-1 +- Rebase to 10.11.8 + +* Thu Jun 06 2024 Michal Schorm - 3:10.11.7-1 +- Rebase to 10.11.7 +- Patch 10 removed, the main.ssl_cipher test has been fixed + and re-enabled by upstream and now passes on all architectures + +* Tue Apr 09 2024 Yaakov Selkowitz - 3:10.11.6-4 +- Fix my.cnf dependency + +* Wed Feb 7 2024 Filip Janus - 3:10.11.6-3 +- Rename macros related to demodularization + +* Wed Jan 31 2024 Filip Janus - 3:10.11.6-2 +- Apply demodularization +- the default stream builds mariadb.rpm +- the non-default stream builds mariadbXX.XX.rpm + +* Thu Jan 25 2024 Michal Schorm - 3:10.11.6-1 +- Rebase to 10.11.6 + +* Thu Jan 25 2024 Michal Schorm - 3:10.10.7-1 +- Rebase to 10.10.7 + +* Thu Jan 25 2024 Michal Schorm - 3:10.9.8-1 +- Rebase to 10.9.8 + +* Thu Jan 25 2024 Michal Schorm - 3:10.8.8-1 +- Rebase to 10.8.8 + +* Thu Jan 25 2024 
Michal Schorm - 3:10.7.8-1 +- Rebase to 10.7.8 + +* Thu Jan 25 2024 Michal Schorm - 3:10.6.16-1 +- Rebase to 10.6.16 + +* Thu Jan 25 2024 Fedora Release Engineering - 3:10.5.23-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 3:10.5.23-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Nov 16 2023 Michal Schorm - 3:10.5.23-1 +- Rebase to 10.5.23 + +* Mon Sep 04 2023 Michal Schorm - 3:10.5.22-1 +- Rebase to 10.5.22 + +* Wed Jul 26 2023 Michal Schorm - 3:10.5.21-1 +- Rebase to version 10.5.21 + +* Thu Jul 20 2023 Fedora Release Engineering - 3:10.5.20-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue May 30 2023 Lukas Javorsky - 3:10.5.20-1 +- Rebase to version 10.5.20 +- Patches 11 and 13 were upstreamed + +* Fri Apr 28 2023 Siddhesh Poyarekar - 3:10.5.19-2 +- Use _fortify_level to disable fortification in debug builds. + +* Fri Apr 28 2023 Michal Schorm - 3:10.5.19-1 +- Rebase to 10.5.19 + +* Tue Apr 11 2023 Florian Weimer - 3:10.5.18-3 +- Port to C99 + +* Thu Jan 19 2023 Fedora Release Engineering - 3:10.5.18-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Nov 16 2022 Michal Schorm - 3:10.5.18-1 +- Rebase to 10.5.18 +- OpenSSL 3 patch upstreamed + +* Thu Jul 21 2022 Fedora Release Engineering - 3:10.5.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Michal Schorm - 3:10.5.16-2 +- Release bump for rebuild + +* Mon May 23 2022 Michal Schorm - 3:10.5.16-1 +- Rebase to 10.5.16 + +* Sun Feb 20 2022 Michal Schorm - 3:10.5.15-1 +- Rebase to 10.5.15 + +* Mon Feb 07 2022 Honza Horak - 3:10.5.13-3 +- Fix md5 in FIPS mode with OpenSSL 3.0.0 + Resolves: #2050541 + +* Thu Jan 20 2022 Fedora Release Engineering - 3:10.5.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Dec 02 2021 Michal Schorm - 3:10.5.13-1 +- Rebase to 10.5.13 + +* Tue 
Sep 14 2021 Sahana Prasad - 3:10.5.12-3 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Aug 26 2021 Marek Kulik - 3:10.5.12-2 +- Add patch for mysql_setpermissions: BZ#1976224 + +* Sat Aug 07 2021 Michal Schorm - 3:10.5.12-1 +- Rebase to 10.5.12 + +* Tue Aug 03 2021 Lukas Javorsky - 3:10.5.11-4 +- Set user_map.conf file to be noreplace config file +- Related: BZ#1989534 + +* Thu Jul 22 2021 Fedora Release Engineering - 3:10.5.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 14 2021 Lukas Javorsky - 3:10.5.11-2 +- Rebuild against pcre2-10.37 (bug #1965025) + +* Thu Jul 01 2021 Michal Schorm - 3:10.5.11-1 +- Rebase to 10.5.11 + +* Wed May 12 2021 Michal Schorm - 3:10.5.10-2 +- Use modified sources instead of the upstream original ones + +* Tue May 11 2021 Michal Schorm - 3:10.5.10-1 +- Rebase to 10.5.10 + +* Tue Mar 30 2021 Jonathan Wakely - 3:10.5.9-5 +- Rebuilt for removed libstdc++ symbol (#1937698) + +* Thu Mar 18 2021 Michal Schorm - 3:10.5.9-4 +- Move PAM plugin to standalone subpackage + +* Thu Mar 18 2021 Michal Schorm - 3:10.5.9-3 +- Fixed permissions on files from PAMv2 plugin + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3:10.5.9-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+ +* Wed Feb 24 2021 Michal Schorm - 3:10.5.9-1 +- Rebase to 10.5.9 + +* Tue Feb 16 2021 Lukas Javorsky - 3:10.5.8-8 +- Replace the tokudb Obsoletes to the right place +- Resolves: #1928757 + +* Fri Feb 12 2021 Michal Schorm - 3:10.5.8-7 +- Enhance the logrotate script +- Resolves: #1683981 + +* Fri Feb 12 2021 Michal Schorm - 3:10.5.8-6 +- Fix Perl database driver dependency + +* Wed Feb 10 2021 Michal Schorm - 3:10.5.8-5 +- Add support for S3 storage engine + +* Thu Jan 28 2021 Honza Horak - 3:10.5.8-4 +- For compatibility with upstream RPMs, create mysqld symlink in sbin + +* Tue Jan 26 2021 Fedora Release Engineering - 3:10.5.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Dec 11 2020 Lukas Javorsky - 3:10.5.8-2 +- Add tokudb-engine to obsoletes +- Resolves: #1906559 + +* Wed Nov 11 2020 Michal Schorm - 3:10.5.8-1 +- Rebase to 10.5.8 + +* Fri Nov 06 2020 Michal Schorm - 3:10.5.7-1 +- Rebase to 10.5.7 + +* Mon Sep 21 2020 Lukas Javorsky - 3:10.5.5-1 +- Rebase to 10.5.5 +- Fix mariadb-ownsetup +- Add manual for aria_s3_copy + +* Wed Sep 16 2020 Lukas Javorsky - 3:10.5.4-1 +- Rebase to 10.5.4 +- Add spider.cnf to the server config files + +* Mon Sep 14 2020 Lukas Javorsky - 3:10.5.3-1 +- Rebase to 10.5.3 + +* Fri Sep 11 2020 Michal Schorm - 3:10.5.2-1 +- Test rebase to 10.5.2 - Beta +- TokuDB SE has been deprecated + +* Thu Sep 10 2020 Michal Schorm - 3:10.5.1-1 +- Test rebase to 10.5.1 - Beta + +* Thu Sep 10 2020 Michal Schorm - 3:10.5.0-1 +- Test rebase to 10.5.0 - Alpha + +* Sun Sep 06 2020 Michal Schorm - 3:10.4.14-3 +- Resolves: #1851605 + +* Thu Sep 03 2020 Michal Schorm - 3:10.4.14-2 +- Resolves: #1873999, #1874446 + +* Thu Aug 20 2020 Michal Schorm - 3:10.4.14-1 +- Rebase to 10.4.14 + +* Tue Aug 18 2020 Michal Schorm - 3:10.4.13-7 +- Do CMake out-of-source builds +- Force the CMake change regarding the in-source builds also to F31 and F32 +- Use CMake macros instead of cmake & make direct commands +- %%cmake macro covers 
the %%{set_build_flags}, so they are not needed + Other changes to compile flags must be specified *after* the %%cmake macro + +* Wed Aug 05 2020 Jeff Law - 3:10.4.13-6 +- Disable LTO + +* Sat Aug 01 2020 Fedora Release Engineering - 3:10.4.13-5 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 3:10.4.13-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Michal Schorm - 3:10.4.13-3 +- Make conflicts between corresponding mariadb and mysql packages explicit +- Get rid of the Conflicts macro, it was intended to mark conflicts with + *upstream* packages + +* Fri Jun 05 2020 Michal Schorm - 3:10.4.13-2 +- Extend Perl "Requires" filtering to wsrep + Resolves: #1845376 + +* Fri Jun 05 2020 Michal Schorm - 3:10.4.13-1 +- Rebase to 10.4.13 + +* Sun May 24 2020 Lukas Javorsky - 3:10.4.12-6 +- Remove mariadb_rpl.h from includedir to prevent conflict with connector-c's libraries + +* Thu Apr 02 2020 Björn Esser - 3:10.4.12-5 +- Fix string quoting for rpm >= 4.16 + +* Thu Mar 26 2020 Jitka Plesnikova - 3:10.4.12-4 +- Add perl dependencies needed for tests + +* Mon Mar 16 2020 Michal Schorm - 3:10.4.12-3 +- Rebase mariadb-connector-c git submodule to commit fbf1db6 + For fix: https://jira.mariadb.org/browse/CONC-441 + +* Tue Mar 10 2020 Michal Schorm - 3:10.4.12-2 +- Update the fix for building in the debug mode + +* Thu Feb 06 2020 Michal Schorm - 3:10.4.12-1 +- Rebase to 10.4.12 + +* Wed Jan 29 2020 Fedora Release Engineering - 3:10.4.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Michal Schorm - 3:10.4.11-1 +- Rebase to 10.4.11 + Related: #1756468 +- Remove 'bench' subpackage. Upstream no longer maintains it. 
+- Use Valgrind for debug builds +- Remove ancient obsoletions +- Tweak build flags +- Add patch for auth_pam_tool directory + +* Fri Jan 10 2020 Michal Schorm - 3:10.3.21-1 +- Rebase to 10.3.21 + +* Mon Nov 18 2019 Lukas Javorsky - 3:10.3.20-3 +- Change path of groonga's packaged files +- Fix bz#1763287 + +* Tue Nov 12 2019 Michal Schorm - 3:10.3.20-2 +- Rebuild on top fo new mariadb-connector-c + +* Mon Nov 11 2019 Michal Schorm - 3:10.3.20-1 +- Rebase to 10.3.20 + +* Wed Nov 06 2019 Michal Schorm - 3:10.3.19-1 +- Rebase to 10.3.19 + +* Thu Oct 31 2019 Carl George - 3:10.3.18-1 +- Rebase to 10.3.18 + +* Wed Sep 11 2019 Michal Schorm - 3:10.3.17-3 +- Disable building of the ed25519 client plugin. + From now on it will be shipped by 'mariadb-connector-c' package + +* Fri Sep 06 2019 Michal Schorm - 3:10.3.17-2 +- Fix the debug build + +* Thu Aug 01 2019 Michal Schorm - 3:10.3.17-1 +- Rebase to 10.3.17 + +* Thu Jul 25 2019 Fedora Release Engineering - 3:10.3.16-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 18 2019 Michal Schorm - 3:10.3.16-1 +- Rebase to 10.3.16 +- Added patch for armv7hl builds of spider SE + +* Tue Jun 11 2019 Michal Schorm - 3:10.3.15-1 +- Rebase to 10.3.15 +- CVEs fixed: + CVE-2019-2510 CVE-2019-2537 +- CVEs fixed: + CVE-2019-2614 CVE-2019-2627 CVE-2019-2628 + +* Tue Jun 11 2019 Michal Schorm - 3:10.3.12-15 +- Remove Cassandra subpackage; it is no longer developed + +* Thu Mar 21 2019 Michal Schorm - 3:10.3.12-14 +- Fix building of TokuDB with Jemalloc 5 +- Fix building with / without lz4 + +* Thu Mar 21 2019 Michal Schorm - 3:10.3.12-13 +- Add patch for mysqld_safe --dry-run + +* Wed Mar 20 2019 Michal Schorm - 3:10.3.12-12 +- Add patch for server pkgconfig file location + +* Sat Feb 23 2019 Pavel Raiskup - 3:10.3.12-11 +- conditionally depend on selinux-policy-targeted again (rhbz#1665643) + +* Mon Feb 11 2019 Michal Schorm - 3:10.3.12-10 +- Disable the requirement of mysql-selinux, until its bug is solved 
for good; #1665643 + +* Fri Feb 01 2019 Fedora Release Engineering - 3:10.3.12-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 30 2019 Honza Horak - 3:10.3.12-8 +- Fix several SSL tests that failed because of different SSL cipher expectation + +* Wed Jan 23 2019 Michal Schorm - 3:10.3.12-7 +- Fix TokuDB Jemalloc ld_preload + Resolves: #1668375 +- Tweak macros usage + +* Sat Jan 19 2019 Michal Schorm - 3:10.3.12-6 +- Enable mysql-selinux requirement +- Tweak the testsuite execution, speed up the testsuite on rebuilds +- Change weak dependency of RocksDB and TokuDB storage engines + from Recommends to Suggests +- Add "Suggests" weak dependencies to more storage engines + +* Wed Jan 16 2019 Michal Schorm - 3:10.3.12-5 +- Tweak handling of the mysql-selinux requirement, leave disabled due to #1665643 + +* Mon Jan 14 2019 Björn Esser - 3:10.3.12-4 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Fri Jan 11 2019 Kevin Fenzi - 3:10.3.12-3 +- Drop mysql-selinux recommends for now due to bug #1665643 + +* Wed Jan 09 2019 Honza Horak - 3:10.3.12-2 +- Use specific python shebang + +* Tue Jan 08 2019 Michal Schorm - 3:10.3.12-1 +- Rebase to 10.3.12 +- Disable building of the caching_sha2_password plugin, it is shipped + by 'mariadb-connector-c' +- Remove libmariadb.pc, is it shipped by 'mariadb-connector-c' + +* Mon Dec 10 2018 Michal Schorm - 3:10.3.11-1 +- Rebase to 10.3.11 +- CVEs fixed: + CVE-2018-3282, CVE-2016-9843, CVE-2018-3174, CVE-2018-3143, CVE-2018-3156 + CVE-2018-3251, CVE-2018-3185, CVE-2018-3277, CVE-2018-3162, CVE-2018-3173 + CVE-2018-3200, CVE-2018-3284 + +* Fri Oct 05 2018 Michal Schorm - 3:10.3.10-1 +- Rebase to 10.3.10 + +* Tue Sep 04 2018 Michal Schorm - 3:10.3.9-2 +- Fix parallel installability of x86_64 and i686 devel packages + +* Mon Aug 20 2018 Michal Schorm - 3:10.3.9-1 +- Rebase to 10.3.9 + +* Fri Aug 10 2018 Petr Lautrbach - 3:10.3.8-5 +- Update mariadb-server-galera sub-package to require the correct package with 
/usr/sbin/semanage + +* Wed Jul 25 2018 Honza Horak - 3:10.3.8-4 +- Do not build config on systems where mariadb-connector-c-config exists instead + +* Tue Jul 17 2018 Honza Horak - 3:10.3.8-3 +- Move config files mysql-clients.cnf and enable_encryption.preset to correct + sub-packages, similar to what upstream does + +* Fri Jul 13 2018 Fedora Release Engineering - 3:10.3.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jul 03 2018 Michal Schorm - 3:10.3.8-1 +- Rebase to 10.3.8 +- Build TokuDB with jemalloc + +* Wed Jun 27 2018 Michal Schorm - 3:10.3.7-2 +- Rebase to 10.3.7 +- Remove the galera obsoletes + +* Tue Jun 05 2018 Honza Horak - 3:10.2.15-2 +- Use mysqladmin for checking the socket +- Jemalloc dependency moved to the TokuDB subpackage. + CMake jemalloc option removed, not used anymore. + The server doesn't need jemalloc since 10.2: https://jira.mariadb.org/browse/MDEV-11059 +- Build MariaDB with TokuDB without Jemalloc. + +* Wed May 23 2018 Michal Schorm - 3:10.2.15-1 +- Rebase to 10.2.15 +- CVEs fixed: #1568962 + CVE-2018-2755 CVE-2018-2761 CVE-2018-2766 CVE-2018-2771 CVE-2018-2781 + CVE-2018-2782 CVE-2018-2784 CVE-2018-2787 CVE-2018-2813 CVE-2018-2817 + CVE-2018-2819 CVE-2018-2786 CVE-2018-2759 CVE-2018-2777 CVE-2018-2810 + +* Thu Mar 29 2018 Michal Schorm - 3:10.2.14-1 +- Rebase to 10.2.14 +- Update testsuite run for SSL self signed certificates + +* Tue Mar 6 2018 Michal Schorm - 3:10.2.13-2 +- Further fix of ldconfig scriptlets for F27 +- Fix hardcoded paths, move unversioned libraries and symlinks to the devel subpackage + +* Thu Mar 1 2018 Michal Schorm - 3:10.2.13-1 +- Rebase to 10.2.13 + +* Mon Feb 26 2018 Michal Schorm - 3:10.2.12-8 +- SPECfile refresh, RHEL6, SySV init and old fedora stuff removed + +* Sun Feb 25 2018 Michal Schorm - 3:10.2.12-7 +- Rebuilt for ldconfig_post and ldconfig_postun bug + Related: #1548331 + +* Thu Feb 08 2018 Fedora Release Engineering - 3:10.2.12-6 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 26 2018 Michal Schorm - 3:10.2.12-5 +- Use '-ldl' compiler flag when associated library used + Resolves: #1538990 + +* Thu Jan 25 2018 Michal Schorm - 3:10.2.12-4 +- Fix the upgrade path. Build TokuDB subpackage again, but build a unsupported + configuration by upstream (without Jemalloc). + Jemmalloc has been updated to version 5, which isn't backwards compatible. +- Use downstream tmpfiles instead of the upstream one + Related: #1538066 + +* Sat Jan 20 2018 Björn Esser - 3:10.2.12-3 +- Rebuilt for switch to libxcrypt + +* Thu Jan 11 2018 Honza Horak - 3:10.2.12-1 +- Do not build connect plugin with mongo and jdbc connectors +- Support MYSQLD_OPTS and _WSREP_NEW_CLUSTER env vars in init script, + same as it is done in case of systemd unit file + Related: #1455850 +- Print the same messages as before when starting the service in SysV init, + to not scare users + Related: #1463411 + +* Wed Jan 10 2018 Michal Schorm - 3:10.2.12-1 +- Rebase to 10.2.12 +- Temporary fix for https://jira.mariadb.org/browse/MDEV-14537 removed +- TokuDB disabled + +* Mon Dec 11 2017 Michal Schorm - 3:10.2.11-2 +- Temporary fix for #1523875 removed, bug in Annobin fixed + Resolves: #1523875 + +* Sat Dec 09 2017 Michal Schorm - 3:10.2.11-1 +- Rebase to 10.2.11 +- Temporary fix for https://jira.mariadb.org/browse/MDEV-14537 introduced +- Temporary fix for #1523875 intoruced + Related: #1523875 + +* Wed Dec 06 2017 Michal Schorm - 3:10.2.10-2 +- Fix PID file location + Related: #1483331, #1515779 +- Remove 'Group' tags as they should not be used any more + Related: https://fedoraproject.org/wiki/RPMGroups + +* Mon Nov 20 2017 Michal Schorm - 3:10.2.10-1 +- Rebase to 10.2.10 version +- Patch 2: mariadb-install-test.patch has been incorporated by upstream +- Patch 8: mariadb-install-db-sharedir.patch; upstream started to use macros +- Update PCRE check +- Start using location libdir/mariadb for plugins +- Move libraries to libdir 
+- Divided to more sub-packages to match upstream's RPM list + Resolves: #1490401; #1400463 +- Update of Cmake arguments to supported format + Related: https://lists.launchpad.net/maria-discuss/msg04852.html +- Remove false Provides + +* Thu Oct 05 2017 Michal Schorm - 3:10.2.9-3 +- Fix client library obsolete + Related: #1498956 +- Enable testsuite again +- RPMLint error fix: + Remove unused python scripts which remained from TokuDB upstream +- RPMLint error fix: description line too long + +* Wed Oct 04 2017 Michal Schorm - 3:10.2.9-2 +- Fix of "with" and "without" macros, so they works +- Use 'iproute' dependency instead of 'net-tools' + Related: #1496131 +- Set server package to own /usr/lib64/mysql directory +- Use correct obsolete, so upgrade from maridb 10.1 to 10.2 is possible + with dnf "--allowerasing" option + Related: #1497234 +- Fix building with client library + +* Thu Sep 28 2017 Michal Schorm - 3:10.2.9-1 +- Rebase to 10.2.9 +- Testsuite temorarly disabled in order to fast deploy critical fix + Related: #1497234 + +* Wed Sep 20 2017 Michal Schorm - 3:10.2.8-5 +- Fix building without client library part +- Start building mariadb without client library part, + use mariadb-connector-c package >= 3.0 instead +- Use obosletes of "-libs" in "-common", if built without client library part + +* Mon Aug 28 2017 Honza Horak - 3:10.2.8-2 +- Fix paths in galera_recovery and galera_new_cluster + Resolves: #1403416 +- Support --defaults-group-suffix properly in systemd unit file + Resolves: #1485777 +- Allow 4567 port for tcp as well +- Install mysql-wait-ready on RHEL-6 for the SysV init +- Run mysql-prepare-db-dir as non-root +- Sync mysql.init with community-mysql + +* Sun Aug 20 2017 Honza Horak - 3:10.2.8-1 +- Rebase to 10.2.8 + +* Thu Aug 03 2017 Fedora Release Engineering - 3:10.2.7-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3:10.2.7-7 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jul 25 2017 Adam Williamson - 3:10.2.7-6 +- Revert previous change, go back to libmariadb headers (RHBZ #1474764) + +* Fri Jul 21 2017 Adam Williamson - 3:10.2.7-5 +- Install correct headers (server, not client) - MDEV-13370 + +* Wed Jul 19 2017 Jonathan Wakely - 3:10.2.7-4 +- Rebuilt for s390x binutils bug + +* Tue Jul 18 2017 Jonathan Wakely - 3:10.2.7-3 +- Rebuilt for Boost 1.64 + +* Thu Jul 13 2017 Michal Schorm - 3:10.2.7-2 +- Remove mysql-wait-* scripts. They aren't needed when using systemd "Type=notify" + +* Thu Jul 13 2017 Michal Schorm - 3:10.2.7-1 +- Rebase to 10.2.7 +- Get back mysql_config, its "--libmysqld-libs" is still needed + +* Wed Jul 12 2017 Adam Williamson - 3:10.2.6-4 +- Add manual Provides: for the libmysqlcient compat symlink + +* Wed Jul 12 2017 Adam Williamson - 3:10.2.6-3 +- Move libmysqlclient.so.18 compat link to -libs subpackage + +* Tue Jul 11 2017 Michal Schorm - 3:10.2.6-2 +- Disable Dtrace +- Disable Sphinx, circural dependency + +* Tue Jul 11 2017 Michal Schorm - 3:10.2.6-1 +- Rebase to 10.2.6 +- SSL patch removed +- 'libmariadb.so.3' replaced 'limysqlclient.so.18.0.0', symlinks provided +- "make test" removed, it needs running server and same test are included in the testsuite + +* Mon Jul 10 2017 Michal Schorm - 3:10.1.25-1 +- Rebase to 10.1.25 +- Disable plugins 'cracklib' and 'gssapi' by default +- Related: #1468028, #1464070 +- Looks like the testsuite removes its 'var' content correctly, + no need to do that explicitly. 
+ +* Fri Jul 07 2017 Igor Gnatenko - 3:10.1.24-5 +- Rebuild due to bug in RPM (RHBZ #1468476) + +* Mon Jun 19 2017 Michal Schorm - 3:10.1.24-4 +- Use "/run" location instead of "/var/run" symlink +- Related: #1455811 +- Remove AppArmor files + +* Fri Jun 09 2017 Honza Horak - 3:10.1.24-3 +- Downstream script mariadb-prepare-db-dir fixed for CVE-2017-3265 +- Resolves: #1458940 +- Check properly that datadir includes only expected files +- Related: #1356897 + +* Wed Jun 07 2017 Michal Schorm - 3:10.1.24-2 +- Fixed incorrect Jemalloc initialization; #1459671 + +* Fri Jun 02 2017 Michal Schorm - 3:10.1.24-1 +- Rebase to 10.1.24 +- Build dependecies Bison and Libarchive added, others corrected +- Disabling Mroonga engine for i686 architecture, as it is not supported by MariaDB +- Removed patches: (fixed by upstream) + Patch5: mariadb-file-contents.patch + Patch14: mariadb-example-config-files.patch + Patch31: mariadb-string-overflow.patch + Patch32: mariadb-basedir.patch + Patch41: mariadb-galera-new-cluster-help.patch +- Resolves: rhbz#1414387 + CVE-2017-3313 +- Resolves partly: rhbz#1443408 + CVE-2017-3308 CVE-2017-3309 CVE-2017-3453 CVE-2017-3456 CVE-2017-3464 + +* Tue May 23 2017 Michal Schorm - 3:10.1.21-6 +- Plugin oqgraph enabled +- Plugin jemalloc enabled +- 'force' option for 'rm' removed +- Enabled '--big-test' option for the testsuite +- Disabled '--skip-rpl' option for the testsuite = replication tests enabled +- Multilib manpage added + +* Mon May 15 2017 Fedora Release Engineering - 3:10.1.21-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild + +* Tue Mar 07 2017 Michal Schorm - 3:10.1.21-4 +- Cracklib plugin enabled +- Removed strmov patch, it is no longer needed. The issue was fixed long ago in both MariaDB and MySQL + +* Wed Feb 15 2017 Michal Schorm - 3:10.1.21-3 +- Fix for some RPMLint issues +- Fix: Only server utilities can be move to server-utils subpackage. 
The rest (from client) + were moved back to where they came from (client - the main subpackage) +- Added correct "Obsoletes" for the server-utils subpackage +- Fixed FTBFS in F26 on x86_64, because of -Werror option +- Related: #1421092, #1395127 + +* Fri Feb 10 2017 Fedora Release Engineering - 3:10.1.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 24 2017 Michal Schorm - 3:10.1.21-1 +- Rebase to version 10.1.21 +- Most of the non-essential utilites has been moved to the new sub-package mariadb-server-utils +- Patches "admincrash" and "errno" removed, they are no longer relevant + "mysql-embedded-check.c" removed, no longer relevant +- Buildrequires krb5-devel duplicity removed +- Manpage for mysql_secure_installation extended +- Preparation for the CrackLib plugin to be added (waiting for correct SELinux rules to be relased) +- Related: #1260821, #1205082, #1414387 + +* Tue Jan 03 2017 Honza Horak - 3:10.1.20-3 +- Add explicit EVR requirement in main package for -libs +- Related: #1406320 + +* Tue Dec 20 2016 Honza Horak - 3:10.1.20-2 +- Use correct macro when removing doc files +- Resolves: #1400981 + +* Sat Dec 17 2016 Michal Schorm - 3:10.1.20-1 +- Rebase to version 10.1.20 +- Related: #1405258 + +* Fri Dec 02 2016 Michal Schorm - 3:10.1.19-6 +- Move patch from specfile to standalone patch file +- Related: #1382988 + +* Thu Dec 01 2016 Rex Dieter - 3:10.1.19-6 +- -devel: use pkgconfig(openssl) to allow any implementation (like compat-openssl10) + +* Wed Nov 30 2016 Michal Schorm - 3:10.1.19-5 +- Testsuite blacklists heavily updated. 
Current tracker: #1399847 +- Log-error option added to all config files examples +- Resolves: #1382988 + +* Wed Nov 16 2016 Michal Schorm - 3:10.1.19-4 +- JdbcMariaDB.jar test removed +- PCRE version check added +- Related: #1382988, #1396945, #1096787 + +* Wed Nov 16 2016 Michal Schorm - 3:10.1.19-4 +- test suite ENABLED, consensus was made it still should be run every build + +* Wed Nov 16 2016 Michal Schorm - 3:10.1.19-2 +- fixed bug 1382988 +- added comment to the test suite +- test suite DISABLED for most builds in Koji, see comments + +* Wed Nov 16 2016 Michal Schorm - 3:10.1.19-1 +- Update to 10.1.19 +- added temporary support to build with OpenSSL 1.0 on Fedora >= 26 +- added krb5-devel pkg as Buldrquires to prevent gssapi failure + +* Tue Oct 4 2016 Jakub Dorňák - 3:10.1.18-1 +- Update to 10.1.18 + +* Wed Aug 31 2016 Jakub Dorňák - 3:10.1.17-1 +- Update to 10.1.17 + +* Mon Aug 29 2016 Jakub Dorňák - 3:10.1.16-2 +- Fixed galera replication +- Resolves: #1352946 + +* Tue Jul 19 2016 Jakub Dorňák - 3:10.1.16-1 +- Update to 10.1.16 + +* Fri Jul 15 2016 Honza Horak - 3:10.1.14-5 +- Fail build when test-suite fails +- Use license macro for inclusion of licenses + +* Thu Jul 14 2016 Honza Horak - 3:10.1.14-4 +- Revert Update to 10.1.15, this release is broken + https://lists.launchpad.net/maria-discuss/msg03691.html + +* Thu Jul 14 2016 Honza Horak - 2:10.1.15-3 +- Check datadir more carefully to avoid unwanted data corruption +- Related: #1335849 + +* Thu Jul 7 2016 Jakub Dorňák - 2:10.1.15-2 +- Bump epoch + (related to the downgrade from the pre-release version) + +* Fri Jul 1 2016 Jakub Dorňák - 1:10.1.15-1 +- Update to 10.1.15 + +* Fri Jul 1 2016 Jakub Dorňák - 1:10.1.14-3 +- Revert "Update to 10.2.0" + It is possible that MariaDB 10.2.0 won't be stable till f25 GA. 
+ +* Tue Jun 21 2016 Pavel Raiskup - 1:10.1.14-3 +- BR multilib-rpm-config and use it for multilib workarounds +- install architecture dependant pc file to arch-dependant location + +* Thu May 26 2016 Jakub Dorňák - 1:10.2.0-2 +- Fix mysql-prepare-db-dir +- Resolves: #1335849 + +* Thu May 12 2016 Jakub Dorňák - 1:10.2.0-1 +- Update to 10.2.0 + +* Thu May 12 2016 Jakub Dorňák - 1:10.1.14-1 +- Add selinux policy +- Update to 10.1.14 (includes various bug fixes) +- Add -h and --help options to galera_new_cluster + +* Thu Apr 7 2016 Jakub Dorňák - 1:10.1.13-3 +- wsrep_on in galera.cnf + +* Tue Apr 5 2016 Jakub Dorňák - 1:10.1.13-2 +- Moved /etc/sysconfig/clustercheck + and /usr/share/mariadb/systemd/use_galera_new_cluster.conf + to mariadb-server-galera + +* Tue Mar 29 2016 Jakub Dorňák - 1:10.1.13-1 +- Update to 10.1.13 + +* Wed Mar 23 2016 Jakub Dorňák - 1:10.1.12-4 +- Fixed conflict with mariadb-galera-server + +* Tue Mar 22 2016 Jakub Dorňák - 1:10.1.12-3 +- Add subpackage mariadb-server-galera +- Resolves: 1310622 + +* Tue Mar 01 2016 Honza Horak - 1:10.1.12-2 +- Rebuild for BZ#1309199 (symbol versioning) + +* Mon Feb 29 2016 Jakub Dorňák - 1:10.1.12-1 +- Update to 10.1.12 + +* Tue Feb 16 2016 Honza Horak - 1:10.1.11-9 +- Remove dangling symlink to /etc/init.d/mysql + +* Sat Feb 13 2016 Honza Horak - 1:10.1.11-8 +- Use epoch for obsoleting mariadb-galera-server + +* Fri Feb 12 2016 Honza Horak - 1:10.1.11-7 +- Add Provides: bundled(pcre) in case we build with bundled pcre +- Related: #1302296 +- embedded-devel should require libaio-devel +- Resolves: #1290517 + +* Fri Feb 12 2016 Honza Horak - 1:10.1.11-6 +- Fix typo s/obsolate/obsolete/ + +* Thu Feb 11 2016 Honza Horak - 1:10.1.11-5 +- Add missing requirements for proper wsrep functionality +- Obsolate mariadb-galera & mariadb-galera-server (thanks Tomas Repik) +- Resolves: #1279753 +- Re-enable using libedit, which should be now fixed +- Related: #1201988 +- Remove mariadb-wait-ready call from systemd unit, we 
have now systemd notify support +- Make mariadb@.service similar to mariadb.service + +* Mon Feb 08 2016 Honza Horak - 1:10.1.11-4 +- Use systemd unit file more compatible with upstream + +* Sun Feb 07 2016 Honza Horak - 1:10.1.11-3 +- Temporarily disabling oqgraph for + https://mariadb.atlassian.net/browse/MDEV-9479 + +* Thu Feb 04 2016 Fedora Release Engineering - 1:10.1.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Feb 3 2016 Jakub Dorňák - 1:10.1.11-1 +- Update to 10.1.11 + +* Tue Jan 19 2016 Jakub Dorňák - 1:10.1.10-1 +- Update to 10.1.10 + +* Mon Dec 07 2015 Dan Horák - 1:10.1.8-3 +- rebuilt for s390(x) + +* Tue Nov 03 2015 Honza Horak - 1:10.1.8-2 +- Expand variables in server.cnf + +* Thu Oct 22 2015 Jakub Dorňák - 1:10.1.8-1 +- Update to 10.1.8 + +* Thu Aug 27 2015 Jonathan Wakely - 1:10.0.21-2 +- Rebuilt for Boost 1.59 + +* Mon Aug 10 2015 Jakub Dorňák - 1:10.0.21-1 +- Update to 10.0.21 + +* Wed Jul 29 2015 Fedora Release Engineering - 1:10.0.20-3 +- Rebuilt for https://fedoraproject.org/wiki/Changes/F23Boost159 + +* Wed Jul 22 2015 David Tardon - 1:10.0.20-2 +- rebuild for Boost 1.58 + +* Tue Jun 23 2015 Honza Horak - 1:10.0.20-1 +- Update to 10.0.20 + +* Wed Jun 17 2015 Fedora Release Engineering - 1:10.0.19-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Dan Horák - 1:10.0.19-2 +- Update lists of failing tests (jdornak) +- Related: #1149647 + +* Mon May 11 2015 Honza Horak - 1:10.0.19-1 +- Update to 10.0.19 + +* Thu May 07 2015 Honza Horak - 1:10.0.18-1 +- Update to 10.0.18 + +* Thu May 07 2015 Honza Horak - 1:10.0.17-4 +- Include client plugins into -common package since they are used by both -libs + and base packages. 
+- Do not use libedit +- Related: #1201988 +- Let plugin dir to be owned by -common +- Use correct comment in the init script +- Related: #1184604 +- Add openssl as BuildRequires to run some openssl tests during build +- Related: #1189180 +- Fail in case any command in check fails +- Related: #1124791 +- Fix mysqladmin crash if run with -u root -p +- Resolves: #1207170 + +* Sat May 02 2015 Kalev Lember - 1:10.0.17-3 +- Rebuilt for GCC 5 C++11 ABI change + +* Fri Mar 06 2015 Honza Horak - 1:10.0.17-2 +- Wait for daemon ends +- Resolves: #1072958 +- Do not include symlink to libmysqlclient if not shipping the library +- Do not use scl prefix more than once in paths + Based on https://www.redhat.com/archives/sclorg/2015-February/msg00038.html + +* Wed Mar 04 2015 Honza Horak - 1:10.0.17-1 +- Rebase to version 10.0.17 +- Added variable for turn off skipping some tests + +* Tue Mar 03 2015 Honza Horak - 1:10.0.16-6 +- Check permissions when starting service on RHEL-6 +- Resolves: #1194699 +- Do not create test database by default +- Related: #1194611 + +* Fri Feb 13 2015 Matej Muzila - 1:10.0.16-4 +- Enable tokudb + +* Tue Feb 10 2015 Honza Horak - 1:10.0.16-3 +- Fix openssl_1 test + +* Wed Feb 4 2015 Jakub Dorňák - 1:10.0.16-2 +- Include new certificate for tests +- Update lists of failing tests +- Related: #1186110 + +* Tue Feb 3 2015 Jakub Dorňák - 1:10.0.16-9 +- Rebase to version 10.0.16 +- Resolves: #1187895 + +* Tue Jan 27 2015 Petr Machata - 1:10.0.15-9 +- Rebuild for boost 1.57.0 + +* Mon Jan 26 2015 Honza Horak - 1:10.0.15-8 +- Fix typo in the config file + +* Sun Jan 25 2015 Honza Horak - 1:10.0.15-7 +- Do not create log file in post script + +* Sat Jan 24 2015 Honza Horak - 1:10.0.15-6 +- Move server settings to config file under my.cnf.d dir + +* Sat Jan 24 2015 Honza Horak - 1:10.0.15-5 +- Fix path for sysconfig file + Filter provides in el6 properly + Fix initscript file location + +* Tue Jan 06 2015 Honza Horak - 1:10.0.15-4 +- Disable failing tests 
connect.mrr, connect.updelx2 on ppc and s390 + +* Mon Dec 22 2014 Honza Horak - 1:10.0.15-3 +- Fix macros paths in my.cnf +- Create old location for pid file if it remained in my.cnf + +* Fri Dec 05 2014 Honza Horak - 1:10.0.15-2 +- Rework usage of macros and remove some compatibility artefacts + +* Thu Nov 27 2014 Jakub Dorňák - 1:10.0.15-1 +- Update to 10.0.15 + +* Thu Nov 20 2014 Jan Stanek - 1:10.0.14-8 +- Applied upstream fix for mysql_config --cflags output. +- Resolves: #1160845 + +* Fri Oct 24 2014 Jan Stanek - 1:10.0.14-7 +- Fixed compat service file. +- Resolves: #1155700 + +* Mon Oct 13 2014 Honza Horak - 1:10.0.14-6 +- Remove bundled cmd-line-utils +- Related: #1079637 +- Move mysqlimport man page to proper package +- Disable main.key_cache test on s390 + Releated: #1149647 + +* Wed Oct 08 2014 Honza Horak - 1:10.0.14-5 +- Disable tests connect.part_file, connect.part_table + and connect.updelx +- Related: #1149647 + +* Wed Oct 01 2014 Honza Horak - 1:10.0.14-4 +- Add bcond_without mysql_names + Use more correct path when deleting mysql logrotate script + +* Wed Oct 01 2014 Honza Horak - 1:10.0.14-3 +- Build with system libedit +- Resolves: #1079637 + +* Mon Sep 29 2014 Honza Horak - 1:10.0.14-2 +- Add with_debug option + +* Mon Sep 29 2014 Honza Horak - 1:10.0.14-1 +- Update to 10.0.14 + +* Wed Sep 24 2014 Honza Horak - 1:10.0.13-8 +- Move connect engine to a separate package + Rename oqgraph engine to align with upstream packages +- Move some files to correspond with MariaDB upstream packages + client.cnf into -libs, mysql_plugin and msql2mysql into base, + tokuftdump and aria_* into -server, errmsg-utf8.txt into -errmsg +- Remove duplicate cnf files packaged using %%doc +- Check upgrade script added to warn about need for mysql_upgrade + +* Wed Sep 24 2014 Matej Muzila - 1:10.0.13-7 +- Client related libraries moved from mariadb-server to mariadb-libs +- Related: #1138843 + +* Mon Sep 08 2014 Honza Horak - 1:10.0.13-6 +- Disable 
vcol_supported_sql_funcs_myisam test on all arches +- Related: #1096787 +- Install systemd service file on RHEL-7+ + Server requires any mysql package, so it should be fine with older client + +* Thu Sep 04 2014 Honza Horak - 1:10.0.13-5 +- Fix paths in mysql_install_db script +- Resolves: #1134328 +- Use %%cmake macro + +* Tue Aug 19 2014 Honza Horak - 1:10.0.13-4 +- Build config subpackage everytime +- Disable failing tests: innodb_simulate_comp_failures_small, key_cache + rhbz#1096787 + +* Sun Aug 17 2014 Fedora Release Engineering - 1:10.0.13-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Aug 14 2014 Honza Horak - 1:10.0.13-2 +- Include mysqld_unit only if required; enable tokudb in f20- + +* Wed Aug 13 2014 Honza Horak - 1:10.0.13-1 +- Rebase to version 10.0.13 + +* Tue Aug 12 2014 Honza Horak - 1:10.0.12-8 +- Introduce -config subpackage and ship base config files here + +* Tue Aug 5 2014 Honza Horak - 1:10.0.12-7 +- Adopt changes from mysql, thanks Bjorn Munch + +* Mon Jul 28 2014 Honza Horak - 1:10.0.12-6 +- Use explicit sysconfdir +- Absolut path for default value for pid file and error log + +* Tue Jul 22 2014 Honza Horak - 1:10.0.12-5 +- Hardcoded paths removed to work fine in chroot +- Spec rewrite to be more similar to oterh MySQL implementations +- Use variable for daemon unit name +- Include SysV init script if built on older system +- Add possibility to not ship some sub-packages + +* Mon Jul 21 2014 Honza Horak - 1:10.0.12-4 +- Reformating spec and removing unnecessary snippets + +* Tue Jul 15 2014 Honza Horak - 1:10.0.12-3 +- Enable OQGRAPH engine and package it as a sub-package +- Add support for TokuDB engine for x86_64 (currently still disabled) +- Re-enable tokudb_innodb_xa_crash again, seems to be fixed now +- Drop superfluous -libs and -embedded ldconfig deps (thanks Ville Skyttä) +- Separate -lib and -common sub-packages +- Require /etc/my.cnf instead of shipping it +- Include README.mysql-cnf +- Multilib 
support re-worked +- Introduce new option with_mysqld_unit +- Removed obsolete mysql-cluster, the package should already be removed +- Improve error message when log file is not writable +- Compile all binaries with full RELRO (RHBZ#1092548) +- Use modern symbol filtering with compatible backup +- Add more groupnames for server's my.cnf +- Error messages now provided by a separate package (thanks Alexander Barkov) +- Expand paths in helper scripts using cmake + +* Wed Jun 18 2014 Mikko Tiihonen - 1:10.0.12-2 +- Use -fno-delete-null-pointer-checks to avoid segfaults with gcc 4.9 + +* Tue Jun 17 2014 Jakub Dorňák - 1:10.0.12-1 +- Rebase to version 10.0.12 + +* Sat Jun 07 2014 Fedora Release Engineering - 1:10.0.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Jun 3 2014 Jakub Dorňák - 1:10.0.11-4 +- rebuild with tests failing on different arches disabled (#1096787) + +* Thu May 29 2014 Dan Horák - 1:10.0.11-2 +- rebuild with tests failing on big endian arches disabled (#1096787) + +* Wed May 14 2014 Jakub Dorňák - 1:10.0.11-1 +- Rebase to version 10.0.11 + +* Mon May 05 2014 Honza Horak - 1:10.0.10-3 +- Script for socket check enhanced + +* Thu Apr 10 2014 Jakub Dorňák - 1:10.0.10-2 +- use system pcre library + +* Thu Apr 10 2014 Jakub Dorňák - 1:10.0.10-1 +- Rebase to version 10.0.10 + +* Wed Mar 12 2014 Honza Horak - 1:5.5.36-2 +- Server crashes on SQL select containing more group by and left join statements using innodb tables +- Resolves: #1065676 +- Fix paths in helper scripts +- Move language files into mariadb directory + +* Thu Mar 06 2014 Honza Horak - 1:5.5.36-1 +- Rebase to 5.5.36 + https://kb.askmonty.org/en/mariadb-5536-changelog/ + +* Tue Feb 25 2014 Honza Horak 1:5.5.35-5 +- Daemon helper scripts sanity changes and spec files clean-up + +* Tue Feb 11 2014 Honza Horak 1:5.5.35-4 +- Fix typo in mysqld.service +- Resolves: #1063981 + +* Wed Feb 5 2014 Honza Horak 1:5.5.35-3 +- Do not touch the log file in post script, so 
it does not get wrong owner +- Resolves: #1061045 + +* Thu Jan 30 2014 Honza Horak 1:5.5.35-1 +- Rebase to 5.5.35 + https://kb.askmonty.org/en/mariadb-5535-changelog/ + Also fixes: CVE-2014-0001, CVE-2014-0412, CVE-2014-0437, CVE-2013-5908, + CVE-2014-0420, CVE-2014-0393, CVE-2013-5891, CVE-2014-0386, CVE-2014-0401, + CVE-2014-0402 +- Resolves: #1054043 +- Resolves: #1059546 + +* Tue Jan 14 2014 Honza Horak - 1:5.5.34-9 +- Adopt compatible system versioning +- Related: #1045013 +- Use compatibility mysqld.service instead of link +- Related: #1014311 + +* Mon Jan 13 2014 Rex Dieter 1:5.5.34-8 +- move mysql_config alternatives scriptlets to -devel too + +* Fri Jan 10 2014 Honza Horak 1:5.5.34-7 +- Build with -O3 on ppc64 +- Related: #1051069 +- Move mysql_config to -devel sub-package and remove Require: mariadb +- Related: #1050920 + +* Fri Jan 10 2014 Marcin Juszkiewicz 1:5.5.34-6 +- Disable main.gis-precise test also for AArch64 +- Disable perfschema.func_file_io and perfschema.func_mutex for AArch64 + (like it is done for 32-bit ARM) + +* Fri Jan 10 2014 Honza Horak 1:5.5.34-5 +- Clean all non-needed doc files properly + +* Wed Jan 8 2014 Honza Horak 1:5.5.34-4 +- Read socketfile location in mariadb-prepare-db-dir script + +* Mon Jan 6 2014 Honza Horak 1:5.5.34-3 +- Don't test EDH-RSA-DES-CBC-SHA cipher, it seems to be removed from openssl + which now makes mariadb/mysql FTBFS because openssl_1 test fails +- Related: #1044565 +- Use upstream's layout for symbols version in client library +- Related: #1045013 +- Check if socket file is not being used by another process at a time + of starting the service +- Related: #1045435 +- Use %%ghost directive for the log file +- Related: 1043501 + +* Wed Nov 27 2013 Honza Horak 1:5.5.34-2 +- Fix mariadb-wait-ready script + +* Fri Nov 22 2013 Honza Horak 1:5.5.34-1 +- Rebase to 5.5.34 + +* Mon Nov 4 2013 Honza Horak 1:5.5.33a-4 +- Fix spec file to be ready for backport by Oden Eriksson +- Resolves: #1026404 + +* Mon Nov 4 
2013 Honza Horak 1:5.5.33a-3 +- Add pam-devel to build-requires in order to build +- Related: #1019945 +- Check if correct process is running in mysql-wait-ready script +- Related: #1026313 + +* Mon Oct 14 2013 Honza Horak 1:5.5.33a-2 +- Turn on test suite + +* Thu Oct 10 2013 Honza Horak 1:5.5.33a-1 +- Rebase to 5.5.33a + https://kb.askmonty.org/en/mariadb-5533-changelog/ + https://kb.askmonty.org/en/mariadb-5533a-changelog/ +- Enable outfile_loaddata test +- Disable tokudb_innodb_xa_crash test + +* Mon Sep 2 2013 Honza Horak - 1:5.5.32-12 +- Re-organize my.cnf to include only generic settings +- Resolves: #1003115 +- Move pid file location to /var/run/mariadb +- Make mysqld a symlink to mariadb unit file rather than the opposite way +- Related: #999589 + +* Thu Aug 29 2013 Honza Horak - 1:5.5.32-11 +- Move log file into /var/log/mariadb/mariadb.log +- Rename logrotate script to mariadb +- Resolves: #999589 + +* Wed Aug 14 2013 Rex Dieter 1:5.5.32-10 +- fix alternatives usage + +* Tue Aug 13 2013 Honza Horak - 1:5.5.32-9 +- Multilib issues solved by alternatives +- Resolves: #986959 + +* Sat Aug 03 2013 Petr Pisar - 1:5.5.32-8 +- Perl 5.18 rebuild + +* Wed Jul 31 2013 Honza Horak - 1:5.5.32-7 +- Do not use login shell for mysql user + +* Tue Jul 30 2013 Honza Horak - 1:5.5.32-6 +- Remove unneeded systemd-sysv requires +- Provide mysql-compat-server symbol +- Create mariadb.service symlink +- Fix multilib header location for arm +- Enhance documentation in the unit file +- Use scriptstub instead of links to avoid multilib conflicts +- Add condition for doc placement in F20+ + +* Sun Jul 28 2013 Dennis Gilmore - 1:5.5.32-5 +- remove "Requires(pretrans): systemd" since its not possible +- when installing mariadb and systemd at the same time. 
as in a new install + +* Sat Jul 27 2013 Kevin Fenzi 1:5.5.32-4 +- Set rpm doc macro to install docs in unversioned dir + +* Fri Jul 26 2013 Dennis Gilmore 1:5.5.32-3 +- add Requires(pre) on systemd for the server package + +* Tue Jul 23 2013 Dennis Gilmore 1:5.5.32-2 +- replace systemd-units requires with systemd +- remove solaris files + +* Fri Jul 19 2013 Honza Horak 1:5.5.32-1 +- Rebase to 5.5.32 + https://kb.askmonty.org/en/mariadb-5532-changelog/ +- Clean-up un-necessary systemd snippets + +* Wed Jul 17 2013 Petr Pisar - 1:5.5.31-7 +- Perl 5.18 rebuild + +* Mon Jul 1 2013 Honza Horak 1:5.5.31-6 +- Test suite params enhanced to decrease server condition influence +- Fix misleading error message when uninstalling built-in plugins +- Related: #966873 + +* Thu Jun 27 2013 Honza Horak 1:5.5.31-5 +- Apply fixes found by Coverity static analysis tool + +* Wed Jun 19 2013 Honza Horak 1:5.5.31-4 +- Do not use pretrans scriptlet, which doesn't work in anaconda +- Resolves: #975348 + +* Fri Jun 14 2013 Honza Horak 1:5.5.31-3 +- Explicitly enable mysqld if it was enabled in the beginning + of the transaction. 
+ +* Thu Jun 13 2013 Honza Horak 1:5.5.31-2 +- Apply man page fix from Jan Stanek + +* Fri May 24 2013 Honza Horak 1:5.5.31-1 +- Rebase to 5.5.31 + https://kb.askmonty.org/en/mariadb-5531-changelog/ +- Preserve time-stamps in case of installed files +- Use /var/tmp instead of /tmp, since the later is using tmpfs, + which can cause problems +- Resolves: #962087 +- Fix test suite requirements + +* Sun May 5 2013 Honza Horak 1:5.5.30-2 +- Remove mytop utility, which is packaged separately +- Resolve multilib conflicts in mysql/private/config.h + +* Fri Mar 22 2013 Honza Horak 1:5.5.30-1 +- Rebase to 5.5.30 + https://kb.askmonty.org/en/mariadb-5530-changelog/ + +* Fri Mar 22 2013 Honza Horak 1:5.5.29-11 +- Obsolete MySQL since it is now renamed to community-mysql +- Remove real- virtual names + +* Thu Mar 21 2013 Honza Horak 1:5.5.29-10 +- Adding epoch to have higher priority than other mysql implementations + when comes to provider comparison + +* Wed Mar 13 2013 Honza Horak 5.5.29-9 +- Let mariadb-embedded-devel conflict with MySQL-embedded-devel +- Adjust mariadb-sortbuffer.patch to correspond with upstream patch + +* Mon Mar 4 2013 Honza Horak 5.5.29-8 +- Mask expected warnings about setrlimit in test suite + +* Thu Feb 28 2013 Honza Horak 5.5.29-7 +- Use configured prefix value instead of guessing basedir + in mysql_config +- Resolves: #916189 +- Export dynamic columns and non-blocking API functions documented + by upstream + +* Wed Feb 27 2013 Honza Horak 5.5.29-6 +- Fix sort_buffer_length option type + +* Wed Feb 13 2013 Honza Horak 5.5.29-5 +- Suppress warnings in tests and skip tests also on ppc64p7 + +* Tue Feb 12 2013 Honza Horak 5.5.29-4 +- Suppress warning in tests on ppc +- Enable fixed index_merge_myisam test case + +* Thu Feb 07 2013 Honza Horak 5.5.29-3 +- Packages need to provide also %%_isa version of mysql package +- Provide own symbols with real- prefix to distinguish from mysql + unambiguously +- Fix format for buffer size in error messages 
(MDEV-4156)
+- Disable some tests that fail on ppc and s390
+- Conflict only with real-mysql, otherwise mariadb conflicts with ourself
+
+* Tue Feb 05 2013 Honza Horak 5.5.29-2
+- Let mariadb-libs to own /etc/my.cnf.d
+
+* Thu Jan 31 2013 Honza Horak 5.5.29-1
+- Rebase to 5.5.29
+ https://kb.askmonty.org/en/mariadb-5529-changelog/
+- Fix inaccurate default for socket location in mysqld-wait-ready
+- Resolves: #890535
+
+* Thu Jan 31 2013 Honza Horak 5.5.28a-8
+- Enable obsoleting mysql
+
+* Wed Jan 30 2013 Honza Horak 5.5.28a-7
+- Adding necessary hacks for perl dependency checking, rpm is still
+ not wise enough
+- Namespace sanity re-added for symbol default_charset_info
+
+* Mon Jan 28 2013 Honza Horak 5.5.28a-6
+- Removed %%{_isa} from provides/obsoletes, which doesn't allow
+ proper obsoleting
+- Do not obsolete mysql at the time of testing
+
+* Thu Jan 10 2013 Honza Horak 5.5.28a-5
+- Added licenses LGPLv2 and BSD
+- Removed wrong usage of %%{epoch}
+- Test-suite is run in %%check
+- Removed perl dependency checking adjustment, rpm seems to be smart enough
+- Other minor spec file fixes
+
+* Tue Dec 18 2012 Honza Horak 5.5.28a-4
+- Packaging of MariaDB based on MySQL package
\ No newline at end of file
diff --git a/SPECS/mariadb/mariadb.tmpfiles.d.in b/SPECS/mariadb/mariadb.tmpfiles.d.in
new file mode 100644
index 0000000000..9e6b6e8bf5
--- /dev/null
+++ b/SPECS/mariadb/mariadb.tmpfiles.d.in
@@ -0,0 +1,3 @@
+# Do not edit this file.
+# To override this, put /etc/tmpfiles.d/mariadb.conf instead.
+d @PID_FILE_DIR@ 0755 mysql mysql -
diff --git a/SPECS/mariadb/my.cnf.in b/SPECS/mariadb/my.cnf.in
new file mode 100644
index 0000000000..247e12d8e3
--- /dev/null
+++ b/SPECS/mariadb/my.cnf.in
@@ -0,0 +1,18 @@
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+#
+# This group is read by the server
+#
+[mysqld]
+# Disabling symbolic-links is recommended to prevent assorted security risks
+symbolic-links=0
+
+#
+# include all files from the config directory
+#
+!includedir @INSTALL_SYSCONF2DIR@
+
diff --git a/SPECS/mariadb/mysql.service.in b/SPECS/mariadb/mysql.service.in
new file mode 100644
index 0000000000..91dfecadc2
--- /dev/null
+++ b/SPECS/mariadb/mysql.service.in
@@ -0,0 +1,64 @@ +# It's not recommended to modify this file in-place, because it will be +# overwritten during package upgrades. If you want to customize, the +# best way is to: +# +# root> systemctl edit @DAEMON_NAME@.service +# +# Then add additonal directives under a section (probably [Service]). +# +# For more info about custom unit files, see systemd.unit(5) or +# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F +# +# For example, if you want to increase MariaDB's open-files-limit to 10000, +# you need to increase systemd's LimitNOFILE setting, use the contents below: +# +# [Service] +# LimitNOFILE=10000 +# + +[Unit] +Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server +Documentation=man:mariadbd(8) +Documentation=https://mariadb.com/kb/en/library/systemd/ +After=network.target + +[Install] +WantedBy=multi-user.target +Alias=mysql.service +Alias=mysqld.service + +[Service] +Type=notify +User=mysql +Group=mysql + +ExecStartPre=@libexecdir@/mariadb-check-socket +# '%n' expands to 'Full unit name'; man systemd.unit +ExecStartPre=@libexecdir@/mariadb-prepare-db-dir %n +# MYSQLD_OPTS here is for users to set in /etc/systemd/system/@DAEMON_NAME@@.service.d/MY_SPECIAL.conf +# Note: we set --basedir to prevent probes that might trigger SELinux alarms, +# per bug #547485 +ExecStart=@libexecdir@/mariadbd --basedir=@prefix@ $MYSQLD_OPTS $_WSREP_NEW_CLUSTER +ExecStartPost=@libexecdir@/mariadb-check-upgrade + +# Setting this to true can break replication and the Type=notify settings +# See also bind-address MariaDB option. 
+PrivateNetwork=false + +KillSignal=SIGTERM + +# Don't want to see an automated SIGKILL ever +SendSIGKILL=no + +# Restart crashed server only, on-failure would also restart, for example, when +# my.cnf contains unknown option +Restart=on-abort +RestartSec=5s + +UMask=007 + +# Give a reasonable amount of time for the server to start up/shut down +TimeoutSec=300 + +# Place temp files in a secure directory, not /tmp +PrivateTmp=true diff --git a/SPECS/mariadb/mysql@.service.in b/SPECS/mariadb/mysql@.service.in new file mode 100644 index 0000000000..acb2c57c14 --- /dev/null +++ b/SPECS/mariadb/mysql@.service.in 
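Review bot: The [Service] section's only sandboxing directive is `PrivateTmp=true`; the unit drops to `User=mysql` but applies no other filesystem restriction from systemd. Consider adding `ProtectSystem=full` and `ProtectHome=true` next to `PrivateTmp=true`, which systemd.exec(5) provides to make /usr, /boot and /etc read-only and to hide home directories from the service. This needs testing against any datadir or socket an administrator has placed under those paths. The same applies to the [Service] section of mysql@.service.in.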
@@ -0,0 +1,85 @@ +# Multi instance version of MariaDB. For if you run mutiple verions at once. +# Also used for @DAEMON_NAME@@bootstrap to bootstrap Galera. +# +# To use multi instance variant, use [mariadbd.INSTANCENAME] as sections in +# @sysconfdir@/@my.cnf to change per instance settings. A minimumal necessary +# configuration items to change to avoid conflicts between instances is: +# +# [mariadbd.instancename] +# # TCP port to make available for clients +# port=3306 +# # Socket to make available for clients +# socket=/tmp/mariadb-instancename.sock +# # Where MariaDB should store all its data +# datadir=/usr/local/mariadb-instancename/data +# +# and start the service via: +# +# root> systemctl start @DAEMON_NAME@@{instancename}.server +# +# It's not recommended to modify this file in-place, because it will be +# overwritten during package upgrades. If you want to customize, for +# all instances, the best way is: +# +# root> systemctl edit @DAEMON_NAME@@.service +# +# Then add additonal directives under a section (probably [Service]). 
+# +# If you only want to change a specific instance: +# +# root> systemctl edit @DAEMON_NAME@@{instancename}.server +# +# For more info about custom unit files, see systemd.unit(5) or +# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F +# +# For example, if you want to increase MariaDB's open-files-limit to 10000, +# you need to increase systemd's LimitNOFILE setting, use the contents below: +# +# [Service] +# LimitNOFILE=10000 + +[Unit] +Description=@NICE_PROJECT_NAME@ @MAJOR_VERSION@.@MINOR_VERSION@ database server +Documentation=man:mariadbd(8) +Documentation=https://mariadb.com/kb/en/library/systemd/ +After=network.target + +[Install] +WantedBy=multi-user.target +Alias=mysql.service +Alias=mysqld.service + +[Service] +Type=notify +User=mysql +Group=mysql + +ExecStartPre=@libexecdir@/mariadb-check-socket --defaults-group-suffix=.%I +ExecStartPre=@libexecdir@/mariadb-prepare-db-dir --defaults-group-suffix=.%I %n +# MYSQLD_OPTS here is for users to set in /etc/systemd/system/@DAEMON_NAME@@.service.d/MY_SPECIAL.conf +# Note: we set --basedir to prevent probes that might trigger SELinux alarms, +# per bug #547485 +ExecStart=@libexecdir@/mariadbd --defaults-group-suffix=.%I --basedir=@prefix@ $MYSQLD_OPTS $_WSREP_NEW_CLUSTER +ExecStartPost=@libexecdir@/mariadb-check-upgrade --defaults-group-suffix=.%I + +# Setting this to true can break replication and the Type=notify settings +# See also bind-address MariaDB option. +PrivateNetwork=false + +KillSignal=SIGTERM + +# Don't want to see an automated SIGKILL ever +SendSIGKILL=no + +# Restart crashed server only, on-failure would also restart, for example, when +# my.cnf contains unknown option +Restart=on-abort +RestartSec=5s + +UMask=007 + +# Give a reasonable amount of time for the server to start up/shut down +TimeoutSec=300 + +# Place temp files in a secure directory, not /tmp +PrivateTmp=true 
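Review bot: The header example `socket=/tmp/mariadb-instancename.sock` conflicts with `PrivateTmp=true` at the end of this unit: with a private /tmp the socket is created inside the service's own namespace, and local clients outside it cannot reach it. The example should point at a directory the service shares with its clients, for instance `# socket=@PID_FILE_DIR@/mariadb-instancename.sock`, if that substitution is available to this template (it appears in mariadb.tmpfiles.d.in; not confirmed for this file). The header also gives the commands with a `.server` suffix, `systemctl start @DAEMON_NAME@@{instancename}.server`, where the unit type is `.service`.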
diff --git a/SPECS/mariadb/mysql_config_multilib.sh b/SPECS/mariadb/mysql_config_multilib.sh new file mode 100644 index 0000000000..06c2a2b45d --- /dev/null +++ b/SPECS/mariadb/mysql_config_multilib.sh @@ -0,0 +1,26 @@ +#! /bin/sh +# +# Wrapper script for mysql_config to support multilib +# +# This command respects setarch + +bits=$(rpm --eval %__isa_bits) + +case $bits in + 32|64) status=known ;; + *) status=unknown ;; +esac + +if [ "$status" = "unknown" ] ; then + echo "$0: error: command 'rpm --eval %__isa_bits' returned unknown value: $bits" + exit 1 +fi + + +if [ -x @bindir@/mysql_config-$bits ] ; then + @bindir@/mysql_config-$bits "$@" +else + echo "$0: error: needed binary: @bindir@/mysql_config-$bits is missing" + exit 1 +fi + diff --git a/SPECS/mariadb/rh-skipped-tests-arm.list b/SPECS/mariadb/rh-skipped-tests-arm.list new file mode 100644 index 0000000000..e69de29bb2 diff --git a/SPECS/mariadb/rh-skipped-tests-base.list b/SPECS/mariadb/rh-skipped-tests-base.list new file mode 100644 index 0000000000..b3d6acc226 --- /dev/null +++ b/SPECS/mariadb/rh-skipped-tests-base.list 
@@ -0,0 +1,126 @@ +# The SSL test are failing correctly. Fro more explanation, see: +# https://jira.mariadb.org/browse/MDEV-8404?focusedCommentId=84275&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-84275 +main.ssl_7937 : #1399847 +main.ssl_8k_key : +main.ssl_crl : #1399847 + +# ------------------------------ +# Tests that fails because of 'Self Signed Certificate in the Certificate Chain' +perfschema.cnf_option : + +rpl.rpl_row_img_blobs : +rpl.rpl_row_img_eng_min : +rpl.rpl_row_img_eng_noblob : + +sys_vars.slave_parallel_threads_basic : + +# ------------------------------ +# Expected to fail, the plugin is not build with server, but 'mariadb-connector-c' instead +plugins.auth_ed25519 : +plugins.multiauth : + +# ------------------------------ +perfschema.nesting : #1399847 +perfschema.socket_summary_by_instance_func : #1399847 +perfschema.socket_summary_by_event_name_func : + +# ------------------------------ +# Fails since 10.1.12 +innodb.innodb_defrag_binlog : + +# Fails everywhere since 10.4.11 +sys_vars.tcp_nodelay : + +# Fails since 10.5.3 +main.mysqld--help-aria : + +# Fails since 10.5.4 +main.ssl_system_ca : + +# Fails on all architectures since 10.5.13 +oqgraph.regression_mdev6345 : +type_test.type_test_double : +# Fails on i686 since 10.5.13 +oqgraph.general-innodb : +oqgraph.general-Aria : +oqgraph.general-MyISAM : +oqgraph.legacy_upgrade : +oqgraph.regression_1133093 : +oqgraph.regression_1196036 : +oqgraph.regression_1213120 : + +# Fails on all architectures since 10.5.18 +main.loadxml : +main.lock_kill : + +# Fails since 10.5.20 +innodb.innodb_bug51920 : +binlog_encryption.rpl_cant_read_event_incident : +bg.spider_fixes : +bugfix.mdev_29904 : "[Warning] mariadbd: Can't get hardware address with error 0" +sys_vars.completion_type_func : +rpl.rpl_report_port : +rpl.rpl_reset_slave_fail : +rpl.rpl_xa_survive_disconnect_lsu_off : +rpl.rpl_heartbeat_basic : +rpl.rpl_xa_survive_disconnect : +rpl.rpl_err_ignoredtable : 
+rpl.rpl_row_img_sequence_full : +rpl.rpl_row_img_sequence_min : +rpl.rpl_row_img_sequence_noblob : +rpl.rpl_xa_empty_transaction : +rpl.rpl_slave_shutdown_mdev20821 : + +# Fails on 10.11.6 +main.plugin_auth : +main.userstat : +main.information_schema : +main.func_sformat : + +binlog_encryption.rpl_gtid_basic : +multi_source.info_logs : +perfschema.threads_mysql : +rpl.rpl_cant_read_event_incident : +rpl.rpl_change_master_demote : +rpl.rpl_domain_id_filter_restart : +rpl.rpl_gtid_basic : +rpl.rpl_mdev6020 : +rpl.rpl_old_master : +rpl.rpl_perfschema_applier_status_by_coordinator : +rpl.rpl_rewrite_db_sys_vars : +rpl.rpl_semi_sync_wait_point : +rpl.rpl_trigger : +rpl.rpl_upgrade_master_info : + +# Fails since 10.11.7 +main.mdev375 : + +oqgraph.social : +perfschema.show_aggregate : +archive.archive : + +spider/bugfix.ddl_log : +spider/bugfix.mdev_28218 : +spider/bugfix.mdev_28218_mixed : +spider/bugfix.mdev_30370 : +spider/bugfix.mdev_32683 : +spider/bugfix.plugin_load_add_all : +spider/bugfix.plugin_load_add_spider : +spider/bugfix.udf_mysql_func_early : +spider/bugfix.udf_mysql_func_early_init_file : + +# Fails since 10.11.8 +rpl.rpl_get_lock : + +# Fails since 10.11.9 +plugins.feedback_plugin_load : +main.init_connect : + +# Fails since 10.11.10 +main.connect : + +# Fails since year 2025 +main.timezone : + +# Fails since 10.11.11 +main.ssl_cipher : diff --git a/SPECS/mariadb/rh-skipped-tests-ppc.list b/SPECS/mariadb/rh-skipped-tests-ppc.list new file mode 100644 index 0000000000..91285c1aa3 --- /dev/null +++ b/SPECS/mariadb/rh-skipped-tests-ppc.list @@ -0,0 +1,7 @@ +# Fails since 10.5.20 +innodb.innodb_defrag_concurrent : +parts.partition_alter4_innodb : +rpl.rpl_parallel_optimistic_xa_lsu_off : + +# Fails on 10.11.6 +perfschema.threads_innodb : diff --git a/SPECS/mariadb/rh-skipped-tests-s390.list b/SPECS/mariadb/rh-skipped-tests-s390.list new file mode 100644 index 0000000000..150e3e7567 --- /dev/null +++ b/SPECS/mariadb/rh-skipped-tests-s390.list 
@@ -0,0 +1,15 @@
+# Fails since 10.5.2
+perfschema.memory_aggregate_32bit :
+period.overlaps :
+
+# Fails on 10.11.6
+main.func_json_notembedded :
+main.analyze_stmt_slow_query_log :
+
+innodb_gis.rtree_rollback1 :
+mariabackup.encrypted_page_corruption :
+mariabackup.huge_lsn :
+mariabackup.xb_file_key_management :
+
+# Fails since 10.11.9
+main.having_cond_pushdown :
diff --git a/SPECS/mariadb/rocksdb-6.8-gcc13.patch b/SPECS/mariadb/rocksdb-6.8-gcc13.patch
new file mode 100644
index 0000000000..597c493eb9
--- /dev/null
+++ b/SPECS/mariadb/rocksdb-6.8-gcc13.patch
@@ -0,0 +1,164 @@ +diff --git a/db/compaction/compaction_iteration_stats.h b/db/compaction/compaction_iteration_stats.h +index 963c1d8eb..79acbec6a 100644 +--- a/db/compaction/compaction_iteration_stats.h ++++ b/db/compaction/compaction_iteration_stats.h +@@ -5,6 +5,8 @@ + + #pragma once + ++#include ++ + #include "rocksdb/rocksdb_namespace.h" + + struct CompactionIterationStats { +diff --git a/include/rocksdb/thread_status.h b/include/rocksdb/thread_status.h +index 6b2f5c885..bb2de6c7b 100644 +--- a/include/rocksdb/thread_status.h ++++ b/include/rocksdb/thread_status.h +@@ -13,13 +13,15 @@ + + #pragma once + +-#include + #include ++#include + #include + #include + #include + #include + ++#include "rocksdb/rocksdb_namespace.h" ++ + #if !defined(ROCKSDB_LITE) && !defined(NROCKSDB_THREAD_STATUS) && \ + defined(ROCKSDB_SUPPORT_THREAD_LOCAL) + #define ROCKSDB_USING_THREAD_STATUS +diff --git a/include/rocksdb/universal_compaction.h b/include/rocksdb/universal_compaction.h +index e3aeee6ce..58323f2d9 100644 +--- a/include/rocksdb/universal_compaction.h ++++ b/include/rocksdb/universal_compaction.h +@@ -5,10 +5,12 @@ + + #pragma once + +-#include + #include ++#include + #include + ++#include "rocksdb/rocksdb_namespace.h" ++ + namespace ROCKSDB_NAMESPACE { + + // +diff --git a/include/rocksdb/utilities/checkpoint.h b/include/rocksdb/utilities/checkpoint.h +index c7f93b4cf..3c2ab8053 100644 +--- a/include/rocksdb/utilities/checkpoint.h ++++ b/include/rocksdb/utilities/checkpoint.h +@@ -8,6 +8,7 @@ + #pragma once + #ifndef ROCKSDB_LITE + ++#include + #include + #include + #include "rocksdb/status.h" +diff --git a/include/rocksdb/utilities/ldb_cmd_execute_result.h b/include/rocksdb/utilities/ldb_cmd_execute_result.h +index c837b47f7..57bac3346 100644 +--- a/include/rocksdb/utilities/ldb_cmd_execute_result.h ++++ b/include/rocksdb/utilities/ldb_cmd_execute_result.h +@@ -5,6 +5,10 @@ + // + #pragma once + ++#include ++ ++#include "rocksdb/rocksdb_namespace.h" ++ + #ifdef FAILED 
+ #undef FAILED + #endif +diff --git a/memory/memory_usage.h b/memory/memory_usage.h +index 15e8b87cd..4c73cd40b 100644 +--- a/memory/memory_usage.h ++++ b/memory/memory_usage.h +@@ -5,8 +5,11 @@ + + #pragma once + ++#include + #include + ++#include "rocksdb/rocksdb_namespace.h" ++ + namespace ROCKSDB_NAMESPACE { + + // Helper methods to estimate memroy usage by std containers. +diff --git a/table/block_based/data_block_hash_index.h b/table/block_based/data_block_hash_index.h +index f356395f3..321522175 100644 +--- a/table/block_based/data_block_hash_index.h ++++ b/table/block_based/data_block_hash_index.h +@@ -5,6 +5,7 @@ + + #pragma once + ++#include + #include + #include + +diff --git a/util/crc32c_ppc.h b/util/crc32c_ppc.h +index c359061c6..5cb12c89a 100644 +--- a/util/crc32c_ppc.h ++++ b/util/crc32c_ppc.h +@@ -7,6 +7,9 @@ + + #pragma once + ++#include ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/util/string_util.h b/util/string_util.h +index a761be66c..064d059f0 100644 +--- a/util/string_util.h ++++ b/util/string_util.h +@@ -6,6 +6,7 @@ + + #pragma once + ++#include + #include + #include + #include +diff --git a/utilities/blob_db/blob_db_gc_stats.h b/utilities/blob_db/blob_db_gc_stats.h +index 1e6e4a25d..fea6b0032 100644 +--- a/utilities/blob_db/blob_db_gc_stats.h ++++ b/utilities/blob_db/blob_db_gc_stats.h +@@ -5,6 +5,10 @@ + // + #pragma once + ++#include ++ ++#include "rocksdb/rocksdb_namespace.h" ++ + #ifndef ROCKSDB_LITE + + namespace ROCKSDB_NAMESPACE { +diff --git a/utilities/cassandra/serialize.h b/utilities/cassandra/serialize.h +index cd980ade0..8f50a02dd 100644 +--- a/utilities/cassandra/serialize.h ++++ b/utilities/cassandra/serialize.h +@@ -10,6 +10,11 @@ + + #pragma once + ++#include ++#include ++ ++#include "rocksdb/rocksdb_namespace.h" ++ + namespace ROCKSDB_NAMESPACE { + namespace cassandra { + namespace { 
diff --git a/SPECS/mariadb/wsrep_sst_rsync_tunnel b/SPECS/mariadb/wsrep_sst_rsync_tunnel
new file mode 100644
index 0000000000..f537249ade
--- /dev/null
+++ b/SPECS/mariadb/wsrep_sst_rsync_tunnel
@@ -0,0 +1,492 @@ +#!/bin/bash -ue + +# Copyright (C) 2010-2014 Codership Oy +# Copyright (C) 2017-2020 Damien Ciabrini +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston +# MA 02110-1301 USA. + +# This is a reference script for rsync-based state snapshot tansfer +# over an encrypted communication channel, managed by socat + +RSYNC_PID= # rsync pid file +RSYNC_CONF= # rsync configuration file +RSYNC_REAL_PID= # rsync process id + +SOCAT_PID= # socat pid file +SOCAT_REAL_PID= # socat process id + +SOCAT_OPTS= # openssl connection args + +MODULE="rsync_tunnel_sst" + +OS=$(uname) +[ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH + +# Setting the path for lsof on CentOS +export PATH="/usr/sbin:/sbin:$PATH" + +. $(dirname $0)/wsrep_sst_common + +wsrep_check_programs rsync socat + +cleanup_pid() +{ + local real_pid=$1 + [ "0" != "$real_pid" ] && \ + kill $real_pid && \ + sleep 0.5 && \ + kill -9 $real_pid >/dev/null 2>&1 || \ + : +} + +cleanup_tunnel() +{ + if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then + wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID" + cleanup_pid $SOCAT_REAL_PID + fi + rm -rf "$SOCAT_PID" +} + +cleanup_joiner() +{ + wsrep_log_info "Joiner cleanup. 
rsync PID: $RSYNC_REAL_PID" + [ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID + rm -rf "$RSYNC_CONF" + rm -rf "$MAGIC_FILE" + rm -rf "$RSYNC_PID" + + cleanup_tunnel + + wsrep_log_info "Joiner cleanup done." + if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then + wsrep_cleanup_progress_file + fi +} + +# Check whether process is still running. +check_pid() +{ + local pid_file=$1 + [ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1 +} + +check_pid_and_port() +{ + local pid_file=$1 + local service_pid=$2 + local service_port=$3 + local service_host=$4 + local service_name=$5 + + if ! which lsof > /dev/null; then + wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed." + exit 2 # ENOENT + fi + + local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \ + grep "(LISTEN)") + local is_service=$(echo $port_info | \ + grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null) + + if [ -n "$port_info" -a -z "$is_service" ]; then + wsrep_log_error "$service_name daemon port '$service_port' has been taken" + exit 16 # EBUSY + fi + + if ! 
check_pid $pid_file; then + wsrep_log_error "$service_name process terminated unexpectedly" + exit 10 # ECHILD + fi + + [ -n "$port_info" ] && [ -n "$is_service" ] && \ + [ $(cat $pid_file) -eq $service_pid ] +} + +config_from_cnf() +{ + local group=$1 + local key=$2 + echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1) +} + +setup_tunnel_args() +{ + tca=$(config_from_cnf sst tca) + tkey=$(config_from_cnf sst tkey) + tcert=$(config_from_cnf sst tcert) + sockopt=$(config_from_cnf sst sockopt) + + if [ -z "$tcert" ]; then + wsrep_log_error "Encryption certificate not found in my.cnf" + exit 3 + else + SOCAT_OPTS="cert=$tcert" + fi + [ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey" + [ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca" + wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS" + + [ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt" +} + +MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete" +rm -rf "$MAGIC_FILE" + +BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar" +BINLOG_N_FILES=1 +rm -f "$BINLOG_TAR_FILE" || : + +if ! [ -z $WSREP_SST_OPT_BINLOG ] +then + BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG) + BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG) +fi + +WSREP_LOG_DIR=${WSREP_LOG_DIR:-""} +# if WSREP_LOG_DIR env. 
variable is not set, try to get it from my.cnf +if [ -z "$WSREP_LOG_DIR" ]; then + WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \ + | grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \ + | cut -b 29- ) +fi + +if [ -n "$WSREP_LOG_DIR" ]; then + # handle both relative and absolute paths + WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P) +else + # default to datadir + WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P) +fi + +# Old filter - include everything except selected +# FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \ +# --exclude '*.conf' --exclude core --exclude 'galera.*' \ +# --exclude grastate.txt --exclude '*.pem' \ +# --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index') + +# New filter - exclude everything except dirs (schemas) and innodb files +FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes' + -f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*') + +SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid" + +if check_pid $SOCAT_PID +then + wsrep_log_error "socat tunnel already running." 
+ exit 114 # EALREADY +fi +rm -rf "$SOCAT_PID" + +setup_tunnel_args + +if [ "$WSREP_SST_OPT_ROLE" = "donor" ] +then + + SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}') + # map to name in case we received an IP + SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }') + if [ -z "$SOCAT_JOINER_HOST" ]; then + SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR + fi + SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }') + if [ -z "$SOCAT_PORT" ] + then + SOCAT_PORT=4444 + fi + TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE + + trap cleanup_tunnel EXIT + + # Socat forwards rsync connections to the joiner + SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork + SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS + wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST" + socat $SOCAT_SRC $SOCAT_DST & + SOCAT_REAL_PID=$! + # This is ok because a local galera node doesn't run SST concurrently + echo $SOCAT_REAL_PID >"$SOCAT_PID" + until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat" + do + sleep 0.2 + done + + if [ $WSREP_SST_OPT_BYPASS -eq 0 ] + then + + FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed" + ERROR="$WSREP_SST_OPT_DATA/sst_error" + + rm -rf "$FLUSHED" + rm -rf "$ERROR" + + # Use deltaxfer only for WAN + inv=$(basename $0) + [ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \ + || WHOLE_FILE_OPT="--whole-file" + + echo "flush tables" + + # Wait for : + # (a) Tables to be flushed, AND + # (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR + # (c) ERROR file, in case flush tables operation failed. + + while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1 + do + # Check whether ERROR file exists. + if [ -f "$ERROR" ] + then + # Flush tables operation failed. + rm -rf "$ERROR" + exit 255 + fi + + sleep 0.2 + done + + STATE="$(cat $FLUSHED)" + rm -rf "$FLUSHED" + + sync + + if ! 
[ -z $WSREP_SST_OPT_BINLOG ] + then + # Prepare binlog files + pushd $BINLOG_DIRNAME &> /dev/null + binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index) + binlog_files="" + for ii in $binlog_files_full + do + binlog_files="$binlog_files $(basename $ii)" + done + if ! [ -z "$binlog_files" ] + then + wsrep_log_info "Preparing binlog files for transfer:" + tar -cvf $BINLOG_TAR_FILE $binlog_files >&2 + fi + popd &> /dev/null + fi + + # first, the normal directories, so that we can detect incompatible protocol + RC=0 + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --dirs --delete --quiet \ + $WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \ + rsync://$TARGET_ADDR >&2 || RC=$? + + if [ "$RC" -ne 0 ]; then + wsrep_log_error "rsync returned code $RC:" + + case $RC in + 12) RC=71 # EPROTO + wsrep_log_error \ + "rsync server on the other end has incompatible protocol. " \ + "Make sure you have the same version of rsync on all nodes." + ;; + 22) RC=12 # ENOMEM + ;; + *) RC=255 # unknown error + ;; + esac + exit $RC + fi + + # second, we transfer InnoDB log files + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --dirs --delete --quiet \ + $WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \ + rsync://$TARGET_ADDR-log_dir >&2 || RC=$? + + if [ $RC -ne 0 ]; then + wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:" + exit 255 # unknown error + fi + + # then, we parallelize the transfer of database directories, use . so that pathconcatenation works + pushd "$WSREP_SST_OPT_DATA" >/dev/null + + count=1 + [ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo) + [ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu) + + find . 
-maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \ + xargs -I{} -0 -P $count \ + rsync --owner --group --perms --links --specials \ + --ignore-times --inplace --recursive --delete --quiet \ + $WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \ + rsync://$TARGET_ADDR/{} >&2 || RC=$? + + popd >/dev/null + + if [ $RC -ne 0 ]; then + wsrep_log_error "find/rsync returned code $RC:" + exit 255 # unknown error + fi + + else # BYPASS + wsrep_log_info "Bypassing state dump." + + # Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id + # (separated by a space). + STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID" + fi + + echo "continue" # now server can resume updating data + + echo "$STATE" > "$MAGIC_FILE" + rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR + + # to avoid cleanup race, stop tunnel before declaring the SST finished. + # This ensures galera won't start a new SST locally before we exit. + cleanup_tunnel + + echo "done $STATE" + +elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ] +then + wsrep_check_programs lsof socat + + touch $SST_PROGRESS_FILE + MYSQLD_PID=$WSREP_SST_OPT_PARENT + + RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid" + + if check_pid $RSYNC_PID + then + wsrep_log_error "rsync daemon already running." 
+ exit 114 # EALREADY + fi + rm -rf "$RSYNC_PID" + + ADDR=$WSREP_SST_OPT_ADDR + RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }') + if [ -z "$RSYNC_PORT" ] + then + RSYNC_PORT=4444 + ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT" + fi + + SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }') + # map to name in case we received an IP + SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }') + if [ -z "$SOCAT_HOST" ]; then + SOCAT_HOST=$SOCAT_ADDR + fi + SOCAT_PORT=$RSYNC_PORT + + trap "exit 32" HUP PIPE + trap "exit 3" INT TERM ABRT + trap cleanup_joiner EXIT + + RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf" + + if [ -n "${MYSQL_TMP_DIR:-}" ] ; then + SILENT="log file = $MYSQL_TMP_DIR/rsynd.log" + else + SILENT="" + fi + +cat << EOF > "$RSYNC_CONF" +pid file = $RSYNC_PID +use chroot = no +read only = no +timeout = 300 +$SILENT +[$MODULE] + path = $WSREP_SST_OPT_DATA +[$MODULE-log_dir] + path = $WSREP_LOG_DIR +EOF + +# rm -rf "$DATA"/ib_logfile* # we don't want old logs around + + # Socat receives rsync connections from the donor + SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS + SOCAT_DST=tcp:localhost:$RSYNC_PORT + wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST" + socat $SOCAT_SRC $SOCAT_DST & + SOCAT_REAL_PID=$! + # This is ok because a local galera node doesn't run SST concurrently + echo $SOCAT_REAL_PID >"$SOCAT_PID" + until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat" + do + sleep 0.2 + done + + wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\"" + rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" & + RSYNC_REAL_PID=$! + + until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync" + do + sleep 0.2 + done + + echo "ready $ADDR/$MODULE" + + # wait for SST to complete by monitoring magic file + while [ ! 
-r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \ + check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null + do + sleep 1 + done + + # to avoid cleanup race, we can tear down the socat tunnel now + # before signaling the end of the SST to galera. + cleanup_tunnel + + if ! ps -p $MYSQLD_PID >/dev/null + then + wsrep_log_error \ + "Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly." + exit 32 + fi + + if ! [ -z $WSREP_SST_OPT_BINLOG ] + then + + pushd $BINLOG_DIRNAME &> /dev/null + if [ -f $BINLOG_TAR_FILE ] + then + # Clean up old binlog files first + rm -f ${BINLOG_FILENAME}.* + wsrep_log_info "Extracting binlog files:" + tar -xvf $BINLOG_TAR_FILE >&2 + for ii in $(ls -1 ${BINLOG_FILENAME}.*) + do + echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index + done + fi + popd &> /dev/null + fi + if [ -r "$MAGIC_FILE" ] + then + # UUID:seqno & wsrep_gtid_domain_id is received here. + cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id + else + # this message should cause joiner to abort + echo "rsync process ended without creating '$MAGIC_FILE'" + fi + wsrep_cleanup_progress_file +# cleanup_joiner +else + wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'" + exit 22 # EINVAL +fi + +rm -f $BINLOG_TAR_FILE || : + +exit 0 diff --git a/SPECS/mesa/mesa.spec b/SPECS/mesa/mesa.spec index 2dec4662bf..ce3254300a 100644 --- a/SPECS/mesa/mesa.spec +++ b/SPECS/mesa/mesa.spec @@ -68,7 +68,7 @@ Name: mesa Summary: Mesa graphics libraries Version: 24.0.1 -Release: 4%{?dist} +Release: 5%{?dist} License: BSD Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -747,6 +747,10 @@ popd %endif %changelog +* Mon Sep 8 2025 Lee Chee Yang - 24.0.1-5 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump release to rebuild with rust + * Fri May 30 2025 Ranjan Dutta - 24.0.1-4 - merge from Azure Linux 3.0.20250521-3.0 - Pin rust version 
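Review bot: In the donor branch the wait loop `while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1` ends as soon as the file is readable, although the comment above it says it must wait for the flush and for the state ID to be written. If the server creates the file before it writes the state line, `STATE="$(cat $FLUSHED)"` can pick up empty or partial content, which is then written to the magic file and handed to the joiner. Joining the two tests with `||` keeps waiting until the colon is present: `while [ ! -r "$FLUSHED" ] || ! grep -q ':' "$FLUSHED" >/dev/null 2>&1`. Separately, the rsyncd config generated for the joiner sets `read only = no` with no `auth users`, so access control rests on the loopback bind and the socat TLS listener alone. That assumption deserves a comment next to the heredoc.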
diff --git a/SPECS/moby-engine/CVE-2024-51744.patch b/SPECS/moby-engine/CVE-2024-51744.patch
new file mode 100644
index 0000000000..e179f3e471
--- /dev/null
+++ b/SPECS/moby-engine/CVE-2024-51744.patch
@@ -0,0 +1,64 @@ +From c0a8f88b3e611b0a2533319636115226b6c3ee35 Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Thu, 22 May 2025 12:13:45 +0000 +Subject: [PATCH] Address CVE-2024-51744 + +Upstream Patch reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c + +--- + vendor/github.com/golang-jwt/jwt/v4/parser.go | 23 ++++++++----------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go +index 9484f28..d6e75db 100644 +--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go ++++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go +@@ -80,12 +80,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable} + } + ++ // Perform validation ++ token.Signature = parts[2] ++ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { ++ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid} ++ } ++ + vErr := &ValidationError{} + + // Validate Claims + if !p.SkipClaimsValidation { + if err := token.Claims.Valid(); err != nil { +- + // If the Claims Valid returned an error, check if it is a validation error, + // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set + if e, ok := err.(*ValidationError); !ok { +@@ -93,22 +98,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf + } else { + vErr = e + } ++ return token, vErr + } + } + +- // Perform validation +- token.Signature = parts[2] +- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil { +- vErr.Inner = err +- vErr.Errors |= ValidationErrorSignatureInvalid +- } +- +- if vErr.valid() { +- token.Valid = true +- return token, nil +- } ++ // No errors so far, token is valid. 
++ token.Valid = true + +- return token, vErr ++ return token, nil + } + + // ParseUnverified parses the token but doesn't validate the signature. +-- +2.45.2 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 03ce27f21f..bd3d67d8ef 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 13%{?dist} +Release: 14%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -27,6 +27,7 @@ Patch9: CVE-2023-45288.patch Patch10: CVE-2025-22868.patch Patch11: CVE-2025-22869.patch Patch12: CVE-2025-30204.patch +Patch13: CVE-2024-51744.patch %{?systemd_requires} @@ -122,6 +123,10 @@ fi %{_unitdir}/* %changelog +* Mon Sep 8 2025 Lee Chee Yang - 25.0.3-14 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2024-51744 + * Fri May 30 2025 Ranjan Dutta - 25.0.3-13 - merge from Azure Linux 3.0.20250521-3.0 - Patch CVE-2025-30204 diff --git a/SPECS/mtr/CVE-2025-49809.patch b/SPECS/mtr/CVE-2025-49809.patch new file mode 100644 index 0000000000..4de7d7af7e --- /dev/null +++ b/SPECS/mtr/CVE-2025-49809.patch 
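Review bot: Both new error returns in ParseWithClaims, `return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}` and `return token, vErr`, still hand back a non-nil token, presumably with its parsed claims attached, so a caller that ignores the error can keep reading unverified data. A comment at the first return would make the contract explicit, for example `// token is returned for inspection only; it must not be trusted when err != nil`. `vErr := &ValidationError{}` is now used only inside the claims branch and could be declared there. The function starts outside the hunk, so its earlier return paths are not visible here.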
@@ -0,0 +1,39 @@
+From de4cc71f2bca9ac59bed53ed5697147195d0226c Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+
+Date: Mon, 14 Jul 2025 19:49:55 +0000
+Subject: [PATCH] Fix CVE CVE-2025-49809 in mtr
+
+Upstream Patch Reference: https://github.com/traviscross/mtr/commit/5226f105f087c29d3cfad9f28000e7536af91ac6.patch
+---
+ ui/cmdpipe.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ui/cmdpipe.c b/ui/cmdpipe.c
+index d22b236..1a66293 100644
+--- a/ui/cmdpipe.c
++++ b/ui/cmdpipe.c
+@@ -220,10 +220,17 @@ void execute_packet_child(
+ the path to the mtr-packet executable. This is necessary
+ for debugging changes for mtr-packet.
+ */
+- char *mtr_packet_path = getenv("MTR_PACKET");
+- if (mtr_packet_path == NULL) {
++ char * mtr_packet_path = NULL;
++
++ // In the rare case that mtr-packet is not setuid-root,
++ // and a select group of users has sudo privileges to run
++ // mtr and not much else, THEN create /etc/mtr.is.run.under.sudo
++ // to prevent a privilege escalation when one of those accounts
++ // is compromised. CVE-2025-49809
++ if (access ("/etc/mtr.is.run.under.sudo", F_OK) != 0)
++ mtr_packet_path = getenv("MTR_PACKET");
++ if (mtr_packet_path == NULL)
+ mtr_packet_path = "mtr-packet";
+- }
+
+ /*
+ First, try to execute mtr-packet from PATH
+--
+2.45.3
+
diff --git a/SPECS/mtr/mtr.spec b/SPECS/mtr/mtr.spec
index c0d21ffbe6..15a8dce4fb 100644
--- a/SPECS/mtr/mtr.spec
+++ b/SPECS/mtr/mtr.spec
@@ -3,7 +3,7 @@ Summary: Network diagnostic tool combining 'traceroute' and 'ping'
 Name: mtr
 Version: 0.95
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
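Review bot: The guard around `getenv("MTR_PACKET")` is opt-in and fails open, because `access ("/etc/mtr.is.run.under.sudo", F_OK) != 0` is true whenever the marker file is absent or cannot be checked, and in that case the environment variable is still honoured. Nothing in this patch or in the `mtr.spec` hunks creates the marker or tells administrators about it, so an installed package behaves as before until someone creates the file by hand. I would record the requirement where packagers and admins will see it, for instance a changelog line such as `- MTR_PACKET is ignored only when /etc/mtr.is.run.under.sudo exists; create it on hosts where mtr is run through sudo`. execute_packet_child's body continues outside the hunk.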
@@ -12,6 +12,7 @@ Source0: https://github.com/traviscross/mtr/archive/v%{version}/%{name}-%{versio Source1: net-x%{name}.desktop Source2: mtr-gtk-pkexec-wrapper.sh Source3: org.fedoraproject.mtr.policy +Patch0:CVE-2025-49809.patch BuildRequires: ncurses-devel BuildRequires: autoconf automake libtool git @@ -32,7 +33,7 @@ command line, e.g. for SSH sessions; and a GTK+ interface for X (provided in the mtr-gtk package). %prep -%autosetup +%autosetup -p1 %build export CFLAGS="%{optflags} -fPIE" @@ -61,6 +62,9 @@ install -D -p -m 0755 mtr %{buildroot}%{_sbindir}/mtr %{_datadir}/bash-completion/completions/%{name} %changelog +* Mon Jul 14 2025 Azure Linux Security Servicing Account - 0.95-3 +- Patch for CVE-2025-49809 + * Mon Jul 22 2024 Aditya Dubey - 0.95-2 - Promoting package from SPECS-EXTENDED to SPECS diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json index cd1f08536d..b4c4c16aac 100644 --- a/SPECS/mysql/mysql.signatures.json +++ b/SPECS/mysql/mysql.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "mysql-boost-8.0.41.tar.gz": "719589993b1a6769edb82b59f28e0dab8d47df94fa53ac4e9340b7c5eaba937c" - } -} + "Signatures": { + "mysql-boost-8.0.43.tar.gz": "85fd5c3ac88884dc5ac4522ce54ad9c11a91f9396fecaa27152c757a3e6e936f" + } +} \ No newline at end of file diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index b4b307f6ce..8b2e20fe5a 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -2,7 +2,7 @@ Summary: MySQL. Name: mysql -Version: 8.0.41 +Version: 8.0.43 Release: 1%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation 
@@ -10,7 +10,6 @@ Distribution: Azure Linux Group: Applications/Databases URL: https://www.mysql.com Source0: https://dev.mysql.com/get/Downloads/MySQL-%{majmin}/%{name}-boost-%{version}.tar.gz -Patch0: CVE-2012-5627.nopatch # AZL's OpenSSL builds with the "no-chacha" option making all ChaCha # ciphers unavailable. Patch1: fix-tests-for-unsupported-chacha-ciphers.patch @@ -73,8 +72,14 @@ groupadd test useradd test -g test -m chown -R test:test . +echo "Detected architecture: %{_arch}" # In case of failure, print the test log. -sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; } +%if "%{_arch}" == "aarch64" +# merge_large_tests takes long time to run and eventually times out and fails. +sudo -u test ctest -E merge_large_tests || { cat Testing/Temporary/LastTest.log || echo 'No log found'; false; } +%else +sudo -u test ctest || { cat Testing/Temporary/LastTest.log || echo 'No log found'; false; } +%endif %files %defattr(-,root,root) 
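Review bot: The first hunk drops `Patch0: CVE-2012-5627.nopatch`, but the 8.0.43-1 `%changelog` entry added further down does not mention it. If that entry was a marker telling CVE tooling that the issue needs no patch (an assumption, the file itself is not shown here), removing it silently can make scanners report CVE-2012-5627 against the package again. A changelog line such as `- Remove CVE-2012-5627.nopatch (<reason>)` would record whether the removal is intentional.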
@@ -97,18 +102,27 @@ sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; } %files devel %{_libdir}/*.so %{_libdir}/*.a -%{_libdir}/private/icudt73l/brkitr/*.res -%{_libdir}/private/icudt73l/brkitr/*.brk -%{_libdir}/private/icudt73l/brkitr/*.dict -%{_libdir}/private/icudt73l/unames.icu -%{_libdir}/private/icudt73l/ulayout.icu -%{_libdir}/private/icudt73l/uemoji.icu -%{_libdir}/private/icudt73l/cnvalias.icu +%{_libdir}/private/icudt77l/brkitr/*.res +%{_libdir}/private/icudt77l/brkitr/*.brk +%{_libdir}/private/icudt77l/brkitr/*.dict +%{_libdir}/private/icudt77l/unames.icu +%{_libdir}/private/icudt77l/ulayout.icu +%{_libdir}/private/icudt77l/uemoji.icu +%{_libdir}/private/icudt77l/cnvalias.icu %{_includedir}/* %{_libdir}/pkgconfig/mysqlclient.pc %changelog -* Tue Mar 26 2025 Kanishk Bansal - 8.0.41-1 +* Wed Jul 23 2025 Aninda Pradhan - 8.0.43-1 +- Upgrade to 8.0.43 to fix CVE-2025-50081,CVE-2025-50077,CVE-2025-50099,CVE-2025-50102,CVE-2025-53023,CVE-2025-50096,CVE-2025-50084,CVE-2025-50104,CVE-2025-50098,CVE-2025-50085,CVE-2025-50093,CVE-2025-50087,CVE-2025-50083,CVE-2025-50082,CVE-2025-50086,CVE-2025-50092,CVE-2025-50094,CVE-2025-50100,CVE-2025-50097,CVE-2025-50101,CVE-2025-50091,CVE-2025-50078,CVE-2025-50080,CVE-2025-50079 + +* Wed Jun 04 2025 Kanishk Bansal - 8.0.42-1 +- Upgrade to 8.0.42 to fix CVE-2025-30687, CVE-2025-30705, CVE-2025-30699, CVE-2025-30681, CVE-2025-30721, CVE-2025-21581, CVE-2025-30685, + CVE-2025-30704, CVE-2025-30703, CVE-2025-30683, CVE-2025-30689, CVE-2025-21579, CVE-2025-30695, CVE-2025-21585, CVE-2025-30715, + CVE-2025-21574, CVE-2025-30682, CVE-2025-21580, CVE-2025-21575, CVE-2025-21577, CVE-2025-30693, CVE-2025-30696, CVE-2025-30688, + CVE-2025-21584, CVE-2025-30684 + +* Wed Mar 26 2025 Kanishk Bansal - 8.0.41-1 - Upgrade to 8.0.41 to fix CVE-2025-21490 & CVE-2024-11053 - Remove patch for CVE-2024-9681 - Remove patch for CVE-2025-0725 as we are building without curl 
diff --git a/SPECS/nbdkit/CVE-2025-47711.patch b/SPECS/nbdkit/CVE-2025-47711.patch
new file mode 100644
index 0000000000..5089c891a7
--- /dev/null
+++ b/SPECS/nbdkit/CVE-2025-47711.patch
@@ -0,0 +1,40 @@
+From 474c0df27522beb33db2822e1478bdac946e2cb2 Mon Sep 17 00:00:00 2001
+From: AkarshHCL
+Date: Thu, 19 Jun 2025 12:47:53 +0000
+Subject: [PATCH] Address CVE-2025-47711.patch
+
+Upstream Patch reference:https://gitlab.com/nbdkit/nbdkit/-/commit/c3c1950867ea8d9c2108ff066ed9e78dde3cfc3f
+
+---
+ server/protocol.c | 2 +-
+ tests/Makefile.am | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/protocol.c b/server/protocol.c
+index d9a5e28..c32fec8 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -493,7 +493,7 @@ extents_to_block_descriptors (struct nbdkit_extents *extents,
+ (*nr_blocks)++;
+
+ pos += length;
+- if (pos > offset + count) /* this must be the last block */
++ if (pos >= offset + count) /* this must be the last block */
+ break;
+
+ /* If we reach here then we must have consumed this whole
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 429ba11..dae753f 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -789,6 +789,7 @@ EXTRA_DIST += \
+ test-eval.sh \
+ test-eval-file.sh \
+ test-eval-exports.sh \
++ test-eval-extents.sh \
+ test-eval-cache.sh \
+ test-eval-dump-plugin.sh \
+ test-eval-disconnect.sh \
+--
+2.45.2
+
diff --git a/SPECS/nbdkit/CVE-2025-47712.patch b/SPECS/nbdkit/CVE-2025-47712.patch
new file mode 100644
index 0000000000..6c6eb3330d
--- /dev/null
+++ b/SPECS/nbdkit/CVE-2025-47712.patch
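Review bot: Both `tests/Makefile.am` hunks reference test scripts that the patches do not add: `test-eval-extents.sh` goes into `EXTRA_DIST` here, and `CVE-2025-47712.patch` adds `test-blocksize-extents-overflow.sh` to `TESTS` and `EXTRA_DIST`, while each diffstat lists only the C file and `tests/Makefile.am`. If the build regenerates the Makefiles, `make check` would be pointed at a script that does not exist; if it does not, the hunks are inert and the fixes ship without their regression tests. Either carry the upstream test scripts in the patches or drop the `tests/Makefile.am` hunks. Since they modify an automake input, the `patches_touch_autotools` switch visible in `nbdkit.spec` probably needs checking as well.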
@@ -0,0 +1,50 @@
+From 7718fa6355d6f395d0822e824c943f74750500b4 Mon Sep 17 00:00:00 2001
+From: AkarshHCL
+Date: Tue, 17 Jun 2025 05:45:34 +0000
+Subject: [PATCH] Address CVE-2025-47712
+
+Upstream Patch reference: https://gitlab.com/nbdkit/nbdkit/-/commit/a486f88d1eea653ea88b0bf8804c4825dab25ec7
+
+---
+ filters/blocksize/blocksize.c | 5 +++--
+ tests/Makefile.am | 2 ++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/filters/blocksize/blocksize.c b/filters/blocksize/blocksize.c
+index 09195ce..e5c8b74 100644
+--- a/filters/blocksize/blocksize.c
++++ b/filters/blocksize/blocksize.c
+@@ -482,8 +482,9 @@ blocksize_extents (nbdkit_next *next,
+ return -1;
+ }
+
+- if (nbdkit_extents_aligned (next, MIN (ROUND_UP (count, h->minblock),
+- h->maxlen),
++ if (nbdkit_extents_aligned (next,
++ MIN (ROUND_UP ((uint64_t) count, h->minblock),
++ h->maxlen),
+ ROUND_DOWN (offset, h->minblock), flags,
+ h->minblock, extents2, err) == -1)
+ return -1;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 9233c37..429ba11 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1481,12 +1481,14 @@ test_layers_filter3_la_LIBADD = $(IMPORT_LIBRARY_ON_WINDOWS)
+ TESTS += \
+ test-blocksize.sh \
+ test-blocksize-extents.sh \
++ test-blocksize-extents-overflow.sh \
+ test-blocksize-default.sh \
+ test-blocksize-sharding.sh \
+ $(NULL)
+ EXTRA_DIST += \
+ test-blocksize.sh \
+ test-blocksize-extents.sh \
++ test-blocksize-extents-overflow.sh \
+ test-blocksize-default.sh \
+ test-blocksize-sharding.sh \
+ $(NULL)
+--
+2.45.2
+
diff --git a/SPECS/nbdkit/nbdkit.spec b/SPECS/nbdkit/nbdkit.spec
index e2029d37d2..bfee948eee 100644
--- a/SPECS/nbdkit/nbdkit.spec
+++ b/SPECS/nbdkit/nbdkit.spec
@@ -51,7 +51,7 @@ Distribution: Azure Linux
 Name: nbdkit
 Version: 1.35.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: NBD server
 License: BSD
@@ -59,6 +59,9 @@ URL: https://gitlab.com/nbdkit/nbdkit
 Source0: http://libguestfs.org/download/nbdkit/%{source_directory}/%{name}-%{version}.tar.gz
+Patch0: CVE-2025-47711.patch
+Patch1: CVE-2025-47712.patch
+
 BuildRequires: make
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
@@ -1195,6 +1198,9 @@ export LIBGUESTFS_TRACE=1
 %changelog
+* Thu Jun 19 2025 Akarsh Chaudhary - 1.35.3-7
+- Patch CVE-2025-47712 ,CVE-2025-47711
+
 * Thu Aug 29 2024 Pawel Winogrodzki - 1.35.3-6
 - Fixed test-time dependencies to match correct AZL paths.
diff --git a/SPECS/net-tools/CVE-2025-46836.patch b/SPECS/net-tools/CVE-2025-46836.patch
new file mode 100644
index 0000000000..2e7d53909f
--- /dev/null
+++ b/SPECS/net-tools/CVE-2025-46836.patch
@@ -0,0 +1,89 @@
+From c4e1e6b0319f35b0ceafa8b9502fd71798a7bcf7 Mon Sep 17 00:00:00 2001
+From: Aninda
+Date: Mon, 19 May 2025 11:04:33 -0400
+Subject: [PATCH] Address CVE-2025-46836
+Upstream Patch Reference: https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d
+
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/interface.c b/lib/interface.c
+index 42cddda..2d6b6a3 100644
+--- a/lib/interface.c
++++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+
+ static const char *get_name(char *name, const char *p)
++/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
++ and the destination buffer is always NUL‑terminated. */
+ {
+- while (isspace(*p))
+- p++;
+- while (*p) {
+- if (isspace(*p))
+- break;
+- if (*p == ':') { /* could be an alias */
+- const char *dot = p++;
+- while (*p && isdigit(*p)) p++;
+- if (*p == ':') {
+- /* Yes it is, backup and copy it. */
+- p = dot;
+- *name++ = *p++;
+- while (*p && isdigit(*p)) {
+- *name++ = *p++;
+- }
+- } else {
+- /* No, it isn't */
+- p = dot;
+- }
+- p++;
+- break;
+- }
+- *name++ = *p++;
++ char *dst = name; /* current write ptr */
++ const char *end = name + IFNAMSIZ - 1; /* last byte we may write */
++
++ /* Skip leading white‑space. */
++ while (isspace((unsigned char)*p))
++ ++p;
++
++ /* Copy until white‑space, end of string, or buffer full. */
++ while (*p && !isspace((unsigned char)*p) && dst < end) {
++ if (*p == ':') { /* possible alias veth0:123: */
++ const char *dot = p; /* remember the colon */
++ ++p;
++ while (*p && isdigit((unsigned char)*p))
++ ++p;
++
++ if (*p == ':') { /* confirmed alias */
++ p = dot; /* rewind and copy it all */
++
++ /* copy the colon */
++ if (dst < end)
++ *dst++ = *p++;
++
++ /* copy the digits */
++ while (*p && isdigit((unsigned char)*p) && dst < end)
++ *dst++ = *p++;
++
++ if (*p == ':') /* consume trailing colon */
++ ++p;
++ } else { /* if so treat as normal */
++ p = dot;
++ }
++ break; /* interface name ends here */
++ }
++
++ *dst++ = *p++; /* ordinary character copy */
+ }
+- *name++ = '\0';
++
++ *dst = '\0'; /* always NUL‑terminate */
+ return p;
+ }
+
+--
+2.34.1
+
diff --git a/SPECS/net-tools/net-tools.spec b/SPECS/net-tools/net-tools.spec
index 56a04d8e13..fc4f2a7d93 100644
--- a/SPECS/net-tools/net-tools.spec
+++ b/SPECS/net-tools/net-tools.spec
@@ -1,13 +1,14 @@
 Summary: Networking Tools
 Name: net-tools
 Version: 2.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Group: System Environment/Base
 URL: https://sourceforge.net/projects/net-tools/
 Source0: https://downloads.sourceforge.net/project/%{name}/%{name}-%{version}.tar.xz
+Patch0: CVE-2025-46836.patch
 Conflicts: toybox
 Obsoletes: inetutils
 Provides: hostname = %{version}-%{release}
@@ -47,6 +48,9 @@ make BASEDIR=%{buildroot} install
 %{_mandir}/man8/*
 %changelog
+* Mon May 19 2025 Aninda Pradhan - 2.10-4
+- Fixes CVE-2025-46836 with an upstream patch
+
 * Wed Sep 20 2023 Jon Slobodzian - 2.10-3
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
diff --git a/SPECS/netavark/netavark.spec b/SPECS/netavark/netavark.spec
index 5b8a4ff150..bd59c25d56 100644
--- a/SPECS/netavark/netavark.spec
+++ b/SPECS/netavark/netavark.spec
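Review bot: In the rewritten get_name the non-alias branch (`} else { p = dot; }` followed by `break;`) leaves `p` pointing at the colon, whereas the removed code ran `p++` after both branches and returned a pointer just past it. For an ordinary `name: counters` line the caller therefore gets a string that begins with `:`, which the callers (not visible in this hunk) may not expect when they parse the fields that follow. Changing the branch to `p = dot + 1;` restores the previous return value. Separately, when the name fills the buffer (`dst == end`) the loop stops mid-name and the returned pointer lies inside the name rather than after it, so a short comment on that truncation case, or skipping ahead to the delimiter before returning, would help the next reader.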
@@ -11,7 +11,7 @@ Name: netavark
 Version: 1.10.3
-Release: 2%{?dist}
+Release: 4%{?dist}
 Summary: OCI network stack
 License: ASL 2.0 and BSD and MIT
 Vendor: Microsoft Corporation
@@ -225,6 +225,12 @@ popd
 %{_unitdir}/%{name}-firewalld-reload.service
 %changelog
+* Mon Jul 21 2025 Jyoti Kanase - 1.10.3-4
+- Bump release to rebuild with rust
+
+* Tue Jun 10 2025 Kavya Sree Kaitepalli - 1.10.3-3
+- Bump release to rebuild with rust
+
 * Mon Apr 21 2025 Kavya Sree Kaitepalli - 1.10.3-2
 - Pin rust version
diff --git a/SPECS/node-problem-detector/0001-remove-arch-specific-logic-from-makefile.patch b/SPECS/node-problem-detector/0001-remove-arch-specific-logic-from-makefile.patch
deleted file mode 100644
index f0120a3a72..0000000000
--- a/SPECS/node-problem-detector/0001-remove-arch-specific-logic-from-makefile.patch
+++ /dev/null
@@ -1,136 +0,0 @@ -From 2ca12f89f9b6a8c1390a7a66b080538f4142beea Mon Sep 17 00:00:00 2001 -From: Sean Dougherty -Date: Tue, 20 Feb 2024 20:41:16 +0000 -Subject: [PATCH] remove arch specific logic from makefile - ---- - Makefile | 58 +++++++++++++++----------------------------------------- - 1 file changed, 15 insertions(+), 43 deletions(-) - mode change 100644 => 100755 Makefile - -diff --git a/Makefile b/Makefile -old mode 100644 -new mode 100755 -index b329e7a..7be5307 ---- a/Makefile -+++ b/Makefile -@@ -22,9 +22,9 @@ - all: build - - # PLATFORMS is the set of OS_ARCH that NPD can build against. --LINUX_PLATFORMS=linux_amd64 linux_arm64 -+LINUX_PLATFORMS=linux - DOCKER_PLATFORMS=linux/amd64,linux/arm64 --PLATFORMS=$(LINUX_PLATFORMS) windows_amd64 -+PLATFORMS=$(LINUX_PLATFORMS) - - # VERSION is the version of the binary. - VERSION?=$(shell if [ -d .git ]; then echo `git describe --tags --dirty`; else echo "UNKNOWN"; fi) -@@ -77,8 +77,6 @@ BASEIMAGE:=registry.k8s.io/build-image/debian-base:bookworm-v1.0.0 - # Disable cgo by default to make the binary statically linked. - CGO_ENABLED:=0 - --# Set default Go architecture to AMD64. --GOARCH ?= amd64 - - # Construct the "-tags" parameter used by "go build". 
- BUILD_TAGS?= -@@ -126,55 +124,25 @@ ifeq ($(ENABLE_JOURNALD), 1) - endif - - ALL_BINARIES = $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), ./$(binary)) \ -- $(foreach platform, $(LINUX_PLATFORMS), $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), output/$(platform)/$(binary))) \ -- $(foreach binary, $(BINARIES), output/windows_amd64/$(binary).exe) -+ $(foreach platform, $(LINUX_PLATFORMS), $(foreach binary, $(BINARIES) $(BINARIES_LINUX_ONLY), output/$(platform)/$(binary))) - ALL_TARBALLS = $(foreach platform, $(PLATFORMS), $(NPD_NAME_VERSION)-$(platform).tar.gz) - --output/windows_amd64/bin/%.exe: $(PKG_SOURCES) -- GOOS=windows GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) go build \ -- -o $@ \ -- -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ -- -tags "$(WINDOWS_BUILD_TAGS)" \ -- ./cmd/$(subst -,,$*) -- touch $@ -- --output/windows_amd64/test/bin/%.exe: $(PKG_SOURCES) -- cd test && \ -- GOOS=windows GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) go build \ -- -o ../$@ \ -- -tags "$(WINDOWS_BUILD_TAGS)" \ -- ./e2e/$(subst -,,$*) -- --output/linux_amd64/bin/%: $(PKG_SOURCES) -- GOOS=linux GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) \ -- CC=x86_64-linux-gnu-gcc go build \ -- -o $@ \ -- -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ -- -tags "$(LINUX_BUILD_TAGS)" \ -- ./cmd/$(subst -,,$*) -- touch $@ -- --output/linux_amd64/test/bin/%: $(PKG_SOURCES) -- cd test && \ -- GOOS=linux GOARCH=amd64 CGO_ENABLED=$(CGO_ENABLED) \ -- CC=x86_64-linux-gnu-gcc go build \ -- -o ../$@ \ -- -tags "$(LINUX_BUILD_TAGS)" \ -- ./e2e/$(subst -,,$*) - --output/linux_arm64/bin/%: $(PKG_SOURCES) -- GOOS=linux GOARCH=arm64 CGO_ENABLED=$(CGO_ENABLED) \ -- CC=aarch64-linux-gnu-gcc go build \ -+output/linux/bin/%: $(PKG_SOURCES) -+ GOOS=linux CGO_ENABLED=$(CGO_ENABLED) \ -+ go build \ -+ -mod=vendor \ - -o $@ \ - -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ - -tags "$(LINUX_BUILD_TAGS)" \ - ./cmd/$(subst -,,$*) - touch $@ - --output/linux_arm64/test/bin/%: $(PKG_SOURCES) 
-+output/linux/test/bin/%: $(PKG_SOURCES) - cd test && \ -- GOOS=linux GOARCH=arm64 CGO_ENABLED=$(CGO_ENABLED) \ -- CC=aarch64-linux-gnu-gcc go build \ -+ GOOS=linux CGO_ENABLED=$(CGO_ENABLED) \ -+ go build \ -+ -mod=vendor \ - -o ../$@ \ - -tags "$(LINUX_BUILD_TAGS)" \ - ./e2e/$(subst -,,$*) -@@ -183,6 +151,7 @@ output/linux_arm64/test/bin/%: $(PKG_SOURCES) - ./bin/log-counter: $(PKG_SOURCES) - ifeq ($(ENABLE_JOURNALD), 1) - CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH) go build \ -+ -mod=vendor \ - -o bin/log-counter \ - -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ - -tags "$(LINUX_BUILD_TAGS)" \ -@@ -193,6 +162,7 @@ endif - - ./bin/node-problem-detector: $(PKG_SOURCES) - CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH) go build \ -+ -mod=vendor \ - -o bin/node-problem-detector \ - -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ - -tags "$(LINUX_BUILD_TAGS)" \ -@@ -201,12 +171,14 @@ endif - ./test/bin/problem-maker: $(PKG_SOURCES) - cd test && \ - CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH) go build \ -+ -mod=vendor \ - -o bin/problem-maker \ - -tags "$(LINUX_BUILD_TAGS)" \ - ./e2e/problemmaker/problem_maker.go - - ./bin/health-checker: $(PKG_SOURCES) - CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=$(GOARCH) go build \ -+ -mod=vendor \ - -o bin/health-checker \ - -ldflags '-X $(PKG)/pkg/version.version=$(VERSION)' \ - -tags "$(LINUX_BUILD_TAGS)" \ --- -2.42.0 - diff --git a/SPECS/node-problem-detector/CVE-2025-22868.patch b/SPECS/node-problem-detector/CVE-2025-22868.patch deleted file mode 100644 index c4f136f3ca..0000000000 --- a/SPECS/node-problem-detector/CVE-2025-22868.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 -From: Neal Patel -Date: Thu, 30 Jan 2025 14:10:09 -0500 -Subject: [PATCH] jws: split token into fixed number of parts - -Thanks to 'jub0bs' for reporting this issue. - -Fixes #71490 -Fixes CVE-2025-22868 - -Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 -Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 -Auto-Submit: Gopher Robot -Reviewed-by: Damien Neil -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI ---- - vendor/golang.org/x/oauth2/jws/jws.go | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go -index 95015648b..6f03a49d3 100644 ---- a/vendor/golang.org/x/oauth2/jws/jws.go -+++ b/vendor/golang.org/x/oauth2/jws/jws.go -@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { - // Verify tests whether the provided JWT token's signature was produced by the private key - // associated with the supplied public key. - func Verify(token string, key *rsa.PublicKey) error { -- parts := strings.Split(token, ".") -- if len(parts) != 3 { -+ if strings.Count(token, ".") != 2 { - return errors.New("jws: invalid token received, token must have 3 parts") - } - -+ parts := strings.SplitN(token, ".", 3) - signedContent := parts[0] + "." + parts[1] - signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) - if err != nil { diff --git a/SPECS/node-problem-detector/CVE-2025-22869.patch b/SPECS/node-problem-detector/CVE-2025-22869.patch deleted file mode 100644 index c0415fddb0..0000000000 --- a/SPECS/node-problem-detector/CVE-2025-22869.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From 041b89a18f81265899e42e6801f830c101a96120 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Sun, 2 Mar 2025 13:46:00 +0000 -Subject: [PATCH] CVE-2025-22869 - -Upstream Reference : https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22 - -ssh: limit the size of the internal packet queue while waiting for KEX - -In the SSH protocol, clients and servers execute the key exchange to -generate one-time session keys used for encryption and authentication. -The key exchange is performed initially after the connection is -established and then periodically after a configurable amount of data. -While a key exchange is in progress, we add the received packets to an -internal queue until we receive SSH_MSG_KEXINIT from the other side. -This can result in high memory usage if the other party is slow to -respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a -malicious client never responds to an SSH_MSG_KEXINIT packet during a -large file transfer. -We now limit the internal queue to 64 packets: this means 2MB with the -typical 32KB packet size. -When the internal queue is full we block further writes until the -pending key exchange is completed or there is a read or write error. - -Thanks to Yuichi Watanabe for reporting this issue. - -Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135 -Reviewed-by: Neal Patel -Auto-Submit: Gopher Robot -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI - ---- - vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- - 1 file changed, 37 insertions(+), 10 deletions(-) - -diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go -index 70a7369..e14eb6c 100644 ---- a/vendor/golang.org/x/crypto/ssh/handshake.go -+++ b/vendor/golang.org/x/crypto/ssh/handshake.go -@@ -24,6 +24,11 @@ const debugHandshake = false - // quickly. 
- const chanSize = 16 - -+// maxPendingPackets sets the maximum number of packets to queue while waiting -+// for KEX to complete. This limits the total pending data to maxPendingPackets -+// * maxPacket bytes, which is ~16.8MB. -+const maxPendingPackets = 64 -+ - // keyingTransport is a packet based transport that supports key - // changes. It need not be thread-safe. It should pass through - // msgNewKeys in both directions. -@@ -58,11 +63,19 @@ type handshakeTransport struct { - incoming chan []byte - readError error - -- mu sync.Mutex -- writeError error -- sentInitPacket []byte -- sentInitMsg *kexInitMsg -- pendingPackets [][]byte // Used when a key exchange is in progress. -+ mu sync.Mutex -+ // Condition for the above mutex. It is used to notify a completed key -+ // exchange or a write failure. Writes can wait for this condition while a -+ // key exchange is in progress. -+ writeCond *sync.Cond -+ writeError error -+ sentInitPacket []byte -+ sentInitMsg *kexInitMsg -+ // Used to queue writes when a key exchange is in progress. The length is -+ // limited by pendingPacketsSize. Once full, writes will block until the key -+ // exchange is completed or an error occurs. If not empty, it is emptied -+ // all at once when the key exchange is completed in kexLoop. -+ pendingPackets [][]byte - writePacketsLeft uint32 - writeBytesLeft int64 - -@@ -114,6 +127,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, - - config: config, - } -+ t.writeCond = sync.NewCond(&t.mu) - t.resetReadThresholds() - t.resetWriteThresholds() - -@@ -236,6 +250,7 @@ func (t *handshakeTransport) recordWriteError(err error) { - defer t.mu.Unlock() - if t.writeError == nil && err != nil { - t.writeError = err -+ t.writeCond.Broadcast() - } - } - -@@ -339,6 +354,8 @@ write: - } - } - t.pendingPackets = t.pendingPackets[:0] -+ // Unblock writePacket if waiting for KEX. 
-+ t.writeCond.Broadcast() - t.mu.Unlock() - } - -@@ -526,11 +543,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { - } - - if t.sentInitMsg != nil { -- // Copy the packet so the writer can reuse the buffer. -- cp := make([]byte, len(p)) -- copy(cp, p) -- t.pendingPackets = append(t.pendingPackets, cp) -- return nil -+ if len(t.pendingPackets) < maxPendingPackets { -+ // Copy the packet so the writer can reuse the buffer. -+ cp := make([]byte, len(p)) -+ copy(cp, p) -+ t.pendingPackets = append(t.pendingPackets, cp) -+ return nil -+ } -+ for t.sentInitMsg != nil { -+ // Block and wait for KEX to complete or an error. -+ t.writeCond.Wait() -+ if t.writeError != nil { -+ return t.writeError -+ } -+ } - } - - if t.writeBytesLeft > 0 { -@@ -547,6 +573,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { - - if err := t.pushPacket(p); err != nil { - t.writeError = err -+ t.writeCond.Broadcast() - } - - return nil --- -2.45.2 - diff --git a/SPECS/node-problem-detector/node-problem-detector.signatures.json b/SPECS/node-problem-detector/node-problem-detector.signatures.json deleted file mode 100644 index 045b03ba07..0000000000 --- a/SPECS/node-problem-detector/node-problem-detector.signatures.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "Signatures": { - "node-problem-detector-0.8.20-vendor.tar.gz": "e5baa02e9ab94fdc16f9ebe50c5cb513daee7e50fd349357c53df6fd0c2e98a2", - "node-problem-detector-0.8.20-test-vendor.tar.gz": "4a7f7e879234c938b09a62bef08387478424b88f0eac683891ab8b201cb69c8a", - "node-problem-detector-0.8.20.tar.gz": "0580a72d59483997dc5ef68b8f65c6119ad3373347624d555d89b3ad9947380e" - } -} \ No newline at end of file diff --git a/SPECS/node-problem-detector/node-problem-detector.spec b/SPECS/node-problem-detector/node-problem-detector.spec deleted file mode 100644 index 36a36e7913..0000000000 --- a/SPECS/node-problem-detector/node-problem-detector.spec +++ /dev/null 
@@ -1,192 +0,0 @@ -Summary: Kubernetes daemon to detect and report node issues -Name: node-problem-detector -Version: 0.8.20 -Release: 3%{?dist} -License: ASL 2.0 -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: System Environment/Daemons -URL: https://github.com/kubernetes/node-problem-detector -#Source0: https://github.com/kubernetes/%%{name}/archive/refs/tags/v%%{version}.tar.gz#/%%{name}-%%{version}.tar.gz -Source0: %{name}-%{version}.tar.gz -# Below is a manually created tarball, no download link. -# We're using pre-populated Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/kubernetes/%%{name}/archive/refs/tags/v%%{version}.tar.gz#/%%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version} -# 4. go mod vendor -# 5. tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-vendor.tar.gz vendor -# -Source1: %{name}-%{version}-vendor.tar.gz -# Below is a manually created tarball, no download link. -# We're using pre-populated Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/kubernetes/%%{name}/archive/refs/tags/v%%{version}.tar.gz#/%%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version}/test -# 4. go mod vendor -# 5. 
tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-test-vendor.tar.gz vendor -# -Source2: %{name}-%{version}-test-vendor.tar.gz -Patch1: 0001-remove-arch-specific-logic-from-makefile.patch -Patch2: CVE-2024-45338.patch -Patch3: CVE-2025-22868.patch -Patch4: CVE-2025-22869.patch -BuildRequires: golang -BuildRequires: systemd-devel -Requires: azurelinux-release -%if %{with check} -BuildRequires: azurelinux-release -%endif - -%description -node-problem-detector aims to make various node problems visible to the -upstream layers in the cluster management stack. It is a daemon that -runs on each node, detects node problems and reports them to apiserver. - -%package config -Summary: Default configs for node-problem-detector -Requires: node-problem-detector - -%description config -Default configuration files for node-problem-detector - -%prep -%autosetup -p1 -N -%patch 1 -p1 -%patch 3 -p1 - -# create vendor folder from the vendor tarball -tar -xf %{SOURCE1} --no-same-owner -%patch 3 -p1 -pushd test -tar -xf %{SOURCE2} --no-same-owner -%patch 2 -p1 -%patch 3 -p1 -%patch 4 -p1 -popd - -%build -%make_build build-binaries VERSION=%{version} - -%install -mkdir -p %{buildroot}%{_bindir}/ -install -vdm 755 %{buildroot}/%{_bindir} -install -pm 755 output/linux/bin/node-problem-detector %{buildroot}%{_bindir}/ -install -pm 755 output/linux/bin/health-checker %{buildroot}%{_bindir}/ -install -pm 755 output/linux/bin/log-counter %{buildroot}%{_bindir}/ - -install -vdm 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d -cp -R config %{buildroot}%{_sysconfdir}/node-problem-detector.d - -chmod 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d/config/plugin/check_ntp.sh -chmod 755 %{buildroot}%{_sysconfdir}/node-problem-detector.d/config/plugin/network_problem.sh - -%check -make test - -%files -%license LICENSE -%defattr(-,root,root,0755) 
-%{_bindir}/node-problem-detector -%{_bindir}/health-checker -%{_bindir}/log-counter - -%files config -%license LICENSE -%defattr(-,root,root,0755) -%config(noreplace) %{_sysconfdir}/node-problem-detector.d/* - -%changelog -* Fri Mar 21 2025 Anuj Mittal - 0.8.20-3 -- Bump Release to rebuild - -* Mon Mar 03 2025 Kanishk Bansal - 0.8.20-2 -- Address CVE-2025-22868 and CVE-2025-22869 with an upstream patch. -- Correct the name and SHA256 checksum of vendor tarballs. -- Remove previously applied patches that are no longer required. - -* Thu Feb 27 2025 CBL-Mariner Servicing Account - 0.8.20-1 -- Auto-upgrade to 0.8.20 - fix CVE-2023-44487 - -* Fri Feb 14 2025 Kanishk Bansal - 0.8.15-4 -- Address CVE-2023-45288 - -* Thu Jan 23 2025 Kavya Sree Kaitepalli - 0.8.15-3 -- Fix CVE-2024-45338 by patching - -* Mon Nov 25 2024 Bala - 0.8.15-2 -- Fix CVE-2024-24786 by patching - -* Fri Feb 16 2024 Sean Dougherty - 0.8.15-1 -- Upgrade to 0.8.15 for Azure Linux 3.0 - -* Wed Feb 07 2024 Mykhailo Bykhovtsev - 0.8.10-18 -- Update the build and dependency from mariner-release to azurelinux-release - -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 0.8.10-17 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 0.8.10-16 -- Bump release to rebuild with updated version of Go. 
- -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 0.8.10-15 -- Bump release to rebuild with go 1.19.12 - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 0.8.10-14 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 0.8.10-13 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 0.8.10-12 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 0.8.10-11 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 0.8.10-10 -- Bump release to rebuild with go 1.19.6 - -* Fri Feb 03 2023 CBL-Mariner Servicing Account - 0.8.10-9 -- Bump release to rebuild with go 1.19.5 - -* Wed Jan 18 2023 CBL-Mariner Servicing Account - 0.8.10-8 -- Bump release to rebuild with go 1.19.4 - -* Fri Dec 16 2022 Daniel McIlvaney - 0.8.10-7 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Tue Nov 01 2022 Olivia Crain - 0.8.10-6 -- Bump release to rebuild with go 1.18.8 - -* Mon Aug 29 2022 Sean Dougherty - 0.8.10-5 -- Removed arch-specific logic in Makefile with 001-remove_arch_specific_makefile_logic.patch. - -* Mon Aug 22 2022 Olivia Crain - 0.8.10-4 -- Bump release to rebuild against Go 1.18.5 - -* Tue Jun 14 2022 Muhammad Falak - 0.8.10-3 -- Bump release to rebuild with golang 1.18.3 - -* Wed Jun 01 2022 Olivia Crain - 0.8.10-2 -- Add explicit check/run-time dependencies on mariner-release. - -* Fri Feb 25 2022 Max Brodeur-Urbas - 0.8.10-1 -- Upgrading to v0.8.10 -- Disable arm64 builds in Makefile with remove_arm64_build.patch. - -* Tue Jun 15 2021 Henry Beberman - 0.8.8-1 -- Add node-problem-detector spec. -- Add Mariner to OSVersion detection and disable exe builds in makefile. -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/nodejs/CVE-2025-23165.patch b/SPECS/nodejs/CVE-2025-23165.patch new file mode 100644 index 0000000000..da41f64457 --- /dev/null 
+++ b/SPECS/nodejs/CVE-2025-23165.patch
@@ -0,0 +1,28 @@
+From 3badbd012233828132ec938253ed40a7854fd65c Mon Sep 17 00:00:00 2001
+From: Aninda
+Date: Sat, 24 May 2025 11:03:53 -0400
+Subject: [PATCH] Address CVE-2025-23165
+Upstream Patch Reference: https://github.com/nodejs/node/commit/9e13bf0a81e15c7b3a9f1826dccbcea991d7e63a
+
+---
+ src/node_file.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/node_file.cc b/src/node_file.cc
+index 0ec5c6f4..ba69879b 100644
+--- a/src/node_file.cc
++++ b/src/node_file.cc
+@@ -2609,9 +2609,9 @@ static void ReadFileUtf8(const FunctionCallbackInfo& args) {
+ FS_SYNC_TRACE_END(open);
+ if (req.result < 0) {
+ uv_fs_req_cleanup(&req);
+- // req will be cleaned up by scope leave.
+ return env->ThrowUVException(req.result, "open", nullptr, path.out());
+ }
++ uv_fs_req_cleanup(&req);
+ }
+
+ auto defer_close = OnScopeLeave([file, is_fd, &req]() {
+--
+2.34.1
+
diff --git a/SPECS/nodejs/CVE-2025-23166.patch b/SPECS/nodejs/CVE-2025-23166.patch
new file mode 100644
index 0000000000..467bda0915
--- /dev/null
+++ b/SPECS/nodejs/CVE-2025-23166.patch
@@ -0,0 +1,537 @@ +From cca703fb8440504e580a92256a8f16ca0e38a08e Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Sat, 24 May 2025 10:33:47 -0400 +Subject: [PATCH] Address CVE-2025-23166 +Upstream Patch Reference: https://github.com/nodejs/node/commit/6c57465920cf1b981a63031e71b1e4a73bf9beaa + +--- + src/crypto/crypto_dh.cc | 8 +++--- + src/crypto/crypto_dh.h | 8 +++--- + src/crypto/crypto_ec.cc | 3 +- + src/crypto/crypto_ec.h | 8 +++--- + src/crypto/crypto_hash.cc | 8 +++--- + src/crypto/crypto_hash.h | 8 +++--- + src/crypto/crypto_hkdf.cc | 8 +++--- + src/crypto/crypto_hkdf.h | 8 +++--- + src/crypto/crypto_hmac.cc | 8 +++--- + src/crypto/crypto_hmac.h | 8 +++--- + src/crypto/crypto_pbkdf2.cc | 8 +++--- + src/crypto/crypto_pbkdf2.h | 8 +++--- + src/crypto/crypto_random.cc | 20 ++++++------- + src/crypto/crypto_random.h | 19 +++++++------ + src/crypto/crypto_scrypt.cc | 8 +++--- + src/crypto/crypto_scrypt.h | 8 +++--- + src/crypto/crypto_sig.cc | 28 +++++++++++-------- + src/crypto/crypto_sig.h | 8 +++--- + src/crypto/crypto_util.h | 3 +- + .../parallel/test-crypto-async-sign-verify.js | 26 +++++++++++++++++ + 20 files changed, 122 insertions(+), 89 deletions(-) + +diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc +index b4447102..7c984652 100644 +--- a/src/crypto/crypto_dh.cc ++++ b/src/crypto/crypto_dh.cc +@@ -705,10 +705,10 @@ Maybe DHBitsTraits::EncodeOutput( + return Just(!result->IsEmpty()); + } + +-bool DHBitsTraits::DeriveBits( +- Environment* env, +- const DHBitsConfig& params, +- ByteSource* out) { ++bool DHBitsTraits::DeriveBits(Environment* env, ++ const DHBitsConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + *out = StatelessDiffieHellmanThreadsafe( + params.private_key->GetAsymmetricKey(), + params.public_key->GetAsymmetricKey()); +diff --git a/src/crypto/crypto_dh.h b/src/crypto/crypto_dh.h +index ec12548d..f7c4b675 100644 +--- a/src/crypto/crypto_dh.h ++++ b/src/crypto/crypto_dh.h +@@ -131,10 +131,10 @@ struct DHBitsTraits 
final { + unsigned int offset, + DHBitsConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const DHBitsConfig& params, +- ByteSource* out_); ++ static bool DeriveBits(Environment* env, ++ const DHBitsConfig& params, ++ ByteSource* out_, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_ec.cc b/src/crypto/crypto_ec.cc +index 860d5048..356e21f1 100644 +--- a/src/crypto/crypto_ec.cc ++++ b/src/crypto/crypto_ec.cc +@@ -481,7 +481,8 @@ Maybe ECDHBitsTraits::AdditionalConfig( + + bool ECDHBitsTraits::DeriveBits(Environment* env, + const ECDHBitsConfig& params, +- ByteSource* out) { ++ ByteSource* out, ++ CryptoJobMode mode) { + size_t len = 0; + ManagedEVPPKey m_privkey = params.private_->GetAsymmetricKey(); + ManagedEVPPKey m_pubkey = params.public_->GetAsymmetricKey(); +diff --git a/src/crypto/crypto_ec.h b/src/crypto/crypto_ec.h +index f9570bd4..a6bd48d4 100644 +--- a/src/crypto/crypto_ec.h ++++ b/src/crypto/crypto_ec.h +@@ -77,10 +77,10 @@ struct ECDHBitsTraits final { + unsigned int offset, + ECDHBitsConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const ECDHBitsConfig& params, +- ByteSource* out_); ++ static bool DeriveBits(Environment* env, ++ const ECDHBitsConfig& params, ++ ByteSource* out_, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_hash.cc b/src/crypto/crypto_hash.cc +index 46086018..7d974d3d 100644 +--- a/src/crypto/crypto_hash.cc ++++ b/src/crypto/crypto_hash.cc +@@ -501,10 +501,10 @@ Maybe HashTraits::AdditionalConfig( + return Just(true); + } + +-bool HashTraits::DeriveBits( +- Environment* env, +- const HashConfig& params, +- ByteSource* out) { ++bool HashTraits::DeriveBits(Environment* env, ++ const HashConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + EVPMDCtxPointer ctx(EVP_MD_CTX_new()); + + if (UNLIKELY(!ctx || +diff --git a/src/crypto/crypto_hash.h 
b/src/crypto/crypto_hash.h +index 07e3a2ae..0ea2114f 100644 +--- a/src/crypto/crypto_hash.h ++++ b/src/crypto/crypto_hash.h +@@ -70,10 +70,10 @@ struct HashTraits final { + unsigned int offset, + HashConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const HashConfig& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const HashConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_hkdf.cc b/src/crypto/crypto_hkdf.cc +index 0dd9b424..526be1d0 100644 +--- a/src/crypto/crypto_hkdf.cc ++++ b/src/crypto/crypto_hkdf.cc +@@ -100,10 +100,10 @@ Maybe HKDFTraits::AdditionalConfig( + return Just(true); + } + +-bool HKDFTraits::DeriveBits( +- Environment* env, +- const HKDFConfig& params, +- ByteSource* out) { ++bool HKDFTraits::DeriveBits(Environment* env, ++ const HKDFConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + EVPKeyCtxPointer ctx = + EVPKeyCtxPointer(EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, nullptr)); + if (!ctx || !EVP_PKEY_derive_init(ctx.get()) || +diff --git a/src/crypto/crypto_hkdf.h b/src/crypto/crypto_hkdf.h +index c4a537ce..acd2b670 100644 +--- a/src/crypto/crypto_hkdf.h ++++ b/src/crypto/crypto_hkdf.h +@@ -42,10 +42,10 @@ struct HKDFTraits final { + unsigned int offset, + HKDFConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const HKDFConfig& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const HKDFConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_hmac.cc b/src/crypto/crypto_hmac.cc +index b101d5c7..5d81a60a 100644 +--- a/src/crypto/crypto_hmac.cc ++++ b/src/crypto/crypto_hmac.cc +@@ -220,10 +220,10 @@ Maybe HmacTraits::AdditionalConfig( + return Just(true); + } + +-bool HmacTraits::DeriveBits( +- Environment* env, +- const HmacConfig& params, +- ByteSource* out) { ++bool 
HmacTraits::DeriveBits(Environment* env, ++ const HmacConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + HMACCtxPointer ctx(HMAC_CTX_new()); + + if (!ctx || +diff --git a/src/crypto/crypto_hmac.h b/src/crypto/crypto_hmac.h +index c80cc36f..dd490f05 100644 +--- a/src/crypto/crypto_hmac.h ++++ b/src/crypto/crypto_hmac.h +@@ -73,10 +73,10 @@ struct HmacTraits final { + unsigned int offset, + HmacConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const HmacConfig& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const HmacConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_pbkdf2.cc b/src/crypto/crypto_pbkdf2.cc +index 963d0db6..f6d37dad 100644 +--- a/src/crypto/crypto_pbkdf2.cc ++++ b/src/crypto/crypto_pbkdf2.cc +@@ -111,10 +111,10 @@ Maybe PBKDF2Traits::AdditionalConfig( + return Just(true); + } + +-bool PBKDF2Traits::DeriveBits( +- Environment* env, +- const PBKDF2Config& params, +- ByteSource* out) { ++bool PBKDF2Traits::DeriveBits(Environment* env, ++ const PBKDF2Config& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + ByteSource::Builder buf(params.length); + + // Both pass and salt may be zero length here. 
+diff --git a/src/crypto/crypto_pbkdf2.h b/src/crypto/crypto_pbkdf2.h +index 6fda7cd3..11ffad78 100644 +--- a/src/crypto/crypto_pbkdf2.h ++++ b/src/crypto/crypto_pbkdf2.h +@@ -55,10 +55,10 @@ struct PBKDF2Traits final { + unsigned int offset, + PBKDF2Config* params); + +- static bool DeriveBits( +- Environment* env, +- const PBKDF2Config& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const PBKDF2Config& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_random.cc b/src/crypto/crypto_random.cc +index 48154df7..03bdcd5c 100644 +--- a/src/crypto/crypto_random.cc ++++ b/src/crypto/crypto_random.cc +@@ -56,10 +56,10 @@ Maybe RandomBytesTraits::AdditionalConfig( + return Just(true); + } + +-bool RandomBytesTraits::DeriveBits( +- Environment* env, +- const RandomBytesConfig& params, +- ByteSource* unused) { ++bool RandomBytesTraits::DeriveBits(Environment* env, ++ const RandomBytesConfig& params, ++ ByteSource* unused, ++ CryptoJobMode mode) { + return CSPRNG(params.buffer, params.size).is_ok(); + } + +@@ -151,7 +151,8 @@ Maybe RandomPrimeTraits::AdditionalConfig( + + bool RandomPrimeTraits::DeriveBits(Environment* env, + const RandomPrimeConfig& params, +- ByteSource* unused) { ++ ByteSource* unused, ++ CryptoJobMode mode) { + // BN_generate_prime_ex() calls RAND_bytes_ex() internally. + // Make sure the CSPRNG is properly seeded. 
+ CHECK(CSPRNG(nullptr, 0).is_ok()); +@@ -194,11 +195,10 @@ Maybe CheckPrimeTraits::AdditionalConfig( + return Just(true); + } + +-bool CheckPrimeTraits::DeriveBits( +- Environment* env, +- const CheckPrimeConfig& params, +- ByteSource* out) { +- ++bool CheckPrimeTraits::DeriveBits(Environment* env, ++ const CheckPrimeConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + BignumCtxPointer ctx(BN_CTX_new()); + + int ret = BN_is_prime_ex( +diff --git a/src/crypto/crypto_random.h b/src/crypto/crypto_random.h +index a2807ed6..b673cbbf 100644 +--- a/src/crypto/crypto_random.h ++++ b/src/crypto/crypto_random.h +@@ -32,10 +32,10 @@ struct RandomBytesTraits final { + unsigned int offset, + RandomBytesConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const RandomBytesConfig& params, +- ByteSource* out_); ++ static bool DeriveBits(Environment* env, ++ const RandomBytesConfig& params, ++ ByteSource* out_, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +@@ -72,7 +72,8 @@ struct RandomPrimeTraits final { + static bool DeriveBits( + Environment* env, + const RandomPrimeConfig& params, +- ByteSource* out_); ++ ByteSource* out_, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +@@ -105,10 +106,10 @@ struct CheckPrimeTraits final { + unsigned int offset, + CheckPrimeConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const CheckPrimeConfig& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const CheckPrimeConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_scrypt.cc b/src/crypto/crypto_scrypt.cc +index 4dae07f1..99a6a0e7 100644 +--- a/src/crypto/crypto_scrypt.cc ++++ b/src/crypto/crypto_scrypt.cc +@@ -114,10 +114,10 @@ Maybe ScryptTraits::AdditionalConfig( + return Just(true); + } + +-bool ScryptTraits::DeriveBits( +- Environment* env, +- const 
ScryptConfig& params, +- ByteSource* out) { ++bool ScryptTraits::DeriveBits(Environment* env, ++ const ScryptConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode) { + ByteSource::Builder buf(params.length); + + // Both the pass and salt may be zero-length at this point +diff --git a/src/crypto/crypto_scrypt.h b/src/crypto/crypto_scrypt.h +index 3d185637..9ea9d75d 100644 +--- a/src/crypto/crypto_scrypt.h ++++ b/src/crypto/crypto_scrypt.h +@@ -57,10 +57,10 @@ struct ScryptTraits final { + unsigned int offset, + ScryptConfig* params); + +- static bool DeriveBits( +- Environment* env, +- const ScryptConfig& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const ScryptConfig& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc +index ab020efb..b84fd3b7 100644 +--- a/src/crypto/crypto_sig.cc ++++ b/src/crypto/crypto_sig.cc +@@ -706,11 +706,11 @@ Maybe SignTraits::AdditionalConfig( + return Just(true); + } + +-bool SignTraits::DeriveBits( +- Environment* env, +- const SignConfiguration& params, +- ByteSource* out) { +- ClearErrorOnReturn clear_error_on_return; ++bool SignTraits::DeriveBits(Environment* env, ++ const SignConfiguration& params, ++ ByteSource* out, ++ CryptoJobMode mode) { ++ bool can_throw = mode == CryptoJobMode::kCryptoJobSync; + EVPMDCtxPointer context(EVP_MD_CTX_new()); + EVP_PKEY_CTX* ctx = nullptr; + +@@ -722,7 +722,7 @@ bool SignTraits::DeriveBits( + params.digest, + nullptr, + params.key.get())) { +- crypto::CheckThrow(env, SignBase::Error::kSignInit); ++ if (can_throw) crypto::CheckThrow(env, SignBase::Error::kSignInit); + return false; + } + break; +@@ -733,7 +733,7 @@ bool SignTraits::DeriveBits( + params.digest, + nullptr, + params.key.get())) { +- crypto::CheckThrow(env, SignBase::Error::kSignInit); ++ if (can_throw) crypto::CheckThrow(env, SignBase::Error::kSignInit); + return false; + } + 
break; +@@ -751,7 +751,7 @@ bool SignTraits::DeriveBits( + ctx, + padding, + salt_length)) { +- crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); ++ if (can_throw) crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); + return false; + } + +@@ -765,7 +765,8 @@ bool SignTraits::DeriveBits( + &len, + params.data.data(), + params.data.size())) { +- crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); ++ if (can_throw) ++ crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); + return false; + } + ByteSource::Builder buf(len); +@@ -774,7 +775,8 @@ bool SignTraits::DeriveBits( + &len, + params.data.data(), + params.data.size())) { +- crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); ++ if (can_throw) ++ crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); + return false; + } + *out = std::move(buf).release(len); +@@ -785,13 +787,15 @@ bool SignTraits::DeriveBits( + params.data.data(), + params.data.size()) || + !EVP_DigestSignFinal(context.get(), nullptr, &len)) { +- crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); ++ if (can_throw) ++ crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); + return false; + } + ByteSource::Builder buf(len); + if (!EVP_DigestSignFinal( + context.get(), buf.data(), &len)) { +- crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); ++ if (can_throw) ++ crypto::CheckThrow(env, SignBase::Error::kSignPrivateKey); + return false; + } + +diff --git a/src/crypto/crypto_sig.h b/src/crypto/crypto_sig.h +index 63320147..3b2801fa 100644 +--- a/src/crypto/crypto_sig.h ++++ b/src/crypto/crypto_sig.h +@@ -147,10 +147,10 @@ struct SignTraits final { + unsigned int offset, + SignConfiguration* params); + +- static bool DeriveBits( +- Environment* env, +- const SignConfiguration& params, +- ByteSource* out); ++ static bool DeriveBits(Environment* env, ++ const SignConfiguration& params, ++ ByteSource* out, ++ CryptoJobMode mode); + + static v8::Maybe EncodeOutput( + Environment* env, +diff --git 
a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h +index 0ae2946e..260df59d 100644 +--- a/src/crypto/crypto_util.h ++++ b/src/crypto/crypto_util.h +@@ -498,9 +498,10 @@ class DeriveBitsJob final : public CryptoJob { + std::move(params)) {} + + void DoThreadPoolWork() override { ++ ClearErrorOnReturn clear_error_on_return; + if (!DeriveBitsTraits::DeriveBits( + AsyncWrap::env(), +- *CryptoJob::params(), &out_)) { ++ *CryptoJob::params(), &out_, this->mode())) { + CryptoErrorStore* errors = CryptoJob::errors(); + errors->Capture(); + if (errors->Empty()) +diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js +index 4e3c32fd..5924d36e 100644 +--- a/test/parallel/test-crypto-async-sign-verify.js ++++ b/test/parallel/test-crypto-async-sign-verify.js +@@ -141,3 +141,29 @@ test('dsa_public.pem', 'dsa_private.pem', 'sha256', false, + }) + .catch(common.mustNotCall()); + } ++ ++{ ++ const untrustedKey = `-----BEGIN PUBLIC KEY----- ++MCowBQYDK2VuAyEA6pwGRbadNQAI/tYN8+/p/0/hbsdHfOEGr1ADiLVk/Gc= ++-----END PUBLIC KEY-----`; ++ const data = crypto.randomBytes(32); ++ const signature = crypto.randomBytes(16); ++ ++ const expected = common.hasOpenSSL3 ? ++ /operation not supported for this keytype/ : /no default digest/; ++ ++ crypto.verify(undefined, data, untrustedKey, signature, common.mustCall((err) => { ++ assert.ok(err); ++ assert.match(err.message, expected); ++ })); ++} ++ ++{ ++ const { privateKey } = crypto.generateKeyPairSync('rsa', { ++ modulusLength: 512 ++ }); ++ crypto.sign('sha512', 'message', privateKey, common.mustCall((err) => { ++ assert.ok(err); ++ assert.match(err.message, /digest too big for rsa key/); ++ })); ++} +-- +2.34.1 + diff --git a/SPECS/nodejs/CVE-2025-47279.patch b/SPECS/nodejs/CVE-2025-47279.patch new file mode 100644 index 0000000000..32e733d851 --- /dev/null +++ b/SPECS/nodejs/CVE-2025-47279.patch 
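Review bot: `bool can_throw = mode == CryptoJobMode::kCryptoJobSync;` in SignTraits::DeriveBits carries the whole fix but has no comment, and every other DeriveBits overload touched by the patch accepts `mode` without using it. I would document it at the declaration, e.g. `// Only throw when running synchronously; async jobs report failures through CryptoErrorStore in DoThreadPoolWork.` That reading comes from the crypto_util.h hunk, where DoThreadPoolWork calls `errors->Capture()` after DeriveBits returns false and now owns `ClearErrorOnReturn`. A one-line note next to the DeriveBits call in crypto_util.h, saying that traits must not throw unless the mode is sync, would also help a future trait avoid the same mistake.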
@@ -0,0 +1,39 @@
+From 65cefbb3615e056330686cf5ffd1f7201fd8db58 Mon Sep 17 00:00:00 2001
+From: Aninda
+Date: Mon, 19 May 2025 20:44:26 -0400
+Subject: [PATCH] Address CVE-2025-47279
+Upstream Patch Reference: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
+
+---
+ deps/undici/src/lib/dispatcher/pool.js | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/deps/undici/src/lib/dispatcher/pool.js b/deps/undici/src/lib/dispatcher/pool.js
+index 0ba3a2b5..8cea1476 100644
+--- a/deps/undici/src/lib/dispatcher/pool.js
++++ b/deps/undici/src/lib/dispatcher/pool.js
+@@ -73,6 +73,21 @@ class Pool extends PoolBase {
+ ? { ...options.interceptors }
+ : undefined
+ this[kFactory] = factory
++
++ this.on('connectionError', (origin, targets, error) => {
++ // If a connection error occurs, we remove the client from the pool,
++ // and emit a connectionError event. They will not be re-used.
++ // Fixes https://github.com/nodejs/undici/issues/3895
++ for (const target of targets) {
++ // Do not use kRemoveClient here, as it will close the client,
++ // but the client cannot be closed in this state.
++ const idx = this[kClients].indexOf(target)
++ if (idx !== -1) {
++ this[kClients].splice(idx, 1)
++ }
++ }
++ })
++
+ }
+
+ [kGetDispatcher] () {
+--
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
index 3ba19889c4..2b28b31fe8 100644
--- a/SPECS/nodejs/nodejs.spec
+++ b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name: nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 # The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version: 20.14.0
-Release: 7%{?dist}
+Release: 9%{?dist}
 License: BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
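Review bot: The comment inside the new `connectionError` listener in Pool says the code will "emit a connectionError event", but the handler emits nothing; it only splices each target out of `this[kClients]`. Reword it to match what the code does, e.g. `// On a connection error, drop the affected clients from the pool so they are not re-used.` The splice also leaves the removed client unclosed, which the inner comment explains, but nothing in this hunk shows where that client is eventually destroyed, so a pointer to that place would help. The stray blank `+` line before the closing `}` can go.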
@@ -26,6 +26,9 @@ Patch7: CVE-2024-22195.patch Patch8: CVE-2020-28493.patch Patch9: CVE-2024-34064.patch Patch10: CVE-2025-27516.patch +Patch11: CVE-2025-47279.patch +Patch12: CVE-2025-23165.patch +Patch13: CVE-2025-23166.patch BuildRequires: brotli-devel BuildRequires: c-ares-devel BuildRequires: coreutils >= 8.22 @@ -137,6 +140,12 @@ make cctest %{_prefix}/lib/node_modules/* %changelog +* Tue May 27 2025 Aninda Pradhan - 20.14.0-9 +- Patch CVE-2025-23165, CVE-2025-23166 + +* Wed May 21 2025 Aninda Pradhan - 20.14.0-8 +- Patch CVE-2025-47279 + * Mon Mar 10 2025 Sandeep Karambelkar - 20.14.0-7 - Patch CVE-2025-27516 diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json index 0d05496be4..7cd1ed0bb1 100644 --- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "nvidia-container-toolkit-1.17.4-vendor.tar.gz": "cf32482be12a65f1a5d8fd9cf4175824fe78f7f2dd022394568df18c4580b69a", - "nvidia-container-toolkit-1.17.4.tar.gz": "f960b9ec55e479e591c6deb10166c9c73a0cefc01c10659af6eaf3f17d96fd8c" + "nvidia-container-toolkit-1.17.8-vendor.tar.gz": "c19168dff49faeb886cc4d9a49bc9ce5e84996e66b68530eb68a7148334f8c56", + "nvidia-container-toolkit-1.17.8.tar.gz": "9ce6fc5dd355441febf0008d4fd48cc621b9ec936cad122c64d3f252ba845199" } } diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec index 6ab95dfd5d..51228d9939 100644 --- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec 
@@ -1,8 +1,8 @@ %global debug_package %{nil} Summary: NVIDIA container runtime hook Name: nvidia-container-toolkit -Version: 1.17.4 -Release: 4%{?dist} +Version: 1.17.8 +Release: 1%{?dist} License: ALS2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -87,6 +87,10 @@ rm -f %{_bindir}/nvidia-container-toolkit %{_bindir}/nvidia-cdi-hook %changelog +* Mon Sep 8 2025 Lee Chee Yang - 1.17.8-1 +- merge from Azure Linux 3.0.20250822-3.0. +- Upgrade to 1.17.8 to resolve CVE-2025-23266 + * Fri May 30 2025 Ranjan Dutta - 1.17.4-4 - merge from Azure Linux 3.0.20250521-3.0 - Removed extraction command from prep diff --git a/SPECS/opa/CVE-2025-46569.patch b/SPECS/opa/CVE-2025-46569.patch new file mode 100644 index 0000000000..994c86126c --- /dev/null +++ b/SPECS/opa/CVE-2025-46569.patch 
@@ -0,0 +1,373 @@ +From 7884928e4539de0a800414e2c68a2912a386344d Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Tue, 10 Jun 2025 07:21:09 +0000 +Subject: [PATCH] Address CVE-2025-46569 + +Upstream Patch Reference: https://github.com/open-policy-agent/opa/commit/ad2063247a14711882f18c387a511fc8094aa79c + +--- + server/server.go | 92 +++++++++++++++---- + server/server_test.go | 150 ++++++++++++++++++++++++++++++- + test/e2e/metrics/metrics_test.go | 1 - + 3 files changed, 226 insertions(+), 17 deletions(-) + +diff --git a/server/server.go b/server/server.go +index 64eeaa6..e5ab876 100644 +--- a/server/server.go ++++ b/server/server.go +@@ -1135,19 +1135,23 @@ func (s *Server) v0QueryPath(w http.ResponseWriter, r *http.Request, urlPath str + } + + if len(rs) == 0 { +- ref := stringPathToDataRef(urlPath) ++ ref, err := stringPathToDataRef(urlPath) ++ if err != nil { ++ writer.Error(w, http.StatusBadRequest, types.NewErrorV1(types.CodeInvalidParameter, "invalid path: %v", err)) ++ return ++ } + + var messageType = types.MsgMissingError + if len(s.getCompiler().GetRulesForVirtualDocument(ref)) > 0 { + messageType = types.MsgFoundUndefinedError + } +- err := types.NewErrorV1(types.CodeUndefinedDocument, fmt.Sprintf("%v: %v", messageType, ref)) +- if err := logger.Log(ctx, txn, urlPath, "", goInput, input, nil, ndbCache, err, m); err != nil { ++ errV1 := types.NewErrorV1(types.CodeUndefinedDocument, "%v: %v", messageType, ref) ++ if err := logger.Log(ctx, txn, urlPath, "", goInput, input, nil, ndbCache, errV1, m); err != nil { + writer.ErrorAuto(w, err) + return + } + +- writer.Error(w, http.StatusNotFound, err) ++ writer.Error(w, http.StatusNotFound, errV1) + return + } + err = logger.Log(ctx, txn, urlPath, "", goInput, input, &rs[0].Expressions[0].Value, ndbCache, nil, m) +@@ -1306,10 +1310,15 @@ func (s *Server) unversionedGetHealthWithPolicy(w http.ResponseWriter, r *http.R + vars := mux.Vars(r) + urlPath := vars["path"] + healthDataPath := 
fmt.Sprintf("/system/health/%s", urlPath) +- healthDataPath = stringPathToDataRef(healthDataPath).String() ++ ++ healthDataPathQuery, err := stringPathToQuery(healthDataPath) ++ if err != nil { ++ writer.Error(w, http.StatusBadRequest, types.NewErrorV1(types.CodeInvalidParameter, "invalid path: %v", err)) ++ return ++ } + + rego := rego.New( +- rego.Query(healthDataPath), ++ rego.ParsedQuery(healthDataPathQuery), + rego.Compiler(s.getCompiler()), + rego.Store(s.store), + rego.Input(input), +@@ -1324,7 +1333,7 @@ func (s *Server) unversionedGetHealthWithPolicy(w http.ResponseWriter, r *http.R + } + + if len(rs) == 0 { +- writeHealthResponse(w, fmt.Errorf("health check (%v) was undefined", healthDataPath)) ++ writeHealthResponse(w, fmt.Errorf("health check (%v) was undefined", healthDataPathQuery)) + return + } + +@@ -1334,7 +1343,7 @@ func (s *Server) unversionedGetHealthWithPolicy(w http.ResponseWriter, r *http.R + return + } + +- writeHealthResponse(w, fmt.Errorf("health check (%v) returned unexpected value", healthDataPath)) ++ writeHealthResponse(w, fmt.Errorf("health check (%v) returned unexpected value", healthDataPathQuery)) + } + + func writeHealthResponse(w http.ResponseWriter, err error) { +@@ -2551,12 +2560,15 @@ func (s *Server) makeRego(ctx context.Context, + tracer topdown.QueryTracer, + opts []func(*rego.Rego), + ) (*rego.Rego, error) { +- queryPath := stringPathToDataRef(urlPath).String() ++ query, err := stringPathToQuery(urlPath) ++ if err != nil { ++ return nil, types.NewErrorV1(types.CodeInvalidParameter, "invalid path: %v", err) ++ } + + opts = append( + opts, + rego.Transaction(txn), +- rego.Query(queryPath), ++ rego.ParsedQuery(query), + rego.ParsedInput(input), + rego.Metrics(m), + rego.QueryTracer(tracer), +@@ -2571,6 +2583,43 @@ func (s *Server) makeRego(ctx context.Context, + return rego.New(opts...), nil + } + ++func stringPathToQuery(urlPath string) (ast.Body, error) { ++ ref, err := stringPathToDataRef(urlPath) ++ if err != nil { ++ 
return nil, err ++ } ++ ++ return parseRefQuery(ref.String()) ++} ++ ++// parseRefQuery parses a string into a query ast.Body. ++// The resulting query must be comprised of a single ref, or an error will be returned. ++func parseRefQuery(str string) (ast.Body, error) { ++ query, err := ast.ParseBody(str) ++ if err != nil { ++ return nil, errors.New("failed to parse query") ++ } ++ ++ // assert the query is exactly one statement ++ if l := len(query); l == 0 { ++ return nil, errors.New("no ref") ++ } else if l > 1 { ++ return nil, errors.New("complex query") ++ } ++ ++ // assert the single statement is a lone ref ++ expr := query[0] ++ switch t := expr.Terms.(type) { ++ case *ast.Term: ++ switch t.Value.(type) { ++ case ast.Ref: ++ return query, nil ++ } ++ } ++ ++ return nil, errors.New("complex query") ++} ++ + func (s *Server) prepareV1PatchSlice(root string, ops []types.PatchV1) (result []patchImpl, err error) { + + root = "/" + strings.Trim(root, "/") +@@ -2678,23 +2727,36 @@ func (s *Server) updateNDCache(enabled bool) { + s.ndbCacheEnabled = enabled + } + +-func stringPathToDataRef(s string) (r ast.Ref) { ++func stringPathToDataRef(s string) (ast.Ref, error) { + result := ast.Ref{ast.DefaultRootDocument} +- return append(result, stringPathToRef(s)...) 
++ r, err := stringPathToRef(s) ++ if err != nil { ++ return nil, err ++ } ++ return append(result, r...), nil + } + +-func stringPathToRef(s string) (r ast.Ref) { ++func stringPathToRef(s string) (ast.Ref, error) { ++ r := ast.Ref{} ++ + if len(s) == 0 { +- return r ++ return r, nil + } ++ + p := strings.Split(s, "/") + for _, x := range p { + if x == "" { + continue + } ++ + if y, err := url.PathUnescape(x); err == nil { + x = y + } ++ ++ if strings.Contains(x, "\"") { ++ return nil, fmt.Errorf("invalid ref term '%s'", x) ++ } ++ + i, err := strconv.Atoi(x) + if err != nil { + r = append(r, ast.StringTerm(x)) +@@ -2702,7 +2764,7 @@ func stringPathToRef(s string) (r ast.Ref) { + r = append(r, ast.IntNumberTerm(i)) + } + } +- return r ++ return r, nil + } + + func validateQuery(query string) (ast.Body, error) { +diff --git a/server/server_test.go b/server/server_test.go +index 9a827af..8de136e 100644 +--- a/server/server_test.go ++++ b/server/server_test.go +@@ -2736,7 +2736,6 @@ func TestDataMetricsEval(t *testing.T) { + "counter_disk_read_keys", + "counter_disk_read_bytes", + "timer_rego_input_parse_ns", +- "timer_rego_query_parse_ns", + "timer_rego_query_compile_ns", + "timer_rego_query_eval_ns", + "timer_server_handler_ns", +@@ -5739,3 +5738,152 @@ func zipString(input string) []byte { + } + return b.Bytes() + } ++ ++func TestStringPathToDataRef(t *testing.T) { ++ t.Parallel() ++ ++ cases := []struct { ++ note string ++ path string ++ expRef string ++ expErr string ++ }{ ++ {path: "foo", expRef: `data.foo`}, ++ {path: "foo/", expRef: `data.foo`}, ++ {path: "foo/bar", expRef: `data.foo.bar`}, ++ {path: "foo/bar/", expRef: `data.foo.bar`}, ++ {path: "foo/../bar", expRef: `data.foo[".."].bar`}, ++ ++ // Path injection attack ++ // url path: `foo%22%5D%3Bmalicious_call%28%29%3Bx%3D%5B%22` ++ // url decoded: `foo"];malicious_call();x=["` ++ // data ref .String(): `data.foo["\"];malicious_call();x=[\""]` ++ // Above attack is mitigated by rejecting any ref component 
containing string terminators (`"`). ++ { ++ note: "string terminals inside ref term", ++ path: "foo%22%5D%3Bmalicious_call%28%29%3Bx%3D%5B%22", // foo"];malicious_call();x=[" ++ expErr: `invalid ref term 'foo"];malicious_call();x=["'`, ++ }, ++ } ++ ++ for _, tc := range cases { ++ note := tc.note ++ if note == "" { ++ note = strings.ReplaceAll(tc.path, "/", "_") ++ } ++ ++ t.Run(note, func(t *testing.T) { ++ ref, err := stringPathToDataRef(tc.path) ++ ++ if tc.expRef != "" { ++ if err != nil { ++ t.Fatalf("Expected ref:\n\n%s\n\nbut got error:\n\n%s", tc.expRef, err) ++ } ++ if refStr := ref.String(); refStr != tc.expRef { ++ t.Fatalf("Expected ref:\n\n%s\n\nbut got:\n\n%s", tc.expRef, refStr) ++ } ++ } ++ ++ if tc.expErr != "" { ++ if ref != nil { ++ t.Fatalf("Expected error:\n\n%s\n\nbut got ref:\n\n%s", tc.expErr, ref.String()) ++ } ++ if errStr := err.Error(); errStr != tc.expErr { ++ t.Fatalf("Expected error:\n\n%s\n\nbut got ref:\n\n%s", tc.expErr, errStr) ++ } ++ } ++ }) ++ } ++} ++ ++func TestParseRefQuery(t *testing.T) { ++ t.Parallel() ++ ++ cases := []struct { ++ note string ++ raw string ++ expBody ast.Body ++ expErr string ++ }{ ++ { ++ note: "unparseable", ++ raw: `}abc{`, ++ expErr: "failed to parse query", ++ }, ++ { ++ note: "empty", ++ raw: ``, ++ expErr: "no ref", ++ }, ++ { ++ note: "single ref", ++ raw: `data.foo.bar`, ++ expBody: ast.MustParseBody(`data.foo.bar`), ++ }, ++ { ++ note: "multiple refs,';' separated", ++ raw: `data.foo.bar;data.baz.qux`, ++ expErr: "complex query", ++ }, ++ { ++ note: "multiple refs,newline separated", ++ raw: `data.foo.bar ++data.baz.qux`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single ref + call", ++ raw: `data.foo.bar;data.baz.qux()`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single ref + assignment", ++ raw: `data.foo.bar;x := 42`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single call", ++ raw: `data.foo.bar()`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single assignment", ++ 
raw: `x := 42`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single unification", ++ raw: `x = 42`, ++ expErr: "complex query", ++ }, ++ { ++ note: "single equality", ++ raw: `x == 42`, ++ expErr: "complex query", ++ }, ++ } ++ ++ for _, tc := range cases { ++ t.Run(tc.note, func(t *testing.T) { ++ body, err := parseRefQuery(tc.raw) ++ ++ if tc.expBody != nil { ++ if err != nil { ++ t.Fatalf("Expected body:\n\n%s\n\nbut got error:\n\n%s", tc.expBody, err) ++ } ++ if body.String() != tc.expBody.String() { ++ t.Fatalf("Expected body:\n\n%s\n\nbut got:\n\n%s", tc.expBody, body.String()) ++ } ++ } ++ ++ if tc.expErr != "" { ++ if body != nil { ++ t.Fatalf("Expected error:\n\n%s\n\nbut got body:\n\n%s", tc.expErr, body.String()) ++ } ++ if errStr := err.Error(); errStr != tc.expErr { ++ t.Fatalf("Expected error:\n\n%s\n\nbut got body:\n\n%s", tc.expErr, errStr) ++ } ++ } ++ }) ++ } ++} +diff --git a/test/e2e/metrics/metrics_test.go b/test/e2e/metrics/metrics_test.go +index e067909..e90d8fb 100644 +--- a/test/e2e/metrics/metrics_test.go ++++ b/test/e2e/metrics/metrics_test.go +@@ -211,7 +211,6 @@ func assertDataInstrumentationMetricsInMap(t *testing.T, includeCompile bool, me + "timer_server_handler_ns", + } + compileStageKeys := []string{ +- "timer_rego_query_parse_ns", + "timer_rego_query_compile_ns", + "timer_query_compile_stage_build_comprehension_index_ns", + "timer_query_compile_stage_check_safety_ns", +-- +2.45.2 + diff --git a/SPECS/opa/opa.spec b/SPECS/opa/opa.spec index 7f3253ffac..20b3b3e820 100644 --- a/SPECS/opa/opa.spec +++ b/SPECS/opa/opa.spec @@ -5,7 +5,7 @@ Summary: Open source, general-purpose policy engine Name: opa Version: 0.63.0 -Release: 2%{?dist} +Release: 3%{?dist} # Upstream license specification: MIT and Apache-2.0 # Main package: ASL 2.0 # internal/jwx: MIT 
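Review bot: parseRefQuery inspects only `expr.Terms` when asserting that the query is a lone ref, so a single expression that wraps a ref in `not` or carries a `with` modifier would presumably still be accepted. The callers shown build the string from `Ref.String()` after stringPathToRef rejects `"`, so this may not be reachable today, but the helper's own comment promises a query "comprised of a single ref". Adding `if expr.Negated || len(expr.With) > 0 { return nil, errors.New("complex query") }` before the type switch, with matching cases in TestParseRefQuery, would make the guard hold on its own. The nested single-case type switches could then be written as two comma-ok assertions.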
@@ -21,6 +21,7 @@ Patch0: 0001-Make-telemetry-opt-out.patch # Skip tests requiring network Patch1: 0001-Skip-tests-requiring-network.patch Patch2: CVE-2023-45288.patch +Patch3: CVE-2025-46569.patch # Warn users about WebAssembly missing BuildRequires: golang BuildRequires: make @@ -54,6 +55,10 @@ install -D -p -m 0644 man/* %{buildroot}%{_mandir}/man1/ %{_bindir}/* %changelog +* Mon Sep 8 2025 Chee Yang Lee - 0.63.0-3 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2025-46569 + * Fri Mar 21 2025 Anuj Mittal - 0.63.0-2 - Bump Release to rebuild diff --git a/SPECS/pam/CVE-2025-6020.patch b/SPECS/pam/CVE-2025-6020.patch new file mode 100644 index 0000000000..f08e6ef453 --- /dev/null +++ b/SPECS/pam/CVE-2025-6020.patch 
@@ -0,0 +1,1272 @@ +From 21c16e9d0ef6a98386eb386461adaceae26cffe0 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Tue, 24 Jun 2025 06:43:33 +0000 +Subject: [PATCH] CVE-2025-6020 + +Upstream Patch Reference: https://launchpadlibrarian.net/799962342/pam_1.5.3-5ubuntu5.4_source.changes +--- + modules/pam_namespace/namespace.init | 56 +- + modules/pam_namespace/pam_namespace.c | 715 +++++++++++++++++++------- + modules/pam_namespace/pam_namespace.h | 11 + + 3 files changed, 572 insertions(+), 210 deletions(-) + +diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init +index 1a6b624..8782178 100755 +--- a/modules/pam_namespace/namespace.init ++++ b/modules/pam_namespace/namespace.init +@@ -1,25 +1,43 @@ + #!/bin/sh +-# It receives polydir path as $1, the instance path as $2, +-# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, +-# and user name in $4. ++# It receives as arguments: ++# - $1 polydir path (see WARNING below) ++# - $2 instance path (see WARNING below) ++# - $3 flag whether the instance dir was newly created (0 - no, 1 - yes) ++# - $4 user name ++# - $5 flag whether the polydir path ($1) is safe (0 - unsafe, 1 -safe) ++# - $6 flag whether the instance path ($2) is safe (0 - unsafe, 1 - safe) ++# ++# WARNING: This script is invoked with full root privileges. Accessing ++# the polydir ($1) and the instance ($2) directories in this context may be ++# extremely dangerous as those can be under user control. The flags $5 and $6 ++# are provided to let you know if all the segments part of the path (except the ++# last one) are owned by root and are writable by root only. If the path does ++# not meet these criteria, you expose yourself to possible symlink attacks when ++# accessing these path. ++# However, even if the path components are safe, the content of the ++# directories may still be owned/writable by a user, so care must be taken! 
+ # + # The following section will copy the contents of /etc/skel if this is a + # newly created home directory. +-if [ "$3" = 1 ]; then +- # This line will fix the labeling on all newly created directories +- [ -x /sbin/restorecon ] && /sbin/restorecon "$1" +- user="$4" +- passwd=$(getent passwd "$user") +- homedir=$(echo "$passwd" | cut -f6 -d":") +- if [ "$1" = "$homedir" ]; then +- gid=$(echo "$passwd" | cut -f4 -d":") +- cp -rT /etc/skel "$homedir" +- chown -R "$user":"$gid" "$homedir" +- mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs) +- mode=$(printf "%o" $((0777 & ~mask))) +- chmod ${mode:-700} "$homedir" +- [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" +- fi +-fi + ++# Executes only if the polydir path is safe ++if [ "$5" = 1 ]; then ++ ++ if [ "$3" = 1 ]; then ++ # This line will fix the labeling on all newly created directories ++ [ -x /sbin/restorecon ] && /sbin/restorecon "$1" ++ user="$4" ++ passwd=$(getent passwd "$user") ++ homedir=$(echo "$passwd" | cut -f6 -d":") ++ if [ "$1" = "$homedir" ]; then ++ gid=$(echo "$passwd" | cut -f4 -d":") ++ cp -rT /etc/skel "$homedir" ++ chown -R "$user":"$gid" "$homedir" ++ mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs) ++ mode=$(printf "%o" $((0777 & ~mask))) ++ chmod ${mode:-700} "$homedir" ++ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" ++ fi ++ fi ++fi + exit 0 +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index 83d0a52..7716c45 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -78,6 +78,8 @@ pam_snprintf(char *str, size_t size, const char *fmt, ...) 
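Review bot: When `$5` is not 1 the script skips the whole initialisation and still ends with `exit 0`, so a session whose skeleton copy was skipped leaves no trace. On the C side, check_safe_path logs its "Path deemed unsafe" reason only when PAMNS_DEBUG is set. An `else` branch on the outer `if` that records the event would let an administrator see why a home directory came up empty, for example `logger -p auth.notice -t namespace.init "polydir for $4 not initialised: path not safe"`, provided `logger` is present on the target image. The header comment also has a spacing slip in `1 -safe`.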
+ ##__VA_ARGS__) + + ++#define MAGIC_LNK_FD_SIZE 64 ++ + /* --- evaluating all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ + static const char *base_name(const char *path) + { +@@ -104,7 +106,7 @@ strip_trailing_slashes(char *str) + static int protect_mount(int dfd, const char *path, struct instance_data *idata) + { + struct protect_dir_s *dir = idata->protect_dirs; +- char tmpbuf[64]; ++ char tmpbuf[MAGIC_LNK_FD_SIZE]; + + while (dir != NULL) { + if (strcmp(path, dir->dir) == 0) { +@@ -149,56 +151,106 @@ static int protect_mount(int dfd, const char *path, struct instance_data *idata) + return 0; + } + +-static int protect_dir(const char *path, mode_t mode, int do_mkdir, ++/* ++ * Returns a fd to the given absolute path, acquired securely. This means: ++ * - iterating on each segment of the path, ++ * - not following user symlinks, ++ * - using race-free operations. ++ * ++ * Takes a bit mask to specify the operation mode: ++ * - SECURE_OPENDIR_PROTECT: call protect_mount() on each unsafe segment of path ++ * - SECURE_OPENDIR_MKDIR: create last segment of path if does not exist ++ * - SECURE_OPENDIR_FULL_FD: open the directory with O_RDONLY instead of O_PATH, ++ * allowing more operations to be done with the returned fd ++ * ++ * Be aware that using SECURE_OPENDIR_PROTECT: ++ * - will modify some external state (global structure...) and should not be ++ * called in cleanup code paths. 
See wrapper secure_opendir_stateless() ++ * - need a non-NULL idata to call protect_mount() ++ */ ++static int secure_opendir(const char *path, int opm, mode_t mode, + struct instance_data *idata) + { +- char *p = strdup(path); ++ char *p; + char *d; +- char *dir = p; +- int dfd = AT_FDCWD; ++ char *dir; ++ int dfd = -1; + int dfd_next; + int save_errno; +- int flags = O_RDONLY | O_DIRECTORY; ++ int flags = O_DIRECTORY | O_CLOEXEC; + int rv = -1; + struct stat st; + +- if (p == NULL) { ++ if (opm & SECURE_OPENDIR_FULL_FD) ++ flags |= O_RDONLY; ++ else ++ flags |= O_PATH; ++ ++ /* Check for args consistency */ ++ if ((opm & SECURE_OPENDIR_PROTECT) && idata == NULL) + return -1; +- } + +- if (*dir == '/') { +- dfd = open("/", flags); +- if (dfd == -1) { +- goto error; +- } +- dir++; /* assume / is safe */ ++ /* Accept only absolute paths */ ++ if (*path != '/') ++ return -1; ++ ++ dir = p = strdup(path); ++ if (p == NULL) ++ return -1; ++ ++ /* Assume '/' is safe */ ++ dfd = open("/", flags); ++ if (dfd == -1) ++ goto error; ++ ++ /* Needed to not loop too far and call openat() on NULL */ ++ strip_trailing_slashes(p); ++ ++ dir++; ++ ++ /* In case path is '/' */ ++ if (*dir == '\0') { ++ free(p); ++ return dfd; + } + + while ((d=strchr(dir, '/')) != NULL) { + *d = '\0'; ++ + dfd_next = openat(dfd, dir, flags); +- if (dfd_next == -1) { ++ if (dfd_next == -1) + goto error; +- } +- +- if (dfd != AT_FDCWD) +- close(dfd); +- dfd = dfd_next; + +- if (fstat(dfd, &st) != 0) { ++ if (fstat(dfd_next, &st) != 0) { ++ close(dfd_next); + goto error; + } + +- if (flags & O_NOFOLLOW) { ++ if ((flags & O_NOFOLLOW) && (opm & SECURE_OPENDIR_PROTECT)) { + /* we are inside user-owned dir - protect */ +- if (protect_mount(dfd, p, idata) == -1) ++ if (protect_mount(dfd_next, p, idata) == -1) { ++ close(dfd_next); ++ goto error; ++ } ++ /* ++ * Reopen the directory to obtain a new descriptor ++ * after protect_mount(), this is necessary in cases ++ * when another directory is going to be 
mounted over ++ * the given path. ++ */ ++ close(dfd_next); ++ dfd_next = openat(dfd, dir, flags); ++ if (dfd_next == -1) + goto error; +- } else if (st.st_uid != 0 || st.st_gid != 0 || +- (st.st_mode & S_IWOTH)) { ++ } else if (st.st_uid != 0 ++ || (st.st_mode & (S_IWGRP|S_IWOTH))) { + /* do not follow symlinks on subdirectories */ + flags |= O_NOFOLLOW; + } + ++ close(dfd); ++ dfd = dfd_next; ++ + *d = '/'; + dir = d + 1; + } +@@ -206,13 +258,14 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + rv = openat(dfd, dir, flags); + + if (rv == -1) { +- if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { ++ if ((opm & SECURE_OPENDIR_MKDIR) && mkdirat(dfd, dir, mode) == 0) ++ rv = openat(dfd, dir, flags); ++ ++ if (rv == -1) + goto error; +- } +- rv = openat(dfd, dir, flags); + } + +- if (flags & O_NOFOLLOW) { ++ if ((flags & O_NOFOLLOW) && (opm & SECURE_OPENDIR_PROTECT)) { + /* we are inside user-owned dir - protect */ + if (protect_mount(rv, p, idata) == -1) { + save_errno = errno; +@@ -220,18 +273,95 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + rv = -1; + errno = save_errno; + } ++ /* ++ * Reopen the directory to obtain a new descriptor after ++ * protect_mount(), this is necessary in cases when another ++ * directory is going to be mounted over the given path. ++ */ ++ close(rv); ++ rv = openat(dfd, dir, flags); + } + + error: + save_errno = errno; + free(p); +- if (dfd != AT_FDCWD && dfd >= 0) ++ if (dfd >= 0) + close(dfd); + errno = save_errno; + + return rv; + } + ++/* ++ * Returns a fd to the given path, acquired securely. ++ * It can be called in all situations, including in cleanup code paths, as ++ * it does not modify external state (no access to global structures...). ++ */ ++static int secure_opendir_stateless(const char *path) ++{ ++ return secure_opendir(path, 0, 0, NULL); ++} ++ ++/* ++ * Umount securely the given path, even if the directories along ++ * the path are under user control. 
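Review bot: The two new early exits in secure_opendir return -1 without setting errno: `SECURE_OPENDIR_PROTECT` with a NULL idata, and a path that does not start with '/'. Callers in this patch branch on errno and log it; ns_setup tests `errno != ENOENT` and prints `%m` after a failed call. A stale ENOENT from an earlier call would make a rejected relative path look like a missing directory. As far as these hunks show, create_polydir then fails at the same check, so the effect is a misleading log line rather than a bypass. Setting `errno = EINVAL;` before each of those `return -1;` lines keeps the reported reason accurate; the function body continues in the following hunks.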
It should protect against ++ * symlinks attacks and race conditions. ++ */ ++static int secure_umount(const char *path) ++{ ++ int save_errno; ++ int rv = -1; ++ int dfd = -1; ++ char s_path[MAGIC_LNK_FD_SIZE]; ++ ++ dfd = secure_opendir_stateless(path); ++ if (dfd == -1) ++ return rv; ++ ++ if (pam_sprintf(s_path, "/proc/self/fd/%d", dfd) < 0) ++ goto error; ++ ++ /* ++ * We still have a fd open to path itself, ++ * so we need to do a lazy umount. ++ */ ++ rv = umount2(s_path, MNT_DETACH); ++ ++error: ++ save_errno = errno; ++ close(dfd); ++ errno = save_errno; ++ return rv; ++} ++ ++/* ++ * Rmdir the given path securely, protecting against symlinks attacks ++ * and race conditions. ++ * This function is currently called only in cleanup code paths where ++ * any errors returned are not handled, so do not handle them either. ++ * Basically, try to rmdir the path on a best-effort basis. ++ */ ++static void secure_try_rmdir(const char *path) ++{ ++ int dfd; ++ char *buf; ++ char *parent; ++ ++ buf = strdup(path); ++ if (buf == NULL) ++ return; ++ ++ parent = dirname(buf); ++ ++ dfd = secure_opendir_stateless(parent); ++ if (dfd >= 0) { ++ unlinkat(dfd, base_name(path), AT_REMOVEDIR); ++ close(dfd); ++ } ++ ++ free(buf); ++} ++ + /* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/namespace.d/@filename@.conf exists, then +@@ -357,7 +487,7 @@ static void unprotect_dirs(struct protect_dir_s *dir) + struct protect_dir_s *next; + + while (dir != NULL) { +- umount(dir->dir); ++ secure_umount(dir->dir); + free(dir->dir); + next = dir->next; + free(dir); +@@ -761,13 +891,9 @@ static int process_line(char *line, const char *home, const char *rhome, + goto skipping; + } + +-#define COPY_STR(dst, src, apd) \ +- pam_sprintf((dst), "%s%s", (src), (apd)) +- +- if (COPY_STR(poly->dir, dir, "") < 0 +- || COPY_STR(poly->rdir, rdir, "") < 0 +- || COPY_STR(poly->instance_prefix, instance_prefix, +- poly->method == TMPDIR ? 
"XXXXXX" : "") < 0) { ++ if (pam_sprintf(poly->dir, "%s", dir) < 0 ++ || pam_sprintf(poly->rdir, "%s", rdir) < 0 ++ || pam_sprintf(poly->instance_prefix, "%s", instance_prefix) < 0) { + pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); + goto skipping; + } +@@ -1050,6 +1176,23 @@ static char *md5hash(const char *instname, struct instance_data *idata) + } + + #ifdef WITH_SELINUX ++static char *secure_getfilecon(pam_handle_t *pamh, const char *dir) ++{ ++ char *ctx = NULL; ++ int dfd = secure_opendir(dir, SECURE_OPENDIR_FULL_FD, 0, NULL); ++ if (dfd < 0) { ++ pam_syslog(pamh, LOG_ERR, "Error getting fd to %s: %m", dir); ++ return NULL; ++ } ++ if (fgetfilecon(dfd, &ctx) < 0) ++ ctx = NULL; ++ if (ctx == NULL) ++ pam_syslog(pamh, LOG_ERR, ++ "Error getting poly dir context for %s: %m", dir); ++ close(dfd); ++ return ctx; ++} ++ + static int form_context(const struct polydir_s *polyptr, + char **i_context, char **origcon, + struct instance_data *idata) +@@ -1061,12 +1204,9 @@ static int form_context(const struct polydir_s *polyptr, + /* + * Get the security context of the directory to polyinstantiate. 
+ */ +- rc = getfilecon(polyptr->dir, origcon); +- if (rc < 0 || *origcon == NULL) { +- pam_syslog(idata->pamh, LOG_ERR, +- "Error getting poly dir context, %m"); ++ *origcon = secure_getfilecon(idata->pamh, polyptr->dir); ++ if (*origcon == NULL) + return PAM_SESSION_ERR; +- } + + if (polyptr->method == USER) return PAM_SUCCESS; + +@@ -1163,29 +1303,52 @@ static int form_context(const struct polydir_s *polyptr, + #endif + + /* +- * poly_name returns the name of the polyinstantiated instance directory ++ * From the instance differentiation string, set in the polyptr structure: ++ * - the absolute path to the instance dir, ++ * - the absolute path to the previous dir (parent), ++ * - the instance name (may be different than the instance differentiation string) ++ */ ++static int set_polydir_paths(struct polydir_s *polyptr, const char *inst_differentiation) ++{ ++ char *tmp; ++ ++ if (pam_sprintf(polyptr->instance_absolute, "%s%s", ++ polyptr->instance_prefix, inst_differentiation) < 0) ++ return -1; ++ ++ polyptr->instname = strrchr(polyptr->instance_absolute, '/') + 1; ++ ++ if (pam_sprintf(polyptr->instance_parent, "%s", polyptr->instance_absolute) < 0) ++ return -1; ++ ++ tmp = strrchr(polyptr->instance_parent, '/') + 1; ++ *tmp = '\0'; ++ ++ return 0; ++} ++ ++/* ++ * Set the name of the polyinstantiated instance directory + * based on the method used for polyinstantiation (user, context or level) + * In addition, the function also returns the security contexts of the + * original directory to polyinstantiate and the polyinstantiated instance + * directory. 
+ */ + #ifdef WITH_SELINUX +-static int poly_name(const struct polydir_s *polyptr, char **i_name, +- char **i_context, char **origcon, +- struct instance_data *idata) ++static int poly_name(struct polydir_s *polyptr, char **i_context, ++ char **origcon, struct instance_data *idata) + #else +-static int poly_name(const struct polydir_s *polyptr, char **i_name, +- struct instance_data *idata) ++static int poly_name(struct polydir_s *polyptr, struct instance_data *idata) + #endif + { + int rc; ++ char *inst_differentiation = NULL; + char *hash = NULL; + enum polymethod pm; + #ifdef WITH_SELINUX + char *rawcon = NULL; + #endif + +- *i_name = NULL; + #ifdef WITH_SELINUX + *i_context = NULL; + *origcon = NULL; +@@ -1219,7 +1382,7 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + + switch (pm) { + case USER: +- if ((*i_name = strdup(idata->user)) == NULL) ++ if ((inst_differentiation = strdup(idata->user)) == NULL) + goto fail; + break; + +@@ -1231,20 +1394,24 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + goto fail; + } + if (polyptr->flags & POLYDIR_SHARED) +- *i_name = strdup(rawcon); ++ inst_differentiation = strdup(rawcon); + else +- *i_name = pam_asprintf("%s_%s", rawcon, idata->user); +- if (*i_name == NULL) ++ inst_differentiation = pam_asprintf("%s_%s", rawcon, idata->user); ++ if (inst_differentiation == NULL) + goto fail; + break; + + #endif /* WITH_SELINUX */ + + case TMPDIR: ++ if ((inst_differentiation = strdup("XXXXXX")) == NULL) ++ goto fail; ++ goto success; ++ + case TMPFS: +- if ((*i_name=strdup("")) == NULL) ++ if ((inst_differentiation=strdup("")) == NULL) + goto fail; +- return PAM_SUCCESS; ++ goto success; + + default: + if (idata->flags & PAMNS_DEBUG) +@@ -1253,32 +1420,37 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + } + + if (idata->flags & PAMNS_DEBUG) +- pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); ++ pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", 
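Review bot: set_polydir_paths adds 1 to the result of `strrchr(..., '/')` twice without checking for NULL. An `instance_prefix` containing no '/' would leave `polyptr->instname` as an invalid pointer and make the `*tmp = '\0'` store hit an invalid address. Whether process_line already rejects such a prefix is not visible in this hunk. If it does, a comment stating that invariant would help; otherwise guard both lookups, e.g. `tmp = strrchr(polyptr->instance_absolute, '/'); if (tmp == NULL) return -1; polyptr->instname = tmp + 1;`. instname also aliases the tail of instance_absolute, which create_instance later overwrites with strcpy for TMPDIR, and a one-line comment on that aliasing would make the dependency explicit.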
inst_differentiation); + +- if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { +- hash = md5hash(*i_name, idata); ++ if ((idata->flags & PAMNS_GEN_HASH) || strlen(inst_differentiation) > NAMESPACE_MAX_DIR_LEN) { ++ hash = md5hash(inst_differentiation, idata); + if (hash == NULL) { + goto fail; + } + if (idata->flags & PAMNS_GEN_HASH) { +- free(*i_name); +- *i_name = hash; ++ free(inst_differentiation); ++ inst_differentiation = hash; + hash = NULL; + } else { + char *newname = + pam_asprintf("%.*s_%s", + NAMESPACE_MAX_DIR_LEN - 1 - (int)strlen(hash), +- *i_name, hash); ++ inst_differentiation, hash); + if (newname == NULL) + goto fail; +- free(*i_name); +- *i_name = newname; ++ free(inst_differentiation); ++ inst_differentiation = newname; + } + } +- rc = PAM_SUCCESS; + ++success: ++ if (set_polydir_paths(polyptr, inst_differentiation) == -1) ++ goto fail; ++ ++ rc = PAM_SUCCESS; + fail: + free(hash); ++ free(inst_differentiation); + #ifdef WITH_SELINUX + freecon(rawcon); + #endif +@@ -1289,58 +1461,111 @@ fail: + freecon(*origcon); + *origcon = NULL; + #endif +- free(*i_name); +- *i_name = NULL; + } + return rc; + } + +-static int check_inst_parent(char *ipath, struct instance_data *idata) ++static int check_inst_parent(int dfd, struct instance_data *idata) + { + struct stat instpbuf; +- char *inst_parent, *trailing_slash; +- int dfd; ++ + /* +- * stat the instance parent path to make sure it exists +- * and is a directory. Check that its mode is 000 (unless the +- * admin explicitly instructs to ignore the instance parent +- * mode by the "ignore_instance_parent_mode" argument). ++ * Stat the instance parent directory to make sure it's writable by ++ * root only (unless the admin explicitly instructs to ignore the ++ * instance parent mode by the "ignore_instance_parent_mode" argument). 
+ */ +- inst_parent = strdup(ipath); +- if (!inst_parent) { +- pam_syslog(idata->pamh, LOG_CRIT, "Error allocating pathname string"); +- return PAM_SESSION_ERR; +- } +- +- trailing_slash = strrchr(inst_parent, '/'); +- if (trailing_slash) +- *trailing_slash = '\0'; + +- dfd = protect_dir(inst_parent, 0, 1, idata); ++ if (idata->flags & PAMNS_IGN_INST_PARENT_MODE) ++ return PAM_SUCCESS; + +- if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { ++ if (fstat(dfd, &instpbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, +- "Error creating or accessing instance parent %s, %m", inst_parent); +- if (dfd != -1) +- close(dfd); +- free(inst_parent); ++ "Error accessing instance parent, %m"); + return PAM_SESSION_ERR; + } + +- if ((idata->flags & PAMNS_IGN_INST_PARENT_MODE) == 0) { +- if ((instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) || instpbuf.st_uid != 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Mode of inst parent %s not 000 or owner not root", +- inst_parent); +- close(dfd); +- free(inst_parent); +- return PAM_SESSION_ERR; +- } ++ if ((instpbuf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) || instpbuf.st_uid != 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Mode of inst parent not 000 or owner not root"); ++ return PAM_SESSION_ERR; + } +- close(dfd); +- free(inst_parent); ++ + return PAM_SUCCESS; + } + ++/* ++ * Check for a given absolute path that all segments except the last one are: ++ * 1. a directory owned by root and not writable by group or others ++ * 2. a symlink owned by root and referencing a directory respecting 1. ++ * Returns 0 if safe, -1 is unsafe. ++ * If the path is not accessible (does not exist, hidden under a mount...), ++ * returns -1 (unsafe). 
++ */ ++static int check_safe_path(const char *path, struct instance_data *idata) ++{ ++ char *p = strdup(path); ++ char *d; ++ char *dir = p; ++ struct stat st; ++ ++ if (p == NULL) ++ return -1; ++ ++ /* Check path is absolute */ ++ if (p[0] != '/') ++ goto error; ++ ++ strip_trailing_slashes(p); ++ ++ /* Last segment of the path may be owned by the user */ ++ if ((d = strrchr(dir, '/')) != NULL) ++ *d = '\0'; ++ ++ while ((d=strrchr(dir, '/')) != NULL) { ++ ++ /* Do not follow symlinks */ ++ if (lstat(dir, &st) != 0) ++ goto error; ++ ++ if (S_ISLNK(st.st_mode)) { ++ if (st.st_uid != 0) { ++ if (idata->flags & PAMNS_DEBUG) ++ pam_syslog(idata->pamh, LOG_DEBUG, ++ "Path deemed unsafe: Symlink %s should be owned by root", dir); ++ goto error; ++ } ++ ++ /* Follow symlinks */ ++ if (stat(dir, &st) != 0) ++ goto error; ++ } ++ ++ if (!S_ISDIR(st.st_mode)) { ++ if (idata->flags & PAMNS_DEBUG) ++ pam_syslog(idata->pamh, LOG_DEBUG, ++ "Path deemed unsafe: %s is expected to be a directory", dir); ++ goto error; ++ } ++ ++ if (st.st_uid != 0 || ++ ((st.st_mode & (S_IWGRP|S_IWOTH)) && !(st.st_mode & S_ISVTX))) { ++ if (idata->flags & PAMNS_DEBUG) ++ pam_syslog(idata->pamh, LOG_DEBUG, ++ "Path deemed unsafe: %s should be owned by root, and not be writable by group or others", dir); ++ goto error; ++ } ++ ++ *d = '\0'; ++ } ++ ++ free(p); ++ return 0; ++ ++error: ++ free(p); ++ return -1; ++} ++ + /* + * Check to see if there is a namespace initialization script in + * the /etc/security directory. If such a script exists +@@ -1400,7 +1625,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, + } + + execle(init_script, init_script, +- polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp); ++ polyptr->dir, ipath, ++ newdir ? "1":"0", idata->user, ++ (check_safe_path(polyptr->dir, idata) == -1) ? "0":"1", ++ (check_safe_path(ipath, idata) == -1) ? 
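Review bot: The rewritten comment in check_inst_parent says the parent must be "writable by root only", but the test below it still rejects any permission bit (`S_IRWXU|S_IRWXG|S_IRWXO`) and the log text still says "not 000". The comment should match the check, for example `Stat the instance parent directory to make sure it is owned by root and has mode 000`. Both error messages also lost the directory name now that only a descriptor is passed, which makes a log entry harder to tie to a specific polydir during triage. The caller in ns_setup has `polyptr->instance_parent` at hand if an extra argument used only for logging is acceptable.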
"0":"1", ++ NULL, envp); + _exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && +@@ -1475,14 +1704,16 @@ static int create_polydir(struct polydir_s *polyptr, + } + #endif + +- rc = protect_dir(dir, mode, 1, idata); ++ rc = secure_opendir(dir, ++ SECURE_OPENDIR_PROTECT | SECURE_OPENDIR_MKDIR | SECURE_OPENDIR_FULL_FD, ++ mode, idata); + if (rc == -1) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); + #ifdef WITH_SELINUX + freecon(oldcon_raw); + #endif +- return PAM_SESSION_ERR; ++ return -1; + } + + #ifdef WITH_SELINUX +@@ -1503,9 +1734,9 @@ static int create_polydir(struct polydir_s *polyptr, + pam_syslog(idata->pamh, LOG_ERR, + "Error changing mode of directory %s: %m", dir); + close(rc); +- umount(dir); /* undo the eventual protection bind mount */ +- rmdir(dir); +- return PAM_SESSION_ERR; ++ secure_umount(dir); /* undo the eventual protection bind mount */ ++ secure_try_rmdir(dir); ++ return -1; + } + } + +@@ -1523,41 +1754,37 @@ static int create_polydir(struct polydir_s *polyptr, + pam_syslog(idata->pamh, LOG_ERR, + "Unable to change owner on directory %s: %m", dir); + close(rc); +- umount(dir); /* undo the eventual protection bind mount */ +- rmdir(dir); +- return PAM_SESSION_ERR; ++ secure_umount(dir); /* undo the eventual protection bind mount */ ++ secure_try_rmdir(dir); ++ return -1; + } + +- close(rc); +- + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Polydir owner %u group %u", uid, gid); + +- return PAM_SUCCESS; ++ return rc; + } + + /* +- * Create polyinstantiated instance directory (ipath). ++ * Create polyinstantiated instance directory. ++ * To protect against races, changes are done on a fd to the parent of the ++ * instance directory (dfd_iparent) and a relative path (polyptr->instname). ++ * The absolute path (polyptr->instance_absolute) is only updated when creating ++ * a tmpdir and used for logging purposes. 
+ */ + #ifdef WITH_SELINUX +-static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, +- const char *icontext, const char *ocontext, +- struct instance_data *idata) ++static int create_instance(struct polydir_s *polyptr, int dfd_iparent, ++ struct stat *statbuf, const char *icontext, const char *ocontext, ++ struct instance_data *idata) + #else +-static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *statbuf, +- struct instance_data *idata) ++static int create_instance(struct polydir_s *polyptr, int dfd_iparent, ++ struct stat *statbuf, struct instance_data *idata) + #endif + { + struct stat newstatbuf; + int fd; + +- /* +- * Check to make sure instance parent is valid. +- */ +- if (check_inst_parent(ipath, idata)) +- return PAM_SESSION_ERR; +- + /* + * Create instance directory and set its security context to the context + * returned by the security policy. Set its mode and ownership +@@ -1566,29 +1793,39 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + */ + + if (polyptr->method == TMPDIR) { +- if (mkdtemp(polyptr->instance_prefix) == NULL) { +- pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m", +- polyptr->instance_prefix); +- polyptr->method = NONE; /* do not clean up! */ +- return PAM_SESSION_ERR; +- } +- /* copy the actual directory name to ipath */ +- strcpy(ipath, polyptr->instance_prefix); +- } else if (mkdir(ipath, S_IRUSR) < 0) { ++ char s_path[PATH_MAX]; ++ /* ++ * Create the template for mkdtemp() as a magic link based on ++ * our existing fd to avoid symlink attacks and races. ++ */ ++ if (pam_sprintf(s_path, "/proc/self/fd/%d/%s", dfd_iparent, polyptr->instname) < 0 ++ || mkdtemp(s_path) == NULL) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Error creating temporary instance dir %s, %m", ++ polyptr->instance_absolute); ++ polyptr->method = NONE; /* do not clean up! 
*/ ++ return PAM_SESSION_ERR; ++ } ++ ++ /* Copy the actual directory name to polyptr->instname */ ++ strcpy(polyptr->instname, base_name(s_path)); ++ } else if (mkdirat(dfd_iparent, polyptr->instname, S_IRUSR) < 0) { + if (errno == EEXIST) + return PAM_IGNORE; + else { + pam_syslog(idata->pamh, LOG_ERR, "Error creating %s, %m", +- ipath); ++ polyptr->instance_absolute); + return PAM_SESSION_ERR; + } + } + +- /* Open a descriptor to it to prevent races */ +- fd = open(ipath, O_DIRECTORY | O_RDONLY); ++ /* Open a descriptor to prevent races, based on our existing fd. */ ++ fd = openat(dfd_iparent, polyptr->instname, ++ O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); + if (fd < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error opening %s, %m", ipath); +- rmdir(ipath); ++ pam_syslog(idata->pamh, LOG_ERR, "Error opening %s, %m", ++ polyptr->instance_absolute); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + #ifdef WITH_SELINUX +@@ -1598,17 +1835,19 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + if (icontext) { + if (fsetfilecon(fd, icontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, +- "Error setting context of %s to %s", ipath, icontext); ++ "Error setting context of %s to %s", ++ polyptr->instance_absolute, icontext); + close(fd); +- rmdir(ipath); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + } else { + if (fsetfilecon(fd, ocontext) < 0) { + pam_syslog(idata->pamh, LOG_ERR, +- "Error setting context of %s to %s", ipath, ocontext); ++ "Error setting context of %s to %s", ++ polyptr->instance_absolute, ocontext); + close(fd); +- rmdir(ipath); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + } +@@ -1616,9 +1855,9 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + #endif + if (fstat(fd, &newstatbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", +- 
ipath); ++ polyptr->instance_absolute); + close(fd); +- rmdir(ipath); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + if (newstatbuf.st_uid != statbuf->st_uid || +@@ -1626,17 +1865,17 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + if (fchown(fd, statbuf->st_uid, statbuf->st_gid) < 0) { + pam_syslog(idata->pamh, LOG_ERR, + "Error changing owner for %s, %m", +- ipath); ++ polyptr->instance_absolute); + close(fd); +- rmdir(ipath); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + } + if (fchmod(fd, statbuf->st_mode & 07777) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error changing mode for %s, %m", +- ipath); ++ polyptr->instance_absolute); + close(fd); +- rmdir(ipath); ++ unlinkat(dfd_iparent, polyptr->instname, AT_REMOVEDIR); + return PAM_SESSION_ERR; + } + close(fd); +@@ -1655,9 +1894,12 @@ static int ns_setup(struct polydir_s *polyptr, + struct instance_data *idata) + { + int retval; ++ int dfd_iparent = -1; ++ int dfd_ipath = -1; ++ int dfd_pptrdir = -1; + int newdir = 1; +- char *inst_dir = NULL; +- char *instname = NULL; ++ char s_ipath[MAGIC_LNK_FD_SIZE]; ++ char s_pptrdir[MAGIC_LNK_FD_SIZE]; + struct stat statbuf; + #ifdef WITH_SELINUX + char *instcontext = NULL, *origcontext = NULL; +@@ -1667,37 +1909,48 @@ static int ns_setup(struct polydir_s *polyptr, + pam_syslog(idata->pamh, LOG_DEBUG, + "Set namespace for directory %s", polyptr->dir); + +- retval = protect_dir(polyptr->dir, 0, 0, idata); ++ dfd_pptrdir = secure_opendir(polyptr->dir, SECURE_OPENDIR_PROTECT, 0, idata); + +- if (retval < 0) { ++ if (dfd_pptrdir < 0) { + if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE)) { + pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", + polyptr->dir); + return PAM_SESSION_ERR; + } +- if (create_polydir(polyptr, idata) != PAM_SUCCESS) ++ dfd_pptrdir = create_polydir(polyptr, idata); ++ if (dfd_pptrdir < 0) + return 
PAM_SESSION_ERR; +- } else { +- close(retval); + } + + if (polyptr->method == TMPFS) { +- if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", +- polyptr->dir); +- return PAM_SESSION_ERR; +- } ++ /* ++ * There is no function mount() that operate on a fd, so instead, we ++ * get the magic link corresponding to the fd and give it to mount(). ++ * This protects against potential races exploitable by an unpriv user. ++ */ ++ if (pam_sprintf(s_pptrdir, "/proc/self/fd/%d", dfd_pptrdir) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error pam_sprintf s_pptrdir"); ++ goto error_out; ++ } + +- if (polyptr->flags & POLYDIR_NOINIT) +- return PAM_SUCCESS; ++ if (mount("tmpfs", s_pptrdir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", ++ polyptr->dir); ++ goto error_out; ++ } ++ ++ if (polyptr->flags & POLYDIR_NOINIT) { ++ retval = PAM_SUCCESS; ++ goto cleanup; ++ } + +- return inst_init(polyptr, "tmpfs", idata, 1); ++ retval = inst_init(polyptr, "tmpfs", idata, 1); ++ goto cleanup; + } + +- if (stat(polyptr->dir, &statbuf) < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error stating %s: %m", +- polyptr->dir); +- return PAM_SESSION_ERR; ++ if (fstat(dfd_pptrdir, &statbuf) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error stating %s: %m", polyptr->dir); ++ goto error_out; + } + + /* +@@ -1706,15 +1959,16 @@ static int ns_setup(struct polydir_s *polyptr, + * security policy. 
+ */ + #ifdef WITH_SELINUX +- retval = poly_name(polyptr, &instname, &instcontext, +- &origcontext, idata); ++ retval = poly_name(polyptr, &instcontext, &origcontext, idata); + #else +- retval = poly_name(polyptr, &instname, idata); ++ retval = poly_name(polyptr, idata); + #endif + + if (retval != PAM_SUCCESS) { +- if (retval != PAM_IGNORE) ++ if (retval != PAM_IGNORE) { + pam_syslog(idata->pamh, LOG_ERR, "Error getting instance name"); ++ goto error_out; ++ } + goto cleanup; + } else { + #ifdef WITH_SELINUX +@@ -1725,22 +1979,33 @@ static int ns_setup(struct polydir_s *polyptr, + #endif + } + +- if ((inst_dir = pam_asprintf("%s%s", polyptr->instance_prefix, instname)) == NULL) +- goto error_out; +- +- if (idata->flags & PAMNS_DEBUG) +- pam_syslog(idata->pamh, LOG_DEBUG, "instance_dir %s", +- inst_dir); ++ /* ++ * Gets a fd in a secure manner (we may be operating on a path under ++ * user control), and check it's compliant. ++ * Then, we should *always* operate on *this* fd and a relative path ++ * to be protected against race conditions. ++ */ ++ dfd_iparent = secure_opendir(polyptr->instance_parent, ++ SECURE_OPENDIR_PROTECT | SECURE_OPENDIR_MKDIR, 0, idata); ++ if (dfd_iparent == -1) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "polyptr->instance_parent %s access error", ++ polyptr->instance_parent); ++ goto error_out; ++ } ++ if (check_inst_parent(dfd_iparent, idata)) { ++ goto error_out; ++ } + + /* + * Create instance directory with appropriate security + * contexts, owner, group and mode bits. 
+ */ + #ifdef WITH_SELINUX +- retval = create_instance(polyptr, inst_dir, &statbuf, instcontext, +- origcontext, idata); ++ retval = create_instance(polyptr, dfd_iparent, &statbuf, instcontext, ++ origcontext, idata); + #else +- retval = create_instance(polyptr, inst_dir, &statbuf, idata); ++ retval = create_instance(polyptr, dfd_iparent, &statbuf, idata); + #endif + + if (retval == PAM_IGNORE) { +@@ -1752,19 +2017,48 @@ static int ns_setup(struct polydir_s *polyptr, + goto error_out; + } + ++ /* ++ * Instead of getting a new secure fd, we reuse the fd opened on directory ++ * polyptr->instance_parent to ensure we are working on the same dir as ++ * previously, and thus ensure that previous checks (e.g. check_inst_parent()) ++ * are still relevant. ++ */ ++ dfd_ipath = openat(dfd_iparent, polyptr->instname, ++ O_PATH | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC); ++ if (dfd_ipath == -1) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error openat on %s, %m", ++ polyptr->instname); ++ goto error_out; ++ } ++ ++ if (pam_sprintf(s_ipath, "/proc/self/fd/%d", dfd_ipath) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error pam_sprintf s_ipath"); ++ goto error_out; ++ } ++ ++ if (pam_sprintf(s_pptrdir, "/proc/self/fd/%d", dfd_pptrdir) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error pam_sprintf s_pptrdir"); ++ goto error_out; ++ } ++ + /* + * Bind mount instance directory on top of the polyinstantiated + * directory to provide an instance of polyinstantiated directory + * based on polyinstantiated method. ++ * ++ * Operates on magic links created from two fd obtained securely ++ * to protect against race conditions and symlink attacks. Indeed, ++ * the source and destination can be in a user controled path. 
+ */ +- if (mount(inst_dir, polyptr->dir, NULL, MS_BIND, NULL) < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error mounting %s on %s, %m", +- inst_dir, polyptr->dir); ++ if(mount(s_ipath, s_pptrdir, NULL, MS_BIND, NULL) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Error mounting %s on %s (%s on %s), %m", ++ s_ipath, s_pptrdir, polyptr->instance_absolute, polyptr->dir); + goto error_out; + } + + if (!(polyptr->flags & POLYDIR_NOINIT)) +- retval = inst_init(polyptr, inst_dir, idata, newdir); ++ retval = inst_init(polyptr, polyptr->instance_absolute, idata, newdir); + + goto cleanup; + +@@ -1776,8 +2070,12 @@ error_out: + retval = PAM_SESSION_ERR; + + cleanup: +- free(inst_dir); +- free(instname); ++ if (dfd_iparent != -1) ++ close(dfd_iparent); ++ if (dfd_ipath != -1) ++ close(dfd_ipath); ++ if (dfd_pptrdir != -1) ++ close(dfd_pptrdir); + #ifdef WITH_SELINUX + freecon(instcontext); + freecon(origcontext); +@@ -1816,6 +2114,7 @@ static int cleanup_tmpdirs(struct instance_data *idata) + { + struct polydir_s *pptr; + pid_t rc, pid; ++ int dfd = -1; + struct sigaction newsa, oldsa; + int status; + +@@ -1827,7 +2126,17 @@ static int cleanup_tmpdirs(struct instance_data *idata) + } + + for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { +- if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) { ++ if (pptr->method == TMPDIR) { ++ ++ dfd = secure_opendir_stateless(pptr->instance_parent); ++ if (dfd == -1) ++ continue; ++ ++ if (faccessat(dfd, pptr->instname, F_OK, AT_SYMLINK_NOFOLLOW) != 0) { ++ close(dfd); ++ continue; ++ } ++ + pid = fork(); + if (pid == 0) { + static char *envp[] = { NULL }; +@@ -1837,9 +2146,20 @@ static int cleanup_tmpdirs(struct instance_data *idata) + _exit(1); + } + #endif +- execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp); ++ if (fchdir(dfd) == -1) { ++ pam_syslog(idata->pamh, LOG_ERR, "Failed fchdir to %s: %m", ++ pptr->instance_absolute); ++ _exit(1); ++ } ++ ++ ++ execle("/bin/rm", "/bin/rm", 
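Review bot: The comment added above the bind mount in ns_setup should state that both `mount()` arguments are `/proc/self/fd/N` magic links, so the call depends on procfs being mounted at `/proc` in the process that runs the module. Without procfs the step can only fail as a generic mount error, and nothing in the code tells the reader why. I would add one sentence to the comment, for example `* Requires procfs at /proc: source and target are resolved through /proc/self/fd.`. The tmpfs branch earlier in the function uses `s_pptrdir` the same way and deserves the same remark. ns_setup starts and ends outside this hunk.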
"-rf", pptr->instname, NULL, envp); + _exit(1); + } else if (pid > 0) { ++ ++ if (dfd != -1) ++ close(dfd); ++ + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); + if (rc == (pid_t)-1) { +@@ -1852,6 +2172,10 @@ static int cleanup_tmpdirs(struct instance_data *idata) + "Error removing %s", pptr->instance_prefix); + } + } else if (pid < 0) { ++ ++ if (dfd != -1) ++ close(dfd); ++ + pam_syslog(idata->pamh, LOG_ERR, + "Cannot fork to cleanup temporary directory, %m"); + rc = PAM_SESSION_ERR; +@@ -1875,6 +2199,7 @@ out: + static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) + { + int retval = 0, need_poly = 0, changing_dir = 0; ++ int dfd = -1; + char *cptr, *fptr, poly_parent[PATH_MAX]; + struct polydir_s *pptr; + +@@ -1990,13 +2315,21 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) + strcpy(poly_parent, "/"); + else if (cptr) + *cptr = '\0'; +- if (chdir(poly_parent) < 0) { ++ ++ dfd = secure_opendir_stateless(poly_parent); ++ if (dfd == -1) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Failed opening %s to fchdir: %m", poly_parent); ++ } ++ else if (fchdir(dfd) == -1) { + pam_syslog(idata->pamh, LOG_ERR, +- "Can't chdir to %s, %m", poly_parent); ++ "Failed fchdir to %s: %m", poly_parent); + } ++ if (dfd != -1) ++ close(dfd); + } + +- if (umount(pptr->rdir) < 0) { ++ if (secure_umount(pptr->rdir) < 0) { + int saved_errno = errno; + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->rdir); +@@ -2066,7 +2399,7 @@ static int orig_namespace(struct instance_data *idata) + "Unmounting instance dir for user %d & dir %s", + idata->uid, pptr->dir); + +- if (umount(pptr->dir) < 0) { ++ if (secure_umount(pptr->dir) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", + pptr->dir); + return PAM_SESSION_ERR; +diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h +index 180e042..2b5f48a 100644 +--- 
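Review bot: In the cleanup_tmpdirs child, `pptr->instname` is passed to `/bin/rm` as a bare operand, so a name beginning with `-` would be parsed as an option instead of a path. Whether instname can start with a dash depends on the configured instance prefix, which this hunk does not show, but ending option parsing costs nothing: `execle("/bin/rm", "/bin/rm", "-rf", "--", pptr->instname, NULL, envp);`. The failure message later in the same function still prints `pptr->instance_prefix`, while the path removed is now instname under instance_parent; `pptr->instance_absolute` would name what was actually removed. cleanup_tmpdirs continues outside this hunk.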
a/modules/pam_namespace/pam_namespace.h ++++ b/modules/pam_namespace/pam_namespace.h +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -121,6 +122,13 @@ + #define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data" + #define NAMESPACE_PROTECT_DATA "pam_namespace:protect_data" + ++/* ++ * Operation mode for function secure_opendir() ++ */ ++#define SECURE_OPENDIR_PROTECT 0x00000001 ++#define SECURE_OPENDIR_MKDIR 0x00000002 ++#define SECURE_OPENDIR_FULL_FD 0x00000004 ++ + /* + * Polyinstantiation method options, based on user, security context + * or both +@@ -158,6 +166,9 @@ struct polydir_s { + char dir[PATH_MAX]; /* directory to polyinstantiate */ + char rdir[PATH_MAX]; /* directory to unmount (based on RUSER) */ + char instance_prefix[PATH_MAX]; /* prefix for instance dir path name */ ++ char instance_absolute[PATH_MAX]; /* absolute path to the instance dir (instance_parent + instname) */ ++ char instance_parent[PATH_MAX]; /* parent dir of the instance dir */ ++ char *instname; /* last segment of the path to the instance dir */ + enum polymethod method; /* method used to polyinstantiate */ + unsigned int num_uids; /* number of override uids */ + uid_t *uid; /* list of override uids */ +-- +2.45.2 + diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec index 2342234b90..b323ab5a87 100644 --- a/SPECS/pam/pam.spec +++ b/SPECS/pam/pam.spec @@ -1,7 +1,7 @@ Summary: Linux Pluggable Authentication Modules Name: pam Version: 1.5.3 -Release: 4%{?dist} +Release: 5%{?dist} License: BSD and GPLv2+ URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz 
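Review bot: The comment on the new `char *instname` member of `struct polydir_s` does not say what the pointer refers to or who owns it, unlike the fixed-size arrays beside it. Its assignment is outside this hunk; if it points into `instance_absolute` of the same struct, a by-value copy of a `polydir_s` leaves the copy's instname aimed at the original's buffer, and freeing it would be wrong. Once the assignment site confirms that, I would extend the comment to something like `/* last segment of the instance dir path; points into instance_absolute, not separately allocated */`.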
@@ -18,6 +18,8 @@ Recommends: cracklib-dicts Patch0: CVE-2024-22365.patch Patch1: CVE-2024-10963.patch Patch2: CVE-2024-10041.patch +Patch3: sync_pam_namespace_module_to_version_1.7.0.patch +Patch4: CVE-2025-6020.patch %description The Linux PAM package contains Pluggable Authentication Modules used to @@ -106,6 +108,9 @@ EOF %{_libdir}/pkgconfig/pamc.pc %changelog +* Tue Jun 24 2025 Jyoti Kanase - 1.5.3-5 +- Add patch for sync_pam_namespace_module_to_version_1.7.0.patch and CVE-2025-6020 + * Wed Dec 18 2024 Adit Jha - 1.5.3-4 - Patching CVE-2024-10041. diff --git a/SPECS/pam/sync_pam_namespace_module_to_version_1.7.0.patch b/SPECS/pam/sync_pam_namespace_module_to_version_1.7.0.patch new file mode 100644 index 0000000000..46ae7c6c2e --- /dev/null +++ b/SPECS/pam/sync_pam_namespace_module_to_version_1.7.0.patch 
@@ -0,0 +1,971 @@ +From a9b0d98f640e3675ffd9cd4711bdd38d28aa1c97 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Tue, 24 Jun 2025 06:42:29 +0000 +Subject: [PATCH] sync pam_namespace module to version 1.7.0 + +Upstream Patch Reference: https://launchpadlibrarian.net/799962342/pam_1.5.3-5ubuntu5.4_source.changes +--- + libpam/include/pam_cc_compat.h | 6 + + modules/pam_namespace/argv_parse.c | 17 +- + modules/pam_namespace/namespace.init | 2 +- + modules/pam_namespace/pam_namespace.c | 575 ++++++++++++++------------ + modules/pam_namespace/pam_namespace.h | 7 +- + 5 files changed, 322 insertions(+), 285 deletions(-) + +diff --git a/libpam/include/pam_cc_compat.h b/libpam/include/pam_cc_compat.h +index 0a6e32d..af05428 100644 +--- a/libpam/include/pam_cc_compat.h ++++ b/libpam/include/pam_cc_compat.h +@@ -21,6 +21,12 @@ + # define PAM_ATTRIBUTE_ALIGNED(arg) /* empty */ + #endif + ++#if PAM_GNUC_PREREQ(3, 0) ++# define PAM_ATTRIBUTE_MALLOC __attribute__((__malloc__)) ++#else ++# define PAM_ATTRIBUTE_MALLOC /* empty */ ++#endif ++ + #if PAM_GNUC_PREREQ(4, 6) + # define DIAG_PUSH_IGNORE_CAST_QUAL \ + _Pragma("GCC diagnostic push"); \ +diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c +index 4051054..cbae783 100644 +--- a/modules/pam_namespace/argv_parse.c ++++ b/modules/pam_namespace/argv_parse.c +@@ -28,6 +28,9 @@ + * Version 1.1, modified 2/27/1999 + */ + ++#include "config.h" ++ ++#include + #include + #include + #include +@@ -56,16 +59,21 @@ int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) + outcp = buf; + for (cp = in_buf; (ch = *cp); cp++) { + if (state == STATE_WHITESPACE) { +- if (isspace((int) ch)) ++ if (isspace((unsigned char)ch)) + continue; + /* Not whitespace, so start a new token */ + state = STATE_TOKEN; + if (argc >= max_argc) { ++ if (max_argc >= INT_MAX - 3) { ++ free(argv); ++ free(buf); ++ return -1; ++ } + max_argc += 3; + new_argv = realloc(argv, + (max_argc+1)*sizeof(char *)); + if (!new_argv) 
{ +- if (argv) free(argv); ++ free(argv); + free(buf); + return -1; + } +@@ -81,7 +89,7 @@ int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) + continue; + } + /* Must be processing characters in a word */ +- if (isspace((int) ch)) { ++ if (isspace((unsigned char)ch)) { + /* + * Terminate the current word and start + * looking for the beginning of the next word. +@@ -131,8 +139,7 @@ int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) + void argv_free(char **argv) + { + if (argv) { +- if (*argv) +- free(*argv); ++ free(*argv); + free(argv); + } + } +diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init +index d9053a1..1a6b624 100755 +--- a/modules/pam_namespace/namespace.init ++++ b/modules/pam_namespace/namespace.init +@@ -15,7 +15,7 @@ if [ "$3" = 1 ]; then + gid=$(echo "$passwd" | cut -f4 -d":") + cp -rT /etc/skel "$homedir" + chown -R "$user":"$gid" "$homedir" +- mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs) ++ mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs) + mode=$(printf "%o" $((0777 & ~mask))) + chmod ${mode:-700} "$homedir" + [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index ef85644..83d0a52 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -34,12 +34,51 @@ + + #define _ATFILE_SOURCE + ++#include "config.h" ++#include ++#include ++#include + #include "pam_cc_compat.h" + #include "pam_inline.h" + #include "pam_namespace.h" + #include "argv_parse.h" + +-/* --- evaluting all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ ++ ++static char * PAM_FORMAT((printf, 1, 2)) PAM_NONNULL((1)) PAM_ATTRIBUTE_MALLOC ++pam_asprintf(const char *fmt, ...) 
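Review bot: The sed replacement for the UMASK lookup in namespace.init prints every matching line, whereas the awk command it replaces stopped at the first match with `exit`. With more than one `UMASK` line in /etc/login.defs, `mask` becomes multi-line and the arithmetic in the following `mode=$(printf "%o" $((0777 & ~mask)))` line no longer evaluates to a single mode. Keeping only the first match restores the old behaviour: `mask=$(sed -E -n 's/^UMASK[[:space:]]+([^#[:space:]]+).*/\1/p' /etc/login.defs | head -n 1)`. The script continues outside this hunk.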
++{ ++ int rc; ++ char *res; ++ va_list ap; ++ ++ va_start(ap, fmt); ++ rc = vasprintf(&res, fmt, ap); ++ va_end(ap); ++ ++ return rc < 0 ? NULL : res; ++} ++ ++static int PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3)) ++pam_snprintf(char *str, size_t size, const char *fmt, ...) ++{ ++ int rc; ++ va_list ap; ++ ++ va_start(ap, fmt); ++ rc = vsnprintf(str, size, fmt, ap); ++ va_end(ap); ++ ++ if (rc < 0 || (unsigned int) rc >= size) ++ return -1; ++ return rc; ++} ++ ++#define pam_sprintf(str_, fmt_, ...) \ ++ pam_snprintf((str_), sizeof(str_) + PAM_MUST_BE_ARRAY(str_), (fmt_), \ ++ ##__VA_ARGS__) ++ ++ ++/* --- evaluating all files in VENDORDIR/security/namespace.d and /etc/security/namespace.d --- */ + static const char *base_name(const char *path) + { + const char *base = strrchr(path, '/'); +@@ -53,6 +92,146 @@ compare_filename(const void *a, const void *b) + base_name(* (char * const *) b)); + } + ++static void ++strip_trailing_slashes(char *str) ++{ ++ char *p = str + strlen(str); ++ ++ while (--p > str && *p == '/') ++ *p = '\0'; ++} ++ ++static int protect_mount(int dfd, const char *path, struct instance_data *idata) ++{ ++ struct protect_dir_s *dir = idata->protect_dirs; ++ char tmpbuf[64]; ++ ++ while (dir != NULL) { ++ if (strcmp(path, dir->dir) == 0) { ++ return 0; ++ } ++ dir = dir->next; ++ } ++ ++ snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); ++ ++ dir = calloc(1, sizeof(*dir)); ++ ++ if (dir == NULL) { ++ return -1; ++ } ++ ++ dir->dir = strdup(path); ++ ++ if (dir->dir == NULL) { ++ free(dir); ++ return -1; ++ } ++ ++ if (idata->flags & PAMNS_DEBUG) { ++ pam_syslog(idata->pamh, LOG_INFO, ++ "Protect mount of %s over itself", path); ++ } ++ ++ if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { ++ int save_errno = errno; ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Protect mount of %s failed: %m", tmpbuf); ++ free(dir->dir); ++ free(dir); ++ errno = save_errno; ++ return -1; ++ } ++ ++ dir->next = idata->protect_dirs; ++ idata->protect_dirs = 
dir; ++ ++ return 0; ++} ++ ++static int protect_dir(const char *path, mode_t mode, int do_mkdir, ++ struct instance_data *idata) ++{ ++ char *p = strdup(path); ++ char *d; ++ char *dir = p; ++ int dfd = AT_FDCWD; ++ int dfd_next; ++ int save_errno; ++ int flags = O_RDONLY | O_DIRECTORY; ++ int rv = -1; ++ struct stat st; ++ ++ if (p == NULL) { ++ return -1; ++ } ++ ++ if (*dir == '/') { ++ dfd = open("/", flags); ++ if (dfd == -1) { ++ goto error; ++ } ++ dir++; /* assume / is safe */ ++ } ++ ++ while ((d=strchr(dir, '/')) != NULL) { ++ *d = '\0'; ++ dfd_next = openat(dfd, dir, flags); ++ if (dfd_next == -1) { ++ goto error; ++ } ++ ++ if (dfd != AT_FDCWD) ++ close(dfd); ++ dfd = dfd_next; ++ ++ if (fstat(dfd, &st) != 0) { ++ goto error; ++ } ++ ++ if (flags & O_NOFOLLOW) { ++ /* we are inside user-owned dir - protect */ ++ if (protect_mount(dfd, p, idata) == -1) ++ goto error; ++ } else if (st.st_uid != 0 || st.st_gid != 0 || ++ (st.st_mode & S_IWOTH)) { ++ /* do not follow symlinks on subdirectories */ ++ flags |= O_NOFOLLOW; ++ } ++ ++ *d = '/'; ++ dir = d + 1; ++ } ++ ++ rv = openat(dfd, dir, flags); ++ ++ if (rv == -1) { ++ if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { ++ goto error; ++ } ++ rv = openat(dfd, dir, flags); ++ } ++ ++ if (flags & O_NOFOLLOW) { ++ /* we are inside user-owned dir - protect */ ++ if (protect_mount(rv, p, idata) == -1) { ++ save_errno = errno; ++ close(rv); ++ rv = -1; ++ errno = save_errno; ++ } ++ } ++ ++error: ++ save_errno = errno; ++ free(p); ++ if (dfd != AT_FDCWD && dfd >= 0) ++ close(dfd); ++ errno = save_errno; ++ ++ return rv; ++} ++ + /* Evaluating a list of files which have to be parsed in the right order: + * + * - If etc/security/namespace.d/@filename@.conf exists, then +@@ -196,7 +375,7 @@ static void cleanup_protect_data(pam_handle_t *pamh UNUSED , void *data, int err + unprotect_dirs(data); + } + +-static char *expand_variables(const char *orig, const char *var_names[], const char *var_values[]) ++static char 
*expand_variables(const char *orig, const char *const var_names[], const char *var_values[]) + { + const char *src = orig; + char *dst; +@@ -207,7 +386,7 @@ static char *expand_variables(const char *orig, const char *var_names[], const c + if (*src == '$') { + int i; + for (i = 0; var_names[i]; i++) { +- int namelen = strlen(var_names[i]); ++ size_t namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dstlen += strlen(var_values[i]) - 1; /* $ */ + src += namelen; +@@ -225,7 +404,7 @@ static char *expand_variables(const char *orig, const char *var_names[], const c + if (c == '$') { + int i; + for (i = 0; var_names[i]; i++) { +- int namelen = strlen(var_names[i]); ++ size_t namelen = strlen(var_names[i]); + if (strncmp(var_names[i], src+1, namelen) == 0) { + dst = stpcpy(dst, var_values[i]); + --dst; +@@ -309,8 +488,7 @@ static int parse_iscript_params(char *params, struct polydir_s *poly) + + if (*params != '\0') { + if (*params != '/') { /* path is relative to NAMESPACE_D_DIR */ +- if (asprintf(&poly->init_script, "%s%s", NAMESPACE_D_DIR, params) == -1) +- return -1; ++ poly->init_script = pam_asprintf("%s%s", NAMESPACE_D_DIR, params); + } else { + poly->init_script = strdup(params); + } +@@ -392,9 +570,9 @@ static int parse_method(char *method, struct polydir_s *poly, + { + enum polymethod pm; + char *sptr = NULL; +- static const char *method_names[] = { "user", "context", "level", "tmpdir", ++ static const char *const method_names[] = { "user", "context", "level", "tmpdir", + "tmpfs", NULL }; +- static const char *flag_names[] = { "create", "noinit", "iscript", ++ static const char *const flag_names[] = { "create", "noinit", "iscript", + "shared", "mntopts", NULL }; + static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, + POLYDIR_ISCRIPT, POLYDIR_SHARED, POLYDIR_MNTOPTS }; +@@ -419,7 +597,7 @@ static int parse_method(char *method, struct polydir_s *poly, + + while ((flag=strtok_r(NULL, ":", &sptr)) != NULL) 
{ + for (i = 0; flag_names[i]; i++) { +- int namelen = strlen(flag_names[i]); ++ size_t namelen = strlen(flag_names[i]); + + if (strncmp(flag, flag_names[i], namelen) == 0) { + poly->flags |= flag_values[i]; +@@ -465,27 +643,27 @@ static int parse_method(char *method, struct polydir_s *poly, + * of the namespace configuration file. It skips over comments and incomplete + * or malformed lines. It processes a valid line with information on + * polyinstantiating a directory by populating appropriate fields of a +- * polyinstatiated directory structure and then calling add_polydir_entry to ++ * polyinstantiated directory structure and then calling add_polydir_entry to + * add that entry to the linked list of polyinstantiated directories. + */ + static int process_line(char *line, const char *home, const char *rhome, + struct instance_data *idata) + { + char *dir = NULL, *instance_prefix = NULL, *rdir = NULL; ++ const char *config_dir, *config_instance_prefix; + char *method, *uids; + char *tptr; + struct polydir_s *poly; + int retval = 0; + char **config_options = NULL; +- static const char *var_names[] = {"HOME", "USER", NULL}; ++ static const char *const var_names[] = {"HOME", "USER", NULL}; + const char *var_values[] = {home, idata->user}; + const char *rvar_values[] = {rhome, idata->ruser}; +- int len; + + /* + * skip the leading white space + */ +- while (*line && isspace(*line)) ++ while (*line && isspace((unsigned char)*line)) + line++; + + /* +@@ -521,22 +699,19 @@ static int process_line(char *line, const char *home, const char *rhome, + goto erralloc; + } + +- dir = config_options[0]; +- if (dir == NULL) { ++ config_dir = config_options[0]; ++ if (config_dir == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing polydir"); + goto skipping; + } +- instance_prefix = config_options[1]; +- if (instance_prefix == NULL) { ++ config_instance_prefix = config_options[1]; ++ if (config_instance_prefix == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, 
"Invalid line missing instance_prefix"); +- instance_prefix = NULL; + goto skipping; + } + method = config_options[2]; + if (method == NULL) { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing method"); +- instance_prefix = NULL; +- dir = NULL; + goto skipping; + } + +@@ -551,19 +726,16 @@ static int process_line(char *line, const char *home, const char *rhome, + /* + * Expand $HOME and $USER in poly dir and instance dir prefix + */ +- if ((rdir=expand_variables(dir, var_names, rvar_values)) == NULL) { +- instance_prefix = NULL; +- dir = NULL; ++ if ((rdir = expand_variables(config_dir, var_names, rvar_values)) == NULL) { + goto erralloc; + } + +- if ((dir=expand_variables(dir, var_names, var_values)) == NULL) { +- instance_prefix = NULL; ++ if ((dir = expand_variables(config_dir, var_names, var_values)) == NULL) { + goto erralloc; + } + +- if ((instance_prefix=expand_variables(instance_prefix, var_names, var_values)) +- == NULL) { ++ if ((instance_prefix = expand_variables(config_instance_prefix, ++ var_names, var_values)) == NULL) { + goto erralloc; + } + +@@ -573,15 +745,8 @@ static int process_line(char *line, const char *home, const char *rhome, + pam_syslog(idata->pamh, LOG_DEBUG, "Expanded instance prefix: '%s'", instance_prefix); + } + +- len = strlen(dir); +- if (len > 0 && dir[len-1] == '/') { +- dir[len-1] = '\0'; +- } +- +- len = strlen(rdir); +- if (len > 0 && rdir[len-1] == '/') { +- rdir[len-1] = '\0'; +- } ++ strip_trailing_slashes(dir); ++ strip_trailing_slashes(rdir); + + if (dir[0] == '\0' || rdir[0] == '\0') { + pam_syslog(idata->pamh, LOG_NOTICE, "Invalid polydir"); +@@ -592,26 +757,19 @@ static int process_line(char *line, const char *home, const char *rhome, + * Populate polyinstantiated directory structure with appropriate + * pathnames and the method with which to polyinstantiate. 
+ */ +- if (strlen(dir) >= sizeof(poly->dir) +- || strlen(rdir) >= sizeof(poly->rdir) +- || strlen(instance_prefix) >= sizeof(poly->instance_prefix)) { +- pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); +- goto skipping; +- } +- strcpy(poly->dir, dir); +- strcpy(poly->rdir, rdir); +- strcpy(poly->instance_prefix, instance_prefix); +- + if (parse_method(method, poly, idata) != 0) { + goto skipping; + } + +- if (poly->method == TMPDIR) { +- if (sizeof(poly->instance_prefix) - strlen(poly->instance_prefix) < 7) { +- pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); +- goto skipping; +- } +- strcat(poly->instance_prefix, "XXXXXX"); ++#define COPY_STR(dst, src, apd) \ ++ pam_sprintf((dst), "%s%s", (src), (apd)) ++ ++ if (COPY_STR(poly->dir, dir, "") < 0 ++ || COPY_STR(poly->rdir, rdir, "") < 0 ++ || COPY_STR(poly->instance_prefix, instance_prefix, ++ poly->method == TMPDIR ? "XXXXXX" : "") < 0) { ++ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long"); ++ goto skipping; + } + + /* +@@ -635,7 +793,7 @@ static int process_line(char *line, const char *home, const char *rhome, + if (uids) { + uid_t *uidptr; + const char *ustr, *sstr; +- int count, i; ++ size_t count, i; + + if (*uids == '~') { + poly->flags |= POLYDIR_EXCLUSIVE; +@@ -644,8 +802,13 @@ static int process_line(char *line, const char *home, const char *rhome, + for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) + sstr = strchr(ustr, ','); + ++ if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) { ++ pam_syslog(idata->pamh, LOG_ERR, "Too many uids encountered in configuration"); ++ goto skipping; ++ } ++ + poly->num_uids = count; +- poly->uid = (uid_t *) malloc(count * sizeof (uid_t)); ++ poly->uid = malloc(count * sizeof (uid_t)); + uidptr = poly->uid; + if (uidptr == NULL) { + goto erralloc; +@@ -994,6 +1157,7 @@ static int form_context(const struct polydir_s *polyptr, + return rc; + } + /* Should never get here */ ++ freecon(scon); + return PAM_SUCCESS; + } + 
#endif +@@ -1055,10 +1219,8 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + + switch (pm) { + case USER: +- if (asprintf(i_name, "%s", idata->user) < 0) { +- *i_name = NULL; ++ if ((*i_name = strdup(idata->user)) == NULL) + goto fail; +- } + break; + + #ifdef WITH_SELINUX +@@ -1068,17 +1230,12 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); + goto fail; + } +- if (polyptr->flags & POLYDIR_SHARED) { +- if (asprintf(i_name, "%s", rawcon) < 0) { +- *i_name = NULL; +- goto fail; +- } +- } else { +- if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { +- *i_name = NULL; +- goto fail; +- } +- } ++ if (polyptr->flags & POLYDIR_SHARED) ++ *i_name = strdup(rawcon); ++ else ++ *i_name = pam_asprintf("%s_%s", rawcon, idata->user); ++ if (*i_name == NULL) ++ goto fail; + break; + + #endif /* WITH_SELINUX */ +@@ -1108,11 +1265,12 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, + *i_name = hash; + hash = NULL; + } else { +- char *newname; +- if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash), +- *i_name, hash) < 0) { ++ char *newname = ++ pam_asprintf("%.*s_%s", ++ NAMESPACE_MAX_DIR_LEN - 1 - (int)strlen(hash), ++ *i_name, hash); ++ if (newname == NULL) + goto fail; +- } + free(*i_name); + *i_name = newname; + } +@@ -1137,137 +1295,6 @@ fail: + return rc; + } + +-static int protect_mount(int dfd, const char *path, struct instance_data *idata) +-{ +- struct protect_dir_s *dir = idata->protect_dirs; +- char tmpbuf[64]; +- +- while (dir != NULL) { +- if (strcmp(path, dir->dir) == 0) { +- return 0; +- } +- dir = dir->next; +- } +- +- dir = calloc(1, sizeof(*dir)); +- +- if (dir == NULL) { +- return -1; +- } +- +- dir->dir = strdup(path); +- +- if (dir->dir == NULL) { +- free(dir); +- return -1; +- } +- +- snprintf(tmpbuf, sizeof(tmpbuf), "/proc/self/fd/%d", dfd); +- +- if (idata->flags & PAMNS_DEBUG) { +- 
pam_syslog(idata->pamh, LOG_INFO, +- "Protect mount of %s over itself", path); +- } +- +- if (mount(tmpbuf, tmpbuf, NULL, MS_BIND, NULL) != 0) { +- int save_errno = errno; +- pam_syslog(idata->pamh, LOG_ERR, +- "Protect mount of %s failed: %m", tmpbuf); +- free(dir->dir); +- free(dir); +- errno = save_errno; +- return -1; +- } +- +- dir->next = idata->protect_dirs; +- idata->protect_dirs = dir; +- +- return 0; +-} +- +-static int protect_dir(const char *path, mode_t mode, int do_mkdir, +- struct instance_data *idata) +-{ +- char *p = strdup(path); +- char *d; +- char *dir = p; +- int dfd = AT_FDCWD; +- int dfd_next; +- int save_errno; +- int flags = O_RDONLY | O_DIRECTORY; +- int rv = -1; +- struct stat st; +- +- if (p == NULL) { +- goto error; +- } +- +- if (*dir == '/') { +- dfd = open("/", flags); +- if (dfd == -1) { +- goto error; +- } +- dir++; /* assume / is safe */ +- } +- +- while ((d=strchr(dir, '/')) != NULL) { +- *d = '\0'; +- dfd_next = openat(dfd, dir, flags); +- if (dfd_next == -1) { +- goto error; +- } +- +- if (dfd != AT_FDCWD) +- close(dfd); +- dfd = dfd_next; +- +- if (fstat(dfd, &st) != 0) { +- goto error; +- } +- +- if (flags & O_NOFOLLOW) { +- /* we are inside user-owned dir - protect */ +- if (protect_mount(dfd, p, idata) == -1) +- goto error; +- } else if (st.st_uid != 0 || st.st_gid != 0 || +- (st.st_mode & S_IWOTH)) { +- /* do not follow symlinks on subdirectories */ +- flags |= O_NOFOLLOW; +- } +- +- *d = '/'; +- dir = d + 1; +- } +- +- rv = openat(dfd, dir, flags); +- +- if (rv == -1) { +- if (!do_mkdir || mkdirat(dfd, dir, mode) != 0) { +- goto error; +- } +- rv = openat(dfd, dir, flags); +- } +- +- if (flags & O_NOFOLLOW) { +- /* we are inside user-owned dir - protect */ +- if (protect_mount(rv, p, idata) == -1) { +- save_errno = errno; +- close(rv); +- rv = -1; +- errno = save_errno; +- } +- } +- +-error: +- save_errno = errno; +- free(p); +- if (dfd != AT_FDCWD && dfd >= 0) +- close(dfd); +- errno = save_errno; +- +- return rv; +-} +- 
+ static int check_inst_parent(char *ipath, struct instance_data *idata) + { + struct stat instpbuf; +@@ -1279,13 +1306,12 @@ static int check_inst_parent(char *ipath, struct instance_data *idata) + * admin explicitly instructs to ignore the instance parent + * mode by the "ignore_instance_parent_mode" argument). + */ +- inst_parent = (char *) malloc(strlen(ipath)+1); ++ inst_parent = strdup(ipath); + if (!inst_parent) { + pam_syslog(idata->pamh, LOG_CRIT, "Error allocating pathname string"); + return PAM_SESSION_ERR; + } + +- strcpy(inst_parent, ipath); + trailing_slash = strrchr(inst_parent, '/'); + if (trailing_slash) + *trailing_slash = '\0'; +@@ -1340,66 +1366,66 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, + if ((polyptr->flags & POLYDIR_ISCRIPT) && polyptr->init_script) + init_script = polyptr->init_script; + +- if (access(init_script, F_OK) == 0) { +- if (access(init_script, X_OK) < 0) { +- if (idata->flags & PAMNS_DEBUG) +- pam_syslog(idata->pamh, LOG_ERR, +- "Namespace init script not executable"); +- return PAM_SESSION_ERR; +- } else { +- struct sigaction newsa, oldsa; +- +- memset(&newsa, '\0', sizeof(newsa)); +- newsa.sa_handler = SIG_DFL; +- if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { +- pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler"); +- return PAM_SESSION_ERR; +- } ++ if (access(init_script, F_OK) != 0) ++ return PAM_SUCCESS; + +- pid = fork(); +- if (pid == 0) { +- static char *envp[] = { NULL }; ++ if (access(init_script, X_OK) < 0) { ++ if (idata->flags & PAMNS_DEBUG) ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Namespace init script not executable"); ++ return PAM_SESSION_ERR; ++ } ++ ++ struct sigaction newsa, oldsa; ++ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ if (sigaction(SIGCHLD, &newsa, &oldsa) == -1) { ++ pam_syslog(idata->pamh, LOG_ERR, "failed to reset SIGCHLD handler"); ++ return PAM_SESSION_ERR; ++ } ++ ++ pid = fork(); ++ if (pid == 0) { ++ static char 
*envp[] = { NULL }; + #ifdef WITH_SELINUX +- if (idata->flags & PAMNS_SELINUX_ENABLED) { +- if (setexeccon(NULL) < 0) +- _exit(1); +- } ++ if (idata->flags & PAMNS_SELINUX_ENABLED) { ++ if (setexeccon(NULL) < 0) ++ _exit(1); ++ } + #endif +- /* Pass maximum privs when we exec() */ +- if (setuid(geteuid()) < 0) { +- /* ignore failures, they don't matter */ +- } ++ /* Pass maximum privs when we exec() */ ++ if (setuid(geteuid()) < 0) { ++ /* ignore failures, they don't matter */ ++ } + +- if (execle(init_script, init_script, +- polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0) +- _exit(1); +- } else if (pid > 0) { +- while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && +- (errno == EINTR)); +- if (rc == (pid_t)-1) { +- pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m"); +- rc = PAM_SESSION_ERR; +- goto out; +- } +- if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { +- pam_syslog(idata->pamh, LOG_ERR, +- "Error initializing instance"); +- rc = PAM_SESSION_ERR; +- goto out; +- } +- } else if (pid < 0) { +- pam_syslog(idata->pamh, LOG_ERR, +- "Cannot fork to run namespace init script, %m"); +- rc = PAM_SESSION_ERR; +- goto out; +- } +- rc = PAM_SUCCESS; +-out: +- (void) sigaction(SIGCHLD, &oldsa, NULL); +- return rc; ++ execle(init_script, init_script, ++ polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp); ++ _exit(1); ++ } else if (pid > 0) { ++ while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && ++ (errno == EINTR)); ++ if (rc == (pid_t)-1) { ++ pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m"); ++ rc = PAM_SESSION_ERR; ++ goto out; + } ++ if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Error initializing instance"); ++ rc = PAM_SESSION_ERR; ++ goto out; ++ } ++ } else if (pid < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, ++ "Cannot fork to run namespace init script, %m"); ++ rc = PAM_SESSION_ERR; ++ goto out; + } +- return PAM_SUCCESS; ++ rc = PAM_SUCCESS; ++out: ++ (void) 
sigaction(SIGCHLD, &oldsa, NULL); ++ return rc; + } + + static int create_polydir(struct polydir_s *polyptr, +@@ -1422,7 +1448,9 @@ static int create_polydir(struct polydir_s *polyptr, + + #ifdef WITH_SELINUX + if (idata->flags & PAMNS_SELINUX_ENABLED) { +- getfscreatecon_raw(&oldcon_raw); ++ if (getfscreatecon_raw(&oldcon_raw) != 0) ++ pam_syslog(idata->pamh, LOG_NOTICE, ++ "Error retrieving fs create context: %m"); + + label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_handle) { +@@ -1451,6 +1479,9 @@ static int create_polydir(struct polydir_s *polyptr, + if (rc == -1) { + pam_syslog(idata->pamh, LOG_ERR, + "Error creating directory %s: %m", dir); ++#ifdef WITH_SELINUX ++ freecon(oldcon_raw); ++#endif + return PAM_SESSION_ERR; + } + +@@ -1638,16 +1669,14 @@ static int ns_setup(struct polydir_s *polyptr, + + retval = protect_dir(polyptr->dir, 0, 0, idata); + +- if (retval < 0 && errno != ENOENT) { +- pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", +- polyptr->dir); +- return PAM_SESSION_ERR; +- } +- + if (retval < 0) { +- if ((polyptr->flags & POLYDIR_CREATE) && +- create_polydir(polyptr, idata) != PAM_SUCCESS) +- return PAM_SESSION_ERR; ++ if (errno != ENOENT || !(polyptr->flags & POLYDIR_CREATE)) { ++ pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", ++ polyptr->dir); ++ return PAM_SESSION_ERR; ++ } ++ if (create_polydir(polyptr, idata) != PAM_SUCCESS) ++ return PAM_SESSION_ERR; + } else { + close(retval); + } +@@ -1696,7 +1725,7 @@ static int ns_setup(struct polydir_s *polyptr, + #endif + } + +- if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) ++ if ((inst_dir = pam_asprintf("%s%s", polyptr->instance_prefix, instname)) == NULL) + goto error_out; + + if (idata->flags & PAMNS_DEBUG) +@@ -1808,8 +1837,8 @@ static int cleanup_tmpdirs(struct instance_data *idata) + _exit(1); + } + #endif +- if (execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp) < 0) +- _exit(1); ++ 
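Review bot: In inst_init the parent accepts any normal exit of the init script, because the status test is `!WIFEXITED(status) || WIFSIGNALED(status) > 0` and never looks at the exit code. That includes the child's own `_exit(1)` after a failed `execle()`, so a script that could not be run at all still ends in `rc = PAM_SUCCESS`. If a non-zero exit is meant to fail session setup, the test should be `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {`. The hunk re-indents this code without changing the check, and the start of the function is outside the hunk.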
execle("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, NULL, envp); ++ _exit(1); + } else if (pid > 0) { + while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) && + (errno == EINTR)); +@@ -1824,7 +1853,7 @@ static int cleanup_tmpdirs(struct instance_data *idata) + } + } else if (pid < 0) { + pam_syslog(idata->pamh, LOG_ERR, +- "Cannot fork to run namespace init script, %m"); ++ "Cannot fork to cleanup temporary directory, %m"); + rc = PAM_SESSION_ERR; + goto out; + } +diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h +index a991b4c..180e042 100644 +--- a/modules/pam_namespace/pam_namespace.h ++++ b/modules/pam_namespace/pam_namespace.h +@@ -44,21 +44,16 @@ + #include + #include + #include +-#include +-#include + #include + #include + #include + #include + #include +-#include + #include + #include +-#include + #include + #include + #include +-#include + #include "security/pam_modules.h" + #include "security/pam_modutil.h" + #include "security/pam_ext.h" +@@ -114,7 +109,7 @@ + #define PAMNS_MOUNT_PRIVATE 0x00080000 /* Make the polydir mounts private */ + + /* polydir flags */ +-#define POLYDIR_EXCLUSIVE 0x00000001 /* polyinstatiate exclusively for override uids */ ++#define POLYDIR_EXCLUSIVE 0x00000001 /* polyinstantiate exclusively for override uids */ + #define POLYDIR_CREATE 0x00000002 /* create the polydir */ + #define POLYDIR_NOINIT 0x00000004 /* no init script */ + #define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */ +-- +2.45.2 + diff --git a/SPECS/perl-CPAN-Changes/perl-CPAN-Changes.spec b/SPECS/perl-CPAN-Changes/perl-CPAN-Changes.spec index c71c987a94..b4ab1f9754 100644 --- a/SPECS/perl-CPAN-Changes/perl-CPAN-Changes.spec +++ b/SPECS/perl-CPAN-Changes/perl-CPAN-Changes.spec 
@@ -1,7 +1,7 @@ Summary: Read and write Changes files Name: perl-CPAN-Changes Version: 0.500002 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL+ OR Artistic Vendor: Microsoft Corporation Distribution: Azure Linux @@ -18,6 +18,8 @@ BuildRequires: perl-interpreter # Module Runtime BuildRequires: perl(Encode) +BuildRequires: perl(Module::Runtime) + BuildRequires: perl(ExtUtils::MakeMaker) # Script Runtime @@ -29,24 +31,29 @@ BuildRequires: perl(Text::Wrap) BuildRequires: perl(strict) BuildRequires: perl(version) >= 0.99.06 BuildRequires: perl(warnings) +BuildRequires: perl(Moo) >= 1.006000 +BuildRequires: perl(Sub::Quote) >= 1.005000 +BuildRequires: perl(Types::Standard) %if 0%{?with_check} # Test Suite BuildRequires: perl(Test::More) >= 0.96 - +BuildRequires: perl(constant) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(File::Spec) # Extra Tests BuildRequires: perl(Test::Pod) >= 1.00 BuildRequires: perl(Test::Pod::Coverage) >= 1.00 - -# Optional Tests, currently not supported in Mariner. -%if 0 -BuildRequires: perl(Moo) -%endif %endif # Runtime Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(version) >= 0.99.06 +Requires: perl(Module::Runtime) +Requires: perl(Moo) >= 1.006000 +Requires: perl(Sub::Quote) >= 1.005000 +Requires: perl(Types::Standard) +Requires: perl(Role::Tiny) %description It is standard practice to include a Changes file in your distribution. The @@ -77,6 +84,7 @@ make test make test TEST_FILES="$(echo $(find xt/ -name '*.t'))" %files +%license LICENSE %doc Changes README %{_bindir}/tidy_changelog %{perl_vendorlib}/CPAN/ @@ -87,6 +95,9 @@ make test TEST_FILES="$(echo $(find xt/ -name '*.t'))" %{_mandir}/man3/Test::CPAN::Changes.3* %changelog +* Mon May 12 2025 Kanishk Bansal - 0.500002-2 +- Fix ptest and installation issue + * Mon Dec 18 2023 CBL-Mariner Servicing Account - 0.500002-1 - Auto-upgrade to 0.500002 - Azure Linux 3.0 - package upgrades 
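Review bot: `Requires: perl(Role::Tiny)` is the only one of the five new runtime dependencies in the last dependency hunk that has no matching `BuildRequires`. The `make test` runs in %check therefore only see that module if another build dependency (presumably Moo) pulls it in. Adding `BuildRequires: perl(Role::Tiny)` next to the new `BuildRequires: perl(Moo) >= 1.006000` line would keep the build-time and runtime lists in step and stop the ptest depending on a transitive install.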
diff --git a/SPECS-EXTENDED/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.signatures.json b/SPECS/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.signatures.json similarity index 100% rename from SPECS-EXTENDED/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.signatures.json rename to SPECS/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.signatures.json diff --git a/SPECS-EXTENDED/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.spec b/SPECS/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.spec similarity index 100% rename from SPECS-EXTENDED/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.spec rename to SPECS/perl-Class-Method-Modifiers/perl-Class-Method-Modifiers.spec diff --git a/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec b/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec index 9fa3c31733..f7633625ad 100644 --- a/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec +++ b/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec @@ -10,7 +10,7 @@ Name: perl-Module-Implementation Version: 0.09 -Release: 25%{?dist} +Release: 26%{?dist} Summary: Loads one of several alternate underlying implementations for a module License: Artistic 2.0 Vendor: Microsoft Corporation @@ -45,6 +45,7 @@ BuildRequires: perl(lib) BuildRequires: perl(Test::Fatal) >= 0.006 BuildRequires: perl(Test::More) >= 0.96 BuildRequires: perl(Test::Requires) +BuildRequires: perl(blib) %if %{with perl_Module_Implementation_enables_optional_test} # =================================================================== # Optional test requirements @@ -131,6 +132,9 @@ make test %{_mandir}/man3/Module::Implementation.3* %changelog +* Wed May 21 2025 Riken Maharjan - 0.09-26 +- Fix ptest byadding missing test dep. + * Wed Aug 28 2024 Neha Agarwal - 0.09-25 - Promote package to Core repository. - License verified. 
diff --git a/SPECS-EXTENDED/perl-Moo/perl-Moo.signatures.json b/SPECS/perl-Moo/perl-Moo.signatures.json similarity index 100% rename from SPECS-EXTENDED/perl-Moo/perl-Moo.signatures.json rename to SPECS/perl-Moo/perl-Moo.signatures.json diff --git a/SPECS-EXTENDED/perl-Moo/perl-Moo.spec b/SPECS/perl-Moo/perl-Moo.spec similarity index 98% rename from SPECS-EXTENDED/perl-Moo/perl-Moo.spec rename to SPECS/perl-Moo/perl-Moo.spec index be52cb3881..69e02ae997 100644 --- a/SPECS-EXTENDED/perl-Moo/perl-Moo.spec +++ b/SPECS/perl-Moo/perl-Moo.spec @@ -1,6 +1,6 @@ Name: perl-Moo Version: 2.003006 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Minimalist Object Orientation (with Moose compatibility) License: GPL+ or Artistic Vendor: Microsoft Corporation @@ -98,6 +98,10 @@ not quite- two thirds of Moose. %{_mandir}/man3/* %changelog +* Mon May 12 2025 Kanishk Bansal - 2.003006-4 +- Promote package to Core repository. +- License verified + * Fri Oct 15 2021 Pawel Winogrodzki - 2.003006-3 - Initial CBL-Mariner import from Fedora 32 (license: MIT). diff --git a/SPECS/perl-Net-SSLeay/compatible-openssl.patch b/SPECS/perl-Net-SSLeay/compatible-openssl.patch new file mode 100644 index 0000000000..3e4ddb5198 --- /dev/null +++ b/SPECS/perl-Net-SSLeay/compatible-openssl.patch 
@@ -0,0 +1,51 @@ +diff -urN Net-SSLeay-1.92/t/local/33_x509_create_cert.t Net-SSLeay-1.92/t/local/33_x509_create_cert.t +--- Net-SSLeay-1.92/t/local/33_x509_create_cert.t 2021-09-28 22:15:32.000000000 +0000 ++++ Net-SSLeay-1.92/t/local/33_x509_create_cert.t 2025-05-21 19:23:50.928133272 +0000 +@@ -53,7 +53,8 @@ + #set organizationName via add_entry_by_txt + ok(Net::SSLeay::X509_NAME_add_entry_by_txt($name, "organizationName", MBSTRING_UTF8, "Company Name"), "X509_NAME_add_entry_by_txt"); + +- ok(Net::SSLeay::X509_set_version($x509, 3), "X509_set_version"); ++ my $x509_version_3 = (defined &Net::SSLeay::X509_VERSION_3) ? Net::SSLeay::X509_VERSION_3() : 2; # Note: X509_VERSION_3 is 2 ++ ok(Net::SSLeay::X509_set_version($x509, $x509_version_3), "X509_set_version"); + ok(my $sn = Net::SSLeay::X509_get_serialNumber($x509), "X509_get_serialNumber"); + + my $pubkey = Net::SSLeay::X509_get_X509_PUBKEY($x509); +@@ -96,7 +97,7 @@ + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha1_digest), "X509_sign"); + +- is(Net::SSLeay::X509_get_version($x509), 3, "X509_get_version"); ++ is(Net::SSLeay::X509_get_version($x509), $x509_version_3, "X509_get_version"); + is(Net::SSLeay::X509_verify($x509, Net::SSLeay::X509_get_pubkey($ca_cert)), 1, "X509_verify"); + + like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509"); +@@ -184,7 +185,8 @@ + #49 = NID_pkcs9_unstructuredName - XXX-TODO add new constant + ok(Net::SSLeay::X509_REQ_add1_attr_by_NID($req, 49, MBSTRING_ASC, 'Any Uns.name'), "X509_REQ_add1_attr_by_NID"); + +- ok(Net::SSLeay::X509_REQ_set_version($req, 2), "X509_REQ_set_version"); ++ my $x509_req_version_1 = (defined &Net::SSLeay::X509_REQ_VERSION_1) ? 
Net::SSLeay::X509_REQ_VERSION_1() : 0; # Note: X509_REQ_VERSION_1 is 0 ++ ok(Net::SSLeay::X509_REQ_set_version($req, $x509_req_version_1), "X509_REQ_set_version"); + + ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname"); + ok(Net::SSLeay::X509_REQ_sign($req, $pk, $sha1_digest), "X509_REQ_sign"); +@@ -192,7 +194,7 @@ + ok(my $req_pubkey = Net::SSLeay::X509_REQ_get_pubkey($req), "X509_REQ_get_pubkey"); + is(Net::SSLeay::X509_REQ_verify($req, $req_pubkey), 1, "X509_REQ_verify"); + +- is(Net::SSLeay::X509_REQ_get_version($req), 2, "X509_REQ_get_version"); ++ is(Net::SSLeay::X509_REQ_get_version($req), $x509_req_version_1, "X509_REQ_get_version"); + ok(my $obj_challengePassword = Net::SSLeay::OBJ_txt2obj('1.2.840.113549.1.9.7'), "OBJ_txt2obj"); + ok(my $nid_challengePassword = Net::SSLeay::OBJ_obj2nid($obj_challengePassword), "OBJ_obj2nid"); + is(Net::SSLeay::X509_REQ_get_attr_count($req), 3, "X509_REQ_get_attr_count"); +@@ -214,7 +216,8 @@ + + ## PHASE2 - turn X509_REQ into X509 cert + sign with CA key + ok(my $x509ss = Net::SSLeay::X509_new(), "X509_new"); +- ok(Net::SSLeay::X509_set_version($x509ss, 2), "X509_set_version"); ++ my $x509_version_3 = (defined &Net::SSLeay::X509_VERSION_3) ? Net::SSLeay::X509_VERSION_3() : 2; # Note: X509_VERSION_3 is 2 ++ ok(Net::SSLeay::X509_set_version($x509ss, $x509_version_3), "X509_set_version"); + ok(my $sn = Net::SSLeay::X509_get_serialNumber($x509ss), "X509_get_serialNumber"); + Net::SSLeay::P_ASN1_INTEGER_set_hex($sn, 'ABCDEF'); + Net::SSLeay::X509_set_issuer_name($x509ss, Net::SSLeay::X509_get_subject_name($ca_cert)); diff --git a/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec b/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec index 9d7ec23e23..12695ca6ec 100644 --- a/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec +++ b/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec 
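Review bot: The new compatible-openssl.patch starts directly at `diff -urN` and carries no header, so nothing in the file records which upstream Net-SSLeay change it was taken from, although the spec changelog describes it as an upstream fix. A short preamble before the first `diff` line, in the style CVE-2025-40909.patch uses elsewhere in this commit (`Upstream Patch Reference: <UPSTREAM_COMMIT_URL>`), would let a later reviewer check the backport against its origin. The fallback literals `: 2` and `: 0` are explained only by trailing comments; the header is also the place to say that they are the raw values used when the installed Net::SSLeay does not export the `X509_VERSION_3` and `X509_REQ_VERSION_1` constants.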
@@ -1,12 +1,14 @@ Summary: Perl extension for using OpenSSL Name: perl-Net-SSLeay Version: 1.92 -Release: 5%{?dist} +Release: 6%{?dist} License: Artistic 2.0 Group: Development/Libraries URL: https://metacpan.org/pod/distribution/Net-SSLeay/lib/Net/SSLeay.pod Source: https://cpan.metacpan.org/modules/by-module/Net/Net-SSLeay-%{version}.tar.gz Patch0: 0001-local-tests-skip-2-failing-tests.patch +Patch1: compatible-openssl.patch + %if 0%{?with_fips:1} Source100: openssl-fips-2.0.9-lin64.tar.gz %endif @@ -49,7 +51,7 @@ Net::SSLeay module basically comprise of: %prep %setup -q -n Net-SSLeay-%{version} -%patch 0 -p1 +%autopatch -p1 %build %if 0%{?with_fips:1} @@ -81,6 +83,9 @@ make test %{_mandir}/man?/* %changelog +* Wed May 21 2025 Riken Maharjan - 1.92-6 +- Fix ptest by adding upstream fix to the test. + * Mon Aug 05 2024 Daniel McIlvaney - 1.92-5 - Fix bad capitalization of perl(AutoLoader) diff --git a/SPECS-EXTENDED/perl-Role-Tiny/perl-Role-Tiny.signatures.json b/SPECS/perl-Role-Tiny/perl-Role-Tiny.signatures.json similarity index 100% rename from SPECS-EXTENDED/perl-Role-Tiny/perl-Role-Tiny.signatures.json rename to SPECS/perl-Role-Tiny/perl-Role-Tiny.signatures.json diff --git a/SPECS-EXTENDED/perl-Role-Tiny/perl-Role-Tiny.spec b/SPECS/perl-Role-Tiny/perl-Role-Tiny.spec similarity index 100% rename from SPECS-EXTENDED/perl-Role-Tiny/perl-Role-Tiny.spec rename to SPECS/perl-Role-Tiny/perl-Role-Tiny.spec diff --git a/SPECS/perl-Type-Tiny/perl-Type-Tiny.signatures.json b/SPECS/perl-Type-Tiny/perl-Type-Tiny.signatures.json new file mode 100644 index 0000000000..f5f01cae0b --- /dev/null +++ b/SPECS/perl-Type-Tiny/perl-Type-Tiny.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "perl-Type-Tiny-2.008002.tar.gz": "3d12f4c4952e1184b10a45ce45bba8226aad2ec584032dcde6adf5074be6b46e" + } +} + diff --git a/SPECS/perl-Type-Tiny/perl-Type-Tiny.spec b/SPECS/perl-Type-Tiny/perl-Type-Tiny.spec new file mode 100644 index 0000000000..802560b740 --- /dev/null 
+++ b/SPECS/perl-Type-Tiny/perl-Type-Tiny.spec 
@@ -0,0 +1,396 @@ +Name: perl-Type-Tiny +Version: 2.008002 +Release: 2%{?dist} +Summary: Tiny, yet Moo(se)-compatible type constraint +License: GPL+ OR Artistic +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://metacpan.org/release/Type-Tiny +Source0: https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/Type-Tiny-%{version}.tar.gz#/perl-Type-Tiny-%{version}.tar.gz +BuildArch: noarch + +# --with reply_plugin +# Default: --without +# Marked as unstable (cf. lib/Reply/Plugin/TypeTiny.pm) +%bcond_with reply_plugin + +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: sed +BuildRequires: %{__make} +BuildRequires: %{__perl} + +BuildRequires: perl-interpreter +BuildRequires: perl-generators +BuildRequires: perl(:VERSION) >= 5.6.1 + +BuildRequires: perl(B) +BuildRequires: perl(B::Deparse) +BuildRequires: perl(Carp) +BuildRequires: perl(Config) +BuildRequires: perl(constant) +BuildRequires: perl(CPAN::Meta::Requirements) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(Encode) +%if "%{version}" >= "2.000001" +BuildRequires: perl(Exporter::Tiny) >= 1.004001 +%else +BuildRequires: perl(Exporter::Tiny) >= 0.040 +%endif +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.17 +%if "%{version}" >= "2.000001" +BuildRequires: perl(experimental) +%endif +BuildRequires: perl(feature) +BuildRequires: perl(lib) +BuildRequires: perl(Math::BigFloat) +BuildRequires: perl(Scalar::Util) +BuildRequires: perl(Test::Fatal) +#BuildRequires: perl(Test::Moose) +BuildRequires: perl(Test::More) >= 0.96 +BuildRequires: perl(Test::Requires) +BuildRequires: perl(Test::Tester) >= 0.109 +%if "%{version}" >= "2.000001" +BuildRequires: perl(Test::Deep) +%endif +BuildRequires: perl(Text::Balanced) +BuildRequires: perl(overload) +BuildRequires: perl(strict) +BuildRequires: perl(threads) +BuildRequires: perl(Tie::Array) +BuildRequires: perl(Tie::Hash) +BuildRequires: perl(Tie::Scalar) +BuildRequires: perl(utf8) +BuildRequires: perl(warnings) + +Requires: perl(B::Deparse) 
+Requires: perl(Carp) +Requires: perl(Data::Dumper) + +Recommends: perl(Type::Tiny::XS) + +%description +Type::Tiny is a tiny class for creating Moose-like type constraint objects +which are compatible with Moo, Moose and Mouse. + +%package -n perl-Test-TypeTiny +Summary: Test::TypeTiny module + +%description -n perl-Test-TypeTiny +Test::TypeTiny module. + +%prep +%setup -q -n Type-Tiny-%{version} +# Remove bundled modules +rm -r ./inc +sed -i -e '/^inc\//d' MANIFEST + +%build +%{__perl} Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 +%{make_build} + +%install +%{make_install} DESTDIR=$RPM_BUILD_ROOT +%{_fixperms} $RPM_BUILD_ROOT/* + +%check +%{__make} test + +%files +%doc Changes CREDITS NEWS README +%license LICENSE COPYRIGHT +%{perl_vendorlib}/* +%{!?with_reply_plugin:%exclude %{perl_vendorlib}/Reply} +%{_mandir}/man3/* +%exclude %{perl_vendorlib}/Test +%exclude %{_mandir}/man3/Test::TypeTiny.3pm* + +%files -n perl-Test-TypeTiny +%{perl_vendorlib}/Test +%{_mandir}/man3/Test::TypeTiny.3pm* + +%changelog +* Mon May 12 2025 Kanishk Bansal - 2.008002-2 +- Initial Azure Linux import from Fedora 43 (license: MIT) +- License verified + +* Mon May 05 2025 Jitka Plesnikova - 2.008002-1 +- 2.008002 bump (rhbz#2357958) + +* Sat Jan 18 2025 Fedora Release Engineering - 2.006000-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Tue Oct 01 2024 Ralf Corsépius - 2.006000-1 +- Update to 2.006000. +- Reflect perl(Reply::Plugin) having been added to Fedora. +- Remove references to perl-Type-Tie. 
+ +* Fri Jul 19 2024 Fedora Release Engineering - 2.004000-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 2.004000-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 2.004000-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jul 21 2023 Fedora Release Engineering - 2.004000-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Apr 24 2023 Ralf Corsépius - 2.004000-1 +- Update to 2.004000. + +* Mon Jan 30 2023 Ralf Corsépius - 2.002001-1 +- Update to 2.002001. + +* Fri Jan 20 2023 Fedora Release Engineering - 2.002000-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Jan 04 2023 Ralf Corsépius - 2.002000-1 +- Update to 2.002000. + +* Sat Nov 19 2022 Ralf Corsépius - 2.000001-3 +- Don't BR: perl(Type::Tiny::XS) if bootstrapping. + +* Wed Nov 16 2022 Ralf Corsépius - 2.000001-2 +- Add perl(Type::Tiny::XS) + +* Tue Oct 04 2022 Ralf Corsépius - 2.000001-1 +- Update to 2.000001. + +* Mon Sep 12 2022 Ralf Corsépius - 1.016010-1 +- Update to 1.016010. + +* Mon Aug 22 2022 Ralf Corsépius - 1.016008-2 +- Re-add BR: perl(Data::Constraint). + +* Thu Aug 18 2022 Ralf Corsépius - 1.016008-1 +- Update to 1.016008. + +* Fri Jul 22 2022 Fedora Release Engineering - 1.014000-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jul 11 2022 Ralf Corsépius - 1.014000-1 +- Update to 1.014000. + +* Fri Jul 01 2022 Ralf Corsépius - 1.012005-3 +- Add BR: perl(MouseX::Types::Common). +- Address BR-cycle (RHBZ#2096309#c2). + +* Mon Jun 13 2022 Ralf Corsépius - 1.012005-2 +- Add and comment out BR: perl(Data::Constraint), + BR: perl(MooseX::Types::DBIx::Class), BR: perl(Types::ReadOnly) + +* Mon Jun 13 2022 Ralf Corsépius - 1.012005-1 +- Upstream update to 1.012005. +- Add BR: perl(MooX::TypeTiny). 
+ +* Fri Jun 03 2022 Jitka Plesnikova - 1.012004-4 +- Perl 5.36 re-rebuild of bootstrapped packages + +* Wed Jun 01 2022 Jitka Plesnikova - 1.012004-3 +- Perl 5.36 rebuild + +* Fri Jan 21 2022 Fedora Release Engineering - 1.012004-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Sep 13 2021 Ralf Corsépius - 1.012004-1 +- Update to 1.012004. + +* Sun Sep 12 2021 Ralf Corsépius - 1.012003-1 +- Cleanup Jitka's broken git-merger. +- Update to 1.012003. + +* Tue Jul 27 2021 Fedora Release Engineering - 1.012001-4 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon May 24 2021 Jitka Plesnikova - 1.012001-3 +- Perl 5.34 re-rebuild of bootstrapped packages + +* Sun May 23 2021 Jitka Plesnikova - 1.012001-2 +- Perl 5.34 rebuild + +* Tue Apr 27 2021 Ralf Corsépius - 1.012001-1 +- Update to 1.012001. +- Add BR: perl(Devel::Refcount). + +* Wed Jan 27 2021 Fedora Release Engineering - 1.010006-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Sep 17 2020 Ralf Corsépius - 1.010006-1 +- Update to 1.010006. + +* Thu Sep 17 2020 Ralf Corsépius - 1.010005-1 +- Update to 1.010005. + +* Fri Aug 21 2020 Ralf Corsépius - 1.010004-1 +- Update to 1.010004. +- Add BR: perl(match::simple). + +* Tue Jul 28 2020 Fedora Release Engineering - 1.010002-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jun 26 2020 Jitka Plesnikova - 1.010002-3 +- Perl 5.32 re-rebuild of bootstrapped packages + +* Tue Jun 23 2020 Jitka Plesnikova - 1.010002-2 +- Perl 5.32 rebuild + +* Wed May 06 2020 Ralf Corsépius - 1.010002-1 +- Update to 1.010002. + +* Thu Mar 26 2020 Ralf Corsépius - 1.010001-1 +- Update to 1.010001. + +* Thu Mar 05 2020 Ralf Corsépius - 1.010000-1 +- Update to 1.010000. + +* Wed Feb 12 2020 Ralf Corsépius - 1.008005-1 +- Update to 1.008005. 
+ +* Thu Jan 30 2020 Fedora Release Engineering - 1.008003-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Ralf Corsépius - 1.008003-1 +- Update to 1.008003. + +* Tue Jan 14 2020 Ralf Corsépius - 1.008002-1 +- Update to 1.008002. +- Add BR: perl(Specio), perl(Specio::Library::Builtins, + perl(Test::Memory::Cycle). + +* Thu Dec 19 2019 Ralf Corsépius - 1.008000-1 +- Update to 1.008000. + +* Fri Jul 26 2019 Fedora Release Engineering - 1.004004-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Jun 02 2019 Jitka Plesnikova - 1.004004-4 +- Perl 5.30 re-rebuild of bootstrapped packages + +* Fri May 31 2019 Jitka Plesnikova - 1.004004-3 +- Perl 5.30 rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 1.004004-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Ralf Corsépius - 1.004004-1 +- Update to 1.004004. + +* Tue Aug 07 2018 Ralf Corsépius - 1.004002-1 +- Update to 1.004002. +- Add BR: perl(IO::String). +- Add and comment out BR: perl(MouseX::Types::Common). + +* Fri Jul 13 2018 Fedora Release Engineering - 1.002002-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sat Jun 30 2018 Jitka Plesnikova - 1.002002-3 +- Perl 5.28 re-rebuild of bootstrapped packages + +* Sat Jun 30 2018 Jitka Plesnikova - 1.002002-2 +- Perl 5.28 rebuild + +* Mon May 21 2018 Ralf Corsépius - 1.002002-1 +- Update to 1.002002. +- Add BR: perl(Ref::Util::XS). + +* Fri Feb 09 2018 Fedora Release Engineering - 1.002001-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.002001-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 21 2017 Ralf Corsépius - 1.002001-1 +- Update to 1.002001. 
+ +* Wed Jun 07 2017 Jitka Plesnikova - 1.002000-2 +- Perl 5.26 re-rebuild of bootstrapped packages + +* Wed Jun 07 2017 Ralf Corsépius - 1.002000-1 +- Update to 1.002000. + +* Tue Jun 06 2017 Jitka Plesnikova - 1.000006-7 +- Perl 5.26 rebuild + +* Mon Mar 20 2017 Ralf Corsépius - 1.000006-6 +- Don't BR: perl(Return::Type), perl(Types::Path::Tiny) if perl_bootstrapping + (From ppisar@redhat.com, RHBZ#1433344) + +* Mon Feb 13 2017 Ralf Corsépius - 1.000006-5 +- Add further optional part of testsuites: BR: perl(Validation::Class), + perl(Validation::Class::Simple). + +* Fri Feb 10 2017 Ralf Corsépius - 1.000006-4 +- Add further optional part of testsuite: BR: perl(Return::Type). + +* Thu Feb 09 2017 Ralf Corsépius - 1.000006-3 +- Add further optional part of testsuite: BR: perl(Type::Tie). + +* Thu Feb 09 2017 Ralf Corsépius - 1.000006-2 +- Add more optional parts of testsuite: + - BR: perl(Sub::Exporter::Lexical). + - BR: perl(Types::Path::Tiny). + +* Thu Feb 02 2017 Ralf Corsépius - 1.000006-1 +- Update to 1.000006. +- Add BuildRequires: perl(Function::Parameters) + +* Mon May 16 2016 Jitka Plesnikova - 1.000005-7 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 1.000005-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 29 2016 Ralf Corsépius - 1.000005-5 +- Modernize spec. +- Add COPYRIGHT to %%license. +* Tue Jul 21 2015 Petr Pisar - 1.000005-4 +- Specify all dependencies (bug #1245096) + +* Thu Jun 18 2015 Fedora Release Engineering - 1.000005-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 08 2015 Jitka Plesnikova - 1.000005-2 +- Perl 5.22 rebuild + +* Mon Oct 27 2014 Ralf Corsépius - 1.000005-1 +- Upstream update. + +* Thu Sep 04 2014 Jitka Plesnikova - 1.000004-2 +- Perl 5.20 rebuild + +* Thu Sep 04 2014 Ralf Corsépius - 1.000004-1 +- Upstream update. 
+ +* Mon Sep 01 2014 Jitka Plesnikova - 1.000003-2 +- Perl 5.20 rebuild + +* Sun Aug 31 2014 Ralf Corsépius - 1.000003-1 +- Upstream update. + +* Fri Aug 22 2014 Ralf Corsépius - 1.000002-1 +- Upstream update. +- Update deps. + +* Mon Aug 18 2014 Ralf Corsépius - 1.000000-1 +- Upstream update. + +* Thu Jul 24 2014 Ralf Corsépius - 0.046-1 +- Upstream update. + +* Mon Jun 23 2014 Ralf Corsépius - 0.044-1 +- Upstream update. +- Spec file cosmetics. +- BR: perl(Test::Moose), perl(MooseX::Getopt). + +* Sat Jun 07 2014 Fedora Release Engineering - 0.042-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Apr 08 2014 Ralf Corsépius - 0.042-1 +- Upstream update. +- Split out perl(Test::TypeTiny) to avoid deps on perl(Test::*). + +* Fri Mar 21 2014 Ralf Corsépius - 0.040-1 +- Initial Fedora package. diff --git a/SPECS/perl-URI/perl-URI.spec b/SPECS/perl-URI/perl-URI.spec index ad6ad0a6ea..3171847de0 100644 --- a/SPECS/perl-URI/perl-URI.spec +++ b/SPECS/perl-URI/perl-URI.spec @@ -3,7 +3,7 @@ Name: perl-URI Version: 5.21 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A Perl module implementing URI parsing and manipulation License: GPL+ or Artistic Vendor: Microsoft Corporation @@ -42,6 +42,8 @@ BuildRequires: perl(Storable) BuildRequires: perl(Test) BuildRequires: perl(Test::More) >= 0.96 BuildRequires: perl(Test::Needs) +BuildRequires: perl(Test::Fatal) +BuildRequires: perl(Test::Warnings) # Runtime Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(Cwd) @@ -90,6 +92,9 @@ make test %{_mandir}/man3/URI::*.3* %changelog +* Wed May 21 2025 Riken Maharjan - 5.21-2 +- Fix ptest by adding missing runtime dep + * Mon Dec 18 2023 CBL-Mariner Servicing Account - 5.21-1 - Auto-upgrade to 5.21 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/perl/CVE-2025-40909.patch b/SPECS/perl/CVE-2025-40909.patch new file mode 100644 index 0000000000..f1f7bc6927 --- /dev/null +++ b/SPECS/perl/CVE-2025-40909.patch 
@@ -0,0 +1,409 @@ +From 288b4a81fe815d7193154e92593ece358ff947e2 Mon Sep 17 00:00:00 2001 +From: Aninda +Date: Tue, 3 Jun 2025 09:33:20 -0400 +Subject: [PATCH] Address CVE-2025-40909 +Upstream Patch Reference: https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch + +--- + Configure | 6 ++ + Cross/config.sh-arm-linux | 1 + + Cross/config.sh-arm-linux-n770 | 1 + + Porting/Glossary | 5 ++ + Porting/config.sh | 1 + + config_h.SH | 6 ++ + configure.com | 1 + + plan9/config_sh.sample | 1 + + sv.c | 91 +---------------------------- + t/op/threads-dirh.t | 104 +-------------------------------- + win32/config.gc | 1 + + win32/config.vc | 1 + + 12 files changed, 28 insertions(+), 191 deletions(-) + +diff --git a/Configure b/Configure +index e662b49..8327989 100755 +--- a/Configure ++++ b/Configure +@@ -478,6 +478,7 @@ d_fd_set='' + d_fds_bits='' + d_fdclose='' + d_fdim='' ++d_fdopendir='' + d_fegetround='' + d_ffs='' + d_ffsl='' +@@ -13337,6 +13338,10 @@ esac + set i_fcntl + eval $setvar + ++: see if fdopendir exists ++set fdopendir d_fdopendir ++eval $inlibc ++ + : see if fork exists + set fork d_fork + eval $inlibc +@@ -24808,6 +24813,7 @@ d_flockproto='$d_flockproto' + d_fma='$d_fma' + d_fmax='$d_fmax' + d_fmin='$d_fmin' ++d_fdopendir='$d_fdopendir' + d_fork='$d_fork' + d_fp_class='$d_fp_class' + d_fp_classify='$d_fp_classify' +diff --git a/Cross/config.sh-arm-linux b/Cross/config.sh-arm-linux +index a61ea41..19154f2 100644 +--- a/Cross/config.sh-arm-linux ++++ b/Cross/config.sh-arm-linux +@@ -212,6 +212,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='define' + d_ffs='undef' +diff --git a/Cross/config.sh-arm-linux-n770 b/Cross/config.sh-arm-linux-n770 +index ed18781..ec32ad9 100644 +--- a/Cross/config.sh-arm-linux-n770 ++++ b/Cross/config.sh-arm-linux-n770 +@@ -211,6 +211,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + 
d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='define' + d_ffs='undef' +diff --git a/Porting/Glossary b/Porting/Glossary +index f38aa14..2b0df05 100644 +--- a/Porting/Glossary ++++ b/Porting/Glossary +@@ -947,6 +947,11 @@ d_fmin (d_fmin.U): + This variable conditionally defines the HAS_FMIN symbol, which + indicates to the C program that the fmin() routine is available. + ++d_fdopendir (d_fdopendir.U): ++ This variable conditionally defines the HAS_FORK symbol, which ++ indicates that the fdopen routine is available to open a ++ directory descriptor. ++ + d_fork (d_fork.U): + This variable conditionally defines the HAS_FORK symbol, which + indicates to the C program that the fork() routine is available. +diff --git a/Porting/config.sh b/Porting/config.sh +index f914487..5834918 100644 +--- a/Porting/config.sh ++++ b/Porting/config.sh +@@ -223,6 +223,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='define' ++d_fdopendir='define' + d_fds_bits='define' + d_fegetround='define' + d_ffs='define' +diff --git a/config_h.SH b/config_h.SH +index 5880dc5..bf930a6 100755 +--- a/config_h.SH ++++ b/config_h.SH +@@ -142,6 +142,12 @@ sed <$CONFIG_H -e 's!^#undef\(.*/\)\*!/\*#define\1 \*!' -e 's!^#un + */ + #$d_fcntl HAS_FCNTL /**/ + ++/* HAS_FDOPENDIR: ++ * This symbol, if defined, indicates that the fdopen routine is ++ * available to open a directory descriptor. ++ */ ++#$d_fdopendir HAS_FDOPENDIR /**/ ++ + /* HAS_FGETPOS: + * This symbol, if defined, indicates that the fgetpos routine is + * available to get the file position indicator, similar to ftell(). 
+diff --git a/configure.com b/configure.com +index 9b43ca6..6514f32 100644 +--- a/configure.com ++++ b/configure.com +@@ -6010,6 +6010,7 @@ $ WC "d_fd_set='" + d_fd_set + "'" + $ WC "d_fd_macros='define'" + $ WC "d_fdclose='undef'" + $ WC "d_fdim='" + d_fdim + "'" ++$ WC "d_fdopendir='undef'" + $ WC "d_fds_bits='define'" + $ WC "d_fegetround='undef'" + $ WC "d_ffs='undef'" +diff --git a/plan9/config_sh.sample b/plan9/config_sh.sample +index e9dba44..12322fa 100644 +--- a/plan9/config_sh.sample ++++ b/plan9/config_sh.sample +@@ -212,6 +212,7 @@ d_fd_macros='undef' + d_fd_set='undef' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir=undef + d_fds_bits='undef' + d_fegetround='undef' + d_ffs='undef' +diff --git a/sv.c b/sv.c +index ae40a2d..f3403fd 100644 +--- a/sv.c ++++ b/sv.c +@@ -13944,15 +13944,6 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param) + { + DIR *ret; + +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR) +- DIR *pwd; +- const Direntry_t *dirent; +- char smallbuf[256]; /* XXX MAXPATHLEN, surely? */ +- char *name = NULL; +- STRLEN len = 0; +- long pos; +-#endif +- + PERL_UNUSED_CONTEXT; + PERL_ARGS_ASSERT_DIRP_DUP; + +@@ -13964,89 +13955,13 @@ Perl_dirp_dup(pTHX_ DIR *const dp, CLONE_PARAMS *const param) + if (ret) + return ret; + +-#if defined(HAS_FCHDIR) && defined(HAS_TELLDIR) && defined(HAS_SEEKDIR) ++#ifdef HAS_FDOPENDIR + + PERL_UNUSED_ARG(param); + +- /* create anew */ +- +- /* open the current directory (so we can switch back) */ +- if (!(pwd = PerlDir_open("."))) return (DIR *)NULL; +- +- /* chdir to our dir handle and open the present working directory */ +- if (fchdir(my_dirfd(dp)) < 0 || !(ret = PerlDir_open("."))) { +- PerlDir_close(pwd); +- return (DIR *)NULL; +- } +- /* Now we should have two dir handles pointing to the same dir. */ +- +- /* Be nice to the calling code and chdir back to where we were. */ +- /* XXX If this fails, then what? 
*/ +- PERL_UNUSED_RESULT(fchdir(my_dirfd(pwd))); ++ ret = fdopendir(dup(my_dirfd(dp))); + +- /* We have no need of the pwd handle any more. */ +- PerlDir_close(pwd); +- +-#ifdef DIRNAMLEN +-# define d_namlen(d) (d)->d_namlen +-#else +-# define d_namlen(d) strlen((d)->d_name) +-#endif +- /* Iterate once through dp, to get the file name at the current posi- +- tion. Then step back. */ +- pos = PerlDir_tell(dp); +- if ((dirent = PerlDir_read(dp))) { +- len = d_namlen(dirent); +- if (len > sizeof(dirent->d_name) && sizeof(dirent->d_name) > PTRSIZE) { +- /* If the len is somehow magically longer than the +- * maximum length of the directory entry, even though +- * we could fit it in a buffer, we could not copy it +- * from the dirent. Bail out. */ +- PerlDir_close(ret); +- return (DIR*)NULL; +- } +- if (len <= sizeof smallbuf) name = smallbuf; +- else Newx(name, len, char); +- Move(dirent->d_name, name, len, char); +- } +- PerlDir_seek(dp, pos); +- +- /* Iterate through the new dir handle, till we find a file with the +- right name. */ +- if (!dirent) /* just before the end */ +- for(;;) { +- pos = PerlDir_tell(ret); +- if (PerlDir_read(ret)) continue; /* not there yet */ +- PerlDir_seek(ret, pos); /* step back */ +- break; +- } +- else { +- const long pos0 = PerlDir_tell(ret); +- for(;;) { +- pos = PerlDir_tell(ret); +- if ((dirent = PerlDir_read(ret))) { +- if (len == (STRLEN)d_namlen(dirent) +- && memEQ(name, dirent->d_name, len)) { +- /* found it */ +- PerlDir_seek(ret, pos); /* step back */ +- break; +- } +- /* else we are not there yet; keep iterating */ +- } +- else { /* This is not meant to happen. The best we can do is +- reset the iterator to the beginning. 
*/ +- PerlDir_seek(ret, pos0); +- break; +- } +- } +- } +-#undef d_namlen +- +- if (name && name != smallbuf) +- Safefree(name); +-#endif +- +-#ifdef WIN32 ++#elif defined(WIN32) + ret = win32_dirp_dup(dp, param); + #endif + +diff --git a/t/op/threads-dirh.t b/t/op/threads-dirh.t +index bb4bcfc..14c399c 100644 +--- a/t/op/threads-dirh.t ++++ b/t/op/threads-dirh.t +@@ -13,16 +13,12 @@ BEGIN { + skip_all_if_miniperl("no dynamic loading on miniperl, no threads"); + skip_all("runs out of memory on some EBCDIC") if $ENV{PERL_SKIP_BIG_MEM_TESTS}; + +- plan(6); ++ plan(1); + } + + use strict; + use warnings; + use threads; +-use threads::shared; +-use File::Path; +-use File::Spec::Functions qw 'updir catdir'; +-use Cwd 'getcwd'; + + # Basic sanity check: make sure this does not crash + fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh'; +@@ -31,101 +27,3 @@ fresh_perl_is <<'# this is no comment', 'ok', {}, 'crash when duping dirh'; + async{}->join for 1..2; + print "ok"; + # this is no comment +- +-my $dir; +-SKIP: { +- skip "telldir or seekdir not defined on this platform", 5 +- if !$Config::Config{d_telldir} || !$Config::Config{d_seekdir}; +- my $skip = sub { +- chdir($dir); +- chdir updir; +- skip $_[0], 5 +- }; +- +- if(!$Config::Config{d_fchdir} && $^O ne "MSWin32") { +- $::TODO = 'dir handle cloning currently requires fchdir on non-Windows platforms'; +- } +- +- my @w :shared; # warnings accumulator +- local $SIG{__WARN__} = sub { push @w, $_[0] }; +- +- $dir = catdir getcwd(), "thrext$$" . 
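Review bot: In the sv.c hunk, `ret = fdopendir(dup(my_dirfd(dp)));` never looks at the descriptor dup() returns, so when dup() succeeds and fdopendir() then fails the duplicate is leaked, and a dup() failure shows up only as a NULL stream. Holding the descriptor in a local, calling fdopendir() only when it is valid and closing it when fdopendir() returns NULL addresses both, as sketched below. The duplicate refers to the same open file description as the original, so the two handles presumably share one read position; the cases removed from t/op/threads-dirh.t were the ones that checked independent iteration, and a comment above the call saying so would help the next reader. The Porting/Glossary entry added by the same patch says `HAS_FORK`, and both it and config_h.SH say `fdopen`, where `HAS_FDOPENDIR` and `fdopendir` are meant. Perl_dirp_dup continues past the end of the hunk.

```c
#ifdef HAS_FDOPENDIR

    PERL_UNUSED_ARG(param);

    {
        /* ret is NULL here: the earlier "if (ret) return ret;" did not fire */
        const int dupfd = dup(my_dirfd(dp));

        if (dupfd >= 0) {
            ret = fdopendir(dupfd);
            if (!ret)
                close(dupfd); /* no stream was created, so nothing else will close it */
        }
    }

/* … unchanged: #elif defined(WIN32) branch … */
```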
int rand() * 100000; +- +- rmtree($dir) if -d $dir; +- mkdir($dir); +- +- # Create a dir structure like this: +- # $dir +- # | +- # `- toberead +- # | +- # +---- thrit +- # | +- # +---- rile +- # | +- # `---- zor +- +- chdir($dir); +- mkdir 'toberead'; +- chdir 'toberead'; +- {open my $fh, ">thrit" or &$skip("Cannot create file thrit")} +- {open my $fh, ">rile" or &$skip("Cannot create file rile")} +- {open my $fh, ">zor" or &$skip("Cannot create file zor")} +- chdir updir; +- +- # Then test that dir iterators are cloned correctly. +- +- opendir my $toberead, 'toberead'; +- my $start_pos = telldir $toberead; +- my @first_2 = (scalar readdir $toberead, scalar readdir $toberead); +- my @from_thread = @{; async { [readdir $toberead ] } ->join }; +- my @from_main = readdir $toberead; +- is join('-', sort @from_thread), join('-', sort @from_main), +- 'dir iterator is copied from one thread to another'; +- like +- join('-', "", sort(@first_2, @from_thread), ""), +- qr/(?join, 'undef', +- 'cloned dir iterator that points to the end of the directory' +- ; +- } +- +- # Make sure the cloning code can handle file names longer than 255 chars +- SKIP: { +- chdir 'toberead'; +- open my $fh, +- ">floccipaucinihilopilification-" +- . "pneumonoultramicroscopicsilicovolcanoconiosis-" +- . "lopadotemachoselachogaleokranioleipsanodrimypotrimmatosilphiokarabo" +- . "melitokatakechymenokichlepikossyphophattoperisteralektryonoptokephal" +- . 
"liokinklopeleiolagoiosiraiobaphetraganopterygon" +- or +- chdir updir, +- skip("OS does not support long file names (and I mean *long*)", 1); +- chdir updir; +- opendir my $dirh, "toberead"; +- my $test_name +- = "dir iterators can be cloned when the next fn > 255 chars"; +- while() { +- my $pos = telldir $dirh; +- my $fn = readdir($dirh); +- if(!defined $fn) { fail($test_name); last SKIP; } +- if($fn =~ 'lagoio') { +- seekdir $dirh, $pos; +- last; +- } +- } +- is length async { scalar readdir $dirh } ->join, 258, $test_name; +- } +- +- is scalar @w, 0, 'no warnings during all that' or diag @w; +- chdir updir; +-} +-rmtree($dir); +diff --git a/win32/config.gc b/win32/config.gc +index 3de8b72..6223615 100644 +--- a/win32/config.gc ++++ b/win32/config.gc +@@ -199,6 +199,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='define' + d_fegetround='undef' + d_ffs='undef' +diff --git a/win32/config.vc b/win32/config.vc +index 934e78f..b621cbf 100644 +--- a/win32/config.vc ++++ b/win32/config.vc +@@ -199,6 +199,7 @@ d_fd_macros='define' + d_fd_set='define' + d_fdclose='undef' + d_fdim='undef' ++d_fdopendir='undef' + d_fds_bits='define' + d_fegetround='undef' + d_ffs='undef' +-- +2.34.1 + diff --git a/SPECS/perl/perl-remove-psw-protected-zip.patch b/SPECS/perl/perl-remove-psw-protected-zip.patch new file mode 100644 index 0000000000..a985e22284 --- /dev/null +++ b/SPECS/perl/perl-remove-psw-protected-zip.patch 
@@ -0,0 +1,38 @@ +diff -ru perl-5.38.2-orig/MANIFEST perl-5.38.2/MANIFEST +--- perl-5.38.2-orig/MANIFEST 2025-05-27 11:19:46.070345254 -0400 ++++ perl-5.38.2/MANIFEST 2025-05-27 11:23:50.224235644 -0400 +@@ -1399,7 +1399,6 @@ + cpan/IO-Compress/t/cz-14gzopen.t IO::Compress + cpan/IO-Compress/t/files/bad-efs.zip + cpan/IO-Compress/t/files/encrypt-aes.zip +-cpan/IO-Compress/t/files/encrypt-standard.zip + cpan/IO-Compress/t/files/jar.zip + cpan/IO-Compress/t/files/meta.xml + cpan/IO-Compress/t/files/test.ods +diff -ru perl-5.38.2-orig/cpan/IO-Compress/t/105oneshot-zip-only.t perl-5.38.2/cpan/IO-Compress/t/105oneshot-zip-only.t +--- perl-5.38.2-orig/cpan/IO-Compress/t/105oneshot-zip-only.t 2025-05-27 11:19:46.300345249 -0400 ++++ perl-5.38.2/cpan/IO-Compress/t/105oneshot-zip-only.t 2025-05-27 11:23:45.336599173 -0400 +@@ -163,23 +163,6 @@ + } + + { +- title "Detect encrypted zip file"; +- +- my $files = "./t/" ; +- $files = "./" if $ENV{PERL_CORE} ; +- $files .= "files/"; +- +- my $zipfile = "$files/encrypt-standard.zip" ; +- my $output; +- +- ok ! unzip "$files/encrypt-standard.zip" => \$output ; +- like $UnzipError, qr/Encrypted content not supported/ ; +- +- ok ! unzip "$files/encrypt-aes.zip" => \$output ; +- like $UnzipError, qr/Encrypted content not supported/ ; +-} +- +-{ + title "jar file with deflated directory"; + + # Create Jar as follow diff --git a/SPECS/perl/perl.signatures.json b/SPECS/perl/perl.signatures.json index 5c367339a8..5e9e0824d2 100644 --- a/SPECS/perl/perl.signatures.json +++ b/SPECS/perl/perl.signatures.json 
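Review bot: The removed "Detect encrypted zip file" block in `105oneshot-zip-only.t` also drops both assertions against `encrypt-aes.zip`, although the MANIFEST hunk removes only `encrypt-standard.zip` and still lists `encrypt-aes.zip`. With the whole block gone, nothing in this test file checks that encrypted archives are rejected with `Encrypted content not supported`. If the AES fixture really does remain in the scrubbed tarball (inferred from the MANIFEST context, not confirmed here), keep the block and delete only `my $zipfile = "$files/encrypt-standard.zip" ;` plus the first `ok ! unzip ... ;` / `like $UnzipError, ...` pair.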
@@ -3,6 +3,6 @@ "Pod-Html-license-clarification": "8667642d6d3a4ca8d8281b33b5e83a264e7681eb5080256331ae34b09d63b0cc", "gendep.macros": "acde93c38249583f6e24fa21cc4066ffbca617d36f8cba5d4676408ae0bbefb2", "macros.perl": "0597172591cea26c81e92b580b63cb1c5e812cc354c34ac21b8ebc1854713183", - "perl-5.38.2.tar.xz": "d91115e90b896520e83d4de6b52f8254ef2b70a8d545ffab33200ea9f1cf29e8" + "perl-5.38.2-scrubbed.tar.xz": "6f5b72cd31d009f364b5ac8b20b0e5493203b70a8d997ced785d5a2a5d68a1a7" } } diff --git a/SPECS/perl/perl.spec b/SPECS/perl/perl.spec index ad77394698..331aaba694 100644 --- a/SPECS/perl/perl.spec +++ b/SPECS/perl/perl.spec @@ -127,12 +127,13 @@ License: GPL+ or Artistic Epoch: %{perl_epoch} Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 507%{?dist} +Release: 509%{?dist} Summary: Practical Extraction and Report Language Url: https://www.perl.org/ Vendor: Microsoft Corporation Distribution: Azure Linux -Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz +# Note that scrubbed version of the source tarball contains upstream source minus password protected files which password is not known +Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz#/perl-%{perl_version}-scrubbed.tar.xz Source3: macros.perl # Tom Christiansen confirms Pod::Html uses the same license as perl Source6: Pod-Html-license-clarification @@ -174,6 +175,9 @@ Patch13: perl-5.28.0-Pass-CFLAGS-to-dtrace.patch # Fixed in perl 5.39.3, in locale.c was more changes Patch14: perl-5.38.0-Revert-Do-uselocale-earlier-in-init-process.patch +# remove password protected zip file which password is not known +Patch15: perl-remove-psw-protected-zip.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch 
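Review bot: In the `@@ -127,12 +127,13 @@` hunk of perl.spec, `Source0` still names the upstream CPAN URL, but the signature now recorded is for `perl-%{perl_version}-scrubbed.tar.xz`. Nothing downloaded from that URL can match the new SHA-256, and the added comment does not say how the scrubbed archive is derived from upstream. Since the integrity of this source now rests on a locally produced artifact, the comment should record the upstream hash and the exact removals, e.g. `# scrubbed = upstream perl-%{perl_version}.tar.xz (sha256 <UPSTREAM_SHA256>) with <REMOVED_FILES> deleted; regenerate with <REGEN_STEPS>`. The angle-bracket values are placeholders; the previous signature entry removed in the perl.signatures.json hunk appears to be the upstream hash.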
@@ -185,6 +189,8 @@ Patch202: perl-5.36.0-Add-definition-of-OPTIMIZE-to-.ph-files.patch Patch203: CVE-2024-56406.patch +Patch204: CVE-2025-40909.patch + # Update some of the bundled modules # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions @@ -6840,6 +6846,12 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Wed Jun 04 2025 Aninda Pradhan - 4:5.38.2-509 +- Patch CVE-2025-40909 + +* Tue May 27 2025 Nicolas Guibourge - 4:5.38.2-508 +- Remove password protected zip files from upstream src tarball + * Tue Apr 08 2025 Andrew Phelps - 4:5.38.2-507 - Patch CVE-2024-56406 diff --git a/SPECS/php/php-8.0.0-embed.patch b/SPECS/php/php-8.3.20-embed.patch similarity index 67% rename from SPECS/php/php-8.0.0-embed.patch rename to SPECS/php/php-8.3.20-embed.patch index 27533ea4e5..72538ff3eb 100644 --- a/SPECS/php/php-8.0.0-embed.patch +++ b/SPECS/php/php-8.3.20-embed.patch @@ -1,10 +1,10 @@ diff -up ./sapi/embed/config.m4.embed ./sapi/embed/config.m4 ---- ./sapi/embed/config.m4.embed 2020-07-07 13:51:05.879764972 +0200 -+++ ./sapi/embed/config.m4 2020-07-07 13:52:50.128412148 +0200 -@@ -12,7 +12,8 @@ if test "$PHP_EMBED" != "no"; then - yes|shared) - LIBPHP_CFLAGS="-shared" - PHP_EMBED_TYPE=shared +--- ./sapi/embed/config.m4.embed 2025-03-26 08:07:06.692333414 +0100 ++++ ./sapi/embed/config.m4 2025-03-26 08:07:42.872879994 +0100 +@@ -15,7 +15,8 @@ if test "$PHP_EMBED" != "no"; then + SAPI_SHARED="libs/libphp.dylib" + PHP_EMBED_TYPE=shared-dylib + ], [PHP_EMBED_TYPE=shared]) - INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(prefix)/lib; \$(INSTALL) -m 0755 $SAPI_SHARED \$(INSTALL_ROOT)\$(prefix)/lib" + EXTRA_LDFLAGS="$EXTRA_LDFLAGS -release \$(PHP_MAJOR_VERSION).\$(PHP_MINOR_VERSION)" + INSTALL_IT="\$(mkinstalldirs) \$(INSTALL_ROOT)\$(libdir); \$(LIBTOOL) --mode=install \$(INSTALL) -m 0755 \$(OVERALL_TARGET) \$(INSTALL_ROOT)\$(libdir)" 
@@ -12,8 +12,8 @@ diff -up ./sapi/embed/config.m4.embed ./sapi/embed/config.m4 static) LIBPHP_CFLAGS="-static" diff -up ./scripts/php-config.in.embed ./scripts/php-config.in ---- ./scripts/php-config.in.embed 2020-07-07 12:54:42.000000000 +0200 -+++ ./scripts/php-config.in 2020-07-07 13:51:05.880764968 +0200 +--- ./scripts/php-config.in.embed 2025-03-25 22:00:06.000000000 +0100 ++++ ./scripts/php-config.in 2025-03-26 08:07:06.692518461 +0100 @@ -18,7 +18,7 @@ exe_extension="@EXEEXT@" php_cli_binary=NONE php_cgi_binary=NONE @@ -22,4 +22,4 @@ diff -up ./scripts/php-config.in.embed ./scripts/php-config.in +php_sapis="apache2handler litespeed fpm phpdbg @PHP_INSTALLED_SAPIS@" ini_dir="@EXPANDED_PHP_CONFIG_FILE_SCAN_DIR@" ini_path="@EXPANDED_PHP_CONFIG_FILE_PATH@" - + \ No newline at end of file diff --git a/SPECS/php/php.signatures.json b/SPECS/php/php.signatures.json index 9564d45aae..f47d317aef 100644 --- a/SPECS/php/php.signatures.json +++ b/SPECS/php/php.signatures.json 
@@ -1,19 +1,19 @@ { - "Signatures": { - "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", - "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", - "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", - "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", - "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", - "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", - "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", - "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", - "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", - "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", - "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", - "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", - "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", - "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278", - "php-8.3.19.tar.xz": "976e4077dd25bec96b5dfe8938052d243bbd838f95368a204896eff12756545f" - } -} + "Signatures": { + "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", + "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", + "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", + "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", + "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", + "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", + "php-8.3.23.tar.xz": "08be64700f703bca6ff1284bf1fdaffa37ae1b9734b6559f8350248e8960a6db", + 
"php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", + "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", + "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", + "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", + "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", + "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", + "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", + "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278" + } +} \ No newline at end of file diff --git a/SPECS/php/php.spec b/SPECS/php/php.spec index 8a4c6b64a8..51f7b8f6f1 100644 --- a/SPECS/php/php.spec +++ b/SPECS/php/php.spec @@ -32,7 +32,7 @@ %global with_qdbm 0 Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 8.3.19 +Version: 8.3.23 Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -64,7 +64,7 @@ Source53: 20-ffi.ini # Build fixes Patch1: php-7.4.0-httpd.patch Patch5: php-7.2.0-includedir.patch -Patch6: php-8.0.0-embed.patch +Patch6: php-8.3.20-embed.patch Patch8: php-8.1.0-libdb.patch # Functional changes # Use system nikic/php-parser @@ -1514,6 +1514,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %dir %{_datadir}/php/preload %changelog +* Tue Jul 15 2025 Aninda Pradhan - 8.3.23-1 +- Upgrade to 8.3.23 to fix CVE-2025-1735, CVE-2025-6491, CVE-2025-1220 +- Fixed build issue by replacing php-8.0.0-embed.patch with php-8.3.20-embed.patch + * Sun Mar 30 2025 CBL-Mariner Servicing Account - 8.3.19-1 - Auto-upgrade to 8.3.19 - for CVE-2025-1217 CVE-2025-1219, CVE-2025-1736, CVE-2025-1861 diff --git a/SPECS/polkit/CVE-2025-7519.patch b/SPECS/polkit/CVE-2025-7519.patch new file mode 100644 index 0000000000..4488ff5d0a --- /dev/null 
+++ b/SPECS/polkit/CVE-2025-7519.patch @@ -0,0 +1,31 @@ +From 56e9d27e620a0f60d7490ebf3fc2766b39209a1c Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 17 Jul 2025 06:41:24 +0000 +Subject: [PATCH] Fix CVE CVE-2025-7519 in polkit + +Upstream Patch Reference: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245.patch +--- + src/polkitbackend/polkitbackendactionpool.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c +index 3894fe9..c9fa23e 100644 +--- a/src/polkitbackend/polkitbackendactionpool.c ++++ b/src/polkitbackend/polkitbackendactionpool.c +@@ -672,6 +672,12 @@ _start (void *data, const char *el, const char **attr) + guint num_attr; + ParserData *pd = data; + ++ if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH) ++ { ++ g_warning ("XML parsing reached max depth?"); ++ goto error; ++ } ++ + for (num_attr = 0; attr[num_attr] != NULL; num_attr++) + ; + +-- +2.45.3 + diff --git a/SPECS/polkit/polkit.spec b/SPECS/polkit/polkit.spec index c26f7c2701..4138bbdb77 100644 --- a/SPECS/polkit/polkit.spec +++ b/SPECS/polkit/polkit.spec @@ -1,12 +1,13 @@ Summary: A toolkit for defining and handling authorizations. Name: polkit Version: 123 -Release: 2%{?dist} +Release: 3%{?dist} Group: Applications/System Vendor: Microsoft Corporation License: GPLv2+ URL: https://gitlab.freedesktop.org/polkit/polkit Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/polkit-%{version}.tar.gz +Patch0: CVE-2025-7519.patch Distribution: Azure Linux BuildRequires: duktape-devel BuildRequires: expat-devel @@ -123,6 +124,9 @@ fi %changelog +* Thu Jul 17 2025 Azure Linux Security Servicing Account - 123-3 +- Patch for CVE-2025-7519 + * Thu Feb 01 2024 Dan Streetman - 123-2 - workaround "circular dependencies" from build tooling 
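Review bot: The depth guard added at the top of `_start` in `polkitbackendactionpool.c` has no comment saying what it protects, and its message `"XML parsing reached max depth?"` reads as a question rather than a rejection. A one-line comment above the `if` would help whoever next rebases this backport, e.g. `/* Refuse elements nested deeper than PARSER_MAX_DEPTH before pd->stack_depth is used as an index below. */`. That wording is an assumption, because the use of `stack_depth` as an index lies outside the hunk and should be confirmed against the full function. `_start` begins before and continues after the lines shown, so the position of the guard relative to the first push cannot be checked from here.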
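Review bot: In the `@@ -1,12 +1,13 @@` hunk of polkit.spec, `Patch0: CVE-2025-7519.patch` is the first `Patch` tag visible in the header, and the `%prep` section is outside the hunk. If `%prep` uses a plain `%setup` rather than `%autosetup -p1` or an explicit `%patch`, the build succeeds and the changelog claims the fix while the patch is never applied. Please confirm `%prep` applies it; if not, switch to `%autosetup -p1`. A build-log check that the patch was applied would also guard against this.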
diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json index 4bf458c305..8aa16d005f 100644 --- a/SPECS/postgresql/postgresql.signatures.json +++ b/SPECS/postgresql/postgresql.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { "postgresql.service": "2d209e10523c43e7011b4a85e9e32f5f5911a74a25012cdeaf5fdeb0a5664461", - "postgresql-16.7.tar.bz2": "62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe" + "postgresql-16.10.tar.bz2": "de8485f4ce9c32e3ddfeef0b7c261eed1cecb54c9bcd170e437ff454cb292b42" } } diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec index b807478485..1ee0f14d75 100644 --- a/SPECS/postgresql/postgresql.spec +++ b/SPECS/postgresql/postgresql.spec @@ -2,7 +2,7 @@ %define groupname postgres Summary: PostgreSQL database engine Name: postgresql -Version: 16.7 +Version: 16.10 Release: 1%{?dist} License: PostgreSQL Vendor: Microsoft Corporation @@ -243,6 +243,12 @@ fi %{_unitdir}/%{name}.service %changelog +* Mon Aug 18 2025 CBL-Mariner Servicing Account - 16.10-1 +- Auto-upgrade to 16.10 - for CVE-2025-8714, CVE-2025-8715, CVE-2025-8713 + +* Mon May 19 2025 CBL-Mariner Servicing Account - 16.9-1 +- Auto-upgrade to 16.9 - for CVE-2025-4207 + * Mon Feb 17 2025 CBL-Mariner Servicing Account - 16.7-1 - Auto-upgrade to 16.7 - to fix CVE-2025-1094 diff --git a/SPECS/prometheus/0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch b/SPECS/prometheus/0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch deleted file mode 100644 index ff60e55e2b..0000000000 --- a/SPECS/prometheus/0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 41bc1097c65a402355dc2b0b9402811a78389b63 Mon Sep 17 00:00:00 2001 -From: Dimitar Dimitrov -Date: Wed, 20 Sep 2023 17:41:33 +0200 -Subject: [PATCH] Fix exit condition of TestQuerierIndexQueriesRace - -The test was introduced in # but was changed during the code review and not reran with the faulty code since then. - -Closes # - -Signed-off-by: Dimitar Dimitrov ---- - tsdb/querier_test.go | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tsdb/querier_test.go b/tsdb/querier_test.go -index 8cfd5d141..2c5ff7477 100644 ---- a/tsdb/querier_test.go -+++ b/tsdb/querier_test.go -@@ -2248,7 +2248,7 @@ func TestQuerierIndexQueriesRace(t *testing.T) { - func appendSeries(t *testing.T, ctx context.Context, wg *sync.WaitGroup, h *Head) { - defer wg.Done() - -- for i := 0; ctx.Err() != nil; i++ { -+ for i := 0; ctx.Err() == nil; i++ { - app := h.Appender(context.Background()) - _, err := app.Append(0, labels.FromStrings(labels.MetricName, "metric", "n", strconv.Itoa(i), "m", "0"), 0, 0) - require.NoError(t, err) --- -2.33.8 - diff --git a/SPECS/prometheus/0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch b/SPECS/prometheus/0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch deleted file mode 100644 index 14be60ee22..0000000000 --- a/SPECS/prometheus/0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 0e66dc19b9f93c247dd938f8099626573df0e998 Mon Sep 17 00:00:00 2001 -From: Dimitar Dimitrov -Date: Thu, 21 Sep 2023 12:30:08 +0200 -Subject: [PATCH] Improve sensitivity of TestQuerierIndexQueriesRace - -Currently, the two goroutines race against each other and it's possible that the main test goroutine finishes way earlier than appendSeries has had a chance to run at all. - -I tested this change by breaking the code that X fixed and running the race test 100 times. Without the additional time.Sleep the test failed 11 times. With the sleep it failed 65 out of the 100 runs. Which is still not ideal, but it's a step forward. - -Signed-off-by: Dimitar Dimitrov ---- - tsdb/querier_test.go | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tsdb/querier_test.go b/tsdb/querier_test.go -index 2c5ff7477..4938443c2 100644 ---- a/tsdb/querier_test.go -+++ b/tsdb/querier_test.go -@@ -2221,6 +2221,7 @@ func TestQuerierIndexQueriesRace(t *testing.T) { - for _, c := range testCases { - c := c - t.Run(fmt.Sprintf("%v", c.matchers), func(t *testing.T) { -+ t.Parallel() - db := openTestDB(t, DefaultOptions(), nil) - h := db.Head() - t.Cleanup(func() { -@@ -2240,6 +2241,9 @@ func TestQuerierIndexQueriesRace(t *testing.T) { - values, _, err := q.LabelValues("n", c.matchers...) - require.NoError(t, err) - require.Emptyf(t, values, `label values for label "n" should be empty`) -+ -+ // Sleep to give the appends some change to run. -+ time.Sleep(time.Millisecond) - } - }) - } -@@ -2256,6 +2260,7 @@ func appendSeries(t *testing.T, ctx context.Context, wg *sync.WaitGroup, h *Head - require.NoError(t, err) - - // Throttle down the appends to keep the test somewhat nimble. -+ // Otherwise, we end up appending thousands or millions of samples. - time.Sleep(time.Millisecond) - } - } --- -2.33.8 - diff --git a/SPECS/prometheus/02-Default_settings.patch b/SPECS/prometheus/02-Default_settings.patch deleted file mode 100644 index fbe798aeed..0000000000 
--- a/SPECS/prometheus/02-Default_settings.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From: Martina Ferrari -Date: Sat, 20 Jun 2020 15:14:34 -0300 -Subject: Add default settings adapted for Debian. -Forwarded: not-needed ---- - cmd/prometheus/main.go | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/cmd/prometheus/main.go -+++ b/cmd/prometheus/main.go -@@ -232,7 +232,7 @@ func main() { - a.HelpFlag.Short('h') - - a.Flag("config.file", "Prometheus configuration file path."). -- Default("prometheus.yml").StringVar(&cfg.configFile) -+ Default("/etc/prometheus/prometheus.yml").StringVar(&cfg.configFile) - - a.Flag("web.listen-address", "Address to listen on for UI, API, and telemetry."). - Default("0.0.0.0:9090").StringVar(&cfg.web.ListenAddress) -@@ -254,7 +254,7 @@ func main() { - "Prefix for the internal routes of web endpoints. Defaults to path of --web.external-url."). - PlaceHolder("").StringVar(&cfg.web.RoutePrefix) - -- a.Flag("web.user-assets", "Path to static asset directory, available at /user."). -+ a.Flag("web.user-assets", "Path to user asset directory, available at /user."). - PlaceHolder("").StringVar(&cfg.web.UserAssetsPath) - - a.Flag("web.enable-lifecycle", "Enable shutdown and reload via HTTP request."). -@@ -267,10 +267,10 @@ func main() { - Default("false").BoolVar(&cfg.web.EnableRemoteWriteReceiver) - - a.Flag("web.console.templates", "Path to the console template directory, available at /consoles."). -- Default("consoles").StringVar(&cfg.web.ConsoleTemplatesPath) -+ Default("/etc/prometheus/consoles").StringVar(&cfg.web.ConsoleTemplatesPath) - - a.Flag("web.console.libraries", "Path to the console library directory."). -- Default("console_libraries").StringVar(&cfg.web.ConsoleLibrariesPath) -+ Default("/etc/prometheus/console_libraries").StringVar(&cfg.web.ConsoleLibrariesPath) - - a.Flag("web.page-title", "Document title of Prometheus instance."). 
- Default("Prometheus Time Series Collection and Processing Server").StringVar(&cfg.web.PageTitle) -@@ -279,7 +279,7 @@ func main() { - Default(".*").StringVar(&cfg.corsRegexString) - - serverOnlyFlag(a, "storage.tsdb.path", "Base path for metrics storage."). -- Default("data/").StringVar(&cfg.serverStoragePath) -+ Default("/var/lib/prometheus").StringVar(&cfg.serverStoragePath) - - serverOnlyFlag(a, "storage.tsdb.min-block-duration", "Minimum duration of a data block before being persisted. For use in testing."). - Hidden().Default("2h").SetValue(&cfg.tsdb.MinBlockDuration) diff --git a/SPECS/prometheus/CVE-2023-44487.patch b/SPECS/prometheus/CVE-2023-44487.patch deleted file mode 100644 index d8013e7d9f..0000000000 --- a/SPECS/prometheus/CVE-2023-44487.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From a0fd4b065528566eec54fe207aa5e3131babc378 Mon Sep 17 00:00:00 2001 -From: Monis Khan -Date: Sat, 7 Oct 2023 21:50:37 -0400 -Subject: [PATCH] Prevent rapid reset http2 DOS on API server - -This change fully addresses CVE-2023-44487 and CVE-2023-39325 for -the API server when the client is unauthenticated. - -The changes to util/runtime are required because otherwise a large -number of requests can get blocked on the time.Sleep calls. - -For unauthenticated clients (either via 401 or the anonymous user), -we simply no longer allow such clients to hold open http2 -connections. They can use http2, but with the performance of http1 -(with keep-alive disabled). - -Since this change has the potential to cause issues, the -UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to -remove this protection (it is enabled by default). For example, -when the API server is fronted by an L7 load balancer that is set up -to mitigate http2 attacks, unauthenticated clients could force -disable connection reuse between the load balancer and the API -server (many incoming connections could share the same backend -connection). An API server that is on a private network may opt to -disable this protection to prevent performance regressions for -unauthenticated clients. - -For all other clients, we rely on the golang.org/x/net fix in -https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd -That change is not sufficient to adequately protect against a -motivated client - future changes to Kube and/or golang.org/x/net -will be explored to address this gap. - -The Kube API server now uses a max stream of 100 instead of 250 -(this matches the Go http2 client default). This lowers the abuse -limit from 1000 to 400. 
- -Signed-off-by: Monis Khan - -Modified by: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> -- Adjust paths to apply to vendored code -- Remove references to runtime_test.go which isn't included in the AzL3 package source - -Kubernetes-commit: 800a8eaba7f25bd223fefe6e7613e39a5d7f1eeb ---- - vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go | 15 +++++++++------ - 1 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -index d738725ca..3674914f7 100644 ---- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -+++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go -@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct { - // OnError will block if it is called more often than the embedded period time. - // This will prevent overly tight hot error loops. - func (r *rudimentaryErrorBackoff) OnError(error) { -+ now := time.Now() // start the timer before acquiring the lock - r.lastErrorTimeLock.Lock() -- defer r.lastErrorTimeLock.Unlock() -- d := time.Since(r.lastErrorTime) -- if d < r.minPeriod { -- // If the time moves backwards for any reason, do nothing -- time.Sleep(r.minPeriod - d) -- } -+ d := now.Sub(r.lastErrorTime) - r.lastErrorTime = time.Now() -+ r.lastErrorTimeLock.Unlock() -+ -+ // Do not sleep with the lock held because that causes all callers of HandleError to block. -+ // We only want the current goroutine to block. -+ // A negative or zero duration causes time.Sleep to return immediately. -+ // If the time moves backwards for any reason, do nothing. -+ time.Sleep(r.minPeriod - d) - } - - // GetCaller returns the caller of the function that calls it. diff --git a/SPECS/prometheus/CVE-2023-45288.patch b/SPECS/prometheus/CVE-2023-45288.patch deleted file mode 100644 index 95295abb44..0000000000 --- a/SPECS/prometheus/CVE-2023-45288.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 10 Jan 2024 13:41:39 -0800 -Subject: [PATCH] http2: close connections when receiving too many headers - -Maintaining HPACK state requires that we parse and process -all HEADERS and CONTINUATION frames on a connection. -When a request's headers exceed MaxHeaderBytes, we don't -allocate memory to store the excess headers but we do -parse them. This permits an attacker to cause an HTTP/2 -endpoint to read arbitrary amounts of data, all associated -with a request which is going to be rejected. - -Set a limit on the amount of excess header frames we -will process before closing a connection. - -Thanks to Bartek Nowotarski for reporting this issue. - -Fixes CVE-2023-45288 -Fixes golang/go#65051 - -Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 -Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley -Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 -Reviewed-by: Dmitri Shuralyov -Auto-Submit: Dmitri Shuralyov -Reviewed-by: Than McIntosh -LUCI-TryBot-Result: Go LUCI ---- - vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go -index c1f6b90..175c154 100644 ---- a/vendor/golang.org/x/net/http2/frame.go -+++ b/vendor/golang.org/x/net/http2/frame.go -@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { - if size > remainSize { - hdec.SetEmitEnabled(false) - mh.Truncated = true -+ remainSize = 0 - return - } - remainSize -= size -@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { - var hc headersOrContinuation = hf - for { - frag := hc.HeaderBlockFragment() -+ -+ // Avoid parsing large amounts of headers that 
we will then discard. -+ // If the sender exceeds the max header list size by too much, -+ // skip parsing the fragment and close the connection. -+ // -+ // "Too much" is either any CONTINUATION frame after we've already -+ // exceeded the max header list size (in which case remainSize is 0), -+ // or a frame whose encoded size is more than twice the remaining -+ // header list bytes we're willing to accept. -+ if int64(len(frag)) > int64(2*remainSize) { -+ if VerboseLogs { -+ log.Printf("http2: header list too large") -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ -+ // Also close the connection after any CONTINUATION frame following an -+ // invalid header, since we stop tracking the size of the headers after -+ // an invalid one. -+ if invalid != nil { -+ if VerboseLogs { -+ log.Printf("http2: invalid header: %v", invalid) -+ } -+ // It would be nice to send a RST_STREAM before sending the GOAWAY, -+ // but the struture of the server's frame writer makes this difficult. -+ return nil, ConnectionError(ErrCodeProtocol) -+ } -+ - if _, err := hdec.Write(frag); err != nil { - return nil, ConnectionError(ErrCodeCompression) - } --- -2.44.0 - diff --git a/SPECS/prometheus/CVE-2024-24786.patch b/SPECS/prometheus/CVE-2024-24786.patch deleted file mode 100644 index 6c80204f5b..0000000000 --- a/SPECS/prometheus/CVE-2024-24786.patch +++ /dev/null 
@@ -1,152 +0,0 @@
-From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
-From: bala
-Date: Mon, 25 Nov 2024 16:47:53 +0000
-Subject: [PATCH] Vendor patch applied
-
----
- .../protobuf/encoding/protojson/decode.go | 12 ++++
- .../encoding/protojson/well_known_types.go | 59 +++++++------------
- .../protobuf/internal/encoding/json/decode.go | 2 +-
- 3 files changed, 33 insertions(+), 40 deletions(-)
-
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-index 5f28148..67fe4e7 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-@@ -11,6 +11,7 @@ import (
- "strconv"
- "strings"
-
-+ "google.golang.org/protobuf/encoding/protowire"
- "google.golang.org/protobuf/internal/encoding/json"
- "google.golang.org/protobuf/internal/encoding/messageset"
- "google.golang.org/protobuf/internal/errors"
-@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
- protoregistry.MessageTypeResolver
- protoregistry.ExtensionTypeResolver
- }
-+
-+ // RecursionLimit limits how deeply messages may be nested.
-+ // If zero, a default limit is applied.
-+ RecursionLimit int
- }
-
- // Unmarshal reads the given []byte and populates the given proto.Message
-@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
- if o.Resolver == nil {
- o.Resolver = protoregistry.GlobalTypes
- }
-+ if o.RecursionLimit == 0 {
-+ o.RecursionLimit = protowire.DefaultRecursionLimit
-+ }
-
- dec := decoder{json.NewDecoder(b), o}
- if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
-@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
-
- // unmarshalMessage unmarshals a message into the given protoreflect.Message.
- func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
-+ d.opts.RecursionLimit--
-+ if d.opts.RecursionLimit < 0 {
-+ return errors.New("exceeded max recursion depth")
-+ }
- if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
- return unmarshal(d, m)
- }
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-index 6c37d41..4b177c8 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
- // Use another decoder to parse the unread bytes for @type field. This
- // avoids advancing a read from current decoder because the current JSON
- // object may contain the fields of the embedded type.
-- dec := decoder{d.Clone(), UnmarshalOptions{}}
-+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
- tok, err := findTypeURL(dec)
- switch err {
- case errEmptyObject:
-@@ -308,48 +308,29 @@ Loop:
- // array) in order to advance the read to the next JSON value. It relies on
- // the decoder returning an error if the types are not in valid sequence.
- func (d decoder) skipJSONValue() error {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- // Only need to continue reading for objects and arrays.
-- switch tok.Kind() {
-- case json.ObjectOpen:
-- for {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ObjectClose:
-- return nil
-- case json.Name:
-- // Skip object field value.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-- }
-+ var open int
-+ for {
-+ tok, err := d.Read()
-+ if err != nil {
-+ return err
- }
--
-- case json.ArrayOpen:
-- for {
-- tok, err := d.Peek()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ArrayClose:
-- d.Read()
-- return nil
-- default:
-- // Skip array item.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-+ switch tok.Kind() {
-+ case json.ObjectClose, json.ArrayClose:
-+ open--
-+ case json.ObjectOpen, json.ArrayOpen:
-+ open++
-+ if open > d.opts.RecursionLimit {
-+ return errors.New("exceeded max recursion depth")
- }
-+ case json.EOF:
-+ // This can only happen if there's a bug in Decoder.Read.
-+ // Avoid an infinite loop if this does happen.
-+ return errors.New("unexpected EOF")
-+ }
-+ if open == 0 {
-+ return nil
- }
- }
-- return nil
- }
-
- // unmarshalAnyValue unmarshals the given custom-type message from the JSON
-diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-index d043a6e..d2b3ac0 100644
---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
-
- case ObjectClose:
- if len(d.openStack) == 0 ||
-- d.lastToken.kind == comma ||
-+ d.lastToken.kind&(Name|comma) != 0 ||
- d.openStack[len(d.openStack)-1] != ObjectOpen {
- return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
- }
---
-2.39.4
-
diff --git a/SPECS/prometheus/CVE-2024-35255.patch b/SPECS/prometheus/CVE-2024-35255.patch
deleted file mode 100644
index b9b599f9d3..0000000000
--- a/SPECS/prometheus/CVE-2024-35255.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 8fa19b4611b944daef768c89ef0f9771a743c163 Mon Sep 17 00:00:00 2001
-From: Mayank Singh
-Date: Fri, 28 Feb 2025 08:49:40 +0000
-Subject: [PATCH] Address CVE-2024-35255
-Upstream Reference Link: https://github.com/microsoft/azurelinux/commit/4cb64e8195ad11547d887025b28b04737f330b92
-
----
- .../sdk/azidentity/managed_identity_client.go | 66 ++++++++++++++-----
- 1 file changed, 49 insertions(+), 17 deletions(-)
-
-diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
-index c9b72663..7fc16e7f 100644
---- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
-+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
-@@ -14,13 +14,15 @@ import (
- "net/http"
- "net/url"
- "os"
-+ "path/filepath"
-+ "runtime"
- "strconv"
- "strings"
- "time"
-
- "github.com/Azure/azure-sdk-for-go/sdk/azcore"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-- "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
-+ azruntime "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming"
- "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
- "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
-@@ -55,13 +57,29 @@ const (
- // managedIdentityClient provides the base for authenticating in managed identity environments
- // This type includes an runtime.Pipeline and TokenCredentialOptions.
- type managedIdentityClient struct {
-- pipeline runtime.Pipeline
-+ pipeline azruntime.Pipeline
- msiType msiType
- endpoint string
- id ManagedIDKind
- imdsTimeout time.Duration
- }
-
-+// arcKeyDirectory returns the directory expected to contain Azure Arc keys
-+var arcKeyDirectory = func() (string, error) {
-+ switch runtime.GOOS {
-+ case "linux":
-+ return "/var/opt/azcmagent/tokens", nil
-+ case "windows":
-+ pd := os.Getenv("ProgramData")
-+ if pd == "" {
-+ return "", errors.New("environment variable ProgramData has no value")
-+ }
-+ return filepath.Join(pd, "AzureConnectedMachineAgent", "Tokens"), nil
-+ default:
-+ return "", fmt.Errorf("unsupported OS %q", runtime.GOOS)
-+ }
-+}
-+
- type wrappedNumber json.Number
-
- func (n *wrappedNumber) UnmarshalJSON(b []byte) error {
-@@ -140,7 +158,7 @@ func newManagedIdentityClient(options *ManagedIdentityCredentialOptions) (*manag
- } else {
- setIMDSRetryOptionDefaults(&cp.Retry)
- }
-- c.pipeline = runtime.NewPipeline(component, version, runtime.PipelineOptions{}, &cp)
-+ c.pipeline = azruntime.NewPipeline(component, version, azruntime.PipelineOptions{}, &cp)
-
- if log.Should(EventAuthentication) {
- log.Writef(EventAuthentication, "Managed Identity Credential will use %s managed identity", env)
-@@ -184,7 +202,7 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
- // got a response, remove the IMDS timeout so future requests use the transport's configuration
- c.imdsTimeout = 0
-
-- if runtime.HasStatusCode(resp, http.StatusOK, http.StatusCreated) {
-+ if azruntime.HasStatusCode(resp, http.StatusOK, http.StatusCreated) {
- return c.createAccessToken(resp)
- }
-
-@@ -206,7 +224,7 @@ func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.Ac
- ExpiresIn wrappedNumber `json:"expires_in,omitempty"` // this field should always return the number of seconds for which a token is valid
- ExpiresOn interface{} `json:"expires_on,omitempty"` // the value returned in this field varies between a number and a date string
- }{}
-- if err := runtime.UnmarshalAsJSON(res, &value); err != nil {
-+ if err := azruntime.UnmarshalAsJSON(res, &value); err != nil {
- return azcore.AccessToken{}, fmt.Errorf("internal AccessToken: %v", err)
- }
- if value.ExpiresIn != "" {
-@@ -254,7 +272,7 @@ func (c *managedIdentityClient) createAuthRequest(ctx context.Context, id Manage
- }
-
- func (c *managedIdentityClient) createIMDSAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
-- request, err := runtime.NewRequest(ctx, http.MethodGet, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodGet, c.endpoint)
- if err != nil {
- return nil, err
- }
-@@ -274,7 +292,7 @@ func (c *managedIdentityClient) createIMDSAuthRequest(ctx context.Context, id Ma
- }
-
- func (c *managedIdentityClient) createAppServiceAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
-- request, err := runtime.NewRequest(ctx, http.MethodGet, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodGet, c.endpoint)
- if err != nil {
- return nil, err
- }
-@@ -294,7 +312,7 @@ func (c *managedIdentityClient) createAppServiceAuthRequest(ctx context.Context,
- }
-
- func (c *managedIdentityClient) createServiceFabricAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
-- request, err := runtime.NewRequest(ctx, http.MethodGet, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodGet, c.endpoint)
- if err != nil {
- return nil, err
- }
-@@ -317,7 +335,7 @@ func (c *managedIdentityClient) createServiceFabricAuthRequest(ctx context.Conte
-
- func (c *managedIdentityClient) getAzureArcSecretKey(ctx context.Context, resources []string) (string, error) {
- // create the request to retreive the secret key challenge provided by the HIMDS service
-- request, err := runtime.NewRequest(ctx, http.MethodGet, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodGet, c.endpoint)
- if err != nil {
- return "", err
- }
-@@ -339,22 +357,36 @@ func (c *managedIdentityClient) getAzureArcSecretKey(ctx context.Context, resour
- }
- header := response.Header.Get("WWW-Authenticate")
- if len(header) == 0 {
-- return "", errors.New("did not receive a value from WWW-Authenticate header")
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, "HIMDS response has no WWW-Authenticate header", nil)
- }
- // the WWW-Authenticate header is expected in the following format: Basic realm=/some/file/path.key
-- pos := strings.LastIndex(header, "=")
-- if pos == -1 {
-- return "", fmt.Errorf("did not receive a correct value from WWW-Authenticate header: %s", header)
-+ _, p, found := strings.Cut(header, "=")
-+ if !found {
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, "unexpected WWW-Authenticate header from HIMDS: "+header, nil)
-+ }
-+ expected, err := arcKeyDirectory()
-+ if err != nil {
-+ return "", err
-+ }
-+ if filepath.Dir(p) != expected || !strings.HasSuffix(p, ".key") {
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, "unexpected file path from HIMDS service: "+p, nil)
-+ }
-+ f, err := os.Stat(p)
-+ if err != nil {
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, fmt.Sprintf("could not stat %q: %v", p, err), nil)
-+ }
-+ if s := f.Size(); s > 4096 {
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, fmt.Sprintf("key is too large (%d bytes)", s), nil)
- }
-- key, err := os.ReadFile(header[pos+1:])
-+ key, err := os.ReadFile(p)
- if err != nil {
-- return "", fmt.Errorf("could not read file (%s) contents: %v", header[pos+1:], err)
-+ return "", newAuthenticationFailedError(credNameManagedIdentity, fmt.Sprintf("could not read %q: %v", p, err), nil)
- }
- return string(key), nil
- }
-
- func (c *managedIdentityClient) createAzureArcAuthRequest(ctx context.Context, id ManagedIDKind, resources []string, key string) (*policy.Request, error) {
-- request, err := runtime.NewRequest(ctx, http.MethodGet, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodGet, c.endpoint)
- if err != nil {
- return nil, err
- }
-@@ -376,7 +408,7 @@ func (c *managedIdentityClient) createAzureArcAuthRequest(ctx context.Context, i
- }
-
- func (c *managedIdentityClient) createCloudShellAuthRequest(ctx context.Context, id ManagedIDKind, scopes []string) (*policy.Request, error) {
-- request, err := runtime.NewRequest(ctx, http.MethodPost, c.endpoint)
-+ request, err := azruntime.NewRequest(ctx, http.MethodPost, c.endpoint)
- if err != nil {
- return nil, err
- }
---
-2.45.3
-
diff --git a/SPECS/prometheus/CVE-2024-51744.patch b/SPECS/prometheus/CVE-2024-51744.patch
deleted file mode 100644
index 1f98666ae0..0000000000
--- a/SPECS/prometheus/CVE-2024-51744.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 2b1e1d0f9e8d12b297996b6aea71156794844a3e Mon Sep 17 00:00:00 2001
-From: Sreenivasulu Malavathula
-Date: Thu, 3 Apr 2025 12:41:39 -0500
-Subject: [PATCH] Address CVE-2024-51744
-Upstream Patch Reference: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
-
----
- vendor/github.com/golang-jwt/jwt/v4/parser.go | 41 +++++++++----------
- 1 file changed, 20 insertions(+), 21 deletions(-)
-
-diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-index 8e7e67c4..0fc510a0 100644
---- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
-+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-@@ -38,19 +38,21 @@ func NewParser(options ...ParserOption) *Parser {
- return p
- }
-
--// Parse parses, validates, verifies the signature and returns the parsed token.
--// keyFunc will receive the parsed token and should return the key for validating.
-+// Parse parses, validates, verifies the signature and returns the parsed token. keyFunc will
-+// receive the parsed token and should return the key for validating.
- func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
- return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
- }
-
--// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
--// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
--// than the default MapClaims implementation of Claims.
-+// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object
-+// implementing the Claims interface. This provides default values which can be overridden and
-+// allows a caller to use their own type, rather than the default MapClaims implementation of
-+// Claims.
- //
--// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
--// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
--// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
-+// Note: If you provide a custom claim implementation that embeds one of the standard claims (such
-+// as RegisteredClaims), make sure that a) you either embed a non-pointer version of the claims or
-+// b) if you are using a pointer, allocate the proper memory for it before passing in the overall
-+// claims, otherwise you might run into a panic.
- func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
- token, parts, err := p.ParseUnverified(tokenString, claims)
- if err != nil {
-@@ -87,12 +89,17 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
- }
-
-+ // Perform validation
-+ token.Signature = parts[2]
-+ if err := token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
-+ return token, &ValidationError{Inner: err, Errors: ValidationErrorSignatureInvalid}
-+ }
-+
- vErr := &ValidationError{}
-
- // Validate Claims
- if !p.SkipClaimsValidation {
- if err := token.Claims.Valid(); err != nil {
--
- // If the Claims Valid returned an error, check if it is a validation error,
- // If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
- if e, ok := err.(*ValidationError); !ok {
-@@ -100,22 +107,14 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- } else {
- vErr = e
- }
-+ return token, vErr
- }
- }
-
-- // Perform validation
-- token.Signature = parts[2]
-- if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
-- vErr.Inner = err
-- vErr.Errors |= ValidationErrorSignatureInvalid
-- }
--
-- if vErr.valid() {
-- token.Valid = true
-- return token, nil
-- }
-+ // No errors so far, token is valid.
-+ token.Valid = true
-
-- return token, vErr
-+ return token, nil
- }
-
- // ParseUnverified parses the token but doesn't validate the signature.
---
-2.45.2
-
diff --git a/SPECS/prometheus/CVE-2024-6104.patch b/SPECS/prometheus/CVE-2024-6104.patch
deleted file mode 100644
index 13d9518bc9..0000000000
--- a/SPECS/prometheus/CVE-2024-6104.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 3092822936979ff70b133650af0bf1742b1c0a5e Mon Sep 17 00:00:00 2001
-From: Balakumaran Kannan
-Date: Fri, 2 Aug 2024 07:38:20 +0000
-Subject: [PATCH] Patch CVE-2024-6104
-
----
- .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-index f40d241..6e347eb 100644
---- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
-+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
-@@ -584,9 +584,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- if logger != nil {
- switch v := logger.(type) {
- case LeveledLogger:
-- v.Debug("performing request", "method", req.Method, "url", req.URL)
-+ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
- case Logger:
-- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
-+ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
- }
- }
-
-@@ -641,9 +641,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- if err != nil {
- switch v := logger.(type) {
- case LeveledLogger:
-- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
-+ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
- case Logger:
-- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
-+ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
- }
- } else {
- // Call this here to maintain the behavior of logging all requests,
-@@ -679,7 +679,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
-
- wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
- if logger != nil {
-- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
-+ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
- if resp != nil {
- desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
- }
-@@ -735,11 +735,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
- // communicate why
- if err == nil {
- return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
-- req.Method, req.URL, attempt)
-+ req.Method, redactURL(req.URL), attempt)
- }
-
- return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
-- req.Method, req.URL, attempt, err)
-+ req.Method, redactURL(req.URL), attempt, err)
- }
-
- // Try to read the response body so we can reuse this connection.
-@@ -820,3 +820,17 @@ func (c *Client) StandardClient() *http.Client {
- Transport: &RoundTripper{Client: c},
- }
- }
-+
-+
-+// Taken from url.URL#Redacted() which was introduced in go 1.15.
-+func redactURL(u *url.URL) string {
-+ if u == nil {
-+ return ""
-+ }
-+
-+ ru := *u
-+ if _, has := ru.User.Password(); has {
-+ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
-+ }
-+ return ru.String()
-+}
---
-2.33.8
-
diff --git a/SPECS/prometheus/CVE-2025-22868.patch b/SPECS/prometheus/CVE-2025-22868.patch
deleted file mode 100644
index 5a7a211469..0000000000
--- a/SPECS/prometheus/CVE-2025-22868.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Thu, 30 Jan 2025 14:10:09 -0500
-Subject: [PATCH] jws: split token into fixed number of parts
-
-Thanks to 'jub0bs' for reporting this issue.
-
-Fixes #71490
-Fixes CVE-2025-22868
-
-Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
-Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
-Auto-Submit: Gopher Robot
-Reviewed-by: Damien Neil
-Reviewed-by: Roland Shoemaker
-LUCI-TryBot-Result: Go LUCI
----
- vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
-index 95015648b..6f03a49d3 100644
---- a/vendor/golang.org/x/oauth2/jws/jws.go
-+++ b/vendor/golang.org/x/oauth2/jws/jws.go
-@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
- // Verify tests whether the provided JWT token's signature was produced by the private key
- // associated with the supplied public key.
- func Verify(token string, key *rsa.PublicKey) error {
-- parts := strings.Split(token, ".")
-- if len(parts) != 3 {
-+ if strings.Count(token, ".") != 2 {
- return errors.New("jws: invalid token received, token must have 3 parts")
- }
-
-+ parts := strings.SplitN(token, ".", 3)
- signedContent := parts[0] + "." + parts[1]
- signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
- if err != nil {
diff --git a/SPECS/prometheus/CVE-2025-22870.patch b/SPECS/prometheus/CVE-2025-22870.patch
deleted file mode 100644
index ccdf41a279..0000000000
--- a/SPECS/prometheus/CVE-2025-22870.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 31238fb0b1b52a54942f9766fde5067ffa078320 Mon Sep 17 00:00:00 2001
-From: Sreenivasulu Malavathula
-Date: Thu, 3 Apr 2025 12:36:33 -0500
-Subject: [PATCH] Address CVE-2025-22870
-Upstream Patch Reference: https://github.com/golang/go/commit/25177ecde0922c50753c043579d17828b7ee88e7
-
----
- vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go
-index c3bd9a1e..864961c7 100644
---- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
-+++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
-@@ -14,6 +14,7 @@ import (
- "errors"
- "fmt"
- "net"
-+ "net/netip"
- "net/url"
- "os"
- "strings"
-@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
- if host == "localhost" {
- return false
- }
-- ip := net.ParseIP(host)
-- if ip != nil {
-+ nip, err := netip.ParseAddr(host)
-+ var ip net.IP
-+ if err == nil {
-+ ip = net.IP(nip.AsSlice())
- if ip.IsLoopback() {
- return false
- }
-@@ -363,6 +366,9 @@ type domainMatch struct {
- }
-
- func (m domainMatch) match(host, port string, ip net.IP) bool {
-+ if ip != nil {
-+ return false
-+ }
- if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
- return m.port == "" || m.port == port
- }
---
-2.45.2
-
diff --git a/SPECS/prometheus/CVE-2025-30204.patch b/SPECS/prometheus/CVE-2025-30204.patch
deleted file mode 100644
index b4bfb7aefa..0000000000
--- a/SPECS/prometheus/CVE-2025-30204.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 5dc62bf02f675d71ba521c6ae2a502474a0f351b Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Mar 2025 21:58:44 +0000
-Subject: [PATCH] CVE-2025-30204
-
-Upstream Patch Reference : v4: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84
-
----
- vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++++++++---
- 1 file changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-index c0a6f69..8e7e67c 100644
---- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
-+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
-@@ -7,6 +7,8 @@ import (
- "strings"
- )
-
-+const tokenDelimiter = "."
-+
- type Parser struct {
- // If populated, only these methods will be considered valid.
- //
-@@ -123,9 +125,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
- // It's only ever useful in cases where you know the signature is valid (because it has
- // been checked previously in the stack) and you want to extract values from it.
- func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
-- parts = strings.Split(tokenString, ".")
-- if len(parts) != 3 {
-- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
-+ var ok bool
-+ parts, ok = splitToken(tokenString)
-+ if !ok {
-+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
- }
-
- token = &Token{Raw: tokenString}
-@@ -175,3 +178,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
-
- return token, parts, nil
- }
-+
-+// splitToken splits a token string into three parts: header, claims, and signature. It will only
-+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
-+// will return nil parts and false.
-+func splitToken(token string) ([]string, bool) {
-+ parts := make([]string, 3)
-+ header, remain, ok := strings.Cut(token, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[0] = header
-+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
-+ if !ok {
-+ return nil, false
-+ }
-+ parts[1] = claims
-+ // One more cut to ensure the signature is the last part of the token and there are no more
-+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
-+ // causing unecessary overhead parsing tokens.
-+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
-+ if unexpected {
-+ return nil, false
-+ }
-+ parts[2] = signature
-+
-+ return parts, true
-+}
---
-2.45.2
-
diff --git a/SPECS/prometheus/generate_source_tarball.sh b/SPECS/prometheus/generate_source_tarball.sh
deleted file mode 100755
index bcdbdfd7a2..0000000000
--- a/SPECS/prometheus/generate_source_tarball.sh
+++ /dev/null
@@ -1,143 +0,0 @@ -#!/bin/bash - -# The flow of this script is as such: -# 1. Download prometheus tarball to a temp working directory and extract it. -# 2. Parse prometheus's Makefile.common and grep the promu version from it. -# 3. Make a temp subfolder for the promu vendor cache. -# 4. Download promu & extract it, then build it with `make build`. Then save the go vendor cache. -# 5. Copy the vendor folder from promu to our temp subfolder, then delete the built promu & extract the source tarball again. -# 6. Copy the vendor folder back into the extract promu folder and remove the temp subfolder. -# 7. Reinitialize the temp subfolder and switch back to prometheus. We modify web/ui to add an npm cache, and we modify Makefile.common's promu build to use our local tarball instead of the remote prom. -# 8. Then we run make build on prometheus, and save the go vendor cache after that. -# 9. We copy our npm cache and go vendor cache to the temp subfolder & remove our built prometheus. We re-extract the source tarball and copy the npm cache & go vendor cache into prometheus. -# 10. Make some changes to Makefile.common again and compress our custom prometheus and promu folders into their respective tarballs. -# 11. 
Print SHA256 of prometheus and promu tarballs - -set -e - -SRC_TARBALL="" -OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -PKG_VERSION="" - -# parameters: -# -# --srcTarball : src tarball file -# this file contains the 'initial' source code of the component -# and should be replaced with the new/modified src code -# --outFolder : folder where to copy the new tarball(s) -# --pkgVersion : package version -# -PARAMS="" -while (( "$#" )); do - case "$1" in - --srcTarball) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - SRC_TARBALL=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - --outFolder) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - OUT_FOLDER=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - --pkgVersion) - if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then - PKG_VERSION=$2 - shift 2 - else - echo "Error: Argument for $1 is missing" >&2 - exit 1 - fi - ;; - -*|--*=) # unsupported flags - echo "Error: Unsupported flag $1" >&2 - exit 1 - ;; - *) # preserve positional arguments - PARAMS="$PARAMS $1" - shift - ;; - esac -done - -echo "--srcTarball -> $SRC_TARBALL" -echo "--outFolder -> $OUT_FOLDER" -echo "--pkgVersion -> $PKG_VERSION" - -if [ -z "$PKG_VERSION" ]; then - echo "--pkgVersion parameter cannot be empty" - exit 1 -fi - -echo "-- create temp folder" -TEMPDIR=$(mktemp -d) -function cleanup { - echo "+++ cleanup -> remove $TEMPDIR" - rm -rf $TEMPDIR -} -trap cleanup EXIT - -echo "Starting Prometheus source tarball creation" -PROMETHEUS_VERSION=$PKG_VERSION -PROMETHEUS_URL="https://github.com/prometheus/prometheus/archive/refs/tags/v$PROMETHEUS_VERSION.tar.gz" - -cd "$TEMPDIR" -wget -c $PROMETHEUS_URL -O "prometheus-$PROMETHEUS_VERSION.tar.gz" -tar -xzf "prometheus-$PROMETHEUS_VERSION.tar.gz" -#PROMU_VERSION is found in prometheus-$PROMETHEUS_VERSION/Makefile.common -PROMU_VERSION=$(cat "prometheus-$PROMETHEUS_VERSION/Makefile.common" | grep "PROMU_VERSION ?= " | cut -d' ' 
-f3) -PROMU_URL="https://github.com/prometheus/promu/archive/refs/tags/v$PROMU_VERSION.tar.gz" -mkdir temp_vendor -wget -c $PROMU_URL -O "promu-$PROMU_VERSION.tar.gz" -tar -xzf "promu-$PROMU_VERSION.tar.gz" - -cd "promu-$PROMU_VERSION" -make build -go mod vendor -cp -r vendor "$TEMPDIR/temp_vendor" - -cd "$TEMPDIR" -rm -rf "promu-$PROMU_VERSION" -tar -xzf "promu-$PROMU_VERSION.tar.gz" -cp -r "temp_vendor/vendor" "promu-$PROMU_VERSION" -rm -rf "temp_vendor" - -echo "cache=.npm_cache" > "prometheus-$PROMETHEUS_VERSION/web/ui/.npmrc" -sed -i "s/\$(eval PROMU_TMP := \$(shell mktemp -d))/cd ..\/promu-\$(PROMU_VERSION)/g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/curl -s -L \$(PROMU_URL) | tar -xvzf - -C \$(PROMU_TMP)/make build/g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/cp \$(PROMU_TMP)\/promu-\$(PROMU_VERSION).\$(GO_BUILD_PLATFORM)\/promu/cp promu-\$(PROMU_VERSION)/g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/rm -r \$(PROMU_TMP)//g" prometheus-$PROMETHEUS_VERSION/Makefile.common - -mkdir temp_vendor -cd "prometheus-$PROMETHEUS_VERSION" -make build -go mod vendor - -cd "$TEMPDIR" -cp -r "prometheus-$PROMETHEUS_VERSION/vendor" temp_vendor -cp "prometheus-$PROMETHEUS_VERSION/web/ui/.npmrc" temp_vendor -cp -r "prometheus-$PROMETHEUS_VERSION/web/ui/.npm_cache" temp_vendor -rm -rf "prometheus-$PROMETHEUS_VERSION" -tar -xzf "prometheus-$PROMETHEUS_VERSION.tar.gz" -cp -r "temp_vendor/vendor" "prometheus-$PROMETHEUS_VERSION" -cp "temp_vendor/.npmrc" "prometheus-$PROMETHEUS_VERSION/web/ui" -cp -r "temp_vendor/.npm_cache" "prometheus-$PROMETHEUS_VERSION/web/ui" -rm -rf "temp_vendor" - -sed -i "s/\$(eval PROMU_TMP := \$(shell mktemp -d))/cd ..\/promu-\$(PROMU_VERSION)/g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/curl -s -L \$(PROMU_URL) | tar -xvzf - -C \$(PROMU_TMP)//g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/cp \$(PROMU_TMP)\/promu-\$(PROMU_VERSION).\$(GO_BUILD_PLATFORM)\/promu/cp 
promu-\$(PROMU_VERSION)/g" prometheus-$PROMETHEUS_VERSION/Makefile.common -sed -i "s/rm -r \$(PROMU_TMP)//g" prometheus-$PROMETHEUS_VERSION/Makefile.common - -tar -czf "$OUT_FOLDER/prometheus-$PROMETHEUS_VERSION.tar.gz" prometheus-$PROMETHEUS_VERSION -tar -czf "$OUT_FOLDER/promu-$PROMU_VERSION.tar.gz" promu-$PROMU_VERSION - -echo "Source tarball $OUT_FOLDER/prometheus-$PROMETHEUS_VERSION.tar.gz successfully created!" \ No newline at end of file diff --git a/SPECS/prometheus/prometheus.conf b/SPECS/prometheus/prometheus.conf deleted file mode 100644 index e7a3d6bf47..0000000000 --- a/SPECS/prometheus/prometheus.conf +++ /dev/null @@ -1,5 +0,0 @@ -#Type Name ID GECOS Home directory -u prometheus - Prometheus /var/lib/prometheus -g prometheus - -m prometheus prometheus -r - 500-900 diff --git a/SPECS/prometheus/prometheus.logrotate b/SPECS/prometheus/prometheus.logrotate deleted file mode 100644 index 40d373f1de..0000000000 --- a/SPECS/prometheus/prometheus.logrotate +++ /dev/null @@ -1,9 +0,0 @@ -/var/log/prometheus/prometheus.log { - weekly - rotate 10 - copytruncate - compress - delaycompress - notifempty - missingok -} diff --git a/SPECS/prometheus/prometheus.service b/SPECS/prometheus/prometheus.service deleted file mode 100644 index 5b391b3ebb..0000000000 --- a/SPECS/prometheus/prometheus.service +++ /dev/null 
@@ -1,23 +0,0 @@ -[Unit] -Description=Prometheus service monitoring system and time series database -Documentation=https://prometheus.io/docs/introduction/overview/ man:prometheus(1) -Wants=network-online.target -After=network-online.target - -[Service] -Restart=on-failure -EnvironmentFile=/etc/sysconfig/prometheus -User=prometheus -Group=prometheus -ExecStart=/usr/bin/prometheus \ - --config.file=${CONFIG_FILE} \ - --storage.tsdb.path=${STORAGE_TSDB_PATH} \ - --web.console.libraries=${WEB_CONSOLE_LIBRARIES_PATH} \ - --web.console.templates=${WEB_CONSOLE_TEMPLATES_PATH} \ - --web.listen-address=${WEB_LISTEN_ADDRESS} -ExecReload=/bin/kill -HUP $MAINPID -TimeoutStopSec=20s -SendSIGKILL=no - -[Install] -WantedBy=multi-user.target diff --git a/SPECS/prometheus/prometheus.signatures.json b/SPECS/prometheus/prometheus.signatures.json deleted file mode 100644 index 9e7fd8523f..0000000000 --- a/SPECS/prometheus/prometheus.signatures.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "Signatures": { - "prometheus-2.45.4.tar.gz": "c2440fd3cce8fcf3987691357bedd4470255492f4dfe2b24cdd25d8168d469b5", - "prometheus.conf": "ce522e82dfb2945c520b482b15b5cf591364f7a571f0f28259b64dbeda42b043", - "prometheus.logrotate": "061b92500cd40fcaaf486ff488bcf1b09eac6743d8e840ba6966dc70d4e2067b", - "prometheus.service": "29bf1c886e1d55080e859f2afe112bb7344490e6992e946efe3360fd94d1a604", - "prometheus.sysconfig": "ec89a45641e3411478794106246aa91e7b72f86070a28a4782e3b8be955e4587", - "prometheus.yml": "0112e0bf54660c5e2391fff11a56404a25684c588caa7281677f7f8e19da6f28", - "promu-0.14.0.tar.gz": "d71d2a0d54093f3f17dc406d7a5825b6d6acd304cd90d9c60ed3f1335fb6ed2a" - } -} diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec deleted file mode 100644 index 9a1c8d0b04..0000000000 --- a/SPECS/prometheus/prometheus.spec +++ /dev/null 
@@ -1,365 +0,0 @@ -# When upgrading Prometheus, run `./generate_source_tarball.sh --pkgVersion ` -# The script will spit out custom tarballs for `prometheus` and `promu` (More details in the script) -%global promu_version 0.14.0 -Summary: Prometheus monitoring system and time series database -Name: prometheus -Version: 2.45.4 -Release: 13%{?dist} -License: Apache-2.0 -Vendor: Microsoft Corporation -Distribution: Azure Linux -URL: https://github.com/prometheus/prometheus -Source0: https://github.com/prometheus/prometheus/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source1: prometheus.service -Source2: prometheus.sysconfig -Source3: prometheus.yml -Source4: prometheus.conf -Source5: prometheus.logrotate -Source6: promu-%{promu_version}.tar.gz -# Debian patch for default settings -Patch0: 02-Default_settings.patch -Patch1: CVE-2023-45288.patch -Patch2: CVE-2024-6104.patch -Patch3: CVE-2024-24786.patch -Patch4: CVE-2023-44487.patch -Patch5: CVE-2025-22868.patch -Patch6: CVE-2025-30204.patch -Patch7: 0001-Fix-exit-condition-of-TestQuerierIndexQueriesRace.patch -Patch8: 0002-Improve-sensitivity-of-TestQuerierIndexQueriesRace.patch -Patch9: CVE-2024-35255.patch -Patch10: CVE-2025-22870.patch -Patch11: CVE-2024-51744.patch - -BuildRequires: golang -BuildRequires: nodejs -BuildRequires: nodejs-npm -BuildRequires: systemd-rpm-macros -Requires(pre): %{_bindir}/systemd-sysusers - -%description -The Prometheus monitoring system and time series database - -%package docs -Summary: prometheus docs -Requires: %{name} = %{version}-%{release} - -%description docs -Documentation for prometheus. - -%prep -%autosetup -p1 - -%build -tar -xf %{SOURCE6} -C .. 
-cd ../promu-%{promu_version} -make build -cd ../%{name}-%{version} -# This needs to be built for one of the tests -make cli-documentation -make build - -%install -install -m 0755 -vd %{buildroot}%{_bindir} -install -m 0755 -vp prometheus %{buildroot}%{_bindir}/ -install -m 0755 -vp promtool %{buildroot}%{_bindir}/ - -# Unit file -install -m 0755 -vd %{buildroot}%{_unitdir} -install -m 0644 -vp %{SOURCE1} %{buildroot}%{_unitdir}/ - -install -m 0755 -vd %{buildroot}%{_sysconfdir} -install -m 0755 -vd %{buildroot}%{_sysconfdir}/prometheus -install -m 0644 -vp %{SOURCE3} %{buildroot}%{_sysconfdir}/prometheus/ -install -m 0755 -vd %{buildroot}%{_sysconfdir}/sysconfig -install -m 0644 -vp %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/prometheus -install -m 0755 -vd %{buildroot}%{_sysconfdir}/logrotate.d -install -m 0644 -vp %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/prometheus -install -m 0755 -vd %{buildroot}%{_sysusersdir} -install -m 0644 -vp %{SOURCE4} %{buildroot}%{_sysusersdir}/ - -mkdir -p %{buildroot}%{_sysconfdir}/prometheus/consoles -mkdir -p %{buildroot}%{_sysconfdir}/prometheus/console_libraries -mkdir -p %{buildroot}%{_sharedstatedir}/prometheus - -%pre -%sysusers_create_package prometheus %{SOURCE4} - -%post -%systemd_post prometheus.service - -%preun -%systemd_preun prometheus.service - -%postun -%systemd_postun_with_restart prometheus.service - -%check -# scrape: needs network -# tsdb: https://github.com/prometheus/prometheus/issues/8393 -# NOTE '%gocheck' is avalible via go-rpm-tools which is currently in SPECS-EXTENDED -# use the raw go test till we import go-rpm-macros to CBL-Mariner core -# go check -t cmd -d scrape -d discovery/kubernetes -d web -d tsdb -d tsdb/chunks -go_test_status=0 -go test -v ./scrape/ -check_result=$? -if [[ $check_result -ne 0 ]]; then - go_test_status=1 -fi -go test -v ./discovery/... -check_result=$? -if [[ $check_result -ne 0 ]]; then - go_test_status=1 -fi -go test -v ./web/ -check_result=$? 
-if [[ $check_result -ne 0 ]]; then - go_test_status=1 -fi -go test -v ./tsdb/... -check_result=$? -if [[ $check_result -ne 0 ]]; then - go_test_status=1 -fi -go test -v ./cmd/prometheus/ -check_result=$? -if [[ $check_result -ne 0 ]]; then - go_test_status=1 -fi - -[[ go_test_status -eq 0 ]] - -%files -%license LICENSE NOTICE -%dir %{_sysconfdir}/prometheus/ -%dir %{_sysconfdir}/prometheus/consoles -%dir %{_sysconfdir}/prometheus/console_libraries -%config(noreplace) %{_sysconfdir}/sysconfig/prometheus -%config(noreplace) %{_sysconfdir}/prometheus/prometheus.yml -%config(noreplace) %{_sysconfdir}/logrotate.d/prometheus -%{_bindir}/* -%{_unitdir}/prometheus.service -%{_sysusersdir}/prometheus.conf -%attr(0755,prometheus,prometheus) %{_sharedstatedir}/prometheus - -%files docs -%doc docs CHANGELOG.md MAINTAINERS.md CODE_OF_CONDUCT.md CONTRIBUTING.md -%doc README.md RELEASE.md documentation - -%changelog -* Fri May 30 2025 Ranjan Dutta - 2.45.4-13 -- merge from Azure Linux 3.0.20250521-3.0 -- Patch CVE-2025-22870, CVE-2024-51744 -- Fix CVE-2024-35255 with an upstream patch -- Add patches to fix test reliability issues with TestQuerierIndexQueriesRace - -* Fri Apr 28 2025 Ranjan Dutta - 2.45.4-9 -- merge from Azure Linux tag 3.0.20250423-3.0 - -* Fri Mar 21 2025 Anuj Mittal - 2.45.4-8 -- Bump Release to rebuild - -* Tue Mar 04 2025 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 2.45.4-7 -- Fix CVE-2023-44487 - -* Mon Nov 25 2024 Bala - 2.45.4-6 -- Fix CVE-2024-24786 by patching - -* Wed Nov 06 2024 Nicolas Guibourge - 2.45.4-4 -- Fix CVE-2023-45288 - -* Fri Aug 02 2024 Bala - 2.45.4-3 -- Fix CVE-2024-6104 by patching vendor gomodule - -* Thu Jun 06 2024 Andrew Phelps - 2.45.4-2 -- Add BR for nodejs-npm - -* Thu Mar 28 2024 Andrew Phelps - 2.45.4-1 -- Upgrade to version 2.45.4 - -* Mon Oct 16 2023 CBL-Mariner Servicing Account - 2.37.0-11 -- Bump release to rebuild with go 1.20.10 - -* Tue Oct 10 2023 Dan Streetman - 2.37.0-10 -- Bump release to 
rebuild with updated version of Go. - -* Mon Aug 07 2023 CBL-Mariner Servicing Account - 2.37.0-9 -- Bump release to rebuild with go 1.19.12 - -* Wed Jul 26 2023 Osama Esmail - 2.37.0-8 -- Making docs a separate package - -* Thu Jul 13 2023 CBL-Mariner Servicing Account - 2.37.0-7 -- Bump release to rebuild with go 1.19.11 - -* Thu Jun 15 2023 CBL-Mariner Servicing Account - 2.37.0-6 -- Bump release to rebuild with go 1.19.10 - -* Wed Apr 05 2023 CBL-Mariner Servicing Account - 2.37.0-5 -- Bump release to rebuild with go 1.19.8 - -* Tue Mar 28 2023 CBL-Mariner Servicing Account - 2.37.0-4 -- Bump release to rebuild with go 1.19.7 - -* Wed Mar 15 2023 CBL-Mariner Servicing Account - 2.37.0-3 -- Bump release to rebuild with go 1.19.6 - -* Fri Feb 03 2023 CBL-Mariner Servicing Account - 2.37.0-2 -- Bump release to rebuild with go 1.19.5 - -* Thu Jan 19 2023 CBL-Mariner Servicing Account - 2.36.0-6 -- Bump release to rebuild with go 1.19.4 - -* Tue Jan 18 2022 Osama Esmail - 2.37.0-1 -- Upgrade to LTS v2.37.0 (next LTS is v2.41.0) -- Created generate_source_tarball.sh for handling the custom tarballs for prometheus/promu -- Simplified %build section to use the custom tarballs - -* Fri Dec 16 2022 Daniel McIlvaney - 2.36.0-5 -- Bump release to rebuild with go 1.18.8 with patch for CVE-2022-41717 - -* Tue Nov 01 2022 Olivia Crain - 2.36.0-4 -- Bump release to rebuild with go 1.18.8 - -* Mon Aug 22 2022 Olivia Crain - 2.36.0-3 -- Bump release to rebuild against Go 1.18.5 - -* Tue Jun 14 2022 Muhammad Falak - 2.36.0-2 -- Bump release to rebuild with golang 1.18.3 - -* Mon Jun 06 2022 Pawel Winogrodzki - 2.36.0-1 -- Updating to version 2.36.0 to fix CVE-2021-29622. 
- -* Mon Jan 31 2022 Muhammad Falak - 2.24.1-8 -- Fix ptest by using 'go test' instead of 'go check' -- Backport a patch to fix test in 'tsdb/chunks' - -* Wed Jul 28 2021 Henry Li - 2.24.1-7 -- Initial CBL-Mariner import from Fedora 34 (license: MIT) -- License Verified -- Use golang for BR -- Use prebuilt go vendor tarball for building -- Remove unused/un-supported macro usage - -* Tue Jun 15 17:51:49 CEST 2021 Robert-André Mauchin - 2.24.1-6 -- Add systemd-sysusers as Requires -- Fix: rhbz#1972026 - -* Sun Mar 28 18:57:11 CEST 2021 Robert-André Mauchin - 2.24.1-5 -- Add ExecReload to service file - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.24.1-4 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - -* Tue Jan 26 22:05:24 CET 2021 Robert-André Mauchin - 2.24.1-3 -- Set default settings in main.go -- Embedded assets in the binary -- Added a logrotate file -- Fix: rhbz#1902496 - -* Tue Jan 26 2021 Fedora Release Engineering - 2.24.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Jan 21 19:43:35 CET 2021 Robert-André Mauchin - 2.24.1-1 -- Update to 2.24.1 -- Close: rhbz#1918532 - -* Thu Jan 7 17:40:17 CET 2021 Robert-André Mauchin - 2.24.0-1 -- Update to 2.24.0 -- Close: rhbz#1911731 - -* Sat Dec 05 22:54:14 CET 2020 Robert-André Mauchin - 2.23.0-2 -- Add new React based UI -- Fix rhbz#1902496 - -* Thu Dec 03 13:12:59 CET 2020 Robert-André Mauchin - 2.23.0-1 -- Update to 2.23.0 -- Add configuration -- Close rhbz#1866613 -- Fix rhbz#1894089 -- Fix rhbz#1902496 - -* Sat Aug 01 2020 Fedora Release Engineering - 2.20.0-2 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Thu Jul 30 22:32:01 CEST 2020 Robert-André Mauchin - 2.20.0-1 -- Update to 2.20.0 - -* Mon Jul 27 2020 Fedora Release Engineering - 2.11.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Feb 17 2020 Elliott Sales de Andrade - 2.11.0-4 -- Rebuilt for 
GHSA-jf24-p9p9-4rjh - -* Wed Jan 29 2020 Fedora Release Engineering - 2.11.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Thu Jul 25 2019 Fedora Release Engineering - 2.11.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Tue Jul 09 19:29:38 CEST 2019 Robert-André Mauchin - 2.11.0-1 -- Release 2.11.0 - -* Tue Jul 09 2019 Elliott Sales de Andrade - 2.9.2-2 -- Add Obsoletes for old names - -* Wed May 15 03:08:50 CEST 2019 Robert-André Mauchin - 2.9.2-1 -- Release 2.9.2 - -* Fri Feb 01 2019 Fedora Release Engineering - 1.8.0-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Fri Jul 13 2018 Fedora Release Engineering - 1.8.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Feb 07 2018 Fedora Release Engineering - 1.8.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Tue Oct 10 2017 Jan Chaloupka - 1.8.0-1 -- Update to 1.8.0 - resolves: #1495180 - -* Tue Aug 22 2017 Jan Chaloupka - 0.15.0-8 -- Polish the spec file - -* Wed Aug 02 2017 Fedora Release Engineering - 0.15.0-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.15.0-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Feb 10 2017 Fedora Release Engineering - 0.15.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Jul 21 2016 Fedora Release Engineering - 0.15.0-4 -- https://fedoraproject.org/wiki/Changes/golang1.7 - -* Mon Feb 22 2016 Fedora Release Engineering - 0.15.0-3 -- https://fedoraproject.org/wiki/Changes/golang1.6 - -* Wed Feb 03 2016 Fedora Release Engineering - 0.15.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Jul 23 2015 jchaloup - 0.15.0-1 -- Update to 0.15.0 - resolves: #1246058 - -* Wed Jun 17 2015 Fedora Release Engineering - 0.13.3-3 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Wed May 13 2015 jchaloup - 0.13.3-2 -- Add debug info - related: #1190426 - -* Tue May 12 2015 jchaloup - 0.13.3-1 -- Update to 0.13.3 - related: #1190426 - -* Sat May 09 2015 jchaloup - 0.13.2-1 -- Update to 0.13.2 - related: #1190426 - -* Sat Feb 07 2015 jchaloup - 0-0.1.git4e6a807 -- First package for Fedora - resolves: #1190426 diff --git a/SPECS/prometheus/prometheus.sysconfig b/SPECS/prometheus/prometheus.sysconfig deleted file mode 100644 index 503800f714..0000000000 --- a/SPECS/prometheus/prometheus.sysconfig +++ /dev/null @@ -1,5 +0,0 @@ -CONFIG_FILE=/etc/prometheus/prometheus.yml -STORAGE_TSDB_PATH=/var/lib/prometheus -WEB_CONSOLE_LIBRARIES_PATH=/etc/prometheus/console_libraries -WEB_CONSOLE_TEMPLATES_PATH=/etc/prometheus/consoles -WEB_LISTEN_ADDRESS=127.0.0.1:9090 diff --git a/SPECS/prometheus/prometheus.yml b/SPECS/prometheus/prometheus.yml deleted file mode 100644 index af33d8704f..0000000000 --- a/SPECS/prometheus/prometheus.yml +++ /dev/null @@ -1,29 +0,0 @@ -# my global config -global: - scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute. - evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute. - # scrape_timeout is set to the global default (10s). - -# Alertmanager configuration -alerting: - alertmanagers: - - static_configs: - - targets: - # - alertmanager:9093 - -# Load rules once and periodically evaluate them according to the global 'evaluation_interval'. -rule_files: - # - "first_rules.yml" - # - "second_rules.yml" - -# A scrape configuration containing exactly one endpoint to scrape: -# Here it's Prometheus itself. -scrape_configs: - # The job name is added as a label `job=` to any timeseries scraped from this config. - - job_name: 'prometheus' - - # metrics_path defaults to '/metrics' - # scheme defaults to 'http'. - - static_configs: - - targets: ['localhost:9090'] 
diff --git a/SPECS/protobuf/CVE-2025-4565.patch b/SPECS/protobuf/CVE-2025-4565.patch
new file mode 100644
index 0000000000..6ad668947a
--- /dev/null
+++ b/SPECS/protobuf/CVE-2025-4565.patch
@@ -0,0 +1,604 @@ +From ba0c3b2cc3489833ef3b6a7901ac586b46762514 Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Sat, 21 Jun 2025 10:38:15 +0000 +Subject: [PATCH] CVE-2025-4565 + +Upstream Patch reference: https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f2 +--- + python/google/protobuf/internal/decoder.py | 111 +++++++++++------- + .../google/protobuf/internal/message_test.py | 60 +++++++++- + .../protobuf/internal/python_message.py | 39 +----- + .../protobuf/internal/self_recursive.proto | 24 ++++ + 4 files changed, 152 insertions(+), 82 deletions(-) + create mode 100644 python/google/protobuf/internal/self_recursive.proto + +diff --git a/python/google/protobuf/internal/decoder.py b/python/google/protobuf/internal/decoder.py +index acb91aa..e16c5a5 100755 +--- a/python/google/protobuf/internal/decoder.py ++++ b/python/google/protobuf/internal/decoder.py +@@ -172,7 +172,8 @@ def _SimpleDecoder(wire_type, decode_value): + clear_if_default=False): + if is_packed: + local_DecodeVarint = _DecodeVarint +- def DecodePackedField(buffer, pos, end, message, field_dict): ++ def DecodePackedField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -191,7 +192,8 @@ def _SimpleDecoder(wire_type, decode_value): + elif is_repeated: + tag_bytes = encoder.TagBytes(field_number, wire_type) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -208,7 +210,8 @@ def _SimpleDecoder(wire_type, decode_value): + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def 
DecodeField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + (new_value, pos) = decode_value(buffer, pos) + if pos > end: + raise _DecodeError('Truncated message.') +@@ -352,7 +355,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + enum_type = key.enum_type + if is_packed: + local_DecodeVarint = _DecodeVarint +- def DecodePackedField(buffer, pos, end, message, field_dict): ++ def DecodePackedField(buffer, pos, end, message, field_dict, current_depth=0): + """Decode serialized packed enum to its value and a new position. + + Args: +@@ -365,6 +368,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + Returns: + int, new position in serialized data. + """ ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -386,18 +390,12 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + + message._unknown_fields.append( + (tag_bytes, buffer[value_start_pos:pos].tobytes())) +- if message._unknown_field_set is None: +- message._unknown_field_set = containers.UnknownFieldSet() +- message._unknown_field_set._add( +- field_number, wire_format.WIRETYPE_VARINT, element) + # pylint: enable=protected-access + if pos > endpoint: + if element in enum_type.values_by_number: + del value[-1] # Discard corrupt value. 
+ else: + del message._unknown_fields[-1] +- # pylint: disable=protected-access +- del message._unknown_field_set._values[-1] + # pylint: enable=protected-access + raise _DecodeError('Packed element was truncated.') + return pos +@@ -405,7 +403,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + elif is_repeated: + tag_bytes = encoder.TagBytes(field_number, wire_format.WIRETYPE_VARINT) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): + """Decode serialized repeated enum to its value and a new position. + + Args: +@@ -418,6 +416,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + Returns: + int, new position in serialized data. + """ ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -431,10 +430,6 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + message._unknown_fields = [] + message._unknown_fields.append( + (tag_bytes, buffer[pos:new_pos].tobytes())) +- if message._unknown_field_set is None: +- message._unknown_field_set = containers.UnknownFieldSet() +- message._unknown_field_set._add( +- field_number, wire_format.WIRETYPE_VARINT, element) + # pylint: enable=protected-access + # Predict that the next tag is another copy of the same repeated + # field. +@@ -446,7 +441,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def DecodeField(buffer, pos, end, message, field_dict, current_depth=0): + """Decode serialized repeated enum to its value and a new position. + + Args: +@@ -459,6 +454,7 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + Returns: + int, new position in serialized data. 
+ """ ++ del current_depth # unused + value_start_pos = pos + (enum_value, pos) = _DecodeSignedVarint32(buffer, pos) + if pos > end: +@@ -476,10 +472,6 @@ def EnumDecoder(field_number, is_repeated, is_packed, key, new_default, + wire_format.WIRETYPE_VARINT) + message._unknown_fields.append( + (tag_bytes, buffer[value_start_pos:pos].tobytes())) +- if message._unknown_field_set is None: +- message._unknown_field_set = containers.UnknownFieldSet() +- message._unknown_field_set._add( +- field_number, wire_format.WIRETYPE_VARINT, enum_value) + # pylint: enable=protected-access + return pos + return DecodeField +@@ -540,7 +532,8 @@ def StringDecoder(field_number, is_repeated, is_packed, key, new_default, + tag_bytes = encoder.TagBytes(field_number, + wire_format.WIRETYPE_LENGTH_DELIMITED) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -557,7 +550,8 @@ def StringDecoder(field_number, is_repeated, is_packed, key, new_default, + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def DecodeField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + (size, pos) = local_DecodeVarint(buffer, pos) + new_pos = pos + size + if new_pos > end: +@@ -581,7 +575,8 @@ def BytesDecoder(field_number, is_repeated, is_packed, key, new_default, + tag_bytes = encoder.TagBytes(field_number, + wire_format.WIRETYPE_LENGTH_DELIMITED) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, 
new_default(message)) +@@ -598,7 +593,8 @@ def BytesDecoder(field_number, is_repeated, is_packed, key, new_default, + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def DecodeField(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + (size, pos) = local_DecodeVarint(buffer, pos) + new_pos = pos + size + if new_pos > end: +@@ -623,7 +619,7 @@ def GroupDecoder(field_number, is_repeated, is_packed, key, new_default): + tag_bytes = encoder.TagBytes(field_number, + wire_format.WIRETYPE_START_GROUP) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -632,7 +628,13 @@ def GroupDecoder(field_number, is_repeated, is_packed, key, new_default): + if value is None: + value = field_dict.setdefault(key, new_default(message)) + # Read sub-message. +- pos = value.add()._InternalParse(buffer, pos, end) ++ current_depth += 1 ++ if current_depth > _recursion_limit: ++ raise _DecodeError( ++ 'Error parsing message: too many levels of nesting.' ++ ) ++ pos = value.add()._InternalParse(buffer, pos, end, current_depth) ++ current_depth -= 1 + # Read end tag. + new_pos = pos+end_tag_len + if buffer[pos:new_pos] != end_tag_bytes or new_pos > end: +@@ -644,12 +646,16 @@ def GroupDecoder(field_number, is_repeated, is_packed, key, new_default): + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def DecodeField(buffer, pos, end, message, field_dict, current_depth=0): + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) + # Read sub-message. 
+- pos = value._InternalParse(buffer, pos, end) ++ current_depth += 1 ++ if current_depth > _recursion_limit: ++ raise _DecodeError('Error parsing message: too many levels of nesting.') ++ pos = value._InternalParse(buffer, pos, end, current_depth) ++ current_depth -= 1 + # Read end tag. + new_pos = pos+end_tag_len + if buffer[pos:new_pos] != end_tag_bytes or new_pos > end: +@@ -668,7 +674,7 @@ def MessageDecoder(field_number, is_repeated, is_packed, key, new_default): + tag_bytes = encoder.TagBytes(field_number, + wire_format.WIRETYPE_LENGTH_DELIMITED) + tag_len = len(tag_bytes) +- def DecodeRepeatedField(buffer, pos, end, message, field_dict): ++ def DecodeRepeatedField(buffer, pos, end, message, field_dict, current_depth=0): + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -679,10 +685,16 @@ def MessageDecoder(field_number, is_repeated, is_packed, key, new_default): + if new_pos > end: + raise _DecodeError('Truncated message.') + # Read sub-message. +- if value.add()._InternalParse(buffer, pos, new_pos) != new_pos: ++ current_depth += 1 ++ if current_depth > _recursion_limit: ++ raise _DecodeError( ++ 'Error parsing message: too many levels of nesting.' ++ ) ++ if value.add()._InternalParse(buffer, pos, new_pos, current_depth) != new_pos: + # The only reason _InternalParse would return early is if it + # encountered an end-group tag. + raise _DecodeError('Unexpected end-group tag.') ++ current_depth -= 1 + # Predict that the next tag is another copy of the same repeated field. 
+ pos = new_pos + tag_len + if buffer[new_pos:pos] != tag_bytes or new_pos == end: +@@ -690,7 +702,7 @@ def MessageDecoder(field_number, is_repeated, is_packed, key, new_default): + return new_pos + return DecodeRepeatedField + else: +- def DecodeField(buffer, pos, end, message, field_dict): ++ def DecodeField(buffer, pos, end, message, field_dict, current_depth=0): + value = field_dict.get(key) + if value is None: + value = field_dict.setdefault(key, new_default(message)) +@@ -700,10 +712,14 @@ def MessageDecoder(field_number, is_repeated, is_packed, key, new_default): + if new_pos > end: + raise _DecodeError('Truncated message.') + # Read sub-message. +- if value._InternalParse(buffer, pos, new_pos) != new_pos: ++ current_depth += 1 ++ if current_depth > _recursion_limit: ++ raise _DecodeError('Error parsing message: too many levels of nesting.') ++ if value._InternalParse(buffer, pos, new_pos, current_depth) != new_pos: + # The only reason _InternalParse would return early is if it encountered + # an end-group tag. + raise _DecodeError('Unexpected end-group tag.') ++ current_depth -= 1 + return new_pos + return DecodeField + +@@ -795,12 +811,6 @@ def MessageSetItemDecoder(descriptor): + message._unknown_fields = [] + message._unknown_fields.append( + (MESSAGE_SET_ITEM_TAG, buffer[message_set_item_start:pos].tobytes())) +- if message._unknown_field_set is None: +- message._unknown_field_set = containers.UnknownFieldSet() +- message._unknown_field_set._add( +- type_id, +- wire_format.WIRETYPE_LENGTH_DELIMITED, +- buffer[message_start:message_end].tobytes()) + # pylint: enable=protected-access + + return pos +@@ -859,7 +869,8 @@ def MapDecoder(field_descriptor, new_default, is_message_map): + # Can't read _concrete_class yet; might not be initialized. 
+ message_type = field_descriptor.message_type + +- def DecodeMap(buffer, pos, end, message, field_dict): ++ def DecodeMap(buffer, pos, end, message, field_dict, current_depth=0): ++ del current_depth # unused + submsg = message_type._concrete_class() + value = field_dict.get(key) + if value is None: +@@ -942,7 +953,16 @@ def _SkipGroup(buffer, pos, end): + pos = new_pos + + +-def _DecodeUnknownFieldSet(buffer, pos, end_pos=None): ++DEFAULT_RECURSION_LIMIT = 100 ++_recursion_limit = DEFAULT_RECURSION_LIMIT ++ ++ ++def SetRecursionLimit(new_limit): ++ global _recursion_limit ++ _recursion_limit = new_limit ++ ++ ++def _DecodeUnknownFieldSet(buffer, pos, end_pos=None, current_depth=0): + """Decode UnknownFieldSet. Returns the UnknownFieldSet and new position.""" + + unknown_field_set = containers.UnknownFieldSet() +@@ -952,16 +972,15 @@ def _DecodeUnknownFieldSet(buffer, pos, end_pos=None): + field_number, wire_type = wire_format.UnpackTag(tag) + if wire_type == wire_format.WIRETYPE_END_GROUP: + break +- (data, pos) = _DecodeUnknownField(buffer, pos, wire_type) ++ (data, pos) = _DecodeUnknownField(buffer, pos, wire_type, current_depth) + # pylint: disable=protected-access + unknown_field_set._add(field_number, wire_type, data) + + return (unknown_field_set, pos) + + +-def _DecodeUnknownField(buffer, pos, wire_type): ++def _DecodeUnknownField(buffer, pos, wire_type, current_depth=0): + """Decode a unknown field. 
Returns the UnknownField and new position.""" +- + if wire_type == wire_format.WIRETYPE_VARINT: + (data, pos) = _DecodeVarint(buffer, pos) + elif wire_type == wire_format.WIRETYPE_FIXED64: +@@ -973,7 +992,11 @@ def _DecodeUnknownField(buffer, pos, wire_type): + data = buffer[pos:pos+size].tobytes() + pos += size + elif wire_type == wire_format.WIRETYPE_START_GROUP: +- (data, pos) = _DecodeUnknownFieldSet(buffer, pos) ++ current_depth += 1 ++ if current_depth >= _recursion_limit: ++ raise _DecodeError('Error parsing message: too many levels of nesting.') ++ data, pos = _DecodeUnknownFieldSet(buffer, pos, None, current_depth) ++ current_depth -= 1 + elif wire_type == wire_format.WIRETYPE_END_GROUP: + return (0, -1) + else: +diff --git a/python/google/protobuf/internal/message_test.py b/python/google/protobuf/internal/message_test.py +index b0f1ae7..2b12c90 100755 +--- a/python/google/protobuf/internal/message_test.py ++++ b/python/google/protobuf/internal/message_test.py +@@ -33,6 +33,7 @@ from google.protobuf.internal import encoder + from google.protobuf.internal import more_extensions_pb2 + from google.protobuf.internal import more_messages_pb2 + from google.protobuf.internal import packed_field_test_pb2 ++from google.protobuf.internal import self_recursive_pb2 + from google.protobuf.internal import test_proto3_optional_pb2 + from google.protobuf.internal import test_util + from google.protobuf.internal import testing_refleaks +@@ -1288,6 +1289,52 @@ class MessageTest(unittest.TestCase): + self.assertNotEqual(ComparesWithFoo(), m) + + ++@testing_refleaks.TestCase ++class TestRecursiveGroup(unittest.TestCase): ++ ++ def _MakeRecursiveGroupMessage(self, n): ++ msg = self_recursive_pb2.SelfRecursive() ++ sub = msg ++ for _ in range(n): ++ sub = sub.sub_group ++ sub.i = 1 ++ return msg.SerializeToString() ++ ++ def testRecursiveGroups(self): ++ recurse_msg = self_recursive_pb2.SelfRecursive() ++ data = self._MakeRecursiveGroupMessage(100) ++ 
recurse_msg.ParseFromString(data) ++ self.assertTrue(recurse_msg.HasField('sub_group')) ++ ++ def testRecursiveGroupsException(self): ++ if api_implementation.Type() != 'python': ++ api_implementation._c_module.SetAllowOversizeProtos(False) ++ recurse_msg = self_recursive_pb2.SelfRecursive() ++ data = self._MakeRecursiveGroupMessage(300) ++ with self.assertRaises(message.DecodeError) as context: ++ recurse_msg.ParseFromString(data) ++ self.assertIn('Error parsing message', str(context.exception)) ++ if api_implementation.Type() == 'python': ++ self.assertIn('too many levels of nesting', str(context.exception)) ++ ++ def testRecursiveGroupsUnknownFields(self): ++ if api_implementation.Type() != 'python': ++ api_implementation._c_module.SetAllowOversizeProtos(False) ++ test_msg = unittest_pb2.TestAllTypes() ++ data = self._MakeRecursiveGroupMessage(300) # unknown to test_msg ++ with self.assertRaises(message.DecodeError) as context: ++ test_msg.ParseFromString(data) ++ self.assertIn( ++ 'Error parsing message', ++ str(context.exception), ++ ) ++ if api_implementation.Type() == 'python': ++ self.assertIn('too many levels of nesting', str(context.exception)) ++ decoder.SetRecursionLimit(310) ++ test_msg.ParseFromString(data) ++ decoder.SetRecursionLimit(decoder.DEFAULT_RECURSION_LIMIT) ++ ++ + # Class to test proto2-only features (required, extensions, etc.) 
+ @testing_refleaks.TestCase + class Proto2Test(unittest.TestCase): +@@ -2635,8 +2682,6 @@ class PackedFieldTest(unittest.TestCase): + self.assertEqual(golden_data, message.SerializeToString()) + + +-@unittest.skipIf(api_implementation.Type() == 'python', +- 'explicit tests of the C++ implementation') + @testing_refleaks.TestCase + class OversizeProtosTest(unittest.TestCase): + +@@ -2653,16 +2698,23 @@ class OversizeProtosTest(unittest.TestCase): + msg.ParseFromString(self.GenerateNestedProto(100)) + + def testAssertOversizeProto(self): +- api_implementation._c_module.SetAllowOversizeProtos(False) ++ if api_implementation.Type() != 'python': ++ api_implementation._c_module.SetAllowOversizeProtos(False) + msg = unittest_pb2.TestRecursiveMessage() + with self.assertRaises(message.DecodeError) as context: + msg.ParseFromString(self.GenerateNestedProto(101)) + self.assertIn('Error parsing message', str(context.exception)) + + def testSucceedOversizeProto(self): +- api_implementation._c_module.SetAllowOversizeProtos(True) ++ ++ if api_implementation.Type() == 'python': ++ decoder.SetRecursionLimit(310) ++ else: ++ api_implementation._c_module.SetAllowOversizeProtos(True) ++ + msg = unittest_pb2.TestRecursiveMessage() + msg.ParseFromString(self.GenerateNestedProto(101)) ++ decoder.SetRecursionLimit(decoder.DEFAULT_RECURSION_LIMIT) + + + if __name__ == '__main__': +diff --git a/python/google/protobuf/internal/python_message.py b/python/google/protobuf/internal/python_message.py +index 40c7764..4451477 100755 +--- a/python/google/protobuf/internal/python_message.py ++++ b/python/google/protobuf/internal/python_message.py +@@ -240,7 +240,6 @@ def _AddSlots(message_descriptor, dictionary): + '_cached_byte_size_dirty', + '_fields', + '_unknown_fields', +- '_unknown_field_set', + '_is_present_in_parent', + '_listener', + '_listener_for_children', +@@ -503,9 +502,6 @@ def _AddInitMethod(message_descriptor, cls): + # _unknown_fields is () when empty for efficiency, and will be 
turned into + # a list if fields are added. + self._unknown_fields = () +- # _unknown_field_set is None when empty for efficiency, and will be +- # turned into UnknownFieldSet struct if fields are added. +- self._unknown_field_set = None # pylint: disable=protected-access + self._is_present_in_parent = False + self._listener = message_listener_mod.NullMessageListener() + self._listener_for_children = _Listener(self) +@@ -1136,7 +1132,7 @@ def _AddMergeFromStringMethod(message_descriptor, cls): + fields_by_tag = cls._fields_by_tag + message_set_decoders_by_tag = cls._message_set_decoders_by_tag + +- def InternalParse(self, buffer, pos, end): ++ def InternalParse(self, buffer, pos, end, current_depth=0): + """Create a message from serialized bytes. + + Args: +@@ -1153,8 +1149,6 @@ def _AddMergeFromStringMethod(message_descriptor, cls): + assert isinstance(buffer, memoryview) + self._Modified() + field_dict = self._fields +- # pylint: disable=protected-access +- unknown_field_set = self._unknown_field_set + while pos != end: + (tag_bytes, new_pos) = local_ReadTag(buffer, pos) + field_decoder, field_des = message_set_decoders_by_tag.get( +@@ -1167,11 +1161,6 @@ def _AddMergeFromStringMethod(message_descriptor, cls): + if field_des is None: + if not self._unknown_fields: # pylint: disable=protected-access + self._unknown_fields = [] # pylint: disable=protected-access +- if unknown_field_set is None: +- # pylint: disable=protected-access +- self._unknown_field_set = containers.UnknownFieldSet() +- # pylint: disable=protected-access +- unknown_field_set = self._unknown_field_set + # pylint: disable=protected-access + (tag, _) = decoder._DecodeVarint(tag_bytes, 0) + field_number, wire_type = wire_format.UnpackTag(tag) +@@ -1183,8 +1172,6 @@ def _AddMergeFromStringMethod(message_descriptor, cls): + buffer, new_pos, wire_type) # pylint: disable=protected-access + if new_pos == -1: + return pos +- # pylint: disable=protected-access +- unknown_field_set._add(field_number, 
wire_type, data) + # TODO: remove _unknown_fields. + new_pos = local_SkipField(buffer, old_pos, end, tag_bytes) + if new_pos == -1: +@@ -1195,7 +1182,7 @@ def _AddMergeFromStringMethod(message_descriptor, cls): + else: + _MaybeAddDecoder(cls, field_des) + field_decoder = field_des._decoders[is_packed] +- pos = field_decoder(buffer, new_pos, end, self, field_dict) ++ pos = field_decoder(buffer, new_pos, end, self, field_dict, current_depth) + if field_des.containing_oneof: + self._UpdateOneofState(field_des) + return pos +@@ -1345,10 +1332,6 @@ def _AddMergeFromMethod(cls): + if not self._unknown_fields: + self._unknown_fields = [] + self._unknown_fields.extend(msg._unknown_fields) +- # pylint: disable=protected-access +- if self._unknown_field_set is None: +- self._unknown_field_set = containers.UnknownFieldSet() +- self._unknown_field_set._extend(msg._unknown_field_set) + + cls.MergeFrom = MergeFrom + +@@ -1375,30 +1358,19 @@ def _Clear(self): + # Clear fields. + self._fields = {} + self._unknown_fields = () +- # pylint: disable=protected-access +- if self._unknown_field_set is not None: +- self._unknown_field_set._clear() +- self._unknown_field_set = None + + self._oneofs = {} + self._Modified() + + + def _UnknownFields(self): +- warnings.warn( +- 'message.UnknownFields() is deprecated. Please use the add one ' +- 'feature unknown_fields.UnknownFieldSet(message) in ' +- 'unknown_fields.py instead.' 
+- ) +- if self._unknown_field_set is None: # pylint: disable=protected-access +- # pylint: disable=protected-access +- self._unknown_field_set = containers.UnknownFieldSet() +- return self._unknown_field_set # pylint: disable=protected-access ++ raise NotImplementedError('Please use the add-on feaure ' ++ 'unknown_fields.UnknownFieldSet(message) in ' ++ 'unknown_fields.py instead.') + + + def _DiscardUnknownFields(self): + self._unknown_fields = [] +- self._unknown_field_set = None # pylint: disable=protected-access + for field, value in self.ListFields(): + if field.cpp_type == _FieldDescriptor.CPPTYPE_MESSAGE: + if _IsMapField(field): +@@ -1440,7 +1412,6 @@ def _AddMessageMethods(message_descriptor, cls): + _AddWhichOneofMethod(message_descriptor, cls) + # Adds methods which do not depend on cls. + cls.Clear = _Clear +- cls.UnknownFields = _UnknownFields + cls.DiscardUnknownFields = _DiscardUnknownFields + cls._SetListener = _SetListener + +diff --git a/python/google/protobuf/internal/self_recursive.proto b/python/google/protobuf/internal/self_recursive.proto +new file mode 100644 +index 0000000..db4d0c9 +--- /dev/null ++++ b/python/google/protobuf/internal/self_recursive.proto +@@ -0,0 +1,24 @@ ++// Protocol Buffers - Google's data interchange formatMore actions ++// Copyright 2024 Google Inc. All rights reserved. ++// ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file or at ++// https://developers.google.com/open-source/licenses/bsd ++ ++edition = "2023"; ++ ++package google.protobuf.python.internal; ++ ++message SelfRecursive { ++ SelfRecursive sub = 1; ++ int32 i = 2; ++ SelfRecursive sub_group = 3 [features.message_encoding = DELIMITED]; ++} ++ ++message IndirectRecursive { ++ IntermediateRecursive intermediate = 1; ++} ++ ++message IntermediateRecursive { ++ IndirectRecursive indirect = 1; ++} +-- +2.45.2 + 
diff --git a/SPECS/protobuf/protobuf.spec b/SPECS/protobuf/protobuf.spec
index 75b1e31b5e..322f2a9d60 100644
--- a/SPECS/protobuf/protobuf.spec
+++ b/SPECS/protobuf/protobuf.spec
@@ -1,13 +1,14 @@
 Summary: Google's data interchange format
 Name: protobuf
 Version: 25.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Group: Development/Libraries
 URL: https://developers.google.com/protocol-buffers/
 Source0: https://github.com/protocolbuffers/protobuf/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Patch0: CVE-2025-4565.patch
 BuildRequires: curl
 BuildRequires: libstdc++
 BuildRequires: cmake
@@ -62,7 +63,7 @@ Provides: %{name}-python3 = %{version}-%{release}
 This contains protobuf python3 libraries.
 %prep
-%autosetup
+%autosetup -p1
 %build
 %{cmake} \
@@ -122,6 +123,9 @@ popd
 %{python3_sitelib}/*
 %changelog
+* Thu Jun 19 2025 Akhila Guruju - 25.3-5
+- Patch CVE-2025-4565
+
 * Thu Jul 25 2024 Devin Anderson - 25.3-4
 - Bump release to rebuild with latest 'abseil-cpp'.
diff --git a/SPECS/python-click/python-click.spec b/SPECS/python-click/python-click.spec
index 88316667b2..84391f059d 100644
--- a/SPECS/python-click/python-click.spec
+++ b/SPECS/python-click/python-click.spec
@@ -8,7 +8,7 @@ comes with good defaults out of the box.
 Summary: Simple wrapper around optparse for powerful command line utilities
 Name: python-%{pypi_name}
 Version: 8.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD-3-Clause
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -17,6 +17,7 @@ Source0: https://github.com/mitsuhiko/click/archive/%{version}/%{name}-%{
 BuildArch: noarch
 %if 0%{?with_check}
 BuildRequires: python3-pip
+BuildRequires: python3-pytest
 %endif
 %description %{_description}
@@ -39,7 +40,6 @@ BuildRequires: python%{python3_pkgversion}-setuptools
 %py3_install
 %check
-pip3 install pytest==7.2.2
 pip3 install .
 pytest -v tests
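Review bot: The added `BuildRequires: python3-pytest` in the `%if 0%{?with_check}` block of python-click.spec has no version bound, while the changelog entry in this file's last hunk says the tests need pytest above 7.4.0. If that floor is real, state it in the spec, `BuildRequires: python3-pytest >= 7.4.0`, so a build root with an older package fails at dependency resolution rather than part-way through `%check`. `%check` still runs `pip3 install .`, which may reach the package index for any dependency not already installed; presumably there is none for this package, but that is worth confirming.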
@@ -50,6 +50,9 @@ pytest -v tests %{python3_sitelib}/%{pypi_name}-*.egg-info/ %changelog +* Wed May 28 2025 Riken Maharjan - 8.1.7-2 +- Fix Ptest by using ptest version above 7.4.0. Use system pytest. + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 8.1.7-1 - Auto-upgrade to 8.1.7 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/python-junit_xml/python-junit_xml.signatures.json b/SPECS/python-junit_xml/python-junit_xml.signatures.json new file mode 100644 index 0000000000..fbaaba2c5d --- /dev/null +++ b/SPECS/python-junit_xml/python-junit_xml.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "python-junit-xml-ba89b41638df8ad2011c2818672f208a91a5a4a0.tar.gz": "09f6f6570685506be24568c13dc3e9465eb1d5d05ceaa31f9517526c4409370a" + } +} \ No newline at end of file diff --git a/SPECS/python-junit_xml/python-junit_xml.spec b/SPECS/python-junit_xml/python-junit_xml.spec new file mode 100644 index 0000000000..561aa2615a --- /dev/null +++ b/SPECS/python-junit_xml/python-junit_xml.spec 
@@ -0,0 +1,250 @@ +# Upstream does not tag releases on GitHub (and did not upload a source archive +# to PyPI for version 1.9). +%global commit ba89b41638df8ad2011c2818672f208a91a5a4a0 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) +%global snapdate 20200222 + +Name: python-junit_xml +Summary: Python module for creating JUnit XML test result documents +Version: 1.9^%{snapdate}git%{shortcommit} +Release: 21%{?dist} +Vendor: Microsoft Corporation +Distribution: Azure Linux + +# SPDX +License: MIT +URL: https://github.com/kyrus/python-junit-xml +Source: %{url}/archive/%{commit}/python-junit-xml-%{commit}.tar.gz + +BuildArch: noarch + +BuildRequires: python3-devel +BuildRequires: python3-pip +BuildRequires: python3-six +BuildRequires: python3-wheel + +%global common_description %{expand: +A Python module for creating JUnit XML test result documents that can be read +by tools such as Jenkins or Bamboo. If you are ever working with test tool or +test suite written in Python and want to take advantage of Jenkins’ or Bamboo’s +pretty graphs and test reporting capabilities, this module will let you +generate the XML test reports.} + +%description %{common_description} + + +%package -n python3-junit-xml +Summary: %{summary} + +Requires: python3-six + +# The source package is named python-junit_xml for historical reasons. The +# binary package, python3-junit-xml, is named using the canonical project +# name[1]; see also [2]. +# +# The %%py_provides macro is used to provide an upgrade path from +# python3-junit_xml and to produce the appropriate Provides for the importable +# module[3]. 
+# +# [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_canonical_project_name +# [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_library_naming +# [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_provides_for_importable_modules + +# Provide an upgrade path +%py_provides python3-junit_xml +Obsoletes: python3-junit_xml < 1.9^20200222gitba89b41-8 + +%description -n python3-junit-xml %{common_description} + + +%prep +%autosetup -n python-junit-xml-%{commit} +# Remove shebang line in non-script source +sed -r -i '1{/^#!/d}' junit_xml/__init__.py +# Do not require pytest-sugar for testing; it is only for prettier output. +sed -r -i 's/^([[:blank:]]+)(pytest-sugar)/\1# \2/' tox.ini + + +%generate_buildrequires +%pyproject_buildrequires -t + + +%build +%pyproject_wheel + + +%install +%pyproject_install +%pyproject_save_files junit_xml + + +%check +# Removing the 'python3-packaging' package. It conflicts with +# the modules installed by "pip3" below. +rpm -e python3-packaging --nodeps + +# Freezing 'pytest' to a known working version as updates tend to introduce regressions. +pip3 install pytest==7.4.3 tox tox-current-env virtualenv +%tox + + +%files -n python3-junit-xml -f %{pyproject_files} +%doc README.rst + + +%changelog +* Wed Jun 25 2025 Pawel Winogrodzki - 1.9^20200222gitba89b41-21 +- Initial CBL-Mariner import from Fedora 42 (license: MIT). +- License verified. +- Manually added run-time dependency on 'python3-six'. + +* Sat Jan 18 2025 Fedora Release Engineering - 1.9^20200222gitba89b41-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Aug 25 2024 Benjamin A. 
Beasley - 1.9^20200222gitba89b41-19 +- Do not require pytest-sugar for testing; it is only for prettier output + +* Fri Jul 19 2024 Fedora Release Engineering - 1.9^20200222gitba89b41-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jun 07 2024 Python Maint - 1.9^20200222gitba89b41-17 +- Rebuilt for Python 3.13 + +* Fri Jan 26 2024 Fedora Release Engineering - 1.9^20200222gitba89b41-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 1.9^20200222gitba89b41-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Dec 18 2023 Benjamin A. Beasley - 1.9^20200222gitba89b41-13 +- Assert that %%pyproject_files contains a license file + +* Fri Jul 21 2023 Fedora Release Engineering - 1.9^20200222gitba89b41-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jun 14 2023 Python Maint - 1.9^20200222gitba89b41-11 +- Rebuilt for Python 3.12 + +* Thu May 25 2023 Benjamin A. Beasley - 1.9^20200222gitba89b41-10 +- Rename the binary RPM to match the canonical name + +* Thu May 25 2023 Benjamin A. Beasley - 1.9^20200222gitba89b41-9 +- Remove a shebang from a non-script Python source + +* Fri Jan 20 2023 Fedora Release Engineering - 1.9^20200222gitba89b41-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Sat Oct 22 2022 Benjamin A. Beasley - 1.9^20200222gitba89b41-4 +- Confirm License is SPDX MIT + +* Fri Jul 22 2022 Fedora Release Engineering - 1.9^20200222gitba89b41-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 1.9^20200222gitba89b41-2 +- Rebuilt for Python 3.11 + +* Wed Apr 20 2022 Benjamin A. Beasley - 1.9^20200222gitba89b41-1 +- Drop “forge” macros and use “modern” snapshot versioning + +* Fri Jan 21 2022 Fedora Release Engineering - 1.9-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Sep 13 2021 Benjamin A. 
Beasley - 1.9-17 +- Let pyproject-rpm-macros handle the license file + +* Sun Sep 12 2021 Benjamin A. Beasley - 1.9-16 +- Drop BR on pyproject-rpm-macros, now implied by python3-devel + +* Sun Sep 12 2021 Benjamin A. Beasley - 1.9-15 +- Add Python provides for junit-xml name + +* Sun Sep 12 2021 Benjamin A. Beasley - 1.9-14 +- Drop BR on pyproject-rpm-macros, now implied by python3-devel + +* Tue Jul 27 2021 Benjamin A. Beasley - 1.9-13 +- Move %%generate_buildrequires after %%prep to make the spec file easier + to follow + +* Fri Jul 23 2021 Fedora Release Engineering - 1.9-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jul 09 2021 Benjamin A. Beasley - 1.9-9 +- Merged PR#1; drop patch for RHBZ#1935212 + +* Fri Jun 04 2021 Python Maint - 1.9-8 +- Rebuilt for Python 3.10 + +* Wed May 12 2021 Benjamin A. Beasley - 1.9-7 +- Move “forge” macros to the top of the spec file + +* Tue Mar 16 2021 Benjamin A. Beasley - 1.9-6 +- Drop python3dist(setuptools) BR, redundant with %%pyproject_buildrequires + +* Mon Mar 08 2021 Benjamin A. Beasley - 1.9-5 +- Replace ' with ’ in description + +* Thu Feb 11 2021 Benjamin A. Beasley - 1.9-4 +- Rebuilt for pyproject-rpm-macros-0-38 to fix unowned nested __pycache__ + directories (RHBZ#1925963) + +* Wed Jan 27 2021 Fedora Release Engineering - 1.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Jan 14 2021 Benjamin A. Beasley - 1.9-2 +- Drop conditionals for Fedora 32 + +* Thu Jan 14 2021 Benjamin A. Beasley - 1.9-1 +- Update to 1.9 (RHBZ#1486729) + +* Thu Jan 14 2021 Benjamin A. 
Beasley - 1.8-13 +- Drop EPEL compatibility and unnecessary macros; EPEL7/8 will be supported by + a forked spec file instead of conditional macros +- Use pyproject-rpm-macros, including generated BR’s +- Fix banned %%{python3_sitelib}/* in %%files +- Use %%pytest, %%pypi_source macros +- Update summary and description from upstream + +* Wed Jul 29 2020 Fedora Release Engineering - 1.8-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue May 26 2020 Miro Hrončok - 1.8-11 +- Rebuilt for Python 3.9 + +* Thu Jan 30 2020 Fedora Release Engineering - 1.8-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Sep 11 2019 Adrian Reber - 1.8-9 +- Apply adapted upstream fix for test failures + +* Mon Aug 19 2019 Miro Hrončok - 1.8-8 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 1.8-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Feb 02 2019 Fedora Release Engineering - 1.8-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Oct 17 2018 Zbigniew Jędrzejewski-Szmek - 1.8-5 +- Subpackage python2-junit_xml has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Sat Jul 14 2018 Fedora Release Engineering - 1.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 1.8-3 +- Rebuilt for Python 3.7 + +* Fri Feb 09 2018 Fedora Release Engineering - 1.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 30 2017 James Hogarth - 1.8-1 +- update to 1.8 + +* Thu Jul 27 2017 Fedora Release Engineering - 1.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Feb 15 2017 James Hogarth - 1.7-1 +- Initial package + +## END: Generated by rpmautospec diff --git a/SPECS/python-pip/python-pip.spec b/SPECS/python-pip/python-pip.spec index 3c634e5bbc..10bfa241b3 100644 
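Review bot: `%check` in the new python-junit_xml.spec runs `pip3 install pytest==7.4.3 tox tox-current-env virtualenv`, so the test phase pulls code from the package index at build time: three of the four packages are unpinned, none is hash-checked, and the preceding `rpm -e python3-packaging --nodeps` alters the build root to make room for them. The python-click change in this same commit goes the other way and takes pytest from the distribution. Where the packages exist in the distribution (not visible here), declare them instead, e.g. `%if 0%{?with_check}` / `BuildRequires: python3-pytest` / `%endif`, and drop the `pip3 install` line; `%pyproject_buildrequires -t` is already present and may cover the tox dependencies. If pip has to stay, pin every package to an exact version rather than pytest alone.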
--- a/SPECS/python-pip/python-pip.spec
+++ b/SPECS/python-pip/python-pip.spec
@@ -5,7 +5,7 @@ A tool for installing and managing Python packages}
 Summary: A tool for installing and managing Python packages
 Name: python-pip
 Version: 24.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -52,6 +52,9 @@ BuildRequires: python3-wheel
 %{python3_sitelib}/pip*
 %changelog
+* Mon Jul 07 2025 Kavya Sree Kaitepalli - 24.2-3
+- Bump release to build with asciidoc
+
 * Fri Nov 22 2024 Kavya Sree Kaitepalli - 24.2-2
 - Patch for CVE-2024-37891
diff --git a/SPECS/python-requests/CVE-2024-47081.patch b/SPECS/python-requests/CVE-2024-47081.patch
new file mode 100644
index 0000000000..3843f9da82
--- /dev/null
+++ b/SPECS/python-requests/CVE-2024-47081.patch
@@ -0,0 +1,32 @@
+From a0383681fca625f7d6bfdbe1074c884ceaa1f688 Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Tue, 17 Jun 2025 04:52:52 +0000
+Subject: [PATCH] CVE-2024-47081
+
+Upstream Patch Reference: https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
+---
+ requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index a367417..502c7bc 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -228,13 +228,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b":"
+- if isinstance(url, str):
+- splitstr = splitstr.decode("ascii")
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+--
+2.45.2
+
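Review bot: The replacement line `host = ri.hostname` in the requests patch carries no comment, whereas the block it removes explained itself, so the reason for preferring `hostname` over `netloc` is lost to the next reader. A one-line comment above it would do: `# Match netrc entries on the parsed hostname only; netloc also carries userinfo and port.` The patch's diffstat lists only requests/utils.py, so nothing pins the new behaviour; a test that calls `get_netrc_auth` with a URL containing userinfo and a port and checks which host is looked up would guard against a regression. `get_netrc_auth` starts and ends outside the hunk.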
diff --git a/SPECS/python-requests/python-requests.spec b/SPECS/python-requests/python-requests.spec
index 6f54f0a2aa..1785d49ce1 100644
--- a/SPECS/python-requests/python-requests.spec
+++ b/SPECS/python-requests/python-requests.spec
@@ -1,7 +1,7 @@
 Summary: Awesome Python HTTP Library That's Actually Usable
 Name: python-requests
 Version: 2.31.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -9,6 +9,7 @@ Group: Development/Languages/Python
 URL: http://python-requests.org
 Source0: https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch0: CVE-2024-35195.patch
+Patch1: CVE-2024-47081.patch
 BuildArch: noarch
 %description
@@ -72,6 +73,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 %changelog
+* Tue Jun 17 2025 Jyoti Kanase - 2.31.0-3
+- Add patch for CVE-2024-47081
+
 * Fri Dec 27 2024 Archana Choudhary - 2.31.0-2
 - Add patch for CVE-2024-35195
diff --git a/SPECS/python-setuptools/CVE-2025-47273.patch b/SPECS/python-setuptools/CVE-2025-47273.patch
new file mode 100644
index 0000000000..1f0f7070c2
--- /dev/null
+++ b/SPECS/python-setuptools/CVE-2025-47273.patch
@@ -0,0 +1,64 @@ +From 28da95e0be5197aa84708aa0696c70c42be80439 Mon Sep 17 00:00:00 2001 +From: Mayank Singh +Date: Mon, 26 May 2025 06:42:09 +0000 +Subject: [PATCH] Patch CVE-2025-47273 + +Upstream Patch Reference: https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b +--- + setuptools/package_index.py | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index cf25f83..d8f350e 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -813,10 +813,25 @@ class PackageIndex(Environment): + else: + raise DistutilsError("Download error for %s: %s" % (url, v)) from v + +- def _download_url(self, url, tmpdir): +- # Determine download filename +- # +- name, fragment = egg_info_for_url(url) ++ @staticmethod ++ def _resolve_download_filename(url, tmpdir): ++ """ ++ >>> import pathlib ++ >>> du = PackageIndex._resolve_download_filename ++ >>> root = getfixture('tmp_path') ++ >>> url = 'https://files.pythonhosted.org/packages/a9/5a/0db.../setuptools-78.1.0.tar.gz' ++ >>> str(pathlib.Path(du(url, root)).relative_to(root)) ++ 'setuptools-78.1.0.tar.gz' ++ ++ Ensures the target is always in tmpdir. ++ ++ >>> url = 'https://anyhost/%2fhome%2fuser%2f.ssh%2fauthorized_keys' ++ >>> du(url, root) ++ Traceback (most recent call last): ++ ... ++ ValueError: Invalid filename... ++ """ ++ name, _fragment = egg_info_for_url(url) + if name: + while '..' 
in name: + name = name.replace('..', '.').replace('\\', '_') +@@ -828,6 +843,16 @@ class PackageIndex(Environment): + + filename = os.path.join(tmpdir, name) + ++ # ensure path resolves within the tmpdir ++ if not filename.startswith(str(tmpdir)): ++ raise ValueError(f"Invalid filename {filename}") ++ ++ return filename ++ ++ def _download_url(self, url, tmpdir): ++ # Determine download filename ++ # ++ filename = self._resolve_download_filename(url, tmpdir) + return self._download_vcs(url, filename) or self._download_other(url, filename) + + @staticmethod +-- +2.45.3 + diff --git a/SPECS/python-setuptools/python-setuptools.spec b/SPECS/python-setuptools/python-setuptools.spec index 8ca1bb0c48..e5c3d11dd2 100644 --- a/SPECS/python-setuptools/python-setuptools.spec +++ b/SPECS/python-setuptools/python-setuptools.spec @@ -6,7 +6,7 @@ Setuptools is a fully-featured, actively-maintained, and stable library designed Summary: Easily build and distribute Python packages Name: python-setuptools Version: 69.0.3 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -14,6 +14,7 @@ Group: Development/Tools URL: https://pypi.python.org/pypi/setuptools Source0: https://pypi.org/packages/source/s/setuptools/setuptools-%{version}.tar.gz Patch0: CVE-2024-6345.patch +Patch1: CVE-2025-47273.patch %description %{_description} @@ -58,6 +59,9 @@ EOF %{python3_sitelib}/setuptools-%{version}.dist-info/* %changelog +* Mon May 26 2025 - 69.0.3-5 +- Fix CVE-2025-47273 with an upstream patch + * Tue Sep 10 2024 - 69.0.3-4 - Fix CVE-2024-6345 with a patch diff --git a/SPECS/python-urllib3/CVE-2025-50181.patch b/SPECS/python-urllib3/CVE-2025-50181.patch new file mode 100644 index 0000000000..ea550e0652 --- /dev/null +++ b/SPECS/python-urllib3/CVE-2025-50181.patch 
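Review bot: The containment check added to `_resolve_download_filename`, `if not filename.startswith(str(tmpdir)):`, is a plain string-prefix test: it does not normalise the joined path and does not require a path separator after `tmpdir`, so a path under a sibling directory whose name merely begins with the same characters would pass. Comparing normalised paths is stricter: `root = os.path.abspath(tmpdir)` followed by `if os.path.commonpath([root, os.path.abspath(filename)]) != root:`. The patch header names an upstream commit as its source, so tightening the check here means carrying a local delta; at minimum a comment on the check should record the limitation. The helper's body is split across two hunks of the patch, with lines elided between them.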
@@ -0,0 +1,194 @@ +From ae6bf09c81cb7d415983ae7a08d805dd47149318 Mon Sep 17 00:00:00 2001 +From: dj_palli +Date: Tue, 24 Jun 2025 20:58:33 +0000 +Subject: [PATCH] Address CVE-2025-50181 + +Upstream patch reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 + +--- + CHANGES.rst | 2 + + src/urllib3/poolmanager.py | 16 ++++ + test/test_poolmanager.py | 5 +- + test/with_dummyserver/test_poolmanager.py | 102 ++++++++++++++++++++++ + 4 files changed, 123 insertions(+), 2 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 6c37aeb..e6db1de 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -2,6 +2,8 @@ + ================== + + * Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. ++- Fixed a security issue where restricting the maximum number of followed redirects at the urllib3.PoolManager level via the retries parameter did not work. ++- TODO: add other entries in the release PR. + + 2.0.6 (2023-10-02) + ================== +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index 3c92a14..e2b3a12 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -203,6 +203,22 @@ class PoolManager(RequestMethods): + **connection_pool_kw: typing.Any, + ) -> None: + super().__init__(headers) ++ if "retries" in connection_pool_kw: ++ retries = connection_pool_kw["retries"] ++ if not isinstance(retries, Retry): ++ # When Retry is initialized, raise_on_redirect is based ++ # on a redirect boolean value. ++ # But requests made via a pool manager always set ++ # redirect to False, and raise_on_redirect always ends ++ # up being False consequently. ++ # Here we fix the issue by setting raise_on_redirect to ++ # a value needed by the pool manager without considering ++ # the redirect boolean. 
++ raise_on_redirect = retries is not False ++ retries = Retry.from_int(retries, redirect=False) ++ retries.raise_on_redirect = raise_on_redirect ++ connection_pool_kw = connection_pool_kw.copy() ++ connection_pool_kw["retries"] = retries + self.connection_pool_kw = connection_pool_kw + + self.pools: RecentlyUsedContainer[PoolKey, HTTPConnectionPool] +diff --git a/test/test_poolmanager.py b/test/test_poolmanager.py +index 821e218..6693159 100644 +--- a/test/test_poolmanager.py ++++ b/test/test_poolmanager.py +@@ -375,9 +375,10 @@ class TestPoolManager: + + def test_merge_pool_kwargs(self) -> None: + """Assert _merge_pool_kwargs works in the happy case""" +- p = PoolManager(retries=100) ++ retries = retry.Retry(total=100) ++ p = PoolManager(retries=retries) + merged = p._merge_pool_kwargs({"new_key": "value"}) +- assert {"retries": 100, "new_key": "value"} == merged ++ assert {"retries": retries, "new_key": "value"} == merged + + def test_merge_pool_kwargs_none(self) -> None: + """Assert false-y values to _merge_pool_kwargs result in defaults""" +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index cd842c1..15532bb 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -81,6 +81,90 @@ class TestPoolManager(HTTPDummyServerTestCase): + assert r.status == 200 + assert r.data == b"Dummy server!" + ++ ++ @pytest.mark.parametrize( ++ "retries", ++ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_0( ++ self, retries: typing.Literal[0] | Retry ++ ) -> None: ++ """ ++ Check handling redirects when retries is set to 0 on the pool ++ manager. ++ """ ++ with PoolManager(retries=retries) as http: ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect") ++ ++ # Setting redirect=True should not change the behavior. 
++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ ++ # Setting redirect=False should not make it follow the redirect, ++ # but MaxRetryError should not be raised. ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ @pytest.mark.parametrize( ++ "retries", ++ ( ++ False, ++ Retry(total=False), ++ Retry(redirect=False), ++ Retry(total=False, redirect=False), ++ ), ++ ) ++ def test_redirects_disabled_for_pool_manager_with_false( ++ self, retries: typing.Literal[False] | Retry ++ ) -> None: ++ """ ++ Check that setting retries set to False on the pool manager disables ++ raising MaxRetryError and redirect=True does not change the ++ behavior. ++ """ ++ with PoolManager(retries=retries) as http: ++ response = http.request("GET", f"{self.base_url}/redirect") ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=True) ++ assert response.status == 303 ++ ++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False) ++ assert response.status == 303 ++ ++ def test_redirects_disabled_for_individual_request(self) -> None: ++ """ ++ Check handling redirects when they are meant to be disabled ++ on the request level. ++ """ ++ with PoolManager() as http: ++ # Check when redirect is not passed. ++ with pytest.raises(MaxRetryError): ++ http.request("GET", f"{self.base_url}/redirect", retries=0) ++ response = http.request("GET", f"{self.base_url}/redirect", retries=False) ++ assert response.status == 303 ++ ++ # Check when redirect=True. ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=True ++ ) ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=True ++ ) ++ assert response.status == 303 ++ ++ # Check when redirect=False. 
++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=0, redirect=False ++ ) ++ assert response.status == 303 ++ response = http.request( ++ "GET", f"{self.base_url}/redirect", retries=False, redirect=False ++ ) ++ assert response.status == 303 ++ + def test_cross_host_redirect(self) -> None: + with PoolManager() as http: + cross_host_location = f"{self.base_url_alt}/echo?a=b" +@@ -135,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase): + pool = http.connection_from_host(self.host, self.port) + assert pool.num_connections == 1 + ++ # Check when retries are configured for the pool manager. ++ with PoolManager(retries=1) as http: ++ with pytest.raises(MaxRetryError): ++ http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ ) ++ ++ # Here we allow more retries for the request. ++ response = http.request( ++ "GET", ++ f"{self.base_url}/redirect", ++ fields={"target": f"/redirect?target={self.base_url}/"}, ++ retries=2, ++ ) ++ assert response.status == 200 ++ + def test_redirect_cross_host_remove_headers(self) -> None: + with PoolManager() as http: + r = http.request( +-- +2.45.2 + diff --git a/SPECS/python-urllib3/python-urllib3.spec b/SPECS/python-urllib3/python-urllib3.spec index 3df3088f02..95048bf773 100644 --- a/SPECS/python-urllib3/python-urllib3.spec +++ b/SPECS/python-urllib3/python-urllib3.spec @@ -1,7 +1,7 @@ Summary: A powerful, sanity-friendly HTTP client for Python. Name: python-urllib3 Version: 2.0.7 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ BuildArch: noarch Patch0: urllib3_test_recent_date.patch Patch1: change-backend-to-flit_core.patch Patch2: CVE-2024-37891.patch +Patch3: CVE-2025-50181.patch %description A powerful, sanity-friendly HTTP client for Python. 
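Review bot: The CHANGES.rst hunk of the urllib3 patch carries over `- TODO: add other entries in the release PR.`, a release-process placeholder that means nothing in a distribution backport, and both added entries use `-` while the existing entry directly above them uses `*`. Drop the TODO line and write the remaining entry in the list's own style: `* Fixed a security issue where restricting the maximum number of followed redirects at the urllib3.PoolManager level via the retries parameter did not work.`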
@@ -83,6 +84,9 @@ skiplist+=" or test_respect_retry_after_header_sleep" %{python3_sitelib}/* %changelog +* Tue Jun 24 2025 Durga Jagadeesh Palli - 2.0.7-2 +- add patch for CVE-2025-50181 + * Wed Jul 10 2024 Sumedh Sharma - 2.0.7-1 - Bump version to fix CVE-2023-43804 & CVE-2023-45803. - Add patch file to fix CVE-2024-37891. diff --git a/SPECS/python3/CVE-2025-4516.patch b/SPECS/python3/CVE-2025-4516.patch new file mode 100644 index 0000000000..2309a9de97 --- /dev/null +++ b/SPECS/python3/CVE-2025-4516.patch 
@@ -0,0 +1,565 @@ +From ea0bd1feef9013b4afebeda30b6c1aa285b5c344 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Wed, 21 May 2025 04:09:04 +0000 +Subject: [PATCH] CVE-2025-4516 +Upstream Reference Patch: https://github.com/python/cpython/pull/134337/commits/a75953b347716fff694aa59a7c7c2489fa50d1f5 +--- + Include/cpython/bytesobject.h | 4 ++ + Include/cpython/unicodeobject.h | 13 ++++ + Lib/test/test_codeccallbacks.py | 39 ++++++++++- + Lib/test/test_codecs.py | 52 ++++++++++++--- + ...-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst | 2 + + Objects/bytesobject.c | 54 ++++++++++------ + Objects/unicodeobject.c | 61 ++++++++++++------ + Parser/string_parser.c | 64 +++++++++++++++---- + 8 files changed, 231 insertions(+), 58 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst + +diff --git a/Include/cpython/bytesobject.h b/Include/cpython/bytesobject.h +index e982031..eef607a 100644 +--- a/Include/cpython/bytesobject.h ++++ b/Include/cpython/bytesobject.h +@@ -25,6 +25,10 @@ PyAPI_FUNC(PyObject*) _PyBytes_FromHex( + int use_bytearray); + + /* Helper for PyBytes_DecodeEscape that detects invalid escape chars. */ ++PyAPI_FUNC(PyObject*) _PyBytes_DecodeEscape2(const char *, Py_ssize_t, ++ const char *, ++ int *, const char **); ++// Export for binary compatibility. + PyAPI_FUNC(PyObject *) _PyBytes_DecodeEscape(const char *, Py_ssize_t, + const char *, const char **); + +diff --git a/Include/cpython/unicodeobject.h b/Include/cpython/unicodeobject.h +index f177cd9..cf38928 100644 +--- a/Include/cpython/unicodeobject.h ++++ b/Include/cpython/unicodeobject.h +@@ -684,6 +684,19 @@ PyAPI_FUNC(PyObject*) _PyUnicode_DecodeUnicodeEscapeStateful( + ); + /* Helper for PyUnicode_DecodeUnicodeEscape that detects invalid escape + chars. 
*/ ++PyAPI_FUNC(PyObject*) _PyUnicode_DecodeUnicodeEscapeInternal2( ++ const char *string, /* Unicode-Escape encoded string */ ++ Py_ssize_t length, /* size of string */ ++ const char *errors, /* error handling */ ++ Py_ssize_t *consumed, /* bytes consumed */ ++ int *first_invalid_escape_char, /* on return, if not -1, contain the first ++ invalid escaped char (<= 0xff) or invalid ++ octal escape (> 0xff) in string. */ ++ const char **first_invalid_escape_ptr); /* on return, if not NULL, may ++ point to the first invalid escaped ++ char in string. ++ May be NULL if errors is not NULL. */ ++// Export for binary compatibility. + PyAPI_FUNC(PyObject*) _PyUnicode_DecodeUnicodeEscapeInternal( + const char *string, /* Unicode-Escape encoded string */ + Py_ssize_t length, /* size of string */ +diff --git a/Lib/test/test_codeccallbacks.py b/Lib/test/test_codeccallbacks.py +index 4991330..d85f609 100644 +--- a/Lib/test/test_codeccallbacks.py ++++ b/Lib/test/test_codeccallbacks.py +@@ -1,6 +1,7 @@ + import codecs + import html.entities + import itertools ++import re + import sys + import unicodedata + import unittest +@@ -1124,7 +1125,7 @@ class CodecCallbackTest(unittest.TestCase): + text = 'abcghi'*n + text.translate(charmap) + +- def test_mutatingdecodehandler(self): ++ def test_mutating_decode_handler(self): + baddata = [ + ("ascii", b"\xff"), + ("utf-7", b"++"), +@@ -1159,6 +1160,42 @@ class CodecCallbackTest(unittest.TestCase): + for (encoding, data) in baddata: + self.assertEqual(data.decode(encoding, "test.mutating"), "\u4242") + ++ def test_mutating_decode_handler_unicode_escape(self): ++ decode = codecs.unicode_escape_decode ++ def mutating(exc): ++ if isinstance(exc, UnicodeDecodeError): ++ r = data.get(exc.object[:exc.end]) ++ if r is not None: ++ exc.object = r[0] + exc.object[exc.end:] ++ return ('\u0404', r[1]) ++ raise AssertionError("don't know how to handle %r" % exc) ++ ++ codecs.register_error('test.mutating2', mutating) ++ data = { ++ br'\x0': (b'\\', 0), 
++ br'\x3': (b'xxx\\', 3), ++ br'\x5': (b'x\\', 1), ++ } ++ def check(input, expected, msg): ++ with self.assertWarns(DeprecationWarning) as cm: ++ self.assertEqual(decode(input, 'test.mutating2'), (expected, len(input))) ++ self.assertIn(msg, str(cm.warning)) ++ ++ check(br'\x0n\z', '\u0404\n\\z', r"invalid escape sequence '\z'") ++ check(br'\x0n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'") ++ check(br'\x0z', '\u0404\\z', r"invalid escape sequence '\z'") ++ ++ check(br'\x3n\zr', '\u0404\n\\zr', r"invalid escape sequence '\z'") ++ check(br'\x3zr', '\u0404\\zr', r"invalid escape sequence '\z'") ++ check(br'\x3z5', '\u0404\\z5', r"invalid escape sequence '\z'") ++ check(memoryview(br'\x3z5x')[:-1], '\u0404\\z5', r"invalid escape sequence '\z'") ++ check(memoryview(br'\x3z5xy')[:-2], '\u0404\\z5', r"invalid escape sequence '\z'") ++ ++ check(br'\x5n\z', '\u0404\n\\z', r"invalid escape sequence '\z'") ++ check(br'\x5n\501', '\u0404\n\u0141', r"invalid octal escape sequence '\501'") ++ check(br'\x5z', '\u0404\\z', r"invalid escape sequence '\z'") ++ check(memoryview(br'\x5zy')[:-1], '\u0404\\z', r"invalid escape sequence '\z'") ++ + # issue32583 + def test_crashing_decode_handler(self): + # better generating one more character to fill the extra space slot +diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py +index f683f06..2e64a52 100644 +--- a/Lib/test/test_codecs.py ++++ b/Lib/test/test_codecs.py +@@ -1196,23 +1196,39 @@ class EscapeDecodeTest(unittest.TestCase): + check(br"[\1010]", b"[A0]") + check(br"[\x41]", b"[A]") + check(br"[\x410]", b"[A0]") ++ ++ def test_warnings(self): ++ decode = codecs.escape_decode ++ check = coding_checker(self, decode) + for i in range(97, 123): + b = bytes([i]) + if b not in b'abfnrtvx': +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\%c'" % i): + check(b"\\" + b, b"\\" + b) +- with self.assertWarns(DeprecationWarning): ++ 
with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\%c'" % (i-32)): + check(b"\\" + b.upper(), b"\\" + b.upper()) +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\8'"): + check(br"\8", b"\\8") + with self.assertWarns(DeprecationWarning): + check(br"\9", b"\\9") +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\\xfa'") as cm: + check(b"\\\xfa", b"\\\xfa") + for i in range(0o400, 0o1000): +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid octal escape sequence '\\%o'" % i): + check(rb'\%o' % i, bytes([i & 0o377])) + ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\z'"): ++ self.assertEqual(decode(br'\x\z', 'ignore'), (b'\\z', 4)) ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid octal escape sequence '\\501'"): ++ self.assertEqual(decode(br'\x\501', 'ignore'), (b'A', 6)) ++ + def test_errors(self): + decode = codecs.escape_decode + self.assertRaises(ValueError, decode, br"\x") +@@ -2479,24 +2495,40 @@ class UnicodeEscapeTest(ReadTest, unittest.TestCase): + check(br"[\x410]", "[A0]") + check(br"\u20ac", "\u20ac") + check(br"\U0001d120", "\U0001d120") ++ ++ def test_decode_warnings(self): ++ decode = codecs.unicode_escape_decode ++ check = coding_checker(self, decode) + for i in range(97, 123): + b = bytes([i]) + if b not in b'abfnrtuvx': +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\%c'" % i): + check(b"\\" + b, "\\" + chr(i)) + if b.upper() not in b'UN': +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\%c'" % (i-32)): + check(b"\\" + b.upper(), "\\" + chr(i-32)) +- with self.assertWarns(DeprecationWarning): ++ with 
self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\8'"): + check(br"\8", "\\8") + with self.assertWarns(DeprecationWarning): + check(br"\9", "\\9") +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\\xfa'") as cm: + check(b"\\\xfa", "\\\xfa") + for i in range(0o400, 0o1000): +- with self.assertWarns(DeprecationWarning): ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid octal escape sequence '\\%o'" % i): + check(rb'\%o' % i, chr(i)) + ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid escape sequence '\\z'"): ++ self.assertEqual(decode(br'\x\z', 'ignore'), ('\\z', 4)) ++ with self.assertWarnsRegex(DeprecationWarning, ++ r"invalid octal escape sequence '\\501'"): ++ self.assertEqual(decode(br'\x\501', 'ignore'), ('\u0141', 6)) ++ + def test_decode_errors(self): + decode = codecs.unicode_escape_decode + for c, d in (b'x', 2), (b'u', 4), (b'U', 4): +diff --git a/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst b/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst +new file mode 100644 +index 0000000..39d2f1e +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst +@@ -0,0 +1,2 @@ ++Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error ++handler. +diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c +index f3a978c..dae8412 100644 +--- a/Objects/bytesobject.c ++++ b/Objects/bytesobject.c +@@ -1048,10 +1048,11 @@ _PyBytes_FormatEx(const char *format, Py_ssize_t format_len, + } + + /* Unescape a backslash-escaped string. 
*/ +-PyObject *_PyBytes_DecodeEscape(const char *s, ++PyObject *_PyBytes_DecodeEscape2(const char *s, + Py_ssize_t len, + const char *errors, +- const char **first_invalid_escape) ++ int *first_invalid_escape_char, ++ const char **first_invalid_escape_ptr) + { + int c; + char *p; +@@ -1065,7 +1066,8 @@ PyObject *_PyBytes_DecodeEscape(const char *s, + return NULL; + writer.overallocate = 1; + +- *first_invalid_escape = NULL; ++ *first_invalid_escape_char = -1; ++ *first_invalid_escape_ptr = NULL; + + end = s + len; + while (s < end) { +@@ -1103,9 +1105,10 @@ PyObject *_PyBytes_DecodeEscape(const char *s, + c = (c<<3) + *s++ - '0'; + } + if (c > 0377) { +- if (*first_invalid_escape == NULL) { +- *first_invalid_escape = s-3; /* Back up 3 chars, since we've +- already incremented s. */ ++ if (*first_invalid_escape_char == -1) { ++ *first_invalid_escape_char = c; ++ /* Back up 3 chars, since we've already incremented s. */ ++ *first_invalid_escape_ptr = s - 3; + } + } + *p++ = c; +@@ -1146,9 +1149,10 @@ PyObject *_PyBytes_DecodeEscape(const char *s, + break; + + default: +- if (*first_invalid_escape == NULL) { +- *first_invalid_escape = s-1; /* Back up one char, since we've +- already incremented s. */ ++ if (*first_invalid_escape_char == -1) { ++ *first_invalid_escape_char = (unsigned char)s[-1]; ++ /* Back up one char, since we've already incremented s. */ ++ *first_invalid_escape_ptr = s - 1; + } + *p++ = '\\'; + s--; +@@ -1162,23 +1166,37 @@ PyObject *_PyBytes_DecodeEscape(const char *s, + return NULL; + } + ++// Export for binary compatibility. 
++PyObject *_PyBytes_DecodeEscape(const char *s, ++ Py_ssize_t len, ++ const char *errors, ++ const char **first_invalid_escape) ++{ ++ int first_invalid_escape_char; ++ return _PyBytes_DecodeEscape2( ++ s, len, errors, ++ &first_invalid_escape_char, ++ first_invalid_escape); ++} ++ + PyObject *PyBytes_DecodeEscape(const char *s, + Py_ssize_t len, + const char *errors, + Py_ssize_t Py_UNUSED(unicode), + const char *Py_UNUSED(recode_encoding)) + { +- const char* first_invalid_escape; +- PyObject *result = _PyBytes_DecodeEscape(s, len, errors, +- &first_invalid_escape); ++ int first_invalid_escape_char; ++ const char *first_invalid_escape_ptr; ++ PyObject *result = _PyBytes_DecodeEscape2(s, len, errors, ++ &first_invalid_escape_char, ++ &first_invalid_escape_ptr); + if (result == NULL) + return NULL; +- if (first_invalid_escape != NULL) { +- unsigned char c = *first_invalid_escape; +- if ('4' <= c && c <= '7') { ++ if (first_invalid_escape_char != -1) { ++ if (first_invalid_escape_char > 0xff) { + if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, +- "invalid octal escape sequence '\\%.3s'", +- first_invalid_escape) < 0) ++ "invalid octal escape sequence '\\%o'", ++ first_invalid_escape_char) < 0) + { + Py_DECREF(result); + return NULL; +@@ -1187,7 +1205,7 @@ PyObject *PyBytes_DecodeEscape(const char *s, + else { + if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, + "invalid escape sequence '\\%c'", +- c) < 0) ++ first_invalid_escape_char) < 0) + { + Py_DECREF(result); + return NULL; +diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c +index 3e5b5d0..c6f6732 100644 +--- a/Objects/unicodeobject.c ++++ b/Objects/unicodeobject.c +@@ -6046,13 +6046,15 @@ PyUnicode_AsUTF16String(PyObject *unicode) + /* --- Unicode Escape Codec ----------------------------------------------- */ + + PyObject * +-_PyUnicode_DecodeUnicodeEscapeInternal(const char *s, ++_PyUnicode_DecodeUnicodeEscapeInternal2(const char *s, + Py_ssize_t size, + const char *errors, + Py_ssize_t 
*consumed, +- const char **first_invalid_escape) ++ int *first_invalid_escape_char, ++ const char **first_invalid_escape_ptr) + { + const char *starts = s; ++ const char *initial_starts = starts; + _PyUnicodeWriter writer; + const char *end; + PyObject *errorHandler = NULL; +@@ -6061,7 +6063,8 @@ _PyUnicode_DecodeUnicodeEscapeInternal(const char *s, + PyInterpreterState *interp = _PyInterpreterState_Get(); + + // so we can remember if we've seen an invalid escape char or not +- *first_invalid_escape = NULL; ++ *first_invalid_escape_char = -1; ++ *first_invalid_escape_ptr = NULL; + + if (size == 0) { + if (consumed) { +@@ -6149,9 +6152,12 @@ _PyUnicode_DecodeUnicodeEscapeInternal(const char *s, + } + } + if (ch > 0377) { +- if (*first_invalid_escape == NULL) { +- *first_invalid_escape = s-3; /* Back up 3 chars, since we've +- already incremented s. */ ++ if (*first_invalid_escape_char == -1) { ++ *first_invalid_escape_char = ch; ++ if (starts == initial_starts) { ++ /* Back up 3 chars, since we've already incremented s. */ ++ *first_invalid_escape_ptr = s - 3; ++ } + } + } + WRITE_CHAR(ch); +@@ -6252,9 +6258,12 @@ _PyUnicode_DecodeUnicodeEscapeInternal(const char *s, + goto error; + + default: +- if (*first_invalid_escape == NULL) { +- *first_invalid_escape = s-1; /* Back up one char, since we've +- already incremented s. */ ++ if (*first_invalid_escape_char == -1) { ++ *first_invalid_escape_char = c; ++ if (starts == initial_starts) { ++ /* Back up one char, since we've already incremented s. */ ++ *first_invalid_escape_ptr = s - 1; ++ } + } + WRITE_ASCII_CHAR('\\'); + WRITE_CHAR(c); +@@ -6293,24 +6302,40 @@ _PyUnicode_DecodeUnicodeEscapeInternal(const char *s, + return NULL; + } + ++// Export for binary compatibility. 
++PyObject * ++_PyUnicode_DecodeUnicodeEscapeInternal(const char *s, ++ Py_ssize_t size, ++ const char *errors, ++ Py_ssize_t *consumed, ++ const char **first_invalid_escape) ++{ ++ int first_invalid_escape_char; ++ return _PyUnicode_DecodeUnicodeEscapeInternal2( ++ s, size, errors, consumed, ++ &first_invalid_escape_char, ++ first_invalid_escape); ++} ++ + PyObject * + _PyUnicode_DecodeUnicodeEscapeStateful(const char *s, + Py_ssize_t size, + const char *errors, + Py_ssize_t *consumed) + { +- const char *first_invalid_escape; +- PyObject *result = _PyUnicode_DecodeUnicodeEscapeInternal(s, size, errors, ++ int first_invalid_escape_char; ++ const char *first_invalid_escape_ptr; ++ PyObject *result = _PyUnicode_DecodeUnicodeEscapeInternal2(s, size, errors, + consumed, +- &first_invalid_escape); ++ &first_invalid_escape_char, ++ &first_invalid_escape_ptr); + if (result == NULL) + return NULL; +- if (first_invalid_escape != NULL) { +- unsigned char c = *first_invalid_escape; +- if ('4' <= c && c <= '7') { ++ if (first_invalid_escape_char != -1) { ++ if (first_invalid_escape_char > 0xff) { + if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, +- "invalid octal escape sequence '\\%.3s'", +- first_invalid_escape) < 0) ++ "invalid octal escape sequence '\\%o'", ++ first_invalid_escape_char) < 0) + { + Py_DECREF(result); + return NULL; +@@ -6319,7 +6344,7 @@ _PyUnicode_DecodeUnicodeEscapeStateful(const char *s, + else { + if (PyErr_WarnFormat(PyExc_DeprecationWarning, 1, + "invalid escape sequence '\\%c'", +- c) < 0) ++ first_invalid_escape_char) < 0) + { + Py_DECREF(result); + return NULL; +diff --git a/Parser/string_parser.c b/Parser/string_parser.c +index 164f715..4875fae 100644 +--- a/Parser/string_parser.c ++++ b/Parser/string_parser.c +@@ -6,10 +6,12 @@ + #include "pegen.h" + #include "string_parser.h" + ++#include ++ + //// STRING HANDLING FUNCTIONS //// + + static int +-warn_invalid_escape_sequence(Parser *p, const char *first_invalid_escape, Token *t) 
++warn_invalid_escape_sequence(Parser *p, const char* buffer, const char *first_invalid_escape, Token *t) + { + if (p->call_invalid_rules) { + // Do not report warnings if we are in the second pass of the parser +@@ -37,6 +39,40 @@ warn_invalid_escape_sequence(Parser *p, const char *first_invalid_escape, Token + } + else { + category = PyExc_DeprecationWarning; ++ } ++ // Calculate the lineno and the col_offset of the invalid escape sequence ++ const char *start = buffer; ++ const char *end = first_invalid_escape; ++ int lineno = t->lineno; ++ int col_offset = t->col_offset; ++ while (start < end) { ++ if (*start == '\n') { ++ lineno++; ++ col_offset = 0; ++ } ++ else { ++ col_offset++; ++ } ++ start++; ++ } ++ // Count the number of quotes in the token ++ char first_quote = 0; ++ if (lineno == t->lineno) { ++ int quote_count = 0; ++ char* tok = PyBytes_AsString(t->bytes); ++ for (int i = 0; i < PyBytes_Size(t->bytes); i++) { ++ if (tok[i] == '\'' || tok[i] == '\"') { ++ if (quote_count == 0) { ++ first_quote = tok[i]; ++ } ++ if (tok[i] == first_quote) { ++ quote_count++; ++ } ++ } else { ++ break; ++ } ++ } ++ col_offset += quote_count; + } + if (PyErr_WarnExplicitObject(category, msg, p->tok->filename, + t->lineno, NULL, NULL) < 0) { +@@ -142,15 +178,18 @@ decode_unicode_with_escapes(Parser *parser, const char *s, size_t len, Token *t) + len = p - buf; + s = buf; + +- const char *first_invalid_escape; +- v = _PyUnicode_DecodeUnicodeEscapeInternal(s, len, NULL, NULL, &first_invalid_escape); ++ int first_invalid_escape_char; ++ const char *first_invalid_escape_ptr; ++ v = _PyUnicode_DecodeUnicodeEscapeInternal2(s, (Py_ssize_t)len, NULL, NULL, ++ &first_invalid_escape_char, ++ &first_invalid_escape_ptr); + + // HACK: later we can simply pass the line no, since we don't preserve the tokens + // when we are decoding the string but we preserve the line numbers. 
+- if (v != NULL && first_invalid_escape != NULL && t != NULL) { +- if (warn_invalid_escape_sequence(parser, first_invalid_escape, t) < 0) { +- /* We have not decref u before because first_invalid_escape points +- inside u. */ ++ if (v != NULL && first_invalid_escape_ptr != NULL && t != NULL) { ++ if (warn_invalid_escape_sequence(parser, s, first_invalid_escape_ptr, t) < 0) { ++ /* We have not decref u before because first_invalid_escape_ptr ++ points inside u. */ + Py_XDECREF(u); + Py_DECREF(v); + return NULL; +@@ -163,14 +202,17 @@ decode_unicode_with_escapes(Parser *parser, const char *s, size_t len, Token *t) + static PyObject * + decode_bytes_with_escapes(Parser *p, const char *s, Py_ssize_t len, Token *t) + { +- const char *first_invalid_escape; +- PyObject *result = _PyBytes_DecodeEscape(s, len, NULL, &first_invalid_escape); ++ int first_invalid_escape_char; ++ const char *first_invalid_escape_ptr; ++ PyObject *result = _PyBytes_DecodeEscape2(s, len, NULL, ++ &first_invalid_escape_char, ++ &first_invalid_escape_ptr); + if (result == NULL) { + return NULL; + } + +- if (first_invalid_escape != NULL) { +- if (warn_invalid_escape_sequence(p, first_invalid_escape, t) < 0) { ++ if (first_invalid_escape_ptr != NULL) { ++ if (warn_invalid_escape_sequence(p, s, first_invalid_escape_ptr, t) < 0) { + Py_DECREF(result); + return NULL; + } +-- +2.45.2 + diff --git a/SPECS/python3/CVE-2025-4517.patch b/SPECS/python3/CVE-2025-4517.patch new file mode 100644 index 0000000000..6a2f1aa8d3 --- /dev/null +++ b/SPECS/python3/CVE-2025-4517.patch 
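Review bot: In the `Parser/string_parser.c` part of this patch, the block added to `warn_invalid_escape_sequence` computes `lineno` and `col_offset`, but nothing in the hunk uses them. It walks from `buffer` to `first_invalid_escape`, while the unchanged call right after it still passes `t->lineno` to `PyErr_WarnExplicitObject`. The function continues past the hunk, so the values may be read on the error path; if they are not, either pass `lineno` in that call or drop the block and the new `buffer` parameter, since the use-after-free fix does not need this extra pointer walk. In the same block, `char* tok = PyBytes_AsString(t->bytes);` is indexed without a NULL check, and the loop compares an `int` index against `PyBytes_Size`, which returns `Py_ssize_t`; a NULL guard on `tok` and `Py_ssize_t i` would cover both.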
@@ -0,0 +1,1937 @@
+From de671c2e35e383dc483fdfa639856d88a722ee44 Mon Sep 17 00:00:00 2001
+From: jykanase
+Date: Mon, 9 Jun 2025 08:45:52 +0000
+Subject: [PATCH] CVE-2025-4517
+
+Upstream Reference Patch: https://github.com/python/cpython/commit/19de092debb3d7e832e5672cc2f7b788d35951da
+---
+ Doc/library/os.path.rst | 33 +-
+ Doc/library/tarfile.rst | 20 ++
+ Doc/whatsnew/3.12.rst | 34 ++
+ Lib/genericpath.py | 11 +-
+ Lib/ntpath.py | 37 ++-
+ Lib/posixpath.py | 15 +-
+ Lib/tarfile.py | 161 +++++++--
+ Lib/test/test_ntpath.py | 284 ++++++++++++++--
+ Lib/test/test_posixpath.py | 289 +++++++++++++---
+ Lib/test/test_tarfile.py | 313 ++++++++++++++++--
+ ...-06-02-11-32-23.gh-issue-135034.RLGjbp.rst | 6 +
+ 11 files changed, 1064 insertions(+), 139 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2025-06-02-11-32-23.gh-issue-135034.RLGjbp.rst
+
+diff --git a/Doc/library/os.path.rst b/Doc/library/os.path.rst
+index 51e8908..f5e684f 100644
+--- a/Doc/library/os.path.rst
++++ b/Doc/library/os.path.rst
+@@ -377,10 +377,26 @@ the :mod:`glob` module.)
+ links encountered in the path (if they are supported by the operating
+ system).
+
+- If a path doesn't exist or a symlink loop is encountered, and *strict* is
+- ``True``, :exc:`OSError` is raised. If *strict* is ``False``, the path is
+- resolved as far as possible and any remainder is appended without checking
+- whether it exists.
++ By default, the path is evaluated up to the first component that does not
++ exist, is a symlink loop, or whose evaluation raises :exc:`OSError`.
++ All such components are appended unchanged to the existing part of the path.
++
++ Some errors that are handled this way include "access denied", "not a
++ directory", or "bad argument to internal function". Thus, the
++ resulting path may be missing or inaccessible, may still contain
++ links or loops, and may traverse non-directories.
++
++ This behavior can be modified by keyword arguments:
++
++ If *strict* is ``True``, the first error encountered when evaluating the path is
++ re-raised.
++ In particular, :exc:`FileNotFoundError` is raised if *path* does not exist,
++ or another :exc:`OSError` if it is otherwise inaccessible.
++
++ If *strict* is :py:data:`os.path.ALLOW_MISSING`, errors other than
++ :exc:`FileNotFoundError` are re-raised (as with ``strict=True``).
++ Thus, the returned path will not contain any symbolic links, but the named
++ file and some of its parent directories may be missing.
+
+ .. note::
+ This function emulates the operating system's procedure for making a path
+@@ -399,6 +415,15 @@ the :mod:`glob` module.)
+ .. versionchanged:: 3.10
+ The *strict* parameter was added.
+
++ .. versionchanged:: next
++ The :py:data:`~os.path.ALLOW_MISSING` value for the *strict* parameter
++ was added.
++
++.. data:: ALLOW_MISSING
++
++ Special value used for the *strict* argument in :func:`realpath`.
++
++ .. versionadded:: next
+
+ .. function:: relpath(path, start=os.curdir)
+
+diff --git a/Doc/library/tarfile.rst b/Doc/library/tarfile.rst
+index 0352cdd..a2403b7 100644
+--- a/Doc/library/tarfile.rst
++++ b/Doc/library/tarfile.rst
+@@ -249,6 +249,15 @@ The :mod:`tarfile` module defines the following exceptions:
+ Raised to refuse extracting a symbolic link pointing outside the destination
+ directory.
+
++.. exception:: LinkFallbackError
++
++ Raised to refuse emulating a link (hard or symbolic) by extracting another
++ archive member, when that member would be rejected by the filter location.
++ The exception that was raised to reject the replacement member is available
++ as :attr:`!BaseException.__context__`.
++
++ .. versionadded:: next
++
+
+ The following constants are available at the module level:
+
+@@ -1039,6 +1048,12 @@ reused in custom filters:
+ Implements the ``'data'`` filter.
+ In addition to what ``tar_filter`` does:
+
++ - Normalize link targets (:attr:`TarInfo.linkname`) using
++ :func:`os.path.normpath`.
++ Note that this removes internal ``..`` components, which may change the
++ meaning of the link if the path in :attr:`!TarInfo.linkname` traverses
++ symbolic links.
++
+ - :ref:`Refuse ` to extract links (hard or soft)
+ that link to absolute paths, or ones that link outside the destination.
+
+@@ -1067,6 +1082,10 @@ reused in custom filters:
+
+ Return the modified ``TarInfo`` member.
+
++ .. versionchanged:: next
++
++ Link targets are now normalized.
++
+
+ .. _tarfile-extraction-refuse:
+
+@@ -1093,6 +1112,7 @@ Here is an incomplete list of things to consider:
+ * Extract to a :func:`new temporary directory `
+ to prevent e.g. exploiting pre-existing links, and to make it easier to
+ clean up after a failed extraction.
++* Disallow symbolic links if you do not need the functionality.
+ * When working with untrusted data, use external (e.g. OS-level) limits on
+ disk, memory and CPU usage.
+ * Check filenames against an allow-list of characters
+diff --git a/Doc/whatsnew/3.12.rst b/Doc/whatsnew/3.12.rst
+index add932b..605ea0b 100644
+--- a/Doc/whatsnew/3.12.rst
++++ b/Doc/whatsnew/3.12.rst
+@@ -2312,3 +2312,37 @@ sys
+ * The previously undocumented special function :func:`sys.getobjects`,
+ which only exists in specialized builds of Python, may now return objects
+ from other interpreters than the one it's called in.
++
++
++Notable changes in 3.12.10
++==========================
++
++os.path
++-------
++
++* The *strict* parameter to :func:`os.path.realpath` accepts a new value,
++ :data:`os.path.ALLOW_MISSING`.
++ If used, errors other than :exc:`FileNotFoundError` will be re-raised;
++ the resulting path can be missing but it will be free of symlinks.
++ (Contributed by Petr Viktorin for :cve:`2025-4517`.)
++
++tarfile
++-------
++
++* :func:`~tarfile.data_filter` now normalizes symbolic link targets in order to
++ avoid path traversal attacks.
++ (Contributed by Petr Viktorin in :gh:`127987` and :cve:`2025-4138`.)
++* :func:`~tarfile.TarFile.extractall` now skips fixing up directory attributes
++ when a directory was removed or replaced by another kind of file.
++ (Contributed by Petr Viktorin in :gh:`127987` and :cve:`2024-12718`.)
++* :func:`~tarfile.TarFile.extract` and :func:`~tarfile.TarFile.extractall`
++ now (re-)apply the extraction filter when substituting a link (hard or
++ symbolic) with a copy of another archive member, and when fixing up
++ directory attributes.
++ The former raises a new exception, :exc:`~tarfile.LinkFallbackError`.
++ (Contributed by Petr Viktorin for :cve:`2025-4330` and :cve:`2024-12718`.)
++* :func:`~tarfile.TarFile.extract` and :func:`~tarfile.TarFile.extractall`
++ no longer extract rejected members when
++ :func:`~tarfile.TarFile.errorlevel` is zero.
++ (Contributed by Matt Prodani and Petr Viktorin in :gh:`112887`
++ and :cve:`2025-4435`.)
+diff --git a/Lib/genericpath.py b/Lib/genericpath.py
+index 1bd5b38..233f7a3 100644
+--- a/Lib/genericpath.py
++++ b/Lib/genericpath.py
+@@ -8,7 +8,7 @@ import stat
+
+ __all__ = ['commonprefix', 'exists', 'getatime', 'getctime', 'getmtime',
+ 'getsize', 'isdir', 'isfile', 'islink', 'samefile', 'sameopenfile',
+- 'samestat']
++ 'samestat', 'ALLOW_MISSING']
+
+
+ # Does a path exist?
+@@ -165,3 +165,12 @@ def _check_arg_types(funcname, *args):
+ f'os.PathLike object, not {s.__class__.__name__!r}') from None
+ if hasstr and hasbytes:
+ raise TypeError("Can't mix strings and bytes in path components") from None
++
+# A singleton with a true boolean value.
++@object.__new__ ++class ALLOW_MISSING: ++ """Special value for use in realpath().""" ++ def __repr__(self): ++ return 'os.path.ALLOW_MISSING' ++ def __reduce__(self): ++ return self.__class__.__name__ +diff --git a/Lib/ntpath.py b/Lib/ntpath.py +index c05e965..1bef630 100644 +--- a/Lib/ntpath.py ++++ b/Lib/ntpath.py +@@ -30,7 +30,8 @@ __all__ = ["normcase","isabs","join","splitdrive","splitroot","split","splitext" + "ismount", "expanduser","expandvars","normpath","abspath", + "curdir","pardir","sep","pathsep","defpath","altsep", + "extsep","devnull","realpath","supports_unicode_filenames","relpath", +- "samefile", "sameopenfile", "samestat", "commonpath", "isjunction"] ++ "samefile", "sameopenfile", "samestat", "commonpath", "isjunction", ++ "ALLOW_MISSING"] + + def _get_bothseps(path): + if isinstance(path, bytes): +@@ -609,9 +610,10 @@ try: + from nt import _getfinalpathname, readlink as _nt_readlink + except ImportError: + # realpath is a no-op on systems without _getfinalpathname support. +- realpath = abspath ++ def realpath(path, *, strict=False): ++ return abspath(path) + else: +- def _readlink_deep(path): ++ def _readlink_deep(path, ignored_error=OSError): + # These error codes indicate that we should stop reading links and + # return the path we currently have. + # 1: ERROR_INVALID_FUNCTION +@@ -644,7 +646,7 @@ else: + path = old_path + break + path = normpath(join(dirname(old_path), path)) +- except OSError as ex: ++ except ignored_error as ex: + if ex.winerror in allowed_winerror: + break + raise +@@ -653,7 +655,7 @@ else: + break + return path + +- def _getfinalpathname_nonstrict(path): ++ def _getfinalpathname_nonstrict(path, ignored_error=OSError): + # These error codes indicate that we should stop resolving the path + # and return the value we currently have. 
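Review bot: The comment `# A singleton with a true boolean value.` on `ALLOW_MISSING` does not say why the truthiness matters. The realpath changes in this same patch test `strict is ALLOW_MISSING` before `elif strict:`, and the ValueError branch in ntpath relies on a plain `if strict:`, so any code that checks only truthiness treats the sentinel like `strict=True`. I would extend the comment to something like `# Truthy so that code testing only "if strict:" treats it like strict=True; use "is" to detect it.`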
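Review bot: The fallback `def realpath(path, *, strict=False): return abspath(path)` in the `except ImportError` branch of ntpath.py accepts `strict` but never reads it, so `strict=True` and `strict=ALLOW_MISSING` return without raising and without resolving any link. tarfile's filter in this patch calls `os.path.realpath(..., strict=os.path.ALLOW_MISSING)` and compares the result with `dest_path` for its containment check, so on a build that takes this branch the link-free guarantee described in the docs would not hold. At minimum the comment above it should say so, for example `# strict is accepted for signature compatibility only; nothing is resolved or checked here.`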
+ # 1: ERROR_INVALID_FUNCTION +@@ -680,17 +682,18 @@ else: + try: + path = _getfinalpathname(path) + return join(path, tail) if tail else path +- except OSError as ex: ++ except ignored_error as ex: + if ex.winerror not in allowed_winerror: + raise + try: + # The OS could not resolve this path fully, so we attempt + # to follow the link ourselves. If we succeed, join the tail + # and return. +- new_path = _readlink_deep(path) ++ new_path = _readlink_deep(path, ++ ignored_error=ignored_error) + if new_path != path: + return join(new_path, tail) if tail else new_path +- except OSError: ++ except ignored_error: + # If we fail to readlink(), let's keep traversing + pass + path, name = split(path) +@@ -721,6 +724,15 @@ else: + if normcase(path) == normcase(devnull): + return '\\\\.\\NUL' + had_prefix = path.startswith(prefix) ++ ++ if strict is ALLOW_MISSING: ++ ignored_error = FileNotFoundError ++ strict = True ++ elif strict: ++ ignored_error = () ++ else: ++ ignored_error = OSError ++ + if not had_prefix and not isabs(path): + path = join(cwd, path) + try: +@@ -728,17 +740,16 @@ else: + initial_winerror = 0 + except ValueError as ex: + # gh-106242: Raised for embedded null characters +- # In strict mode, we convert into an OSError. ++ # In strict modes, we convert into an OSError. + # Non-strict mode returns the path as-is, since we've already + # made it absolute. + if strict: + raise OSError(str(ex)) from None + path = normpath(path) +- except OSError as ex: +- if strict: +- raise ++ except ignored_error as ex: + initial_winerror = ex.winerror +- path = _getfinalpathname_nonstrict(path) ++ path = _getfinalpathname_nonstrict(path, ++ ignored_error=ignored_error) + # The path returned by _getfinalpathname will always start with \\?\ - + # strip off that prefix unless it was already provided on the original + # path. 
+diff --git a/Lib/posixpath.py b/Lib/posixpath.py +index f1e4237..90a6f54 100644 +--- a/Lib/posixpath.py ++++ b/Lib/posixpath.py +@@ -35,7 +35,7 @@ __all__ = ["normcase","isabs","join","splitdrive","splitroot","split","splitext" + "samefile","sameopenfile","samestat", + "curdir","pardir","sep","pathsep","defpath","altsep","extsep", + "devnull","realpath","supports_unicode_filenames","relpath", +- "commonpath", "isjunction"] ++ "commonpath", "isjunction", "ALLOW_MISSING"] + + + def _get_sep(path): +@@ -438,6 +438,15 @@ def _joinrealpath(path, rest, strict, seen): + sep = '/' + curdir = '.' + pardir = '..' ++ getcwd = os.getcwd ++ if strict is ALLOW_MISSING: ++ ignored_error = FileNotFoundError ++ elif strict: ++ ignored_error = () ++ else: ++ ignored_error = OSError ++ ++ maxlinks = None + + if isabs(rest): + rest = rest[1:] +@@ -460,9 +469,7 @@ def _joinrealpath(path, rest, strict, seen): + newpath = join(path, name) + try: + st = os.lstat(newpath) +- except OSError: +- if strict: +- raise ++ except ignored_error: + is_link = False + else: + is_link = stat.S_ISLNK(st.st_mode) +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 0a0f31e..9999a99 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -752,10 +752,22 @@ class LinkOutsideDestinationError(FilterError): + super().__init__(f'{tarinfo.name!r} would link to {path!r}, ' + + 'which is outside the destination') + ++class LinkFallbackError(FilterError): ++ def __init__(self, tarinfo, path): ++ self.tarinfo = tarinfo ++ self._path = path ++ super().__init__(f'link {tarinfo.name!r} would be extracted as a ' ++ + f'copy of {path!r}, which was rejected') ++ ++# Errors caused by filters -- both "fatal" and "non-fatal" -- that ++# we consider to be issues with the argument, rather than a bug in the ++# filter function ++_FILTER_ERRORS = (FilterError, OSError, ExtractError) ++ + def _get_filtered_attrs(member, dest_path, for_data=True): + new_attrs = {} + name = member.name +- dest_path = os.path.realpath(dest_path) 
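Review bot: In the `_joinrealpath` hunk of posixpath.py, `getcwd = os.getcwd` and `maxlinks = None` are assigned but nothing in the visible hunks of that file reads them, and `getcwd` is bound only on the str branch. They look like leftovers from another version of the function. The body of `_joinrealpath` continues outside the hunk, so this needs checking there; if they are unused, dropping both lines keeps the backport minimal, and if they are kept to stay identical to the upstream patch, a short comment saying so would help the next person rebasing it.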
++ dest_path = os.path.realpath(dest_path, strict=os.path.ALLOW_MISSING) + # Strip leading / (tar's directory separator) from filenames. + # Include os.sep (target OS directory separator) as well. + if name.startswith(('/', os.sep)): +@@ -765,7 +777,8 @@ def _get_filtered_attrs(member, dest_path, for_data=True): + # For example, 'C:/foo' on Windows. + raise AbsolutePathError(member) + # Ensure we stay in the destination +- target_path = os.path.realpath(os.path.join(dest_path, name)) ++ target_path = os.path.realpath(os.path.join(dest_path, name), ++ strict=os.path.ALLOW_MISSING) + if os.path.commonpath([target_path, dest_path]) != dest_path: + raise OutsideDestinationError(member, target_path) + # Limit permissions (no high bits, and go-w) +@@ -803,6 +816,9 @@ def _get_filtered_attrs(member, dest_path, for_data=True): + if member.islnk() or member.issym(): + if os.path.isabs(member.linkname): + raise AbsoluteLinkError(member) ++ normalized = os.path.normpath(member.linkname) ++ if normalized != member.linkname: ++ new_attrs['linkname'] = normalized + if member.issym(): + target_path = os.path.join(dest_path, + os.path.dirname(name), +@@ -810,7 +826,8 @@ def _get_filtered_attrs(member, dest_path, for_data=True): + else: + target_path = os.path.join(dest_path, + member.linkname) +- target_path = os.path.realpath(target_path) ++ target_path = os.path.realpath(target_path, ++ strict=os.path.ALLOW_MISSING) + if os.path.commonpath([target_path, dest_path]) != dest_path: + raise LinkOutsideDestinationError(member, target_path) + return new_attrs +@@ -2291,30 +2308,58 @@ class TarFile(object): + members = self + + for member in members: +- tarinfo = self._get_extract_tarinfo(member, filter_function, path) ++ tarinfo, unfiltered = self._get_extract_tarinfo( ++ member, filter_function, path) + if tarinfo is None: + continue + if tarinfo.isdir(): + # For directories, delay setting attributes until later, + # since permissions can interfere with extraction and + # extracting 
contents can reset mtime. +- directories.append(tarinfo) ++ directories.append(unfiltered) + self._extract_one(tarinfo, path, set_attrs=not tarinfo.isdir(), +- numeric_owner=numeric_owner) ++ numeric_owner=numeric_owner, ++ filter_function=filter_function) + + # Reverse sort directories. + directories.sort(key=lambda a: a.name, reverse=True) + ++ + # Set correct owner, mtime and filemode on directories. +- for tarinfo in directories: +- dirpath = os.path.join(path, tarinfo.name) ++ for unfiltered in directories: + try: ++ # Need to re-apply any filter, to take the *current* filesystem ++ # state into account. ++ try: ++ tarinfo = filter_function(unfiltered, path) ++ except _FILTER_ERRORS as exc: ++ self._log_no_directory_fixup(unfiltered, repr(exc)) ++ continue ++ if tarinfo is None: ++ self._log_no_directory_fixup(unfiltered, ++ 'excluded by filter') ++ continue ++ dirpath = os.path.join(path, tarinfo.name) ++ try: ++ lstat = os.lstat(dirpath) ++ except FileNotFoundError: ++ self._log_no_directory_fixup(tarinfo, 'missing') ++ continue ++ if not stat.S_ISDIR(lstat.st_mode): ++ # This is no longer a directory; presumably a later ++ # member overwrote the entry. ++ self._log_no_directory_fixup(tarinfo, 'not a directory') ++ continue + self.chown(tarinfo, dirpath, numeric_owner=numeric_owner) + self.utime(tarinfo, dirpath) + self.chmod(tarinfo, dirpath) + except ExtractError as e: + self._handle_nonfatal_error(e) + ++ def _log_no_directory_fixup(self, member, reason): ++ self._dbg(2, "tarfile: Not fixing up directory %r (%s)" % ++ (member.name, reason)) ++ + def extract(self, member, path="", set_attrs=True, *, numeric_owner=False, + filter=None): + """Extract a member from the archive to the current working directory, +@@ -2330,41 +2375,56 @@ class TarFile(object): + String names of common filters are accepted. 
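Review bot: In the directory fix-up loop of `extractall`, the `os.lstat(dirpath)` check and the following `self.chown`, `self.utime` and `self.chmod` calls are separate path-based operations, so the check covers entries replaced by later members of the same archive but not a destination that something else modifies in between. A comment above the `lstat` would keep readers from assuming a stronger guarantee, for example `# Not atomic: guards against entries replaced during this extraction, not against concurrent writers to the destination.` Note also that a filter rejection at this stage is reported only through `_log_no_directory_fixup` at debug level 2, whatever `errorlevel` is set to.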
+ """ + filter_function = self._get_filter_function(filter) +- tarinfo = self._get_extract_tarinfo(member, filter_function, path) ++ tarinfo, unfiltered = self._get_extract_tarinfo( ++ member, filter_function, path) + if tarinfo is not None: + self._extract_one(tarinfo, path, set_attrs, numeric_owner) + + def _get_extract_tarinfo(self, member, filter_function, path): +- """Get filtered TarInfo (or None) from member, which might be a str""" ++ """Get (filtered, unfiltered) TarInfos from *member* ++ ++ *member* might be a string. ++ ++ Return (None, None) if not found. ++ """ ++ + if isinstance(member, str): +- tarinfo = self.getmember(member) ++ unfiltered = self.getmember(member) + else: +- tarinfo = member ++ unfiltered = member + +- unfiltered = tarinfo ++ filtered = None + try: +- tarinfo = filter_function(tarinfo, path) ++ filtered = filter_function(unfiltered, path) + except (OSError, FilterError) as e: + self._handle_fatal_error(e) + except ExtractError as e: + self._handle_nonfatal_error(e) +- if tarinfo is None: ++ if filtered is None: + self._dbg(2, "tarfile: Excluded %r" % unfiltered.name) +- return None ++ return None, None ++ + # Prepare the link target for makelink(). +- if tarinfo.islnk(): +- tarinfo = copy.copy(tarinfo) +- tarinfo._link_target = os.path.join(path, tarinfo.linkname) +- return tarinfo ++ if filtered.islnk(): ++ filtered = copy.copy(filtered) ++ filtered._link_target = os.path.join(path, filtered.linkname) ++ return filtered, unfiltered + +- def _extract_one(self, tarinfo, path, set_attrs, numeric_owner): +- """Extract from filtered tarinfo to disk""" ++ def _extract_one(self, tarinfo, path, set_attrs, numeric_owner, ++ filter_function=None): ++ """Extract from filtered tarinfo to disk. ++ ++ filter_function is only used when extracting a *different* ++ member (e.g. 
as fallback to creating a symlink) ++ """ + self._check("r") + + try: + self._extract_member(tarinfo, os.path.join(path, tarinfo.name), + set_attrs=set_attrs, +- numeric_owner=numeric_owner) ++ numeric_owner=numeric_owner, ++ filter_function=filter_function, ++ extraction_root=path) + except OSError as e: + self._handle_fatal_error(e) + except ExtractError as e: +@@ -2422,9 +2482,13 @@ class TarFile(object): + return None + + def _extract_member(self, tarinfo, targetpath, set_attrs=True, +- numeric_owner=False): +- """Extract the TarInfo object tarinfo to a physical ++ numeric_owner=False, *, filter_function=None, ++ extraction_root=None): ++ """Extract the filtered TarInfo object tarinfo to a physical + file called targetpath. ++ ++ filter_function is only used when extracting a *different* ++ member (e.g. as fallback to creating a symlink) + """ + # Fetch the TarInfo object for the given name + # and build the destination pathname, replacing +@@ -2453,7 +2517,10 @@ class TarFile(object): + elif tarinfo.ischr() or tarinfo.isblk(): + self.makedev(tarinfo, targetpath) + elif tarinfo.islnk() or tarinfo.issym(): +- self.makelink(tarinfo, targetpath) ++ self.makelink_with_filter( ++ tarinfo, targetpath, ++ filter_function=filter_function, ++ extraction_root=extraction_root) + elif tarinfo.type not in SUPPORTED_TYPES: + self.makeunknown(tarinfo, targetpath) + else: +@@ -2536,10 +2603,18 @@ class TarFile(object): + os.makedev(tarinfo.devmajor, tarinfo.devminor)) + + def makelink(self, tarinfo, targetpath): ++ return self.makelink_with_filter(tarinfo, targetpath, None, None) ++ ++ def makelink_with_filter(self, tarinfo, targetpath, ++ filter_function, extraction_root): + """Make a (symbolic) link called targetpath. If it cannot be created + (platform limitation), we try to make a copy of the referenced file + instead of a link. ++ ++ filter_function is only used when extracting a *different* ++ member (e.g. as fallback to creating a link). 
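Review bot: `extract()` still calls `self._extract_one(tarinfo, path, set_attrs, numeric_owner)` without `filter_function`, while `extractall()` in the previous hunk passes `filter_function=filter_function`. `_extract_one` defaults the argument to `None`, and `makelink_with_filter` later in this patch then takes the `filtered = unfiltered` path, so on the single-member path a link that falls back to copying another member would be written without the filter being re-applied. If that is not intended, the call should read `self._extract_one(tarinfo, path, set_attrs, numeric_owner, filter_function=filter_function)`. The new docstring of `_get_extract_tarinfo` also says `(None, None)` means "not found", although the code returns it when the filter excludes or rejects the member.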
+ """ ++ keyerror_to_extracterror = False + try: + # For systems that support symbolic and hard links. + if tarinfo.issym(): +@@ -2547,18 +2622,38 @@ class TarFile(object): + # Avoid FileExistsError on following os.symlink. + os.unlink(targetpath) + os.symlink(tarinfo.linkname, targetpath) ++ return + else: + if os.path.exists(tarinfo._link_target): + os.link(tarinfo._link_target, targetpath) +- else: +- self._extract_member(self._find_link_target(tarinfo), +- targetpath) ++ return + except symlink_exception: ++ keyerror_to_extracterror = True ++ ++ try: ++ unfiltered = self._find_link_target(tarinfo) ++ except KeyError: ++ if keyerror_to_extracterror: ++ raise ExtractError( ++ "unable to resolve link inside archive") from None ++ else: ++ raise ++ ++ if filter_function is None: ++ filtered = unfiltered ++ else: ++ if extraction_root is None: ++ raise ExtractError( ++ "makelink_with_filter: if filter_function is not None, " ++ + "extraction_root must also not be None") + try: +- self._extract_member(self._find_link_target(tarinfo), +- targetpath) +- except KeyError: +- raise ExtractError("unable to resolve link inside archive") from None ++ filtered = filter_function(unfiltered, extraction_root) ++ except _FILTER_ERRORS as cause: ++ raise LinkFallbackError(tarinfo, unfiltered.name) from cause ++ if filtered is not None: ++ self._extract_member(filtered, targetpath, ++ filter_function=filter_function, ++ extraction_root=extraction_root) + + def chown(self, tarinfo, targetpath, numeric_owner): + """Set owner of targetpath according to tarinfo. 
If numeric_owner +diff --git a/Lib/test/test_ntpath.py b/Lib/test/test_ntpath.py +index 4924db9..93d7011 100644 +--- a/Lib/test/test_ntpath.py ++++ b/Lib/test/test_ntpath.py +@@ -2,9 +2,11 @@ import inspect + import ntpath + import os + import string ++import subprocess + import sys + import unittest + import warnings ++from ntpath import ALLOW_MISSING + from test.support import cpython_only, os_helper + from test.support import TestFailed, is_emscripten + from test.support.os_helper import FakePath +@@ -76,6 +78,27 @@ def tester(fn, wantResult): + %(str(fn), str(wantResult), repr(gotResult))) + + ++def _parameterize(*parameters): ++ """Simplistic decorator to parametrize a test ++ ++ Runs the decorated test multiple times in subTest, with a value from ++ 'parameters' passed as an extra positional argument. ++ Calls doCleanups() after each run. ++ ++ Not for general use. Intended to avoid indenting for easier backports. ++ ++ See https://discuss.python.org/t/91827 for discussing generalizations. 
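Review bot: When the re-applied filter returns `None` for the fallback target, `makelink_with_filter` skips the member without any trace, whereas `_get_extract_tarinfo` logs `"tarfile: Excluded %r"` in the same situation. Adding `else: self._dbg(2, "tarfile: Excluded %r" % unfiltered.name)` after the `if filtered is not None:` block would make the skip visible when debugging an extraction. The guard for a missing `extraction_root` raises `ExtractError`, which `_extract_one` routes to `_handle_nonfatal_error`, so a caller bug there can pass unnoticed at low `errorlevel`.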
++ """ ++ def _parametrize_decorator(func): ++ def _parameterized(self, *args, **kwargs): ++ for parameter in parameters: ++ with self.subTest(parameter): ++ func(self, *args, parameter, **kwargs) ++ self.doCleanups() ++ return _parameterized ++ return _parametrize_decorator ++ ++ + class NtpathTestCase(unittest.TestCase): + def assertPathEqual(self, path1, path2): + if path1 == path2 or _norm(path1) == _norm(path2): +@@ -363,6 +386,27 @@ class TestNtpath(NtpathTestCase): + tester("ntpath.realpath('.\\.')", expected) + tester("ntpath.realpath('\\'.join(['.'] * 100))", expected) + ++ def test_realpath_curdir_strict(self): ++ expected = ntpath.normpath(os.getcwd()) ++ tester("ntpath.realpath('.', strict=True)", expected) ++ tester("ntpath.realpath('./.', strict=True)", expected) ++ tester("ntpath.realpath('/'.join(['.'] * 100), strict=True)", expected) ++ tester("ntpath.realpath('.\\.', strict=True)", expected) ++ tester("ntpath.realpath('\\'.join(['.'] * 100), strict=True)", expected) ++ ++ def test_realpath_curdir_missing_ok(self): ++ expected = ntpath.normpath(os.getcwd()) ++ tester("ntpath.realpath('.', strict=ALLOW_MISSING)", ++ expected) ++ tester("ntpath.realpath('./.', strict=ALLOW_MISSING)", ++ expected) ++ tester("ntpath.realpath('/'.join(['.'] * 100), strict=ALLOW_MISSING)", ++ expected) ++ tester("ntpath.realpath('.\\.', strict=ALLOW_MISSING)", ++ expected) ++ tester("ntpath.realpath('\\'.join(['.'] * 100), strict=ALLOW_MISSING)", ++ expected) ++ + def test_realpath_pardir(self): + expected = ntpath.normpath(os.getcwd()) + tester("ntpath.realpath('..')", ntpath.dirname(expected)) +@@ -375,28 +419,59 @@ class TestNtpath(NtpathTestCase): + tester("ntpath.realpath('\\'.join(['..'] * 50))", + ntpath.splitdrive(expected)[0] + '\\') + ++ def test_realpath_pardir_strict(self): ++ expected = ntpath.normpath(os.getcwd()) ++ tester("ntpath.realpath('..', strict=True)", ntpath.dirname(expected)) ++ tester("ntpath.realpath('../..', strict=True)", ++ 
ntpath.dirname(ntpath.dirname(expected))) ++ tester("ntpath.realpath('/'.join(['..'] * 50), strict=True)", ++ ntpath.splitdrive(expected)[0] + '\\') ++ tester("ntpath.realpath('..\\..', strict=True)", ++ ntpath.dirname(ntpath.dirname(expected))) ++ tester("ntpath.realpath('\\'.join(['..'] * 50), strict=True)", ++ ntpath.splitdrive(expected)[0] + '\\') ++ ++ def test_realpath_pardir_missing_ok(self): ++ expected = ntpath.normpath(os.getcwd()) ++ tester("ntpath.realpath('..', strict=ALLOW_MISSING)", ++ ntpath.dirname(expected)) ++ tester("ntpath.realpath('../..', strict=ALLOW_MISSING)", ++ ntpath.dirname(ntpath.dirname(expected))) ++ tester("ntpath.realpath('/'.join(['..'] * 50), strict=ALLOW_MISSING)", ++ ntpath.splitdrive(expected)[0] + '\\') ++ tester("ntpath.realpath('..\\..', strict=ALLOW_MISSING)", ++ ntpath.dirname(ntpath.dirname(expected))) ++ tester("ntpath.realpath('\\'.join(['..'] * 50), strict=ALLOW_MISSING)", ++ ntpath.splitdrive(expected)[0] + '\\') ++ + @os_helper.skip_unless_symlink + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') +- def test_realpath_basic(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_basic(self, kwargs): + ABSTFN = ntpath.abspath(os_helper.TESTFN) + open(ABSTFN, "wb").close() + self.addCleanup(os_helper.unlink, ABSTFN) + self.addCleanup(os_helper.unlink, ABSTFN + "1") + + os.symlink(ABSTFN, ABSTFN + "1") +- self.assertPathEqual(ntpath.realpath(ABSTFN + "1"), ABSTFN) +- self.assertPathEqual(ntpath.realpath(os.fsencode(ABSTFN + "1")), ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "1", **kwargs), ABSTFN) ++ self.assertPathEqual(ntpath.realpath(os.fsencode(ABSTFN + "1"), **kwargs), + os.fsencode(ABSTFN)) + + # gh-88013: call ntpath.realpath with binary drive name may raise a + # TypeError. The drive should not exist to reproduce the bug. 
+ drives = {f"{c}:\\" for c in string.ascii_uppercase} - set(os.listdrives()) + d = drives.pop().encode() +- self.assertEqual(ntpath.realpath(d), d) ++ self.assertEqual(ntpath.realpath(d, strict=False), d) + + # gh-106242: Embedded nulls and non-strict fallback to abspath +- self.assertEqual(ABSTFN + "\0spam", +- ntpath.realpath(os_helper.TESTFN + "\0spam", strict=False)) ++ if kwargs: ++ with self.assertRaises(OSError): ++ ntpath.realpath(os_helper.TESTFN + "\0spam", ++ **kwargs) ++ else: ++ self.assertEqual(ABSTFN + "\0spam", ++ ntpath.realpath(os_helper.TESTFN + "\0spam", **kwargs)) + + @os_helper.skip_unless_symlink + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') +@@ -408,19 +483,77 @@ class TestNtpath(NtpathTestCase): + self.addCleanup(os_helper.unlink, ABSTFN) + self.assertRaises(FileNotFoundError, ntpath.realpath, ABSTFN, strict=True) + self.assertRaises(FileNotFoundError, ntpath.realpath, ABSTFN + "2", strict=True) ++ ++ @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') ++ def test_realpath_invalid_paths(self): ++ realpath = ntpath.realpath ++ ABSTFN = ntpath.abspath(os_helper.TESTFN) ++ ABSTFNb = os.fsencode(ABSTFN) ++ path = ABSTFN + '\x00' ++ # gh-106242: Embedded nulls and non-strict fallback to abspath ++ self.assertEqual(realpath(path, strict=False), path) + # gh-106242: Embedded nulls should raise OSError (not ValueError) +- self.assertRaises(OSError, ntpath.realpath, ABSTFN + "\0spam", strict=True) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=True) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=ALLOW_MISSING) ++ path = ABSTFNb + b'\x00' ++ self.assertEqual(realpath(path, strict=False), path) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=True) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=ALLOW_MISSING) ++ path = ABSTFN + '\\nonexistent\\x\x00' ++ self.assertEqual(realpath(path, strict=False), path) ++ self.assertRaises(OSError, ntpath.realpath, path, 
strict=True) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=ALLOW_MISSING) ++ path = ABSTFNb + b'\\nonexistent\\x\x00' ++ self.assertEqual(realpath(path, strict=False), path) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=True) ++ self.assertRaises(OSError, ntpath.realpath, path, strict=ALLOW_MISSING) ++ path = ABSTFN + '\x00\\..' ++ self.assertEqual(realpath(path, strict=False), os.getcwd()) ++ self.assertEqual(realpath(path, strict=True), os.getcwd()) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), os.getcwd()) ++ path = ABSTFNb + b'\x00\\..' ++ self.assertEqual(realpath(path, strict=False), os.getcwdb()) ++ self.assertEqual(realpath(path, strict=True), os.getcwdb()) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), os.getcwdb()) ++ path = ABSTFN + '\\nonexistent\\x\x00\\..' ++ self.assertEqual(realpath(path, strict=False), ABSTFN + '\\nonexistent') ++ self.assertRaises(OSError, ntpath.realpath, path, strict=True) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), ABSTFN + '\\nonexistent') ++ path = ABSTFNb + b'\\nonexistent\\x\x00\\..' 
++ self.assertEqual(realpath(path, strict=False), ABSTFNb + b'\\nonexistent') ++ self.assertRaises(OSError, ntpath.realpath, path, strict=True) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), ABSTFNb + b'\\nonexistent') ++ ++ @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_invalid_unicode_paths(self, kwargs): ++ realpath = ntpath.realpath ++ ABSTFN = ntpath.abspath(os_helper.TESTFN) ++ ABSTFNb = os.fsencode(ABSTFN) ++ path = ABSTFNb + b'\xff' ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ path = ABSTFNb + b'\\nonexistent\\\xff' ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ path = ABSTFNb + b'\xff\\..' ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ path = ABSTFNb + b'\\nonexistent\\\xff\\..' 
++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) ++ self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs) + + @os_helper.skip_unless_symlink + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') +- def test_realpath_relative(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_relative(self, kwargs): + ABSTFN = ntpath.abspath(os_helper.TESTFN) + open(ABSTFN, "wb").close() + self.addCleanup(os_helper.unlink, ABSTFN) + self.addCleanup(os_helper.unlink, ABSTFN + "1") + + os.symlink(ABSTFN, ntpath.relpath(ABSTFN + "1")) +- self.assertPathEqual(ntpath.realpath(ABSTFN + "1"), ABSTFN) ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "1", **kwargs), ABSTFN) + + @os_helper.skip_unless_symlink + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') +@@ -572,7 +705,62 @@ class TestNtpath(NtpathTestCase): + + @os_helper.skip_unless_symlink + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') +- def test_realpath_symlink_prefix(self): ++ def test_realpath_symlink_loops_raise(self): ++ # Symlink loops raise OSError in ALLOW_MISSING mode ++ ABSTFN = ntpath.abspath(os_helper.TESTFN) ++ self.addCleanup(os_helper.unlink, ABSTFN) ++ self.addCleanup(os_helper.unlink, ABSTFN + "1") ++ self.addCleanup(os_helper.unlink, ABSTFN + "2") ++ self.addCleanup(os_helper.unlink, ABSTFN + "y") ++ self.addCleanup(os_helper.unlink, ABSTFN + "c") ++ self.addCleanup(os_helper.unlink, ABSTFN + "a") ++ self.addCleanup(os_helper.unlink, ABSTFN + "x") ++ ++ os.symlink(ABSTFN, ABSTFN) ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN, strict=ALLOW_MISSING) ++ ++ os.symlink(ABSTFN + "1", ABSTFN + "2") ++ os.symlink(ABSTFN + "2", ABSTFN + "1") ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN + "1", ++ strict=ALLOW_MISSING) ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN + "2", ++ strict=ALLOW_MISSING) ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN + 
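Review bot: In `test_realpath_invalid_unicode_paths` every `self.assertRaises(UnicodeDecodeError, ntpath.realpath, path, **kwargs)` line appears twice in a row with identical arguments, so the second call of each pair adds no coverage. The local `realpath = ntpath.realpath` is assigned but not used in that test. Either drop the duplicates or, if the pairs were meant to cover two input forms, make the second call differ.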
"1\\x", ++ strict=ALLOW_MISSING) ++ ++ # Windows eliminates '..' components before resolving links; ++ # realpath is not expected to raise if this removes the loop. ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "1\\.."), ++ ntpath.dirname(ABSTFN)) ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "1\\..\\x"), ++ ntpath.dirname(ABSTFN) + "\\x") ++ ++ os.symlink(ABSTFN + "x", ABSTFN + "y") ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "1\\..\\" ++ + ntpath.basename(ABSTFN) + "y"), ++ ABSTFN + "x") ++ self.assertRaises( ++ OSError, ntpath.realpath, ++ ABSTFN + "1\\..\\" + ntpath.basename(ABSTFN) + "1", ++ strict=ALLOW_MISSING) ++ ++ os.symlink(ntpath.basename(ABSTFN) + "a\\b", ABSTFN + "a") ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN + "a", ++ strict=ALLOW_MISSING) ++ ++ os.symlink("..\\" + ntpath.basename(ntpath.dirname(ABSTFN)) ++ + "\\" + ntpath.basename(ABSTFN) + "c", ABSTFN + "c") ++ self.assertRaises(OSError, ntpath.realpath, ABSTFN + "c", ++ strict=ALLOW_MISSING) ++ ++ # Test using relative path as well. 
++ self.assertRaises(OSError, ntpath.realpath, ntpath.basename(ABSTFN), ++ strict=ALLOW_MISSING) ++ ++ @os_helper.skip_unless_symlink ++ @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_symlink_prefix(self, kwargs): + ABSTFN = ntpath.abspath(os_helper.TESTFN) + self.addCleanup(os_helper.unlink, ABSTFN + "3") + self.addCleanup(os_helper.unlink, "\\\\?\\" + ABSTFN + "3.") +@@ -587,9 +775,9 @@ class TestNtpath(NtpathTestCase): + f.write(b'1') + os.symlink("\\\\?\\" + ABSTFN + "3.", ABSTFN + "3.link") + +- self.assertPathEqual(ntpath.realpath(ABSTFN + "3link"), ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "3link", **kwargs), + ABSTFN + "3") +- self.assertPathEqual(ntpath.realpath(ABSTFN + "3.link"), ++ self.assertPathEqual(ntpath.realpath(ABSTFN + "3.link", **kwargs), + "\\\\?\\" + ABSTFN + "3.") + + # Resolved paths should be usable to open target files +@@ -599,14 +787,17 @@ class TestNtpath(NtpathTestCase): + self.assertEqual(f.read(), b'1') + + # When the prefix is included, it is not stripped +- self.assertPathEqual(ntpath.realpath("\\\\?\\" + ABSTFN + "3link"), ++ self.assertPathEqual(ntpath.realpath("\\\\?\\" + ABSTFN + "3link", **kwargs), + "\\\\?\\" + ABSTFN + "3") +- self.assertPathEqual(ntpath.realpath("\\\\?\\" + ABSTFN + "3.link"), ++ self.assertPathEqual(ntpath.realpath("\\\\?\\" + ABSTFN + "3.link", **kwargs), + "\\\\?\\" + ABSTFN + "3.") + + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') + def test_realpath_nul(self): + tester("ntpath.realpath('NUL')", r'\\.\NUL') ++ tester("ntpath.realpath('NUL', strict=False)", r'\\.\NUL') ++ tester("ntpath.realpath('NUL', strict=True)", r'\\.\NUL') ++ tester("ntpath.realpath('NUL', strict=ALLOW_MISSING)", r'\\.\NUL') + + @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') + @unittest.skipUnless(HAVE_GETSHORTPATHNAME, 'need _getshortpathname') +@@ -630,12 +821,65 @@ 
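Review bot: In test_realpath_symlink_loops_raise, the assertPathEqual calls that follow the "Windows eliminates '..' components" comment call ntpath.realpath without `strict=ALLOW_MISSING`. The test's opening comment says it covers ALLOW_MISSING mode, but these no-raise cases are only exercised in the default mode. If ALLOW_MISSING is expected to behave the same here, pass it explicitly, for example `self.assertPathEqual(ntpath.realpath(ABSTFN + "1\\..", strict=ALLOW_MISSING), ntpath.dirname(ABSTFN))`. If the default mode is intentional, a short comment saying so would stop the next reader from assuming the collapsed-loop case is covered for the new mode.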
class TestNtpath(NtpathTestCase): + + self.assertPathEqual(test_file_long, ntpath.realpath(test_file_short)) + +- with os_helper.change_cwd(test_dir_long): +- self.assertPathEqual(test_file_long, ntpath.realpath("file.txt")) +- with os_helper.change_cwd(test_dir_long.lower()): +- self.assertPathEqual(test_file_long, ntpath.realpath("file.txt")) +- with os_helper.change_cwd(test_dir_short): +- self.assertPathEqual(test_file_long, ntpath.realpath("file.txt")) ++ for kwargs in {}, {'strict': True}, {'strict': ALLOW_MISSING}: ++ with self.subTest(**kwargs): ++ with os_helper.change_cwd(test_dir_long): ++ self.assertPathEqual( ++ test_file_long, ++ ntpath.realpath("file.txt", **kwargs)) ++ with os_helper.change_cwd(test_dir_long.lower()): ++ self.assertPathEqual( ++ test_file_long, ++ ntpath.realpath("file.txt", **kwargs)) ++ with os_helper.change_cwd(test_dir_short): ++ self.assertPathEqual( ++ test_file_long, ++ ntpath.realpath("file.txt", **kwargs)) ++ ++ @unittest.skipUnless(HAVE_GETFINALPATHNAME, 'need _getfinalpathname') ++ def test_realpath_permission(self): ++ # Test whether python can resolve the real filename of a ++ # shortened file name even if it does not have permission to access it. ++ ABSTFN = ntpath.realpath(os_helper.TESTFN) ++ ++ os_helper.unlink(ABSTFN) ++ os_helper.rmtree(ABSTFN) ++ os.mkdir(ABSTFN) ++ self.addCleanup(os_helper.rmtree, ABSTFN) ++ ++ test_file = ntpath.join(ABSTFN, "LongFileName123.txt") ++ test_file_short = ntpath.join(ABSTFN, "LONGFI~1.TXT") ++ ++ with open(test_file, "wb") as f: ++ f.write(b"content") ++ # Automatic generation of short names may be disabled on ++ # NTFS volumes for the sake of performance. ++ # They're not supported at all on ReFS and exFAT. ++ p = subprocess.run( ++ # Try to set the short name manually. 
++ ['fsutil.exe', 'file', 'setShortName', test_file, 'LONGFI~1.TXT'], ++ creationflags=subprocess.DETACHED_PROCESS ++ ) ++ ++ if p.returncode: ++ raise unittest.SkipTest('failed to set short name') ++ ++ try: ++ self.assertPathEqual(test_file, ntpath.realpath(test_file_short)) ++ except AssertionError: ++ raise unittest.SkipTest('the filesystem seems to lack support for short filenames') ++ ++ # Deny the right to [S]YNCHRONIZE on the file to ++ # force nt._getfinalpathname to fail with ERROR_ACCESS_DENIED. ++ p = subprocess.run( ++ ['icacls.exe', test_file, '/deny', '*S-1-5-32-545:(S)'], ++ creationflags=subprocess.DETACHED_PROCESS ++ ) ++ ++ if p.returncode: ++ raise unittest.SkipTest('failed to deny access to the test file') ++ ++ self.assertPathEqual(test_file, ntpath.realpath(test_file_short)) + + def test_expandvars(self): + with os_helper.EnvironmentVarGuard() as env: +diff --git a/Lib/test/test_posixpath.py b/Lib/test/test_posixpath.py +index cc4fd2f..7ae54d2 100644 +--- a/Lib/test/test_posixpath.py ++++ b/Lib/test/test_posixpath.py +@@ -3,7 +3,9 @@ import os + import posixpath + import sys + import unittest +-from posixpath import realpath, abspath, dirname, basename ++from functools import partial ++from posixpath import realpath, abspath, dirname, basename, ALLOW_MISSING ++from test import support + from test import test_genericpath + from test.support import import_helper + from test.support import cpython_only, os_helper +@@ -37,6 +39,26 @@ def safe_rmdir(dirname): + except OSError: + pass + ++def _parameterize(*parameters): ++ """Simplistic decorator to parametrize a test ++ ++ Runs the decorated test multiple times in subTest, with a value from ++ 'parameters' passed as an extra positional argument. ++ Does *not* call doCleanups() after each run. ++ ++ Not for general use. Intended to avoid indenting for easier backports. ++ ++ See https://discuss.python.org/t/91827 for discussing generalizations. 
++ """ ++ def _parametrize_decorator(func): ++ def _parameterized(self, *args, **kwargs): ++ for parameter in parameters: ++ with self.subTest(parameter): ++ func(self, *args, parameter, **kwargs) ++ return _parameterized ++ return _parametrize_decorator ++ ++ + class PosixPathTest(unittest.TestCase): + + def setUp(self): +@@ -425,32 +447,35 @@ class PosixPathTest(unittest.TestCase): + self.assertEqual(result, expected) + + @skip_if_ABSTFN_contains_backslash +- def test_realpath_curdir(self): +- self.assertEqual(realpath('.'), os.getcwd()) +- self.assertEqual(realpath('./.'), os.getcwd()) +- self.assertEqual(realpath('/'.join(['.'] * 100)), os.getcwd()) ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_curdir(self, kwargs): ++ self.assertEqual(realpath('.', **kwargs), os.getcwd()) ++ self.assertEqual(realpath('./.', **kwargs), os.getcwd()) ++ self.assertEqual(realpath('/'.join(['.'] * 100), **kwargs), os.getcwd()) + +- self.assertEqual(realpath(b'.'), os.getcwdb()) +- self.assertEqual(realpath(b'./.'), os.getcwdb()) +- self.assertEqual(realpath(b'/'.join([b'.'] * 100)), os.getcwdb()) ++ self.assertEqual(realpath(b'.', **kwargs), os.getcwdb()) ++ self.assertEqual(realpath(b'./.', **kwargs), os.getcwdb()) ++ self.assertEqual(realpath(b'/'.join([b'.'] * 100), **kwargs), os.getcwdb()) + + @skip_if_ABSTFN_contains_backslash +- def test_realpath_pardir(self): +- self.assertEqual(realpath('..'), dirname(os.getcwd())) +- self.assertEqual(realpath('../..'), dirname(dirname(os.getcwd()))) +- self.assertEqual(realpath('/'.join(['..'] * 100)), '/') ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_pardir(self, kwargs): ++ self.assertEqual(realpath('..', **kwargs), dirname(os.getcwd())) ++ self.assertEqual(realpath('../..', **kwargs), dirname(dirname(os.getcwd()))) ++ self.assertEqual(realpath('/'.join(['..'] * 100), **kwargs), '/') + +- self.assertEqual(realpath(b'..'), dirname(os.getcwdb())) +- 
self.assertEqual(realpath(b'../..'), dirname(dirname(os.getcwdb()))) +- self.assertEqual(realpath(b'/'.join([b'..'] * 100)), b'/') ++ self.assertEqual(realpath(b'..', **kwargs), dirname(os.getcwdb())) ++ self.assertEqual(realpath(b'../..', **kwargs), dirname(dirname(os.getcwdb()))) ++ self.assertEqual(realpath(b'/'.join([b'..'] * 100), **kwargs), b'/') + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_basic(self): ++ @_parameterize({}, {'strict': ALLOW_MISSING}) ++ def test_realpath_basic(self, kwargs): + # Basic operation. + try: + os.symlink(ABSTFN+"1", ABSTFN) +- self.assertEqual(realpath(ABSTFN), ABSTFN+"1") ++ self.assertEqual(realpath(ABSTFN, **kwargs), ABSTFN+"1") + finally: + os_helper.unlink(ABSTFN) + +@@ -466,15 +491,122 @@ class PosixPathTest(unittest.TestCase): + finally: + os_helper.unlink(ABSTFN) + ++ def test_realpath_invalid_paths(self): ++ path = '/\x00' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(ValueError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = b'/\x00' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(ValueError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = '/nonexistent/x\x00' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = b'/nonexistent/x\x00' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = '/\x00/..' 
++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(ValueError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = b'/\x00/..' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(ValueError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ ++ path = '/nonexistent/x\x00/..' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ path = b'/nonexistent/x\x00/..' ++ self.assertRaises(ValueError, realpath, path, strict=False) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertRaises(ValueError, realpath, path, strict=ALLOW_MISSING) ++ ++ path = '/\udfff' ++ if sys.platform == 'win32': ++ self.assertEqual(realpath(path, strict=False), path) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), path) ++ else: ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=True) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=ALLOW_MISSING) ++ path = '/nonexistent/\udfff' ++ if sys.platform == 'win32': ++ self.assertEqual(realpath(path, strict=False), path) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), path) ++ else: ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=ALLOW_MISSING) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ path = '/\udfff/..' 
++ if sys.platform == 'win32': ++ self.assertEqual(realpath(path, strict=False), '/') ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), '/') ++ else: ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=True) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=ALLOW_MISSING) ++ path = '/nonexistent/\udfff/..' ++ if sys.platform == 'win32': ++ self.assertEqual(realpath(path, strict=False), '/nonexistent') ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), '/nonexistent') ++ else: ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeEncodeError, realpath, path, strict=ALLOW_MISSING) ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ ++ path = b'/\xff' ++ if sys.platform == 'win32': ++ self.assertRaises(UnicodeDecodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeDecodeError, realpath, path, strict=True) ++ self.assertRaises(UnicodeDecodeError, realpath, path, strict=ALLOW_MISSING) ++ else: ++ self.assertEqual(realpath(path, strict=False), path) ++ if support.is_wasi: ++ self.assertRaises(OSError, realpath, path, strict=True) ++ self.assertRaises(OSError, realpath, path, strict=ALLOW_MISSING) ++ else: ++ self.assertRaises(FileNotFoundError, realpath, path, strict=True) ++ self.assertEqual(realpath(path, strict=ALLOW_MISSING), path) ++ path = b'/nonexistent/\xff' ++ if sys.platform == 'win32': ++ self.assertRaises(UnicodeDecodeError, realpath, path, strict=False) ++ self.assertRaises(UnicodeDecodeError, realpath, path, strict=ALLOW_MISSING) ++ else: ++ self.assertEqual(realpath(path, strict=False), path) ++ if support.is_wasi: ++ self.assertRaises(OSError, realpath, path, strict=True) ++ self.assertRaises(OSError, realpath, path, strict=ALLOW_MISSING) ++ else: ++ self.assertRaises(FileNotFoundError, realpath, 
path, strict=True) ++ + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_relative(self): ++ @_parameterize({}, {'strict': ALLOW_MISSING}) ++ def test_realpath_relative(self, kwargs): + try: + os.symlink(posixpath.relpath(ABSTFN+"1"), ABSTFN) +- self.assertEqual(realpath(ABSTFN), ABSTFN+"1") ++ self.assertEqual(realpath(ABSTFN, **kwargs), ABSTFN+"1") + finally: + os_helper.unlink(ABSTFN) + ++ @os_helper.skip_unless_symlink ++ @skip_if_ABSTFN_contains_backslash ++ @_parameterize({}, {'strict': ALLOW_MISSING}) ++ def test_realpath_missing_pardir(self, kwargs): ++ try: ++ os.symlink(os_helper.TESTFN + "1", os_helper.TESTFN) ++ self.assertEqual( ++ realpath("nonexistent/../" + os_helper.TESTFN, **kwargs), ABSTFN + "1") ++ finally: ++ os_helper.unlink(os_helper.TESTFN) ++ + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash + def test_realpath_symlink_loops(self): +@@ -518,37 +650,38 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_symlink_loops_strict(self): ++ @_parameterize({'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_symlink_loops_strict(self, kwargs): + # Bug #43757, raise OSError if we get into an infinite symlink loop in +- # strict mode. ++ # the strict modes. 
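Review bot: In test_realpath_invalid_paths, the last bytes case (`path = b'/nonexistent/\xff'`) has a non-WASI POSIX branch that asserts only `strict=True` and never checks `strict=ALLOW_MISSING`. The preceding `b'/\xff'` case does check it. By analogy, the missing line would be `self.assertEqual(realpath(path, strict=ALLOW_MISSING), path)`, though the expected value should be confirmed against the implementation, which this hunk does not show. Since ALLOW_MISSING is the mode the extraction filters depend on, leaving a gap in its coverage for undecodable names under a missing parent is worth closing. The twelve near-identical path blocks would also read more easily as a table of `(path, expected per mode)` iterated under `self.subTest`.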
+ try: + os.symlink(ABSTFN, ABSTFN) +- self.assertRaises(OSError, realpath, ABSTFN, strict=True) ++ self.assertRaises(OSError, realpath, ABSTFN, **kwargs) + + os.symlink(ABSTFN+"1", ABSTFN+"2") + os.symlink(ABSTFN+"2", ABSTFN+"1") +- self.assertRaises(OSError, realpath, ABSTFN+"1", strict=True) +- self.assertRaises(OSError, realpath, ABSTFN+"2", strict=True) ++ self.assertRaises(OSError, realpath, ABSTFN+"1", **kwargs) ++ self.assertRaises(OSError, realpath, ABSTFN+"2", **kwargs) + +- self.assertRaises(OSError, realpath, ABSTFN+"1/x", strict=True) +- self.assertRaises(OSError, realpath, ABSTFN+"1/..", strict=True) +- self.assertRaises(OSError, realpath, ABSTFN+"1/../x", strict=True) ++ self.assertRaises(OSError, realpath, ABSTFN+"1/x", **kwargs) ++ self.assertRaises(OSError, realpath, ABSTFN+"1/..", **kwargs) ++ self.assertRaises(OSError, realpath, ABSTFN+"1/../x", **kwargs) + os.symlink(ABSTFN+"x", ABSTFN+"y") + self.assertRaises(OSError, realpath, +- ABSTFN+"1/../" + basename(ABSTFN) + "y", strict=True) ++ ABSTFN+"1/../" + basename(ABSTFN) + "y", **kwargs) + self.assertRaises(OSError, realpath, +- ABSTFN+"1/../" + basename(ABSTFN) + "1", strict=True) ++ ABSTFN+"1/../" + basename(ABSTFN) + "1", **kwargs) + + os.symlink(basename(ABSTFN) + "a/b", ABSTFN+"a") +- self.assertRaises(OSError, realpath, ABSTFN+"a", strict=True) ++ self.assertRaises(OSError, realpath, ABSTFN+"a", **kwargs) + + os.symlink("../" + basename(dirname(ABSTFN)) + "/" + + basename(ABSTFN) + "c", ABSTFN+"c") +- self.assertRaises(OSError, realpath, ABSTFN+"c", strict=True) ++ self.assertRaises(OSError, realpath, ABSTFN+"c", **kwargs) + + # Test using relative path as well. 
+ with os_helper.change_cwd(dirname(ABSTFN)): +- self.assertRaises(OSError, realpath, basename(ABSTFN), strict=True) ++ self.assertRaises(OSError, realpath, basename(ABSTFN), **kwargs) + finally: + os_helper.unlink(ABSTFN) + os_helper.unlink(ABSTFN+"1") +@@ -559,13 +692,14 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_repeated_indirect_symlinks(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_repeated_indirect_symlinks(self, kwargs): + # Issue #6975. + try: + os.mkdir(ABSTFN) + os.symlink('../' + basename(ABSTFN), ABSTFN + '/self') + os.symlink('self/self/self', ABSTFN + '/link') +- self.assertEqual(realpath(ABSTFN + '/link'), ABSTFN) ++ self.assertEqual(realpath(ABSTFN + '/link', **kwargs), ABSTFN) + finally: + os_helper.unlink(ABSTFN + '/self') + os_helper.unlink(ABSTFN + '/link') +@@ -573,14 +707,15 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_deep_recursion(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_deep_recursion(self, kwargs): + depth = 10 + try: + os.mkdir(ABSTFN) + for i in range(depth): + os.symlink('/'.join(['%d' % i] * 10), ABSTFN + '/%d' % (i + 1)) + os.symlink('.', ABSTFN + '/0') +- self.assertEqual(realpath(ABSTFN + '/%d' % depth), ABSTFN) ++ self.assertEqual(realpath(ABSTFN + '/%d' % depth, **kwargs), ABSTFN) + + # Test using relative path as well. + with os_helper.change_cwd(ABSTFN): +@@ -592,7 +727,8 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_resolve_parents(self): ++ @_parameterize({}, {'strict': ALLOW_MISSING}) ++ def test_realpath_resolve_parents(self, kwargs): + # We also need to resolve any symlinks in the parents of a relative + # path passed to realpath. 
E.g.: current working directory is + # /usr/doc with 'doc' being a symlink to /usr/share/doc. We call +@@ -603,7 +739,8 @@ class PosixPathTest(unittest.TestCase): + os.symlink(ABSTFN + "/y", ABSTFN + "/k") + + with os_helper.change_cwd(ABSTFN + "/k"): +- self.assertEqual(realpath("a"), ABSTFN + "/y/a") ++ self.assertEqual(realpath("a", **kwargs), ++ ABSTFN + "/y/a") + finally: + os_helper.unlink(ABSTFN + "/k") + safe_rmdir(ABSTFN + "/y") +@@ -611,7 +748,8 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_resolve_before_normalizing(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_resolve_before_normalizing(self, kwargs): + # Bug #990669: Symbolic links should be resolved before we + # normalize the path. E.g.: if we have directories 'a', 'k' and 'y' + # in the following hierarchy: +@@ -626,10 +764,10 @@ class PosixPathTest(unittest.TestCase): + os.symlink(ABSTFN + "/k/y", ABSTFN + "/link-y") + + # Absolute path. +- self.assertEqual(realpath(ABSTFN + "/link-y/.."), ABSTFN + "/k") ++ self.assertEqual(realpath(ABSTFN + "/link-y/..", **kwargs), ABSTFN + "/k") + # Relative path. + with os_helper.change_cwd(dirname(ABSTFN)): +- self.assertEqual(realpath(basename(ABSTFN) + "/link-y/.."), ++ self.assertEqual(realpath(basename(ABSTFN) + "/link-y/..", **kwargs), + ABSTFN + "/k") + finally: + os_helper.unlink(ABSTFN + "/link-y") +@@ -639,7 +777,8 @@ class PosixPathTest(unittest.TestCase): + + @os_helper.skip_unless_symlink + @skip_if_ABSTFN_contains_backslash +- def test_realpath_resolve_first(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_resolve_first(self, kwargs): + # Bug #1213894: The first component of the path, if not absolute, + # must be resolved too. 
+ +@@ -649,13 +788,70 @@ class PosixPathTest(unittest.TestCase): + os.symlink(ABSTFN, ABSTFN + "link") + with os_helper.change_cwd(dirname(ABSTFN)): + base = basename(ABSTFN) +- self.assertEqual(realpath(base + "link"), ABSTFN) +- self.assertEqual(realpath(base + "link/k"), ABSTFN + "/k") ++ self.assertEqual(realpath(base + "link", **kwargs), ABSTFN) ++ self.assertEqual(realpath(base + "link/k", **kwargs), ABSTFN + "/k") + finally: + os_helper.unlink(ABSTFN + "link") + safe_rmdir(ABSTFN + "/k") + safe_rmdir(ABSTFN) + ++ @os_helper.skip_unless_symlink ++ @skip_if_ABSTFN_contains_backslash ++ @unittest.skipIf(os.chmod not in os.supports_follow_symlinks, "Can't set symlink permissions") ++ @unittest.skipIf(sys.platform != "darwin", "only macOS requires read permission to readlink()") ++ @_parameterize({'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_realpath_unreadable_symlink_strict(self, kwargs): ++ try: ++ os.symlink(ABSTFN+"1", ABSTFN) ++ os.chmod(ABSTFN, 0o000, follow_symlinks=False) ++ with self.assertRaises(PermissionError): ++ realpath(ABSTFN, **kwargs) ++ with self.assertRaises(PermissionError): ++ realpath(ABSTFN + '/foo', **kwargs), ++ with self.assertRaises(PermissionError): ++ realpath(ABSTFN + '/../foo', **kwargs) ++ with self.assertRaises(PermissionError): ++ realpath(ABSTFN + '/foo/..', **kwargs) ++ finally: ++ os.chmod(ABSTFN, 0o755, follow_symlinks=False) ++ os.unlink(ABSTFN) ++ ++ @skip_if_ABSTFN_contains_backslash ++ @os_helper.skip_unless_symlink ++ def test_realpath_unreadable_directory(self): ++ try: ++ os.mkdir(ABSTFN) ++ os.mkdir(ABSTFN + '/k') ++ os.chmod(ABSTFN, 0o000) ++ self.assertEqual(realpath(ABSTFN, strict=False), ABSTFN) ++ self.assertEqual(realpath(ABSTFN, strict=True), ABSTFN) ++ self.assertEqual(realpath(ABSTFN, strict=ALLOW_MISSING), ABSTFN) ++ ++ try: ++ os.stat(ABSTFN) ++ except PermissionError: ++ pass ++ else: ++ self.skipTest('Cannot block permissions') ++ ++ self.assertEqual(realpath(ABSTFN + '/k', strict=False), ++ 
ABSTFN + '/k') ++ self.assertRaises(PermissionError, realpath, ABSTFN + '/k', ++ strict=True) ++ self.assertRaises(PermissionError, realpath, ABSTFN + '/k', ++ strict=ALLOW_MISSING) ++ ++ self.assertEqual(realpath(ABSTFN + '/missing', strict=False), ++ ABSTFN + '/missing') ++ self.assertRaises(PermissionError, realpath, ABSTFN + '/missing', ++ strict=True) ++ self.assertRaises(PermissionError, realpath, ABSTFN + '/missing', ++ strict=ALLOW_MISSING) ++ finally: ++ os.chmod(ABSTFN, 0o755) ++ safe_rmdir(ABSTFN + '/k') ++ safe_rmdir(ABSTFN) ++ + def test_relpath(self): + (real_getcwd, os.getcwd) = (os.getcwd, lambda: r"/home/user/bar") + try: +@@ -835,9 +1031,12 @@ class PathLikeTests(unittest.TestCase): + def test_path_abspath(self): + self.assertPathEqual(self.path.abspath) + +- def test_path_realpath(self): ++ @_parameterize({}, {'strict': True}, {'strict': ALLOW_MISSING}) ++ def test_path_realpath(self, kwargs): + self.assertPathEqual(self.path.realpath) + ++ self.assertPathEqual(partial(self.path.realpath, **kwargs)) ++ + def test_path_relpath(self): + self.assertPathEqual(self.path.relpath) + +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index e28d031..1c598e1 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -2627,7 +2627,8 @@ class MiscTest(unittest.TestCase): + 'PAX_NUMBER_FIELDS', 'stn', 'nts', 'nti', 'itn', 'calc_chksums', + 'copyfileobj', 'filemode', 'EmptyHeaderError', + 'TruncatedHeaderError', 'EOFHeaderError', 'InvalidHeaderError', +- 'SubsequentHeaderError', 'ExFileObject', 'main'} ++ 'SubsequentHeaderError', 'ExFileObject', 'main', ++ "LinkFallbackError"} + support.check__all__(self, tarfile, not_exported=not_exported) + + def test_useful_error_message_when_modules_missing(self): +@@ -2642,6 +2643,31 @@ class MiscTest(unittest.TestCase): + str(excinfo.exception), + ) + ++ @unittest.skipUnless(os_helper.can_symlink(), 'requires symlink support') ++ @unittest.skipUnless(hasattr(os, 'chmod'), "missing 
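Review bot: In test_realpath_unreadable_symlink_strict, the second `with self.assertRaises(PermissionError):` body ends in a stray trailing comma: `realpath(ABSTFN + '/foo', **kwargs),`. This builds and discards a one-element tuple; the call still runs, so the test is not weakened, but it reads like a leftover from an argument list and should be `realpath(ABSTFN + '/foo', **kwargs)`. Separately, the `finally:` block calls `os.chmod(ABSTFN, 0o755, follow_symlinks=False)` unconditionally. If `os.symlink` failed, the cleanup would raise a second error that hides the original one; `os_helper.unlink(ABSTFN)`, as used by the neighbouring tests, would be more forgiving.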
os.chmod") ++ @unittest.mock.patch('os.chmod') ++ def test_deferred_directory_attributes_update(self, mock_chmod): ++ # Regression test for gh-127987: setting attributes on arbitrary files ++ tempdir = os.path.join(TEMPDIR, 'test127987') ++ def mock_chmod_side_effect(path, mode, **kwargs): ++ target_path = os.path.realpath(path) ++ if os.path.commonpath([target_path, tempdir]) != tempdir: ++ raise Exception("should not try to chmod anything outside the destination", target_path) ++ mock_chmod.side_effect = mock_chmod_side_effect ++ ++ outside_tree_dir = os.path.join(TEMPDIR, 'outside_tree_dir') ++ with ArchiveMaker() as arc: ++ arc.add('x', symlink_to='.') ++ arc.add('x', type=tarfile.DIRTYPE, mode='?rwsrwsrwt') ++ arc.add('x', symlink_to=outside_tree_dir) ++ ++ os.makedirs(outside_tree_dir) ++ try: ++ arc.open().extractall(path=tempdir, filter='tar') ++ finally: ++ os_helper.rmtree(outside_tree_dir) ++ os_helper.rmtree(tempdir) ++ + + class CommandLineTest(unittest.TestCase): + +@@ -3202,6 +3228,10 @@ class NoneInfoExtractTests(ReadTest): + got_paths = set( + p.relative_to(directory) + for p in pathlib.Path(directory).glob('**/*')) ++ if self.extraction_filter == 'data': ++ # The 'data' filter is expected to reject special files ++ for path in 'ustar/fifotype', 'ustar/blktype', 'ustar/chrtype': ++ got_paths.discard(pathlib.Path(path)) + self.assertEqual(self.control_paths, got_paths) + + @contextmanager +@@ -3428,12 +3458,28 @@ class ArchiveMaker: + self.bio = None + + def add(self, name, *, type=None, symlink_to=None, hardlink_to=None, +- mode=None, size=None, **kwargs): +- """Add a member to the test archive. Call within `with`.""" ++ mode=None, size=None, content=None, **kwargs): ++ """Add a member to the test archive. Call within `with`. 
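Review bot: In test_deferred_directory_attributes_update, the containment check in `mock_chmod_side_effect` canonicalises only one side. `target_path` goes through `os.path.realpath`, but `tempdir` is the plain `os.path.join(TEMPDIR, 'test127987')`. If TEMPDIR (defined outside this hunk) contains a symlinked component, `os.path.commonpath([target_path, tempdir]) != tempdir` would hold for legitimate in-tree paths and the regression test would fail for the wrong reason. Resolving the root once avoids that: `tempdir = os.path.realpath(os.path.join(TEMPDIR, 'test127987'))`. The TarFile returned by `arc.open()` is also never closed; `with arc.open() as tar: tar.extractall(path=tempdir, filter='tar')` would keep the test tidy.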
++ ++ Provides many shortcuts: ++ - default `type` is based on symlink_to, hardlink_to, and trailing `/` ++ in name (which is stripped) ++ - size & content defaults are based on each other ++ - content can be str or bytes ++ - mode should be textual ('-rwxrwxrwx') ++ ++ (add more! this is unstable internal test-only API) ++ """ + name = str(name) + tarinfo = tarfile.TarInfo(name).replace(**kwargs) ++ if content is not None: ++ if isinstance(content, str): ++ content = content.encode() ++ size = len(content) + if size is not None: + tarinfo.size = size ++ if content is None: ++ content = bytes(tarinfo.size) + if mode: + tarinfo.mode = _filemode_to_int(mode) + if symlink_to is not None: +@@ -3447,7 +3493,7 @@ class ArchiveMaker: + if type is not None: + tarinfo.type = type + if tarinfo.isreg(): +- fileobj = io.BytesIO(bytes(tarinfo.size)) ++ fileobj = io.BytesIO(content) + else: + fileobj = None + self.tar_w.addfile(tarinfo, fileobj) +@@ -3481,7 +3527,7 @@ class TestExtractionFilters(unittest.TestCase): + destdir = outerdir / 'dest' + + @contextmanager +- def check_context(self, tar, filter): ++ def check_context(self, tar, filter, *, check_flag=True): + """Extracts `tar` to `self.destdir` and allows checking the result + + If an error occurs, it must be checked using `expect_exception` +@@ -3490,27 +3536,40 @@ class TestExtractionFilters(unittest.TestCase): + except the destination directory itself and parent directories of + other files. + When checking directories, do so before their contents. ++ ++ A file called 'flag' is made in outerdir (i.e. outside destdir) ++ before extraction; it should not be altered nor should its contents ++ be read/copied. 
+ """ + with os_helper.temp_dir(self.outerdir): ++ flag_path = self.outerdir / 'flag' ++ flag_path.write_text('capture me') + try: + tar.extractall(self.destdir, filter=filter) + except Exception as exc: + self.raised_exception = exc ++ self.reraise_exception = True + self.expected_paths = set() + else: + self.raised_exception = None ++ self.reraise_exception = False + self.expected_paths = set(self.outerdir.glob('**/*')) + self.expected_paths.discard(self.destdir) ++ self.expected_paths.discard(flag_path) + try: +- yield ++ yield self + finally: + tar.close() +- if self.raised_exception: ++ if self.reraise_exception: + raise self.raised_exception + self.assertEqual(self.expected_paths, set()) ++ if check_flag: ++ self.assertEqual(flag_path.read_text(), 'capture me') ++ else: ++ assert filter == 'fully_trusted' + + def expect_file(self, name, type=None, symlink_to=None, mode=None, +- size=None): ++ size=None, content=None): + """Check a single file. See check_context.""" + if self.raised_exception: + raise self.raised_exception +@@ -3529,26 +3588,45 @@ class TestExtractionFilters(unittest.TestCase): + # The symlink might be the same (textually) as what we expect, + # but some systems change the link to an equivalent path, so + # we fall back to samefile(). 
+- if expected != got: +- self.assertTrue(got.samefile(expected)) ++ try: ++ if expected != got: ++ self.assertTrue(got.samefile(expected)) ++ except Exception as e: ++ # attach a note, so it's shown even if `samefile` fails ++ e.add_note(f'{expected=}, {got=}') ++ raise + elif type == tarfile.REGTYPE or type is None: + self.assertTrue(path.is_file()) + elif type == tarfile.DIRTYPE: + self.assertTrue(path.is_dir()) + elif type == tarfile.FIFOTYPE: + self.assertTrue(path.is_fifo()) ++ elif type == tarfile.SYMTYPE: ++ self.assertTrue(path.is_symlink()) + else: + raise NotImplementedError(type) + if size is not None: + self.assertEqual(path.stat().st_size, size) ++ if content is not None: ++ self.assertEqual(path.read_text(), content) + for parent in path.parents: + self.expected_paths.discard(parent) + ++ def expect_any_tree(self, name): ++ """Check a directory; forget about its contents.""" ++ tree_path = (self.destdir / name).resolve() ++ self.expect_file(tree_path, type=tarfile.DIRTYPE) ++ self.expected_paths = { ++ p for p in self.expected_paths ++ if tree_path not in p.parents ++ } ++ + def expect_exception(self, exc_type, message_re='.'): + with self.assertRaisesRegex(exc_type, message_re): + if self.raised_exception is not None: + raise self.raised_exception +- self.raised_exception = None ++ self.reraise_exception = False ++ return self.raised_exception + + def test_benign_file(self): + with ArchiveMaker() as arc: +@@ -3633,6 +3711,80 @@ class TestExtractionFilters(unittest.TestCase): + with self.check_context(arc.open(), 'data'): + self.expect_file('parent/evil') + ++ @symlink_test ++ @os_helper.skip_unless_symlink ++ def test_realpath_limit_attack(self): ++ # (CVE-2025-4517) ++ ++ with ArchiveMaker() as arc: ++ # populate the symlinks and dirs that expand in os.path.realpath() ++ # The component length is chosen so that in common cases, the unexpanded ++ # path fits in PATH_MAX, but it overflows when the final symlink ++ # is expanded ++ steps = 
"abcdefghijklmnop" ++ if sys.platform == 'win32': ++ component = 'd' * 25 ++ elif 'PC_PATH_MAX' in os.pathconf_names: ++ max_path_len = os.pathconf(self.outerdir.parent, "PC_PATH_MAX") ++ path_sep_len = 1 ++ dest_len = len(str(self.destdir)) + path_sep_len ++ component_len = (max_path_len - dest_len) // (len(steps) + path_sep_len) ++ component = 'd' * component_len ++ else: ++ raise NotImplementedError("Need to guess component length for {sys.platform}") ++ path = "" ++ step_path = "" ++ for i in steps: ++ arc.add(os.path.join(path, component), type=tarfile.DIRTYPE, ++ mode='drwxrwxrwx') ++ arc.add(os.path.join(path, i), symlink_to=component) ++ path = os.path.join(path, component) ++ step_path = os.path.join(step_path, i) ++ # create the final symlink that exceeds PATH_MAX and simply points ++ # to the top dir. ++ # this link will never be expanded by ++ # os.path.realpath(strict=False), nor anything after it. ++ linkpath = os.path.join(*steps, "l"*254) ++ parent_segments = [".."] * len(steps) ++ arc.add(linkpath, symlink_to=os.path.join(*parent_segments)) ++ # make a symlink outside to keep the tar command happy ++ arc.add("escape", symlink_to=os.path.join(linkpath, "..")) ++ # use the symlinks above, that are not checked, to create a hardlink ++ # to a file outside of the destination path ++ arc.add("flaglink", hardlink_to=os.path.join("escape", "flag")) ++ # now that we have the hardlink we can overwrite the file ++ arc.add("flaglink", content='overwrite') ++ # we can also create new files as well! ++ arc.add("escape/newfile", content='new') ++ ++ with (self.subTest('fully_trusted'), ++ self.check_context(arc.open(), filter='fully_trusted', ++ check_flag=False)): ++ if sys.platform == 'win32': ++ self.expect_exception((FileNotFoundError, FileExistsError)) ++ elif self.raised_exception: ++ # Cannot symlink/hardlink: tarfile falls back to getmember() ++ self.expect_exception(KeyError) ++ # Otherwise, this block should never enter. 
++ else: ++ self.expect_any_tree(component) ++ self.expect_file('flaglink', content='overwrite') ++ self.expect_file('../newfile', content='new') ++ self.expect_file('escape', type=tarfile.SYMTYPE) ++ self.expect_file('a', symlink_to=component) ++ ++ for filter in 'tar', 'data': ++ with self.subTest(filter), self.check_context(arc.open(), filter=filter): ++ exc = self.expect_exception((OSError, KeyError)) ++ if isinstance(exc, OSError): ++ if sys.platform == 'win32': ++ # 3: ERROR_PATH_NOT_FOUND ++ # 5: ERROR_ACCESS_DENIED ++ # 206: ERROR_FILENAME_EXCED_RANGE ++ self.assertIn(exc.winerror, (3, 5, 206)) ++ else: ++ self.assertEqual(exc.errno, errno.ENAMETOOLONG) ++ + @symlink_test + def test_parent_symlink2(self): + # Test interplaying symlinks +@@ -3855,8 +4007,8 @@ class TestExtractionFilters(unittest.TestCase): + arc.add('symlink2', symlink_to=os.path.join( + 'linkdir', 'hardlink2')) + arc.add('targetdir/target', size=3) +- arc.add('linkdir/hardlink', hardlink_to='targetdir/target') +- arc.add('linkdir/hardlink2', hardlink_to='linkdir/symlink') ++ arc.add('linkdir/hardlink', hardlink_to=os.path.join('targetdir', 'target')) ++ arc.add('linkdir/hardlink2', hardlink_to=os.path.join('linkdir', 'symlink')) + + for filter in 'tar', 'data', 'fully_trusted': + with self.check_context(arc.open(), filter): +@@ -3872,6 +4024,129 @@ class TestExtractionFilters(unittest.TestCase): + self.expect_file('linkdir/symlink', size=3) + self.expect_file('symlink2', size=3) + ++ @symlink_test ++ def test_sneaky_hardlink_fallback(self): ++ # (CVE-2025-4330) ++ # Test that when hardlink extraction falls back to extracting members ++ # from the archive, the extracted member is (re-)filtered. 
++ with ArchiveMaker() as arc: ++ # Create a directory structure so the c/escape symlink stays ++ # inside the path ++ arc.add("a/t/dummy") ++ # Create b/ directory ++ arc.add("b/") ++ # Point "c" to the bottom of the tree in "a" ++ arc.add("c", symlink_to=os.path.join("a", "t")) ++ # link to non-existant location under "a" ++ arc.add("c/escape", symlink_to=os.path.join("..", "..", ++ "link_here")) ++ # Move "c" to point to "b" ("c/escape" no longer exists) ++ arc.add("c", symlink_to="b") ++ # Attempt to create a hard link to "c/escape". Since it doesn't ++ # exist it will attempt to extract "cescape" but at "boom". ++ arc.add("boom", hardlink_to=os.path.join("c", "escape")) ++ ++ with self.check_context(arc.open(), 'data'): ++ if not os_helper.can_symlink(): ++ # When 'c/escape' is extracted, 'c' is a regular ++ # directory, and 'c/escape' *would* point outside ++ # the destination if symlinks were allowed. ++ self.expect_exception( ++ tarfile.LinkOutsideDestinationError) ++ elif sys.platform == "win32": ++ # On Windows, 'c/escape' points outside the destination ++ self.expect_exception(tarfile.LinkOutsideDestinationError) ++ else: ++ e = self.expect_exception( ++ tarfile.LinkFallbackError, ++ "link 'boom' would be extracted as a copy of " ++ + "'c/escape', which was rejected") ++ self.assertIsInstance(e.__cause__, ++ tarfile.LinkOutsideDestinationError) ++ for filter in 'tar', 'fully_trusted': ++ with self.subTest(filter), self.check_context(arc.open(), filter): ++ if not os_helper.can_symlink(): ++ self.expect_file("a/t/dummy") ++ self.expect_file("b/") ++ self.expect_file("c/") ++ else: ++ self.expect_file("a/t/dummy") ++ self.expect_file("b/") ++ self.expect_file("a/t/escape", symlink_to='../../link_here') ++ self.expect_file("boom", symlink_to='../../link_here') ++ self.expect_file("c", symlink_to='b') ++ ++ @symlink_test ++ def test_exfiltration_via_symlink(self): ++ # (CVE-2025-4138) ++ # Test changing symlinks that result in a symlink pointing outside ++ # 
the extraction directory, unless prevented by 'data' filter's ++ # normalization. ++ with ArchiveMaker() as arc: ++ arc.add("escape", symlink_to=os.path.join('link', 'link', '..', '..', 'link-here')) ++ arc.add("link", symlink_to='./') ++ ++ for filter in 'tar', 'data', 'fully_trusted': ++ with self.check_context(arc.open(), filter): ++ if os_helper.can_symlink(): ++ self.expect_file("link", symlink_to='./') ++ if filter == 'data': ++ self.expect_file("escape", symlink_to='link-here') ++ else: ++ self.expect_file("escape", ++ symlink_to='link/link/../../link-here') ++ else: ++ # Nothing is extracted. ++ pass ++ ++ @symlink_test ++ def test_chmod_outside_dir(self): ++ # (CVE-2024-12718) ++ # Test that members used for delayed updates of directory metadata ++ # are (re-)filtered. ++ with ArchiveMaker() as arc: ++ # "pwn" is a veeeery innocent symlink: ++ arc.add("a/pwn", symlink_to='.') ++ # But now "pwn" is also a directory, so it's scheduled to have its ++ # metadata updated later: ++ arc.add("a/pwn/", mode='drwxrwxrwx') ++ # Oops, "pwn" is not so innocent any more: ++ arc.add("a/pwn", symlink_to='x/../') ++ # Newly created symlink points to the dest dir, ++ # so it's OK for the "data" filter. 
++ arc.add('a/x', symlink_to=('../')) ++ # But now "pwn" points outside the dest dir ++ ++ for filter in 'tar', 'data', 'fully_trusted': ++ with self.check_context(arc.open(), filter) as cc: ++ if not os_helper.can_symlink(): ++ self.expect_file("a/pwn/") ++ elif filter == 'data': ++ self.expect_file("a/x", symlink_to='../') ++ self.expect_file("a/pwn", symlink_to='.') ++ else: ++ self.expect_file("a/x", symlink_to='../') ++ self.expect_file("a/pwn", symlink_to='x/../') ++ if sys.platform != "win32": ++ st_mode = cc.outerdir.stat().st_mode ++ self.assertNotEqual(st_mode & 0o777, 0o777) ++ ++ def test_link_fallback_normalizes(self): ++ # Make sure hardlink fallbacks work for non-normalized paths for all ++ # filters ++ with ArchiveMaker() as arc: ++ arc.add("dir/") ++ arc.add("dir/../afile") ++ arc.add("link1", hardlink_to='dir/../afile') ++ arc.add("link2", hardlink_to='dir/../dir/../afile') ++ ++ for filter in 'tar', 'data', 'fully_trusted': ++ with self.check_context(arc.open(), filter) as cc: ++ self.expect_file("dir/") ++ self.expect_file("afile") ++ self.expect_file("link1") ++ self.expect_file("link2") ++ + def test_modes(self): + # Test how file modes are extracted + # (Note that the modes are ignored on platforms without working chmod) +@@ -3985,7 +4260,7 @@ class TestExtractionFilters(unittest.TestCase): + # The 'tar' filter returns TarInfo objects with the same name/type. + # (It can also fail for particularly "evil" input, but we don't have + # that in the test archive.) +- with tarfile.TarFile.open(tarname) as tar: ++ with tarfile.TarFile.open(tarname, encoding="iso8859-1") as tar: + for tarinfo in tar.getmembers(): + filtered = tarfile.tar_filter(tarinfo, '') + self.assertIs(filtered.name, tarinfo.name) +@@ -3994,7 +4269,7 @@ class TestExtractionFilters(unittest.TestCase): + def test_data_filter(self): + # The 'data' filter either raises, or returns TarInfo with the same + # name/type. 
+- with tarfile.TarFile.open(tarname) as tar: ++ with tarfile.TarFile.open(tarname, encoding="iso8859-1") as tar: + for tarinfo in tar.getmembers(): + try: + filtered = tarfile.data_filter(tarinfo, '') +@@ -4124,13 +4399,13 @@ class TestExtractionFilters(unittest.TestCase): + # If errorlevel is 0, errors affected by errorlevel are ignored + + with self.check_context(arc.open(errorlevel=0), extracterror_filter): +- self.expect_file('file') ++ pass + + with self.check_context(arc.open(errorlevel=0), filtererror_filter): +- self.expect_file('file') ++ pass + + with self.check_context(arc.open(errorlevel=0), oserror_filter): +- self.expect_file('file') ++ pass + + with self.check_context(arc.open(errorlevel=0), tarerror_filter): + self.expect_exception(tarfile.TarError) +@@ -4141,7 +4416,7 @@ class TestExtractionFilters(unittest.TestCase): + # If 1, all fatal errors are raised + + with self.check_context(arc.open(errorlevel=1), extracterror_filter): +- self.expect_file('file') ++ pass + + with self.check_context(arc.open(errorlevel=1), filtererror_filter): + self.expect_exception(tarfile.FilterError) +diff --git a/Misc/NEWS.d/next/Security/2025-06-02-11-32-23.gh-issue-135034.RLGjbp.rst b/Misc/NEWS.d/next/Security/2025-06-02-11-32-23.gh-issue-135034.RLGjbp.rst +new file mode 100644 +index 0000000..08a0087 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2025-06-02-11-32-23.gh-issue-135034.RLGjbp.rst +@@ -0,0 +1,6 @@ ++Fixes multiple issues that allowed ``tarfile`` extraction filters ++(``filter="data"`` and ``filter="tar"``) to be bypassed using crafted ++symlinks and hard links. ++ ++Addresses :cve:`2024-12718`, :cve:`2025-4138`, :cve:`2025-4330`, and :cve:`2025-4517`. ++ +-- +2.45.2 + diff --git a/SPECS/python3/CVE-2025-6069.patch b/SPECS/python3/CVE-2025-6069.patch new file mode 100644 index 0000000000..baea85977e --- /dev/null +++ b/SPECS/python3/CVE-2025-6069.patch 
@@ -0,0 +1,236 @@ +From 52aee1b949095af7c61c4d74ad4d91e1f1ccfa9c Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Tue, 24 Jun 2025 09:31:57 +0000 +Subject: [PATCH] CVE-2025-6069 + +Upstream Patch Reference: https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41 +--- + Lib/html/parser.py | 41 +++++--- + Lib/test/test_htmlparser.py | 94 ++++++++++++++++--- + ...-06-13-15-55-22.gh-issue-135462.KBeJpc.rst | 4 + + 3 files changed, 116 insertions(+), 23 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2025-06-13-15-55-22.gh-issue-135462.KBeJpc.rst + +diff --git a/Lib/html/parser.py b/Lib/html/parser.py +index 13c95c3..ecd5e0f 100644 +--- a/Lib/html/parser.py ++++ b/Lib/html/parser.py +@@ -25,6 +25,7 @@ entityref = re.compile('&([a-zA-Z][-.a-zA-Z0-9]*)[^a-zA-Z0-9]') + charref = re.compile('&#(?:[0-9]+|[xX][0-9a-fA-F]+)[^0-9a-fA-F]') + + starttagopen = re.compile('<[a-zA-Z]') ++endtagopen = re.compile('') + commentclose = re.compile(r'--\s*>') + # Note: +@@ -177,7 +178,7 @@ class HTMLParser(_markupbase.ParserBase): + k = self.parse_pi(i) + elif startswith("', i + 1) +- if k < 0: +- k = rawdata.find('<', i + 1) +- if k < 0: +- k = i + 1 +- else: +- k += 1 +- if self.convert_charrefs and not self.cdata_elem: +- self.handle_data(unescape(rawdata[i:k])) ++ if starttagopen.match(rawdata, i): # < + letter ++ pass ++ elif startswith("'), +- ('comment', '/img'), +- ('endtag', 'html<')]) ++ ('data', '\n')]) + + def test_starttag_junk_chars(self): ++ self._run_check("<", [('data', '<')]) ++ self._run_check("<>", [('data', '<>')]) ++ self._run_check("< >", [('data', '< >')]) ++ self._run_check("< ", [('data', '< ')]) + self._run_check("", []) ++ self._run_check("<$>", [('data', '<$>')]) + self._run_check("", [('comment', '$')]) + self._run_check("", [('endtag', 'a')]) ++ self._run_check("", [('starttag', 'a", [('endtag', 'a'", [('data', "'", []) ++ self._run_check("", [('starttag', 'a$b', [])]) + self._run_check("", [('startendtag', 'a$b', [])]) + 
self._run_check("", [('starttag', 'a$b', [])]) + self._run_check("", [('startendtag', 'a$b', [])]) ++ self._run_check("", [('endtag', 'a$b')]) + + def test_slashes_in_starttag(self): + self._run_check('', [('startendtag', 'a', [('foo', 'var')])]) +@@ -539,13 +546,56 @@ text + for html, expected in data: + self._run_check(html, expected) + +- def test_broken_comments(self): +- html = ('' ++ def test_eof_in_comments(self): ++ data = [ ++ ('', [('comment', '-!>')]), ++ ('' + '' + '' + '') + expected = [ ++ ('comment', 'ELEMENT br EMPTY'), + ('comment', ' not really a comment '), + ('comment', ' not a comment either --'), + ('comment', ' -- close enough --'), +@@ -600,6 +650,26 @@ text + ('endtag', 'a'), ('data', ' bar & baz')] + ) + ++ @support.requires_resource('cpu') ++ def test_eof_no_quadratic_complexity(self): ++ # Each of these examples used to take about an hour. ++ # Now they take a fraction of a second. ++ def check(source): ++ parser = html.parser.HTMLParser() ++ parser.feed(source) ++ parser.close() ++ n = 120_000 ++ check(" +Date: Mon, 28 Jul 2025 17:37:26 +0200 +Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member + offsets are non-negative (GH-137027) (cherry picked from commit + 7040aa54f14676938970e10c5f74ea93cd56aa38) + +Co-authored-by: Alexander Urieles +Co-authored-by: Gregory P. Smith +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/python/cpython/pull/137171.patch +--- + Lib/tarfile.py | 3 + + Lib/test/test_tarfile.py | 156 ++++++++++++++++++ + ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst | 3 + + 3 files changed, 162 insertions(+) + create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 9999a99..59d3f6e 100755 +--- a/Lib/tarfile.py ++++ b/Lib/tarfile.py +@@ -1615,6 +1615,9 @@ class TarInfo(object): + """Round up a byte count by BLOCKSIZE and return it, + e.g. _block(834) => 1024. 
+ """ ++ # Only non-negative offsets are allowed ++ if count < 0: ++ raise InvalidHeaderError("invalid offset") + blocks, remainder = divmod(count, BLOCKSIZE) + if remainder: + blocks += 1 +diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py +index 1c598e1..a6925bf 100644 +--- a/Lib/test/test_tarfile.py ++++ b/Lib/test/test_tarfile.py +@@ -50,6 +50,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2") + xzname = os.path.join(TEMPDIR, "testtar.tar.xz") + tmpname = os.path.join(TEMPDIR, "tmp.tar") + dotlessname = os.path.join(TEMPDIR, "testtar") ++SPACE = b" " + + sha256_regtype = ( + "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce" +@@ -4485,6 +4486,161 @@ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase): + ar.extractall(self.testdir, filter='fully_trusted') + + ++class OffsetValidationTests(unittest.TestCase): ++ tarname = tmpname ++ invalid_posix_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011407" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 6 bytes, version: 2 bytes ++ + tarfile.POSIX_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # devminor, space, null terminator: 8 bytes ++ + tarfile.NUL * 6 + SPACE + tarfile.NUL ++ # prefix: 155 bytes ++ + tarfile.NUL * tarfile.LENGTH_PREFIX ++ # padding: 12 bytes ++ + tarfile.NUL * 12 ++ ) ++ invalid_gnu_header = ( ++ # name: 100 bytes ++ tarfile.NUL * 
tarfile.LENGTH_NAME ++ # mode, null terminator: 8 bytes ++ + b"0000755" + tarfile.NUL ++ # uid, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"0000001" + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0011327" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # magic: 8 bytes ++ + tarfile.GNU_MAGIC ++ # uname: 32 bytes ++ + tarfile.NUL * 32 ++ # gname: 32 bytes ++ + tarfile.NUL * 32 ++ # devmajor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # devminor, null terminator: 8 bytes ++ + tarfile.NUL * 8 ++ # padding: 167 bytes ++ + tarfile.NUL * 167 ++ ) ++ invalid_v7_header = ( ++ # name: 100 bytes ++ tarfile.NUL * tarfile.LENGTH_NAME ++ # mode, space, null terminator: 8 bytes ++ + b"000755" + SPACE + tarfile.NUL ++ # uid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # gid, space, null terminator: 8 bytes ++ + b"000001" + SPACE + tarfile.NUL ++ # size, space: 12 bytes ++ + b"\xff" * 11 + SPACE ++ # mtime, space: 12 bytes ++ + tarfile.NUL * 11 + SPACE ++ # chksum: 8 bytes ++ + b"0010070" + tarfile.NUL ++ # type: 1 byte ++ + tarfile.REGTYPE ++ # linkname: 100 bytes ++ + tarfile.NUL * tarfile.LENGTH_LINK ++ # padding: 255 bytes ++ + tarfile.NUL * 255 ++ ) ++ valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT) ++ data_block = b"\xff" * tarfile.BLOCKSIZE ++ ++ def _write_buffer(self, buffer): ++ with open(self.tarname, "wb") as f: ++ f.write(buffer) ++ ++ def _get_members(self, ignore_zeros=None): ++ with open(self.tarname, "rb") as f: ++ with tarfile.open( ++ mode="r", fileobj=f, ignore_zeros=ignore_zeros ++ ) as tar: ++ return tar.getmembers() ++ ++ def _assert_raises_read_error_exception(self): ++ with self.assertRaisesRegex( ++ tarfile.ReadError, "file could not be opened successfully" ++ ): 
++ self._get_members() ++ ++ def test_invalid_offset_header_validations(self): ++ for tar_format, invalid_header in ( ++ ("posix", self.invalid_posix_header), ++ ("gnu", self.invalid_gnu_header), ++ ("v7", self.invalid_v7_header), ++ ): ++ with self.subTest(format=tar_format): ++ self._write_buffer(invalid_header) ++ self._assert_raises_read_error_exception() ++ ++ def test_early_stop_at_invalid_offset_header(self): ++ buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header ++ self._write_buffer(buffer) ++ members = self._get_members() ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, 0) ++ ++ def test_ignore_invalid_archive(self): ++ # 3 invalid headers with their respective data ++ buffer = (self.invalid_gnu_header + self.data_block) * 3 ++ self._write_buffer(buffer) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 0) ++ ++ def test_ignore_invalid_offset_headers(self): ++ for first_block, second_block, expected_offset in ( ++ ( ++ (self.valid_gnu_header), ++ (self.invalid_gnu_header + self.data_block), ++ 0, ++ ), ++ ( ++ (self.invalid_gnu_header + self.data_block), ++ (self.valid_gnu_header), ++ 1024, ++ ), ++ ): ++ self._write_buffer(first_block + second_block) ++ members = self._get_members(ignore_zeros=True) ++ self.assertEqual(len(members), 1) ++ self.assertEqual(members[0].name, "filename") ++ self.assertEqual(members[0].offset, expected_offset) ++ ++ + def setUpModule(): + os_helper.unlink(TEMPDIR) + os.makedirs(TEMPDIR) +diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +new file mode 100644 +index 0000000..342cabb +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst +@@ -0,0 +1,3 @@ ++:mod:`tarfile` now validates archives to ensure member offsets are ++non-negative. 
(Contributed by Alexander Enrique Urieles Nieto in ++:gh:`130577`.) +-- +2.45.4 + diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index bfe6096aa5..27424b1f00 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -6,7 +6,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.12.9 -Release: 1%{?dist} +Release: 4%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,10 @@ Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.t # It has been removed in Python-3.12.0.tar.xz, but as our packages still require it, we will still provide for now. Source1: https://github.com/python/cpython/blob/3.9/Tools/scripts/pathfix.py Patch0: cgi3.patch +Patch1: CVE-2025-4516.patch +Patch2: CVE-2025-4517.patch +Patch3: CVE-2025-6069.patch +Patch4: CVE-2025-8194.patch BuildRequires: bzip2-devel BuildRequires: expat-devel >= 2.1.0 @@ -169,7 +173,8 @@ rm %{buildroot}%{_bindir}/2to3 rm -rf %{buildroot}%{_bindir}/__pycache__ %check -%{buildroot}%{_bindir}/python3 -m test +# vsock_loopback module needed by `test_socket` is not loaded by default in AzureLinux. +%{buildroot}%{_bindir}/python3 -m test --exclude test_socket %ldconfig_scriptlets @@ -238,6 +243,16 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python%{majmin}/test/* %changelog +* Wed Aug 06 2025 Azure Linux Security Servicing Account - 3.12.9-4 +- Patch for CVE-2025-8194 + +* Tue Jul 01 2025 Jyoti Kanase - 3.12.9-3 +- Patch CVE-2025-6069 +- Fixed the test in %check + +* Tue Jun 10 2025 Jyoti Kanase - 3.12.9-2 +- Patch CVE-2025-4516, CVE-2025-4517, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4330 + * Mon Feb 17 2025 CBL-Mariner Servicing Account - 3.12.9-1 - Auto-upgrade to 3.12.9 - to fix CVE-2025-0938 & CVE-2024-4032 - Clean up the earlier patches not needed anymore diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec index 1a6f6dc366..1528fa6457 100644 --- a/SPECS/qemu/qemu.spec 
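Review bot: The docstring of `_block` in the Lib/tarfile.py hunk still describes pure rounding, although the added guard now makes it raise `InvalidHeaderError` for a negative count. Because the check sits in this shared helper rather than where the header fields are decoded, any caller of `_block` can now see that exception, so the docstring should say so, e.g. `Raise InvalidHeaderError if count is negative.` The three `invalid_*_header` fixtures in the test hunk use a size field of `b"\xff" * 11`, which presumably decodes to a negative number; a one-line comment stating that next to the fixtures would make the intent of the tests clear. The `TarInfo` class body that contains `_block` starts outside the hunk.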
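Review bot: `--exclude test_socket` in `%check` drops the whole socket test module, not only the cases that need `vsock_loopback`, so the build-time test run no longer exercises any socket code, in the same change that adds four security patches. If only the vsock cases fail, regrtest's `-i`/`--ignore` pattern option could skip just those and leave the rest of `test_socket` running; the pattern would have to be checked against the test names, which are not visible here. Separately, the 3.12.9-2 changelog entry lists CVE-2025-4330 twice.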
+++ b/SPECS/qemu/qemu.spec @@ -446,7 +446,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38 Summary: QEMU is a FAST! processor emulator Name: qemu Version: 9.1.0 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0 URL: http://www.qemu.org/ @@ -722,11 +722,11 @@ BuildRequires: rutabaga-gfx-ffi-devel %endif %if 0%{?emt} # Builds on centos-stream 9 require python-tomli -BuildRequires: python-tomli +BuildRequires: python3-tomli %endif %if %{user_static} -BuildRequires: glibc-static >= 2.38-10 +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: glib2-static BuildRequires: zlib-static # -latomic added by GLib 2.81.0, 2024-06-28 @@ -3533,6 +3533,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Mon Sep 8 2025 Chee Yang Lee - 9.1.0-3 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump to rebuild with updated glibc +- python-tomli -> python3-tomli + * Mon Aug 4 2025 Tong Liang Chew - 9.1.0-2 - Added 3 patches from Intel Distribution Qemu Commit 29ed545 - Resolved Qemu memory-leak issue. diff --git a/SPECS/qtbase/CVE-2025-5455.patch b/SPECS/qtbase/CVE-2025-5455.patch new file mode 100644 index 0000000000..4d9d774f7a --- /dev/null +++ b/SPECS/qtbase/CVE-2025-5455.patch 
@@ -0,0 +1,49 @@ +From 25c4ed587ff4b16ea682721ffad16031bb91f03e Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Tue, 15 Jul 2025 06:19:38 +0000 +Subject: [PATCH] Address CVE-2025-5455 + +Upstream patch reference: + 1. https://download.qt.io/official_releases/qt/6.5/CVE-2025-5455-qtbase-6.5.patch + 2. for test: https://codereview.qt-project.org/c/qt/qtbase/+/642006/7/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp +--- + src/corelib/io/qdataurl.cpp | 9 +++++---- + tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp | 2 ++ + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp +index 92c6f541..9ace4e1f 100644 +--- a/src/corelib/io/qdataurl.cpp ++++ b/src/corelib/io/qdataurl.cpp +@@ -42,10 +42,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray + } + + if (QLatin1StringView{data}.startsWith("charset"_L1, Qt::CaseInsensitive)) { +- qsizetype i = 7; // strlen("charset") +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ qsizetype prefixSize = 7; // strlen("charset") ++ QByteArrayView copy(data.constData() + prefixSize, data.size() - prefixSize); ++ while (copy.startsWith(' ')) ++ copy = copy.sliced(1); ++ if (copy.startsWith('=')) + data.prepend("text/plain;"); + } + +diff --git a/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp b/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp +index 8cc1b0ae..c1db6d59 100644 +--- a/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp ++++ b/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp +@@ -34,6 +34,8 @@ void tst_QDataUrl::decode_data() + "text/plain"_L1, QByteArray::fromPercentEncoding("%E2%88%9A")); + row("everythingIsCaseInsensitive", "Data:texT/PlaiN;charSet=iSo-8859-1;Base64,SGVsbG8=", true, + "texT/PlaiN;charSet=iSo-8859-1"_L1, QByteArrayLiteral("Hello")); ++ row("prematureCharsetEnd", "data:charset,", true, ++ "charset", ""); // nonsense result, but don't crash + } + + void tst_QDataUrl::decode() +-- +2.45.2 + 
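Review bot: The `QByteArrayView` named `copy` in `qDecodeDataUrl` is not a copy but a view into `data`, and the `data.prepend("text/plain;")` that follows it may reallocate that buffer. The code is correct as written because the view is not read after the prepend, but the name invites a later edit that would read through a stale view; I would rename it (e.g. `rest`) and add `// view into data; must not be used after data.prepend() below`. The added test row covers only `data:charset,`; a row with spaces after `charset` and nothing else would exercise the other bounds problem of the old `while (data.at(i) == ' ')` loop. The function body starts and ends outside the hunk.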
diff --git a/SPECS/qtbase/qtbase.spec b/SPECS/qtbase/qtbase.spec index 74456dd16e..cc7db91a5d 100644 --- a/SPECS/qtbase/qtbase.spec +++ b/SPECS/qtbase/qtbase.spec @@ -35,7 +35,7 @@ Name: qtbase Summary: Qt6 - QtBase components Version: 6.6.3 -Release: 3%{?dist} +Release: 4%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -98,6 +98,7 @@ Patch61: qtbase-cxxflag.patch # fix for new mariadb Patch65: qtbase-mysql.patch Patch66: CVE-2025-30348.patch +Patch67: CVE-2025-5455.patch # Do not check any files in %%{_qt_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are @@ -702,6 +703,9 @@ fi %{_qt_plugindir}/platformthemes/libqxdgdesktopportal.so %changelog +* Fri Jun 27 2025 Akhila Guruju - 6.6.3-4 +- Patch CVE-2025-5455 + * Wed Mar 26 2025 Jyoti Kanase - 6.6.3-3 - Fix CVE-2025-30348 diff --git a/SPECS/rpm-ostree/rpm-ostree.spec b/SPECS/rpm-ostree/rpm-ostree.spec index 703d6a763a..d88b05c2ad 100644 --- a/SPECS/rpm-ostree/rpm-ostree.spec +++ b/SPECS/rpm-ostree/rpm-ostree.spec @@ -1,7 +1,7 @@ Summary: Commit RPMs to an OSTree repository Name: rpm-ostree Version: 2024.4 -Release: 3%{?dist} +Release: 5%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -178,6 +178,12 @@ make check %{_datadir}/gir-1.0/*-1.0.gir %changelog +* Mon Jul 21 2025 Jyoti Kanase - 2024.4-5 +- Bump release to rebuild with rust + +* Tue Jun 10 2025 Kavya Sree Kaitepalli - 2024.4-4 +- Bump release to rebuild with rust + * Fri May 16 2025 Jyoti Kanase - 2024.4-3 - Patch CVE-2024-2905 diff --git a/SPECS/ruby/CVE-2025-24294.patch b/SPECS/ruby/CVE-2025-24294.patch new file mode 100644 index 0000000000..ca09c37069 --- /dev/null +++ b/SPECS/ruby/CVE-2025-24294.patch 
@@ -0,0 +1,56 @@ +From 0402b9455a79af510e18bbd60f83427fe30fea86 Mon Sep 17 00:00:00 2001 +From: BinduSri-6522866 +Date: Tue, 15 Jul 2025 07:41:43 +0000 +Subject: [PATCH] Address CVE-2025-24294 + +Upstream Patch reference: https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25 +--- + lib/resolv.rb | 6 +++++- + test/resolv/test_dns.rb | 7 +++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/lib/resolv.rb b/lib/resolv.rb +index 57fd173..778891c 100644 +--- a/lib/resolv.rb ++++ b/lib/resolv.rb +@@ -1655,6 +1655,7 @@ class Resolv + prev_index = @index + save_index = nil + d = [] ++ size = -1 + while true + raise DecodeError.new("limit exceeded") if @limit <= @index + case @data.getbyte(@index) +@@ -1675,7 +1676,10 @@ class Resolv + end + @index = idx + else +- d << self.get_label ++ l = self.get_label ++ d << l ++ size += 1 + l.string.bytesize ++ raise DecodeError.new("name label data exceed 255 octets") if size > 255 + end + end + end +diff --git a/test/resolv/test_dns.rb b/test/resolv/test_dns.rb +index 20c3408..c25026e 100644 +--- a/test/resolv/test_dns.rb ++++ b/test/resolv/test_dns.rb +@@ -589,6 +589,13 @@ class TestResolvDNS < Test::Unit::TestCase + assert_operator(2**14, :<, m.to_s.length) + end + ++ def test_too_long_address ++ too_long_address_message = [0, 0, 1, 0, 0, 0].pack("n*") + "\x01x" * 129 + [0, 0, 0].pack("cnn") ++ assert_raise_with_message(Resolv::DNS::DecodeError, /name label data exceed 255 octets/) do ++ Resolv::DNS::Message.decode too_long_address_message ++ end ++ end ++ + def assert_no_fd_leak + socket = assert_throw(self) do |tag| + Resolv::DNS.stub(:bind_random_port, ->(s, *) {throw(tag, s)}) do +-- +2.45.3 + diff --git a/SPECS/ruby/CVE-2025-6442.patch b/SPECS/ruby/CVE-2025-6442.patch new file mode 100644 index 0000000000..091180066e --- /dev/null +++ b/SPECS/ruby/CVE-2025-6442.patch 
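Review bot: The new `size` counter in the label loop of lib/resolv.rb has no comment saying what it measures, and the bound it enforces is not the wire-format one. Starting at `-1` and adding `1 + l.string.bytesize` per label, it equals the length of the name in dotted text form, so `size > 255` still accepts names whose encoded form (length octets plus the root label) is up to 257 octets. If the intent is RFC 1035's 255-octet limit on the encoded name, the check would be `size > 253`; otherwise a comment such as `# size: length of the name in dotted form, without the root label` would document the choice. The test uses 129 one-byte labels, which is just past the limit; a case at exactly 255 would pin the boundary. The method this loop belongs to starts outside the hunk.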
@@ -0,0 +1,438 @@ +From ff3ca257883a064cb86d5b4b137cade8403afade Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Thu, 26 Jun 2025 16:33:15 -0700 +Subject: [PATCH] [High] Patch ruby for CVE-2025-6442 + +Upstream Patch Link: https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101.patch +--- + tool/lib/webrick/httprequest.rb | 4 +- + tool/lib/webrick/httputils.rb | 7 +- + tool/test/webrick/test_filehandler.rb | 2 +- + tool/test/webrick/test_httprequest.rb | 146 ++++++++++++++++++++++---- + 4 files changed, 131 insertions(+), 28 deletions(-) + +diff --git a/tool/lib/webrick/httprequest.rb b/tool/lib/webrick/httprequest.rb +index d34eac7..fa3ba6b 100644 +--- a/tool/lib/webrick/httprequest.rb ++++ b/tool/lib/webrick/httprequest.rb +@@ -458,7 +458,7 @@ module WEBrick + end + + @request_time = Time.now +- if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line ++ if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line + @request_method = $1 + @unparsed_uri = $2 + @http_version = HTTPVersion.new($3 ? $3 : "0.9") +@@ -471,7 +471,7 @@ module WEBrick + def read_header(socket) + if socket + while line = read_line(socket) +- break if /\A(#{CRLF}|#{LF})\z/om =~ line ++ break if /\A#{CRLF}\z/om =~ line + if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH + raise HTTPStatus::RequestEntityTooLarge, 'headers too large' + end +diff --git a/tool/lib/webrick/httputils.rb b/tool/lib/webrick/httputils.rb +index e21284e..6b68469 100644 +--- a/tool/lib/webrick/httputils.rb ++++ b/tool/lib/webrick/httputils.rb +@@ -147,16 +147,19 @@ module WEBrick + field = nil + raw.each_line{|line| + case line +- when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om ++ when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om + field, value = $1, $2 + field.downcase! 
+ header[field] = [] unless header.has_key?(field) + header[field] << value +- when /^\s+(.*?)\s*\z/om ++ when /^\s+([^\r\n\0]*?)\r\n/om + value = $1 + unless field + raise HTTPStatus::BadRequest, "bad header '#{line}'." + end ++ value = line ++ value.lstrip! ++ value.slice!(-2..-1) + header[field][-1] << " " << value + else + raise HTTPStatus::BadRequest, "bad header '#{line}'." +diff --git a/tool/test/webrick/test_filehandler.rb b/tool/test/webrick/test_filehandler.rb +index 9c5b83e..ed4b378 100644 +--- a/tool/test/webrick/test_filehandler.rb ++++ b/tool/test/webrick/test_filehandler.rb +@@ -33,7 +33,7 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase + Range: #{range_spec} + + END_OF_REQUEST +- return StringIO.new(msg.gsub(/^ {6}/, "")) ++ return StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n")) + end + + def make_range_response(file, range_spec) +diff --git a/tool/test/webrick/test_httprequest.rb b/tool/test/webrick/test_httprequest.rb +index 3c0ea93..84bc2bd 100644 +--- a/tool/test/webrick/test_httprequest.rb ++++ b/tool/test/webrick/test_httprequest.rb +@@ -11,7 +11,7 @@ class TestWEBrickHTTPRequest < Test::Unit::TestCase + + def test_simple_request + msg = <<-_end_of_message_ +-GET / ++GET /\r + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) +@@ -24,7 +24,7 @@ GET / + foobar # HTTP/0.9 request don't have header nor entity body. 
+ _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/", req.unparsed_uri) + assert_equal(WEBrick::HTTPVersion.new("0.9"), req.http_version) +@@ -41,7 +41,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/", req.unparsed_uri) + assert_equal(WEBrick::HTTPVersion.new("1.0"), req.http_version) +@@ -58,7 +58,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/path", req.unparsed_uri) + assert_equal("", req.script_name) +@@ -77,7 +77,7 @@ GET / + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + assert_raise(WEBrick::HTTPStatus::RequestURITooLarge){ +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + } + end + +@@ -93,13 +93,13 @@ GET / + Accept-Language: en;q=0.5, *; q=0 + Accept-Language: ja + Content-Type: text/plain +- Content-Length: 7 ++ Content-Length: 8 + X-Empty-Header: + + foobar + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal( + URI.parse("http://test.ruby-lang.org:8080/path"), req.request_uri) + assert_equal("test.ruby-lang.org", req.host) +@@ -110,9 +110,9 @@ GET / + req.accept) + assert_equal(%w(gzip compress identity *), req.accept_encoding) + assert_equal(%w(ja en *), 
req.accept_language) +- assert_equal(7, req.content_length) ++ assert_equal(8, req.content_length) + assert_equal("text/plain", req.content_type) +- assert_equal("foobar\n", req.body) ++ assert_equal("foobar\r\n", req.body) + assert_equal("", req["x-empty-header"]) + assert_equal(nil, req["x-no-header"]) + assert(req.query.empty?) +@@ -121,7 +121,7 @@ GET / + def test_parse_header2() + msg = <<-_end_of_message_ + POST /foo/bar/../baz?q=a HTTP/1.0 +- Content-Length: 9 ++ Content-Length: 10 + User-Agent: + FOO BAR + BAZ +@@ -129,14 +129,14 @@ GET / + hogehoge + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("POST", req.request_method) + assert_equal("/foo/baz", req.path) + assert_equal("", req.script_name) + assert_equal("/foo/baz", req.path_info) +- assert_equal("9", req['content-length']) ++ assert_equal("10", req['content-length']) + assert_equal("FOO BAR BAZ", req['user-agent']) +- assert_equal("hogehoge\n", req.body) ++ assert_equal("hogehoge\r\n", req.body) + end + + def test_parse_headers3 +@@ -146,7 +146,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://test.ruby-lang.org/path"), req.request_uri) + assert_equal("test.ruby-lang.org", req.host) + assert_equal(80, req.port) +@@ -157,7 +157,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://192.168.1.1/path"), req.request_uri) + assert_equal("192.168.1.1", req.host) + assert_equal(80, req.port) +@@ -168,7 +168,7 @@ GET / + + _end_of_message_ + req = 
WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://[fe80::208:dff:feef:98c7]/path"), + req.request_uri) + assert_equal("[fe80::208:dff:feef:98c7]", req.host) +@@ -180,7 +180,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://192.168.1.1:8080/path"), req.request_uri) + assert_equal("192.168.1.1", req.host) + assert_equal(8080, req.port) +@@ -191,7 +191,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://[fe80::208:dff:feef:98c7]:8080/path"), + req.request_uri) + assert_equal("[fe80::208:dff:feef:98c7]", req.host) +@@ -206,7 +206,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + query = req.query + assert_equal("1", query["foo"]) + assert_equal(["1", "2", "3"], query["foo"].to_ary) +@@ -226,7 +226,7 @@ GET / + #{param} + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + query = req.query + assert_equal("1", query["foo"]) + assert_equal(["1", "2", "3"], query["foo"].to_ary) +@@ -245,6 +245,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + File.open(__FILE__){|io| + while chunk = io.read(100) + msg << chunk.size.to_s(16) << crlf +@@ -276,6 +277,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", 
"\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server.example.com", req.server_name) +@@ -296,6 +298,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server.example.com", req.server_name) +@@ -318,6 +321,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server.example.com", req.server_name) +@@ -340,6 +344,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -362,6 +367,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -384,6 +390,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -401,6 +408,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert req['expect'] +@@ -417,6 +425,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert !req['expect'] +@@ -448,7 +457,7 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::LengthRequired){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ 
req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + req.body + } + +@@ -461,7 +470,7 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::BadRequest){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + req.body + } + +@@ -474,11 +483,102 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::NotImplemented){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + req.body + } ++ ++ def test_bare_lf_request_line ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_bare_lf_header ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Length: 0 ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_bare_cr_request_line ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } + end + ++ def test_bare_cr_header ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Type: foo\rbar\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_invalid_request_lines ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ 
++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET /\r HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 \r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ end ++ + def test_eof_raised_when_line_is_nil + assert_raise(WEBrick::HTTPStatus::EOFError) { + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +-- +2.34.1 + diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index daa4e70b56..bd8ebf8fc2 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -87,7 +87,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: %{ruby_version} -Release: 3%{?dist} +Release: 5%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -110,6 +110,8 @@ Patch3: CVE-2025-25186.patch Patch4: CVE-2025-27219.patch Patch5: CVE-2025-27220.patch Patch6: CVE-2025-27221.patch +Patch7: CVE-2025-6442.patch +Patch8: CVE-2025-24294.patch BuildRequires: openssl-devel # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem. BuildRequires: pkgconfig(yaml-0.1) 
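Review bot: In the embedded `test_httprequest.rb` hunk `@@ -474,11 +483,102 @@`, `def test_bare_lf_request_line` is added directly after the closing `}` of the `assert_raise(WEBrick::HTTPStatus::NotImplemented)` block and before the enclosing method's `end`, and an extra `end` is added just above `test_eof_raised_when_line_is_nil`; judging by the order of the added lines, the five new bare-CR/LF tests end up nested inside the preceding test method, so the test runner probably never collects them. Moving the added block below that method's `end` and dropping the extra `end` would make the regression tests for this CVE actually run. Separately, in the `httputils.rb` hunk the continuation-line pattern still opens with `\s+`, which also matches a bare CR, has no `\z` anchor unlike the field-line pattern, and keeps `value = $1` even though the added `value = line` overwrites it. Something like `when /^[ \t]+([^\r\n\0]*?)\r\n\z/om` with the dead assignment removed would bring that branch to the same strictness. The enclosing methods start outside the visible hunks and the page has lost indentation, so the nesting is inferred rather than confirmed.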
@@ -414,7 +416,13 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog -* Tue Mar 15 2025 Kanishk Bansal - 3.3.5-3 +* Tue Jul 15 2025 BinduSri Adabala - 3.3.5-5 +- Patch CVE-2025-24294 + +* Thu Jun 26 2025 Kevin Lockwood - 3.3.5-4 +- Patch CVE-2025-6442 + +* Sat Mar 15 2025 Kanishk Bansal - 3.3.5-3 - Patch CVE-2025-27219, CVE-2025-27220, CVE-2025-27221 * Mon Feb 17 2025 Sreeniavsulu Malavathula - 3.3.5-2 diff --git a/SPECS/rubygem-async-http/rubygem-async-http.signatures.json b/SPECS/rubygem-async-http/rubygem-async-http.signatures.json deleted file mode 100644 index 0f088b0586..0000000000 --- a/SPECS/rubygem-async-http/rubygem-async-http.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "async-http-0.63.0.tar.gz": "9af963a2b685f221c58236655450706dd0b59231440f4e5901a7f32df26e9148" - } -} \ No newline at end of file diff --git a/SPECS/rubygem-async-http/rubygem-async-http.spec b/SPECS/rubygem-async-http/rubygem-async-http.spec deleted file mode 100644 index aa73584c82..0000000000 --- a/SPECS/rubygem-async-http/rubygem-async-http.spec +++ /dev/null 
@@ -1,53 +0,0 @@ -# Disabled debuginfo package as the autogenerated 'debugfiles.list' file is empty. -# In other words there were no debug symbols to package. -%global debug_package %{nil} -%global gem_name async-http -Summary: A HTTP client and server library -Name: rubygem-%{gem_name} -Version: 0.63.0 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://github.com/socketry/async-http -Source0: https://github.com/socketry/async-http/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -BuildRequires: ruby -Requires: rubygem-async -Requires: rubygem-async-io -Requires: rubygem-async-pool -Requires: rubygem-protocol-http -Requires: rubygem-protocol-http1 -Requires: rubygem-protocol-http2 -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -An asynchronous client and server implementation of HTTP/1.0, -HTTP/1.1 and HTTP/2 including TLS. Support for streaming requests -and responses. - -%prep -%setup -q -n %{gem_name}-%{version} -%gemspec_clear_signing - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%{gemdir} - -%changelog -* Mon Jan 29 2024 CBL-Mariner Servicing Account - 0.63.0-1 -- Auto-upgrade to 0.63.0 - Azure Linux 3.0 - package upgrades. - -* Wed Jun 22 2022 Neha Agarwal - 0.56.5-1 -- Update to v0.56.5. -- Build from .tar.gz source. - -* Mon Jan 04 2021 Henry Li - 0.50.13-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-async-io/rubygem-async-io.signatures.json b/SPECS/rubygem-async-io/rubygem-async-io.signatures.json deleted file mode 100644 index cf412001e0..0000000000 --- a/SPECS/rubygem-async-io/rubygem-async-io.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "async-io-1.35.0.tar.gz": "0c51170ad99ebc3dd12324ee5b0c53313bc0869081062549e7f4e0698691ed43" - } -} 
diff --git a/SPECS/rubygem-async-io/rubygem-async-io.spec b/SPECS/rubygem-async-io/rubygem-async-io.spec deleted file mode 100644 index 0cdb4c49f1..0000000000 --- a/SPECS/rubygem-async-io/rubygem-async-io.spec +++ /dev/null @@ -1,44 +0,0 @@ -%global debug_package %{nil} -%global gem_name async-io -Summary: Concurrent wrappers for native Ruby IO & Sockets -Name: rubygem-%{gem_name} -Version: 1.35.0 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://github.com/socketry/async-io -Source0: https://github.com/socketry/async-io/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -BuildRequires: ruby -Requires: rubygem-async -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -Async::IO provides builds on async and provides asynchronous -wrappers for IO, Socket, and related classes. - -%prep -%setup -q -n %{gem_name}-%{version} - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%{gemdir} - -%changelog -* Thu Nov 02 2023 CBL-Mariner Servicing Account - 1.35.0-1 -- Auto-upgrade to 1.35.0 - Azure Linux 3.0 - package upgrades - -* Wed Jun 22 2022 Neha Agarwal - 1.33.0-1 -- Update to v1.33.0. -- Build from .tar.gz source. - -* Mon Jan 04 2021 Henry Li - 1.30.1-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-async-pool/remove-pem.patch b/SPECS/rubygem-async-pool/remove-pem.patch deleted file mode 100644 index 13e081aef0..0000000000 --- a/SPECS/rubygem-async-pool/remove-pem.patch +++ /dev/null 
@@ -1,11 +0,0 @@ -diff -ruN a/async-pool.gemspec b/async-pool.gemspec ---- a/async-pool.gemspec 2021-09-30 03:11:11.000000000 -0700 -+++ b/async-pool.gemspec 2022-04-09 11:08:39.040169139 -0700 -@@ -10,7 +10,6 @@ - spec.license = "MIT" - - spec.cert_chain = ['release.cert'] -- spec.signing_key = File.expand_path('~/.gem/release.pem') - - spec.homepage = "https://github.com/socketry/async-pool" - diff --git a/SPECS/rubygem-async-pool/rubygem-async-pool.signatures.json b/SPECS/rubygem-async-pool/rubygem-async-pool.signatures.json deleted file mode 100644 index 73fda627f8..0000000000 --- a/SPECS/rubygem-async-pool/rubygem-async-pool.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "async-pool-0.4.0.tar.gz": "baa44734e7407f30a6c3d7106a62d4982bfa78f12f44afb08f6af73da1bc6f15" - } -} diff --git a/SPECS/rubygem-async-pool/rubygem-async-pool.spec b/SPECS/rubygem-async-pool/rubygem-async-pool.spec deleted file mode 100644 index 1ff7ee8999..0000000000 --- a/SPECS/rubygem-async-pool/rubygem-async-pool.spec +++ /dev/null 
@@ -1,44 +0,0 @@ -%global debug_package %{nil} -%global gem_name async-pool -Summary: Provides support for connection pooling both singleplex and multiplex resources -Name: rubygem-%{gem_name} -Version: 0.4.0 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://github.com/socketry/async-pool -Source0: https://github.com/socketry/async-pool/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -Patch0: remove-pem.patch -BuildRequires: ruby -Requires: rubygem-async -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -Provides support for connection pooling both singleplex and multiplex resources. - -%prep -%autosetup -p1 -n %{gem_name}-%{version} - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%{gemdir} - -%changelog -* Thu Nov 02 2023 CBL-Mariner Servicing Account - 0.4.0-1 -- Auto-upgrade to 0.4.0 - Azure Linux 3.0 - package upgrades - -* Wed Jun 22 2022 Neha Agarwal - 0.3.9-1 -- Update to v0.3.9. -- Build from .tar.gz source. - -* Mon Jan 04 2021 Henry Li - 0.3.3-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-async/rubygem-async.signatures.json b/SPECS/rubygem-async/rubygem-async.signatures.json deleted file mode 100644 index e08268ad82..0000000000 --- a/SPECS/rubygem-async/rubygem-async.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "async-2.8.0.tar.gz": "4d681ed7b6664610d10ac68e5ef69f77abbe51ca05c116458323e1398f2cc812" - } -} \ No newline at end of file diff --git a/SPECS/rubygem-async/rubygem-async.spec b/SPECS/rubygem-async/rubygem-async.spec deleted file mode 100644 index 5ab87a6ec8..0000000000 --- a/SPECS/rubygem-async/rubygem-async.spec +++ /dev/null 
@@ -1,49 +0,0 @@ -# Disabled debuginfo package as the autogenerated 'debugfiles.list' file is empty. -# In other words there were no debug symbols to package. -%global debug_package %{nil} -%global gem_name async -Summary: An awesome asynchronous event-driven reactor for Ruby -Name: rubygem-%{gem_name} -Version: 2.8.0 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://github.com/socketry/async -Source0: https://github.com/socketry/async/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -BuildRequires: ruby -Requires: rubygem-console -Requires: rubygem-nio4r -Requires: rubygem-timers -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -Async is a composable asynchronous I/O framework -for Ruby based on nio4r and timers. - -%prep -%setup -q -n %{gem_name}-%{version} -%gemspec_clear_signing - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%{gemdir} - -%changelog -* Mon Jan 29 2024 CBL-Mariner Servicing Account - 2.8.0-1 -- Auto-upgrade to 2.8.0 - Azure Linux 3.0 - package upgrades. - -* Wed Jun 22 2022 Neha Agarwal - 1.30.2-1 -- Update to v1.30.2. -- Build from .tar.gz source. - -* Mon Jan 04 2021 Henry Li - 1.27.0-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-console/rubygem-console.signatures.json b/SPECS/rubygem-console/rubygem-console.signatures.json deleted file mode 100644 index a4464745d8..0000000000 --- a/SPECS/rubygem-console/rubygem-console.signatures.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "Signatures": { - "console-1.23.3.tar.gz": "0951b3c761226fbe92d8e20a1383ec7ab970a9be73adebbc2d88f66b4e55bffa" - } -} \ No newline at end of file 
diff --git a/SPECS/rubygem-console/rubygem-console.spec b/SPECS/rubygem-console/rubygem-console.spec deleted file mode 100644 index ad91cf1d0c..0000000000 --- a/SPECS/rubygem-console/rubygem-console.spec +++ /dev/null @@ -1,50 +0,0 @@ -# Disabled debuginfo package as the autogenerated 'debugfiles.list' file is empty. -# In other words there were no debug symbols to package. -%global debug_package %{nil} -%global gem_name console -Summary: Logging for Ruby -Name: rubygem-console -Version: 1.23.3 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://socketry.github.io/console/ -Source0: https://github.com/socketry/console/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -BuildRequires: ruby -Requires: rubygem-fiber-local -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -Provides console logging for Ruby applications. -Implements fast, buffered log output. - -%prep -%setup -q -n %{gem_name}-%{version} -%gemspec_clear_signing - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%{gemdir} - -%changelog -* Tue Jan 30 2024 CBL-Mariner Servicing Account - 1.23.3-1 -- Auto-upgrade to 1.23.3 - Azure Linux 3.0 - package upgrades. -- Removed gem signing. - -* Tue Jul 19 2022 Neha Agarwal - 1.10.1-3 -- Add provides. - -* Tue Mar 22 2022 Neha Agarwal - 1.10.1-2 -- Build from .tar.gz source. - -* Wed Jan 06 2021 Henry Li - 1.10.1-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.signatures.json b/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.signatures.json deleted file mode 100644 index 5786071705..0000000000 --- a/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.signatures.json +++ /dev/null 
@@ -1,5 +0,0 @@ -{ - "Signatures": { - "faraday-patron-2.0.1.tar.gz": "554c2954ce8ad848dbbb818f0e4be2a125c66cb6934fbbdcb4f85cccf1cb8e60" - } -} diff --git a/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.spec b/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.spec deleted file mode 100644 index 47afe5ac91..0000000000 --- a/SPECS/rubygem-faraday-patron/rubygem-faraday-patron.spec +++ /dev/null @@ -1,43 +0,0 @@ -# Disabled debuginfo package as the autogenerated 'debugfiles.list' file is empty. -# In other words there were no debug symbols to package. -%global debug_package %{nil} -%global gem_name faraday-patron -Summary: Faraday adapter for Patron -Name: rubygem-%{gem_name} -Version: 2.0.1 -Release: 1%{?dist} -License: MIT -Vendor: Microsoft Corporation -Distribution: Azure Linux -Group: Development/Languages -URL: https://github.com/lostisland/faraday-patron -Source0: https://github.com/lostisland/faraday-patron/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz -BuildRequires: git -BuildRequires: ruby -Requires: ruby(release) -Provides: rubygem(%{gem_name}) = %{version}-%{release} - -%description -This gem is a Faraday adapter for the Patron library. Faraday is an HTTP client library that provides a common interface over many adapters. Every adapter is defined into its own gem. This gem defines the adapter for Patron. - -%prep -%autosetup -n %{gem_name}-%{version} - -%build -gem build %{gem_name} - -%install -gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem - -%files -%defattr(-,root,root,-) -%license LICENSE.md -%{gemdir} - -%changelog -* Wed Jan 31 2024 Pawel Winogrodzki - 2.0.1-1 -- Upgrading to the latest version. - -* Mon Jun 13 2022 Neha Agarwal - 1.0.0-1 -- License verified -- Original version for CBL-Mariner diff --git a/SPECS/rubygem-introspection/rubygem-introspection.spec b/SPECS/rubygem-introspection/rubygem-introspection.spec index d619b18ef4..3fc3758a84 100644 
--- a/SPECS/rubygem-introspection/rubygem-introspection.spec +++ b/SPECS/rubygem-introspection/rubygem-introspection.spec @@ -2,7 +2,7 @@ Summary: Dynamic inspection of the hierarchy of method definitions on a Ruby object Name: rubygem-%{gem_name} Version: 0.0.4 -Release: 13%{?dist} +Release: 14%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -50,12 +50,16 @@ cp Rakefile %{buildroot}%{gem_instdir}/ cp Gemfile %{buildroot}%{gem_instdir}/ %check -pushd .%{gem_instdir} # Disable Bundler. -sed -i '/bundler\/setup/ d' test/test_helper.rb - +# Drop BlankSlate test case. There should be no need for BlankSlate, when +# there is BasicObject available for years. +# https://github.com/floehopper/introspection/issues/11 +sed -i -e '/require.*blankslate/ s/^/#/' \ + -e '/def test_should_cope_with_blankslate_object$/a\\ skip' \ + test/snapshot_test.rb + +sed -i '/require "bundler\/setup"/ d' test/test_helper.rb ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)' -popd %files %license %{gem_instdir}/COPYING.txt @@ -73,6 +77,9 @@ popd %doc %{gem_docdir} %changelog +* Wed May 21 2025 Riken Maharjan - 0.0.4-14 +- Fix ptest by not using bundler and skiping a known failing test case using Fedora 42 (License: MIT) + * Tue Mar 22 2022 Neha Agarwal - 0.0.4-13 - Build from .tar.gz source. diff --git a/SPECS/rubygem-metaclass/rubygem-metaclass.spec b/SPECS/rubygem-metaclass/rubygem-metaclass.spec index 7a5a8b843e..2b7d2d9a0d 100644 --- a/SPECS/rubygem-metaclass/rubygem-metaclass.spec +++ b/SPECS/rubygem-metaclass/rubygem-metaclass.spec @@ -3,7 +3,7 @@ Summary: Adds a metaclass method to all Ruby objects Name: rubygem-%{gem_name} Version: 0.0.4 -Release: 16%{?dist} +Release: 17%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux 
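Review bot: The Bundler workaround in `%check` now matches only `require "bundler\/setup"` with double quotes, where the removed line matched any `bundler/setup` reference; `sed -i` exits 0 when nothing matches, so if `test/test_helper.rb` quotes the require differently the edit silently does nothing and the failure only surfaces later as a Bundler load error. The same line is added in `SPECS/rubygem-metaclass/rubygem-metaclass.spec`. Keeping the broader `sed -i '/bundler\/setup/ d' test/test_helper.rb` avoids that dependency on quoting. The context comment `# Disable Bundler.` also now sits above the BlankSlate block instead of the sed it describes, so it should move down next to the Bundler line.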
@@ -36,6 +36,7 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %check # test_helper.rb currently references bundler, so it is easier to avoid # its usage at all. +sed -i '/require "bundler\/setup"/ d' test/test_helper.rb ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)' %files @@ -43,6 +44,9 @@ ruby -Ilib:test -e 'Dir.glob "./test/**/*_test.rb", &method(:require)' %{gemdir} %changelog +* Wed May 21 2025 Riken Maharjan - 0.0.4-17 +- Fix ptest by not using bundler + * Tue Jul 19 2022 Neha Agarwal - 0.0.4-16 - Add provides, add missing files, remove doc package diff --git a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json index 7ca57f5a23..acc48d9ac3 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json +++ b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "rexml-3.3.4.tar.gz": "c6ab9da9502b2a5e824925de5f5774d9222c377d0537393f560fba71e0f868c7" - } + "Signatures": { + "rexml-3.3.9.tar.gz": "c382728a4b88e7edf2f6d76ea43f837ecac1e89a76d65b15ba18498b263d3ace" + } } diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec index 135c0b1b3e..b602f657d4 100644 --- a/SPECS/rubygem-rexml/rubygem-rexml.spec +++ b/SPECS/rubygem-rexml/rubygem-rexml.spec @@ -2,7 +2,7 @@ %global gem_name rexml Summary: REXML is an XML toolkit for Ruby Name: rubygem-%{gem_name} -Version: 3.3.4 +Version: 3.3.9 Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation @@ -34,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}- %{gemdir} %changelog +* Wed May 21 2025 CBL-Mariner Servicing Account - 3.3.9-1 +- Auto-upgrade to 3.3.9 - fix CVE-2024-49761 + * Fri Aug 9 2024 Bhagyashri Pathak - 3.3.4-1 - Upgrade to 3.3.4 to resolve CVE-2024-39908 
diff --git a/SPECS/rubygem-webrick/CVE-2023-40225-content-length-validation.patch b/SPECS/rubygem-webrick/CVE-2023-40225-content-length-validation.patch
new file mode 100644
index 0000000000..926a4bad01
--- /dev/null
+++ b/SPECS/rubygem-webrick/CVE-2023-40225-content-length-validation.patch
@@ -0,0 +1,69 @@ +From 96c29264519374ee41eaf27933d5049528264e98 Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Tue, 15 Aug 2023 14:37:59 -0700 +Subject: [PATCH] Raise HTTPStatus::BadRequest for requests with + invalid/duplicate content-length headers + +Addresses CVE-2023-40225. + +Fixes #119 +--- + lib/webrick/httprequest.rb | 8 ++++++++ + test/webrick/test_httprequest.rb | 25 +++++++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb +index 680ac65a..7a1686bc 100644 +--- a/lib/webrick/httprequest.rb ++++ b/lib/webrick/httprequest.rb +@@ -479,6 +479,14 @@ def read_header(socket) + end + end + @header = HTTPUtils::parse_header(@raw_header.join) ++ ++ if (content_length = @header['content-length']) && content_length.length != 0 ++ if content_length.length > 1 ++ raise HTTPStatus::BadRequest, "multiple content-length request headers" ++ elsif !/\A\d+\z/.match?(content_length[0]) ++ raise HTTPStatus::BadRequest, "invalid content-length request header" ++ end ++ end + end + + def parse_uri(str, scheme="http") +diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb +index 2ff08d63..90332171 100644 +--- a/test/webrick/test_httprequest.rb ++++ b/test/webrick/test_httprequest.rb +@@ -81,6 +81,31 @@ def test_request_uri_too_large + } + end + ++ def test_invalid_content_length_header ++ ['', ' ', ' +1', ' -1', ' a'].each do |cl| ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 ++ Content-Length:#{cl} ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {8}/, ""))) ++ } ++ end ++ end ++ ++ def test_duplicate_content_length_header ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 ++ Content-Length: 1 ++ Content-Length: 2 ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ 
req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ + def test_parse_headers + msg = <<-_end_of_message_ + GET /path HTTP/1.1 diff --git a/SPECS/rubygem-webrick/CVE-2025-6442.patch b/SPECS/rubygem-webrick/CVE-2025-6442.patch new file mode 100644 index 0000000000..2b0b40246d --- /dev/null +++ b/SPECS/rubygem-webrick/CVE-2025-6442.patch 
@@ -0,0 +1,455 @@ +From a3d6b1b66f7daa71c0b2a023df6ad4f457710b7e Mon Sep 17 00:00:00 2001 +From: Kavya Sree Kaitepalli +Date: Wed, 16 Jul 2025 05:43:48 +0000 +Subject: [PATCH] patch CVE-2025-6442 + +patch Reference: https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101 +--- + lib/webrick/httprequest.rb | 4 +- + lib/webrick/httputils.rb | 8 +- + test/webrick/test_filehandler.rb | 2 +- + test/webrick/test_httprequest.rb | 149 +++++++++++++++++++++++++------ + 4 files changed, 132 insertions(+), 31 deletions(-) + +diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb +index 7a1686b..7a5aed5 100644 +--- a/lib/webrick/httprequest.rb ++++ b/lib/webrick/httprequest.rb +@@ -458,7 +458,7 @@ module WEBrick + end + + @request_time = Time.now +- if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line ++ if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line + @request_method = $1 + @unparsed_uri = $2 + @http_version = HTTPVersion.new($3 ? $3 : "0.9") +@@ -471,7 +471,7 @@ module WEBrick + def read_header(socket) + if socket + while line = read_line(socket) +- break if /\A(#{CRLF}|#{LF})\z/om =~ line ++ break if /\A#{CRLF}\z/om =~ line + if (@request_bytes += line.bytesize) > MAX_HEADER_LENGTH + raise HTTPStatus::RequestEntityTooLarge, 'headers too large' + end +diff --git a/lib/webrick/httputils.rb b/lib/webrick/httputils.rb +index 48aa137..3110646 100644 +--- a/lib/webrick/httputils.rb ++++ b/lib/webrick/httputils.rb +@@ -158,16 +158,18 @@ module WEBrick + field = nil + raw.each_line{|line| + case line +- when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):\s*(.*?)\s*\z/om ++ when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om + field, value = $1, $2 + field.downcase! + header[field] = [] unless header.has_key?(field) + header[field] << value +- when /^\s+(.*?)\s*\z/om +- value = $1 ++ when /^\s+([^\r\n\0]*?)\r\n/om + unless field + raise HTTPStatus::BadRequest, "bad header '#{line}'." 
+ end ++ value = line ++ value.lstrip! ++ value.slice!(-2..-1) + header[field][-1] << " " << value + else + raise HTTPStatus::BadRequest, "bad header '#{line}'." +diff --git a/test/webrick/test_filehandler.rb b/test/webrick/test_filehandler.rb +index 881fb54..dad3fb0 100644 +--- a/test/webrick/test_filehandler.rb ++++ b/test/webrick/test_filehandler.rb +@@ -33,7 +33,7 @@ class WEBrick::TestFileHandler < Test::Unit::TestCase + Range: #{range_spec} + + END_OF_REQUEST +- return StringIO.new(msg.gsub(/^ {6}/, "")) ++ return StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n")) + end + + def make_range_response(file, range_spec) +diff --git a/test/webrick/test_httprequest.rb b/test/webrick/test_httprequest.rb +index 9033217..a3c0620 100644 +--- a/test/webrick/test_httprequest.rb ++++ b/test/webrick/test_httprequest.rb +@@ -11,7 +11,7 @@ class TestWEBrickHTTPRequest < Test::Unit::TestCase + + def test_simple_request + msg = <<-_end_of_message_ +-GET / ++GET /\r + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) +@@ -24,7 +24,7 @@ GET / + foobar # HTTP/0.9 request don't have header nor entity body. 
+ _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/", req.unparsed_uri) + assert_equal(WEBrick::HTTPVersion.new("0.9"), req.http_version) +@@ -41,7 +41,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/", req.unparsed_uri) + assert_equal(WEBrick::HTTPVersion.new("1.0"), req.http_version) +@@ -58,7 +58,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("GET", req.request_method) + assert_equal("/path", req.unparsed_uri) + assert_equal("", req.script_name) +@@ -77,7 +77,7 @@ GET / + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + assert_raise(WEBrick::HTTPStatus::RequestURITooLarge){ +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + } + end + +@@ -89,11 +89,101 @@ GET / + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + assert_raise(WEBrick::HTTPStatus::BadRequest){ +- req.parse(StringIO.new(msg.gsub(/^ {8}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {8}/, "").gsub("\n", "\r\n"))) + } + end + end + ++ def test_bare_lf_request_line ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_bare_lf_header ++ msg = <<-_end_of_message_ ++ GET / 
HTTP/1.1\r ++ Content-Length: 0 ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_bare_cr_request_line ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_bare_cr_header ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Type: foo\rbar\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ ++ def test_invalid_request_lines ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET /\r HTTP/1.1\r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ ++ msg = <<-_end_of_message_ ++ GET / HTTP/1.1 \r ++ Content-Length: 0\r ++ \r ++ _end_of_message_ ++ req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) ++ assert_raise(WEBrick::HTTPStatus::BadRequest){ ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ } ++ end ++ + def test_duplicate_content_length_header + msg = 
<<-_end_of_message_ + GET / HTTP/1.1 +@@ -102,7 +192,7 @@ GET / + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + assert_raise(WEBrick::HTTPStatus::BadRequest){ +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + } + end + +@@ -118,13 +208,13 @@ GET / + Accept-Language: en;q=0.5, *; q=0 + Accept-Language: ja + Content-Type: text/plain +- Content-Length: 7 ++ Content-Length: 8 + X-Empty-Header: + + foobar + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal( + URI.parse("http://test.ruby-lang.org:8080/path"), req.request_uri) + assert_equal("test.ruby-lang.org", req.host) +@@ -135,9 +225,9 @@ GET / + req.accept) + assert_equal(%w(gzip compress identity *), req.accept_encoding) + assert_equal(%w(ja en *), req.accept_language) +- assert_equal(7, req.content_length) ++ assert_equal(8, req.content_length) + assert_equal("text/plain", req.content_type) +- assert_equal("foobar\n", req.body) ++ assert_equal("foobar\r\n", req.body) + assert_equal("", req["x-empty-header"]) + assert_equal(nil, req["x-no-header"]) + assert(req.query.empty?) 
+@@ -146,7 +236,7 @@ GET / + def test_parse_header2() + msg = <<-_end_of_message_ + POST /foo/bar/../baz?q=a HTTP/1.0 +- Content-Length: 9 ++ Content-Length: 10 + User-Agent: + FOO BAR + BAZ +@@ -154,14 +244,14 @@ GET / + hogehoge + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal("POST", req.request_method) + assert_equal("/foo/baz", req.path) + assert_equal("", req.script_name) + assert_equal("/foo/baz", req.path_info) +- assert_equal("9", req['content-length']) ++ assert_equal("10", req['content-length']) + assert_equal("FOO BAR BAZ", req['user-agent']) +- assert_equal("hogehoge\n", req.body) ++ assert_equal("hogehoge\r\n", req.body) + end + + def test_parse_headers3 +@@ -171,7 +261,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://test.ruby-lang.org/path"), req.request_uri) + assert_equal("test.ruby-lang.org", req.host) + assert_equal(80, req.port) +@@ -182,7 +272,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://192.168.1.1/path"), req.request_uri) + assert_equal("192.168.1.1", req.host) + assert_equal(80, req.port) +@@ -193,7 +283,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://[fe80::208:dff:feef:98c7]/path"), + req.request_uri) + assert_equal("[fe80::208:dff:feef:98c7]", req.host) +@@ -205,7 +295,7 @@ GET / + + _end_of_message_ + req = 
WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://192.168.1.1:8080/path"), req.request_uri) + assert_equal("192.168.1.1", req.host) + assert_equal(8080, req.port) +@@ -216,7 +306,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + assert_equal(URI.parse("http://[fe80::208:dff:feef:98c7]:8080/path"), + req.request_uri) + assert_equal("[fe80::208:dff:feef:98c7]", req.host) +@@ -231,7 +321,7 @@ GET / + + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + query = req.query + assert_equal("1", query["foo"]) + assert_equal(["1", "2", "3"], query["foo"].to_ary) +@@ -251,7 +341,7 @@ GET / + #{param} + _end_of_message_ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + query = req.query + assert_equal("1", query["foo"]) + assert_equal(["1", "2", "3"], query["foo"].to_ary) +@@ -270,6 +360,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + File.open(__FILE__){|io| + while chunk = io.read(100) + msg << chunk.size.to_s(16) << crlf +@@ -301,6 +392,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server.example.com", req.server_name) +@@ -321,6 +413,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + 
assert_equal("server.example.com", req.server_name) +@@ -343,6 +436,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server.example.com", req.server_name) +@@ -365,6 +459,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -387,6 +482,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -409,6 +505,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert_equal("server1.example.com", req.server_name) +@@ -426,6 +523,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert req['expect'] +@@ -442,6 +540,7 @@ GET / + + _end_of_message_ + msg.gsub!(/^ {6}/, "") ++ msg.gsub!("\n", "\r\n") + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) + req.parse(StringIO.new(msg)) + assert !req['expect'] +@@ -461,7 +560,7 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::LengthRequired){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + req.body + } + +@@ -474,7 +573,7 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::BadRequest){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", 
"\r\n"))) + req.body + } + +@@ -487,7 +586,7 @@ GET / + _end_of_message_ + assert_raise(WEBrick::HTTPStatus::NotImplemented){ + req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP) +- req.parse(StringIO.new(msg.gsub(/^ {6}/, ""))) ++ req.parse(StringIO.new(msg.gsub(/^ {6}/, "").gsub("\n", "\r\n"))) + req.body + } + end +-- +2.45.3 + diff --git a/SPECS/rubygem-webrick/rubygem-webrick.spec b/SPECS/rubygem-webrick/rubygem-webrick.spec index 5d4db196d5..32431475f2 100644 --- a/SPECS/rubygem-webrick/rubygem-webrick.spec +++ b/SPECS/rubygem-webrick/rubygem-webrick.spec @@ -3,14 +3,18 @@ Summary: HTTP server toolkit Name: rubygem-%{gem_name} Version: 1.8.1 -Release: 1%{?dist} +Release: 3%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/ruby/webrick Source0: https://github.com/ruby/webrick/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz +Patch0: CVE-2023-40225-content-length-validation.patch +Patch1: CVE-2025-6442.patch BuildRequires: git BuildRequires: ruby +BuildRequires: rubygem-test-unit +BuildRequires: rubygems-devel Provides: rubygem(%{gem_name}) = %{version}-%{release} %description 
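Review bot: The folded-header branch this patch adds to `lib/webrick/httputils.rb`, `when /^\s+([^\r\n\0]*?)\r\n/om`, is looser than the field branch above it: Ruby's `\s` also matches CR, and the pattern has no `\z` anchor. A continuation line whose leading whitespace contains a bare CR therefore still parses, and `value.lstrip!` then silently drops that CR, which is the line-ending leniency the rest of the patch removes. Consider `when /^[ \t]+([^\r\n\0]*?)\r\n\z/om` with a matching test; if the backport is meant to stay identical to the referenced upstream commit, record that in the patch header. The `parse_header` body continues outside the embedded hunk.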
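Review bot: `Patch0: CVE-2023-40225-content-length-validation.patch` is added here, but neither changelog entry the commit adds for 1.8.1-2 and 1.8.1-3 names CVE-2023-40225; the closest is `- Add patch to fix failing tests`. Anyone auditing the package from its changelog cannot tell that this fix is carried. Add a line such as `- Patch for CVE-2023-40225` to the entry that introduced Patch0.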
@@ -29,12 +33,34 @@ gem build %{gem_name} %install gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-%{version}.gem +%check +pushd %{buildroot}%{gem_instdir} +# Symlink the test suite from source directory +ln -sf %{_builddir}/%{gem_name}-%{version}/test . + +# Use --verbose to set $VERBOSE to true. `test_sni` in test/webrick/test_https.rb +# relies on output in $stderr from lib/webrick/ssl.rb that is only written there +# if $VERBOSE is true. +# https://github.com/ruby/webrick/pull/158 +ruby --verbose \ + -Ilib:test:test/lib \ + -rhelper \ + -e 'Dir.glob "./test/**/test_*.rb", &method(:require)' +popd + %files %defattr(-,root,root,-) -%doc %{gemdir}/gems/%{gem_name}-%{version}/LICENSE.txt +%license LICENSE.txt %{gemdir} %changelog +* Wed Jul 16 2025 Kavya Sree Kaitepalli - 1.8.1-3 +- Add %check section +- Add patch to fix failing tests + +* Fri Jun 27 2025 Archana Shettigar - 1.8.1-2 +- Patch for CVE-2025-6442 + * Thu Nov 02 2023 CBL-Mariner Servicing Account - 1.8.1-1 - Auto-upgrade to 1.8.1 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/rust/CVE-2025-4574.patch b/SPECS/rust/CVE-2025-4574.patch new file mode 100644 index 0000000000..39d9ea6143 --- /dev/null +++ b/SPECS/rust/CVE-2025-4574.patch 
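Review bot: The new `%check` runs `ln -sf %{_builddir}/%{gem_name}-%{version}/test .` inside `%{buildroot}%{gem_instdir}` and never removes the link. `%files` lists `%{gemdir}` wholesale, so if `%{gem_instdir}` lies under it (the macro definitions are not visible here) the package ships a `test` symlink pointing at an absolute build path. The link exists only when `%check` was run, so checked and unchecked builds would differ in content. Add `rm -f test` before `popd`, or run the suite from the build directory with `-I%{buildroot}%{gem_instdir}/lib` so nothing is written into the buildroot.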
@@ -0,0 +1,59 @@ +From 599103c7aeae04fe9fd25dd4b7254c4cf456693c Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Mon, 2 Jun 2025 09:39:09 +0000 +Subject: [PATCH] Address CVE-2025-4574 + +Upstream Patch reference: https://github.com/crossbeam-rs/crossbeam/commit/6ec74ecae896df5fc239518b45a1bfd258c9db68 + +--- + vendor/crossbeam-channel-0.5.13/.cargo-checksum.json | 2 +- + vendor/crossbeam-channel-0.5.13/src/flavors/list.rs | 2 +- + vendor/crossbeam-channel-0.5.14/.cargo-checksum.json | 2 +- + vendor/crossbeam-channel-0.5.14/src/flavors/list.rs | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/vendor/crossbeam-channel-0.5.13/.cargo-checksum.json b/vendor/crossbeam-channel-0.5.13/.cargo-checksum.json +index 6784db9eb..b0731762f 100644 +--- a/vendor/crossbeam-channel-0.5.13/.cargo-checksum.json ++++ b/vendor/crossbeam-channel-0.5.13/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"6b520b783f5e0c17c6caa975defb9ed6e0ae1254a6a41a9bcd03d249bc942289","Cargo.lock":"605ed4a922e22b42c8a7b75624dfd55d6f0bc96bf76bbf016b003a2c44ddc29a","Cargo.toml":"0f7a8020ede552c5370c101973e8b77cdf5ce6d41f4b6f7b1420b97491fd1e24","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"5dfb91ebb498dec49948a440a53977109ec532388170e567c3c2a0339589aa4c","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"477cc2b7bac7502fd2459288a58cc76f015b1ec8e87b85
3cda77ccb1808c6334","src/counter.rs":"b8f1e48ec634a7dab8e04c485209161587ecbbd2d57b0825467164d4554c6249","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4ac35016bc3e05cb9db48681d","src/flavors/array.rs":"79bc219187c9f40b156b9fe551c1176b66bf73e6d48905b23a2d74c6366a2205","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list.rs":"280f55b51cefe9351a52c8d2186de368b688ad06885d083efe7e831726846520","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"f9cbc9e035fadce808a4af86a223cfded89990ba1e9acfe731fb17a7fe12b432","src/lib.rs":"5b1c406fd1ce6140feae9000be361858da2aabe7fc9fffd0eafcb88020d2b268","src/select.rs":"7aa8addb82427141b0a4afa16fa4d23a02becab115a0a5a6d6d327728fd0672f","src/select_macro.rs":"522cfc8155825c1f260922c17ea6ef8ae672cf94863750c1a6115db2cbc9fc18","src/utils.rs":"9bd81aeb385a81409a63f4b9edc35444c7fd1d2724725f9c34ad7ca39dd69a18","src/waker.rs":"017f87a120d945502701c0dba79062c7fe55d44e5907cc6f8605b4510c90d529","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"3d1a4ae23bb6b4767242b8109a8efda26f1d3b28c0f90da3368f8eb9ca0eee37","tests/mpsc.rs":"5fbb5342fa7c9e4bcda5545255e0979dc6b9ba638edee127acf75372c18c925f","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"4361352fa94254041e6c73e97b13be032c2d51c741f2a50519efe3000cf4dc28","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a2f6be7946f5dbcee67cdc82dccb","tests/select.rs"
:"101ea8afd9a40d24c2d2aec29e5f2fdc4faac51aa1d7c9fe077b364f12edd206","tests/select_macro.rs":"4d6d52ad48f385c5b8f5023a590e00e7a4b632e80bd929b6fc89a53f5faee515","tests/thread_locals.rs":"f42fcddca959b3b44cd545b92949d65e33a54332b27f490ec92f9f29b7f8290c","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d","tests/zero.rs":"9c5af802d5efb2c711f8242b8905ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"} +\ No newline at end of file ++{"files":{"CHANGELOG.md":"6b520b783f5e0c17c6caa975defb9ed6e0ae1254a6a41a9bcd03d249bc942289","Cargo.lock":"605ed4a922e22b42c8a7b75624dfd55d6f0bc96bf76bbf016b003a2c44ddc29a","Cargo.toml":"0f7a8020ede552c5370c101973e8b77cdf5ce6d41f4b6f7b1420b97491fd1e24","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"5dfb91ebb498dec49948a440a53977109ec532388170e567c3c2a0339589aa4c","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"477cc2b7bac7502fd2459288a58cc76f015b1ec8e87b853cda77ccb1808c6334","src/counter.rs":"b8f1e48ec634a7dab8e04c485209161587ecbbd2d57b0825467164d4554c6249","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4ac35016bc3e05cb9db48681d","src/flavors/array.rs":"79bc219187c9f40b156b9fe551c1176b66bf73e6d48905b23a2d74c6366a2205","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list
.rs":"048e31bda49b8d2b7bdbe36cae07065745c69990b6adf73d283b52543429baad","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"f9cbc9e035fadce808a4af86a223cfded89990ba1e9acfe731fb17a7fe12b432","src/lib.rs":"5b1c406fd1ce6140feae9000be361858da2aabe7fc9fffd0eafcb88020d2b268","src/select.rs":"7aa8addb82427141b0a4afa16fa4d23a02becab115a0a5a6d6d327728fd0672f","src/select_macro.rs":"522cfc8155825c1f260922c17ea6ef8ae672cf94863750c1a6115db2cbc9fc18","src/utils.rs":"9bd81aeb385a81409a63f4b9edc35444c7fd1d2724725f9c34ad7ca39dd69a18","src/waker.rs":"017f87a120d945502701c0dba79062c7fe55d44e5907cc6f8605b4510c90d529","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"3d1a4ae23bb6b4767242b8109a8efda26f1d3b28c0f90da3368f8eb9ca0eee37","tests/mpsc.rs":"5fbb5342fa7c9e4bcda5545255e0979dc6b9ba638edee127acf75372c18c925f","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"4361352fa94254041e6c73e97b13be032c2d51c741f2a50519efe3000cf4dc28","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a2f6be7946f5dbcee67cdc82dccb","tests/select.rs":"101ea8afd9a40d24c2d2aec29e5f2fdc4faac51aa1d7c9fe077b364f12edd206","tests/select_macro.rs":"4d6d52ad48f385c5b8f5023a590e00e7a4b632e80bd929b6fc89a53f5faee515","tests/thread_locals.rs":"f42fcddca959b3b44cd545b92949d65e33a54332b27f490ec92f9f29b7f8290c","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d","tests/zero.rs":"9c5af802d5efb2c711f8242b890
5ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"} +diff --git a/vendor/crossbeam-channel-0.5.13/src/flavors/list.rs b/vendor/crossbeam-channel-0.5.13/src/flavors/list.rs +index e7fb6150f..bad76e858 100644 +--- a/vendor/crossbeam-channel-0.5.13/src/flavors/list.rs ++++ b/vendor/crossbeam-channel-0.5.13/src/flavors/list.rs +@@ -596,7 +596,7 @@ impl Channel { + // In that case, just wait until it gets initialized. + while block.is_null() { + backoff.snooze(); +- block = self.head.block.load(Ordering::Acquire); ++ block = self.head.block.swap(ptr::null_mut(), Ordering::AcqRel); + } + } + +diff --git a/vendor/crossbeam-channel-0.5.14/.cargo-checksum.json b/vendor/crossbeam-channel-0.5.14/.cargo-checksum.json +index b6da487d3..5cba471f5 100644 +--- a/vendor/crossbeam-channel-0.5.14/.cargo-checksum.json ++++ b/vendor/crossbeam-channel-0.5.14/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"4a7e4bc790fa3e9acb9577c489964690aa3a9ef549571fefd9e15362022901c2","Cargo.lock":"a4cbda8f2355ee7e9543e1eb01fb67173c079ae0337146c12fa577a4df81fa83","Cargo.toml":"a61aa427c7e7b3d318db6130cb49e4d1a0a2677853a3f9b6774c0cba93106cf8","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"5dfb91ebb498dec49948a440a53977109ec532388170e567c3c2a0339589aa4c","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"
0c5f278572d3db33ed3dfba45f62c8db372c9153db0695a5cdecf700c2ba73a5","src/counter.rs":"b8f1e48ec634a7dab8e04c485209161587ecbbd2d57b0825467164d4554c6249","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4ac35016bc3e05cb9db48681d","src/flavors/array.rs":"79bc219187c9f40b156b9fe551c1176b66bf73e6d48905b23a2d74c6366a2205","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list.rs":"a1269b2a9b83e688cbd4ba2f06f6ce02763ca5dcb3ed27214d0dc64a97de30f6","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"f9cbc9e035fadce808a4af86a223cfded89990ba1e9acfe731fb17a7fe12b432","src/lib.rs":"5b1c406fd1ce6140feae9000be361858da2aabe7fc9fffd0eafcb88020d2b268","src/select.rs":"301c765751586204371bedb69162e23bcf7e094cbc37b72203698a18b889550f","src/select_macro.rs":"f30b726dff104b17c2dfbd67b271758d8c06d63ec4811ffab88b2e1dac43e3df","src/utils.rs":"9bd81aeb385a81409a63f4b9edc35444c7fd1d2724725f9c34ad7ca39dd69a18","src/waker.rs":"017f87a120d945502701c0dba79062c7fe55d44e5907cc6f8605b4510c90d529","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"e71d34f790af290e463707c2336ff221f7841767e961b91747aa00e21df0ad32","tests/mpsc.rs":"5fbb5342fa7c9e4bcda5545255e0979dc6b9ba638edee127acf75372c18c925f","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"4361352fa94254041e6c73e97b13be032c2d51c741f2a50519efe3000cf4dc28","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a
2f6be7946f5dbcee67cdc82dccb","tests/select.rs":"101ea8afd9a40d24c2d2aec29e5f2fdc4faac51aa1d7c9fe077b364f12edd206","tests/select_macro.rs":"e83bd33b34c47d703abe06420a23868809468516943347bdbfb6af4db0cec65a","tests/thread_locals.rs":"f42fcddca959b3b44cd545b92949d65e33a54332b27f490ec92f9f29b7f8290c","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d","tests/zero.rs":"9c5af802d5efb2c711f8242b8905ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"} +\ No newline at end of file ++{"files":{"CHANGELOG.md":"4a7e4bc790fa3e9acb9577c489964690aa3a9ef549571fefd9e15362022901c2","Cargo.lock":"a4cbda8f2355ee7e9543e1eb01fb67173c079ae0337146c12fa577a4df81fa83","Cargo.toml":"a61aa427c7e7b3d318db6130cb49e4d1a0a2677853a3f9b6774c0cba93106cf8","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"5dfb91ebb498dec49948a440a53977109ec532388170e567c3c2a0339589aa4c","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"0c5f278572d3db33ed3dfba45f62c8db372c9153db0695a5cdecf700c2ba73a5","src/counter.rs":"b8f1e48ec634a7dab8e04c485209161587ecbbd2d57b0825467164d4554c6249","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4ac35016bc3e05cb9db48681d","src/flavors/array.rs":"79bc219187c9f40b156b9fe551c1176b66bf73e6d48905b23a2d74c6366a2205","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427
e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list.rs":"03eda8e9e36022eb7f15b1d17e182efc56c8a1c4a7db5a60c0acd808012ceae8","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"f9cbc9e035fadce808a4af86a223cfded89990ba1e9acfe731fb17a7fe12b432","src/lib.rs":"5b1c406fd1ce6140feae9000be361858da2aabe7fc9fffd0eafcb88020d2b268","src/select.rs":"301c765751586204371bedb69162e23bcf7e094cbc37b72203698a18b889550f","src/select_macro.rs":"f30b726dff104b17c2dfbd67b271758d8c06d63ec4811ffab88b2e1dac43e3df","src/utils.rs":"9bd81aeb385a81409a63f4b9edc35444c7fd1d2724725f9c34ad7ca39dd69a18","src/waker.rs":"017f87a120d945502701c0dba79062c7fe55d44e5907cc6f8605b4510c90d529","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"e71d34f790af290e463707c2336ff221f7841767e961b91747aa00e21df0ad32","tests/mpsc.rs":"5fbb5342fa7c9e4bcda5545255e0979dc6b9ba638edee127acf75372c18c925f","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"4361352fa94254041e6c73e97b13be032c2d51c741f2a50519efe3000cf4dc28","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a2f6be7946f5dbcee67cdc82dccb","tests/select.rs":"101ea8afd9a40d24c2d2aec29e5f2fdc4faac51aa1d7c9fe077b364f12edd206","tests/select_macro.rs":"e83bd33b34c47d703abe06420a23868809468516943347bdbfb6af4db0cec65a","tests/thread_locals.rs":"f42fcddca959b3b44cd545b92949d65e33a54332b27f490ec92f9f29b7f8290c","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d
","tests/zero.rs":"9c5af802d5efb2c711f8242b8905ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"}
+diff --git a/vendor/crossbeam-channel-0.5.14/src/flavors/list.rs b/vendor/crossbeam-channel-0.5.14/src/flavors/list.rs
+index 6c15991f9..8f1faaa8b 100644
+--- a/vendor/crossbeam-channel-0.5.14/src/flavors/list.rs
++++ b/vendor/crossbeam-channel-0.5.14/src/flavors/list.rs
+@@ -611,7 +611,7 @@ impl Channel {
+ // In that case, just wait until it gets initialized.
+ while block.is_null() {
+ backoff.snooze();
+- block = self.head.block.load(Ordering::Acquire);
++ block = self.head.block.swap(ptr::null_mut(), Ordering::AcqRel);
+ }
+ }
+
+--
+2.45.2
+
diff --git a/SPECS/rust/CVE-2025-4574_1.75.patch b/SPECS/rust/CVE-2025-4574_1.75.patch
new file mode 100644
index 0000000000..62d16db331
--- /dev/null
+++ b/SPECS/rust/CVE-2025-4574_1.75.patch
@@ -0,0 +1,36 @@ +From c05fa2106d38a56956928a81b6895f2b864d567d Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Mon, 19 May 2025 12:43:58 +0000 +Subject: [PATCH] Address CVE-2025-4574 + +Upstream Patch reference: https://github.com/crossbeam-rs/crossbeam/commit/6ec74ecae896df5fc239518b45a1bfd258c9db68.patch + +--- + vendor/crossbeam-channel/.cargo-checksum.json | 2 +- + vendor/crossbeam-channel/src/flavors/list.rs | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/vendor/crossbeam-channel/.cargo-checksum.json b/vendor/crossbeam-channel/.cargo-checksum.json +index 378146617..8c8571c63 100644 +--- a/vendor/crossbeam-channel/.cargo-checksum.json ++++ b/vendor/crossbeam-channel/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"CHANGELOG.md":"bcaef3a8c2edc691ca40e81865a3a176610706f159d34cf8b45ee4337ebd6369","Cargo.lock":"6695f914942ea8ef6862f7d84731ddbefb0f821cb5964059d4f952729d91c8ec","Cargo.toml":"fe61d89e41142b9b83de137dfbc0e21f3c4249aedefe535241dc85d36cc6e024","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"4e16587d8f6a15f2016f256535aa6c9429424672ebdcd03c1a7d964746e46127","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"ff4d39639ddf16aaab582d4a5f3d10ef2c71afe1abbf4e60f3d9d2ddbd72c230","src/counter.rs":"c49a9f44587888850edeb62f7c8ecd1acecb39c836834254ff3ac934c478440a","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4
ac35016bc3e05cb9db48681d","src/flavors/array.rs":"508e54587fc8d9e8dfacd16446a601e33838d7bb1dfd9d7ccc3e65315b66b35a","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list.rs":"b3820f2d5c063cbccd658317af991885f68dfbbece483807d4ea36070ff5efba","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"7458eb0ece475dc5093b4f2cde13f6de57e4f70291258850de4fa3c951c8f594","src/lib.rs":"3a65706d4124844ffc4c8cb1f8cc779631ec94f449f85cbb68364ad3619404f1","src/select.rs":"966fb1abb05f900b84a00ff2bd99b4934aafc793d9083ad4f31c551cc9f6aa5f","src/select_macro.rs":"283acd04870356b0c4d3d4046c5070638b562c9ffb8fa29c1a5b90a2509bf3af","src/utils.rs":"d99c66d668c2e232b488f0121826ceac07a875c9ad48bc053e138320d2b20cf4","src/waker.rs":"6839108d1c9357b3c0c1c162c8b4633ff5ac4f756e95e677ac1293e7df942635","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"3d1a4ae23bb6b4767242b8109a8efda26f1d3b28c0f90da3368f8eb9ca0eee37","tests/mpsc.rs":"d1e185c6290240132a34aa91221271225959f8652d7fc4ceb546ee9712361176","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"3b4c42d01b01f27e994f6a147e6f56187c23679408f216e180211fdc4f9805cc","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a2f6be7946f5dbcee67cdc82dccb","tests/select.rs":"ce12a8e0284fb9ccf6c1543bec309d9054193e6d942663aed19aa8499ef69c43","tests/select_macro.rs":"597d526fbd021ce70619d9172c931439f778ee3034ec1479aea461b65971a81a"
,"tests/thread_locals.rs":"25ab70a8dcd8a0da9173e5476e17dcc8916caa5b68207d9c403655deaa8e8f4a","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d","tests/zero.rs":"9c5af802d5efb2c711f8242b8905ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"a33c2bf77f2df06183c3aa30d1e96c0695a313d4f9c453cc3762a6db39f99200"} +\ No newline at end of file ++{"files":{"CHANGELOG.md":"bcaef3a8c2edc691ca40e81865a3a176610706f159d34cf8b45ee4337ebd6369","Cargo.lock":"6695f914942ea8ef6862f7d84731ddbefb0f821cb5964059d4f952729d91c8ec","Cargo.toml":"fe61d89e41142b9b83de137dfbc0e21f3c4249aedefe535241dc85d36cc6e024","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","LICENSE-THIRD-PARTY":"b16db96b93b1d7cf7bea533f572091ec6bca3234fbe0a83038be772ff391a44c","README.md":"4e16587d8f6a15f2016f256535aa6c9429424672ebdcd03c1a7d964746e46127","benches/crossbeam.rs":"96cb1abd23cac3ef8a7174a802e94609926b555bb02c9658c78723d433f1dd92","examples/fibonacci.rs":"4e88fa40048cdc31e9c7bb60347d46f92543d7ddf39cab3b52bfe44affdb6a02","examples/matching.rs":"63c250e164607a7a9f643d46f107bb5da846d49e89cf9069909562d20e530f71","examples/stopwatch.rs":"d02121258f08d56f1eb7997e19bcb9bacb6836cfa0abbba90a9e59d8a50ae5cf","src/channel.rs":"13fbbe12d4ec361855af1c3587fc80aea5f537db8dc44dd4f66c9e2b4ae9f5c1","src/context.rs":"ff4d39639ddf16aaab582d4a5f3d10ef2c71afe1abbf4e60f3d9d2ddbd72c230","src/counter.rs":"c49a9f44587888850edeb62f7c8ecd1acecb39c836834254ff3ac934c478440a","src/err.rs":"44cb2024ee6b0cd6fd24996430e53720769f64b4ac35016bc3e05cb9db48681d","src/flavors/array.rs":"508e54587fc8d9e8dfacd16446a601e33838d7bb1dfd9d7ccc3e65315b66b35a","src/flavors/at.rs":"04e07861534f2f7d5b5f884f2f5bc9c008427e6d0afa1c8ad401e1d7e54b57eb","src/flavors/list.rs":"9f440c7a37c011f720c76e956a9c8e9669b2375fbe9079af4f79944fa081a192","src/flavors/mod.rs":"3d9d43bc38b0adb18c96c995c2bd3421d8e33ab6c30b20c3c467d21d48e485dc
","src/flavors/never.rs":"747da857aa1a7601641f23f4930e6ad00ebaf50456d9be5c7aa270e2ecc24dcb","src/flavors/tick.rs":"0916ca3faef30b8cc591137701c456d5fc5b5b49cb1edad1e3a80d35bae222bb","src/flavors/zero.rs":"7458eb0ece475dc5093b4f2cde13f6de57e4f70291258850de4fa3c951c8f594","src/lib.rs":"3a65706d4124844ffc4c8cb1f8cc779631ec94f449f85cbb68364ad3619404f1","src/select.rs":"966fb1abb05f900b84a00ff2bd99b4934aafc793d9083ad4f31c551cc9f6aa5f","src/select_macro.rs":"283acd04870356b0c4d3d4046c5070638b562c9ffb8fa29c1a5b90a2509bf3af","src/utils.rs":"d99c66d668c2e232b488f0121826ceac07a875c9ad48bc053e138320d2b20cf4","src/waker.rs":"6839108d1c9357b3c0c1c162c8b4633ff5ac4f756e95e677ac1293e7df942635","tests/after.rs":"0154a8e152880db17a20514ecdd49dabc361d3629858d119b9746b5e932c780c","tests/array.rs":"a57ae6264e676f573d7adb5c4b024994e98bc6811352516adb3444f880f7125e","tests/golang.rs":"7b2ef219ba8a21841c133512f3a540f8279a2458304e9bbed7da81d6091ecd82","tests/iter.rs":"25dc02135bbae9d47a30f9047661648e66bdc134e40ba78bc2fbacbb8b3819bc","tests/list.rs":"3d1a4ae23bb6b4767242b8109a8efda26f1d3b28c0f90da3368f8eb9ca0eee37","tests/mpsc.rs":"d1e185c6290240132a34aa91221271225959f8652d7fc4ceb546ee9712361176","tests/never.rs":"ee40c4fc4dd5af4983fae8de6927f52b81174d222c162f745b26c4a6c7108e4f","tests/ready.rs":"3b4c42d01b01f27e994f6a147e6f56187c23679408f216e180211fdc4f9805cc","tests/same_channel.rs":"2bab761443671e841e1b2476bd8082d75533a2f6be7946f5dbcee67cdc82dccb","tests/select.rs":"ce12a8e0284fb9ccf6c1543bec309d9054193e6d942663aed19aa8499ef69c43","tests/select_macro.rs":"597d526fbd021ce70619d9172c931439f778ee3034ec1479aea461b65971a81a","tests/thread_locals.rs":"25ab70a8dcd8a0da9173e5476e17dcc8916caa5b68207d9c403655deaa8e8f4a","tests/tick.rs":"5f697bd14c48505d932e82065b5302ef668e1cc19cac18e8ac22e0c83c221c1d","tests/zero.rs":"9c5af802d5efb2c711f8242b8905ed29cc2601e48dbd95e41c7e6fbfe2918398"},"package":"a33c2bf77f2df06183c3aa30d1e96c0695a313d4f9c453cc3762a6db39f99200"} +diff --git 
a/vendor/crossbeam-channel/src/flavors/list.rs b/vendor/crossbeam-channel/src/flavors/list.rs
+index 230edd8d2..4caa109c5 100644
+--- a/vendor/crossbeam-channel/src/flavors/list.rs
++++ b/vendor/crossbeam-channel/src/flavors/list.rs
+@@ -592,7 +592,7 @@ impl Channel {
+ // In that case, just wait until it gets initialized.
+ while block.is_null() {
+ backoff.snooze();
+- block = self.head.block.load(Ordering::Acquire);
++ block = self.head.block.swap(ptr::null_mut(), Ordering::AcqRel);
+ }
+ }
+ unsafe {
+--
+2.45.2
+
diff --git a/SPECS/rust/CVE-2025-53605.patch b/SPECS/rust/CVE-2025-53605.patch
new file mode 100644
index 0000000000..bc13020a55
--- /dev/null
+++ b/SPECS/rust/CVE-2025-53605.patch
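Review bot: The `list.rs` hunk of this 1.75 backport applies at line 592 with `unsafe {` as trailing context, while the companion patch for `vendor/crossbeam-channel-0.5.14` applies at line 611, so this vendored copy is a different release and the patch description should name it. The hunk shows neither how `block` is first read before the `while block.is_null()` loop nor what later clears `self.head.block`; the function continues outside the hunk, so whether the one-line `swap` is the complete fix for this layout needs checking in the 1.75 tree. The `src/flavors/list.rs` entry in `.cargo-checksum.json` is edited by hand, so confirm it equals the SHA-256 of the patched file. Suggested line for the description: `Backported to vendored crossbeam-channel <version> (rust 1.75); list.rs checksum regenerated with sha256sum.`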
@@ -0,0 +1,127 @@
+From f06992f46771c0a092593b9ebf7afd48740b3ed6 Mon Sep 17 00:00:00 2001
+From: esrauchg <140440793+esrauchg@users.noreply.github.com>
+Date: Sun, 9 Mar 2025 17:23:01 -0400
+Subject: [PATCH] Apply depth limit to unknown groups (#756)
+
+* Fix issue where a deeply nested unknown group could cause arbitrarily recursion depth.
+
+* Add drop(os) to fix tests
+
+* Check err message on recursion limit exceeded.
+
+* Run formatter
+
+* Fix test with .unwrap_err()
+
+Upstream Patch Reference: https://github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6.patch
+---
+ vendor/protobuf-3.7.1/.cargo-checksum.json | 2 +-
+ .../src/coded_input_stream/mod.rs | 71 +++++++++++++++----
+ 2 files changed, 60 insertions(+), 13 deletions(-)
+
+diff --git a/vendor/protobuf-3.7.1/.cargo-checksum.json b/vendor/protobuf-3.7.1/.cargo-checksum.json
+index 4a85cefd8..305d4f167 100644
+--- a/vendor/protobuf-3.7.1/.cargo-checksum.json
++++ b/vendor/protobuf-3.7.1/.cargo-checksum.json
+@@ -1 +1 @@
+-{"files":{"Cargo.toml":"96cda32a56ae7f781b2142812f054e6f31435b30a2f0b2386346cbf277186920","LICENSE.txt":"7f2fa80a60e84f8dc0747abb0e42342f83bded04a20461a636b47c0331b92ddf","README.md":"14dbb3068c031afbd44010a4ff0c8146aa7e02f6051579177767f218fff9cd38","build.rs":"347d9aa6d4b102b6e83c65aeef89b1e1752536bd8ef80fc834a2c78d5cb2ff80","regenerate.sh":"df3bc8537c038fd356367e5af433c284dd5b76505c35f6f89deab0f099a3e3e0","src/byteorder.rs":"9e6b481be82182ac99ff9704468b4d64656fb922f90c54ca83a8d7ca1dfd2e3a","src/cached_size.rs":"895788d7356a1fcd0f2d7446996066f8c53a0f36032174a97273997e65440fa0","src/chars.rs":"816a0af0b830ecd43028e40295fe0bf9eb79263f00fee01678c75d4ac5b7e908","src/coded_input_stream/buf_read_iter.rs":"2cba31136e56dd63c9a17d1bf4627f430b2ed3ddb35abf4479f57bcb912cdb4e","src/coded_input_stream/buf_read_or_reader.rs":"2bf3befcfce8c97faae7563084a7d93931afc5b886419e491111c15b4139058e","src/coded_input_stream/input_buf.rs":"cf71e63d3aef90188c55b6d42aa7cad47bcba16b27e687e44a15bd45e65b8737","src/coded_input_stream/input_source.rs":"8ce41ec8d147d03adf2dbd27ae0fa0b6e33400b62a9c945ab7aa2224bf43a863","src/coded_input_stream/mod.rs":"ee6c11ddd3e224c6d91afe2574b3033525e9d164a15c8ec771cc8ea89de9ded6","src/coded_output_stream/buffer.rs":"cafbbb3f02df26c98a4e5556e99a5a2ce811ffea4c49ba982532a6d9a53ec7d8","src/coded_output_stream/mod.rs":"06289bfaa7971ef275b1017d8b5d4197b864fc881f83d0ed073a28fca894a0ba","src/coded_output_stream/output_target.rs":"ab28889b824b91688cb5c17cf79bdbec96aeeea59f22946b9f359b957cc40580","src/coded_output_stream/with.rs":"47541db9f4f51cacd406571f02d6abe8f4837413c7cecbe511fc0c24ef2384f2","src/descriptor.rs":"4b3f1a458d5e105c01c03671bce753b564fcddefabe36ab41f986ac070a33614","src/doctest_pb.rs":"74ffeba6811126ab8ed076e8d3debbb634f8f9bba3bd77f9c288e88d7937591a","src/enum_full.rs":"ca658951c42ef539ce6221d8f1b1e5005a1a14393460078c40611bb7091629d0","src/enum_or_unknown.rs":"3088b9d139f296284a44d4f9da9c75476dfa00168358328f46b1c52c73572521","src/enums.rs":"e0af03e21b48d3
bb44d06a7971229e8e5ee6c8230323534f774f4874de3c9760","src/error.rs":"1839b319f456b56e2bb3c59f119f4c0bec53a02d52c92619b887bfdb1656183b","src/ext.rs":"b5c43e19ca56612e81560e520831da1746520be7944e506e44e07356b1415bbf","src/fixed.rs":"40b32b11dd53f0dc3de2c73f9003c6c0f762cf802e30e16beb5a22a18f8f2f50","src/lazy.rs":"b202a8cd252b11b013983f27c1ed5eac046674ed156a4e5e63357e15ead746df","src/lib.rs":"f22f0d3c3372cc68450071bb2abf8a1542d0f3348f5ec1133e9b785445494f56","src/message.rs":"a112b1d5c769d866a586a4c9af9245fa8029991563d2ff33c47e9d4c2b32fef7","src/message_dyn.rs":"c2d06029139a1ef09409227c0c501dd361b485ff1e4fcbf1d2b0cb579cd80fba","src/message_field.rs":"8456bcc3118a0f62d8eb3e5495be678ad75f5164e5dc67658667c7611e2099d9","src/message_full.rs":"4bbbb917a86aa3b14f63e93db41522c78223036b6e7d219769927059ff70205e","src/misc.rs":"1679b6f8b5c2b4375e71835fb7ca83a4de6db498f092abf5ab3a9f5eaccf0d5a","src/oneof.rs":"de5a694a56931308fc1a790678aaaf8b67d7c6b56c9f7b2fde36a14312863e05","src/oneof_full.rs":"b9d5d95db115b1ebf6e7c222373008d4f9f86e21347ddf50ef23f8cd11b8f777","src/owning_ref.rs":"1face1307d85ef98f5b9752eb45de47884c3ce68d31cec315ebfac6559ab501f","src/plugin.rs":"5bbb2aaecc59c590755e0fe972c4f231d506bbc1893d5f3e800d2e69ce805ec0","src/reflect/acc/mod.rs":"23500dd605f11f8def7d0f858a00cf1c85a7b95c293bc125ba0804a949b35162","src/reflect/acc/v2/map.rs":"46dab64d941e61fd61aa3794b2fab60bbd588a21ca9f1a378cdc022bbdfb60a1","src/reflect/acc/v2/mod.rs":"86639cfa45e3b2d08020c289001d87910fa972e9fb6a28a38880ccee51002a0c","src/reflect/acc/v2/repeated.rs":"07b62beb3bb81d1fa1de486c7cdce20ae2f4f46c2e93ed6f104b41d3a3a5beba","src/reflect/acc/v2/singular/mod.rs":"85bace3cf99fe0b05dce61bf19433077cf29506c6641b001935064fd37ab658f","src/reflect/acc/v2/singular/oneof.rs":"f70db73a0316185b8ae43b82cd29665d1140d920e7d28bb789a438eb06f9c62a","src/reflect/dynamic/map.rs":"565376a2db71cf607cb692b984acb41d16dfb04df59c9ad0eca8ba1fc85017cc","src/reflect/dynamic/mod.rs":"3ee7a82dbd5410d10eee44fdf3ae8b5f198185d7ff4a608f10a668
eba6af3a73","src/reflect/dynamic/optional.rs":"db923e3d343f869c2bf4f157559686251ff9744dfd0560ba1d1b1b46ae1b81fd","src/reflect/dynamic/repeated.rs":"61a7c698b59280564a1deb7200884875a8844120058c3d69ea4d6aa5f6c4266e","src/reflect/enums/generated.rs":"44e5dbe08a1a15067744580c87c6d09f66dc364f2791fc1ecab919e1dacdec09","src/reflect/enums/mod.rs":"aed1b29e4e42f34b26476a6013e64b7ec8876cfa53633583a751c344fd3ab34c","src/reflect/error.rs":"532a9c117606e8597a40d60b3efebc9371c4f746919cc611aaaddf105cbb3608","src/reflect/field/dynamic.rs":"8e81f7b6f684ed58287eb2de20f3abb8dabb062601715421d3d1e4c041101602","src/reflect/field/index.rs":"4aeef75560e52bf865718f9323fc5b2b2318a6e4bb66fadc57f4875999cf15b3","src/reflect/field/mod.rs":"6c646e59e64e327a961e680f5b189cdb1d540b61b26cd345d623456a4f764a22","src/reflect/field/protobuf_field_type.rs":"6ec9ca95c25a9c9fe70fad51b1221676e9d3d5a6daac37d5633379471d8c4257","src/reflect/field/runtime_field_type.rs":"26166bb9d48caa0287dfe6235937e5bd647692ca75e8ee4855d0e198f9a79d73","src/reflect/file/building.rs":"53806efda5872c32f63f55582b767be8becff1d7bfb4ed0c11947c912ad55a75","src/reflect/file/dynamic.rs":"3e26271c31816dae043eb70c9990a6fc621c9b5241a555d968f731dfd4762489","src/reflect/file/fds.rs":"9a369eaea05a000710bf977cce28d3fad1463f8ffa42df35e4f5ac5de306f9e6","src/reflect/file/generated.rs":"88f3d88ddbcfa01812398ddc5c350c54cc42b15d99223a642574f55d4d6cdf69","src/reflect/file/index.rs":"3d53af11b39b164b488e3850c3a5be5ae4628c172b4475e4ae5b993225bdeae9","src/reflect/file/mod.rs":"b7aa1c4154677630b843c81d35c60f1374d00d44d3477e6e899e18cb7ae97db1","src/reflect/file/syntax.rs":"8d6d6c3a7bbf9217df3550410a9ba1eb9c08295aa410cc5d2e65efe1eec3ca3a","src/reflect/find_message_or_enum.rs":"e8b10159819cce4414da7681cb3ce0b4e62a45adf4e3e7933a3c1b4f8e97cfb8","src/reflect/map/empty.rs":"230cbcda25bfd3c6f348043eef032252b8a0d86a0c71d93d6206adc59d688732","src/reflect/map/generated.rs":"f1b332e97d267c3272b26be03bee80fe9420bb6fc203ae6f3f9dd3044d564778","src/reflect/map/mod.rs":"7
648fa897f4a8acf1ab48b8bba8f165cb4b09a46125e645d600a7b9ced55e1a2","src/reflect/message/generated.rs":"c76f5e887534bc9648dd105718f79bb93465549d57b25c4a00957e603749721c","src/reflect/message/is_initialized_is_always_true.rs":"af716e9d0ce233fda9c7dee13814c24c188ea195cf907d81f74fb198ef2760ae","src/reflect/message/message_ref.rs":"80472f804a4dd3b91f6fec4451639ca356f2b33c502775e0fd6b2c3bfbe1be0a","src/reflect/message/mod.rs":"5ef7f5ecdc2de7c0789b8558711a976e2376fcaae67975a10d9f1bd4179703e5","src/reflect/mod.rs":"620cab65b696a13144ed54d589ca8c4176ecb8127b2ba2a294806f649c0fbd9f","src/reflect/name.rs":"0377dcf871ca5add5e168a3bff04d9f01fe5970db4dfb66272def6484dc7d54b","src/reflect/oneof/generated.rs":"c02b7cd7415f52366f6092559643869812db842bd1c383ce7d8759e519ab453a","src/reflect/oneof/mod.rs":"55c906888e89a7bfd1f8865cced5078905b512f3ce9af20d16614fdf5791c31d","src/reflect/optional/mod.rs":"5dada97750209aeddf1506eea0a59d709aeb3e44bae5443214e0c2950c870952","src/reflect/protobuf_type_box.rs":"5ed50bdefa5eebe8bf0547cb37def38d814653ac7a0d401eb4f05b8a72ebf509","src/reflect/reflect_eq.rs":"1352d0be16ff7dc2089d499b3fbcf40d501406e8648649092aa2cb21f207aac0","src/reflect/repeated/drain_iter.rs":"0f065e5ef884ee90189594b8a92d814c40a4b3ff80ed659f2f8a0ac56795011d","src/reflect/repeated/iter.rs":"f7f7bf56347850f567612feab9542c4658f251ce74b7b8fb7ed6612cb85584f0","src/reflect/repeated/mod.rs":"6084482af4936340e1bfd43ff8d06351c3d0316f26cb9f8b73bd8c16f3e9df98","src/reflect/repeated/transmute.rs":"ecd5b5b2772670b030a6d96b47b54bf8500ec0996920ef0db7d5f4b6f338c493","src/reflect/repeated/vec_downcast.rs":"7f4c2997d313f45bc46a097fad7c579d663c642cba425a7851f590282d58309d","src/reflect/rt/mod.rs":"4f0266be9bd092a6ee49a1f3453ff08eabfcebb65473b6c8552a260ac7a4817b","src/reflect/rt/v2.rs":"3faa866b4aa766875062071eb6db36c7c42a3d9145f66162a85aac91e200e354","src/reflect/runtime_type_box.rs":"6d8988ed25218f13da61db5dbbefa621df3fd7f1141669854c6ec9571b3eee6c","src/reflect/runtime_types.rs":"07b8eeac30f666c890ccac14
c5076b77d010abf322b8f23883032e2ad003476e","src/reflect/service/index.rs":"4a41f90b6c8b3f5c8349075aec84fcbb90ab3028451d2ba40cb83257ff4d90c7","src/reflect/service/mod.rs":"1d0b5b3d9cd1968731971137ca320a91591ee9ca45828d3e4284da87397044f6","src/reflect/type_dynamic.rs":"76c9e764978c66444a4ffb5b558cbce241d1e1123c5dd6eb250f56b48b7b0a5c","src/reflect/types.rs":"fb6a18354a7a8fa7dc6a4db51793af8a5c41680bc49c1d157145a21a75f5f3e4","src/reflect/value/mod.rs":"56f7ff8c4541108fff20f83f7f12ef173ce398e642b482dc3a4cf92c9e1cea17","src/reflect/value/value_box.rs":"1037d01c52a4f0432e42a2c023f5c68ed458ed60b196597ca78f81b6207ecb83","src/reflect/value/value_ref.rs":"7a3490eb4918ee725ad59219b0fc5810b231eaf2ddf798ab75085b4acc145b2e","src/rt/map.rs":"c4bd4246181a43dc9cf1735ec5882955af595fba8ef839a06e0e1df399848520","src/rt/message.rs":"c9b9b3b8f25b6813b8ca2411f015ae80b2abba377d44f9f9b9c05cb45366229a","src/rt/mod.rs":"db610d871d8fb022ba4634199896534ecb3d6ad22c7e2cabbf4d7ad79e1c8c66","src/rt/packed.rs":"be2fae85812c39d815bcb0463e3ea67774770c25014b764b8712dd2b90d360c6","src/rt/repeated.rs":"213d08349efb21bc02fb5abd1d1c3f039ae1d4368f53f548cdf1999897c60f1c","src/rt/singular.rs":"2c982de7a686a8d0c430ce690297a524e892a70bca33d288c6e9b912d19e994c","src/rt/unknown_or_group.rs":"a0bf9af0bdb6ee4261bdc9d5136288e3d17f7de611b7f61943caf6d8eb38367d","src/rustproto.rs":"4a49fac5c9caaca991dd5505c154941e8f94708c254269119e64cf053f7aaea9","src/special.rs":"2f64cfbb0659249cf4a951cefb51b1a17ddf85785eb868b68af7546cd31a5101","src/text_format/mod.rs":"da0aeb839963afcba1923b68a06264185a927cef3f3075ca958c11fa1e780535","src/text_format/parse.rs":"c7be3464fa8f6624ed2001b450e999f93bea5f6118132b7f372110c7af5e5e71","src/text_format/print.rs":"7bd28696ce2a98f9520e2303b0f70fe1d46b045d550f55064a3b524b58f9dfab","src/timestamp.rs":"f0590e19fd7740bdc65a0dc6f9d73bf55559638515ca7849481022288a9bee43","src/unknown.rs":"fd6091ad04dadbde5793ea42af50fa51cf2e7737696029a9e0d1f001f0c1423d","src/varint/decode.rs":"5e9fdf9fb5fe82ddc223feaf5867
c0a081bd67731635f88cb9a5b1faeeb79f82","src/varint/encode.rs":"bc0969a152aff774976216f9f2bdbc273a24da07d57b8e3ec96ebe691d4559c1","src/varint/generic.rs":"98e31da80c278cff672ddc8231241cc789ad6de138fa6ca6c0483ff1783f4957","src/varint/mod.rs":"643b5b2443b4e103fc4eeac7844dcda4b9c6b2bab3cfe9fba00145ccea9a4505","src/well_known_types/any.rs":"7db9c4f0df3f0809821e09bb0bd2ddaa07ff4471be005fc02f2be9828a1aedd1","src/well_known_types/api.rs":"80bf5fe39c7263a440d5c1bec8bb6c5a0dd274f73c3f702c4e223cfdf02f74eb","src/well_known_types/duration.rs":"33c4039d594eb8df4a35f1bae1ad2a5dc36a5bf167369d99faf480cc7e1cb284","src/well_known_types/empty.rs":"47f56d10483e9c6c3e276e54d877e70aaf3b2a57c269a636dd9948d0e4ff419f","src/well_known_types/field_mask.rs":"7b4d883c03ec89d83b919271d03273def230c30caae36b7247cba1b325ccc551","src/well_known_types/mod.rs":"b141483834c860b221d0946a584389ebcefc2c5f7692ce1f95869c9f83ff2c16","src/well_known_types/source_context.rs":"fbec3ec4e1e59be865d0b7cb4d3b08aa197b46ca27fc3d90ed7da30514df6355","src/well_known_types/struct_.rs":"00bfebd64c851a7e0b0b26d3fc1319fd072975cb84169066b5aa00a4871ac6c8","src/well_known_types/timestamp.rs":"bc8b3a27f7b1ec134aa5a9d1187b63e02d5d2e72b153a9b6153e0b7a078c003e","src/well_known_types/type_.rs":"789fa7e0ec2fe7fc5f68a06636ade107fc305780b597c7c9687dbe3560252514","src/well_known_types/wrappers.rs":"56cbbf290be81ce7d62fd33b883015ef3de2abc1d5f8c683e38e96397f1d056d","src/well_known_types_util/any.rs":"2b2e5cdf1d413bc13485bfc78c84d8403168d6b1a6dbc10d585bf10326120c81","src/well_known_types_util/duration.rs":"e0d9de89f8c7c4b2075f23c2a4451dfec4ae1f28c9784ea39a626a8c3aa9e005","src/well_known_types_util/mod.rs":"81fb1c0721602ffe91c4587f727457b59c8697863e3f853cd9569db5cee973e9","src/well_known_types_util/timestamp.rs":"f55906fef3190fa1786ed736ded16f3ac6de2095cb974af5a476c2a2f91260b3","src/wire_format.rs":"f1d09b0bd1e4c5e4072b5c943e749f7b727737bd08a6d82f81d4f2a60e2ab94e","src/zigzag.rs":"0dcbdf54d4bc8141fdc64d074e6f6f7633bbb66cc782cd4bd6d343ce0569c
3de"},"package":"a3a7c64d9bf75b1b8d981124c14c179074e8caa7dfe7b6a12e6222ddcd0c8f72"} +\ No newline at end of file ++{"files":{"Cargo.toml":"96cda32a56ae7f781b2142812f054e6f31435b30a2f0b2386346cbf277186920","LICENSE.txt":"7f2fa80a60e84f8dc0747abb0e42342f83bded04a20461a636b47c0331b92ddf","README.md":"14dbb3068c031afbd44010a4ff0c8146aa7e02f6051579177767f218fff9cd38","build.rs":"347d9aa6d4b102b6e83c65aeef89b1e1752536bd8ef80fc834a2c78d5cb2ff80","regenerate.sh":"df3bc8537c038fd356367e5af433c284dd5b76505c35f6f89deab0f099a3e3e0","src/byteorder.rs":"9e6b481be82182ac99ff9704468b4d64656fb922f90c54ca83a8d7ca1dfd2e3a","src/cached_size.rs":"895788d7356a1fcd0f2d7446996066f8c53a0f36032174a97273997e65440fa0","src/chars.rs":"816a0af0b830ecd43028e40295fe0bf9eb79263f00fee01678c75d4ac5b7e908","src/coded_input_stream/buf_read_iter.rs":"2cba31136e56dd63c9a17d1bf4627f430b2ed3ddb35abf4479f57bcb912cdb4e","src/coded_input_stream/buf_read_or_reader.rs":"2bf3befcfce8c97faae7563084a7d93931afc5b886419e491111c15b4139058e","src/coded_input_stream/input_buf.rs":"cf71e63d3aef90188c55b6d42aa7cad47bcba16b27e687e44a15bd45e65b8737","src/coded_input_stream/input_source.rs":"8ce41ec8d147d03adf2dbd27ae0fa0b6e33400b62a9c945ab7aa2224bf43a863","src/coded_input_stream/mod.rs":"9c9eef558aec08a5071303896703aae82a1fa1358d50784e836319e9dcdd2789","src/coded_output_stream/buffer.rs":"cafbbb3f02df26c98a4e5556e99a5a2ce811ffea4c49ba982532a6d9a53ec7d8","src/coded_output_stream/mod.rs":"06289bfaa7971ef275b1017d8b5d4197b864fc881f83d0ed073a28fca894a0ba","src/coded_output_stream/output_target.rs":"ab28889b824b91688cb5c17cf79bdbec96aeeea59f22946b9f359b957cc40580","src/coded_output_stream/with.rs":"47541db9f4f51cacd406571f02d6abe8f4837413c7cecbe511fc0c24ef2384f2","src/descriptor.rs":"4b3f1a458d5e105c01c03671bce753b564fcddefabe36ab41f986ac070a33614","src/doctest_pb.rs":"74ffeba6811126ab8ed076e8d3debbb634f8f9bba3bd77f9c288e88d7937591a","src/enum_full.rs":"ca658951c42ef539ce6221d8f1b1e5005a1a14393460078c40611bb7091629d0","src/enum
_or_unknown.rs":"3088b9d139f296284a44d4f9da9c75476dfa00168358328f46b1c52c73572521","src/enums.rs":"e0af03e21b48d3bb44d06a7971229e8e5ee6c8230323534f774f4874de3c9760","src/error.rs":"1839b319f456b56e2bb3c59f119f4c0bec53a02d52c92619b887bfdb1656183b","src/ext.rs":"b5c43e19ca56612e81560e520831da1746520be7944e506e44e07356b1415bbf","src/fixed.rs":"40b32b11dd53f0dc3de2c73f9003c6c0f762cf802e30e16beb5a22a18f8f2f50","src/lazy.rs":"b202a8cd252b11b013983f27c1ed5eac046674ed156a4e5e63357e15ead746df","src/lib.rs":"f22f0d3c3372cc68450071bb2abf8a1542d0f3348f5ec1133e9b785445494f56","src/message.rs":"a112b1d5c769d866a586a4c9af9245fa8029991563d2ff33c47e9d4c2b32fef7","src/message_dyn.rs":"c2d06029139a1ef09409227c0c501dd361b485ff1e4fcbf1d2b0cb579cd80fba","src/message_field.rs":"8456bcc3118a0f62d8eb3e5495be678ad75f5164e5dc67658667c7611e2099d9","src/message_full.rs":"4bbbb917a86aa3b14f63e93db41522c78223036b6e7d219769927059ff70205e","src/misc.rs":"1679b6f8b5c2b4375e71835fb7ca83a4de6db498f092abf5ab3a9f5eaccf0d5a","src/oneof.rs":"de5a694a56931308fc1a790678aaaf8b67d7c6b56c9f7b2fde36a14312863e05","src/oneof_full.rs":"b9d5d95db115b1ebf6e7c222373008d4f9f86e21347ddf50ef23f8cd11b8f777","src/owning_ref.rs":"1face1307d85ef98f5b9752eb45de47884c3ce68d31cec315ebfac6559ab501f","src/plugin.rs":"5bbb2aaecc59c590755e0fe972c4f231d506bbc1893d5f3e800d2e69ce805ec0","src/reflect/acc/mod.rs":"23500dd605f11f8def7d0f858a00cf1c85a7b95c293bc125ba0804a949b35162","src/reflect/acc/v2/map.rs":"46dab64d941e61fd61aa3794b2fab60bbd588a21ca9f1a378cdc022bbdfb60a1","src/reflect/acc/v2/mod.rs":"86639cfa45e3b2d08020c289001d87910fa972e9fb6a28a38880ccee51002a0c","src/reflect/acc/v2/repeated.rs":"07b62beb3bb81d1fa1de486c7cdce20ae2f4f46c2e93ed6f104b41d3a3a5beba","src/reflect/acc/v2/singular/mod.rs":"85bace3cf99fe0b05dce61bf19433077cf29506c6641b001935064fd37ab658f","src/reflect/acc/v2/singular/oneof.rs":"f70db73a0316185b8ae43b82cd29665d1140d920e7d28bb789a438eb06f9c62a","src/reflect/dynamic/map.rs":"565376a2db71cf607cb692b984acb41d16dfb
04df59c9ad0eca8ba1fc85017cc","src/reflect/dynamic/mod.rs":"3ee7a82dbd5410d10eee44fdf3ae8b5f198185d7ff4a608f10a668eba6af3a73","src/reflect/dynamic/optional.rs":"db923e3d343f869c2bf4f157559686251ff9744dfd0560ba1d1b1b46ae1b81fd","src/reflect/dynamic/repeated.rs":"61a7c698b59280564a1deb7200884875a8844120058c3d69ea4d6aa5f6c4266e","src/reflect/enums/generated.rs":"44e5dbe08a1a15067744580c87c6d09f66dc364f2791fc1ecab919e1dacdec09","src/reflect/enums/mod.rs":"aed1b29e4e42f34b26476a6013e64b7ec8876cfa53633583a751c344fd3ab34c","src/reflect/error.rs":"532a9c117606e8597a40d60b3efebc9371c4f746919cc611aaaddf105cbb3608","src/reflect/field/dynamic.rs":"8e81f7b6f684ed58287eb2de20f3abb8dabb062601715421d3d1e4c041101602","src/reflect/field/index.rs":"4aeef75560e52bf865718f9323fc5b2b2318a6e4bb66fadc57f4875999cf15b3","src/reflect/field/mod.rs":"6c646e59e64e327a961e680f5b189cdb1d540b61b26cd345d623456a4f764a22","src/reflect/field/protobuf_field_type.rs":"6ec9ca95c25a9c9fe70fad51b1221676e9d3d5a6daac37d5633379471d8c4257","src/reflect/field/runtime_field_type.rs":"26166bb9d48caa0287dfe6235937e5bd647692ca75e8ee4855d0e198f9a79d73","src/reflect/file/building.rs":"53806efda5872c32f63f55582b767be8becff1d7bfb4ed0c11947c912ad55a75","src/reflect/file/dynamic.rs":"3e26271c31816dae043eb70c9990a6fc621c9b5241a555d968f731dfd4762489","src/reflect/file/fds.rs":"9a369eaea05a000710bf977cce28d3fad1463f8ffa42df35e4f5ac5de306f9e6","src/reflect/file/generated.rs":"88f3d88ddbcfa01812398ddc5c350c54cc42b15d99223a642574f55d4d6cdf69","src/reflect/file/index.rs":"3d53af11b39b164b488e3850c3a5be5ae4628c172b4475e4ae5b993225bdeae9","src/reflect/file/mod.rs":"b7aa1c4154677630b843c81d35c60f1374d00d44d3477e6e899e18cb7ae97db1","src/reflect/file/syntax.rs":"8d6d6c3a7bbf9217df3550410a9ba1eb9c08295aa410cc5d2e65efe1eec3ca3a","src/reflect/find_message_or_enum.rs":"e8b10159819cce4414da7681cb3ce0b4e62a45adf4e3e7933a3c1b4f8e97cfb8","src/reflect/map/empty.rs":"230cbcda25bfd3c6f348043eef032252b8a0d86a0c71d93d6206adc59d688732","src/reflect
/map/generated.rs":"f1b332e97d267c3272b26be03bee80fe9420bb6fc203ae6f3f9dd3044d564778","src/reflect/map/mod.rs":"7648fa897f4a8acf1ab48b8bba8f165cb4b09a46125e645d600a7b9ced55e1a2","src/reflect/message/generated.rs":"c76f5e887534bc9648dd105718f79bb93465549d57b25c4a00957e603749721c","src/reflect/message/is_initialized_is_always_true.rs":"af716e9d0ce233fda9c7dee13814c24c188ea195cf907d81f74fb198ef2760ae","src/reflect/message/message_ref.rs":"80472f804a4dd3b91f6fec4451639ca356f2b33c502775e0fd6b2c3bfbe1be0a","src/reflect/message/mod.rs":"5ef7f5ecdc2de7c0789b8558711a976e2376fcaae67975a10d9f1bd4179703e5","src/reflect/mod.rs":"620cab65b696a13144ed54d589ca8c4176ecb8127b2ba2a294806f649c0fbd9f","src/reflect/name.rs":"0377dcf871ca5add5e168a3bff04d9f01fe5970db4dfb66272def6484dc7d54b","src/reflect/oneof/generated.rs":"c02b7cd7415f52366f6092559643869812db842bd1c383ce7d8759e519ab453a","src/reflect/oneof/mod.rs":"55c906888e89a7bfd1f8865cced5078905b512f3ce9af20d16614fdf5791c31d","src/reflect/optional/mod.rs":"5dada97750209aeddf1506eea0a59d709aeb3e44bae5443214e0c2950c870952","src/reflect/protobuf_type_box.rs":"5ed50bdefa5eebe8bf0547cb37def38d814653ac7a0d401eb4f05b8a72ebf509","src/reflect/reflect_eq.rs":"1352d0be16ff7dc2089d499b3fbcf40d501406e8648649092aa2cb21f207aac0","src/reflect/repeated/drain_iter.rs":"0f065e5ef884ee90189594b8a92d814c40a4b3ff80ed659f2f8a0ac56795011d","src/reflect/repeated/iter.rs":"f7f7bf56347850f567612feab9542c4658f251ce74b7b8fb7ed6612cb85584f0","src/reflect/repeated/mod.rs":"6084482af4936340e1bfd43ff8d06351c3d0316f26cb9f8b73bd8c16f3e9df98","src/reflect/repeated/transmute.rs":"ecd5b5b2772670b030a6d96b47b54bf8500ec0996920ef0db7d5f4b6f338c493","src/reflect/repeated/vec_downcast.rs":"7f4c2997d313f45bc46a097fad7c579d663c642cba425a7851f590282d58309d","src/reflect/rt/mod.rs":"4f0266be9bd092a6ee49a1f3453ff08eabfcebb65473b6c8552a260ac7a4817b","src/reflect/rt/v2.rs":"3faa866b4aa766875062071eb6db36c7c42a3d9145f66162a85aac91e200e354","src/reflect/runtime_type_box.rs":"6d8988ed2
5218f13da61db5dbbefa621df3fd7f1141669854c6ec9571b3eee6c","src/reflect/runtime_types.rs":"07b8eeac30f666c890ccac14c5076b77d010abf322b8f23883032e2ad003476e","src/reflect/service/index.rs":"4a41f90b6c8b3f5c8349075aec84fcbb90ab3028451d2ba40cb83257ff4d90c7","src/reflect/service/mod.rs":"1d0b5b3d9cd1968731971137ca320a91591ee9ca45828d3e4284da87397044f6","src/reflect/type_dynamic.rs":"76c9e764978c66444a4ffb5b558cbce241d1e1123c5dd6eb250f56b48b7b0a5c","src/reflect/types.rs":"fb6a18354a7a8fa7dc6a4db51793af8a5c41680bc49c1d157145a21a75f5f3e4","src/reflect/value/mod.rs":"56f7ff8c4541108fff20f83f7f12ef173ce398e642b482dc3a4cf92c9e1cea17","src/reflect/value/value_box.rs":"1037d01c52a4f0432e42a2c023f5c68ed458ed60b196597ca78f81b6207ecb83","src/reflect/value/value_ref.rs":"7a3490eb4918ee725ad59219b0fc5810b231eaf2ddf798ab75085b4acc145b2e","src/rt/map.rs":"c4bd4246181a43dc9cf1735ec5882955af595fba8ef839a06e0e1df399848520","src/rt/message.rs":"c9b9b3b8f25b6813b8ca2411f015ae80b2abba377d44f9f9b9c05cb45366229a","src/rt/mod.rs":"db610d871d8fb022ba4634199896534ecb3d6ad22c7e2cabbf4d7ad79e1c8c66","src/rt/packed.rs":"be2fae85812c39d815bcb0463e3ea67774770c25014b764b8712dd2b90d360c6","src/rt/repeated.rs":"213d08349efb21bc02fb5abd1d1c3f039ae1d4368f53f548cdf1999897c60f1c","src/rt/singular.rs":"2c982de7a686a8d0c430ce690297a524e892a70bca33d288c6e9b912d19e994c","src/rt/unknown_or_group.rs":"a0bf9af0bdb6ee4261bdc9d5136288e3d17f7de611b7f61943caf6d8eb38367d","src/rustproto.rs":"4a49fac5c9caaca991dd5505c154941e8f94708c254269119e64cf053f7aaea9","src/special.rs":"2f64cfbb0659249cf4a951cefb51b1a17ddf85785eb868b68af7546cd31a5101","src/text_format/mod.rs":"da0aeb839963afcba1923b68a06264185a927cef3f3075ca958c11fa1e780535","src/text_format/parse.rs":"c7be3464fa8f6624ed2001b450e999f93bea5f6118132b7f372110c7af5e5e71","src/text_format/print.rs":"7bd28696ce2a98f9520e2303b0f70fe1d46b045d550f55064a3b524b58f9dfab","src/timestamp.rs":"f0590e19fd7740bdc65a0dc6f9d73bf55559638515ca7849481022288a9bee43","src/unknown.rs":"fd609
1ad04dadbde5793ea42af50fa51cf2e7737696029a9e0d1f001f0c1423d","src/varint/decode.rs":"5e9fdf9fb5fe82ddc223feaf5867c0a081bd67731635f88cb9a5b1faeeb79f82","src/varint/encode.rs":"bc0969a152aff774976216f9f2bdbc273a24da07d57b8e3ec96ebe691d4559c1","src/varint/generic.rs":"98e31da80c278cff672ddc8231241cc789ad6de138fa6ca6c0483ff1783f4957","src/varint/mod.rs":"643b5b2443b4e103fc4eeac7844dcda4b9c6b2bab3cfe9fba00145ccea9a4505","src/well_known_types/any.rs":"7db9c4f0df3f0809821e09bb0bd2ddaa07ff4471be005fc02f2be9828a1aedd1","src/well_known_types/api.rs":"80bf5fe39c7263a440d5c1bec8bb6c5a0dd274f73c3f702c4e223cfdf02f74eb","src/well_known_types/duration.rs":"33c4039d594eb8df4a35f1bae1ad2a5dc36a5bf167369d99faf480cc7e1cb284","src/well_known_types/empty.rs":"47f56d10483e9c6c3e276e54d877e70aaf3b2a57c269a636dd9948d0e4ff419f","src/well_known_types/field_mask.rs":"7b4d883c03ec89d83b919271d03273def230c30caae36b7247cba1b325ccc551","src/well_known_types/mod.rs":"b141483834c860b221d0946a584389ebcefc2c5f7692ce1f95869c9f83ff2c16","src/well_known_types/source_context.rs":"fbec3ec4e1e59be865d0b7cb4d3b08aa197b46ca27fc3d90ed7da30514df6355","src/well_known_types/struct_.rs":"00bfebd64c851a7e0b0b26d3fc1319fd072975cb84169066b5aa00a4871ac6c8","src/well_known_types/timestamp.rs":"bc8b3a27f7b1ec134aa5a9d1187b63e02d5d2e72b153a9b6153e0b7a078c003e","src/well_known_types/type_.rs":"789fa7e0ec2fe7fc5f68a06636ade107fc305780b597c7c9687dbe3560252514","src/well_known_types/wrappers.rs":"56cbbf290be81ce7d62fd33b883015ef3de2abc1d5f8c683e38e96397f1d056d","src/well_known_types_util/any.rs":"2b2e5cdf1d413bc13485bfc78c84d8403168d6b1a6dbc10d585bf10326120c81","src/well_known_types_util/duration.rs":"e0d9de89f8c7c4b2075f23c2a4451dfec4ae1f28c9784ea39a626a8c3aa9e005","src/well_known_types_util/mod.rs":"81fb1c0721602ffe91c4587f727457b59c8697863e3f853cd9569db5cee973e9","src/well_known_types_util/timestamp.rs":"f55906fef3190fa1786ed736ded16f3ac6de2095cb974af5a476c2a2f91260b3","src/wire_format.rs":"f1d09b0bd1e4c5e4072b5c943e749f7
b727737bd08a6d82f81d4f2a60e2ab94e","src/zigzag.rs":"0dcbdf54d4bc8141fdc64d074e6f6f7633bbb66cc782cd4bd6d343ce0569c3de"},"package":"a3a7c64d9bf75b1b8d981124c14c179074e8caa7dfe7b6a12e6222ddcd0c8f72"}
+diff --git a/vendor/protobuf-3.7.1/src/coded_input_stream/mod.rs b/vendor/protobuf-3.7.1/src/coded_input_stream/mod.rs
+index a979df19c..dc8029c51 100644
+--- a/vendor/protobuf-3.7.1/src/coded_input_stream/mod.rs
++++ b/vendor/protobuf-3.7.1/src/coded_input_stream/mod.rs
+@@ -511,6 +511,13 @@ impl<'a> CodedInputStream<'a> {
+ }
+
+ fn skip_group(&mut self) -> crate::Result<()> {
++ self.incr_recursion()?;
++ let ret = self.skip_group_no_depth_check();
++ self.decr_recursion();
++ ret
++ }
++
++ fn skip_group_no_depth_check(&mut self) -> crate::Result<()> {
+ while !self.eof()? {
+ let wire_type = self.read_tag_unpack()?.1;
+ if wire_type == WireType::EndGroup {
+@@ -631,19 +638,16 @@ impl<'a> CodedInputStream<'a> {
+ /// Read message, do not check if message is initialized
+ pub fn merge_message(&mut self, message: &mut M) -> crate::Result<()> {
+ self.incr_recursion()?;
+- struct DecrRecursion<'a, 'b>(&'a mut CodedInputStream<'b>);
+- impl<'a, 'b> Drop for DecrRecursion<'a, 'b> {
+- fn drop(&mut self) {
+- self.0.decr_recursion();
+- }
+- }
+-
+- let mut decr = DecrRecursion(self);
++ let ret = self.merge_message_no_depth_check(message);
++ self.decr_recursion();
++ ret
++ }
+
+- let len = decr.0.read_raw_varint64()?;
+- let old_limit = decr.0.push_limit(len)?;
+- message.merge_from(&mut decr.0)?;
+- decr.0.pop_limit(old_limit);
++ fn merge_message_no_depth_check(&mut self, message: &mut M) -> crate::Result<()> {
++ let len = self.read_raw_varint64()?;
++ let old_limit = self.push_limit(len)?;
++ message.merge_from(self)?;
++ self.pop_limit(old_limit);
+ Ok(())
+ }
+
+@@ -982,4 +986,47 @@ mod test {
+ );
+ assert_eq!("field 3", input.read_string().unwrap());
+ }
++
++ #[test]
++ fn test_shallow_nested_unknown_groups() {
++ // Test skip_group() succeeds on a start group tag 50 times
++ // followed by end group tag 50 times. We should be able to
++ // successfully skip the outermost group.
++ let mut vec = Vec::new();
++ let mut os = CodedOutputStream::new(&mut vec);
++ for _ in 0..50 {
++ os.write_tag(1, WireType::StartGroup).unwrap();
++ }
++ for _ in 0..50 {
++ os.write_tag(1, WireType::EndGroup).unwrap();
++ }
++ drop(os);
++
++ let mut input = CodedInputStream::from_bytes(&vec);
++ assert!(input.skip_group().is_ok());
++ }
++
++ #[test]
++ fn test_deeply_nested_unknown_groups() {
++ // Create an output stream that has groups nested recursively 1000
++ // deep, and try to skip the group.
++ // This should fail the default depth limit of 100 which ensures we
++ // don't blow the stack on adversial input.
++ let mut vec = Vec::new();
++ let mut os = CodedOutputStream::new(&mut vec);
++ for _ in 0..1000 {
++ os.write_tag(1, WireType::StartGroup).unwrap();
++ }
++ for _ in 0..1000 {
++ os.write_tag(1, WireType::EndGroup).unwrap();
++ }
++ drop(os);
++
++ let mut input = CodedInputStream::from_bytes(&vec);
++ assert!(input
++ .skip_group()
++ .unwrap_err()
++ .to_string()
++ .contains("Over recursion limit"));
++ }
+ }
+-- 
+2.45.2
+
diff --git a/SPECS/rust/CVE-2025-53605_1.75.patch b/SPECS/rust/CVE-2025-53605_1.75.patch
new file mode 100644
index 0000000000..acc02c6244
--- /dev/null
+++ b/SPECS/rust/CVE-2025-53605_1.75.patch
@@ -0,0 +1,128 @@
+From f06992f46771c0a092593b9ebf7afd48740b3ed6 Mon Sep 17 00:00:00 2001
+From: esrauchg <140440793+esrauchg@users.noreply.github.com>
+Date: Sun, 9 Mar 2025 17:23:01 -0400
+Subject: [PATCH] Apply depth limit to unknown groups (#756)
+
+* Fix issue where a deeply nested unknown group could cause arbitrarily recursion depth.
+
+* Add drop(os) to fix tests
+
+* Check err message on recursion limit exceeded.
+
+* Run formatter
+
+* Fix test with .unwrap_err()
+
+Upstream Patch Reference: https://github.com/stepancheg/rust-protobuf/commit/f06992f46771c0a092593b9ebf7afd48740b3ed6.patch
+---
+
+ vendor/protobuf/.cargo-checksum.json | 2 +-
+ vendor/protobuf/src/coded_input_stream/mod.rs | 71 +++++++++++++++----
+ 2 files changed, 60 insertions(+), 13 deletions(-)
+
+diff --git a/vendor/protobuf/.cargo-checksum.json b/vendor/protobuf/.cargo-checksum.json
+index 8bc959c50..3d8881b49 100644
+--- a/vendor/protobuf/.cargo-checksum.json
++++ b/vendor/protobuf/.cargo-checksum.json
+@@ -1 +1 @@
+-{"files":{"Cargo.toml":"6f1e9e9629c49f82691a02216d23fc558b25a13587af27c56758ed28ff4ae55e","LICENSE.txt":"97647e63047ef75a82ee2928b335df94f45c87e08777dc033393c73294f3a57a","README.md":"a192b942572b5f097e320bf320498b1447fb2f66e7b31ce1ada9d09840255195","benches/coded_input_stream.rs":"4a97758265ebffd6158a84f33f6d3fa7f1449fc4c38094735fac92b2121407a8","benches/coded_output_stream.rs":"43f5ae7444f4f2585aba5b3fd70ff240ed46c72d17d31a4cdbb73013d3c21592","benches/write.rs":"1c8f95a110b465b3f24004bfd7231dd7cf37c2c2ea1ced21919b3c8d80d6b325","build.rs":"d469e5252740987d089efca1875aa554fc6501b152019ac4203d3b5439272441","regenerate.sh":"1fbc73e6a89504821b0b1fefcd621ba022b3c3c33a7aa7aa77bc4ce32cba46ef","src/byteorder.rs":"9e6b481be82182ac99ff9704468b4d64656fb922f90c54ca83a8d7ca1dfd2e3a","src/cached_size.rs":"895788d7356a1fcd0f2d7446996066f8c53a0f36032174a97273997e65440fa0","src/chars.rs":"816a0af0b830ecd43028e40295fe0bf9eb79263f00fee01678c75d4ac5b7e908","src/coded_input_stream/buf_read_iter.rs":"da0b7601f3a05090462350086398a135be8977e0f5889c5315ef0525058d73b8","src/coded_input_stream/buf_read_or_reader.rs":"2bf3befcfce8c97faae7563084a7d93931afc5b886419e491111c15b4139058e","src/coded_input_stream/input_buf.rs":"cf71e63d3aef90188c55b6d42aa7cad47bcba16b27e687e44a15bd45e65b8737","src/coded_input_stream/input_source.rs":"b620f2f95784f390574eb469b79d2f63f86c5453470bef6121201f2a5db125be","src/coded_input_stream/mod.rs":"ee6c11ddd3e224c6d91afe2574b3033525e9d164a15c8ec771cc8ea89de9ded6","src/coded_output_stream/buffer.rs":"cafbbb3f02df26c98a4e5556e99a5a2ce811ffea4c49ba982532a6d9a53ec7d8","src/coded_output_stream/mod.rs":"da38c42311823235ce1ecc0efed83ca5f4c02d1460dfae39efaf0a39cdaa14d9","src/coded_output_stream/output_target.rs":"ab28889b824b91688cb5c17cf79bdbec96aeeea59f22946b9f359b957cc40580","src/coded_output_stream/with.rs":"47541db9f4f51cacd406571f02d6abe8f4837413c7cecbe511fc0c24ef2384f2","src/descriptor.rs":"bbae5b8e7e47e4938c18f832cfce4d26b16fb76f6e6db8d6bfcff66b16bac76e","src/docte
st_pb.rs":"6c529d6606e3e21e68d4f746a90b31b1207db8bbc107486e390154490a232849","src/enum_full.rs":"ca658951c42ef539ce6221d8f1b1e5005a1a14393460078c40611bb7091629d0","src/enum_or_unknown.rs":"3088b9d139f296284a44d4f9da9c75476dfa00168358328f46b1c52c73572521","src/enums.rs":"b055cb673aba97c446d9d7c58dfeca977d6c6cc50d819c8cef128da0ef7e62f3","src/error.rs":"1839b319f456b56e2bb3c59f119f4c0bec53a02d52c92619b887bfdb1656183b","src/ext.rs":"b5c43e19ca56612e81560e520831da1746520be7944e506e44e07356b1415bbf","src/fixed.rs":"40b32b11dd53f0dc3de2c73f9003c6c0f762cf802e30e16beb5a22a18f8f2f50","src/lazy.rs":"b202a8cd252b11b013983f27c1ed5eac046674ed156a4e5e63357e15ead746df","src/lib.rs":"8b52bf3f782797fa81b522902851150f0e84ab1245bc39347b0014cef9e57b7e","src/message.rs":"a112b1d5c769d866a586a4c9af9245fa8029991563d2ff33c47e9d4c2b32fef7","src/message_dyn.rs":"c2d06029139a1ef09409227c0c501dd361b485ff1e4fcbf1d2b0cb579cd80fba","src/message_field.rs":"a4f35ebaef7912196e35d585832ccb318f23a0c0aa646de88de6d62079a3063f","src/message_full.rs":"4bbbb917a86aa3b14f63e93db41522c78223036b6e7d219769927059ff70205e","src/misc.rs":"1679b6f8b5c2b4375e71835fb7ca83a4de6db498f092abf5ab3a9f5eaccf0d5a","src/oneof.rs":"de5a694a56931308fc1a790678aaaf8b67d7c6b56c9f7b2fde36a14312863e05","src/oneof_full.rs":"b9d5d95db115b1ebf6e7c222373008d4f9f86e21347ddf50ef23f8cd11b8f777","src/owning_ref.rs":"1face1307d85ef98f5b9752eb45de47884c3ce68d31cec315ebfac6559ab501f","src/plugin.rs":"cfc80fa6541885906b8f21f6a7d2c7d0e83b3f1121093a24e2e55d59f6e1ec02","src/reflect/acc/mod.rs":"23500dd605f11f8def7d0f858a00cf1c85a7b95c293bc125ba0804a949b35162","src/reflect/acc/v2/map.rs":"070d17351d175227cc6b4bd580e1a0e12ea60b483bc67e666ac55526c81a56c2","src/reflect/acc/v2/mod.rs":"86639cfa45e3b2d08020c289001d87910fa972e9fb6a28a38880ccee51002a0c","src/reflect/acc/v2/repeated.rs":"dee457a69c0aae5a6c1cdc1a71300e586dbf7cb845eab5d6c4b64563513bb012","src/reflect/acc/v2/singular/mod.rs":"85bace3cf99fe0b05dce61bf19433077cf29506c6641b001935064fd37ab658f","
src/reflect/acc/v2/singular/oneof.rs":"f70db73a0316185b8ae43b82cd29665d1140d920e7d28bb789a438eb06f9c62a","src/reflect/dynamic/map.rs":"da992d492e21e5824e3f96b366dc78b3f546b9de8f66f799f9af32ce74cc5f3f","src/reflect/dynamic/mod.rs":"3ee7a82dbd5410d10eee44fdf3ae8b5f198185d7ff4a608f10a668eba6af3a73","src/reflect/dynamic/optional.rs":"db923e3d343f869c2bf4f157559686251ff9744dfd0560ba1d1b1b46ae1b81fd","src/reflect/dynamic/repeated.rs":"61a7c698b59280564a1deb7200884875a8844120058c3d69ea4d6aa5f6c4266e","src/reflect/enums/generated.rs":"44e5dbe08a1a15067744580c87c6d09f66dc364f2791fc1ecab919e1dacdec09","src/reflect/enums/mod.rs":"aed1b29e4e42f34b26476a6013e64b7ec8876cfa53633583a751c344fd3ab34c","src/reflect/error.rs":"532a9c117606e8597a40d60b3efebc9371c4f746919cc611aaaddf105cbb3608","src/reflect/field/dynamic.rs":"8e81f7b6f684ed58287eb2de20f3abb8dabb062601715421d3d1e4c041101602","src/reflect/field/index.rs":"4aeef75560e52bf865718f9323fc5b2b2318a6e4bb66fadc57f4875999cf15b3","src/reflect/field/mod.rs":"067a91d59a464042c1c9d266382696b4aaf3960e898e4e2378ff065ce3f23de2","src/reflect/field/protobuf_field_type.rs":"6ec9ca95c25a9c9fe70fad51b1221676e9d3d5a6daac37d5633379471d8c4257","src/reflect/field/runtime_field_type.rs":"26166bb9d48caa0287dfe6235937e5bd647692ca75e8ee4855d0e198f9a79d73","src/reflect/file/building.rs":"53806efda5872c32f63f55582b767be8becff1d7bfb4ed0c11947c912ad55a75","src/reflect/file/dynamic.rs":"3e26271c31816dae043eb70c9990a6fc621c9b5241a555d968f731dfd4762489","src/reflect/file/fds.rs":"9a369eaea05a000710bf977cce28d3fad1463f8ffa42df35e4f5ac5de306f9e6","src/reflect/file/generated.rs":"88f3d88ddbcfa01812398ddc5c350c54cc42b15d99223a642574f55d4d6cdf69","src/reflect/file/index.rs":"3d53af11b39b164b488e3850c3a5be5ae4628c172b4475e4ae5b993225bdeae9","src/reflect/file/mod.rs":"b7aa1c4154677630b843c81d35c60f1374d00d44d3477e6e899e18cb7ae97db1","src/reflect/file/syntax.rs":"8d6d6c3a7bbf9217df3550410a9ba1eb9c08295aa410cc5d2e65efe1eec3ca3a","src/reflect/find_message_or_enum.rs":"
e8b10159819cce4414da7681cb3ce0b4e62a45adf4e3e7933a3c1b4f8e97cfb8","src/reflect/map/empty.rs":"e8429213086d1f417e8e9785d6353cb6e751e7d76dcce1fcb32c302a7ee0d156","src/reflect/map/generated.rs":"0dd72936b32428cedb4f26250ba6d1c1814a1bb40fd6de423d997e50eb04e914","src/reflect/map/mod.rs":"fc444fd4924423c94dbb983d82baf7d9464d8f90cc51449ce104ed728e32dfd7","src/reflect/message/generated.rs":"c76f5e887534bc9648dd105718f79bb93465549d57b25c4a00957e603749721c","src/reflect/message/is_initialized_is_always_true.rs":"af716e9d0ce233fda9c7dee13814c24c188ea195cf907d81f74fb198ef2760ae","src/reflect/message/message_ref.rs":"80472f804a4dd3b91f6fec4451639ca356f2b33c502775e0fd6b2c3bfbe1be0a","src/reflect/message/mod.rs":"5ef7f5ecdc2de7c0789b8558711a976e2376fcaae67975a10d9f1bd4179703e5","src/reflect/mod.rs":"620cab65b696a13144ed54d589ca8c4176ecb8127b2ba2a294806f649c0fbd9f","src/reflect/name.rs":"0377dcf871ca5add5e168a3bff04d9f01fe5970db4dfb66272def6484dc7d54b","src/reflect/oneof/generated.rs":"c02b7cd7415f52366f6092559643869812db842bd1c383ce7d8759e519ab453a","src/reflect/oneof/mod.rs":"ce662622c10557f4f9bf9ddb04943136f8c74d16009d97496965262dbdf5e2ac","src/reflect/optional/mod.rs":"5dada97750209aeddf1506eea0a59d709aeb3e44bae5443214e0c2950c870952","src/reflect/protobuf_type_box.rs":"5ed50bdefa5eebe8bf0547cb37def38d814653ac7a0d401eb4f05b8a72ebf509","src/reflect/reflect_eq.rs":"1352d0be16ff7dc2089d499b3fbcf40d501406e8648649092aa2cb21f207aac0","src/reflect/repeated/drain_iter.rs":"0f065e5ef884ee90189594b8a92d814c40a4b3ff80ed659f2f8a0ac56795011d","src/reflect/repeated/iter.rs":"f7f7bf56347850f567612feab9542c4658f251ce74b7b8fb7ed6612cb85584f0","src/reflect/repeated/mod.rs":"6084482af4936340e1bfd43ff8d06351c3d0316f26cb9f8b73bd8c16f3e9df98","src/reflect/repeated/transmute.rs":"ecd5b5b2772670b030a6d96b47b54bf8500ec0996920ef0db7d5f4b6f338c493","src/reflect/repeated/vec_downcast.rs":"7f4c2997d313f45bc46a097fad7c579d663c642cba425a7851f590282d58309d","src/reflect/rt/mod.rs":"4f0266be9bd092a6ee49a1f3453f
f08eabfcebb65473b6c8552a260ac7a4817b","src/reflect/rt/v2.rs":"d1d7419f5d9d7a80748ded5f67488a7855491416a8cba024ab66a48be0d4ea4c","src/reflect/runtime_type_box.rs":"6d8988ed25218f13da61db5dbbefa621df3fd7f1141669854c6ec9571b3eee6c","src/reflect/runtime_types.rs":"3ae8764ba089ad59a951b1bc14d85c0d37ef61a85572a478d9c1bc4464798fb1","src/reflect/service/index.rs":"4a41f90b6c8b3f5c8349075aec84fcbb90ab3028451d2ba40cb83257ff4d90c7","src/reflect/service/mod.rs":"1d0b5b3d9cd1968731971137ca320a91591ee9ca45828d3e4284da87397044f6","src/reflect/type_dynamic.rs":"37d8443a95616acd5f499bc473d74d5831a1e60cb349b8baf35860352b16f2c3","src/reflect/types.rs":"bdaf23d44bd2e214e3c85543febe16aef5da45d2608fef1dfa4ea6252cf62cb0","src/reflect/value/mod.rs":"56f7ff8c4541108fff20f83f7f12ef173ce398e642b482dc3a4cf92c9e1cea17","src/reflect/value/value_box.rs":"1037d01c52a4f0432e42a2c023f5c68ed458ed60b196597ca78f81b6207ecb83","src/reflect/value/value_ref.rs":"7a3490eb4918ee725ad59219b0fc5810b231eaf2ddf798ab75085b4acc145b2e","src/rt/map.rs":"c4bd4246181a43dc9cf1735ec5882955af595fba8ef839a06e0e1df399848520","src/rt/message.rs":"c9b9b3b8f25b6813b8ca2411f015ae80b2abba377d44f9f9b9c05cb45366229a","src/rt/mod.rs":"db610d871d8fb022ba4634199896534ecb3d6ad22c7e2cabbf4d7ad79e1c8c66","src/rt/packed.rs":"be2fae85812c39d815bcb0463e3ea67774770c25014b764b8712dd2b90d360c6","src/rt/repeated.rs":"213d08349efb21bc02fb5abd1d1c3f039ae1d4368f53f548cdf1999897c60f1c","src/rt/singular.rs":"2c982de7a686a8d0c430ce690297a524e892a70bca33d288c6e9b912d19e994c","src/rt/unknown_or_group.rs":"a0bf9af0bdb6ee4261bdc9d5136288e3d17f7de611b7f61943caf6d8eb38367d","src/rustproto.rs":"ea9f86c6d0356c75db76d50da06c29647c8d2895bb6dcf7e91eccc6535f6c770","src/special.rs":"25e6afb4edfbcfd103a287dcdd1233ccb08ee91efce9471e3d5d370f040973c2","src/text_format/mod.rs":"da0aeb839963afcba1923b68a06264185a927cef3f3075ca958c11fa1e780535","src/text_format/parse.rs":"c7be3464fa8f6624ed2001b450e999f93bea5f6118132b7f372110c7af5e5e71","src/text_format/print.rs":"55e
df1f69cc0a66c538949d399e1ae015b8cf46c911863bd4d5b5dc520b56f91","src/timestamp.rs":"f0590e19fd7740bdc65a0dc6f9d73bf55559638515ca7849481022288a9bee43","src/unknown.rs":"fd6091ad04dadbde5793ea42af50fa51cf2e7737696029a9e0d1f001f0c1423d","src/varint/decode.rs":"5e9fdf9fb5fe82ddc223feaf5867c0a081bd67731635f88cb9a5b1faeeb79f82","src/varint/encode.rs":"43c1d67932aca6ea61a368f34233fff88d5d6253f5ebad842cbf69f26245e16d","src/varint/generic.rs":"98e31da80c278cff672ddc8231241cc789ad6de138fa6ca6c0483ff1783f4957","src/varint/mod.rs":"643b5b2443b4e103fc4eeac7844dcda4b9c6b2bab3cfe9fba00145ccea9a4505","src/well_known_types/any.rs":"296ea00846a7e6cce30d02cc2159ec8a147a85c80a73f10b0deada956b2d94e2","src/well_known_types/api.rs":"d67b5e61949514c1350e9041ea612e32360126869b5982b2bffa389cefa30c07","src/well_known_types/duration.rs":"f7f1f07408457647e8ad070fa9acae6c4ea8efa2681541d6e9a436a785add7b1","src/well_known_types/empty.rs":"aa772e9729f81e64c73f1c9481c757bd953d5068e030723b9cf494b227c8d24b","src/well_known_types/field_mask.rs":"e2ea9cb068a2a914d198b86e8511d011aa699d34dfe5f9c0a58f3fec202c5c7c","src/well_known_types/mod.rs":"b141483834c860b221d0946a584389ebcefc2c5f7692ce1f95869c9f83ff2c16","src/well_known_types/source_context.rs":"3429dd5468d0c1587c7b78369c722b8fe12dee7e2c1691bff94ab57a82ba13c2","src/well_known_types/struct_.rs":"56090799d326296b89bee1476550d480b264123997d3cb0c8d518a688818feb9","src/well_known_types/timestamp.rs":"446345055a17e34797b06ddc0830ba61ff62f750004bed2a4aae1ec8bea5f71e","src/well_known_types/type_.rs":"07418c82a4ae2683aa0c1f7abc3ac57a9523b0c62506bc075b9213f3c5c98397","src/well_known_types/wrappers.rs":"ac4dda7cde8b14a19d1fd4a22a857894f14f771a6c2383d50295f2e9a9d2c3fb","src/well_known_types_util/any.rs":"2b2e5cdf1d413bc13485bfc78c84d8403168d6b1a6dbc10d585bf10326120c81","src/well_known_types_util/duration.rs":"e0d9de89f8c7c4b2075f23c2a4451dfec4ae1f28c9784ea39a626a8c3aa9e005","src/well_known_types_util/mod.rs":"81fb1c0721602ffe91c4587f727457b59c8697863e3f853cd9569db
5cee973e9","src/well_known_types_util/timestamp.rs":"f55906fef3190fa1786ed736ded16f3ac6de2095cb974af5a476c2a2f91260b3","src/wire_format.rs":"649bd310711e9464d8827eb16754ba8921dd6ebc209f78033fdee11dded8b689","src/zigzag.rs":"0dcbdf54d4bc8141fdc64d074e6f6f7633bbb66cc782cd4bd6d343ce0569c3de"},"package":"4ee4a7d8b91800c8f167a6268d1a1026607368e1adc84e98fe044aeb905302f7"} +\ No newline at end of file ++{"files":{"Cargo.toml":"6f1e9e9629c49f82691a02216d23fc558b25a13587af27c56758ed28ff4ae55e","LICENSE.txt":"97647e63047ef75a82ee2928b335df94f45c87e08777dc033393c73294f3a57a","README.md":"a192b942572b5f097e320bf320498b1447fb2f66e7b31ce1ada9d09840255195","benches/coded_input_stream.rs":"4a97758265ebffd6158a84f33f6d3fa7f1449fc4c38094735fac92b2121407a8","benches/coded_output_stream.rs":"43f5ae7444f4f2585aba5b3fd70ff240ed46c72d17d31a4cdbb73013d3c21592","benches/write.rs":"1c8f95a110b465b3f24004bfd7231dd7cf37c2c2ea1ced21919b3c8d80d6b325","build.rs":"d469e5252740987d089efca1875aa554fc6501b152019ac4203d3b5439272441","regenerate.sh":"1fbc73e6a89504821b0b1fefcd621ba022b3c3c33a7aa7aa77bc4ce32cba46ef","src/byteorder.rs":"9e6b481be82182ac99ff9704468b4d64656fb922f90c54ca83a8d7ca1dfd2e3a","src/cached_size.rs":"895788d7356a1fcd0f2d7446996066f8c53a0f36032174a97273997e65440fa0","src/chars.rs":"816a0af0b830ecd43028e40295fe0bf9eb79263f00fee01678c75d4ac5b7e908","src/coded_input_stream/buf_read_iter.rs":"da0b7601f3a05090462350086398a135be8977e0f5889c5315ef0525058d73b8","src/coded_input_stream/buf_read_or_reader.rs":"2bf3befcfce8c97faae7563084a7d93931afc5b886419e491111c15b4139058e","src/coded_input_stream/input_buf.rs":"cf71e63d3aef90188c55b6d42aa7cad47bcba16b27e687e44a15bd45e65b8737","src/coded_input_stream/input_source.rs":"b620f2f95784f390574eb469b79d2f63f86c5453470bef6121201f2a5db125be","src/coded_input_stream/mod.rs":"9c9eef558aec08a5071303896703aae82a1fa1358d50784e836319e9dcdd2789","src/coded_output_stream/buffer.rs":"cafbbb3f02df26c98a4e5556e99a5a2ce811ffea4c49ba982532a6d9a53ec7d8","src/coded
_output_stream/mod.rs":"da38c42311823235ce1ecc0efed83ca5f4c02d1460dfae39efaf0a39cdaa14d9","src/coded_output_stream/output_target.rs":"ab28889b824b91688cb5c17cf79bdbec96aeeea59f22946b9f359b957cc40580","src/coded_output_stream/with.rs":"47541db9f4f51cacd406571f02d6abe8f4837413c7cecbe511fc0c24ef2384f2","src/descriptor.rs":"bbae5b8e7e47e4938c18f832cfce4d26b16fb76f6e6db8d6bfcff66b16bac76e","src/doctest_pb.rs":"6c529d6606e3e21e68d4f746a90b31b1207db8bbc107486e390154490a232849","src/enum_full.rs":"ca658951c42ef539ce6221d8f1b1e5005a1a14393460078c40611bb7091629d0","src/enum_or_unknown.rs":"3088b9d139f296284a44d4f9da9c75476dfa00168358328f46b1c52c73572521","src/enums.rs":"b055cb673aba97c446d9d7c58dfeca977d6c6cc50d819c8cef128da0ef7e62f3","src/error.rs":"1839b319f456b56e2bb3c59f119f4c0bec53a02d52c92619b887bfdb1656183b","src/ext.rs":"b5c43e19ca56612e81560e520831da1746520be7944e506e44e07356b1415bbf","src/fixed.rs":"40b32b11dd53f0dc3de2c73f9003c6c0f762cf802e30e16beb5a22a18f8f2f50","src/lazy.rs":"b202a8cd252b11b013983f27c1ed5eac046674ed156a4e5e63357e15ead746df","src/lib.rs":"8b52bf3f782797fa81b522902851150f0e84ab1245bc39347b0014cef9e57b7e","src/message.rs":"a112b1d5c769d866a586a4c9af9245fa8029991563d2ff33c47e9d4c2b32fef7","src/message_dyn.rs":"c2d06029139a1ef09409227c0c501dd361b485ff1e4fcbf1d2b0cb579cd80fba","src/message_field.rs":"a4f35ebaef7912196e35d585832ccb318f23a0c0aa646de88de6d62079a3063f","src/message_full.rs":"4bbbb917a86aa3b14f63e93db41522c78223036b6e7d219769927059ff70205e","src/misc.rs":"1679b6f8b5c2b4375e71835fb7ca83a4de6db498f092abf5ab3a9f5eaccf0d5a","src/oneof.rs":"de5a694a56931308fc1a790678aaaf8b67d7c6b56c9f7b2fde36a14312863e05","src/oneof_full.rs":"b9d5d95db115b1ebf6e7c222373008d4f9f86e21347ddf50ef23f8cd11b8f777","src/owning_ref.rs":"1face1307d85ef98f5b9752eb45de47884c3ce68d31cec315ebfac6559ab501f","src/plugin.rs":"cfc80fa6541885906b8f21f6a7d2c7d0e83b3f1121093a24e2e55d59f6e1ec02","src/reflect/acc/mod.rs":"23500dd605f11f8def7d0f858a00cf1c85a7b95c293bc125ba0804a949b3516
2","src/reflect/acc/v2/map.rs":"070d17351d175227cc6b4bd580e1a0e12ea60b483bc67e666ac55526c81a56c2","src/reflect/acc/v2/mod.rs":"86639cfa45e3b2d08020c289001d87910fa972e9fb6a28a38880ccee51002a0c","src/reflect/acc/v2/repeated.rs":"dee457a69c0aae5a6c1cdc1a71300e586dbf7cb845eab5d6c4b64563513bb012","src/reflect/acc/v2/singular/mod.rs":"85bace3cf99fe0b05dce61bf19433077cf29506c6641b001935064fd37ab658f","src/reflect/acc/v2/singular/oneof.rs":"f70db73a0316185b8ae43b82cd29665d1140d920e7d28bb789a438eb06f9c62a","src/reflect/dynamic/map.rs":"da992d492e21e5824e3f96b366dc78b3f546b9de8f66f799f9af32ce74cc5f3f","src/reflect/dynamic/mod.rs":"3ee7a82dbd5410d10eee44fdf3ae8b5f198185d7ff4a608f10a668eba6af3a73","src/reflect/dynamic/optional.rs":"db923e3d343f869c2bf4f157559686251ff9744dfd0560ba1d1b1b46ae1b81fd","src/reflect/dynamic/repeated.rs":"61a7c698b59280564a1deb7200884875a8844120058c3d69ea4d6aa5f6c4266e","src/reflect/enums/generated.rs":"44e5dbe08a1a15067744580c87c6d09f66dc364f2791fc1ecab919e1dacdec09","src/reflect/enums/mod.rs":"aed1b29e4e42f34b26476a6013e64b7ec8876cfa53633583a751c344fd3ab34c","src/reflect/error.rs":"532a9c117606e8597a40d60b3efebc9371c4f746919cc611aaaddf105cbb3608","src/reflect/field/dynamic.rs":"8e81f7b6f684ed58287eb2de20f3abb8dabb062601715421d3d1e4c041101602","src/reflect/field/index.rs":"4aeef75560e52bf865718f9323fc5b2b2318a6e4bb66fadc57f4875999cf15b3","src/reflect/field/mod.rs":"067a91d59a464042c1c9d266382696b4aaf3960e898e4e2378ff065ce3f23de2","src/reflect/field/protobuf_field_type.rs":"6ec9ca95c25a9c9fe70fad51b1221676e9d3d5a6daac37d5633379471d8c4257","src/reflect/field/runtime_field_type.rs":"26166bb9d48caa0287dfe6235937e5bd647692ca75e8ee4855d0e198f9a79d73","src/reflect/file/building.rs":"53806efda5872c32f63f55582b767be8becff1d7bfb4ed0c11947c912ad55a75","src/reflect/file/dynamic.rs":"3e26271c31816dae043eb70c9990a6fc621c9b5241a555d968f731dfd4762489","src/reflect/file/fds.rs":"9a369eaea05a000710bf977cce28d3fad1463f8ffa42df35e4f5ac5de306f9e6","src/reflect/file/genera
ted.rs":"88f3d88ddbcfa01812398ddc5c350c54cc42b15d99223a642574f55d4d6cdf69","src/reflect/file/index.rs":"3d53af11b39b164b488e3850c3a5be5ae4628c172b4475e4ae5b993225bdeae9","src/reflect/file/mod.rs":"b7aa1c4154677630b843c81d35c60f1374d00d44d3477e6e899e18cb7ae97db1","src/reflect/file/syntax.rs":"8d6d6c3a7bbf9217df3550410a9ba1eb9c08295aa410cc5d2e65efe1eec3ca3a","src/reflect/find_message_or_enum.rs":"e8b10159819cce4414da7681cb3ce0b4e62a45adf4e3e7933a3c1b4f8e97cfb8","src/reflect/map/empty.rs":"e8429213086d1f417e8e9785d6353cb6e751e7d76dcce1fcb32c302a7ee0d156","src/reflect/map/generated.rs":"0dd72936b32428cedb4f26250ba6d1c1814a1bb40fd6de423d997e50eb04e914","src/reflect/map/mod.rs":"fc444fd4924423c94dbb983d82baf7d9464d8f90cc51449ce104ed728e32dfd7","src/reflect/message/generated.rs":"c76f5e887534bc9648dd105718f79bb93465549d57b25c4a00957e603749721c","src/reflect/message/is_initialized_is_always_true.rs":"af716e9d0ce233fda9c7dee13814c24c188ea195cf907d81f74fb198ef2760ae","src/reflect/message/message_ref.rs":"80472f804a4dd3b91f6fec4451639ca356f2b33c502775e0fd6b2c3bfbe1be0a","src/reflect/message/mod.rs":"5ef7f5ecdc2de7c0789b8558711a976e2376fcaae67975a10d9f1bd4179703e5","src/reflect/mod.rs":"620cab65b696a13144ed54d589ca8c4176ecb8127b2ba2a294806f649c0fbd9f","src/reflect/name.rs":"0377dcf871ca5add5e168a3bff04d9f01fe5970db4dfb66272def6484dc7d54b","src/reflect/oneof/generated.rs":"c02b7cd7415f52366f6092559643869812db842bd1c383ce7d8759e519ab453a","src/reflect/oneof/mod.rs":"ce662622c10557f4f9bf9ddb04943136f8c74d16009d97496965262dbdf5e2ac","src/reflect/optional/mod.rs":"5dada97750209aeddf1506eea0a59d709aeb3e44bae5443214e0c2950c870952","src/reflect/protobuf_type_box.rs":"5ed50bdefa5eebe8bf0547cb37def38d814653ac7a0d401eb4f05b8a72ebf509","src/reflect/reflect_eq.rs":"1352d0be16ff7dc2089d499b3fbcf40d501406e8648649092aa2cb21f207aac0","src/reflect/repeated/drain_iter.rs":"0f065e5ef884ee90189594b8a92d814c40a4b3ff80ed659f2f8a0ac56795011d","src/reflect/repeated/iter.rs":"f7f7bf56347850f567612feab95
42c4658f251ce74b7b8fb7ed6612cb85584f0","src/reflect/repeated/mod.rs":"6084482af4936340e1bfd43ff8d06351c3d0316f26cb9f8b73bd8c16f3e9df98","src/reflect/repeated/transmute.rs":"ecd5b5b2772670b030a6d96b47b54bf8500ec0996920ef0db7d5f4b6f338c493","src/reflect/repeated/vec_downcast.rs":"7f4c2997d313f45bc46a097fad7c579d663c642cba425a7851f590282d58309d","src/reflect/rt/mod.rs":"4f0266be9bd092a6ee49a1f3453ff08eabfcebb65473b6c8552a260ac7a4817b","src/reflect/rt/v2.rs":"d1d7419f5d9d7a80748ded5f67488a7855491416a8cba024ab66a48be0d4ea4c","src/reflect/runtime_type_box.rs":"6d8988ed25218f13da61db5dbbefa621df3fd7f1141669854c6ec9571b3eee6c","src/reflect/runtime_types.rs":"3ae8764ba089ad59a951b1bc14d85c0d37ef61a85572a478d9c1bc4464798fb1","src/reflect/service/index.rs":"4a41f90b6c8b3f5c8349075aec84fcbb90ab3028451d2ba40cb83257ff4d90c7","src/reflect/service/mod.rs":"1d0b5b3d9cd1968731971137ca320a91591ee9ca45828d3e4284da87397044f6","src/reflect/type_dynamic.rs":"37d8443a95616acd5f499bc473d74d5831a1e60cb349b8baf35860352b16f2c3","src/reflect/types.rs":"bdaf23d44bd2e214e3c85543febe16aef5da45d2608fef1dfa4ea6252cf62cb0","src/reflect/value/mod.rs":"56f7ff8c4541108fff20f83f7f12ef173ce398e642b482dc3a4cf92c9e1cea17","src/reflect/value/value_box.rs":"1037d01c52a4f0432e42a2c023f5c68ed458ed60b196597ca78f81b6207ecb83","src/reflect/value/value_ref.rs":"7a3490eb4918ee725ad59219b0fc5810b231eaf2ddf798ab75085b4acc145b2e","src/rt/map.rs":"c4bd4246181a43dc9cf1735ec5882955af595fba8ef839a06e0e1df399848520","src/rt/message.rs":"c9b9b3b8f25b6813b8ca2411f015ae80b2abba377d44f9f9b9c05cb45366229a","src/rt/mod.rs":"db610d871d8fb022ba4634199896534ecb3d6ad22c7e2cabbf4d7ad79e1c8c66","src/rt/packed.rs":"be2fae85812c39d815bcb0463e3ea67774770c25014b764b8712dd2b90d360c6","src/rt/repeated.rs":"213d08349efb21bc02fb5abd1d1c3f039ae1d4368f53f548cdf1999897c60f1c","src/rt/singular.rs":"2c982de7a686a8d0c430ce690297a524e892a70bca33d288c6e9b912d19e994c","src/rt/unknown_or_group.rs":"a0bf9af0bdb6ee4261bdc9d5136288e3d17f7de611b7f61943caf6d
8eb38367d","src/rustproto.rs":"ea9f86c6d0356c75db76d50da06c29647c8d2895bb6dcf7e91eccc6535f6c770","src/special.rs":"25e6afb4edfbcfd103a287dcdd1233ccb08ee91efce9471e3d5d370f040973c2","src/text_format/mod.rs":"da0aeb839963afcba1923b68a06264185a927cef3f3075ca958c11fa1e780535","src/text_format/parse.rs":"c7be3464fa8f6624ed2001b450e999f93bea5f6118132b7f372110c7af5e5e71","src/text_format/print.rs":"55edf1f69cc0a66c538949d399e1ae015b8cf46c911863bd4d5b5dc520b56f91","src/timestamp.rs":"f0590e19fd7740bdc65a0dc6f9d73bf55559638515ca7849481022288a9bee43","src/unknown.rs":"fd6091ad04dadbde5793ea42af50fa51cf2e7737696029a9e0d1f001f0c1423d","src/varint/decode.rs":"5e9fdf9fb5fe82ddc223feaf5867c0a081bd67731635f88cb9a5b1faeeb79f82","src/varint/encode.rs":"43c1d67932aca6ea61a368f34233fff88d5d6253f5ebad842cbf69f26245e16d","src/varint/generic.rs":"98e31da80c278cff672ddc8231241cc789ad6de138fa6ca6c0483ff1783f4957","src/varint/mod.rs":"643b5b2443b4e103fc4eeac7844dcda4b9c6b2bab3cfe9fba00145ccea9a4505","src/well_known_types/any.rs":"296ea00846a7e6cce30d02cc2159ec8a147a85c80a73f10b0deada956b2d94e2","src/well_known_types/api.rs":"d67b5e61949514c1350e9041ea612e32360126869b5982b2bffa389cefa30c07","src/well_known_types/duration.rs":"f7f1f07408457647e8ad070fa9acae6c4ea8efa2681541d6e9a436a785add7b1","src/well_known_types/empty.rs":"aa772e9729f81e64c73f1c9481c757bd953d5068e030723b9cf494b227c8d24b","src/well_known_types/field_mask.rs":"e2ea9cb068a2a914d198b86e8511d011aa699d34dfe5f9c0a58f3fec202c5c7c","src/well_known_types/mod.rs":"b141483834c860b221d0946a584389ebcefc2c5f7692ce1f95869c9f83ff2c16","src/well_known_types/source_context.rs":"3429dd5468d0c1587c7b78369c722b8fe12dee7e2c1691bff94ab57a82ba13c2","src/well_known_types/struct_.rs":"56090799d326296b89bee1476550d480b264123997d3cb0c8d518a688818feb9","src/well_known_types/timestamp.rs":"446345055a17e34797b06ddc0830ba61ff62f750004bed2a4aae1ec8bea5f71e","src/well_known_types/type_.rs":"07418c82a4ae2683aa0c1f7abc3ac57a9523b0c62506bc075b9213f3c5c98397","src
/well_known_types/wrappers.rs":"ac4dda7cde8b14a19d1fd4a22a857894f14f771a6c2383d50295f2e9a9d2c3fb","src/well_known_types_util/any.rs":"2b2e5cdf1d413bc13485bfc78c84d8403168d6b1a6dbc10d585bf10326120c81","src/well_known_types_util/duration.rs":"e0d9de89f8c7c4b2075f23c2a4451dfec4ae1f28c9784ea39a626a8c3aa9e005","src/well_known_types_util/mod.rs":"81fb1c0721602ffe91c4587f727457b59c8697863e3f853cd9569db5cee973e9","src/well_known_types_util/timestamp.rs":"f55906fef3190fa1786ed736ded16f3ac6de2095cb974af5a476c2a2f91260b3","src/wire_format.rs":"649bd310711e9464d8827eb16754ba8921dd6ebc209f78033fdee11dded8b689","src/zigzag.rs":"0dcbdf54d4bc8141fdc64d074e6f6f7633bbb66cc782cd4bd6d343ce0569c3de"},"package":"4ee4a7d8b91800c8f167a6268d1a1026607368e1adc84e98fe044aeb905302f7"} +diff --git a/vendor/protobuf/src/coded_input_stream/mod.rs b/vendor/protobuf/src/coded_input_stream/mod.rs +index a979df19c..dc8029c51 100644 +--- a/vendor/protobuf/src/coded_input_stream/mod.rs ++++ b/vendor/protobuf/src/coded_input_stream/mod.rs +@@ -511,6 +511,13 @@ impl<'a> CodedInputStream<'a> { + } + + fn skip_group(&mut self) -> crate::Result<()> { ++ self.incr_recursion()?; ++ let ret = self.skip_group_no_depth_check(); ++ self.decr_recursion(); ++ ret ++ } ++ ++ fn skip_group_no_depth_check(&mut self) -> crate::Result<()> { + while !self.eof()? 
{ + let wire_type = self.read_tag_unpack()?.1; + if wire_type == WireType::EndGroup { +@@ -631,19 +638,16 @@ impl<'a> CodedInputStream<'a> { + /// Read message, do not check if message is initialized + pub fn merge_message(&mut self, message: &mut M) -> crate::Result<()> { + self.incr_recursion()?; +- struct DecrRecursion<'a, 'b>(&'a mut CodedInputStream<'b>); +- impl<'a, 'b> Drop for DecrRecursion<'a, 'b> { +- fn drop(&mut self) { +- self.0.decr_recursion(); +- } +- } +- +- let mut decr = DecrRecursion(self); ++ let ret = self.merge_message_no_depth_check(message); ++ self.decr_recursion(); ++ ret ++ } + +- let len = decr.0.read_raw_varint64()?; +- let old_limit = decr.0.push_limit(len)?; +- message.merge_from(&mut decr.0)?; +- decr.0.pop_limit(old_limit); ++ fn merge_message_no_depth_check(&mut self, message: &mut M) -> crate::Result<()> { ++ let len = self.read_raw_varint64()?; ++ let old_limit = self.push_limit(len)?; ++ message.merge_from(self)?; ++ self.pop_limit(old_limit); + Ok(()) + } + +@@ -982,4 +986,47 @@ mod test { + ); + assert_eq!("field 3", input.read_string().unwrap()); + } ++ ++ #[test] ++ fn test_shallow_nested_unknown_groups() { ++ // Test skip_group() succeeds on a start group tag 50 times ++ // followed by end group tag 50 times. We should be able to ++ // successfully skip the outermost group. ++ let mut vec = Vec::new(); ++ let mut os = CodedOutputStream::new(&mut vec); ++ for _ in 0..50 { ++ os.write_tag(1, WireType::StartGroup).unwrap(); ++ } ++ for _ in 0..50 { ++ os.write_tag(1, WireType::EndGroup).unwrap(); ++ } ++ drop(os); ++ ++ let mut input = CodedInputStream::from_bytes(&vec); ++ assert!(input.skip_group().is_ok()); ++ } ++ ++ #[test] ++ fn test_deeply_nested_unknown_groups() { ++ // Create an output stream that has groups nested recursively 1000 ++ // deep, and try to skip the group. ++ // This should fail the default depth limit of 100 which ensures we ++ // don't blow the stack on adversial input. 
++ let mut vec = Vec::new(); ++ let mut os = CodedOutputStream::new(&mut vec); ++ for _ in 0..1000 { ++ os.write_tag(1, WireType::StartGroup).unwrap(); ++ } ++ for _ in 0..1000 { ++ os.write_tag(1, WireType::EndGroup).unwrap(); ++ } ++ drop(os); ++ ++ let mut input = CodedInputStream::from_bytes(&vec); ++ assert!(input ++ .skip_group() ++ .unwrap_err() ++ .to_string() ++ .contains("Over recursion limit")); ++ } + } +-- +2.45.2 + diff --git a/SPECS/rust/rust-1.75.spec b/SPECS/rust/rust-1.75.spec index 4210c1db52..b3b7a57b79 100644 --- a/SPECS/rust/rust-1.75.spec +++ b/SPECS/rust/rust-1.75.spec @@ -9,7 +9,7 @@ Summary: Rust Programming Language Name: rust Version: 1.75.0 -Release: 14%{?dist} +Release: 17%{?dist} License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -44,6 +44,8 @@ Source7: https://static.rust-lang.org/dist/%{release_date}/rust-std-%{sta Patch0: CVE-2023-45853.patch Patch1: CVE-2024-32884.patch Patch2: CVE-2024-31852.patch +Patch3: CVE-2025-4574_1.75.patch +Patch4: CVE-2025-53605_1.75.patch BuildRequires: binutils BuildRequires: cmake @@ -62,7 +64,8 @@ BuildRequires: python3 # make sure rust depends on system zlib BuildRequires: zlib-devel %if 0%{?with_check} -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} +BuildRequires: sudo %endif # rustc uses a C compiler to invoke the linker, and links to glibc in most cases Requires: binutils @@ -133,7 +136,10 @@ ln -s %{_topdir}/BUILD/rustc-%{version}-src/build/x86_64-unknown-linux-gnu/stage ln -s %{_topdir}/BUILD/rustc-%{version}-src/vendor/ /root/vendor # remove rustdoc ui flaky test issue-98690.rs (which is tagged with 'unstable-options') rm -v ./tests/rustdoc-ui/issue-98690.* -%make_build check +useradd -m -d /home/test test +chown -R test:test . +sudo -u test %make_build check +userdel -r test %install USER=root SUDO_USER=root %make_install 
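Review bot: The `%check` block in the `@@ -133,7 +136,10 @@` hunk of rust-1.75.spec creates and removes a fixed account named `test` with no guard, so `useradd` fails if that name already exists in the build root, and `userdel -r test` is skipped whenever `make check` fails. `chown -R test:test .` also hands the whole source tree to that account and never restores it, so once the user is deleted the tree is owned by a UID that no longer exists. If the build root can be reused (not visible from this hunk), consider `id test >/dev/null 2>&1 || useradd -m -d /home/test test` and a `chown -R root:root .` after the run. A one-line comment above the block, for example `# run the test suite as an unprivileged user (fixes ptests, see changelog)`, would record why the switch is needed.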
@@ -174,6 +180,17 @@ rm %{buildroot}%{_bindir}/*.old %{_mandir}/man1/* %changelog +* Mon Jul 21 2025 Jyoti Kanase - 1.75.0-17 +- Add patch for CVE-2025-53605 + +* Tue Jun 10 2025 Kavya Sree Kaitepalli kkaitepalli@microsoft.com - 1.75.0-16 +- Run %check as non root user to fix ptests +- Patch CVE-2025-4574 + +* Thu May 22 2025 Kanishk Bansal - 1.75.0-15 +- Bump to rebuild with updated glibc + + * Mon May 12 2025 Andrew Phelps anphel@microsoft.com - 1.75.0-14 - Bump to rebuild with updated glibc diff --git a/SPECS/rust/rust.signatures.json b/SPECS/rust/rust.signatures.json index 6f1467ab9c..d88781170a 100644 --- a/SPECS/rust/rust.signatures.json +++ b/SPECS/rust/rust.signatures.json 
@@ -1,12 +1,12 @@ { "Signatures": { - "cargo-1.84.0-aarch64-unknown-linux-gnu.tar.xz": "68d4ad239b6d1e810e7b8591636dc408cb2c1e89661329fed906febf9c0a9d98", - "cargo-1.84.0-x86_64-unknown-linux-gnu.tar.xz": "6c2371488db92a09cd50a1b4045c022f3cf2c643285b3b21105ab5f9b64fd6b6", - "rust-std-1.84.0-aarch64-unknown-linux-gnu.tar.xz": "023f0b6153b23ac0e9686c2ab95bc393ee3e295b166bb36de3b4dfb53e3913e0", - "rust-std-1.84.0-x86_64-unknown-linux-gnu.tar.xz": "770237080b9310d126350c3bd70820bd91064c2e96c29ab5f2e002b31b5bd067", - "rustc-1.84.0-aarch64-unknown-linux-gnu.tar.xz": "9f5650aece53e083b933a57e5a8e0e2db4479f52ec897d5b6d0f77be6cd50498", - "rustc-1.84.0-x86_64-unknown-linux-gnu.tar.xz": "a1737d86f80b31a6d48a6726726275dc068ecb930c9635b13aa59999486de837", - "rustc-1.85.0-src-cargo.tar.gz": "aebfabef6090c81fff583d6172fbb4cf1d42d203df7ce6a9bba349abc3fc086c", - "rustc-1.85.0-src.tar.xz": "d542c397217b5ba5bac7eb274f5ca62d031f61842c3ba4cc5328c709c38ea1e7" + "cargo-1.85.0-aarch64-unknown-linux-gnu.tar.xz": "cdebe48b066d512d664c13441e8fae2d0f67106c2080aa44289d98b24192b8bc", + "cargo-1.85.0-x86_64-unknown-linux-gnu.tar.xz": "0aff33b57b0e0b102d762a2b53042846c1ca346cff4b7bd96b5c03c9e8e51d81", + "rust-std-1.85.0-aarch64-unknown-linux-gnu.tar.xz": "8af1d793f7820e9ad0ee23247a9123542c3ea23f8857a018651c7788af9bc5b7", + "rust-std-1.85.0-x86_64-unknown-linux-gnu.tar.xz": "285e105d25ebdf501341238d4c0594ecdda50ec9078f45095f793a736b1f1ac2", + "rustc-1.85.0-aarch64-unknown-linux-gnu.tar.xz": "e742b768f67303010b002b515f6613c639e69ffcc78cd0857d6fe7989e9880f6", + "rustc-1.85.0-x86_64-unknown-linux-gnu.tar.xz": "7436f13797475082cd87aa65547449e01659d6a810b4cd5f8aedc48bb9f89dfb", + "rustc-1.86.0-src-cargo.tar.gz": "65af8d68e71d9ee7849d680434bffc527125442da38bba9a14bb3c12abef0595", + "rustc-1.86.0-src.tar.xz": "d939eada065dc827a9d4dbb55bd48533ad14c16e7f0a42e70147029c82a7707b" } } \ No newline at end of file diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index 6582db0ef0..32fb8472b5 100644 
--- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -3,13 +3,13 @@ # Release date and version of stage 0 compiler can be found in "src/stage0" inside the extracted "Source0". # Look for "date:" and "rustc:". -%define release_date 2025-01-09 -%define stage0_version 1.84.0 +%define release_date 2025-02-20 +%define stage0_version 1.85.0 Summary: Rust Programming Language Name: rust -Version: 1.85.0 -Release: 2%{?dist} +Version: 1.86.0 +Release: 4%{?dist} License: (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -41,9 +41,8 @@ Source4: https://static.rust-lang.org/dist/%{release_date}/rust-std-%{sta Source5: https://static.rust-lang.org/dist/%{release_date}/cargo-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz Source6: https://static.rust-lang.org/dist/%{release_date}/rustc-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz Source7: https://static.rust-lang.org/dist/%{release_date}/rust-std-%{stage0_version}-aarch64-unknown-linux-gnu.tar.xz -# These ci tests are expecting rust source to be git repository, since we are using a tarball -# we are missing git metadata so these tests are failing, hence ignoring these tests -Patch0: Ignore_failing_ci_tests.patch +Patch0: CVE-2025-4574.patch +Patch1: CVE-2025-53605.patch BuildRequires: binutils BuildRequires: cmake # make sure rust relies on curl from CBL-Mariner (instead of using its vendored flavor) @@ -61,7 +60,7 @@ BuildRequires: python3 # make sure rust depends on system zlib BuildRequires: zlib-devel %if 0%{?with_check} -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: sudo %endif # rustc uses a C compiler to invoke the linker, and links to glibc in most cases 
@@ -141,7 +140,7 @@ userdel -r test %install USER=root SUDO_USER=root %make_install mv %{buildroot}%{_docdir}/cargo/LICENSE-THIRD-PARTY . -rm %{buildroot}%{_docdir}/rustc/{COPYRIGHT,LICENSE-APACHE,LICENSE-MIT} +rm %{buildroot}%{_docdir}/rustc/{COPYRIGHT-library.html,COPYRIGHT.html} rm %{buildroot}%{_docdir}/cargo/{LICENSE-APACHE,LICENSE-MIT} rm %{buildroot}%{_docdir}/clippy/{LICENSE-APACHE,LICENSE-MIT} rm %{buildroot}%{_docdir}/rustfmt/{LICENSE-APACHE,LICENSE-MIT} @@ -169,6 +168,7 @@ rm %{buildroot}%{_docdir}/docs/html/.lock %files doc %license LICENSE-APACHE LICENSE-MIT LICENSE-THIRD-PARTY COPYRIGHT +%license %{_docdir}/rustc/licenses/* %doc %{_docdir}/rustc/README.md %doc %{_docdir}/cargo/* %doc %{_docdir}/rustfmt/* @@ -180,6 +180,19 @@ rm %{buildroot}%{_docdir}/docs/html/.lock %{_mandir}/man1/* %changelog +* Mon Jul 21 2025 Jyoti Kanase - 1.86.0-4 +- patch for CVE-2025-53605 + +* Fri Jun 13 2025 Kavya Sree Kaitepalli - 1.86.0-3 +- Patch CVE-2025-4574 + +* Thu May 22 2025 Kanishk Bansal - 1.86.0-2 +- Bump to rebuild with updated glibc + + +* Tue May 13 2025 Kavya Sree Kaitepalli - 1.86.0-1 +- Upgrade to 1.86.0 + * Mon May 12 2025 Andrew Phelps - 1.85.0-2 - Bump to rebuild with updated glibc diff --git a/SPECS/sdbus-cpp/sdbus-cpp.spec b/SPECS/sdbus-cpp/sdbus-cpp.spec index 10a24f514a..62616a439e 100644 --- a/SPECS/sdbus-cpp/sdbus-cpp.spec +++ b/SPECS/sdbus-cpp/sdbus-cpp.spec @@ -1,7 +1,7 @@ Summary: sdbus-cpp Name: sdbus-cpp Version: 1.3.0 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -47,11 +47,9 @@ cd build cmake --build . --target install rm -rf %{buildroot}%{_docdir} -%post --p /sbin/ldconfig +%post -p /sbin/ldconfig -%postun --p /sbin/ldconfig +%postun -p /sbin/ldconfig %files %defattr(-,root,root) 
@@ -66,6 +64,9 @@ rm -rf %{buildroot}%{_docdir} %{_libdir}/pkgconfig/*.pc %changelog +* Wed Apr 23 2025 Sam Meluch - 1.3.0-2 +- Fix -p for ldconfig in post and postun scripts. + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.3.0-1 - Auto-upgrade to 1.3.0 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/sqlite/CVE-2022-46908.patch b/SPECS/sqlite/CVE-2022-46908.patch deleted file mode 100644 index 9d4511c19b..0000000000 --- a/SPECS/sqlite/CVE-2022-46908.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7052d3ee4076f7f69902d32d4947765e41e6e0eb Mon Sep 17 00:00:00 2001 -From: Daniel McIlvaney -Date: Tue, 13 Dec 2022 20:00:29 -0800 -Subject: [PATCH] Rework patch cefc032473ac5ad2 to apply to released sources. - -Signed-off-by: Daniel McIlvaney ---- - shell.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shell.c b/shell.c -index e66ae08..d423278 100644 ---- a/shell.c -+++ b/shell.c -@@ -12921,7 +12921,7 @@ static int safeModeAuth( - "zipfile", - "zipfile_cds", - }; -- UNUSED_PARAMETER(zA2); -+ UNUSED_PARAMETER(zA1); - UNUSED_PARAMETER(zA3); - UNUSED_PARAMETER(zA4); - switch( op ){ -@@ -12936,7 +12936,7 @@ static int safeModeAuth( - case SQLITE_FUNCTION: { - int i; - for(i=0; i +Date: Thu, 24 Jul 2025 10:43:07 +0000 +Subject: [PATCH] Patch CVE-2025-6965 + +Upstream Patch Reference: https://www.sqlite.org/src/vpatch?from=c9ddd15b0197e6e5&to=5508b56fd24016c1 +--- + sqlite3.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 8f9309a..dd0c5f4 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -14867,6 +14867,9 @@ typedef INT16_TYPE LogEst; + #define LARGEST_INT64 (0xffffffff|(((i64)0x7fffffff)<<32)) + #define LARGEST_UINT64 (0xffffffff|(((u64)0xffffffff)<<32)) + #define SMALLEST_INT64 (((i64)-1) - LARGEST_INT64) ++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1) ++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1) ++ + + /* + ** Round up a number to the next larger multiple of 8. 
This is used +@@ -18637,7 +18640,7 @@ struct AggInfo { + ** from source tables rather than from accumulators */ + u8 useSortingIdx; /* In direct mode, reference the sorting index rather + ** than the source table */ +- u16 nSortingColumn; /* Number of columns in the sorting index */ ++ u32 nSortingColumn; /* Number of columns in the sorting index */ + int sortingIdx; /* Cursor number of the sorting index */ + int sortingIdxPTab; /* Cursor number of pseudo-table */ + int iFirstReg; /* First register in range for aCol[] and aFunc[] */ +@@ -18646,8 +18649,8 @@ struct AggInfo { + Table *pTab; /* Source table */ + Expr *pCExpr; /* The original expression */ + int iTable; /* Cursor number of the source table */ +- i16 iColumn; /* Column number within the source table */ +- i16 iSorterColumn; /* Column number in the sorting index */ ++ int iColumn; /* Column number within the source table */ ++ int iSorterColumn; /* Column number in the sorting index */ + } *aCol; + int nColumn; /* Number of used entries in aCol[] */ + int nAccumulator; /* Number of columns that show through to the output. 
+@@ -114514,7 +114517,9 @@ static void findOrCreateAggInfoColumn( + ){ + struct AggInfo_col *pCol; + int k; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; + ++ assert( mxTerm <= SMXV(i16) ); + assert( pAggInfo->iFirstReg==0 ); + pCol = pAggInfo->aCol; + for(k=0; knColumn; k++, pCol++){ +@@ -114532,6 +114537,10 @@ static void findOrCreateAggInfoColumn( + assert( pParse->db->mallocFailed ); + return; + } ++ if( k>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ k = mxTerm; ++ } + pCol = &pAggInfo->aCol[k]; + assert( ExprUseYTab(pExpr) ); + pCol->pTab = pExpr->y.pTab; +@@ -114565,6 +114574,7 @@ fix_up_expr: + if( pExpr->op==TK_COLUMN ){ + pExpr->op = TK_AGG_COLUMN; + } ++ assert( k <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)k; + } + +@@ -114648,13 +114658,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + ** function that is already in the pAggInfo structure + */ + struct AggInfo_func *pItem = pAggInfo->aFunc; ++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN]; ++ assert( mxTerm <= SMXV(i16) ); + for(i=0; inFunc; i++, pItem++){ + if( pItem->pFExpr==pExpr ) break; + if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){ + break; + } + } +- if( i>=pAggInfo->nFunc ){ ++ if( i>mxTerm ){ ++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm); ++ i = mxTerm; ++ assert( inFunc ); ++ }else if( i>=pAggInfo->nFunc ){ + /* pExpr is original. Make a new entry in pAggInfo->aFunc[] + */ + u8 enc = ENC(pParse->db); +@@ -114706,6 +114722,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){ + */ + assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) ); + ExprSetVVAProperty(pExpr, EP_NoReduce); ++ assert( i <= SMXV(pExpr->iAgg) ); + pExpr->iAgg = (i16)i; + pExpr->pAggInfo = pAggInfo; + return WRC_Prune; +-- +2.45.4 + diff --git a/SPECS/sqlite/sqlite.spec b/SPECS/sqlite/sqlite.spec index cb3f85a814..4f5e81d318 100644 --- a/SPECS/sqlite/sqlite.spec +++ b/SPECS/sqlite/sqlite.spec 
@@ -2,7 +2,7 @@ Summary: A portable, high level programming interface to various calling conventions Name: sqlite Version: 3.44.0 -Release: 1%{?dist} +Release: 2%{?dist} License: Public Domain Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,7 +11,7 @@ URL: https://www.sqlite.org Source0: https://www.sqlite.org/2023/%{name}-autoconf-%{sourcever}.tar.gz # CVE-2015-3717 applies to versions shipped in iOS and OS X Patch0: CVE-2015-3717.nopatch -#Patch1: CVE-2022-46908.patch +Patch1: CVE-2025-6965.patch Requires: sqlite-libs = %{version}-%{release} Provides: sqlite3 @@ -82,6 +82,10 @@ make %{?_smp_mflags} check %{_libdir}/libsqlite3.so.0.8.6 %changelog +* Thu Jul 24 2025 Madhur Aggarwal - 3.44.0-2 +- Patch CVE-2025-6965 +- remove unused patch file from SPEC folder. + * Fri Nov 10 2023 Andrew Phelps - 3.44.0-1 - Upgrade to version 3.44.0 diff --git a/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch b/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch index 69049e5b8c..a3396db856 100644 --- a/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch +++ b/SPECS/strongswan/0001-Extending-timeout-for-test-cases-with-multiple-read-.patch @@ -1,6 +1,6 @@ -From 7c38995d360d4abf2d919fd08428f5cb2c1b015e Mon Sep 17 00:00:00 2001 -From: Pawel -Date: Mon, 5 Oct 2020 06:34:43 -0700 +From 115eca353c55587ff6dacdadf22075904adf92d6 Mon Sep 17 00:00:00 2001 +From: Mayank Singh +Date: Thu, 22 May 2025 11:27:30 +0000 Subject: [PATCH] Extending timeout for test cases with multiple read/writes. --- @@ -8,10 +8,10 @@ Subject: [PATCH] Extending timeout for test cases with multiple read/writes. 1 file changed, 1 insertion(+) diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c -index e060960..df3b4ef 100644 +index 8ef026b..a7b2b98 100644 --- a/src/libstrongswan/tests/suites/test_settings.c 
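Review bot: `Patch1: CVE-2025-6965.patch` is declared in the `@@ -11,7 +11,7 @@` hunk of sqlite.spec, but the `%prep` section lies outside the visible hunks, so nothing here shows that the patch is actually applied. The slot it replaces was a commented-out `#Patch1`, and `Patch0` is a `.nopatch` marker, which suggests (unconfirmed) that `%prep` may not have had to apply any patch before. Please confirm `%prep` uses `%autosetup -p1` or an explicit `%patch` line for it. Otherwise the package ships with a bumped release and a changelog entry for the CVE but without the fix.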
+++ b/src/libstrongswan/tests/suites/test_settings.c -@@ -1731,6 +1731,7 @@ Suite *settings_suite_create() +@@ -1743,6 +1743,7 @@ Suite *settings_suite_create() suite_add_tcase(s, tc); tc = tcase_create("valid/invalid data"); @@ -20,5 +20,5 @@ index e060960..df3b4ef 100644 tcase_add_test(tc, test_valid); tcase_add_test(tc, test_invalid); -- -2.17.1 +2.45.3 diff --git a/SPECS/strongswan/strongswan-5.6.0-uintptr_t.patch b/SPECS/strongswan/strongswan-5.6.0-uintptr_t.patch new file mode 100644 index 0000000000..dbf90aac61 --- /dev/null +++ b/SPECS/strongswan/strongswan-5.6.0-uintptr_t.patch @@ -0,0 +1,12 @@ +diff -Naur strongswan-5.6.0-orig/src/libstrongswan/utils/utils/memory.h strongswan-5.6.0/src/libstrongswan/utils/utils/memory.h +--- strongswan-5.6.0-orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 02:48:41.000000000 -0400 ++++ strongswan-5.6.0/src/libstrongswan/utils/utils/memory.h 2017-09-12 01:15:29.690527667 -0400 +@@ -14,6 +14,8 @@ + * for more details. + */ + ++#include /* for uintptr_t */ ++ + /** + * @defgroup memory_i memory + * @{ @ingroup utils_i diff --git a/SPECS/strongswan/strongswan-5.9.7-error-no-format.patch b/SPECS/strongswan/strongswan-5.9.7-error-no-format.patch new file mode 100644 index 0000000000..52a8f60756 --- /dev/null +++ b/SPECS/strongswan/strongswan-5.9.7-error-no-format.patch @@ -0,0 +1,12 @@ +diff --git a/configure.ac b/configure.ac +index f9e6e55c2..247d055d8 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1480,7 +1480,6 @@ else + fi + # disable some warnings, whether explicitly enabled above or by default + # these are not compatible with our custom printf specifiers +-WARN_CFLAGS="$WARN_CFLAGS -Wno-format" + WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security" + # we generally use comments, but GCC doesn't seem to recognize many of them + WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough" 
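Review bot: strongswan-5.9.7-error-no-format.patch is added without any header, so nothing records why `-Wno-format` is dropped from `WARN_CFLAGS` while the context comment still says these warnings are incompatible with strongSwan's custom printf specifiers. The line `WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"` stays, so format-security diagnostics remain switched off as far as this variable is concerned. If the aim is to let the package build under distribution flags that enforce format-security (an inference, as the spec's build flags are not in this hunk), the patch should say so. I would add a short description at the top of the patch file giving the reason and origin of the change, so a later rebase does not silently drop or reverse it.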
diff --git a/SPECS/strongswan/strongswan-6.0.0-gcc15.patch b/SPECS/strongswan/strongswan-6.0.0-gcc15.patch new file mode 100644 index 0000000000..abc7f37413 --- /dev/null +++ b/SPECS/strongswan/strongswan-6.0.0-gcc15.patch 
@@ -0,0 +1,109 @@ +From cf7fb47788dfb83bb5d8bd0bffdb582e381a2f0a Mon Sep 17 00:00:00 2001 +From: Thomas Egerer +Date: Fri, 6 Sep 2024 13:29:40 +0200 +Subject: [PATCH] array: Don't use realloc() with zero size in array_compress() + +The behavior of realloc(3) with zero size was apparently implementation +defined. While glibc documents the behavior as equivalent to free(3), +that might not apply to other C libraries. With C17, this behavior has +been deprecated, and with C23, the behavior is now undefined. It's also +why valgrind warns about this use. + +Hence, when array_compress() would call realloc() with a zero size, we +now call free() explicitly and set the pointer to NULL. + +Signed-off-by: Thomas Egerer +--- + src/libstrongswan/collections/array.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c +index 8acc8051d53..8b6c6d7397e 100644 +--- a/src/libstrongswan/collections/array.c ++++ b/src/libstrongswan/collections/array.c +@@ -197,7 +197,17 @@ void array_compress(array_t *array) + } + if (tail) + { +- array->data = realloc(array->data, get_size(array, array->count)); ++ size_t size = get_size(array, array->count); ++ ++ if (size) ++ { ++ array->data = realloc(array->data, size); ++ } ++ else ++ { ++ free(array->data); ++ array->data = NULL; ++ } + array->tail = 0; + } + } +--- + +From f1f0bd9de60e2697a712e72b7ae9f79763a0901d Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Thu, 9 Jan 2025 16:05:39 +0100 +Subject: [PATCH] ctr: Remove parameter-less constructor prototype + +Useless and causes a compiler warning/error: + + error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype] +--- + src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff 
--git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h +index e9421a1be9f..3814465e48b 100644 +--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h ++++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h +@@ -37,11 +37,6 @@ struct ctr_ipsec_crypter_t { + crypter_t crypter; + }; + +-/** +- * Create a ctr_ipsec_crypter instance. +- */ +-ctr_ipsec_crypter_t *ctr_ipsec_crypter_create(); +- + /** + * Create a ctr_ipsec_crypter instance. + * +--- + +From 227d7ef9a24b8c62d6965c1c1690252bde7c698d Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Fri, 10 Jan 2025 15:43:11 +0100 +Subject: [PATCH] tnc-imv: Add missing argument to IMV recommendations + constructor + +This avoids the following warning/error: + +tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype] + 244 | return tnc_imv_recommendations_create(this->imvs); + | ^ +--- + src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h +index f7178876cfd..60272978ad3 100644 +--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h ++++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h +@@ -27,8 +27,11 @@ + #include + + /** +- * Create an IMV empty recommendations instance ++ * Create an empty IMV recommendations instance ++ * ++ * @param imv_list list of IMVs that could provide recommendations ++ * @return created instance + */ +-recommendations_t *tnc_imv_recommendations_create(); ++recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list); + + #endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/ +--- + 
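Review bot: In the `array_compress()` change carried by strongswan-6.0.0-gcc15.patch, the non-zero branch still assigns the result of `realloc()` straight to `array->data`, so a failed call would leave `data` NULL while `array->count` stays non-zero, and the old buffer would be lost. The zero-size case is now handled explicitly, which is the purpose of the backport; the unchecked return is inherited from the line it replaces. A guarded form such as `void *p = realloc(array->data, size); if (p) { array->data = p; }` keeps the old buffer on failure. Since this file mirrors upstream commits, the change is better proposed upstream than made only in this copy. The body of `array_compress()` starts outside the quoted hunk.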
diff --git a/SPECS/strongswan/strongswan-6.0.1-gcc15.patch b/SPECS/strongswan/strongswan-6.0.1-gcc15.patch new file mode 100644 index 0000000000..1c16168109 --- /dev/null +++ b/SPECS/strongswan/strongswan-6.0.1-gcc15.patch 
@@ -0,0 +1,597 @@
+From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 21 Feb 2025 17:18:35 +0100
+Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
+ command_t
+
+---
+ src/pki/command.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pki/command.c b/src/pki/command.c
+index accec5fe51b..6e6bf041e18 100644
+--- a/src/pki/command.c
++++ b/src/pki/command.c
+@@ -265,7 +265,7 @@ int command_usage(char *error)
+ /**
+ * Show usage information
+ */
+-static int help(int c, char *v[])
++static int help()
+ {
+ return command_usage(NULL);
+ }
+---
+
+From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 21 Feb 2025 16:47:34 +0100
+Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
+ implementation
+
+Casting to this specific function type doesn't work anymore if C23 is
+used as the types mismatch.
+---
+ src/charon-nm/nm/nm_backend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
+index aefd3f95688..8ee1785212e 100644
+--- a/src/charon-nm/nm/nm_backend.c
++++ b/src/charon-nm/nm/nm_backend.c
+@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
+ /**
+ * Cancel the GLib Main Event Loop
+ */
+-static bool cancel(nm_backend_t *this)
++CALLBACK(cancel, bool,
++ nm_backend_t *this)
+ {
+ if (this->loop)
+ {
+@@ -152,7 +153,7 @@ static bool nm_backend_init()
+
+ lib->processor->queue_job(lib->processor,
+ (job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+- NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
++ NULL, cancel, JOB_PRIO_CRITICAL));
+ return TRUE;
+ }
+
+---
+
+From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 21 Feb 2025 16:45:57 +0100
+Subject: [PATCH] callback-job: Replace return_false() in constructors with
+ dedicated function + +Besides being clearer, this fixes issues with GCC 15. The latter uses +C23 by default, which changes the meaning of function declarations +without parameters such as + + bool return false(); + +Instead of "this function takes an unknown number of arguments", this +now equals (void), that is, "this function takes no arguments". So we +run into incompatible pointer type warnings all over when using such +functions. They could be cast to (void*) but this seems the cleaner +solution for this use case. +--- + src/charon-cmd/cmd/cmd_connection.c | 2 +- + .../jni/libandroidbridge/backend/android_dns_proxy.c | 2 +- + .../jni/libandroidbridge/backend/android_service.c | 6 +++--- + src/libcharon/network/receiver.c | 2 +- + src/libcharon/network/sender.c | 2 +- + .../plugins/bypass_lan/bypass_lan_listener.c | 4 ++-- + .../plugins/eap_radius/eap_radius_accounting.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 2 +- + src/libcharon/plugins/ha/ha_ctl.c | 2 +- + src/libcharon/plugins/ha/ha_dispatcher.c | 2 +- + src/libcharon/plugins/ha/ha_segments.c | 6 +++--- + .../kernel_libipsec/kernel_libipsec_esp_handler.c | 2 +- + .../plugins/kernel_libipsec/kernel_libipsec_router.c | 2 +- + src/libcharon/plugins/smp/smp.c | 4 ++-- + src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c | 2 +- + src/libcharon/plugins/uci/uci_control.c | 2 +- + src/libipsec/ipsec_event_relay.c | 2 +- + src/libipsec/ipsec_processor.c | 4 ++-- + src/libpttls/pt_tls_dispatcher.c | 2 +- + src/libstrongswan/networking/streams/stream_service.c | 2 +- + src/libstrongswan/processing/jobs/callback_job.c | 10 +++++++++- + src/libstrongswan/processing/jobs/callback_job.h | 11 ++++++++++- + src/libstrongswan/processing/scheduler.c | 3 ++- + src/libstrongswan/processing/watcher.c | 4 ++-- + src/libtls/tests/suites/test_socket.c | 2 +- + 25 files changed, 51 insertions(+), 33 deletions(-) + +diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c 
+index 8e8d8236e52..e220e33a62a 100644 +--- a/src/charon-cmd/cmd/cmd_connection.c ++++ b/src/charon-cmd/cmd/cmd_connection.c +@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create() + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)initiate, this, NULL, +- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + + return &this->public; + } +diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c +index e79d5974409..480d1d622d5 100644 +--- a/src/libcharon/network/receiver.c ++++ b/src/libcharon/network/receiver.c +@@ -737,7 +737,7 @@ receiver_t *receiver_create() + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets, +- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + + return &this->public; + } +diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c +index 4543766d62e..3fcd17f1b63 100644 +--- a/src/libcharon/network/sender.c ++++ b/src/libcharon/network/sender.c +@@ -216,7 +216,7 @@ sender_t * sender_create() + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets, +- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + + return &this->public; + } +diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c +index db7abd8146b..c9aed3666fc 100644 +--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c ++++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c +@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool, + { + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)update_bypass, this, +- 
NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + return TRUE; + } + +@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void, + this->mutex->unlock(this->mutex); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)update_bypass, this, +- NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + } + + METHOD(bypass_lan_listener_t, destroy, void, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +index f833dc3c0b4..2f29d080764 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c +@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)send_interim, + data, (void*)destroy_interim_data, +- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv); ++ callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv); + } + } + +diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +index 5051542615a..55d5e032cea 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id) + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio( + (callback_job_cb_t)delete_all_async, NULL, NULL, +- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + } + else if (id) + { +diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c +index 8859bae166b..3d2ac7de84d 100644 +--- a/src/libcharon/plugins/ha/ha_ctl.c ++++ b/src/libcharon/plugins/ha/ha_ctl.c +@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, 
ha_cache_t *cache) + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo, +- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + return &this->public; + } +diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c +index 5de26a65a27..83be91ab159 100644 +--- a/src/libcharon/plugins/ha/ha_dispatcher.c ++++ b/src/libcharon/plugins/ha/ha_dispatcher.c +@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, + ); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this, +- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + + return &this->public; + } +diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c +index afb76b39ea2..32d9ee40717 100644 +--- a/src/libcharon/plugins/ha/ha_segments.c ++++ b/src/libcharon/plugins/ha/ha_segments.c +@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this) + this->heartbeat_active = TRUE; + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this, +- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + } + + METHOD(ha_segments_t, handle_status, void, +@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this) + { + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status, +- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + } + + /** +@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this) + DBG1(DBG_CFG, "scheduling HA autobalance 
every %ds", this->autobalance); + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance, +- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), ++ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL), + this->autobalance); + } + +diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c +index 095ad67b4b0..c18e266e4d1 100644 +--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c ++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c +@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create() + } + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create(send_esp, this, NULL, +- (callback_job_cancel_t)return_false)); ++ callback_job_cancel_thread)); + return &this->public; + } + +diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c +index 74746e251de..07adc70be3e 100644 +--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c ++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c +@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create() + charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)handle_plain, this, +- NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + + router = &this->public; + return &this->public; +diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c +index 6ca9f13997e..85ff5830bc5 100644 +--- a/src/libcharon/plugins/smp/smp.c ++++ b/src/libcharon/plugins/smp/smp.c +@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this) + fdp = malloc_thing(int); + *fdp = fd; + job = 
callback_job_create((callback_job_cb_t)process, fdp, free, +- (callback_job_cancel_t)return_false); ++ callback_job_cancel_thread); + lib->processor->queue_job(lib->processor, (job_t*)job); + + return JOB_REQUEUE_DIRECT; +@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create() + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this, +- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + + return &this->public.plugin; + } +diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c +index 30aeb116dec..da317a894d9 100644 +--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c ++++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c +@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void, + /* schedule timeout checking */ + lib->scheduler->schedule_job_ms(lib->scheduler, + (job_t*)callback_job_create((callback_job_cb_t)check_timeouts, +- this, NULL, (callback_job_cancel_t)return_false), ++ this, NULL, callback_job_cancel_thread), + this->timeout * 1000); + + dbg_nas_user(nas_id, user_name, FALSE, "created"); +diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c +index b033c832c8c..8074005ee57 100644 +--- a/src/libcharon/plugins/uci/uci_control.c ++++ b/src/libcharon/plugins/uci/uci_control.c +@@ -296,7 +296,7 @@ uci_control_t *uci_control_create() + { + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive, +- this, NULL, (callback_job_cancel_t)return_false, ++ this, NULL, callback_job_cancel_thread, + JOB_PRIO_CRITICAL)); + } + return &this->public; +diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c +index 0f10795d168..802146eef21 100644 +--- a/src/libipsec/ipsec_event_relay.c ++++ b/src/libipsec/ipsec_event_relay.c +@@ -230,7 +230,7 @@ 
ipsec_event_relay_t *ipsec_event_relay_create() + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)handle_events, this, +- NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + + return &this->public; + } +diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c +index 2572b088089..8549fefe261 100644 +--- a/src/libipsec/ipsec_processor.c ++++ b/src/libipsec/ipsec_processor.c +@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create() + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)process_inbound, this, +- NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)process_outbound, this, +- NULL, (callback_job_cancel_t)return_false)); ++ NULL, callback_job_cancel_thread)); + return &this->public; + } +diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c +index a134bee238f..c7e42b277e1 100644 +--- a/src/libpttls/pt_tls_dispatcher.c ++++ b/src/libpttls/pt_tls_dispatcher.c +@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void, + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((callback_job_cb_t)handle, + connection, (void*)cleanup, +- (callback_job_cancel_t)return_false, ++ callback_job_cancel_thread, + JOB_PRIO_CRITICAL)); + } + } +diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c +index 5b709a2247d..c85a0664351 100644 +--- a/src/libstrongswan/networking/streams/stream_service.c ++++ b/src/libstrongswan/networking/streams/stream_service.c +@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event) + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((void*)accept_async, data, +- 
(void*)destroy_async_data, (callback_job_cancel_t)return_false, ++ (void*)destroy_async_data, callback_job_cancel_thread, + this->prio)); + } + else +diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c +index cb2a0aba5b9..3ab40b947c9 100644 +--- a/src/libstrongswan/processing/jobs/callback_job.c ++++ b/src/libstrongswan/processing/jobs/callback_job.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2009-2012 Tobias Brunner ++ * Copyright (C) 2009-2025 Tobias Brunner + * Copyright (C) 2007-2011 Martin Willi + * + * Copyright (C) secunet Security Networks AG +@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data, + return callback_job_create_with_prio(cb, data, cleanup, cancel, + JOB_PRIO_MEDIUM); + } ++ ++/* ++ * Described in header ++ */ ++bool callback_job_cancel_thread(void *data) ++{ ++ return FALSE; ++} +diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h +index 0f1ae212d87..fda86887944 100644 +--- a/src/libstrongswan/processing/jobs/callback_job.h ++++ b/src/libstrongswan/processing/jobs/callback_job.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2012 Tobias Brunner ++ * Copyright (C) 2012-2025 Tobias Brunner + * Copyright (C) 2007-2011 Martin Willi + * + * Copyright (C) secunet Security Networks AG +@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data); + */ + typedef bool (*callback_job_cancel_t)(void *data); + ++/** ++ * Default implementation of callback_job_cancel_t that simply returns FALSE ++ * to force cancellation of the thread by the processor. ++ * ++ * @param data ignored argument ++ * @return always returns FALSE ++ */ ++bool callback_job_cancel_thread(void *data); ++ + /** + * Class representing an callback Job. 
+ * +diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c +index c5e5dd83e70..76d98ddff51 100644 +--- a/src/libstrongswan/processing/scheduler.c ++++ b/src/libstrongswan/processing/scheduler.c +@@ -329,7 +329,8 @@ scheduler_t * scheduler_create() + this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*)); + + job = callback_job_create_with_prio((callback_job_cb_t)schedule, this, +- NULL, return_false, JOB_PRIO_CRITICAL); ++ NULL, callback_job_cancel_thread, ++ JOB_PRIO_CRITICAL); + lib->processor->queue_job(lib->processor, (job_t*)job); + + return &this->public; +diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c +index 1200d670959..a86ec0910d1 100644 +--- a/src/libstrongswan/processing/watcher.c ++++ b/src/libstrongswan/processing/watcher.c +@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry, + + this->jobs->insert_last(this->jobs, + callback_job_create_with_prio((void*)notify_async, data, +- (void*)notify_end, (callback_job_cancel_t)return_false, ++ (void*)notify_end, callback_job_cancel_thread, + JOB_PRIO_CRITICAL)); + } + +@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void, + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create_with_prio((void*)watch, this, +- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL)); ++ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL)); + } + else + { +diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c +index 91ee58b975f..c17d0a8873e 100644 +--- a/src/libtls/tests/suites/test_socket.c ++++ b/src/libtls/tests/suites/test_socket.c +@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config) + + lib->processor->queue_job(lib->processor, (job_t*) + callback_job_create((void*)serve_echo, config, NULL, +- (callback_job_cancel_t)return_false)); ++ callback_job_cancel_thread)); + } + + /** +--- + +From 
11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Fri, 21 Feb 2025 17:00:44 +0100 +Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty() + +As described in the previous commit, GCC 15 uses C23 by default and that +changes the meaning of such argument-less function declarations. So +whenever we assign such a function to a pointer that expects a function +with arguments it causes an incompatible pointer type warning. We +could define dedicated functions/callbacks whenever necessary, but this +seems like the simpler approach for now (especially since most uses of +these functions have already been cast). +--- + src/charon-nm/nm/nm_handler.c | 2 +- + src/libcharon/encoding/payloads/encrypted_payload.c | 2 +- + src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +- + src/libcharon/plugins/ha/ha_attribute.c | 2 +- + src/libcharon/plugins/updown/updown_handler.c | 2 +- + src/libstrongswan/utils/identification.c | 6 +++--- + 6 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c +index d7331ad72f6..39d0190ac9e 100644 +--- a/src/charon-nm/nm/nm_handler.c ++++ b/src/charon-nm/nm/nm_handler.c +@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create() + .public = { + .handler = { + .handle = _handle, +- .release = nop, ++ .release = (void*)nop, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .create_enumerator = _create_enumerator, +diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c +index 676d00b7a29..4821c6108ed 100644 +--- a/src/libcharon/encoding/payloads/encrypted_payload.c ++++ b/src/libcharon/encoding/payloads/encrypted_payload.c +@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create() + .get_length = _frag_get_length, + .add_payload = _frag_add_payload, + .remove_payload = (void*)return_null, +- 
.generate_payloads = nop, ++ .generate_payloads = (void*)nop, + .set_transform = _frag_set_transform, + .get_transform = _frag_get_transform, + .encrypt = _frag_encrypt, +diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c +index 78f4f702aec..14d2ff99aa3 100644 +--- a/src/libcharon/plugins/android_dns/android_dns_handler.c ++++ b/src/libcharon/plugins/android_dns/android_dns_handler.c +@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool, + VA_ARGS_VGET(args, type, data); + *type = INTERNAL_IP4_DNS; + *data = chunk_empty; +- this->venumerate = return_false; ++ this->venumerate = (void*)return_false; + return TRUE; + } + +diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c +index b865a4b829b..103d1a93784 100644 +--- a/src/libcharon/plugins/ha/ha_attribute.c ++++ b/src/libcharon/plugins/ha/ha_attribute.c +@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, +- .create_attribute_enumerator = enumerator_create_empty, ++ .create_attribute_enumerator = (void*)enumerator_create_empty, + }, + .reserve = _reserve, + .destroy = _destroy, +diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c +index 36eb15615a4..3707e1e658c 100644 +--- a/src/libcharon/plugins/updown/updown_handler.c ++++ b/src/libcharon/plugins/updown/updown_handler.c +@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create() + .handler = { + .handle = _handle, + .release = _release, +- .create_attribute_enumerator = enumerator_create_empty, ++ .create_attribute_enumerator = (void*)enumerator_create_empty, + }, + .create_dns_enumerator = _create_dns_enumerator, + .destroy = _destroy, +diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identifi 100 5229 100 5229 
0 0 26091 0 --:--:-- --:--:-- --:--:-- 26145 +cation.c +index d31955b3806..58a05052dc1 100644 +--- a/src/libstrongswan/utils/identification.c ++++ b/src/libstrongswan/utils/identification.c +@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type) + this->public.hash = _hash_binary; + this->public.equals = _equals_binary; + this->public.matches = _matches_any; +- this->public.contains_wildcards = return_true; ++ this->public.contains_wildcards = (void*)return_true; + break; + case ID_FQDN: + case ID_RFC822_ADDR: +@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type) + this->public.hash = _hash_binary; + this->public.equals = _equals_binary; + this->public.matches = _matches_range; +- this->public.contains_wildcards = return_false; ++ this->public.contains_wildcards = (void*)return_false; + break; + default: + this->public.hash = _hash_binary; + this->public.equals = _equals_binary; + this->public.matches = _matches_binary; +- this->public.contains_wildcards = return_false; ++ this->public.contains_wildcards = (void*)return_false; + break; + } + return this; +--- diff --git a/SPECS/strongswan/strongswan-fix-make-check.patch b/SPECS/strongswan/strongswan-fix-make-check.patch index f7ab03ec4b..87a7054a29 100644 --- a/SPECS/strongswan/strongswan-fix-make-check.patch +++ b/SPECS/strongswan/strongswan-fix-make-check.patch 
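Review bot: The `diff --git` header for src/libstrongswan/utils/identification.c near the end of this added patch file is split by what looks like a curl progress meter (`100 5229 100 5229 0 0 26091 ...`), which leaves `cation.c` as a separate added line. This suggests the file was assembled by appending downloaded commits with the transfer meter mixed into the output. Tools that skip text before the `---`/`+++` lines may still apply the section, but stricter parsers can reject it, and the file no longer matches the upstream commits byte for byte, which makes provenance checks harder. Regenerate the patch from the upstream commits with the meter silenced, so the header reads `diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c`.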
@@ -1,6 +1,18 @@ ---- a/src/libstrongswan/tests/suites/test_rsa.c 2018-05-28 17:00:17.000000000 +0530 -+++ b/src/libstrongswan/tests/suites/test_rsa.c 2018-12-06 23:39:25.390434910 +0530 -@@ -5179,11 +5179,6 @@ +From efe7b6b9e93dfb50b23aac1f72a796310cad2be1 Mon Sep 17 00:00:00 2001 +From: Mayank Singh +Date: Thu, 22 May 2025 11:25:06 +0000 +Subject: [PATCH] fix make check patch + +--- + src/libstrongswan/tests/suites/test_rsa.c | 5 ----- + src/libstrongswan/tests/suites/test_utils.c | 1 - + 2 files changed, 6 deletions(-) + +diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c +index 7bc02f3..48cc68e 100644 +--- a/src/libstrongswan/tests/suites/test_rsa.c ++++ b/src/libstrongswan/tests/suites/test_rsa.c +@@ -5560,11 +5560,6 @@ Suite *rsa_suite_create() gen_count = min(1, gen_count); } @@ -12,13 +24,18 @@ tc = tcase_create("load"); tcase_add_loop_test(tc, test_load, 0, countof(keys)); suite_add_tcase(s, tc); ---- a/src/libstrongswan/tests/suites/test_utils.c 2018-05-28 17:00:17.000000000 +0530 -+++ b/src/libstrongswan/tests/suites/test_utils.c 2018-12-06 23:38:19.150438228 +0530 -@@ -1051,7 +1051,6 @@ +diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c +index bbaca6d..bf80a8f 100644 +--- a/src/libstrongswan/tests/suites/test_utils.c ++++ b/src/libstrongswan/tests/suites/test_utils.c +@@ -1391,7 +1391,6 @@ Suite *utils_suite_create() suite_add_tcase(s, tc); tc = tcase_create("printf_hooks"); - tcase_add_loop_test(tc, test_time_printf_hook, 0, countof(time_data)); tcase_add_loop_test(tc, test_time_delta_printf_hook, 0, countof(time_delta_data)); suite_add_tcase(s, tc); + +-- +2.45.3 diff --git a/SPECS/strongswan/strongswan.signatures.json b/SPECS/strongswan/strongswan.signatures.json index 16b5853ed6..e599130b0e 100644 --- a/SPECS/strongswan/strongswan.signatures.json +++ b/SPECS/strongswan/strongswan.signatures.json 
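Review bot: The regenerated patch header gives no reason for switching tests off: the subject is `fix make check patch` and the body is empty, while the diffstat shows five lines dropped from rsa_suite_create() and the second hunk drops the `test_time_printf_hook` loop test from utils_suite_create(). For an IPsec package, tests removed from `make check` should be traceable, so I would add a body along the lines of `Disable <test names> in the package build because <reason>; tracked in <issue link>`. The five lines removed from test_rsa.c fall between the two hunks and are not shown here, so which RSA test case is dropped should be confirmed against the full patch.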
@@ -1,5 +1,6 @@
 {
- "Signatures": {
- "strongswan-5.9.12.tar.bz2": "5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5"
- }
-}
+ "Signatures": {
+ "strongswan-5.9.14.tar.bz2": "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678",
+ "tmpfiles-strongswan.conf": "940d91e3082906a5594fac1527ab0149d71662a23096475e804f1fd98d5c51a2"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/strongswan/strongswan.spec b/SPECS/strongswan/strongswan.spec
index 93cd35bcca..15c33fd16d 100644
--- a/SPECS/strongswan/strongswan.spec
+++ b/SPECS/strongswan/strongswan.spec
@@ -1,116 +1,1072 @@ -Summary: The OpenSource IPsec-based VPN Solution +%global _hardened_build 1 +#%%define prerelease dr1 + +%bcond_without python3 +%bcond_without perl +%bcond_without check + +%bcond_with network_man +%bcond_with tss_trousers + +%global forgeurl0 https://github.com/strongswan/strongswan + Name: strongswan -Version: 5.9.12 -Release: 1%{?dist} -License: GPLv2+ +Version: 5.9.14 +Release: 7%{?dist} +Summary: An OpenSource IPsec-based VPN and TNC solution +# Automatically converted from old format: GPLv2+ - review is highly recommended. +License: GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux -Group: System Environment/Security URL: https://www.strongswan.org/ -Source0: https://download.strongswan.org/%{name}-%{version}.tar.bz2 -Patch0: strongswan-fix-make-check.patch -Patch1: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch +VCS: git:%{forgeurl0} +Source0: https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2 +Source3: tmpfiles-strongswan.conf +Patch0: strongswan-5.6.0-uintptr_t.patch +# https://github.com/strongswan/strongswan/issues/1198 +Patch1: strongswan-5.9.7-error-no-format.patch +# C23 fixes included in 6.0.1 +Patch2: strongswan-6.0.0-gcc15.patch +# C23 fixed merged but not yet released +Patch3: strongswan-6.0.1-gcc15.patch +Patch4: strongswan-fix-make-check.patch +Patch5: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch + BuildRequires: autoconf +BuildRequires: automake +BuildRequires: gnupg2 +BuildRequires: libtool +BuildRequires: make +BuildRequires: gcc +BuildRequires: systemd +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros BuildRequires: gmp-devel +BuildRequires: libcurl-devel +BuildRequires: openldap-devel +BuildRequires: openssl-devel + +BuildRequires: sqlite-devel +BuildRequires: gettext-devel +BuildRequires: libxml2-devel +BuildRequires: pam-devel +BuildRequires: json-c-devel +BuildRequires: libgcrypt-devel +BuildRequires: iptables-devel 
+BuildRequires: libcap-devel +BuildRequires: tpm2-tss-devel +BuildRequires: pkgconfig(gthread-2.0) +Recommends: tpm2-tools + +%if %{with python3} +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-pytest +%endif + +%if %{with perl} +BuildRequires: perl-devel perl-generators +BuildRequires: perl(ExtUtils::MakeMaker) +%endif + +%if %{with tss_trousers} +BuildRequires: trousers-devel +%endif + +%if %{with network_man} +#BuildRequires: NetworkManager-libnm-devel +%endif +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd %description -strongSwan is a complete IPsec implementation for Linux 2.6, 3.x, and 4.x kernels. +The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key +exchange protocols in conjunction with the native NETKEY IPsec stack of the +Linux kernel. + +%package libipsec +Summary: Strongswan's libipsec backend +%description libipsec +The kernel-libipsec plugin provides an IPsec backend that works entirely +in userland, using TUN devices and its own IPsec implementation libipsec. + +%if %{with network_man} +%package charon-nm +Summary: NetworkManager plugin for Strongswan +Requires: dbus +Obsoletes: strongswan-NetworkManager < 0:5.0.4-5 +Conflicts: strongswan-NetworkManager < 0:5.0.4-5 +Conflicts: NetworkManager-strongswan < 1.4.2-1 +%description charon-nm +NetworkManager plugin integrates a subset of Strongswan capabilities +to NetworkManager. +%endif + +%package sqlite +Summary: SQLite support for strongSwan +Requires: strongswan = %{version}-%{release} +%description sqlite +The sqlite plugin adds an SQLite database backend to strongSwan. + +%package tnc-imcvs +Summary: Trusted network connect (TNC)'s IMC/IMV functionality +Requires: strongswan = %{version}-%{release} +Requires: strongswan-sqlite = %{version}-%{release} +%description tnc-imcvs +This package provides Trusted Network Connect's (TNC) architecture support. 
+It includes support for TNC client and server (IF-TNCCS), IMC and IMV message +exchange (IF-M), interface between IMC/IMV and TNC client/server (IF-IMC +and IF-IMV). It also includes PTS based IMC/IMV for TPM based remote +attestation, SWID IMC/IMV, and OS IMC/IMV. It's IMC/IMV dynamic libraries +modules can be used by any third party TNC Client/Server implementation +possessing a standard IF-IMC/IMV interface. In addition, it implements +PT-TLS to support TNC over TLS. + +%if %{with python3} +%package -n python3-vici +Summary: Strongswan Versatile IKE Configuration Interface python bindings +BuildArch: noarch +%description -n python3-vici +VICI is an attempt to improve the situation for system integrators by providing +a stable IPC interface, allowing external tools to query, configure +and control the IKE daemon. + +The Versatile IKE Configuration Interface (VICI) python bindings provides module +for Strongswan runtime configuration from python applications. + +%endif + +%if %{with perl} +%package -n perl-vici +Summary: Strongswan Versatile IKE Configuration Interface perl bindings +BuildArch: noarch +%description -n perl-vici +VICI is an attempt to improve the situation for system integrators by providing +a stable IPC interface, allowing external tools to query, configure +and control the IKE daemon. + +The Versatile IKE Configuration Interface (VICI) perl bindings provides module +for Strongswan runtime configuration from perl applications. 
+%endif + +# TODO: make also ruby-vici + %prep -%autosetup -p1 +%autosetup -n %{name}-%{version}%{?prerelease} -p1 %build -# Disabling "format-security" warning, not compatible with strongswan custom printf specifiers -export CCFLAGS="%{optflags}" -export CFLAGS="$CFLAGS -Wno-format-security" -%configure -sed -i '/stdlib.h/a #include ' src/libstrongswan/utils/utils.h && -make %{?_smp_mflags} +# only for snapshots +autoreconf -fiv + +# --with-ipsecdir moves internal commands to /usr/libexec/strongswan +# --bindir moves 'pki' command to /usr/libexec/strongswan +# See: http://wiki.strongswan.org/issues/552 +# too broken to enable: --enable-sha3 --enable-rdrand --enable-connmark --enable-forecast +%configure --disable-static \ + --with-ipsec-script=strongswan \ + --sysconfdir=%{_sysconfdir}/strongswan \ + --with-ipsecdir=%{_libexecdir}/strongswan \ + --bindir=%{_libexecdir}/strongswan \ + --with-ipseclibdir=%{_libdir}/strongswan \ + --with-piddir=%{_rundir}/strongswan \ + --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \ + --enable-bypass-lan \ + --enable-tss-tss2 \ + --enable-systemd \ + --enable-openssl \ + --enable-unity \ + --enable-ctr \ + --enable-ccm \ + --enable-gcm \ + --enable-chapoly \ + --enable-md4 \ + --enable-gcrypt \ + --enable-newhope \ + --enable-xauth-eap \ + --enable-xauth-pam \ + --enable-xauth-noauth \ + --enable-eap-identity \ + --enable-eap-md5 \ + --enable-eap-gtc \ + --enable-eap-tls \ + --enable-eap-ttls \ + --enable-eap-peap \ + --enable-eap-mschapv2 \ + --enable-eap-tnc \ + --enable-eap-sim \ + --enable-eap-sim-file \ + --enable-eap-aka \ + --enable-eap-aka-3gpp \ + --enable-eap-aka-3gpp2 \ + --enable-eap-dynamic \ + --enable-eap-radius \ + --enable-ext-auth \ + --enable-ipseckey \ + --enable-pkcs11 \ + --enable-tpm \ + --enable-farp \ + --enable-dhcp \ + --enable-ha \ + --enable-led \ + --enable-sql \ + --enable-sqlite \ + --enable-tnc-ifmap \ + --enable-tnc-pdp \ + --enable-tnc-imc \ + --enable-tnc-imv \ + --enable-tnccs-20 \ 
+ --enable-tnccs-11 \ + --enable-tnccs-dynamic \ + --enable-imc-test \ + --enable-imv-test \ + --enable-imc-scanner \ + --enable-imv-scanner \ + --enable-imc-attestation \ + --enable-imv-attestation \ + --enable-imv-os \ + --enable-imc-os \ + --enable-imc-swima \ + --enable-imv-swima \ + --enable-imc-hcd \ + --enable-imv-hcd \ + --enable-curl \ + --enable-cmd \ + --enable-acert \ + --enable-vici \ + --enable-swanctl \ + --enable-duplicheck \ +%ifarch x86_64 %{ix86} + --enable-aesni \ +%endif +%if %{with python3} + PYTHON=%{python3} --enable-python-eggs \ +%endif +%if %{with perl} + --enable-perl-cpan \ +%endif +%if %{with check} + --enable-test-vectors \ +%endif +%if %{with tss_trousers} + --enable-tss-trousers \ + --enable-aikgen \ +%endif + --enable-kernel-libipsec \ + --with-capabilities=libcap \ + CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT" +# TODO: --enable-python-eggs-install not python3 ready + +# disable certain plugins in the daemon configuration by default +for p in bypass-lan; do + echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt +done + +# ensure manual page is regenerated with local configuration +rm -f src/ipsec/_ipsec.8 + +%make_build + +pushd src/libcharon/plugins/vici + +%if %{with python3} + pushd python + %make_build + sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py + #py3_build + popd +%endif + +%if %{with perl} + pushd perl/Vici-Session/ + perl Makefile.PL INSTALLDIRS=vendor + %make_build + popd +%endif + +popd %install -[ %{buildroot} != "/"] && rm -rf %{buildroot}/* -make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete -find %{buildroot} -name '*.a' -delete +%make_install + + +pushd src/libcharon/plugins/vici +%if %{with python3} + pushd python + # TODO: --enable-python-eggs breaks our previous build. 
Do it now + # propose better way to upstream + %py3_build + %py3_install + popd +%endif +%if %{with perl} + %make_install -C perl/Vici-Session + rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist} +%endif +popd +# prefix man pages +for i in %{buildroot}%{_mandir}/*/*; do + if echo "$i" | grep -vq '/strongswan[^\/]*$'; then + mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/strongswan_\1|'`" + fi +done +find %{buildroot} -type f -name '*.la' -delete +# delete unwanted library files - no consumers, so no -devel package +rm %{buildroot}%{_libdir}/strongswan/*.so +# fix config permissions +chmod 644 %{buildroot}%{_sysconfdir}/strongswan/strongswan.conf + +# Create ipsec.d directory tree. +install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d +for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do + install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i} +done +install -d -m 0700 %{buildroot}%{_rundir}/strongswan +install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf +install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf + %check -make check +%if %{with check} + # Seen some tests hang. 
Ensure we do not block builder forever + #export TESTS_VERBOSITY=1 + timeout 600 %make_build check +%endif +%if %{with python} + pushd src/libcharon/plugins/vici + %pytest + popd +%endif +: + +%post +%systemd_post strongswan.service strongswan-starter.service -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%preun +%systemd_preun strongswan.service strongswan-starter.service + +%postun +%systemd_postun_with_restart strongswan.service strongswan-starter.service %files -%defattr(-,root,root) -%license LICENSE -%{_sysconfdir}/* -%{_bindir}/* -%{_sbindir}/* -%{_libdir}/ipsec/* -%{_libexecdir}/* -%{_mandir}/man[158]/* -%{_datadir}/strongswan/* +%doc README NEWS TODO ChangeLog +%license COPYING +%dir %attr(0755,root,root) %{_sysconfdir}/strongswan +%config(noreplace) %{_sysconfdir}/strongswan/* +%dir %{_libdir}/strongswan +%exclude %{_libdir}/strongswan/imcvs +%dir %{_libdir}/strongswan/plugins +%dir %{_libexecdir}/strongswan +%{_unitdir}/strongswan.service +%{_unitdir}/strongswan-starter.service +%{_sbindir}/charon-cmd +%{_sbindir}/charon-systemd +%{_sbindir}/strongswan +%{_sbindir}/swanctl +%{_libdir}/strongswan/*.so.* +%exclude %{_libdir}/strongswan/libimcv.so.* +%exclude %{_libdir}/strongswan/libtnccs.so.* +%exclude %{_libdir}/strongswan/libipsec.so.* +%{_libdir}/strongswan/plugins/*.so +%exclude %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so +%exclude %{_libdir}/strongswan/plugins/libstrongswan-*tnc*.so +%exclude %{_libdir}/strongswan/plugins/libstrongswan-kernel-libipsec.so +%{_libexecdir}/strongswan/* +%exclude %{_libexecdir}/strongswan/attest +%exclude %{_libexecdir}/strongswan/pt-tls-client +%exclude %dir %{_datadir}/strongswan/swidtag +%{_mandir}/man?/*.gz +%{_datadir}/strongswan/templates/config/ +%{_datadir}/strongswan/templates/database/ +%attr(0755,root,root) %dir %{_rundir}/strongswan +%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf +%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf + +%files sqlite 
+%{_libdir}/strongswan/plugins/libstrongswan-sqlite.so + +%files tnc-imcvs +%{_sbindir}/sw-collector +%{_sbindir}/sec-updater +%dir %{_libdir}/strongswan/imcvs +%dir %{_libdir}/strongswan/plugins +%{_libdir}/strongswan/libimcv.so.* +%{_libdir}/strongswan/libtnccs.so.* +%{_libdir}/strongswan/plugins/libstrongswan-*tnc*.so +%{_libexecdir}/strongswan/attest +%{_libexecdir}/strongswan/pt-tls-client +%dir %{_datadir}/strongswan/swidtag +%{_datadir}/strongswan/swidtag/*.swidtag + +%files libipsec +%{_libdir}/strongswan/libipsec.so.* +%{_libdir}/strongswan/plugins/libstrongswan-kernel-libipsec.so + +%if %{with network_man} +%files charon-nm +%doc COPYING +%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf +%{_libexecdir}/strongswan/charon-nm +%endif + +%if %{with python3} +%files -n python3-vici +%license COPYING +%doc src/libcharon/plugins/vici/python/README.rst +%{python3_sitelib}/vici +%{python3_sitelib}/vici-%{version}-py*.egg-info +%endif + +%if %{with perl} +%license COPYING +%files -n perl-vici +%{perl_vendorlib}/Vici +%endif %changelog -* Thu May 02 2024 CBL-Mariner Servicing Account - 5.9.12-1 -- Auto-upgrade to 5.9.12 - address CVE-2023-41913 +* Fri May 23 2025 Mayank Singh - 5.9.14-7 +- Initial Azure Linux import from Fedora 42 (license: MIT). 
+- License verified + +* Sun Jan 19 2025 Fedora Release Engineering - 5.9.14-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sat Jul 27 2024 Michel Lind - 5.9.14-5 +- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335) + +* Fri Jul 26 2024 Miroslav Suchý - 5.9.14-4 +- convert license to SPDX + +* Sat Jul 20 2024 Fedora Release Engineering - 5.9.14-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jun 07 2024 Python Maint - 5.9.14-2 +- Rebuilt for Python 3.13 + +* Fri May 31 2024 Paul Wouters - 5.9.14-1 +- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE +- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling +- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len) +- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes) + +* Sat Jan 27 2024 Fedora Release Engineering - 5.9.11-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jul 22 2023 Fedora Release Engineering - 5.9.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Jul 14 2023 Paul Wouters - 5.9.10-2 +- Rebuilt for Python 3.12 + +* Thu Mar 02 2023 Paul Wouters - 5.9.9-2 +- Use configure paths in manual pages (#2106120) + +* Sun Jan 15 2023 Petr Menšík - 5.9.9-1 +- Update to 5.9.9 (#2157850) + +* Thu Dec 08 2022 Jitka Plesnikova - 5.9.8-2 +- Add BR perl-generators to automatically generates run-time dependencies + for installed Perl files + +* Sun Oct 16 2022 Arne Reiter - 5.9.8-1 +- Resolves rhbz#2112274 strongswan-5.9.8 is available +- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security +- Add BuildRequire for autoconf and automake, now required for release +- Remove obsolete patches + +* Sat Jul 23 2022 Fedora Release Engineering - 5.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Jun 22 2022 
Arne Reiter - 5.9.6-1 +- Resolves rhbz#2080070 strongswan-5.9.6 is available +- Fixed missing format string in enum_flags_to_string() + +* Mon Jun 13 2022 Python Maint - 5.9.5-4 +- Rebuilt for Python 3.11 + +* Fri Feb 25 2022 Arne Reiter - 5.9.5-3 +- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6 + +* Tue Jan 25 2022 Paul Wouters - 5.9.5-2 +- Use newly published/cleaned strongswan gpg key + +* Mon Jan 24 2022 Paul Wouters - 5.9.5-1 +- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079) + +* Sat Jan 22 2022 Fedora Release Engineering - 5.9.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Dec 16 2021 Neal Gompa - 5.9.4-4 +- Disable TPM/TSS 1.2 support for F36+ / RHEL9+ +- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers) + +* Thu Nov 11 2021 Petr Menšík - 5.9.4-3 +- Resolves rhbz#1419441 Add python and perl vici bindings +- Adds optional tests run + +* Tue Nov 09 2021 Paul Wouters - 5.9.4-2 +- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter +- Return to using tmpfiles, but extend to cover strongswan-starter service too +- Cleanup old patches + +* Wed Oct 20 2021 Paul Wouters - 5.9.4-1 +- Resolves: rhbz#2015165 strongswan-5.9.4 is available +- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature +- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache +- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools + +* Tue Sep 14 2021 Sahana Prasad - 5.9.3-4 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 5.9.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sat Jul 10 2021 Björn Esser - 5.9.3-2 +- Rebuild for versioned symbols in json-c + +* Tue Jul 06 2021 Paul Wouters - 5.9.3-1 +- Resolves: rhbz#1979574 
strongswan-5.9.3 is available +- Make strongswan main dir world readable so apps can find strongswan.conf + +* Thu Jun 03 2021 Paul Wouters - 5.9.2-1 +- Resolves: rhbz#1896545 strongswan-5.9.2 is available + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 5.9.1-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Fri Feb 12 2021 Paul Wouters - 5.9.1-1 +- Resolves: rhbz#1896545 strongswan-5.9.1 is available + +* Thu Feb 11 2021 Davide Cavalca - 5.9.0-4 +- Build with with capabilities support +- Resolves: rhbz#1911572 StrongSwan not configured with libcap support + +* Wed Jan 27 2021 Fedora Release Engineering - 5.9.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters - 5.9.0-2 +- Resolves: rhbz#1886759 charon looking for certificates in the wrong place + +* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters - 5.9.0-1 +- Resolves: rhbz#1861747 strongswan-5.9.0 is available +- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only. 
+ (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS) + +* Sat Aug 01 2020 Fedora Release Engineering - 5.8.4-5 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 5.8.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Apr 21 2020 Björn Esser - 5.8.4-3 +- Rebuild (json-c) + +* Sun Apr 12 2020 Mikhail Zabaluev - 5.8.4-2 +- Patch0: Add RuntimeDirectory options to service files (#1789263) + +* Sun Apr 12 2020 Mikhail Zabaluev - 5.8.4-1 +- Updated to 5.8.4 +- Patch4 has been applied upstream + +* Sat Feb 22 2020 Mikhail Zabaluev - 5.8.2-5 +- Patch to declare a global variable with extern (#1800117) + +* Mon Feb 10 2020 Paul Wouters - 5.8.2-4 +- use tmpfile to ensure rundir is present + +* Fri Jan 31 2020 Fedora Release Engineering - 5.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Dec 28 2019 Paul Wouters - 5.8.2-2 +- Use /run/strongswan as rundir to support strongswans in namespaces + +* Tue Dec 17 2019 Mikhail Zabaluev - 5.8.2-1 +- Update to 5.8.2 (#1784457) +- The D-Bus config file moved under datadir + +* Mon Sep 02 2019 Mikhail Zabaluev - 5.8.1-1 +- Update to 5.8.1 (#1711920) +- No more separate strongswan-swanctl.service to start out of order (#1775548) +- Added strongswan-starter.service + +* Sat Jul 27 2019 Fedora Release Engineering - 5.7.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 5.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 09 2019 Paul Wouters - 5.7.2-1 +- Updated to 5.7.2 + +* Thu Oct 04 2018 Mikhail Zabaluev - 5.7.1-1 +- Updated to 5.7.1 +- Resolves rhbz#1635872 CVE-2018-16152 +- Resolves rhbz#1635875 CVE-2018-16151 + +* Thu Aug 23 2018 Mikhail Zabaluev - 5.6.3-3 +- Add plugin bypass-lan, disabled by default +- Resolves rhbz#1554479 Update to 
strongswan-charon-nm fails + +* Sat Jul 14 2018 Fedora Release Engineering - 5.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue May 29 2018 Mikhail Zabaluev - 5.6.3-1 +- New version 5.6.3 + +* Thu May 24 2018 Paul Wouters - 5.6.2-6 +- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c + +* Thu May 24 2018 Paul Wouters - 5.6.2-5 +- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server +- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin + +* Sun May 20 2018 Mikhail Zabaluev - 5.6.2-3 +- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package + sqlite (#1579945) + +* Tue Mar 06 2018 Björn Esser - 5.6.2-2 +- Rebuilt for libjson-c.so.4 (json-c v0.13.1) + +* Wed Feb 21 2018 Lubomir Rintel - 5.6.2-1 +- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm) + +* Fri Feb 09 2018 Fedora Release Engineering - 5.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Dec 22 2017 Paul Wouters - 5.6.1-1 +- Updated to 5.6.1 (RSA-PSS support) + +* Sun Dec 10 2017 Björn Esser - 5.6.0-3 +- Rebuilt for libjson-c.so.3 + +* Fri Dec 01 2017 Lubomir Rintel - 5.6.0-2 +- Fix the placement of charon-nm D-Bus policy + +* Sat Sep 09 2017 Paul Wouters - 5.6.0-1 +- Updated to 5.6.0 +- Fixup configure arguments, enabled a bunch of new features +- Added new BuildRequires: +- Fixup Obsolete/Conflicts, use license macro +- Don't require autoconf/autotools for non-snapshots +- Remove macro overuse, remove fedora/rhel checks and sysvinit support +- Make listings/grouping of all plugins/libs to reduce file listing + +* Thu Aug 03 2017 Fedora Release Engineering - 5.5.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 5.5.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jun 12 2017 Paul Wouters 
- 5.5.3-1 +- Updated to 5.5.3 + +* Sat May 27 2017 Paul Wouters - 5.5.2-1 +- Updated to 5.5.2 + +* Sat Feb 11 2017 Fedora Release Engineering - 5.5.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Sep 15 2016 Pavel Šimerda - 5.5.0-2 +- Resolves: #1367796 - Enable the unity plugin + +* Mon Aug 08 2016 Pavel Šimerda - 5.5.0-1 +- New version 5.5.0 + +* Wed Jun 22 2016 Pavel Šimerda +- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters + +* Wed Jun 22 2016 Pavel Šimerda - 5.4.0-1 +- New version 5.4.0 + +* Thu Mar 03 2016 Pavel Šimerda - 5.3.5-1 +- New version 5.3.5 + +* Fri Feb 05 2016 Fedora Release Engineering - 5.3.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 15 2016 Paul Wouters - 5.3.3-2 +- Enable IKEv2 GCM (requires gcrypt module as well) + +* Tue Sep 29 2015 Pavel Šimerda - 5.3.3-1 +- new version 5.3.3 + +* Thu Sep 24 2015 Pavel Šimerda - 5.3.2-3 +- Resolves: #1264598 - strongswan: many configuration files are not protected + +* Fri Jun 19 2015 Fedora Release Engineering - 5.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Jun 09 2015 Pavel Šimerda +- new version 5.3.2 + +* Fri Jun 05 2015 Pavel Šimerda - 5.3.1-1 +- new version 5.3.1 + +* Tue Mar 31 2015 Pavel Šimerda - 5.3.0-1 +- new version 5.3.0 + +* Fri Feb 20 2015 Avesh Agarwal - 5.2.2-2 +- Fixes strongswan swanctl service issue rhbz#1193106 + +* Tue Jan 06 2015 Pavel Šimerda - 5.2.2-1 +- new version 5.2.2 + +* Thu Dec 18 2014 Avesh Agarwal - 5.2.2-0.2.dr1 +- Enabled ccm, and ctr plugins as it seems enabling just openssl does + not work for using ccm and ctr algos. + +* Mon Dec 8 2014 Avesh Agarwal - 5.2.2-0.1.dr1 +- New strongswan developer release 5.2.2dr1 + +* Mon Nov 24 2014 Avesh Agarwal - 5.2.1-2 +- 1167331: Enabled native systemd support. +- Does not disable old systemd, starter, ipsec.conf support yet. 
+ +* Thu Oct 30 2014 Avesh Agarwal - 5.2.1-1 +- New upstream release 5.2.1 + +* Thu Oct 16 2014 Avesh Agarwal - 5.2.1-0.2.rc1 +- New upstream release candidate 5.2.1rc1 + +* Fri Oct 10 2014 Pavel Šimerda - 5.2.1-1 +- new version 5.2.1dr1 + +* Thu Sep 25 2014 Pavel Šimerda - 5.2.0-7 +- use upstream patch for json/json-c dependency + +* Thu Sep 25 2014 Pavel Šimerda - 5.2.0-6 +- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin + +* Mon Aug 18 2014 Fedora Release Engineering - 5.2.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 05 2014 Pavel Šimerda - 5.2.0-4 +- Resolves: #1081804 - enable Kernel IPSec support + +* Wed Jul 30 2014 Pavel Šimerda - 5.2.0-3 +- rebuilt + +* Tue Jul 29 2014 Pavel Šimerda - 5.2.0-2 +- fix json-c dependency + +* Tue Jul 15 2014 Avesh Agarwal - 5.2.0-1 +- New upstream release 5.2.0 +- The Attestation IMC/IMV pair supports the IMA-NG + measurement format +- Aikgen tool to generate an Attestation Identity Key bound + to a TPM +- Swanctl tool to provide a portable, complete IKE + configuration and control interface for the command + line using vici interface with libvici library +- PT-EAP transport protocol (RFC 7171) for TNC +- Enabled support for acert for checking X509 attribute certificate +- Updated patches, removed selinux patch as upstream has fixed it + in this release. 
+- Updated spec file with minor cleanups + +* Thu Jun 26 2014 Pavel Šimerda - 5.2.0-0.4.dr6 +- improve prerelease macro + +* Thu Jun 26 2014 Pavel Šimerda - 5.2.0-0.3 +- Resolves: #1111895 - bump to 5.2.0dr6 + +* Thu Jun 12 2014 Pavel Šimerda - 5.2.0-0.2 +- Related: #1087437 - remove or upstream all patches not specific to fedora/epel + +* Thu Jun 12 2014 Pavel Šimerda - 5.2.0-0.1.dr5 +- fix the pre-release version according to guidelines before it gets branched + +* Fri Jun 06 2014 Pavel Šimerda - 5.2.0dr5-1 +- new version 5.2.0dr5 +- add json-c-devel to build deps + +* Mon May 26 2014 Pavel Šimerda - 5.2.0dr4-3 +- merge two related patches + +* Mon May 26 2014 Pavel Šimerda - 5.2.0dr4-2 +- clean up the patches a bit + +* Thu May 22 2014 Avesh Agarwal - 5.2.0dr4-1 +- New upstream developer release 5.2.0dr4 +- Attestation IMV/IMC supports IMA-NG measurement format now +- Aikgen tool to generate an Attestation Identity Key bound + to a TPM +- PT-EAP transport protocol (RFC 7171) for TNC +- vici plugin provides IKE Configuration Interface for charon +- Enabled support for acert for checking X509 attribute certificate +- Updated patches +- Updated spec file with minor cleanups + +* Tue Apr 15 2014 Pavel Šimerda - 5.1.3-1 +- new version 5.1.3 + +* Mon Apr 14 2014 Pavel Šimerda - 5.1.3rc1-1 +- new version 5.1.3rc1 + +* Mon Mar 24 2014 Pavel Šimerda - 5.1.2-4 +- #1069928 - updated libexec patch. 
+ +* Tue Mar 18 2014 Pavel Šimerda - 5.1.2-3 +- fixed el6 initscript +- fixed pki directory location + +* Fri Mar 14 2014 Pavel Šimerda - 5.1.2-2 +- clean up the specfile a bit +- replace the initscript patch with an individual initscript +- patch to build for epel6 + +* Mon Mar 03 2014 Pavel Šimerda - 5.1.2-1 +- #1071353 - bump to 5.1.2 +- #1071338 - strongswan is compiled without xauth-pam plugin +- remove obsolete patches +- sent all patches upstream +- added comments to all patches +- don't touch the config with sed + +* Thu Feb 20 2014 Avesh Agarwal - 5.1.1-6 +- Fixed full hardening for strongswan (full relro and PIE). + The previous macros had a typo and did not work + (see bz#1067119). +- Fixed tnc package description to reflect the current state of + the package. +- Fixed pki binary and moved it to /usr/libexece/strongswan as + others binaries are there too. + +* Wed Feb 19 2014 Pavel Šimerda - 5.1.1-5 +- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random + +* Thu Jan 09 2014 Pavel Šimerda - 5.1.1-4 +- Removed redundant patches and *.spec commands caused by branch merging + +* Wed Jan 08 2014 Pavel Šimerda - 5.1.1-3 +- rebuilt + +* Mon Dec 2 2013 Avesh Agarwal - 5.1.1-2 +- Resolves: 973315 +- Resolves: 1036844 + +* Fri Nov 1 2013 Avesh Agarwal - 5.1.1-1 +- Support for PT-TLS (RFC 6876) +- Support for SWID IMC/IMV +- Support for command line IKE client charon-cmd +- Changed location of pki to /usr/bin +- Added swid tags files +- Added man pages for pki and charon-cmd +- Renamed pki to strongswan-pki to avoid conflict with + pki-core/pki-tools package. +- Update local patches +- Fixes CVE-2013-6075 +- Fixes CVE-2013-6076 +- Fixed autoconf/automake issue as configure.ac got changed + and it required running autoreconf during the build process. +- added strongswan signature file to the sources. 
+ +* Thu Sep 12 2013 Avesh Agarwal - 5.1.0-3 +- Fixed initialization crash of IMV and IMC particularly + attestation imv/imc as libstrongswas was not getting + initialized. + +* Fri Aug 30 2013 Avesh Agarwal - 5.1.0-2 +- Enabled fips support +- Enabled TNC's ifmap support +- Enabled TNC's pdp support +- Fixed hardocded package name in this spec file + +* Wed Aug 7 2013 Avesh Agarwal - 5.1.0-1 +- rhbz#981429: New upstream release +- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 +- Fixes rhbz#991859 failed to build in rawhide +- Updated local patches and removed which are not needed +- Fixed errors around charon-nm +- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so, + libstrongswan-sshkey.so +- Added utility imv_policy_manager + +* Thu Jul 25 2013 Jamie Nguyen - 5.0.4-5 +- rename strongswan-NetworkManager to strongswan-charon-nm +- fix enable_nm macro + +* Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 +- %%files tries to package some of the shared objects as directories (#984437) +- fix broken systemd unit file (#984300) +- fix rpmlint error: description-line-too-long +- fix rpmlint error: macro-in-comment +- fix rpmlint error: spelling-error Summary(en_US) fuctionality +- depend on 'systemd' instead of 'systemd-units' +- use new systemd scriptlet macros +- NetworkManager subpackage should have a copy of the license (#984490) +- enable hardened_build as this package meets the PIE criteria (#984429) +- invocation of "ipsec _updown iptables" is broken as ipsec is renamed + to strongswan in this package (#948306) +- invocation of "ipsec scepclient" is broken as ipsec is renamed + to strongswan in this package +- add /etc/strongswan/ipsec.d and missing subdirectories +- conditionalize building of strongswan-NetworkManager subpackage as the + version of NetworkManager in EL6 is too old (#984497) + +* Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 +- Patch to fix a major crash issue when Freeradius loads + attestatiom-imv and does not initialize libstrongswan which + causes 
crash due to calls to PTS algorithms probing APIs. + So this patch fixes the order of initialization. This issues + does not occur with charon because libstrongswan gets + initialized earlier. +- Patch that allows to outputs errors when there are permission + issues when accessing strongswan.conf. +- Patch to make loading of modules configurable when libimcv + is used in stand alone mode without charon with freeradius + and wpa_supplicant. + +* Tue Jun 11 2013 Avesh Agarwal - 5.0.4-2 +- Enabled TNCCS 1.1 protocol +- Fixed libxm2-devel build dependency +- Patch to fix the issue with loading of plugins + +* Wed May 1 2013 Avesh Agarwal - 5.0.4-1 +- New upstream release +- Fixes for CVE-2013-2944 +- Enabled support for OS IMV/IMC +- Created and applied a patch to disable ECP in fedora, because + Openssl in Fedora does not allow ECP_256 and ECP_384. It makes + it non-compliant to TCG's PTS standard, but there is no choice + right now. see redhat bz # 319901. +- Enabled Trousers support for TPM based operations. + +* Sat Apr 20 2013 Pavel Šimerda - 5.0.3-2 +- Rebuilt for a single specfile for rawhide/f19/f18/el6 + +* Fri Apr 19 2013 Avesh Agarwal - 5.0.3-1 +- New upstream release +- Enabled curl and eap-identity plugins +- Enabled support for eap-radius plugin. + +* Thu Apr 18 2013 Pavel Šimerda - 5.0.2-3 +- Add gettext-devel to BuildRequires because of epel6 +- Remove unnecessary comments + +* Tue Mar 19 2013 Avesh Agarwal - 5.0.2-2 +- Enabled support for eap-radius plugin. + +* Mon Mar 11 2013 Avesh Agarwal - 5.0.2-1 +- Update to upstream release 5.0.2 +- Created sub package strongswan-tnc-imcvs that provides trusted network + connect's IMC and IMV funtionality. Specifically it includes PTS + based IMC/IMV for TPM based remote attestation and scanner and test + IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used + by any third party TNC Client/Server implementation possessing a + standard IF-IMC/IMV interface. 
+ +* Fri Feb 15 2013 Fedora Release Engineering - 5.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Oct 04 2012 Pavel Šimerda - 5.0.1-1 +- Update to release 5.0.1 + +* Thu Oct 04 2012 Pavel Šimerda - 5.0.0-4.git20120619 +- Add plugins to interoperate with Windows 7 and Android (#862472) + (contributed by Haim Gelfenbeyn) + +* Sat Jul 21 2012 Fedora Release Engineering - 5.0.0-3.git20120619 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jul 08 2012 Pavel Šimerda - 5.0.0-2.git20120619 +- Fix configure substitutions in initscripts -* Fri Oct 27 2023 CBL-Mariner Servicing Account - 5.9.11-1 -- Auto-upgrade to 5.9.11 - Azure Linux 3.0 - package upgrades +* Wed Jul 04 2012 Pavel Šimerda - 5.0.0-1.git20120619 +- Update to current upstream release +- Comment out all stuff that is only needed for git builds +- Remove renaming patch from git +- Improve init patch used for EPEL -* Wed Sep 20 2023 Jon Slobodzian - 5.9.10-2 -- Recompile with stack-protection fixed gcc version (CVE-2023-4039) +* Thu Jun 21 2012 Pavel Šimerda - 5.0.0-0.3.git20120619 +- Build with openssl plugin enabled -* Wed Apr 26 2023 CBL-Mariner Servicing Account - 5.9.10-1 -- Auto-upgrade to 5.9.10 - Fix: Upgrade strongswan to fix CVE-2023-26463 +* Wed Jun 20 2012 Pavel Šimerda - 5.0.0-0.2.git20120619 +- Add README.Fedora with link to 4.6 to 5.0 migration information -* Thu Dec 08 2022 Henry Beberman - 5.9.8-1 -- Updated to version 5.9.8 to fix CVE-2022-40617 +* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619 +- Snapshot of upcoming major release +- Move patches and renaming upstream + http://wiki.strongswan.org/issues/194 + http://wiki.strongswan.org/issues/195 +- Notified upstream about manpage issues -* Tue Apr 12 2022 Nicolas Guibourge - 5.9.5-1 -- Updated to version 5.9.5 to fix CVE-2021-45079. 
+* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2 +- Make initscript patch more distro-neutral +- Add links to bugreports for patches -* Mon Jan 03 2022 Neha Agarwal - 5.9.3-1 -- Updated to version 5.9.3. +* Fri Jun 01 2012 Pavel Šimerda - 4.6.4-1 +- New upstream version (CVE-2012-2388) -* Thu Dec 16 2021 Pawel Winogrodzki - 5.7.2-4 -- Removing the explicit %%clean stage. +* Sat May 26 2012 Pavel Šimerda - 4.6.3-2 +- Add --enable-nm to configure +- Add NetworkManager-devel to BuildRequires +- Add NetworkManager-glib-devel to BuildRequires +- Add strongswan-NetworkManager package -* Mon Oct 05 2020 Pawel Winogrodzki 5.7.2-3 -- Adding a patch to extend the timeout for the ''valid/invalid data' test case. -- Switching to %%autosetup. +* Sat May 26 2012 Pavel Šimerda - 4.6.3-1 +- New version of Strongswan +- Support for RFC 3110 DNSKEY (see upstream changelog) +- Fix corrupt scriptlets -* Sat May 09 2020 Nick Samson 5.7.2-2 -- Added %%license line automatically +* Fri Mar 30 2012 Pavel Šimerda - 4.6.2-2 +- #808612 - strongswan binary renaming side-effect -* Wed Mar 18 2020 Henry Beberman 5.7.2-1 -- Update to 5.7.2. Remove CVE patch fixed in 5.7.0. License verified. +* Sun Feb 26 2012 Pavel Šimerda - 4.6.2-1 +- New upstream version +- Changed from .tar.gz to .tar.bz2 +- Added libstrongswan-pkcs8.so -* Tue Sep 03 2019 Mateusz Malisz 5.6.3-4 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Wed Feb 15 2012 Pavel Šimerda - 4.6.1-8 +- Fix initscript's status function -* Fri Dec 21 2018 Keerthana K 5.6.3-3 -- Fix for CVE-2018-16151 and CVE-2018-16152. +* Wed Feb 15 2012 Pavel Šimerda - 4.6.1-7 +- Expand tabs in config files for better readability +- Add sysvinit script for epel6 -* Thu Dec 06 2018 Keerthana K 5.6.3-2 -- Fixed make check failures. 
+* Wed Feb 15 2012 Pavel Šimerda - 4.6.1-6 +- Fix program name in systemd unit file -* Mon Sep 17 2018 Tapas Kundu 5.6.3-1 -- Updated to 5.6.3 release +* Tue Feb 14 2012 Pavel Šimerda - 4.6.1-5 +- Improve fedora/epel conditionals -* Thu Aug 16 2018 Tapas Kundu 5.5.2-5 -- Fix for CVE-2018-10811 +* Sat Jan 21 2012 Pavel Šimerda - 4.6.1-4 +- Protect configuration directory from ordinary users +- Add still missing directory /etc/strongswan -* Mon Jul 23 2018 Ajay Kaher 5.5.2-4 -- Fix CVE-2018-5388 +* Fri Jan 20 2012 Pavel Šimerda - 4.6.1-3 +- Change directory structure to avoid clashes with Openswan +- Prefixed all manpages with 'strongswan_' +- Every file now includes 'strongswan' somewhere in its path +- Removed conflict with Openswan +- Finally fix permissions on strongswan.conf -* Tue Oct 10 2017 Dheeraj Shetty 5.5.2-3 -- Fix CVE-2017-11185 CVE-2017-9022 and CVE-2017-9023 +* Fri Jan 20 2012 Pavel Šimerda - 4.6.1-2 +- Change license tag from GPL to GPLv2+ +- Change permissions on /etc/strongswan.conf to 644 +- Rename ipsec.8 manpage to strongswan.8 +- Fix empty scriptlets for non-fedora builds +- Add ldconfig scriptlet +- Add missing directories and files -* Thu Aug 24 2017 Alexey Makhalov 5.5.2-2 -- Fix compilation issue for glibc-2.26 +* Sun Jan 01 2012 Pavel Šimerda 5.5.2-1 -- Update to version 5.5.2 +* Sun Jan 01 2012 Pavel Šimerda 5.5.1-1 -- Initial build. +* Sat Dec 10 2011 Pavel Šimerda - 4.6.0-2 +- Experimental build for development diff --git a/SPECS/strongswan/tmpfiles-strongswan.conf b/SPECS/strongswan/tmpfiles-strongswan.conf new file mode 100644 index 0000000000..e228ac97ec --- /dev/null +++ b/SPECS/strongswan/tmpfiles-strongswan.conf @@ -0,0 +1 @@ +D /run/strongswan 0755 root root - diff --git a/SPECS/sudo/CVE-2025-32462.patch b/SPECS/sudo/CVE-2025-32462.patch new file mode 100644 index 0000000000..55a285521f --- /dev/null +++ b/SPECS/sudo/CVE-2025-32462.patch 
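Review bot: The new `tmpfiles-strongswan.conf` entry creates `/run/strongswan` as `0755 root root` with no comment saying why the directory has to be world-searchable. If only root-run strongSwan daemons and tools use it (an assumption; the consumers are not visible in this hunk), `0750` would stop other local users from listing what lives there, and access to anything inside would no longer rest on each file's own mode alone. Either way, a leading comment such as `# Runtime directory for strongSwan; D also clears its contents on systemd-tmpfiles --remove.` would record the intent.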
@@ -0,0 +1,109 @@
+# Local Privilege Escalation via host option
+
+Sudo's host (`-h` or `--host`) option is intended to be used in
+conjunction with the list option (`-l` or `--list`) to list a user's
+sudo privileges on a host other than the current one. However, due
+to a bug it was not restricted to listing privileges and could be
+used when running a command via `sudo` or editing a file with
+`sudoedit`. Depending on the rules present in the sudoers file
+this could allow a local privilege escalation attack.
+
+## Sudo versions affected:
+
+Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
+
+## CVE ID:
+
+This vulnerability has been assigned
+[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
+in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
+
+## Details:
+
+The intent of sudo's `-h` (`--host`) option is to make it possible
+to list a user's sudo privileges for a host other than the current
+one. It was only intended be used with in conjunction with the
+`-l` (`--list`) option.
+
+The bug effectively makes the hostname portion of a sudoers rule
+irrelevant since the user can set the host to be used when evaluating
+the rules themselves. A user must still be listed in the sudoers
+file, but they do not needed to have an entry for the current host.
+
+For example, given the sudoers rule:
+
+``` plain
+alice cerebus = ALL
+```
+
+user __alice__ would be able to run `sudo -h cerebus id` on any host,
+not just _cerebus_. For example:
+
+``` plain
+alice@hades$ sudo -l
+Sorry, user alice may not run sudo on hades.
+
+alice@hades$ sudo -l -h cerebus
+User alice may run the following commands on cerebus:
+ (root) ALL
+
+alice@hades$ sudo -h cerebus id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+## Impact:
+
+Sudoers files that include rules where the host field is not the
+current host or _ALL_ are affected.
This primarily affects sites
+that use a common sudoers file that is distributed to multiple
+machines. Sites that use LDAP-based sudoers (including SSSD) are
+similarly impacted.
+
+For example, a sudoers rule such as:
+
+``` plain
+bob ALL = ALL
+```
+
+is not affected since the host _ALL_ already matches any hosts,
+but a rule like:
+
+``` plain
+alice cerebus = ALL
+```
+
+could allow user __alice__ to run any command even if the current
+host is not _cerebus_.
+
+## Fix:
+
+The bug is fixed in sudo 1.9.17p1.
+
+## Credit:
+
+Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
+reporting and analyzing the bug.
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a52..ad2fa2f61 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+ time_t now;
+ debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/SPECS/sudo/CVE-2025-32463.patch b/SPECS/sudo/CVE-2025-32463.patch
new file mode 100644
index 0000000000..9574ff4e8f
--- /dev/null
+++ b/SPECS/sudo/CVE-2025-32463.patch
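Review bot: The comment on the added guard in `sudoers_check_common` mentions only `sudo -l`, while the condition exempts both `MODE_LIST` and `MODE_CHECK`; spelling that out and naming the CVE keeps a later refactor from narrowing or widening the exemption by accident, e.g. `/* CVE-2025-32462: a host other than the current one is honoured only in MODE_LIST or MODE_CHECK. */`. The `strcmp()` assumes `ctx->runas.host` and `ctx->user.host` are always non-NULL at this point, which cannot be confirmed from the hunk because the function starts and ends outside it. The rejection is logged with `SLOG_AUDIT` as `user not allowed to set remote host for command`, so that string is worth adding to log monitoring once the patched package ships. The patch header also carries no upstream commit reference; a line such as `Upstream: <upstream-commit-url>` would let the hunk be checked against the sudo repository.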
@@ -0,0 +1,3634 @@
+# Local Privilege Escalation via chroot option
+
+An attacker can leverage sudo's `-R` (`--chroot`) option to run
+arbitrary commands as root, even if they are not listed in the
+sudoers file.
+
+## Sudo versions affected:
+
+Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
+
+## CVE ID:
+
+This vulnerability has been assigned
+[CVE-2025-32463](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32463)
+in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
+
+## Details:
+
+Sudo's `-R` (`--chroot`) option is intended to allow the user to
+run a command with a user-selected root directory if the sudoers
+file allows it. A change was made in sudo 1.9.14 to resolve paths
+via `chroot()` using the user-specified root directory while the
+sudoers file was still being evaluated. It is possible for an
+attacker to trick sudo into loading an arbitrary shared library by
+creating an `/etc/nsswitch.conf` file under the user-specified root
+directory.
+
+The change in sudo 1.9.14 has been reverted in sudo 1.9.17p1 and
+the chroot feature has been marked as deprecated. It will be removed
+entirely in a future sudo release. Because of the way sudo resolves
+commands, supporting a user-specified chroot directory is error-prone
+and this feature does not appear to be widely used.
+
+## Impact:
+
+On systems that support `/etc/nsswitch.conf` a user may be
+able to run arbitrary commands as root.
+
+## Fix:
+
+The bug is fixed in sudo 1.9.17p1.
+
+## Credit:
+
+Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
+reporting and analyzing the bug.
+ +diff --git a/MANIFEST b/MANIFEST +index 2a9f8353a..c1869afa8 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -687,8 +687,6 @@ plugins/sudoers/mkdefaults + plugins/sudoers/parse.h + plugins/sudoers/parse_ldif.c + plugins/sudoers/parser_warnx.c +-plugins/sudoers/pivot.c +-plugins/sudoers/pivot.h + plugins/sudoers/po/README + plugins/sudoers/po/ast.mo + plugins/sudoers/po/ast.po +diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in +index 40fe0870f..2ae2fb12e 100644 +--- a/plugins/sudoers/Makefile.in ++++ b/plugins/sudoers/Makefile.in +@@ -189,11 +189,11 @@ SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo check_util.lo \ + display.lo editor.lo env.lo sudoers_hooks.lo env_pattern.lo \ + file.lo find_path.lo fmtsudoers.lo gc.lo goodpath.lo \ + group_plugin.lo interfaces.lo iolog.lo iolog_path_escapes.lo \ +- locale.lo log_client.lo logging.lo lookup.lo pivot.lo \ +- policy.lo prompt.lo serialize_list.lo set_perms.lo \ +- sethost.lo starttime.lo strlcpy_unesc.lo strvec_join.lo \ +- sudo_nss.lo sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo \ +- timestamp.lo unesc_str.lo @SUDOERS_OBJS@ ++ locale.lo log_client.lo logging.lo lookup.lo policy.lo \ ++ prompt.lo serialize_list.lo set_perms.lo sethost.lo \ ++ starttime.lo strlcpy_unesc.lo strvec_join.lo sudo_nss.lo \ ++ sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo timestamp.lo \ ++ unesc_str.lo @SUDOERS_OBJS@ + + SUDOERS_IOBJS = $(SUDOERS_OBJS:.lo=.i) + +@@ -727,9 +727,9 @@ afs.lo: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/timestamp.h 
$(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/afs.c + afs.i: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -737,9 +737,9 @@ afs.i: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/timestamp.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/afs.c > $@ + afs.plog: afs.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/afs.c --i-file afs.i --output-file $@ +@@ -749,10 +749,9 @@ aix_auth.lo: $(authdir)/aix_auth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/aix_auth.c + aix_auth.i: $(authdir)/aix_auth.c $(authdir)/sudo_auth.h 
$(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -760,10 +759,9 @@ aix_auth.i: $(authdir)/aix_auth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/aix_auth.c > $@ + aix_auth.plog: aix_auth.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/aix_auth.c --i-file aix_auth.i --output-file $@ +@@ -773,10 +771,9 @@ alias.lo: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/alias.c + alias.i: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -784,10 +781,9 @@ alias.i: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \ + 
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/alias.c > $@ + alias.plog: alias.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/alias.c --i-file alias.i --output-file $@ +@@ -799,8 +795,8 @@ audit.lo: $(srcdir)/audit.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \ + $(incdir)/sudo_util.h $(srcdir)/bsm_audit.h $(srcdir)/defaults.h \ + $(srcdir)/linux_audit.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/audit.c + audit.i: $(srcdir)/audit.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -811,8 +807,8 @@ audit.i: $(srcdir)/audit.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \ + $(incdir)/sudo_util.h $(srcdir)/bsm_audit.h $(srcdir)/defaults.h \ + $(srcdir)/linux_audit.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \ +- 
$(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/audit.c > $@ + audit.plog: audit.i +@@ -824,7 +820,7 @@ b64_decode.lo: $(srcdir)/b64_decode.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/b64_decode.c +@@ -835,7 +831,7 @@ b64_decode.i: $(srcdir)/b64_decode.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/b64_decode.c > $@ +@@ -848,7 +844,7 @@ b64_encode.o: $(srcdir)/b64_encode.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/b64_encode.c +@@ -859,7 +855,7 @@ b64_encode.i: $(srcdir)/b64_encode.c 
$(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/b64_encode.c > $@ +@@ -871,10 +867,9 @@ boottime.lo: $(srcdir)/boottime.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/boottime.c + boottime.i: $(srcdir)/boottime.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -882,10 +877,9 @@ boottime.i: $(srcdir)/boottime.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/boottime.c > $@ + boottime.plog: boottime.i 
+ rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/boottime.c --i-file boottime.i --output-file $@ +@@ -895,8 +889,8 @@ bsdauth.lo: $(authdir)/bsdauth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/bsdauth.c + bsdauth.i: $(authdir)/bsdauth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ +@@ -905,8 +899,8 @@ bsdauth.i: $(authdir)/bsdauth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/bsdauth.c > $@ + bsdauth.plog: bsdauth.i +@@ -918,9 +912,9 @@ bsm_audit.lo: $(srcdir)/bsm_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/bsm_audit.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- 
$(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/bsm_audit.c + bsm_audit.i: $(srcdir)/bsm_audit.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -929,9 +923,9 @@ bsm_audit.i: $(srcdir)/bsm_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/bsm_audit.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/bsm_audit.c > $@ + bsm_audit.plog: bsm_audit.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/bsm_audit.c --i-file bsm_audit.i --output-file $@ +@@ -942,9 +936,9 @@ canon_path.lo: $(srcdir)/canon_path.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/canon_path.c + 
canon_path.i: $(srcdir)/canon_path.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -953,9 +947,9 @@ canon_path.i: $(srcdir)/canon_path.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/canon_path.c > $@ + canon_path.plog: canon_path.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/canon_path.c --i-file canon_path.i --output-file $@ +@@ -964,20 +958,18 @@ check.lo: $(srcdir)/check.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check.c + check.i: $(srcdir)/check.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h 
$(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/check.c > $@ + check.plog: check.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/check.c --i-file check.i --output-file $@ +@@ -988,9 +980,9 @@ check_addr.o: $(srcdir)/regress/parser/check_addr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/parser/check_addr.c + check_addr.i: $(srcdir)/regress/parser/check_addr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -999,9 +991,9 @@ check_addr.i: $(srcdir)/regress/parser/check_addr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h 
++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/parser/check_addr.c > $@ + check_addr.plog: check_addr.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/parser/check_addr.c --i-file check_addr.i --output-file $@ +@@ -1012,10 +1004,9 @@ check_aliases.o: $(srcdir)/check_aliases.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check_aliases.c + check_aliases.i: $(srcdir)/check_aliases.c $(devdir)/def_data.h \ + $(devdir)/gram.h $(incdir)/compat/stdbool.h \ +@@ -1024,10 +1015,9 @@ check_aliases.i: $(srcdir)/check_aliases.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/check_aliases.c > $@ + check_aliases.plog: check_aliases.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) 
--sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/check_aliases.c --i-file check_aliases.i --output-file $@ +@@ -1062,9 +1052,9 @@ check_editor.o: $(srcdir)/regress/editor/check_editor.c $(devdir)/def_data.c \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/editor/check_editor.c + check_editor.i: $(srcdir)/regress/editor/check_editor.c $(devdir)/def_data.c \ + $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -1073,9 +1063,9 @@ check_editor.i: $(srcdir)/regress/editor/check_editor.c $(devdir)/def_data.c \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/editor/check_editor.c > $@ + check_editor.plog: check_editor.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/editor/check_editor.c --i-file check_editor.i --output-file $@ +@@ -1086,7 +1076,7 @@ check_env_pattern.o: $(srcdir)/regress/env_match/check_env_pattern.c \ + $(incdir)/sudo_fatal.h 
$(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1098,7 +1088,7 @@ check_env_pattern.i: $(srcdir)/regress/env_match/check_env_pattern.c \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1113,7 +1103,7 @@ check_exptilde.o: $(srcdir)/regress/exptilde/check_exptilde.c \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/exptilde/check_exptilde.c +@@ -1125,7 +1115,7 @@ check_exptilde.i: $(srcdir)/regress/exptilde/check_exptilde.c \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/exptilde/check_exptilde.c > $@ +@@ -1167,7 +1157,7 @@ check_iolog_plugin.o: 
$(srcdir)/regress/iolog_plugin/check_iolog_plugin.c \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1180,7 +1170,7 @@ check_iolog_plugin.i: $(srcdir)/regress/iolog_plugin/check_iolog_plugin.c \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1196,9 +1186,9 @@ check_serialize_list.lo: \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/serialize_list/check_serialize_list.c + check_serialize_list.i: \ + $(srcdir)/regress/serialize_list/check_serialize_list.c \ +@@ -1209,9 +1199,9 @@ check_serialize_list.i: \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h 
++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/serialize_list/check_serialize_list.c > $@ + check_serialize_list.plog: check_serialize_list.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/serialize_list/check_serialize_list.c --i-file check_serialize_list.i --output-file $@ +@@ -1250,7 +1240,7 @@ check_unesc.o: $(srcdir)/regress/unescape/check_unesc.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/unescape/check_unesc.c +@@ -1261,7 +1251,7 @@ check_unesc.i: $(srcdir)/regress/unescape/check_unesc.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/unescape/check_unesc.c > $@ +@@ -1274,7 +1264,7 @@ check_util.lo: $(srcdir)/check_util.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h 
$(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check_util.c +@@ -1285,7 +1275,7 @@ check_util.i: $(srcdir)/check_util.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/check_util.c > $@ +@@ -1299,8 +1289,8 @@ cvtsudoers.o: $(srcdir)/cvtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/redblack.h \ +- $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/parse.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ + $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h +@@ -1313,8 +1303,8 @@ cvtsudoers.i: $(srcdir)/cvtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/redblack.h \ +- $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/parse.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ + $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \ + 
$(top_builddir)/config.h $(top_builddir)/pathnames.h +@@ -1329,9 +1319,9 @@ cvtsudoers_csv.o: $(srcdir)/cvtsudoers_csv.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_csv.c + cvtsudoers_csv.i: $(srcdir)/cvtsudoers_csv.c $(devdir)/def_data.h \ + $(devdir)/gram.h $(incdir)/compat/stdbool.h \ +@@ -1341,9 +1331,9 @@ cvtsudoers_csv.i: $(srcdir)/cvtsudoers_csv.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/cvtsudoers_csv.c > $@ + cvtsudoers_csv.plog: cvtsudoers_csv.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/cvtsudoers_csv.c --i-file cvtsudoers_csv.i --output-file $@ +@@ -1356,7 +1346,7 @@ cvtsudoers_json.o: $(srcdir)/cvtsudoers_json.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h 
$(srcdir)/sudo_nss.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_json.c +@@ -1369,7 +1359,7 @@ cvtsudoers_json.i: $(srcdir)/cvtsudoers_json.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/cvtsudoers_json.c > $@ +@@ -1383,11 +1373,11 @@ cvtsudoers_ldif.o: $(srcdir)/cvtsudoers_ldif.c $(devdir)/def_data.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_ldif.c + cvtsudoers_ldif.i: $(srcdir)/cvtsudoers_ldif.c $(devdir)/def_data.h \ + $(devdir)/gram.h $(incdir)/compat/stdbool.h \ +@@ -1397,11 +1387,11 @@ cvtsudoers_ldif.i: $(srcdir)/cvtsudoers_ldif.c $(devdir)/def_data.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + 
$(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/cvtsudoers_ldif.c > $@ + cvtsudoers_ldif.plog: cvtsudoers_ldif.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/cvtsudoers_ldif.c --i-file cvtsudoers_ldif.i --output-file $@ +@@ -1413,7 +1403,7 @@ cvtsudoers_merge.o: $(srcdir)/cvtsudoers_merge.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ ++ $(srcdir)/redblack.h $(srcdir)/strlist.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1426,7 +1416,7 @@ cvtsudoers_merge.i: $(srcdir)/cvtsudoers_merge.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ ++ $(srcdir)/redblack.h $(srcdir)/strlist.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1440,11 +1430,10 @@ cvtsudoers_pwutil.o: $(srcdir)/cvtsudoers_pwutil.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h 
$(incdir)/sudo_util.h \ + $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/pwutil.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_pwutil.c + cvtsudoers_pwutil.i: $(srcdir)/cvtsudoers_pwutil.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1453,11 +1442,10 @@ cvtsudoers_pwutil.i: $(srcdir)/cvtsudoers_pwutil.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/pwutil.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \ ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/cvtsudoers_pwutil.c > $@ + cvtsudoers_pwutil.plog: cvtsudoers_pwutil.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/cvtsudoers_pwutil.c --i-file cvtsudoers_pwutil.i --output-file $@ +@@ -1467,9 +1455,9 @@ dce.lo: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h 
$(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/timestamp.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/dce.c + dce.i: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1477,9 +1465,9 @@ dce.i: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/timestamp.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/dce.c > $@ + dce.plog: dce.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/dce.c --i-file dce.i --output-file $@ +@@ -1490,10 +1478,9 @@ defaults.lo: $(srcdir)/defaults.c $(devdir)/def_data.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ 
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/defaults.c + defaults.i: $(srcdir)/defaults.c $(devdir)/def_data.c $(devdir)/def_data.h \ + $(devdir)/gram.h $(incdir)/compat/stdbool.h \ +@@ -1502,10 +1489,9 @@ defaults.i: $(srcdir)/defaults.c $(devdir)/def_data.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/defaults.c > $@ + defaults.plog: defaults.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/defaults.c --i-file defaults.i --output-file $@ +@@ -1530,9 +1516,9 @@ display.lo: $(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/display.c + display.i: 
$(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1541,9 +1527,9 @@ display.i: $(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/display.c > $@ + display.plog: display.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/display.c --i-file display.i --output-file $@ +@@ -1553,9 +1539,9 @@ editor.lo: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/editor.c + editor.i: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ +@@ -1563,9 +1549,9 @@ editor.i: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + 
$(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/editor.c > $@ + editor.plog: editor.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/editor.c --i-file editor.i --output-file $@ +@@ -1574,18 +1560,18 @@ env.lo: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/env.c + env.i: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/env.c > $@ + env.plog: env.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/env.c --i-file env.i --output-file $@ +@@ -1596,7 +1582,7 @@ env_pattern.lo: $(srcdir)/env_pattern.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/env_pattern.c +@@ -1607,7 +1593,7 @@ env_pattern.i: $(srcdir)/env_pattern.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/env_pattern.c > $@ +@@ -1619,8 +1605,8 @@ exptilde.lo: $(srcdir)/exptilde.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) 
-c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/exptilde.c +@@ -1630,8 +1616,8 @@ exptilde.i: $(srcdir)/exptilde.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/exptilde.c > $@ +@@ -1644,9 +1630,8 @@ file.lo: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/file.c + file.i: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1655,9 +1640,8 @@ file.i: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/file.c > $@ + file.plog: file.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/file.c --i-file file.i --output-file $@ +@@ -1668,9 +1652,9 @@ filedigest.lo: $(srcdir)/filedigest.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/filedigest.c + filedigest.i: $(srcdir)/filedigest.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1679,9 +1663,9 @@ filedigest.i: $(srcdir)/filedigest.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/filedigest.c > $@ + filedigest.plog: filedigest.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/filedigest.c --i-file filedigest.i --output-file $@ +@@ -1692,7 +1676,7 @@ find_path.lo: 
$(srcdir)/find_path.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/find_path.c +@@ -1703,7 +1687,7 @@ find_path.i: $(srcdir)/find_path.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/find_path.c > $@ +@@ -1716,9 +1700,9 @@ fmtsudoers.lo: $(srcdir)/fmtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/fmtsudoers.c + fmtsudoers.i: $(srcdir)/fmtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1727,9 +1711,9 @@ fmtsudoers.i: $(srcdir)/fmtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h 
\ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/fmtsudoers.c > $@ + fmtsudoers.plog: fmtsudoers.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/fmtsudoers.c --i-file fmtsudoers.i --output-file $@ +@@ -1741,7 +1725,7 @@ fmtsudoers_cvt.lo: $(srcdir)/fmtsudoers_cvt.c $(devdir)/def_data.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/fmtsudoers_cvt.c +@@ -1753,7 +1737,7 @@ fmtsudoers_cvt.i: $(srcdir)/fmtsudoers_cvt.c $(devdir)/def_data.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/fmtsudoers_cvt.c > $@ +@@ -1768,7 +1752,7 @@ fuzz_policy.o: $(srcdir)/regress/fuzz/fuzz_policy.c $(devdir)/def_data.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + 
$(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_policy.c +@@ -1781,7 +1765,7 @@ fuzz_policy.i: $(srcdir)/regress/fuzz/fuzz_policy.c $(devdir)/def_data.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_policy.c > $@ +@@ -1794,10 +1778,9 @@ fuzz_stubs.o: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_stubs.c + fuzz_stubs.i: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1806,10 +1789,9 @@ fuzz_stubs.i: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \ + 
$(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_stubs.c > $@ + fuzz_stubs.plog: fuzz_stubs.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_stubs.c --i-file fuzz_stubs.i --output-file $@ +@@ -1820,10 +1802,9 @@ fuzz_sudoers.o: $(srcdir)/regress/fuzz/fuzz_sudoers.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_sudoers.c + fuzz_sudoers.i: $(srcdir)/regress/fuzz/fuzz_sudoers.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1832,10 +1813,9 @@ fuzz_sudoers.i: $(srcdir)/regress/fuzz/fuzz_sudoers.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- 
$(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/regress/fuzz/fuzz_sudoers.c > $@ + fuzz_sudoers.plog: fuzz_sudoers.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/fuzz/fuzz_sudoers.c --i-file fuzz_sudoers.i --output-file $@ +@@ -1846,7 +1826,7 @@ fuzz_sudoers_ldif.o: $(srcdir)/regress/fuzz/fuzz_sudoers_ldif.c \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1858,7 +1838,7 @@ fuzz_sudoers_ldif.i: $(srcdir)/regress/fuzz/fuzz_sudoers_ldif.c \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -1871,8 +1851,8 @@ fwtk.lo: $(authdir)/fwtk.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ 
++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/fwtk.c + fwtk.i: $(authdir)/fwtk.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ +@@ -1881,8 +1861,8 @@ fwtk.i: $(authdir)/fwtk.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/fwtk.c > $@ + fwtk.plog: fwtk.i +@@ -1892,8 +1872,8 @@ gc.lo: $(srcdir)/gc.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/gc.c + gc.i: $(srcdir)/gc.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -1901,8 +1881,8 @@ gc.i: $(srcdir)/gc.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h 
$(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/gc.c > $@ + gc.plog: gc.i +@@ -1932,7 +1912,7 @@ getspwuid.lo: $(srcdir)/getspwuid.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/getspwuid.c +@@ -1943,7 +1923,7 @@ getspwuid.i: $(srcdir)/getspwuid.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/getspwuid.c > $@ +@@ -1955,10 +1935,9 @@ goodpath.lo: $(srcdir)/goodpath.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/goodpath.c + goodpath.i: $(srcdir)/goodpath.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -1966,10 +1945,9 @@ goodpath.i: $(srcdir)/goodpath.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/goodpath.c > $@ + goodpath.plog: goodpath.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/goodpath.c --i-file goodpath.i --output-file $@ +@@ -1979,9 +1957,8 @@ gram.lo: $(devdir)/gram.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(devdir)/gram.c + gram.i: $(devdir)/gram.c $(devdir)/def_data.h 
$(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +@@ -1989,9 +1966,8 @@ gram.i: $(devdir)/gram.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(devdir)/gram.c > $@ + gram.plog: gram.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(devdir)/gram.c --i-file gram.i --output-file $@ +@@ -2002,10 +1978,9 @@ group_plugin.lo: $(srcdir)/group_plugin.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/group_plugin.c + group_plugin.i: $(srcdir)/group_plugin.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2014,10 +1989,9 @@ group_plugin.i: $(srcdir)/group_plugin.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + 
$(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/group_plugin.c > $@ + group_plugin.plog: group_plugin.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/group_plugin.c --i-file group_plugin.i --output-file $@ +@@ -2028,9 +2002,9 @@ interfaces.lo: $(srcdir)/interfaces.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/interfaces.c + interfaces.i: $(srcdir)/interfaces.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2039,9 +2013,9 @@ interfaces.i: $(srcdir)/interfaces.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ 
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/interfaces.c > $@ + interfaces.plog: interfaces.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/interfaces.c --i-file interfaces.i --output-file $@ +@@ -2053,8 +2027,8 @@ iolog.lo: $(srcdir)/iolog.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/iolog.c + iolog.i: $(srcdir)/iolog.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -2065,8 +2039,8 @@ iolog.i: $(srcdir)/iolog.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/iolog.c > $@ + iolog.plog: iolog.i +@@ -2078,7 +2052,7 @@ iolog_path_escapes.lo: $(srcdir)/iolog_path_escapes.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h 
$(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -2090,7 +2064,7 @@ iolog_path_escapes.i: $(srcdir)/iolog_path_escapes.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -2103,8 +2077,8 @@ kerb5.lo: $(authdir)/kerb5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/kerb5.c + kerb5.i: $(authdir)/kerb5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ +@@ -2113,8 +2087,8 @@ kerb5.i: $(authdir)/kerb5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h 
\ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/kerb5.c > $@ + kerb5.plog: kerb5.i +@@ -2125,8 +2099,8 @@ ldap.lo: $(srcdir)/ldap.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap.c + ldap.i: $(srcdir)/ldap.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -2135,8 +2109,8 @@ ldap.i: $(srcdir)/ldap.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/ldap.c > $@ + ldap.plog: ldap.i +@@ -2148,7 +2122,7 @@ ldap_conf.lo: $(srcdir)/ldap_conf.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ ++ 
$(srcdir)/parse.h $(srcdir)/sudo_ldap.h \ + $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h +@@ -2160,7 +2134,7 @@ ldap_conf.i: $(srcdir)/ldap_conf.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ ++ $(srcdir)/parse.h $(srcdir)/sudo_ldap.h \ + $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h +@@ -2174,10 +2148,10 @@ ldap_innetgr.lo: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ +- $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_innetgr.c + ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2186,10 +2160,10 @@ ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ +- $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \ +- 
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/ldap_innetgr.c > $@ + ldap_innetgr.plog: ldap_innetgr.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_innetgr.c --i-file ldap_innetgr.i --output-file $@ +@@ -2201,10 +2175,9 @@ ldap_util.lo: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_util.c + ldap_util.i: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2214,10 +2187,9 @@ ldap_util.i: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ ++ 
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/ldap_util.c > $@ + ldap_util.plog: ldap_util.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_util.c --i-file ldap_util.i --output-file $@ +@@ -2228,10 +2200,9 @@ linux_audit.lo: $(srcdir)/linux_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/linux_audit.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/linux_audit.c + linux_audit.i: $(srcdir)/linux_audit.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2240,10 +2211,9 @@ linux_audit.i: $(srcdir)/linux_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/linux_audit.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/linux_audit.c > $@ + linux_audit.plog: linux_audit.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes 
--source-file $(srcdir)/linux_audit.c --i-file linux_audit.i --output-file $@ +@@ -2274,9 +2244,9 @@ log_client.lo: $(srcdir)/log_client.c $(devdir)/def_data.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/log_client.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/log_client.c + log_client.i: $(srcdir)/log_client.c $(devdir)/def_data.h \ + $(incdir)/compat/getaddrinfo.h $(incdir)/compat/stdbool.h \ +@@ -2289,9 +2259,9 @@ log_client.i: $(srcdir)/log_client.c $(devdir)/def_data.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/log_client.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/log_client.c > $@ + log_client.plog: log_client.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/log_client.c --i-file log_client.i --output-file $@ +@@ -2304,8 +2274,8 @@ logging.lo: $(srcdir)/logging.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- 
$(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/logging.c + logging.i: $(srcdir)/logging.c $(devdir)/def_data.h \ +@@ -2317,8 +2287,8 @@ logging.i: $(srcdir)/logging.c $(devdir)/def_data.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/logging.c > $@ + logging.plog: logging.i +@@ -2329,8 +2299,8 @@ lookup.lo: $(srcdir)/lookup.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/lookup.c + lookup.i: $(srcdir)/lookup.c $(devdir)/def_data.h $(devdir)/gram.h \ +@@ -2339,8 +2309,8 @@ lookup.i: $(srcdir)/lookup.c $(devdir)/def_data.h $(devdir)/gram.h \ + 
$(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/lookup.c > $@ + lookup.plog: lookup.i +@@ -2351,8 +2321,8 @@ match.lo: $(srcdir)/match.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match.c + match.i: $(srcdir)/match.c $(devdir)/def_data.h $(devdir)/gram.h \ +@@ -2361,8 +2331,8 @@ match.i: $(srcdir)/match.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/match.c > $@ + match.plog: match.i +@@ -2374,9 +2344,9 @@ match_addr.lo: 
$(srcdir)/match_addr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_addr.c + match_addr.i: $(srcdir)/match_addr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2385,9 +2355,9 @@ match_addr.i: $(srcdir)/match_addr.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/match_addr.c > $@ + match_addr.plog: match_addr.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/match_addr.c --i-file match_addr.i --output-file $@ +@@ -2399,10 +2369,9 @@ match_command.lo: $(srcdir)/match_command.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h 
$(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_command.c + match_command.i: $(srcdir)/match_command.c $(devdir)/def_data.h \ + $(devdir)/gram.h $(incdir)/compat/fnmatch.h \ +@@ -2412,10 +2381,9 @@ match_command.i: $(srcdir)/match_command.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/match_command.c > $@ + match_command.plog: match_command.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/match_command.c --i-file match_command.i --output-file $@ +@@ -2427,7 +2395,7 @@ match_digest.lo: $(srcdir)/match_digest.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_digest.c +@@ -2439,7 +2407,7 @@ match_digest.i: 
$(srcdir)/match_digest.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/match_digest.c > $@ +@@ -2469,9 +2437,8 @@ pam.lo: $(authdir)/pam.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/pam.c + pam.i: $(authdir)/pam.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2479,9 +2446,8 @@ pam.i: $(authdir)/pam.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/pam.c > $@ + pam.plog: pam.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes 
--source-file $(authdir)/pam.c --i-file pam.i --output-file $@ +@@ -2492,8 +2458,8 @@ parse_ldif.o: $(srcdir)/parse_ldif.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/redblack.h $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/parse_ldif.c +@@ -2504,8 +2470,8 @@ parse_ldif.i: $(srcdir)/parse_ldif.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \ +- $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/redblack.h $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/parse_ldif.c > $@ +@@ -2518,7 +2484,7 @@ parser_warnx.lo: $(srcdir)/parser_warnx.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) 
$(srcdir)/parser_warnx.c +@@ -2529,7 +2495,7 @@ parser_warnx.i: $(srcdir)/parser_warnx.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/parser_warnx.c > $@ +@@ -2541,8 +2507,8 @@ passwd.lo: $(authdir)/passwd.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/passwd.c + passwd.i: $(authdir)/passwd.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ +@@ -2551,32 +2517,12 @@ passwd.i: $(authdir)/passwd.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/passwd.c > $@ + passwd.plog: passwd.i + rm -f $@; pvs-studio --cfg 
$(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/passwd.c --i-file passwd.i --output-file $@ +-pivot.lo: $(srcdir)/pivot.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +- $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +- $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ +- $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ +- $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h +- $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pivot.c +-pivot.i: $(srcdir)/pivot.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +- $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +- $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ +- $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ +- $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h +- $(CPP) $(CPPFLAGS) $(srcdir)/pivot.c > $@ +-pivot.plog: pivot.i +- rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/pivot.c --i-file pivot.i --output-file $@ + policy.lo: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ + $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ +@@ -2584,10 +2530,10 @@ policy.lo: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- 
$(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/sudoers_version.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ ++ $(srcdir)/timestamp.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/policy.c + policy.i: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ +@@ -2596,10 +2542,10 @@ policy.i: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \ + $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/sudoers_version.h $(srcdir)/timestamp.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ ++ $(srcdir)/timestamp.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/policy.c > $@ + policy.plog: policy.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/policy.c --i-file policy.i --output-file $@ +@@ -2609,9 +2555,9 @@ prompt.lo: $(srcdir)/prompt.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/prompt.c + prompt.i: $(srcdir)/prompt.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ +@@ -2619,9 +2565,9 @@ prompt.i: $(srcdir)/prompt.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/prompt.c > $@ + prompt.plog: prompt.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/prompt.c --i-file prompt.i --output-file $@ +@@ -2631,10 +2577,9 @@ pwutil.lo: $(srcdir)/pwutil.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h 
$(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pwutil.c + pwutil.i: $(srcdir)/pwutil.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ +@@ -2642,10 +2587,9 @@ pwutil.i: $(srcdir)/pwutil.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/pwutil.c > $@ + pwutil.plog: pwutil.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/pwutil.c --i-file pwutil.i --output-file $@ +@@ -2656,9 +2600,9 @@ pwutil_impl.lo: $(srcdir)/pwutil_impl.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pwutil_impl.c + pwutil_impl.i: $(srcdir)/pwutil_impl.c $(devdir)/def_data.h \ + 
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2667,9 +2611,9 @@ pwutil_impl.i: $(srcdir)/pwutil_impl.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/pwutil_impl.c > $@ + pwutil_impl.plog: pwutil_impl.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/pwutil_impl.c --i-file pwutil_impl.i --output-file $@ +@@ -2679,8 +2623,8 @@ redblack.lo: $(srcdir)/redblack.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/redblack.c +@@ -2690,8 +2634,8 @@ redblack.i: $(srcdir)/redblack.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ 
$(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/redblack.c > $@ +@@ -2704,7 +2648,7 @@ resolve_cmnd.lo: $(srcdir)/resolve_cmnd.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/resolve_cmnd.c +@@ -2715,7 +2659,7 @@ resolve_cmnd.i: $(srcdir)/resolve_cmnd.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/resolve_cmnd.c > $@ +@@ -2727,8 +2671,8 @@ rfc1938.lo: $(authdir)/rfc1938.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) 
$(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/rfc1938.c + rfc1938.i: $(authdir)/rfc1938.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ +@@ -2737,8 +2681,8 @@ rfc1938.i: $(authdir)/rfc1938.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/rfc1938.c > $@ + rfc1938.plog: rfc1938.i +@@ -2750,9 +2694,9 @@ secureware.lo: $(authdir)/secureware.c $(authdir)/sudo_auth.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/secureware.c + secureware.i: $(authdir)/secureware.c $(authdir)/sudo_auth.h \ + $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -2761,9 +2705,9 @@ secureware.i: $(authdir)/secureware.c $(authdir)/sudo_auth.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- 
$(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/secureware.c > $@ + secureware.plog: secureware.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/secureware.c --i-file secureware.i --output-file $@ +@@ -2773,10 +2717,9 @@ securid5.lo: $(authdir)/securid5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/securid5.c + securid5.i: $(authdir)/securid5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2784,10 +2727,9 @@ securid5.i: $(authdir)/securid5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h 
$(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/securid5.c > $@ + securid5.plog: securid5.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/securid5.c --i-file securid5.i --output-file $@ +@@ -2798,7 +2740,7 @@ serialize_list.lo: $(srcdir)/serialize_list.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/serialize_list.c +@@ -2809,7 +2751,7 @@ serialize_list.i: $(srcdir)/serialize_list.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/serialize_list.c > $@ +@@ -2822,7 +2764,7 @@ set_perms.lo: $(srcdir)/set_perms.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/set_perms.c +@@ -2833,7 +2775,7 @@ 
set_perms.i: $(srcdir)/set_perms.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/set_perms.c > $@ +@@ -2845,8 +2787,8 @@ sethost.lo: $(srcdir)/sethost.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sethost.c + sethost.i: $(srcdir)/sethost.c $(devdir)/def_data.h \ +@@ -2855,8 +2797,8 @@ sethost.i: $(srcdir)/sethost.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sethost.c > $@ + sethost.plog: sethost.i +@@ -2867,9 +2809,8 @@ sia.lo: $(authdir)/sia.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h 
$(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/sia.c + sia.i: $(authdir)/sia.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2877,9 +2818,8 @@ sia.i: $(authdir)/sia.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/sia.c > $@ + sia.plog: sia.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/sia.c --i-file sia.i --output-file $@ +@@ -2890,10 +2830,9 @@ solaris_audit.lo: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/solaris_audit.c + solaris_audit.i: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -2902,10 +2841,9 @@ solaris_audit.i: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/solaris_audit.c > $@ + solaris_audit.plog: solaris_audit.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/solaris_audit.c --i-file solaris_audit.i --output-file $@ +@@ -2915,9 +2853,9 @@ sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sssd.c + sssd.i: $(srcdir)/sssd.c 
$(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +@@ -2925,9 +2863,9 @@ sssd.i: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sssd.c > $@ + sssd.plog: sssd.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sssd.c --i-file sssd.i --output-file $@ +@@ -2938,7 +2876,7 @@ starttime.lo: $(srcdir)/starttime.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/starttime.c +@@ -2949,7 +2887,7 @@ starttime.i: $(srcdir)/starttime.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h 
$(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/starttime.c > $@ +@@ -2962,7 +2900,7 @@ strlcpy_unesc.lo: $(srcdir)/strlcpy_unesc.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/strlcpy_unesc.c +@@ -2973,7 +2911,7 @@ strlcpy_unesc.i: $(srcdir)/strlcpy_unesc.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/strlcpy_unesc.c > $@ +@@ -2998,7 +2936,7 @@ strvec_join.lo: $(srcdir)/strvec_join.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/strvec_join.c +@@ -3009,7 +2947,7 @@ strvec_join.i: $(srcdir)/strvec_join.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h 
$(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/strvec_join.c > $@ +@@ -3021,9 +2959,8 @@ stubs.o: $(srcdir)/stubs.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/stubs.c + stubs.i: $(srcdir)/stubs.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ +@@ -3031,9 +2968,8 @@ stubs.i: $(srcdir)/stubs.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/stubs.c > $@ + stubs.plog: stubs.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/stubs.c --i-file stubs.i --output-file $@ +@@ -3047,10 +2983,9 @@ sudo_auth.lo: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \ + $(srcdir)/ins_2001.h 
$(srcdir)/ins_classic.h \ + $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \ + $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/sudo_auth.c + sudo_auth.i: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \ + $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ +@@ -3062,10 +2997,9 @@ sudo_auth.i: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \ + $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h \ + $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \ + $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(authdir)/sudo_auth.c > $@ + sudo_auth.plog: sudo_auth.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/sudo_auth.c --i-file sudo_auth.i --output-file $@ +@@ -3075,10 +3009,9 @@ sudo_nss.lo: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- 
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudo_nss.c + sudo_nss.i: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -3086,10 +3019,9 @@ sudo_nss.i: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudo_nss.c > $@ + sudo_nss.plog: sudo_nss.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sudo_nss.c --i-file sudo_nss.i --output-file $@ +@@ -3114,8 +3046,8 @@ sudoers.lo: $(srcdir)/sudoers.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c 
$(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers.c +@@ -3126,8 +3058,8 @@ sudoers.i: $(srcdir)/sudoers.c $(devdir)/def_data.h \ + $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudoers.c > $@ +@@ -3141,7 +3073,7 @@ sudoers_cb.lo: $(srcdir)/sudoers_cb.c $(devdir)/def_data.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_cb.c +@@ -3153,7 +3085,7 @@ sudoers_cb.i: $(srcdir)/sudoers_cb.c $(devdir)/def_data.h \ + $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudoers_cb.c > $@ +@@ -3166,7 +3098,7 @@ sudoers_ctx_free.lo: $(srcdir)/sudoers_ctx_free.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + 
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_ctx_free.c +@@ -3177,7 +3109,7 @@ sudoers_ctx_free.i: $(srcdir)/sudoers_ctx_free.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudoers_ctx_free.c > $@ +@@ -3190,7 +3122,7 @@ sudoers_debug.lo: $(srcdir)/sudoers_debug.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_debug.c +@@ -3201,7 +3133,7 @@ sudoers_debug.i: $(srcdir)/sudoers_debug.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + 
$(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudoers_debug.c > $@ +@@ -3214,7 +3146,7 @@ sudoers_hooks.lo: $(srcdir)/sudoers_hooks.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_hooks.c +@@ -3225,7 +3157,7 @@ sudoers_hooks.i: $(srcdir)/sudoers_hooks.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/sudoers_hooks.c > $@ +@@ -3261,7 +3193,7 @@ testsudoers.o: $(srcdir)/testsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/testsudoers_pwutil.h \ + $(srcdir)/toke.h $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -3274,7 +3206,7 @@ testsudoers.i: $(srcdir)/testsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h 
$(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/testsudoers_pwutil.h \ + $(srcdir)/toke.h $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h +@@ -3288,7 +3220,7 @@ testsudoers_pwutil.o: $(srcdir)/testsudoers_pwutil.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \ ++ $(srcdir)/parse.h $(srcdir)/pwutil.h \ + $(srcdir)/pwutil_impl.c $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \ +@@ -3301,7 +3233,7 @@ testsudoers_pwutil.i: $(srcdir)/testsudoers_pwutil.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h \ +- $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \ ++ $(srcdir)/parse.h $(srcdir)/pwutil.h \ + $(srcdir)/pwutil_impl.c $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \ +@@ -3328,7 +3260,7 @@ timestamp.lo: $(srcdir)/timestamp.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/timestamp.c +@@ -3339,7 +3271,7 @@ timestamp.i: $(srcdir)/timestamp.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + 
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/timestamp.c > $@ +@@ -3351,8 +3283,8 @@ timestr.lo: $(srcdir)/timestr.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/timestr.c + timestr.i: $(srcdir)/timestr.c $(devdir)/def_data.h \ +@@ -3361,8 +3293,8 @@ timestr.i: $(srcdir)/timestr.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/timestr.c > $@ + timestr.plog: timestr.i +@@ -3374,9 +3306,8 @@ toke.lo: $(devdir)/toke.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h 
$(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(devdir)/toke.c + toke.i: $(devdir)/toke.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -3385,9 +3316,8 @@ toke.i: $(devdir)/toke.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(devdir)/toke.c > $@ + toke.plog: toke.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(devdir)/toke.c --i-file toke.i --output-file $@ +@@ -3398,7 +3328,7 @@ toke_util.lo: $(srcdir)/toke_util.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/toke.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) 
$(HARDENING_CFLAGS) $(srcdir)/toke_util.c +@@ -3409,7 +3339,7 @@ toke_util.i: $(srcdir)/toke_util.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/toke.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/toke_util.c > $@ +@@ -3420,20 +3350,18 @@ tsdump.o: $(srcdir)/tsdump.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/tsdump.c + tsdump.i: $(srcdir)/tsdump.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/timestamp.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h 
$(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/tsdump.c > $@ + tsdump.plog: tsdump.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tsdump.c --i-file tsdump.i --output-file $@ +@@ -3443,10 +3371,10 @@ tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/tsgetgrpw.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/tsgetgrpw.c + tsgetgrpw.i: $(srcdir)/tsgetgrpw.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -3454,10 +3382,10 @@ tsgetgrpw.i: $(srcdir)/tsgetgrpw.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(srcdir)/tsgetgrpw.h \ +- $(top_builddir)/config.h $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \ ++ $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/tsgetgrpw.c > $@ + tsgetgrpw.plog: tsgetgrpw.i + rm -f $@; pvs-studio 
--cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/tsgetgrpw.c --i-file tsgetgrpw.i --output-file $@ +@@ -3480,7 +3408,7 @@ unesc_str.lo: $(srcdir)/unesc_str.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/unesc_str.c +@@ -3491,7 +3419,7 @@ unesc_str.i: $(srcdir)/unesc_str.c $(devdir)/def_data.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/unesc_str.c > $@ +@@ -3504,10 +3432,9 @@ visudo.o: $(srcdir)/visudo.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/sudoers_version.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/visudo.c + visudo.i: 
$(srcdir)/visudo.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/getopt.h $(incdir)/compat/stdbool.h \ +@@ -3516,10 +3443,9 @@ visudo.i: $(srcdir)/visudo.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ +- $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \ +- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ +- $(srcdir)/sudoers_version.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ ++ $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/visudo.c > $@ + visudo.plog: visudo.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/visudo.c --i-file visudo.i --output-file $@ +@@ -3529,10 +3455,9 @@ visudo_cb.o: $(srcdir)/visudo_cb.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/visudo_cb.c + visudo_cb.i: $(srcdir)/visudo_cb.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ +@@ -3540,10 +3465,9 @@ visudo_cb.i: $(srcdir)/visudo_cb.c $(devdir)/def_data.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + 
$(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ +- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \ +- $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ +- $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ +- $(top_builddir)/pathnames.h ++ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ ++ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ ++ $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(CPP) $(CPPFLAGS) $(srcdir)/visudo_cb.c > $@ + visudo_cb.plog: visudo_cb.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/visudo_cb.c --i-file visudo_cb.i --output-file $@ +diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c +index db1e3e0a9..0c4221bc4 100644 +--- a/plugins/sudoers/editor.c ++++ b/plugins/sudoers/editor.c +@@ -147,7 +147,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files, + goto oom; + + /* If we can't find the editor in the user's PATH, give up. */ +- if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), ++ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL, + false, allowlist) != FOUND) { + errno = ENOENT; + goto bad; +diff --git a/plugins/sudoers/find_path.c b/plugins/sudoers/find_path.c +index 9b9661538..0cc931f38 100644 +--- a/plugins/sudoers/find_path.c ++++ b/plugins/sudoers/find_path.c +@@ -43,14 +43,14 @@ + * On failure, returns false. 
+ */ + static bool +-cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp, +- char * const *allowlist) ++cmnd_allowed(char *cmnd, size_t cmnd_size, const char *runchroot, ++ struct stat *cmnd_sbp, char * const *allowlist) + { + const char *cmnd_base; + char * const *al; + debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL); + +- if (!sudo_goodpath(cmnd, cmnd_sbp)) ++ if (!sudo_goodpath(cmnd, runchroot, cmnd_sbp)) + debug_return_bool(false); + + if (allowlist == NULL) +@@ -67,7 +67,7 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp, + if (strcmp(cmnd_base, base) != 0) + continue; + +- if (sudo_goodpath(path, &sb) && ++ if (sudo_goodpath(path, runchroot, &sb) && + sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) { + /* Overwrite cmnd with safe version from allowlist. */ + if (strlcpy(cmnd, path, cmnd_size) < cmnd_size) +@@ -87,7 +87,8 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp, + */ + int + find_path(const char *infile, char **outfile, struct stat *sbp, +- const char *path, bool ignore_dot, char * const *allowlist) ++ const char *path, const char *runchroot, bool ignore_dot, ++ char * const *allowlist) + { + char command[PATH_MAX]; + const char *cp, *ep, *pathend; +@@ -108,7 +109,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp, + errno = ENAMETOOLONG; + debug_return_int(NOT_FOUND_ERROR); + } +- found = cmnd_allowed(command, sizeof(command), sbp, allowlist); ++ found = cmnd_allowed(command, sizeof(command), runchroot, sbp, ++ allowlist); + goto done; + } + +@@ -137,7 +139,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp, + errno = ENAMETOOLONG; + debug_return_int(NOT_FOUND_ERROR); + } +- found = cmnd_allowed(command, sizeof(command), sbp, allowlist); ++ found = cmnd_allowed(command, sizeof(command), runchroot, ++ sbp, allowlist); + if (found) + break; + } +@@ -151,7 +154,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp, + errno = ENAMETOOLONG; + 
debug_return_int(NOT_FOUND_ERROR);
+ }
+- found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
++ found = cmnd_allowed(command, sizeof(command), runchroot,
++ sbp, allowlist);
+ if (found && ignore_dot)
+ debug_return_int(NOT_FOUND_DOT);
+ }
+diff --git a/plugins/sudoers/goodpath.c b/plugins/sudoers/goodpath.c
+index b2d412ded..1515e1c29 100644
+--- a/plugins/sudoers/goodpath.c
++++ b/plugins/sudoers/goodpath.c
+@@ -39,13 +39,25 @@
+ * Verify that path is a normal file and executable by root.
+ */
+ bool
+-sudo_goodpath(const char *path, struct stat *sbp)
++sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp)
+ {
+ bool ret = false;
+- struct stat sb;
+ debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL);
+
+ if (path != NULL) {
++ char pathbuf[PATH_MAX];
++ struct stat sb;
++
++ if (runchroot != NULL) {
++ /* XXX - handle symlinks and '..' in path outside chroot */
++ const int len =
++ snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++ if (len >= ssizeof(pathbuf)) {
++ errno = ENAMETOOLONG;
++ goto done;
++ }
++ path = pathbuf; // -V507
++ }
+ if (sbp == NULL)
+ sbp = &sb;
+
+@@ -57,5 +69,6 @@ sudo_goodpath(const char *path, struct stat *sbp)
+ errno = EACCES;
+ }
+ }
++done:
+ debug_return_bool(ret);
+ }
+diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
+index bd3660332..a479ceec3 100644
+--- a/plugins/sudoers/match_command.c
++++ b/plugins/sudoers/match_command.c
+@@ -122,14 +122,26 @@ command_args_match(struct sudoers_context *ctx, const char *sudoers_cmnd,
+ * Returns true on success, else false.
+ */
+ static bool
+-do_stat(int fd, const char *path, struct stat *sb)
++do_stat(int fd, const char *path, const char *runchroot, struct stat *sb)
+ {
++ char pathbuf[PATH_MAX];
+ bool ret;
+ debug_decl(do_stat, SUDOERS_DEBUG_MATCH);
+
+ if (fd != -1) {
+ ret = fstat(fd, sb) == 0;
+ } else {
++ /* Make path relative to the new root, if any.
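Review bot: The `runchroot` branch added to `sudo_goodpath()` prefixes the path and then examines it from the real root, so a symlink or `..` component inside the chroot is resolved against the host filesystem, and the file that passes the check is not necessarily the one that runs once the chroot is in effect. The `XXX` comment names the gap but not its consequence; I would spell it out, e.g. `/* XXX - symlinks and '..' are resolved in the real root, so the result may differ from what runs inside runchroot */`. The same block is repeated in `do_stat()`, `open_cmnd()` and `command_matches_dir()` in match_command.c, and a single static helper would keep the four copies in step. In every copy a negative `snprintf()` return slips past `len >= ssizeof(...)`; `if (len < 0 || len >= ssizeof(pathbuf))` covers it. The stat call itself lies between this hunk and the next, outside the visible lines.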
*/
++ if (runchroot != NULL) {
++ /* XXX - handle symlinks and '..' in path outside chroot */
++ const int len =
++ snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++ if (len >= ssizeof(pathbuf)) {
++ errno = ENAMETOOLONG;
++ debug_return_bool(false);
++ }
++ path = pathbuf;
++ }
+ ret = stat(path, sb) == 0;
+ }
+ debug_return_bool(ret);
+@@ -158,15 +170,29 @@ is_script(int fd)
+ * Returns false on error, else true.
+ */
+ static bool
+-open_cmnd(const char *path, const struct command_digest_list *digests, int *fdp)
++open_cmnd(const char *path, const char *runchroot,
++ const struct command_digest_list *digests, int *fdp)
+ {
+ int fd;
++ char pathbuf[PATH_MAX];
+ debug_decl(open_cmnd, SUDOERS_DEBUG_MATCH);
+
+ /* Only open the file for fdexec or for digest matching. */
+ if (def_fdexec != always && TAILQ_EMPTY(digests))
+ debug_return_bool(true);
+
++ /* Make path relative to the new root, if any. */
++ if (runchroot != NULL) {
++ /* XXX - handle symlinks and '..' in path outside chroot */
++ const int len =
++ snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++ if (len >= ssizeof(pathbuf)) {
++ errno = ENAMETOOLONG;
++ debug_return_bool(false);
++ }
++ path = pathbuf;
++ }
++
+ fd = open(path, O_RDONLY|O_NONBLOCK);
+ # ifdef O_EXEC
+ if (fd == -1 && errno == EACCES && TAILQ_EMPTY(digests)) {
+@@ -185,7 +211,7 @@ open_cmnd(const char *path, const struct command_digest_list *digests, int *fdp)
+ }
+
+ static void
+-set_cmnd_fd(struct sudoers_context *ctx, int fd, int real_root)
++set_cmnd_fd(struct sudoers_context *ctx, int fd)
+ {
+ debug_decl(set_cmnd_fd, SUDOERS_DEBUG_MATCH);
+
+@@ -200,19 +226,11 @@ set_cmnd_fd(struct sudoers_context *ctx, int fd, int real_root)
+ } else if (is_script(fd)) {
+ char fdpath[PATH_MAX];
+ struct stat sb;
+- int error, flags;
++ int flags;
+
+ /* We can only use fexecve() on a script if /dev/fd/N exists. */
+- if (real_root != -1) {
+- /* Path relative to old root directory.
*/
+- (void)snprintf(fdpath, sizeof(fdpath), "dev/fd/%d", fd);
+- error = fstatat(real_root, fdpath, &sb, 0);
+- } else {
+- /* Absolute path. */
+- (void)snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
+- error = stat(fdpath, &sb);
+- }
+- if (error != 0) {
++ (void)snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
++ if (stat(fdpath, &sb) != 0) {
+ /* Missing /dev/fd file, can't use fexecve(). */
+ close(fd);
+ fd = -1;
+@@ -238,14 +256,28 @@ set_cmnd_fd(struct sudoers_context *ctx, int fd, int real_root)
+ */
+ static int
+ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir,
+- size_t dlen, int real_root, const struct command_digest_list *digests)
++ size_t dlen, const char *runchroot,
++ const struct command_digest_list *digests)
+ {
+ struct stat sudoers_stat;
+- char path[PATH_MAX];
++ char path[PATH_MAX], sdbuf[PATH_MAX];
++ size_t chrootlen = 0;
+ int len, fd = -1;
+ int ret = DENY;
+ debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH);
+
++ /* Make sudoers_dir relative to the new root, if any. */
++ if (runchroot != NULL) {
++ /* XXX - handle symlinks and '..' in path outside chroot */
++ len = snprintf(sdbuf, sizeof(sdbuf), "%s%s", runchroot, sudoers_dir);
++ if (len >= ssizeof(sdbuf)) {
++ errno = ENAMETOOLONG;
++ debug_return_bool(false);
++ }
++ sudoers_dir = sdbuf;
++ chrootlen = strlen(runchroot);
++ }
++
+ /* Compare the canonicalized directories, if possible. */
+ if (ctx->user.cmnd_dir != NULL) {
+ char *resolved = canon_path(sudoers_dir);
+@@ -264,18 +296,19 @@ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir,
+ goto done;
+
+ /* Open the file for fdexec or for digest matching.
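Review bot: The `/dev/fd/N` probe in `set_cmnd_fd()` is now always made against the real root, and with the `real_root` parameter gone the function has nothing that tells it a chroot is in use. If the command is later run inside `runchroot`, this check says nothing about whether `/dev/fd` exists there, so a script could pass the test and still fail under fexecve(). A comment on the `stat(fdpath, &sb)` line such as `/* checked in the real root; runchroot may lack /dev/fd */` would record the limitation. The start and end of set_cmnd_fd are outside this hunk.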
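Review bot: The overflow path added at the top of `command_matches_dir()` leaves through `debug_return_bool(false)` although the function is declared `static int` and initialises `ret = DENY`. Unless `DENY` happens to be 0, which nothing in this hunk shows, the caller receives a value that is neither of the result codes the function otherwise returns. `goto done;` (the label is used by the context lines of the next hunk) or `debug_return_int(DENY);` keeps the failure on the deny path and the debug trace type-consistent. The remainder of the function body is outside this hunk.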
*/ +- if (!open_cmnd(path, digests, &fd)) ++ if (!open_cmnd(path, NULL, digests, &fd)) + goto done; +- if (!do_stat(fd, path, &sudoers_stat)) ++ if (!do_stat(fd, path, NULL, &sudoers_stat)) + goto done; + + if (ctx->user.cmnd_stat == NULL || + (ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev && + ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) { +- if (digest_matches(fd, path, digests) != ALLOW) ++ /* path is already relative to runchroot */ ++ if (digest_matches(fd, path, NULL, digests) != ALLOW) + goto done; + free(ctx->runas.cmnd); +- if ((ctx->runas.cmnd = strdup(path)) == NULL) { ++ if ((ctx->runas.cmnd = strdup(path + chrootlen)) == NULL) { + sudo_warnx(U_("%s: %s"), __func__, + U_("unable to allocate memory")); + } +@@ -295,7 +328,8 @@ done: + */ + static int + command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir, +- size_t dlen, int real_root, const struct command_digest_list *digests) ++ size_t dlen, const char *runchroot, ++ const struct command_digest_list *digests) + { + int fd = -1; + debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH); +@@ -309,11 +343,11 @@ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir, + goto bad; + + /* Open the file for fdexec or for digest matching. 
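Review bot: `strdup(path + chrootlen)` depends on `path` having been built from the already prefixed `sudoers_dir`, and that construction is outside this hunk, so the invariant is not visible at the point where it is relied on. The comment `/* path is already relative to runchroot */` sits only above `digest_matches()`, yet the same reasoning is why `open_cmnd()` and `do_stat()` are passed `NULL` a few lines earlier. I would move it above the `open_cmnd()` call and extend it, e.g. `/* path already carries the runchroot prefix; chrootlen bytes are stripped before it is stored in ctx->runas.cmnd */`.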
*/ +- if (!open_cmnd(ctx->user.cmnd, digests, &fd)) ++ if (!open_cmnd(ctx->user.cmnd, runchroot, digests, &fd)) + goto bad; +- if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW) ++ if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW) + goto bad; +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + + debug_return_int(ALLOW); + bad: +@@ -324,7 +358,7 @@ bad: + #endif /* SUDOERS_NAME_MATCH */ + + static int +-command_matches_all(struct sudoers_context *ctx, int real_root, ++command_matches_all(struct sudoers_context *ctx, const char *runchroot, + const struct command_digest_list *digests) + { + #ifndef SUDOERS_NAME_MATCH +@@ -336,10 +370,10 @@ command_matches_all(struct sudoers_context *ctx, int real_root, + if (strchr(ctx->user.cmnd, '/') != NULL) { + #ifndef SUDOERS_NAME_MATCH + /* Open the file for fdexec or for digest matching. */ +- bool open_error = !open_cmnd(ctx->user.cmnd, digests, &fd); ++ bool open_error = !open_cmnd(ctx->user.cmnd, runchroot, digests, &fd); + + /* A non-existent file is not an error for "sudo ALL". */ +- if (do_stat(fd, ctx->user.cmnd, &sb)) { ++ if (do_stat(fd, ctx->user.cmnd, runchroot, &sb)) { + if (open_error) { + /* File exists but we couldn't open it above? */ + goto bad; +@@ -347,14 +381,14 @@ command_matches_all(struct sudoers_context *ctx, int real_root, + } + #else + /* Open the file for fdexec or for digest matching. */ +- (void)open_cmnd(ctx->user.cmnd, digests, &fd); ++ (void)open_cmnd(ctx->user.cmnd, runchroot, digests, &fd); + #endif + } + + /* Check digest of ctx->user.cmnd since we have no sudoers_cmnd for ALL. */ +- if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW) ++ if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW) + goto bad; +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + + /* No need to set ctx->runas.cmnd for ALL. 
*/ + debug_return_int(ALLOW); +@@ -366,7 +400,7 @@ bad: + + static int + command_matches_fnmatch(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { + const char *cmnd = ctx->user.cmnd; +@@ -384,6 +418,7 @@ command_matches_fnmatch(struct sudoers_context *ctx, const char *sudoers_cmnd, + * c) there are args in sudoers and on command line and they match + * else return DENY. + * ++ * Neither sudoers_cmnd nor user_cmnd are relative to runchroot. + * We do not attempt to match a relative path unless there is a + * canonicalized version. + */ +@@ -402,16 +437,16 @@ command_matches_fnmatch(struct sudoers_context *ctx, const char *sudoers_cmnd, + + if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) { + /* Open the file for fdexec or for digest matching. */ +- if (!open_cmnd(cmnd, digests, &fd)) ++ if (!open_cmnd(cmnd, runchroot, digests, &fd)) + goto bad; + #ifndef SUDOERS_NAME_MATCH +- if (!do_stat(fd, cmnd, &sb)) ++ if (!do_stat(fd, cmnd, runchroot, &sb)) + goto bad; + #endif + /* Check digest of cmnd since sudoers_cmnd is a pattern. 
*/ +- if (digest_matches(fd, cmnd, digests) != ALLOW) ++ if (digest_matches(fd, cmnd, runchroot, digests) != ALLOW) + goto bad; +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + + /* No need to set ctx->runas.cmnd since cmnd matches sudoers_cmnd */ + debug_return_int(ALLOW); +@@ -424,7 +459,7 @@ bad: + + static int + command_matches_regex(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { + const char *cmnd = ctx->user.cmnd; +@@ -441,6 +476,8 @@ command_matches_regex(struct sudoers_context *ctx, const char *sudoers_cmnd, + * b) there are no args on command line and none required by sudoers OR + * c) there are args in sudoers and on command line and they match + * else return DENY. ++ * ++ * Neither sudoers_cmnd nor user_cmnd are relative to runchroot. + */ + if (cmnd[0] != '/' || regex_matches(sudoers_cmnd, cmnd) != ALLOW) { + /* No match, retry using the canonicalized path (if possible). */ +@@ -457,16 +494,16 @@ command_matches_regex(struct sudoers_context *ctx, const char *sudoers_cmnd, + + if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) { + /* Open the file for fdexec or for digest matching. */ +- if (!open_cmnd(cmnd, digests, &fd)) ++ if (!open_cmnd(cmnd, runchroot, digests, &fd)) + goto bad; + #ifndef SUDOERS_NAME_MATCH +- if (!do_stat(fd, cmnd, &sb)) ++ if (!do_stat(fd, cmnd, runchroot, &sb)) + goto bad; + #endif + /* Check digest of cmnd since sudoers_cmnd is a pattern. 
*/ +- if (digest_matches(fd, cmnd, digests) != ALLOW) ++ if (digest_matches(fd, cmnd, runchroot, digests) != ALLOW) + goto bad; +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + + /* No need to set ctx->runas.cmnd since cmnd matches sudoers_cmnd */ + debug_return_int(ALLOW); +@@ -480,17 +517,31 @@ bad: + #ifndef SUDOERS_NAME_MATCH + static int + command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { + struct stat sudoers_stat; + bool bad_digest = false; + char **ap, *base, *cp; ++ char pathbuf[PATH_MAX]; + int fd = -1; +- size_t dlen; ++ size_t dlen, chrootlen = 0; + glob_t gl; + debug_decl(command_matches_glob, SUDOERS_DEBUG_MATCH); + ++ /* Make sudoers_cmnd relative to the new root, if any. */ ++ if (runchroot != NULL) { ++ /* XXX - handle symlinks and '..' in path outside chroot */ ++ const int len = ++ snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, sudoers_cmnd); ++ if (len >= ssizeof(pathbuf)) { ++ errno = ENAMETOOLONG; ++ debug_return_bool(false); ++ } ++ sudoers_cmnd = pathbuf; ++ chrootlen = strlen(runchroot); ++ } ++ + /* + * First check to see if we can avoid the call to glob(3). + * Short circuit if there are no meta chars in the command itself +@@ -522,19 +573,21 @@ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd, + close(fd); + fd = -1; + } ++ /* Remove the runchroot, if any. */ ++ cp += chrootlen; + + if (strcmp(cp, ctx->user.cmnd) != 0) + continue; + /* Open the file for fdexec or for digest matching. 
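Review bot: `chrootlen = strlen(runchroot)` is later used as a fixed offset (`cp += chrootlen` in the two following hunks), which is only correct while every glob result starts with the literal runchroot string. Presumably glob() is called on the prefixed `sudoers_cmnd` (the call is outside the hunk); if runchroot ever contains a glob metacharacter, the matched prefix need not have that length. A cheap guard before stripping would be `if (chrootlen != 0 && strncmp(cp, runchroot, chrootlen) != 0) continue;`. The `XXX` comment about symlinks and '..' could also state that the prefix is not escaped for glob.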
*/ +- if (!open_cmnd(cp, digests, &fd)) ++ if (!open_cmnd(cp, runchroot, digests, &fd)) + continue; +- if (!do_stat(fd, cp, &sudoers_stat)) ++ if (!do_stat(fd, cp, runchroot, &sudoers_stat)) + continue; + if (ctx->user.cmnd_stat == NULL || + (ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev && + ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) { + /* There could be multiple matches, check digest early. */ +- if (digest_matches(fd, cp, digests) != ALLOW) { ++ if (digest_matches(fd, cp, runchroot, digests) != ALLOW) { + bad_digest = true; + continue; + } +@@ -558,11 +611,13 @@ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd, + close(fd); + fd = -1; + } ++ /* Remove the runchroot, if any. */ ++ cp += chrootlen; + + /* If it ends in '/' it is a directory spec. */ + dlen = strlen(cp); + if (cp[dlen - 1] == '/') { +- if (command_matches_dir(ctx, cp, dlen, real_root, digests) == ALLOW) { ++ if (command_matches_dir(ctx, cp, dlen, runchroot, digests) == ALLOW) { + globfree(&gl); + debug_return_int(ALLOW); + } +@@ -593,14 +648,14 @@ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd, + } + + /* Open the file for fdexec or for digest matching. */ +- if (!open_cmnd(cp, digests, &fd)) ++ if (!open_cmnd(cp, runchroot, digests, &fd)) + continue; +- if (!do_stat(fd, cp, &sudoers_stat)) ++ if (!do_stat(fd, cp, runchroot, &sudoers_stat)) + continue; + if (ctx->user.cmnd_stat == NULL || + (ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev && + ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) { +- if (digest_matches(fd, cp, digests) != ALLOW) ++ if (digest_matches(fd, cp, runchroot, digests) != ALLOW) + continue; + free(ctx->runas.cmnd); + if ((ctx->runas.cmnd = strdup(cp)) == NULL) { +@@ -617,7 +672,7 @@ done: + if (cp != NULL) { + if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) { + /* ctx->runas.cmnd was set above. 
*/ +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + debug_return_int(ALLOW); + } + } +@@ -628,7 +683,7 @@ done: + + static int + command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { + struct stat sudoers_stat; +@@ -641,7 +696,7 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + dlen = strlen(sudoers_cmnd); + if (sudoers_cmnd[dlen - 1] == '/') { + debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen, +- real_root, digests)); ++ runchroot, digests)); + } + + /* Only proceed if ctx->user.cmnd_base and basename(sudoers_cmnd) match */ +@@ -672,7 +727,7 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + } + + /* Open the file for fdexec or for digest matching. */ +- if (!open_cmnd(sudoers_cmnd, digests, &fd)) ++ if (!open_cmnd(sudoers_cmnd, runchroot, digests, &fd)) + goto bad; + + /* +@@ -682,7 +737,7 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + * c) there are args in sudoers and on command line and they match + * d) there is a digest and it matches + */ +- if (ctx->user.cmnd_stat != NULL && do_stat(fd, sudoers_cmnd, &sudoers_stat)) { ++ if (ctx->user.cmnd_stat != NULL && do_stat(fd, sudoers_cmnd, runchroot, &sudoers_stat)) { + if (ctx->user.cmnd_stat->st_dev != sudoers_stat.st_dev || + ctx->user.cmnd_stat->st_ino != sudoers_stat.st_ino) + goto bad; +@@ -693,7 +748,7 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + } + if (command_args_match(ctx, sudoers_cmnd, sudoers_args) != ALLOW) + goto bad; +- if (digest_matches(fd, sudoers_cmnd, digests) != ALLOW) { ++ if (digest_matches(fd, sudoers_cmnd, runchroot, digests) != ALLOW) { + /* XXX - log functions not available but we should log very loudly */ + goto bad; + } +@@ -702,7 +757,7 @@ 
command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + goto bad; + } +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + debug_return_int(ALLOW); + bad: + if (fd != -1) +@@ -712,16 +767,16 @@ bad: + #else /* SUDOERS_NAME_MATCH */ + static int + command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { +- return command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args, real_root, ++ return command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args, runchroot, + digests); + } + + static int + command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, +- const char *sudoers_args, int real_root, ++ const char *sudoers_args, const char *runchroot, + const struct command_digest_list *digests) + { + size_t dlen; +@@ -731,16 +786,16 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + /* If it ends in '/' it is a directory spec. */ + dlen = strlen(sudoers_cmnd); + if (sudoers_cmnd[dlen - 1] == '/') { +- debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen, real_root, ++ debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen, runchroot, + digests)); + } + + if (strcmp(ctx->user.cmnd, sudoers_cmnd) == 0) { + if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) { + /* Open the file for fdexec or for digest matching. */ +- if (!open_cmnd(ctx->user.cmnd, digests, &fd)) ++ if (!open_cmnd(ctx->user.cmnd, runchroot, digests, &fd)) + goto bad; +- if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW) ++ if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW) + goto bad; + + /* Successful match. 
*/ +@@ -750,7 +805,7 @@ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd, + U_("unable to allocate memory")); + goto bad; + } +- set_cmnd_fd(ctx, fd, real_root); ++ set_cmnd_fd(ctx, fd); + debug_return_int(ALLOW); + } + } +@@ -771,11 +826,8 @@ command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, + const char *sudoers_args, const char *runchroot, struct cmnd_info *info, + const struct command_digest_list *digests) + { +- struct sudoers_pivot pivot_state = SUDOERS_PIVOT_INITIALIZER; + char *saved_user_cmnd = NULL; + struct stat saved_user_stat; +- bool reset_cmnd = false; +- int real_root = -1; + int ret = DENY; + debug_decl(command_matches, SUDOERS_DEBUG_MATCH); + +@@ -793,18 +845,6 @@ command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, + runchroot = def_runchroot; + } else { + /* Rule-specific runchroot, must reset cmnd and cmnd_stat. */ +- reset_cmnd = true; +- } +- +- /* Pivot root. */ +- if (runchroot != NULL) { +- if (!pivot_root(runchroot, &pivot_state)) +- goto done; +- real_root = pivot_state.saved_root; +- } +- +- if (reset_cmnd) { +- /* Rule-specific runchroot, set cmnd and cmnd_stat after pivot. */ + int status; + + /* Save old ctx->user.cmnd first, set_cmnd_path() will free it. */ +@@ -812,7 +852,7 @@ command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, + ctx->user.cmnd = NULL; + if (ctx->user.cmnd_stat != NULL) + saved_user_stat = *ctx->user.cmnd_stat; +- status = set_cmnd_path(ctx, NULL); ++ status = set_cmnd_path(ctx, runchroot); + if (status != FOUND) { + ctx->user.cmnd = saved_user_cmnd; + saved_user_cmnd = NULL; +@@ -823,13 +863,13 @@ command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, + + if (sudoers_cmnd == NULL) { + sudoers_cmnd = "ALL"; +- ret = command_matches_all(ctx, real_root, digests); ++ ret = command_matches_all(ctx, runchroot, digests); + goto done; + } + + /* Check for regular expressions first. 
*/ + if (sudoers_cmnd[0] == '^') { +- ret = command_matches_regex(ctx, sudoers_cmnd, sudoers_args, real_root, ++ ret = command_matches_regex(ctx, sudoers_cmnd, sudoers_args, runchroot, + digests); + goto done; + } +@@ -860,20 +900,16 @@ command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, + */ + if (def_fast_glob) { + ret = command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args, +- real_root, digests); ++ runchroot, digests); + } else { + ret = command_matches_glob(ctx, sudoers_cmnd, sudoers_args, +- real_root, digests); ++ runchroot, digests); + } + } else { + ret = command_matches_normal(ctx, sudoers_cmnd, sudoers_args, +- real_root, digests); ++ runchroot, digests); + } + done: +- /* Restore root. */ +- if (runchroot != NULL) +- (void)unpivot_root(&pivot_state); +- + /* Restore ctx->user.cmnd and ctx->user.cmnd_stat. */ + if (saved_user_cmnd != NULL) { + if (info != NULL) { +diff --git a/plugins/sudoers/match_digest.c b/plugins/sudoers/match_digest.c +index c988837c6..476fdd866 100644 +--- a/plugins/sudoers/match_digest.c ++++ b/plugins/sudoers/match_digest.c +@@ -40,13 +40,14 @@ + #include + + int +-digest_matches(int fd, const char *path, ++digest_matches(int fd, const char *path, const char *runchroot, + const struct command_digest_list *digests) + { + unsigned int digest_type = SUDO_DIGEST_INVALID; + unsigned char *file_digest = NULL; + unsigned char *sudoers_digest = NULL; + struct command_digest *digest; ++ char pathbuf[PATH_MAX]; + size_t digest_len; + int matched = DENY; + int fd2 = -1; +@@ -66,6 +67,17 @@ digest_matches(int fd, const char *path, + fd = fd2; + } + ++ if (runchroot != NULL) { ++ /* XXX - handle symlinks and '..' in path outside chroot */ ++ const int len = ++ snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path); ++ if (len >= ssizeof(pathbuf)) { ++ errno = ENAMETOOLONG; ++ debug_return_bool(false); ++ } ++ path = pathbuf; ++ } ++ + TAILQ_FOREACH(digest, digests, entries) { + /* Compute file digest if needed. 
*/ + if (digest->digest_type != digest_type) { +diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h +index 0e89fa105..33654c075 100644 +--- a/plugins/sudoers/parse.h ++++ b/plugins/sudoers/parse.h +@@ -418,7 +418,7 @@ int addr_matches(char *n); + int command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, const char *sudoers_args, const char *runchroot, struct cmnd_info *info, const struct command_digest_list *digests); + + /* match_digest.c */ +-int digest_matches(int fd, const char *path, const struct command_digest_list *digests); ++int digest_matches(int fd, const char *path, const char *runchroot, const struct command_digest_list *digests); + + /* match.c */ + struct group; +diff --git a/plugins/sudoers/pivot.c b/plugins/sudoers/pivot.c +deleted file mode 100644 +index 59423f917..000000000 +--- a/plugins/sudoers/pivot.c ++++ /dev/null +@@ -1,87 +0,0 @@ +-/* +- * SPDX-License-Identifier: ISC +- * +- * Copyright (c) 2023 Todd C. Miller +- * +- * Permission to use, copy, modify, and distribute this software for any +- * purpose with or without fee is hereby granted, provided that the above +- * copyright notice and this permission notice appear in all copies. +- * +- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +- */ +- +-/* +- * This is an open source non-commercial project. Dear PVS-Studio, please check it. 
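Review bot: The runchroot prefix block in digest_matches() sits after the context line `fd = fd2;`, so its `debug_return_bool(false)` exit leaves the function without releasing fd2 if that descriptor was opened just above (the open itself is outside the hunk). If that fallback open uses `path`, it also ran on the un-prefixed name. Moving the whole `if (runchroot != NULL) { ... }` block ahead of the fd2 fallback would address both points. Otherwise add `if (fd2 != -1) close(fd2);` before the early return.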
+- * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com +- */ +- +-#include +- +-#include +-#include +-#include +- +-#include +- +-/* +- * Pivot to a new root directory, storing the old root and old cwd +- * in state. Changes current working directory to the new root. +- * Returns true on success, else false. +- */ +-bool +-pivot_root(const char *new_root, struct sudoers_pivot *state) +-{ +- debug_decl(pivot_root, SUDOERS_DEBUG_UTIL); +- +- state->saved_root = open("/", O_RDONLY); +- state->saved_cwd = open(".", O_RDONLY); +- if (state->saved_root == -1 || state->saved_cwd == -1 || chroot(new_root) == -1) { +- if (state->saved_root != -1) { +- close(state->saved_root); +- state->saved_root = -1; +- } +- if (state->saved_cwd != -1) { +- close(state->saved_cwd); +- state->saved_cwd = -1; +- } +- debug_return_bool(false); +- } +- debug_return_bool(chdir("/") == 0); +-} +- +-/* +- * Pivot back to the stored root directory and restore the old cwd. +- * Returns true on success, else false. +- */ +-bool +-unpivot_root(struct sudoers_pivot *state) +-{ +- bool ret = true; +- debug_decl(unpivot_root, SUDOERS_DEBUG_UTIL); +- +- /* Order is important: restore old root, *then* change cwd. */ +- if (state->saved_root != -1) { +- if (fchdir(state->saved_root) == -1 || chroot(".") == -1) { +- sudo_warn("%s", U_("unable to restore root directory")); +- ret = false; +- } +- close(state->saved_root); +- state->saved_root = -1; +- } +- if (state->saved_cwd != -1) { +- if (fchdir(state->saved_cwd) == -1) { +- sudo_warn("%s", U_("unable to restore current working directory")); +- ret = false; +- } +- close(state->saved_cwd); +- state->saved_cwd = -1; +- } +- +- debug_return_bool(ret); +-} +diff --git a/plugins/sudoers/pivot.h b/plugins/sudoers/pivot.h +deleted file mode 100644 +index b03993ea1..000000000 +--- a/plugins/sudoers/pivot.h ++++ /dev/null +@@ -1,32 +0,0 @@ +-/* +- * SPDX-License-Identifier: ISC +- * +- * Copyright (c) 2023 Todd C. 
Miller +- * +- * Permission to use, copy, modify, and distribute this software for any +- * purpose with or without fee is hereby granted, provided that the above +- * copyright notice and this permission notice appear in all copies. +- * +- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +- */ +- +-#ifndef SUDOERS_PIVOT_H +-#define SUDOERS_PIVOT_H +- +-#define SUDOERS_PIVOT_INITIALIZER { -1, -1 } +- +-struct sudoers_pivot { +- int saved_root; +- int saved_cwd; +-}; +- +-bool pivot_root(const char *new_root, struct sudoers_pivot *state); +-bool unpivot_root(struct sudoers_pivot *state); +- +-#endif /* SUDOERS_PIVOT_H */ +diff --git a/plugins/sudoers/regress/editor/check_editor.c b/plugins/sudoers/regress/editor/check_editor.c +index 65e00c077..d28bb111e 100644 +--- a/plugins/sudoers/regress/editor/check_editor.c ++++ b/plugins/sudoers/regress/editor/check_editor.c +@@ -80,7 +80,8 @@ sudo_dso_public int main(int argc, char *argv[]); + /* STUB */ + int + find_path(const char *infile, char **outfile, struct stat *sbp, +- const char *path, bool ignore_dot, char * const *allowlist) ++ const char *path, const char *runchroot, bool ignore_dot, ++ char * const *allowlist) + { + if (infile[0] == '/') { + *outfile = strdup(infile); +diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c +index 0b01e4e20..1321c42bd 100644 +--- a/plugins/sudoers/regress/fuzz/fuzz_policy.c ++++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c +@@ -832,7 +832,8 @@ display_privs(struct 
sudoers_context *ctx, const struct sudo_nss_list *snl, + /* STUB */ + int + find_path(const char *infile, char **outfile, struct stat *sbp, +- const char *path, bool ignore_dot, char * const *allowlist) ++ const char *path, const char *runchroot, bool ignore_dot, ++ char * const *allowlist) + { + switch (pass) { + case PASS_CHECK_NOT_FOUND: +@@ -855,9 +856,9 @@ find_path(const char *infile, char **outfile, struct stat *sbp, + /* STUB */ + int + resolve_cmnd(struct sudoers_context *ctx, const char *infile, char **outfile, +- const char *path) ++ const char *path, const char *runchroot) + { +- return find_path(infile, outfile, NULL, path, false, NULL); ++ return find_path(infile, outfile, NULL, path, NULL, false, NULL); + } + + /* STUB */ +diff --git a/plugins/sudoers/regress/fuzz/fuzz_stubs.c b/plugins/sudoers/regress/fuzz/fuzz_stubs.c +index ce47bf562..c86ca330e 100644 +--- a/plugins/sudoers/regress/fuzz/fuzz_stubs.c ++++ b/plugins/sudoers/regress/fuzz/fuzz_stubs.c +@@ -57,18 +57,6 @@ init_eventlog_config(void) + return; + } + +-bool +-pivot_root(const char *new_root, struct sudoers_pivot *state) +-{ +- return true; +-} +- +-bool +-unpivot_root(struct sudoers_pivot *state) +-{ +- return true; +-} +- + int + group_plugin_query(const char *user, const char *group, const struct passwd *pw) + { +diff --git a/plugins/sudoers/resolve_cmnd.c b/plugins/sudoers/resolve_cmnd.c +index 24e34de0a..3a84ff884 100644 +--- a/plugins/sudoers/resolve_cmnd.c ++++ b/plugins/sudoers/resolve_cmnd.c +@@ -34,7 +34,7 @@ + */ + int + resolve_cmnd(struct sudoers_context *ctx, const char *infile, +- char **outfile, const char *path) ++ char **outfile, const char *path, const char *runchroot) + { + int ret = NOT_FOUND_ERROR; + debug_decl(resolve_cmnd, SUDOERS_DEBUG_UTIL); +@@ -42,7 +42,7 @@ resolve_cmnd(struct sudoers_context *ctx, const char *infile, + if (!set_perms(ctx, PERM_RUNAS)) + goto done; + ret = find_path(infile, outfile, ctx->user.cmnd_stat, path, +- def_ignore_dot, NULL); ++ 
runchroot, def_ignore_dot, NULL); + if (!restore_perms()) + goto done; + if (ret == NOT_FOUND) { +@@ -50,7 +50,7 @@ resolve_cmnd(struct sudoers_context *ctx, const char *infile, + if (!set_perms(ctx, PERM_USER)) + goto done; + ret = find_path(infile, outfile, ctx->user.cmnd_stat, path, +- def_ignore_dot, NULL); ++ runchroot, def_ignore_dot, NULL); + if (!restore_perms()) + goto done; + } +diff --git a/plugins/sudoers/stubs.c b/plugins/sudoers/stubs.c +index b8bc10435..e7a1c2977 100644 +--- a/plugins/sudoers/stubs.c ++++ b/plugins/sudoers/stubs.c +@@ -94,17 +94,3 @@ init_eventlog_config(void) + { + return; + } +- +-/* STUB */ +-bool +-pivot_root(const char *new_root, struct sudoers_pivot *state) +-{ +- return true; +-} +- +-/* STUB */ +-bool +-unpivot_root(struct sudoers_pivot *state) +-{ +- return true; +-} +diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c +index ad2fa2f61..1a8031740 100644 +--- a/plugins/sudoers/sudoers.c ++++ b/plugins/sudoers/sudoers.c +@@ -1092,7 +1092,6 @@ init_vars(struct sudoers_context *ctx, char * const envp[]) + int + set_cmnd_path(struct sudoers_context *ctx, const char *runchroot) + { +- struct sudoers_pivot pivot_state = SUDOERS_PIVOT_INITIALIZER; + const char *cmnd_in; + char *cmnd_out = NULL; + char *path = ctx->user.path; +@@ -1111,13 +1110,7 @@ set_cmnd_path(struct sudoers_context *ctx, const char *runchroot) + if (def_secure_path && !user_is_exempt(ctx)) + path = def_secure_path; + +- /* Pivot root. */ +- if (runchroot != NULL) { +- if (!pivot_root(runchroot, &pivot_state)) +- goto error; +- } +- +- ret = resolve_cmnd(ctx, cmnd_in, &cmnd_out, path); ++ ret = resolve_cmnd(ctx, cmnd_in, &cmnd_out, path, runchroot); + if (ret == FOUND) { + char *slash = strrchr(cmnd_out, '/'); + if (slash != NULL) { +@@ -1134,14 +1127,8 @@ set_cmnd_path(struct sudoers_context *ctx, const char *runchroot) + else + ctx->user.cmnd = cmnd_out; + +- /* Restore root. 
*/ +- if (runchroot != NULL) +- (void)unpivot_root(&pivot_state); +- + debug_return_int(ret); + error: +- if (runchroot != NULL) +- (void)unpivot_root(&pivot_state); + free(cmnd_out); + debug_return_int(NOT_FOUND_ERROR); + } +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index 106a1e8c2..414293eda 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -49,7 +49,6 @@ + #include + #include + #include +-#include + + /* + * Info passed in from the sudo front-end. +@@ -314,15 +313,16 @@ struct stat; + * Function prototypes + */ + /* goodpath.c */ +-bool sudo_goodpath(const char *path, struct stat *sbp); ++bool sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp); + + /* findpath.c */ + int find_path(const char *infile, char **outfile, struct stat *sbp, +- const char *path, bool ignore_dot, char * const *allowlist); ++ const char *path, const char *runchroot, bool ignore_dot, ++ char * const *allowlist); + + /* resolve_cmnd.c */ + int resolve_cmnd(struct sudoers_context *ctx, const char *infile, +- char **outfile, const char *path); ++ char **outfile, const char *path, const char *runchroot); + + /* check.c */ + int check_user(struct sudoers_context *ctx, unsigned int validated, unsigned int mode); +diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c +index f79a0bfa5..006ab36ad 100644 +--- a/plugins/sudoers/testsudoers.c ++++ b/plugins/sudoers/testsudoers.c +@@ -604,18 +604,6 @@ init_eventlog_config(void) + return; + } + +-bool +-pivot_root(const char *new_root, struct sudoers_pivot *state) +-{ +- return true; +-} +- +-bool +-unpivot_root(struct sudoers_pivot *state) +-{ +- return true; +-} +- + int + set_cmnd_path(struct sudoers_context *ctx, const char *runchroot) + { diff --git a/SPECS/sudo/sudo.signatures.json b/SPECS/sudo/sudo.signatures.json index 4734ce1e53..1c08791272 100644 --- a/SPECS/sudo/sudo.signatures.json +++ b/SPECS/sudo/sudo.signatures.json 
@@ -1,5 +1,5 @@ { - "Signatures": { - "sudo-1.9.15p5.tar.gz": "558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558" - } + "Signatures": { + "sudo-1.9.17.tar.gz": "3f212c69d534d5822b492d099abb02a593f91ca99f5afde5cb9bd3e1dcdad069" + } } \ No newline at end of file diff --git a/SPECS/sudo/sudo.spec b/SPECS/sudo/sudo.spec index 5db0e11735..d12d5e407c 100644 --- a/SPECS/sudo/sudo.spec +++ b/SPECS/sudo/sudo.spec @@ -1,6 +1,6 @@ Summary: Sudo Name: sudo -Version: 1.9.15p5 +Version: 1.9.17 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws/ @@ -8,6 +8,8 @@ Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Azure Linux Source0: https://www.sudo.ws/sudo/dist/%{name}-%{version}.tar.gz +Patch0: CVE-2025-32462.patch +Patch1: CVE-2025-32463.patch BuildRequires: audit-devel BuildRequires: man-db BuildRequires: openssl-devel @@ -99,6 +101,10 @@ fi %exclude /etc/sudoers.dist %changelog +* Fri Jun 27 2025 Pawel Winogrodzki - 1.9.17-1 +- Upgrade to version 1.9.17. +- Patching CVEs: 2025-32462 and 2025-32463. + * Thu Jan 25 2024 Thien Trung Vuong - 1.9.15p5-1 - Auto-upgrade to 1.9.15p5 - Update to latest version - Remove NETGROUP_QUERY patch - upstream fix is added in 1.9.15p5 diff --git a/SPECS/supermin/supermin.spec b/SPECS/supermin/supermin.spec index 332f74d971..0f26db9b1b 100644 --- a/SPECS/supermin/supermin.spec +++ b/SPECS/supermin/supermin.spec @@ -21,7 +21,7 @@ Summary: Tool for creating supermin appliances Name: supermin Version: 5.3.4 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -54,7 +54,7 @@ BuildRequires: systemd-udev %if %{with dietlibc} BuildRequires: dietlibc-devel %else -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} %endif %if 0%{?with_check} 
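Review bot: `Patch0: CVE-2025-32462.patch` and `Patch1: CVE-2025-32463.patch` are declared in sudo.spec, but no hunk in this spec touches %prep, so whether they are applied depends on a line that is not shown. If %prep uses plain `%setup`, the package builds with both fixes silently missing; `%autosetup -p1` or explicit `%patch` lines would apply them. It is worth confirming in the build log that both patches are applied.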
@@ -129,6 +129,10 @@ make check || { %{_rpmconfigdir}/supermin-find-requires %changelog +* Mon Sep 8 2025 Chee Yang Lee - 5.3.4-7 +- merge from Azure Linux 3.0.20250822-3.0. +- Bump to rebuild with updated glibc + * Fri May 30 2025 Ranjan Dutta - 5.3.4-6 - merge from Azure Linux 3.0.20250521-3.0 - Bump to rebuild with updated glibc diff --git a/SPECS/sysbench/CVE-2024-25176.patch b/SPECS/sysbench/CVE-2024-25176.patch new file mode 100644 index 0000000000..a4d84d021d --- /dev/null +++ b/SPECS/sysbench/CVE-2024-25176.patch @@ -0,0 +1,28 @@ +From 6d48b3888b46553d021d3d43e5cbbd86a5fa0a94 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 17 Jul 2025 08:42:39 +0000 +Subject: [PATCH] Fix CVE CVE-2024-25176 in sysbench + +Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/343ce0edaf3906a62022936175b2f5410024cbfc.patch +--- + third_party/luajit/luajit/src/lj_strfmt_num.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/third_party/luajit/luajit/src/lj_strfmt_num.c b/third_party/luajit/luajit/src/lj_strfmt_num.c +index 9271f68..1d4fc7c 100644 +--- a/third_party/luajit/luajit/src/lj_strfmt_num.c ++++ b/third_party/luajit/luajit/src/lj_strfmt_num.c +@@ -454,7 +454,8 @@ static char *lj_strfmt_wfnum(SBuf *sb, SFormat sf, lua_Number n, char *p) + prec--; + if (!i) { + if (ndlo == ndhi) { prec = 0; break; } +- lj_strfmt_wuint9(tail, nd[++ndlo]); ++ ndlo = (ndlo + 1) & 0x3f; ++ lj_strfmt_wuint9(tail, nd[ndlo]); + i = 9; + } + } +-- +2.45.3 + diff --git a/SPECS/sysbench/CVE-2024-25178.patch b/SPECS/sysbench/CVE-2024-25178.patch new file mode 100644 index 0000000000..12e4bcd640 --- /dev/null +++ b/SPECS/sysbench/CVE-2024-25178.patch 
@@ -0,0 +1,26 @@ +From 9c8487d3b1aa90b6bd801bdda1b9843159088aaf Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account + +Date: Thu, 17 Jul 2025 08:42:47 +0000 +Subject: [PATCH] Fix CVE CVE-2024-25178 in sysbench + +Upstream Patch Reference: https://github.com/LuaJIT/LuaJIT/commit/defe61a56751a0db5f00ff3ab7b8f45436ba74c8.patch +--- + third_party/luajit/luajit/src/lj_debug.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/third_party/luajit/luajit/src/lj_debug.c b/third_party/luajit/luajit/src/lj_debug.c +index 8319fa1..fc1f15a 100644 +--- a/third_party/luajit/luajit/src/lj_debug.c ++++ b/third_party/luajit/luajit/src/lj_debug.c +@@ -63,6 +63,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe) + if (cf == NULL || (char *)cframe_pc(cf) == (char *)cframe_L(cf)) + return NO_BCPOS; + ins = cframe_pc(cf); /* Only happens during error/hook handling. */ ++ if (!ins) return NO_BCPOS; + } else { + if (frame_islua(nextframe)) { + ins = frame_pc(nextframe); +-- +2.45.3 + diff --git a/SPECS/sysbench/sysbench.spec b/SPECS/sysbench/sysbench.spec index cad314f809..3d632c5532 100644 --- a/SPECS/sysbench/sysbench.spec +++ b/SPECS/sysbench/sysbench.spec @@ -1,7 +1,7 @@ Summary: Scriptable database and system performance benchmark Name: sysbench Version: 1.0.20 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: Applications/System URL: https://github.com/akopytov/sysbench/ @@ -11,6 +11,8 @@ Source0: https://github.com/akopytov/%{name}/archive/%{version}/%{name}-% Patch0: enable-python3.patch Patch1: CVE-2019-19391.patch Patch2: sysbench-1.0.20-fix_deprecated_egrep_call.patch +Patch3: CVE-2024-25178.patch +Patch4: CVE-2024-25176.patch BuildRequires: automake BuildRequires: libaio-devel 
@@ -64,6 +66,9 @@ rm -f %{buildroot}%{_docdir}/sysbench/manual.html %{_datadir}/%{name} %changelog +* Thu Jul 17 2025 Azure Linux Security Servicing Account - 1.0.20-6 +- Patch for CVE-2024-25178, CVE-2024-25176 + * Wed Apr 02 2025 Kanishk Bansal - 1.0.20-5 - Fix ptest by adding a patch to replace deprecated egrep with grep -E. diff --git a/SPECS/systemd-bootstrap/CVE-2023-7008.patch b/SPECS/systemd-bootstrap/CVE-2023-7008.patch new file mode 100644 index 0000000000..91ca454906 --- /dev/null +++ b/SPECS/systemd-bootstrap/CVE-2023-7008.patch 
@@ -0,0 +1,36 @@ +From cbed44badf00e62b639e1cf04955080fcc8fc35a Mon Sep 17 00:00:00 2001 +From: akhila-guruju +Date: Thu, 22 May 2025 10:35:31 +0000 +Subject: [PATCH] Address CVE-2023-7008 + +Upstream Patch reference: https://github.com/systemd/systemd-stable/commit/4ada1290584745ab6643eece9e1756a8c0e079ca + +--- + src/resolve/resolved-dns-transaction.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 2ee45ff..5507fd9 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2781,7 +2781,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + if (r == 0) + continue; + +- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + } + + return true; +@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + /* We found the transaction that was supposed to find the SOA RR for us. It was + * successful, but found no RR for us. This means we are not at a zone cut. In this + * case, we require authentication if the SOA lookup was authenticated too. */ +- return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + } + + return true; +-- +2.45.2 + diff --git a/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch b/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch index b802ead2c6..6acb9c371b 100644 --- a/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch +++ b/SPECS/systemd-bootstrap/fix-journald-audit-logging.patch 
@@ -29,4 +29,4 @@ index a8e3b175ac49..ea535a27af7f 100644 + map_all_fields(p, map_fields_kernel, "_AUDIT_FIELD_", true, iovec, &n, n + N_IOVEC_AUDIT_FIELDS); server_dispatch_message(s, iovec, n, ELEMENTSOF(iovec), NULL, NULL, LOG_NOTICE, 0); - \ No newline at end of file + diff --git a/SPECS/systemd-bootstrap/systemd-bootstrap.spec b/SPECS/systemd-bootstrap/systemd-bootstrap.spec index d2e891f537..35e3a74a1c 100644 --- a/SPECS/systemd-bootstrap/systemd-bootstrap.spec +++ b/SPECS/systemd-bootstrap/systemd-bootstrap.spec @@ -1,7 +1,7 @@ Summary: Bootstrap version of systemd. Workaround for systemd circular dependency. Name: systemd-bootstrap Version: 250.3 -Release: 18%{?dist} +Release: 19%{?dist} License: LGPLv2+ AND GPLv2+ AND MIT Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -50,6 +50,7 @@ Patch9: add-bcachefs-magic.patch # 5. Repeat from 2. as needed until it builds # 6. Build both systemd and systemd-bootstrap, validate the contents of systemd-rpm-macros and system-bootstrap-rpm-macros are identical Patch10: use-255-macros.patch +Patch11: CVE-2023-7008.patch BuildRequires: docbook-dtd-xml BuildRequires: docbook-style-xsl BuildRequires: gettext @@ -287,6 +288,10 @@ fi %{_datadir}/pkgconfig/udev.pc %changelog +* Mon Sep 8 2025 Lee Chee Yang - 250.3-19 +- merge from Azure Linux 3.0.20250822-3.0. +- Patch CVE-2023-7008 + * Wed Feb 26 2025 Anuj Mittal - 250.3-18 - Backport patches to fix build with kernel headers 6.12.12 diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index f791f2f5d0..bc21faf06b 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 29%{?dist} +Release: 30%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 
@@ -156,7 +156,7 @@ Patch0900: do-not-test-openssl-sm3.patch Patch0901: networkd-default-use-domains.patch Patch0902: CVE-2023-7008.patch -%ifarch %{ix86} x86_64 +%ifarch %{ix86} x86_64 aarch64 %global want_bootloader 1 %endif @@ -251,6 +251,9 @@ BuildRequires: python3dist(zstd) %if 0%{?want_bootloader} BuildRequires: python3dist(pyelftools) %endif +%if 0%{?with_check} +BuildRequires: python3dist(pyflakes) +%endif # gzip and lzma are provided by the stdlib BuildRequires: firewalld-filesystem BuildRequires: libseccomp-devel @@ -914,7 +917,11 @@ python3 %{SOURCE2} %buildroot %{!?want_bootloader:--no-bootloader} %if 0%{?want_bootloader} mkdir -p %{buildroot}/boot/efi/EFI/BOOT +%ifarch x86_64 cp %{buildroot}/usr/lib/systemd/boot/efi/systemd-bootx64.efi %{buildroot}/boot/efi/EFI/BOOT/grubx64.efi +%elifarch aarch64 +cp %{buildroot}/usr/lib/systemd/boot/efi/systemd-bootaa64.efi %{buildroot}/boot/efi/EFI/BOOT/grubaa64.efi +%endif %endif %check @@ -1201,7 +1208,11 @@ fi %if 0%{?want_bootloader} %files ukify -f .file-list-ukify %files boot -f .file-list-boot +%ifarch x86_64 /boot/efi/EFI/BOOT/grubx64.efi +%elifarch aarch64 +/boot/efi/EFI/BOOT/grubaa64.efi +%endif %endif %files container -f .file-list-container @@ -1237,6 +1248,11 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Mon Sep 8 2025 Lee Chee Yang - 255-30 +- merge from Azure Linux 3.0.20250822-3.0 +- enable building ukify and sd-boot on arm64 +- enable pyflakes buildrequires which is needed for ukify testing + * Fri May 30 2025 Ranjan Dutta - 255-29 - merge from Azure Linux 3.0.20250521-3.0 - Bumping 'Release' tag to match the 'signed' version of the spec. diff --git a/SPECS/tini/tini.spec b/SPECS/tini/tini.spec index 8547a37a8f..eccdabbe92 100644 --- a/SPECS/tini/tini.spec +++ b/SPECS/tini/tini.spec 
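Review bot: Enabling `want_bootloader` on aarch64 makes the install step copy `systemd-bootaa64.efi` to `/boot/efi/EFI/BOOT/grubaa64.efi`, and nothing in these hunks shows the signed counterpart of this spec being updated with it. The previous changelog entry says the Release tag has to match the 'signed' version of the spec, so the bump to 30 and the new arm64 boot binary presumably need the same change there; otherwise the versions drift and the arm64 loader may ship without the signing step. Separately, `%{ix86}` still sets `want_bootloader`, but the new `%ifarch x86_64` / `%elifarch aarch64` blocks have no branch for it, so a comment such as `# ix86: no fallback loader is copied` next to them would show that is intended.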
@@ -1,7 +1,7 @@ Summary: A tiny but valid init for containers Name: tini Version: 0.19.0 -Release: 20%{?dist} +Release: 21%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,7 +13,7 @@ BuildRequires: diffutils BuildRequires: file BuildRequires: gcc BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-10%{?dist} +BuildRequires: glibc-static >= 2.38-11%{?dist} BuildRequires: kernel-headers BuildRequires: make BuildRequires: sed @@ -66,6 +66,9 @@ ln -s %{_bindir}/tini-static %{buildroot}%{_bindir}/docker-init %{_bindir}/docker-init %changelog +* Thu May 22 2025 Kanishk Bansal - 0.19.0-21 +- Bump to rebuild with updated glibc + * Mon May 12 2025 Andrew Phelps anphel@microsoft.com - 0.19.0-20 - Bump to rebuild with updated glibc diff --git a/SPECS/valkey/CVE-2025-27151.patch b/SPECS/valkey/CVE-2025-27151.patch new file mode 100644 index 0000000000..ed8ec84d12 --- /dev/null +++ b/SPECS/valkey/CVE-2025-27151.patch @@ -0,0 +1,30 @@ +From 992e828dc6f1a20b27780892a97ced9dbdd6e75c Mon Sep 17 00:00:00 2001 +From: SumitJenaHCL +Date: Tue, 17 Jun 2025 17:46:43 +0000 +Subject: [PATCH] Patch CVE-2025-27151 + +Upstream Patch Reference: https://github.com/valkey-io/valkey/commit/73696bf6e2cf754acc3ec24eaf9ca6b879bfc5d7 +--- + src/valkey-check-aof.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/valkey-check-aof.c b/src/valkey-check-aof.c +index bc71d36..c43c30b 100644 +--- a/src/valkey-check-aof.c ++++ b/src/valkey-check-aof.c +@@ -556,6 +556,12 @@ int redis_check_aof_main(int argc, char **argv) { + goto invalid_args; + } + ++ /* Check if filepath is longer than PATH_MAX */ ++ if (strnlen(filepath, PATH_MAX + 1) > PATH_MAX) { ++ printf("Error: filepath is too long (exceeds PATH_MAX)\n"); ++ goto invalid_args; ++ } ++ + /* In the glibc implementation dirname may modify their argument. */ + memcpy(temp_filepath, filepath, strlen(filepath) + 1); + dirpath = dirname(temp_filepath); +-- +2.45.2 + 
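Review bot: In CVE-2025-27151.patch the new check accepts a `filepath` of exactly `PATH_MAX` characters, and the following `memcpy(temp_filepath, filepath, strlen(filepath) + 1)` then writes `PATH_MAX + 1` bytes. That is only safe if `temp_filepath` is declared with at least `PATH_MAX + 1` bytes; the declaration is outside the hunk, so confirm it against the patched source. If the buffer turns out to be `PATH_MAX` bytes, the comparison would need to be `>= PATH_MAX`.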
diff --git a/SPECS/valkey/CVE-2025-49112.patch b/SPECS/valkey/CVE-2025-49112.patch new file mode 100644 index 0000000000..0342cde65c --- /dev/null +++ b/SPECS/valkey/CVE-2025-49112.patch @@ -0,0 +1,26 @@ +From db21a4e55a3afe71923141bcbecbbc74920d5259 Mon Sep 17 00:00:00 2001 +From: SumitJenaHCL +Date: Wed, 11 Jun 2025 11:29:35 +0530 +Subject: [PATCH] Patch CVE-2025-49112 + +Upstream Patch Reference: https://github.com/valkey-io/valkey/commit/374718b2a365ca69f715d542709b7d71540b1387 +--- + src/networking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/networking.c b/src/networking.c +index ab2df89..abb0126 100644 +--- a/src/networking.c ++++ b/src/networking.c +@@ -842,7 +842,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) { + * - It has enough room already allocated + * - And not too large (avoid large memmove) + * - And the client is not in a pending I/O state */ +- if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->size - prev->used > 0 && ++ if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) && prev->used < prev->size && + c->io_write_state != CLIENT_PENDING_IO) { + size_t len_to_copy = prev->size - prev->used; + if (len_to_copy > length) len_to_copy = length; +-- +2.48.1 + diff --git a/SPECS/valkey/valkey.signatures.json b/SPECS/valkey/valkey.signatures.json index d6613c7aa1..fbee7c20b8 100644 --- a/SPECS/valkey/valkey.signatures.json +++ b/SPECS/valkey/valkey.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "valkey-8.0.3.tar.gz": "9141b6a91572e714fae8bc01e5031828ac6a8eb8e012e6836673d18dbfe4a47b" - } -} + "Signatures": { + "valkey-8.0.4.tar.gz": "55c12a25f67ef19b615c76b6cb0c92d12753d76eb8d38b31d30e299c3490cdf2" + } +} \ No newline at end of file diff --git a/SPECS/valkey/valkey.spec b/SPECS/valkey/valkey.spec index 6dab90e7ec..d050ab53f8 100644 --- a/SPECS/valkey/valkey.spec +++ b/SPECS/valkey/valkey.spec 
@@ -1,6 +1,6 @@ Summary: advanced key-value store Name: valkey -Version: 8.0.3 +Version: 8.0.4 Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation @@ -10,6 +10,8 @@ URL: https://valkey.io/ Source0: https://github.com/valkey-io/valkey/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: valkey-conf.patch Patch1: disable-mem-defrag-tests.patch +Patch2: CVE-2025-49112.patch +Patch3: CVE-2025-27151.patch BuildRequires: gcc BuildRequires: make BuildRequires: openssl-devel @@ -84,6 +86,15 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/valkey.conf %changelog +* Tue Jul 22 2025 Kevin Lockwood - 8.0.4-1 +- Upgrade to 8.0.4 to fix CVE-2025-32023, CVE-2025-48367 + +* Wed Jun 18 2025 Sumit Jena - 8.0.3-3 +- Fix CVE-2025-27151 + +* Thu Jun 12 2025 Sumit Jena - 8.0.3-2 +- Fix CVE-2025-49112 + * Mon Apr 28 2025 CBL-Mariner Servicing Account - 8.0.3-1 - Auto-upgrade to 8.0.3 - for CVE-2025-21605 diff --git a/SPECS/vim/vim.signatures.json b/SPECS/vim/vim.signatures.json index b4386cf852..f8f5d52a4b 100644 --- a/SPECS/vim/vim.signatures.json +++ b/SPECS/vim/vim.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { "macros.vim": "98d2e285e93e339defc13ef1dc4fa76f24e3fca6282e4196a3dae45de778eab8", - "vim-9.1.1198.tar.gz": "ce85c04b1b1dc1258635d4887d84681aa6b637b0ca15364898d9b27e2a747057" + "vim-9.1.1552.tar.gz": "66400ef982ba96496a4c02c5861bf5ecb317fdfccc750342111a4548f714721d" } } diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec index 98a1d984d1..7fa633b63a 100644 --- a/SPECS/vim/vim.spec +++ b/SPECS/vim/vim.spec @@ -1,7 +1,7 @@ %define debug_package %{nil} Summary: Text editor Name: vim -Version: 9.1.1198 +Version: 9.1.1552 Release: 1%{?dist} License: Vim Vendor: Microsoft Corporation 
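Review bot: `Version` moves to 8.0.4 in the same change that adds `Patch2` (CVE-2025-49112) and `Patch3` (CVE-2025-27151), both of which were written against 8.0.3 according to the 8.0.3-2 and 8.0.3-3 changelog entries. Confirm that neither fix is already contained in the 8.0.4 tarball; a patch that is already upstream either fails to apply or should be dropped so the spec reflects what is really carried. If both are still needed, record it in the 8.0.4-1 entry, e.g. `- Keep patches for CVE-2025-49112 and CVE-2025-27151 (not in 8.0.4)`.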
@@ -153,7 +153,6 @@ fi %{_datarootdir}/vim/vim*/lang/*.vim %doc %{_datarootdir}/vim/vim*/lang/*.txt %lang(af) %{_datarootdir}/vim/vim*/lang/af/LC_MESSAGES/vim.mo -%lang(am) %{_datarootdir}/vim/vim*/lang/am/LC_MESSAGES/vim.mo %lang(ca) %{_datarootdir}/vim/vim*/lang/ca/LC_MESSAGES/vim.mo %lang(cs) %{_datarootdir}/vim/vim*/lang/cs/LC_MESSAGES/vim.mo %lang(de) %{_datarootdir}/vim/vim*/lang/de/LC_MESSAGES/vim.mo @@ -164,6 +163,7 @@ fi %lang(fr) %{_datarootdir}/vim/vim*/lang/fr/LC_MESSAGES/vim.mo %lang(ga) %{_datarootdir}/vim/vim*/lang/ga/LC_MESSAGES/vim.mo %lang(hu) %{_datarootdir}/vim/vim*/lang/hu/LC_MESSAGES/vim.mo +%lang(hy) %{_datarootdir}/vim/vim*/lang/hy/LC_MESSAGES/vim.mo %lang(it) %{_datarootdir}/vim/vim*/lang/it/LC_MESSAGES/vim.mo %lang(ja) %{_datarootdir}/vim/vim*/lang/ja/LC_MESSAGES/vim.mo %lang(ko.UTF-8) %{_datarootdir}/vim/vim*/lang/ko.UTF-8/LC_MESSAGES/vim.mo @@ -221,6 +221,9 @@ fi %{_rpmconfigdir}/macros.d/macros.vim %changelog +* Wed Jul 16 2025 Jyoti Kanase - 9.1.1552-1 +- Upgrade to 9.1.1552 - for CVE-2025-53905 and CVE-2025-53906 + * Mon Mar 17 2025 CBL-Mariner Servicing Account - 9.1.1198-1 - Auto-upgrade to 9.1.1198 - for CVE-2025-29768 diff --git a/SPECS/virtiofsd/virtiofsd.spec b/SPECS/virtiofsd/virtiofsd.spec index c8a4590acc..274b72d1fc 100644 --- a/SPECS/virtiofsd/virtiofsd.spec +++ b/SPECS/virtiofsd/virtiofsd.spec @@ -22,7 +22,7 @@ Name: virtiofsd # Version to be kept in sync with the `asset.virtiofsd.version` field from # https://github.com/microsoft/kata-containers/blob/msft-main/versions.yaml Version: 1.8.0 -Release: 3%{?dist} +Release: 5%{?dist} Summary: vhost-user virtio-fs device backend written in Rust Group: Development/Libraries/Rust License: Apache-2.0 
@@ -75,6 +75,12 @@ cargo test --release %{_datadir}/qemu/vhost-user/50-qemu-virtiofsd.json %changelog +* Mon Jul 21 2025 Jyoti Kanase - 1.8.0-5 +- Bump release to rebuild with rust + +* Tue Jun 10 2025 Kavya Sree Kaitepalli - 1.8.0-4 +- Bump release to rebuild with rust + * Mon May 05 2025 Archana Choudhary - 1.8.0-3 - Patch for CVE-2024-43806 * Mon Apr 21 2025 Kavya Sree Kaitepalli - 1.8.0-2 diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch new file mode 100644 index 0000000000..2d2b34430d --- /dev/null +++ b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49175.patch 
@@ -0,0 +1,89 @@
+From 0885e0b26225c90534642fe911632ec0779eebee Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee.patch
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ | at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ | at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: José Expósito
+Part-of:
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index f906cd8130..1194cee7e7 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -305,6 +305,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 113f6e0c5a..fe9f03c8c8 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1799,6 +1799,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+GitLab
+
diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch
new file mode 100644
index 0000000000..612557a77a
--- /dev/null
+++ b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49177.patch
@@ -0,0 +1,39 @@
+From fec15c9463b629600306a25fb01801353b6a9bf6 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Mon, 23 Jun 2025 15:22:44 -0700
+Subject: [PATCH] [Medium] Patch xorg-x11-server-Xwayland for CVE-2025-49177
+
+Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af.patch
+
+Part-of:
+
+Only edit to the upstream patch was because the patcher could not find
+where to position a hunk
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index e412942..b3529af 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -69,6 +69,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
+@@ -82,7 +83,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.34.1
+
diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch
new file mode 100644
index 0000000000..af08641dde
--- /dev/null
+++ b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49178.patch
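Review bot: The header of CVE-2025-49177.patch says the upstream patch was edited "because the patcher could not find where to position a hunk", but not which hunk was re-anchored or what changed, so a later reviewer cannot compare this file with the linked upstream commit without redoing the backport. Add one line to the header that records it, for example `Backport note: <which hunk was re-anchored and why>; no functional change`. Both functions touched in `xfixes/disconnect.c` continue outside the hunks shown.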
@@ -0,0 +1,47 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+
+Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2.patch
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Peter Hutterer
+Part-of:
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 3e39c10e6f..e7b76b9cea 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -441,7 +441,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+GitLab
+
diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch
new file mode 100644
index 0000000000..ab398fe561
--- /dev/null
+++ b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49179.patch
@@ -0,0 +1,41 @@
+From dcf8726020de572e28ae4f9b0b40be2a6ea27a2c Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood
+Date: Mon, 23 Jun 2025 14:21:55 -0700
+Subject: [PATCH] Patch xorg-x11-server-Xwayland for CVE-2025-49179
+
+Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4.patch
+
+Part-of:
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index ca9254c..311ec1a 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -46,6 +46,7 @@ and Jim Haggerty of Metheus.
+ #include "swaprep.h"
+ #include "inputstr.h"
+ #include "scrnintstr.h"
++#include "include/opaque.h"
+
+ #include
+ #include
+@@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.34.1
+
diff --git a/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch
new file mode 100644
index 0000000000..8c63a282c9
--- /dev/null
+++ b/SPECS/xorg-x11-server-Xwayland/CVE-2025-49180.patch
@@ -0,0 +1,42 @@ +From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Tue, 20 May 2025 15:18:19 +0200 +Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty() + +Upstream Patch Link: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6.patch + +A client might send a request causing an integer overflow when computing +the total size to allocate in RRChangeProviderProperty(). + +To avoid the issue, check that total length in bytes won't exceed the +maximum integer value. + +CVE-2025-49180 + +This issue was discovered by Nils Emmerich and +reported by Julian Suleder via ERNW Vulnerability Disclosure. + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Part-of: +--- + randr/rrproviderproperty.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c +index 69f66ed278..0c3dcd1bc5 100644 +--- a/randr/rrproviderproperty.c ++++ b/randr/rrproviderproperty.c +@@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type, + + if (mode == PropModeReplace || len > 0) { + void *new_data = NULL, *old_data = NULL; +- ++ if (total_len > MAXINT / size_in_bytes) ++ return BadValue; + total_size = total_len * size_in_bytes; + new_value.data = (void *) malloc(total_size); + if (!new_value.data && total_size) { +-- +GitLab + diff --git a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec index 28b3d88a5a..4f494a4e87 100644 --- a/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec +++ b/SPECS/xorg-x11-server-Xwayland/xorg-x11-server-Xwayland.spec @@ -11,7 +11,7 @@ Distribution: Azure Linux Summary: Xwayland Name: xorg-x11-server-Xwayland Version: 24.1.6 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT URL: http://www.x.org 
@@ -87,7 +87,13 @@ BuildRequires: pkgconfig(xcb-aux) BuildRequires: pkgconfig(xcb-image) BuildRequires: pkgconfig(xcb-keysyms) BuildRequires: pkgconfig(xcb-renderutil) - + +Patch0: CVE-2025-49175.patch +Patch1: CVE-2025-49177.patch +Patch2: CVE-2025-49178.patch +Patch3: CVE-2025-49179.patch +Patch4: CVE-2025-49180.patch + %description Xwayland is an X server for running X clients under Wayland. @@ -137,6 +143,13 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %{_libdir}/pkgconfig/xwayland.pc %changelog +* Mon Jun 23 2025 Kevin Lockwood - 24.1.6-2 +- Add patch for CVE-2025-49175 +- Add patch for CVE-2025-49177 +- Add patch for CVE-2025-49178 +- Add patch for CVE-2025-49179 +- Add patch for CVE-2025-49180 + * Tue Mar 04 2025 CBL-Mariner Servicing Account - 24.1.6-1 - Auto-upgrade to 24.1.6 - to fix CVE-2025-26594, CVE-2025-26595, CVE-2025-26596, CVE-2025-26597, CVE-2025-26598, CVE-2025-26599, CVE-2025-26600, CVE-2025-26601[High] - Remove older applied patch for CVE-2024-9632 diff --git a/SPECS/yasm/CVE-2024-22653.patch b/SPECS/yasm/CVE-2024-22653.patch new file mode 100644 index 0000000000..ffc7125f8e --- /dev/null +++ b/SPECS/yasm/CVE-2024-22653.patch 
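Review bot: The patch list in xorg-x11-server-Xwayland.spec goes from CVE-2025-49175 straight to CVE-2025-49177; if the identifier in between belongs to the same upstream advisory, the changelog should say why it is not patched here (already fixed in 24.1.6, not applicable to Xwayland, or still pending). Without that, a scanner finding for the missing id cannot be triaged from the spec alone. A line such as `- CVE-<id>: not patched, <reason>` under the 24.1.6-2 entry would cover it.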
@@ -0,0 +1,28 @@ +From 9aee6978378817664714350b597073efabfdef12 Mon Sep 17 00:00:00 2001 +From: archana25-ms +Date: Mon, 23 Jun 2025 08:51:40 +0000 +Subject: [PATCH] Address CVE-2024-22653 +Upstream Patch Reference: https://patch-diff.githubusercontent.com/raw/yasm/yasm/pull/263.diff + +--- + libyasm/section.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/libyasm/section.c b/libyasm/section.c +index ba582bf..1c1ba71 100644 +--- a/libyasm/section.c ++++ b/libyasm/section.c +@@ -611,6 +611,10 @@ yasm_bytecode * + yasm_section_bcs_append(yasm_section *sect, yasm_bytecode *bc) + { + if (bc) { ++ if (!sect) { ++ yasm_error_set(YASM_ERROR_VALUE, "Attempt to append bytecode to a NULL section or with a NULL bytecode"); ++ return NULL; ++ } + if (bc->callback) { + bc->section = sect; /* record parent section */ + STAILQ_INSERT_TAIL(§->bcs, bc, link); +-- +2.45.3 + diff --git a/SPECS/yasm/yasm.spec b/SPECS/yasm/yasm.spec index 6da9d3eba6..2b0a8c2b44 100644 --- a/SPECS/yasm/yasm.spec +++ b/SPECS/yasm/yasm.spec @@ -1,7 +1,7 @@ Summary: Modular Assembler Name: yasm Version: 1.3.0 -Release: 16%{?dist} +Release: 17%{?dist} License: BSD and (GPLv2+ or Artistic or LGPLv2+) and LGPLv2 URL: https://yasm.tortall.net/ Vendor: Microsoft Corporation @@ -12,6 +12,7 @@ Patch2: CVE-2023-31975.patch Patch3: CVE-2021-33454.patch Patch4: CVE-2023-51258.patch Patch5: CVE-2023-37732.patch +Patch6: CVE-2024-22653.patch BuildRequires: gcc BuildRequires: bison @@ -76,6 +77,9 @@ make install DESTDIR=%{buildroot} %changelog +* Mon Jun 23 2025 Archana Shettigar - 1.3.0-17 +- Patch CVE-2024-22653 + * Wed May 14 2025 Akhila Guruju - 1.3.0-16 - Patch CVE-2023-51258 and CVE-2023-37732 diff --git a/cgmanifest.json b/cgmanifest.json index 60c75d29f3..e10e034bdc 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
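Review bot: In CVE-2024-22653.patch the new `!sect` branch sits inside `if (bc)`, so the message "Attempt to append bytecode to a NULL section or with a NULL bytecode" names a condition that cannot occur on that path; `"Attempt to append bytecode to a NULL section"` would be accurate. The branch also returns NULL without touching `bc`, and the rest of `yasm_section_bcs_append` and its callers are outside the hunk, so check that callers tolerate a NULL return and that `bc` is not leaked. The Upstream Patch Reference is a pull-request `.diff` URL rather than a commit, and its content can change later; recording the commit hash once it is merged would make the provenance of this fix verifiable.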
@@ -235,8 +235,8 @@ "type": "other", "other": { "name": "ansible", - "version": "2.17.0", - "downloadUrl": "https://github.com/ansible/ansible/archive/refs/tags/v2.17.0.tar.gz" + "version": "2.17.11", + "downloadUrl": "https://github.com/ansible/ansible/archive/refs/tags/v2.17.11.tar.gz" } } }, @@ -875,8 +875,8 @@ "type": "other", "other": { "name": "azl-otel-collector", - "version": "0.124.0", - "downloadUrl": "https://github.com/microsoft/azl-otel-collector/archive/refs/tags/v0.124.0.tar.gz" + "version": "0.127.0", + "downloadUrl": "https://github.com/microsoft/azl-otel-collector/archive/refs/tags/v0.127.0.tar.gz" } } }, @@ -920,6 +920,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "azurelinux-image-tools", + "version": "0.18.0", + "downloadUrl": "https://github.com/microsoft/azure-linux-image-tools/archive/refs/tags/v0.18.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1117,8 +1127,8 @@ "type": "other", "other": { "name": "bind", - "version": "9.20.5", - "downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.5/bind-9.20.5.tar.xz" + "version": "9.20.11", + "downloadUrl": "https://ftp.isc.org/isc/bind9/9.20.11/bind-9.20.11.tar.xz" } } }, @@ -1162,16 +1172,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "blobfuse2", - "version": "2.3.2", - "downloadUrl": "https://github.com/Azure/azure-storage-fuse/archive/blobfuse2-2.3.2.tar.gz" - } - } - }, { "component": { "type": "other", @@ -1267,8 +1267,8 @@ "type": "other", "other": { "name": "bpftrace", - "version": "0.20.3", - "downloadUrl": "https://github.com/iovisor/bpftrace/archive/refs/tags/v0.20.3.tar.gz" + "version": "0.23.5", + "downloadUrl": "https://github.com/bpftrace/bpftrace/archive/refs/tags/v0.23.5.tar.gz" } } }, 
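Review bot: Several cgmanifest.json entries change where the source is fetched from, not only the version: bpftrace here (`iovisor/bpftrace` to `bpftrace/bpftrace`), and in later hunks cjose (`cisco/cjose` archive to an `OpenIDC/cjose` release asset), foomatic-db (Azure Linux source blob to openprinting.org) and freeradius (FTP to a GitHub release). For each of these, confirm the new origin is the project's intended upstream and that the tarball hash in the package's signatures file was recomputed from the new URL. Those signatures files are not part of these hunks, so this cannot be verified from the diff shown.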
@@ -1487,8 +1487,18 @@ "type": "other", "other": { "name": "cassandra", - "version": "4.0.10", - "downloadUrl": "https://archive.apache.org/dist/cassandra/4.0.10/apache-cassandra-4.0.10-src.tar.gz" + "version": "5.0.0", + "downloadUrl": "https://archive.apache.org/dist/cassandra/5.0.0/apache-cassandra-5.0.0-src.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "cassandra-driver", + "version": "3.29.2", + "downloadUrl": "https://github.com/datastax/python-driver/archive/refs/tags/3.29.2.tar.gz" } } }, @@ -1748,7 +1758,7 @@ "other": { "name": "cim-schema", "version": "2.54.1", - "downloadUrl": "http://www.dmtf.org/standards/cim/cim_schema_v2541/cim_schema_2.54.1Experimental-MOFs.zip" + "downloadUrl": "https://www.dmtf.org/standards/cim/cim_schema_v2541/cim_schema_2.54.1Experimental-MOFs.zip" } } }, @@ -1767,8 +1777,8 @@ "type": "other", "other": { "name": "cjose", - "version": "0.6.1", - "downloadUrl": "https://github.com/cisco/cjose/archive/0.6.1/cjose-0.6.1.tar.gz" + "version": "0.6.2.2", + "downloadUrl": "https://github.com/OpenIDC/cjose/releases/download/v0.6.2.2/cjose-0.6.2.2.tar.gz" } } }, @@ -1797,8 +1807,8 @@ "type": "other", "other": { "name": "clamav", - "version": "1.0.7", - "downloadUrl": "https://github.com/Cisco-Talos/clamav/archive/refs/tags/clamav-1.0.7.tar.gz" + "version": "1.0.9", + "downloadUrl": "https://github.com/Cisco-Talos/clamav/archive/refs/tags/clamav-1.0.9.tar.gz" } } }, @@ -1807,8 +1817,8 @@ "type": "other", "other": { "name": "clang", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, 
@@ -2047,8 +2057,8 @@ "type": "other", "other": { "name": "compiler-rt", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, @@ -2102,16 +2112,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "containerd", - "version": "1.7.13", - "downloadUrl": "https://github.com/containerd/containerd/archive/v1.7.13.tar.gz" - } - } - }, { "component": { "type": "other", @@ -2132,16 +2132,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "containernetworking-plugins", - "version": "1.6.1", - "downloadUrl": "https://github.com/containernetworking/plugins/archive/v1.6.1.tar.gz" - } - } - }, { "component": { "type": "other", @@ -2292,6 +2282,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "cqlsh", + "version": "6.1.2", + "downloadUrl": "https://files.pythonhosted.org/packages/source/c/cqlsh/cqlsh-6.1.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -2502,6 +2502,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "dasel", + "version": "2.8.1", + "downloadUrl": "https://github.com/TomWright/dasel/archive/refs/tags/v2.8.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -2537,8 +2547,8 @@ "type": "other", "other": { "name": "dbus-python", - "version": "1.2.16", - "downloadUrl": "https://dbus.freedesktop.org/releases/dbus-python/dbus-python-1.2.16.tar.gz" + "version": "1.3.2", + "downloadUrl": "https://dbus.freedesktop.org/releases/dbus-python/dbus-python-1.3.2.tar.gz" } } }, 
@@ -3348,8 +3358,8 @@ "type": "other", "other": { "name": "elinks", - "version": "0.16.0", - "downloadUrl": "https://github.com/rkd77/elinks/releases/download/v0.16.0/elinks-0.16.0.tar.xz" + "version": "0.17.0", + "downloadUrl": "https://github.com/rkd77/elinks/releases/download/v0.17.0/elinks-0.17.0.tar.xz" } } }, @@ -3438,8 +3448,8 @@ "type": "other", "other": { "name": "erlang", - "version": "26.2.5.11", - "downloadUrl": "https://github.com/erlang/otp/archive/OTP-26.2.5.11/otp-OTP-26.2.5.11.tar.gz" + "version": "26.2.5.13", + "downloadUrl": "https://github.com/erlang/otp/archive/OTP-26.2.5.13/otp-OTP-26.2.5.13.tar.gz" } } }, @@ -3588,8 +3598,8 @@ "type": "other", "other": { "name": "facter", - "version": "4.2.13", - "downloadUrl": "https://downloads.puppetlabs.com/facter/facter-4.2.13.gem" + "version": "4.8.0", + "downloadUrl": "https://downloads.puppetlabs.com/facter/facter-4.8.0.gem" } } }, @@ -3920,8 +3930,8 @@ "type": "other", "other": { "name": "foomatic-db", - "version": "4.0", - "downloadUrl": "https://azurelinuxsrcstorage.blob.core.windows.net/sources/core/foomatic-db-4.0-20201104.tar.gz" + "version": "4.0.20250707", + "downloadUrl": "https://www.openprinting.org/download/foomatic/foomatic-db-4.0-20250707.tar.gz" } } }, @@ -3970,8 +3980,8 @@ "type": "other", "other": { "name": "freeradius", - "version": "3.2.3", - "downloadUrl": "ftp://ftp.freeradius.org/pub/radius/freeradius-server-3.2.3.tar.bz2" + "version": "3.2.5", + "downloadUrl": "https://github.com/FreeRADIUS/freeradius-server/releases/download/release_3_2_5/freeradius-server-3.2.5.tar.bz2" } } }, @@ -4450,8 +4460,8 @@ "type": "other", "other": { "name": "git", - "version": "2.45.3", - "downloadUrl": "https://github.com/git/git/archive/refs/tags/v2.45.3.tar.gz" + "version": "2.45.4", + "downloadUrl": "https://github.com/git/git/archive/refs/tags/v2.45.4.tar.gz" } } }, 
@@ -4690,8 +4700,8 @@ "type": "other", "other": { "name": "gnupg2", - "version": "2.4.4", - "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.4.tar.bz2" + "version": "2.4.7", + "downloadUrl": "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.7.tar.bz2" } } }, @@ -4750,8 +4760,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.23.9", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.23.9-1/go1.23.9-20250506.5.src.tar.gz" + "version": "1.23.12", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.23.12-1/go1.23.12-20250806.6.src.tar.gz" } } }, @@ -4760,8 +4770,8 @@ "type": "other", "other": { "name": "golang", - "version": "1.24.4", - "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.24.4-1/go1.24.4-20250605.5.src.tar.gz" + "version": "1.24.6", + "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.24.6-1/go1.24.6-20250806.4.src.tar.gz" } } }, @@ -5375,16 +5385,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "helm", - "version": "3.18.3", - "downloadUrl": "https://github.com/helm/helm/archive/refs/tags/v3.18.3.tar.gz" - } - } - }, { "component": { "type": "other", @@ -5520,8 +5520,8 @@ "type": "other", "other": { "name": "httpd", - "version": "2.4.62", - "downloadUrl": "https://archive.apache.org/dist/httpd/httpd-2.4.62.tar.bz2" + "version": "2.4.65", + "downloadUrl": "https://archive.apache.org/dist/httpd/httpd-2.4.65.tar.bz2" } } }, @@ -6690,8 +6690,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "6.6.85.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.85.1.tar.gz" + "version": "6.6.96.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.96.2.tar.gz" } } }, 
@@ -7170,8 +7170,8 @@ "type": "other", "other": { "name": "ibus", - "version": "1.5.22", - "downloadUrl": "https://github.com/ibus/ibus/releases/download/1.5.22/ibus-1.5.22.tar.gz" + "version": "1.5.31", + "downloadUrl": "https://github.com/ibus/ibus/releases/download/1.5.31/ibus-1.5.31.tar.gz" } } }, @@ -8181,8 +8181,8 @@ "type": "other", "other": { "name": "jimtcl", - "version": "0.78", - "downloadUrl": "https://github.com/msteveb/jimtcl/archive/0.78/jimtcl-0.78.tar.gz" + "version": "0.83", + "downloadUrl": "https://github.com/msteveb/jimtcl/archive/0.83/jimtcl-0.83.tar.gz" } } }, @@ -8231,8 +8231,8 @@ "type": "other", "other": { "name": "jose", - "version": "10", - "downloadUrl": "https://github.com/latchset/jose/releases/download/v10/jose-10.tar.bz2" + "version": "14", + "downloadUrl": "https://github.com/latchset/jose/releases/download/v14/jose-14.tar.xz" } } }, @@ -8411,8 +8411,8 @@ "type": "other", "other": { "name": "kata-containers", - "version": "3.15.0.aks0", - "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.15.0.aks0.tar.gz" + "version": "3.18.0.kata0", + "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.18.0.kata0.tar.gz" } } }, @@ -8501,8 +8501,8 @@ "type": "other", "other": { "name": "kernel-64k", - "version": "6.6.85.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.85.1.tar.gz" + "version": "6.6.96.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.96.2.tar.gz" } } }, @@ -8521,8 +8521,8 @@ "type": "other", "other": { "name": "kernel-ipe", - "version": "6.6.82.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.82.1.tar.gz" + "version": "6.6.96.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.96.2.tar.gz" } } }, 
@@ -8531,8 +8531,8 @@ "type": "other", "other": { "name": "kernel-lpg-innovate", - "version": "6.6.85.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/lpg-innovate/6.6.85.1.tar.gz" + "version": "6.6.89.2", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/lpg-innovate/6.6.89.2.tar.gz" } } }, @@ -9011,8 +9011,8 @@ "type": "other", "other": { "name": "libappstream-glib", - "version": "0.8.2", - "downloadUrl": "http://people.freedesktop.org/~hughsient/appstream-glib/releases/appstream-glib-0.8.2.tar.xz" + "version": "0.8.3", + "downloadUrl": "https://people.freedesktop.org/~hughsient/appstream-glib/releases/appstream-glib-0.8.3.tar.xz" } } }, @@ -9111,8 +9111,8 @@ "type": "other", "other": { "name": "libbpf", - "version": "1.2.2", - "downloadUrl": "https://github.com/libbpf/libbpf/archive/v1.2.2.tar.gz" + "version": "1.5.0", + "downloadUrl": "https://github.com/libbpf/libbpf/archive/v1.5.0.tar.gz" } } }, @@ -9351,8 +9351,8 @@ "type": "other", "other": { "name": "libcxx", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, @@ -9651,8 +9651,8 @@ "type": "other", "other": { "name": "libetonyek", - "version": "0.1.9", - "downloadUrl": "http://dev-www.libreoffice.org/src/libetonyek/libetonyek-0.1.9.tar.xz" + "version": "0.1.12", + "downloadUrl": "https://dev-www.libreoffice.org/src/libetonyek/libetonyek-0.1.12.tar.xz" } } }, @@ -9781,8 +9781,8 @@ "type": "other", "other": { "name": "libgcrypt", - "version": "1.10.2", - "downloadUrl": "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.2.tar.bz2" + "version": "1.10.3", + "downloadUrl": "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.3.tar.bz2" } } }, 
@@ -9901,8 +9901,8 @@ "type": "other", "other": { "name": "libgpg-error", - "version": "1.47", - "downloadUrl": "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.47.tar.bz2" + "version": "1.48", + "downloadUrl": "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.48.tar.bz2" } } }, @@ -10781,8 +10781,8 @@ "type": "other", "other": { "name": "libnvidia-container", - "version": "1.17.4", - "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.17.4.tar.gz" + "version": "1.17.8", + "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.17.8.tar.gz" } } }, @@ -11051,8 +11051,8 @@ "type": "other", "other": { "name": "libproxy", - "version": "0.4.17", - "downloadUrl": "https://github.com/libproxy/libproxy/archive/refs/tags/0.4.17.tar.gz" + "version": "0.5.8", + "downloadUrl": "https://github.com/libproxy/libproxy/archive/refs/tags/0.5.8.tar.gz" } } }, @@ -11461,8 +11461,8 @@ "type": "other", "other": { "name": "libsrtp", - "version": "2.3.0", - "downloadUrl": "https://github.com/cisco/libsrtp/archive/v2.3.0.tar.gz" + "version": "2.6.0", + "downloadUrl": "https://github.com/cisco/libsrtp/archive/v2.6.0.tar.gz" } } }, @@ -12501,8 +12501,8 @@ "type": "other", "other": { "name": "lilv", - "version": "0.24.14", - "downloadUrl": "https://download.drobilla.net/lilv-0.24.14.tar.bz2" + "version": "0.24.26", + "downloadUrl": "https://download.drobilla.net/lilv-0.24.26.tar.xz" } } }, @@ -12551,8 +12551,8 @@ "type": "other", "other": { "name": "lld", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, 
@@ -12571,8 +12571,8 @@ "type": "other", "other": { "name": "lldb", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, @@ -12601,8 +12601,8 @@ "type": "other", "other": { "name": "llvm", - "version": "18.1.2", - "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz" + "version": "18.1.8", + "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.8.tar.gz" } } }, @@ -12636,16 +12636,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "local-path-provisioner", - "version": "0.0.24", - "downloadUrl": "https://github.com/rancher/local-path-provisioner/archive/refs/tags/v0.0.24.tar.gz" - } - } - }, { "component": { "type": "other", @@ -13262,7 +13252,7 @@ "other": { "name": "mariadb", "version": "10.11.11", - "downloadUrl": "https://github.com/MariaDB/server/archive/mariadb-10.11.11.tar.gz" + "downloadUrl": "https://downloads.mariadb.org/interstitial/mariadb-10.11.11/source/mariadb-10.11.11.tar.gz" } } }, @@ -14142,8 +14132,8 @@ "type": "other", "other": { "name": "mysql", - "version": "8.0.41", - "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.41.tar.gz" + "version": "8.0.43", + "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.43.tar.gz" } } }, @@ -14737,16 +14727,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "node-problem-detector", - "version": "0.8.20", - "downloadUrl": "https://github.com/kubernetes/node-problem-detector/archive/refs/tags/v0.8.20.tar.gz" - } - } - }, { "component": { "type": "other", 
@@ -14942,8 +14922,8 @@ "type": "other", "other": { "name": "nvidia-container-toolkit", - "version": "1.17.4", - "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.17.4.tar.gz" + "version": "1.17.8", + "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.17.8.tar.gz" } } }, @@ -16263,8 +16243,8 @@ "type": "other", "other": { "name": "papi", - "version": "5.7.0", - "downloadUrl": "http://icl.cs.utk.edu/projects/papi/downloads/papi-5.7.0.tar.gz" + "version": "7.1.0", + "downloadUrl": "https://icl.cs.utk.edu/projects/papi/downloads/papi-7.1.0.tar.gz" } } }, @@ -16273,8 +16253,8 @@ "type": "other", "other": { "name": "paps", - "version": "0.6.8", - "downloadUrl": "http://downloads.sourceforge.net/paps/paps-0.6.8.tar.gz" + "version": "0.8.0", + "downloadUrl": "https://github.com/dov/paps/releases/download/v0.8.0/paps-0.8.0.tar.gz" } } }, @@ -16668,16 +16648,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "perl-BDB", - "version": "1.92", - "downloadUrl": "https://cpan.metacpan.org/authors/id/M/ML/MLEHMANN/BDB-1.92.tar.gz" - } - } - }, { "component": { "type": "other", @@ -18813,8 +18783,8 @@ "type": "other", "other": { "name": "perl-Locale-Maketext-Gettext", - "version": "1.30", - "downloadUrl": "https://cpan.metacpan.org/authors/id/I/IM/IMACAT/Locale-Maketext-Gettext-1.30.tar.gz" + "version": "1.32", + "downloadUrl": "https://cpan.metacpan.org/authors/id/I/IM/IMACAT/Locale-Maketext-Gettext-1.32.tar.gz" } } }, @@ -21078,6 +21048,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-Type-Tiny", + "version": "2.008002", + "downloadUrl": "https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/Type-Tiny-2.008002.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -21553,8 +21533,8 @@ "type": "other", "other": { "name": "php", - "version": "8.3.19", - "downloadUrl": "https://www.php.net/distributions/php-8.3.19.tar.xz" + "version": "8.3.23", + "downloadUrl": "https://www.php.net/distributions/php-8.3.23.tar.xz" } } }, @@ -21973,8 +21953,8 @@ "type": "other", "other": { "name": "postgresql", - "version": "16.7", - "downloadUrl": "https://ftp.postgresql.org/pub/source/v16.7/postgresql-16.7.tar.bz2" + "version": "16.10", + "downloadUrl": "https://ftp.postgresql.org/pub/source/v16.10/postgresql-16.10.tar.bz2" } } }, @@ -22003,8 +21983,8 @@ "type": "other", "other": { "name": "ppp", - "version": "2.4.7", - "downloadUrl": "ftp://ftp.samba.org/pub/ppp/ppp-2.4.7.tar.gz" + "version": "2.5.0", + "downloadUrl": "https://github.com/paulusmack/ppp/archive/ppp-2.5.0.tar.gz" } } }, @@ -22068,16 +22048,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "prometheus", - "version": "2.45.4", - "downloadUrl": "https://github.com/prometheus/prometheus/archive/refs/tags/v2.45.4.tar.gz" - } - } - }, { "component": { "type": "other", @@ -22343,8 +22313,8 @@ "type": "other", "other": { "name": "PyGreSQL", - "version": "5.2.2", - "downloadUrl": "https://github.com/PyGreSQL/PyGreSQL/archive/5.2.2/PyGreSQL-5.2.2.tar.gz" + "version": "6.0.1", + "downloadUrl": "https://github.com/PyGreSQL/PyGreSQL/archive/refs/tags/6.0.1.tar.gz" } } }, @@ -23398,6 +23368,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-geomet", + "version": "1.1.0", + "downloadUrl": "https://github.com/geomet/geomet/archive/refs/tags/1.1.0.tar.gz" + } + } + }, { "component": { "type": "other", 
@@ -23768,6 +23748,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-junit_xml", + "version": "1.9^20200222gitba89b41", + "downloadUrl": "https://github.com/kyrus/python-junit-xml/archive/ba89b41638df8ad2011c2818672f208a91a5a4a0/python-junit-xml-ba89b41638df8ad2011c2818672f208a91a5a4a0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -25548,16 +25538,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "python-sphinxygen", - "version": "1.0.2", - "downloadUrl": "https://gitlab.com/drobilla/sphinxygen/-/archive/v1.0.2/sphinxygen-v1.0.2.tar.gz" - } - } - }, { "component": { "type": "other", @@ -26343,8 +26323,8 @@ "type": "other", "other": { "name": "qpdf", - "version": "10.1.0", - "downloadUrl": "http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-10.1.0.tar.gz" + "version": "11.9.1", + "downloadUrl": "https://github.com/qpdf/qpdf/releases/download/v11.9.1/qpdf-11.9.1.tar.gz" } } }, @@ -27029,46 +27009,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-async", - "version": "2.8.0", - "downloadUrl": "https://github.com/socketry/async/archive/refs/tags/v2.8.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-async-http", - "version": "0.63.0", - "downloadUrl": "https://github.com/socketry/async-http/archive/refs/tags/v0.63.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-async-io", - "version": "1.35.0", - "downloadUrl": "https://github.com/socketry/async-io/archive/refs/tags/v1.35.0.tar.gz" - } - } - }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-async-pool", - "version": "0.4.0", - "downloadUrl": "https://github.com/socketry/async-pool/archive/refs/tags/v0.4.0.tar.gz" - } - } - }, { "component": { "type": "other", 
@@ -27119,16 +27059,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-console", - "version": "1.23.3", - "downloadUrl": "https://github.com/socketry/console/archive/refs/tags/v1.23.3.tar.gz" - } - } - }, { "component": { "type": "other", @@ -27299,16 +27229,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "rubygem-faraday-patron", - "version": "2.0.1", - "downloadUrl": "https://github.com/lostisland/faraday-patron/archive/refs/tags/v2.0.1.tar.gz" - } - } - }, { "component": { "type": "other", @@ -27774,8 +27694,8 @@ "type": "other", "other": { "name": "rubygem-rexml", - "version": "3.3.4", - "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.3.4.tar.gz" + "version": "3.3.9", + "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.3.9.tar.gz" } } }, @@ -28074,8 +27994,18 @@ "type": "other", "other": { "name": "rust", - "version": "1.85.0", - "downloadUrl": "https://static.rust-lang.org/dist/rustc-1.85.0-src.tar.xz" + "version": "1.75.0", + "downloadUrl": "https://static.rust-lang.org/dist/rustc-1.75.0-src.tar.xz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "rust", + "version": "1.86.0", + "downloadUrl": "https://static.rust-lang.org/dist/rustc-1.86.0-src.tar.xz" } } }, @@ -28393,9 +28323,9 @@ "component": { "type": "other", "other": { - "name": "SDL", - "version": "1.2.15", - "downloadUrl": "https://github.com/libsdl-org/SDL-1.2/archive/refs/tags/release-1.2.15.tar.gz" + "name": "sdl12-compat", + "version": "1.2.68", + "downloadUrl": "https://github.com/libsdl-org/sdl12-compat/archive/release-1.2.68/sdl12-compat-1.2.68.tar.gz" } } }, @@ -28404,8 +28334,8 @@ "type": "other", "other": { "name": "SDL2", - "version": "2.24.0", - "downloadUrl": "https://www.libsdl.org/release/SDL2-2.24.0.tar.gz" + "version": "2.30.9", + "downloadUrl": "https://www.libsdl.org/release/SDL2-2.30.9.tar.gz" } } }, 
@@ -28474,8 +28404,8 @@ "type": "other", "other": { "name": "serd", - "version": "0.30.2", - "downloadUrl": "https://download.drobilla.net/serd-0.30.2.tar.bz2" + "version": "0.32.4", + "downloadUrl": "https://download.drobilla.net/serd-0.32.4.tar.xz" } } }, @@ -28856,8 +28786,8 @@ "type": "other", "other": { "name": "sord", - "version": "0.16.4", - "downloadUrl": "https://download.drobilla.net/sord-0.16.4.tar.bz2" + "version": "0.16.18", + "downloadUrl": "https://download.drobilla.net/sord-0.16.18.tar.xz" } } }, @@ -29076,8 +29006,8 @@ "type": "other", "other": { "name": "sratom", - "version": "0.6.10", - "downloadUrl": "https://download.drobilla.net/sratom-0.6.10.tar.bz2" + "version": "0.6.16", + "downloadUrl": "https://download.drobilla.net/sratom-0.6.16.tar.xz" } } }, @@ -29176,8 +29106,8 @@ "type": "other", "other": { "name": "strongswan", - "version": "5.9.12", - "downloadUrl": "https://download.strongswan.org/strongswan-5.9.12.tar.bz2" + "version": "5.9.14", + "downloadUrl": "https://download.strongswan.org/strongswan-5.9.14.tar.bz2" } } }, @@ -29226,8 +29156,8 @@ "type": "other", "other": { "name": "sudo", - "version": "1.9.15p5", - "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz" + "version": "1.9.17", + "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.17.tar.gz" } } }, @@ -29306,8 +29236,8 @@ "type": "other", "other": { "name": "SymCrypt-OpenSSL", - "version": "1.8.1", - "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.8.1.tar.gz" + "version": "1.9.1", + "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.9.1.tar.gz" } } }, @@ -29456,8 +29386,8 @@ "type": "other", "other": { "name": "tang", - "version": "14", - "downloadUrl": "https://github.com/latchset/tang/archive/refs/tags/v14.tar.gz" + "version": "15", + "downloadUrl": "https://github.com/latchset/tang/releases/download/v15/tang-15.tar.xz" } } }, 
@@ -29471,6 +29401,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "tardev-snapshotter", + "version": "3.2.0.tardev1", + "downloadUrl": "https://github.com/microsoft/kata-containers/archive/refs/tags/3.2.0.tardev1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -30236,8 +30176,8 @@ "type": "other", "other": { "name": "usbguard", - "version": "1.1.0", - "downloadUrl": "https://github.com/USBGuard/usbguard/releases/download/usbguard-1.1.0/usbguard-1.1.0.tar.gz" + "version": "1.1.3", + "downloadUrl": "https://github.com/USBGuard/usbguard/releases/download/usbguard-1.1.3/usbguard-1.1.3.tar.gz" } } }, @@ -30406,8 +30346,8 @@ "type": "other", "other": { "name": "valkey", - "version": "8.0.3", - "downloadUrl": "https://github.com/valkey-io/valkey/archive/refs/tags/8.0.3.tar.gz" + "version": "8.0.4", + "downloadUrl": "https://github.com/valkey-io/valkey/archive/refs/tags/8.0.4.tar.gz" } } }, @@ -30456,8 +30396,8 @@ "type": "other", "other": { "name": "vim", - "version": "9.1.1198", - "downloadUrl": "https://github.com/vim/vim/archive/v9.1.1198.tar.gz" + "version": "9.1.1552", + "downloadUrl": "https://github.com/vim/vim/archive/v9.1.1552.tar.gz" } } }, @@ -30746,8 +30686,8 @@ "type": "other", "other": { "name": "wireshark", - "version": "4.0.8", - "downloadUrl": "https://wireshark.org/download/src/wireshark-4.0.8.tar.xz" + "version": "4.4.7", + "downloadUrl": "https://wireshark.org/download/src/wireshark-4.4.7.tar.xz" } } }, @@ -30848,7 +30788,7 @@ "other": { "name": "xalan-j2", "version": "2.7.2", - "downloadUrl": "http://www.apache.org/dist/xalan/xalan-j/source/xalan-j_2_7_2-src.tar.gz" + "downloadUrl": "https://archive.apache.org/dist/xalan/xalan-j/source/xalan-j_2_7_2-src.tar.gz" } } }, @@ -31964,6 +31904,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "zix", + "version": "0.6.2", + "downloadUrl": "https://download.drobilla.net/zix-0.6.2.tar.xz" + } + } + }, { "component": { "type": "other", 
diff --git a/toolkit/Makefile b/toolkit/Makefile index 759b698370..93d79f7e62 100644 --- a/toolkit/Makefile +++ b/toolkit/Makefile @@ -135,6 +135,9 @@ SRPMS_DIR ?= $(OUT_DIR)/SRPMS IMAGES_DIR ?= $(OUT_DIR)/images PRECACHER_SNAPSHOT ?= $(rpms_snapshot) +# Turning on non-fatal mode by default. The precacher is not critical to the build +# if the user is depending on failures from the precacher, it can be turned off with this option or with the tool directly. +PRECACHER_NON_FATAL ?= y # External source server SOURCE_URL ?= https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/sources diff --git a/toolkit/imageconfigs/baremetal-amd64.yaml b/toolkit/imageconfigs/baremetal-amd64.yaml new file mode 100644 index 0000000000..1e99c541fb --- /dev/null +++ b/toolkit/imageconfigs/baremetal-amd64.yaml @@ -0,0 +1,66 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 1024M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azure-linux + + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=ttyS0 + - rd.info + - log_buf_len=1M + + selinux: + mode: enforcing + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/baremetal-packages.yaml + - packagelists/base-image-packages.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/selinux.yaml + +scripts: + finalizeCustomization: + - path: scripts/cleanup.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - baremetal + - --variant + - Bare Metal Image + +output: + image: + format: vhdx diff --git a/toolkit/imageconfigs/baremetal-arm64.yaml b/toolkit/imageconfigs/baremetal-arm64.yaml new file mode 100644 index 0000000000..1e99c541fb --- /dev/null 
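Review bot: The comment added above `PRECACHER_NON_FATAL ?= y` in toolkit/Makefile does not say which value restores fatal behaviour, and its second sentence is hard to parse. This default means a failed precache no longer stops the build, so the opt-out should be explicit, e.g. `# Precacher failures are non-fatal by default; set PRECACHER_NON_FATAL=n to fail the build when precaching fails.` The `n` value is inferred from the `y` default and should be checked against where the variable is consumed, which is outside this hunk.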
+++ b/toolkit/imageconfigs/baremetal-arm64.yaml @@ -0,0 +1,66 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 1024M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azure-linux + + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=ttyS0 + - rd.info + - log_buf_len=1M + + selinux: + mode: enforcing + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/baremetal-packages.yaml + - packagelists/base-image-packages.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/selinux.yaml + +scripts: + finalizeCustomization: + - path: scripts/cleanup.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - baremetal + - --variant + - Bare Metal Image + +output: + image: + format: vhdx diff --git a/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/README.txt b/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/README.txt new file mode 100644 index 0000000000..57defbe840 --- /dev/null +++ b/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/README.txt 
@@ -0,0 +1,53 @@
+The ISO installer uses an attended_config.json file, generated by the toolkit from a configuration file,
+to facilitate OS installation. Imagecustomizer relies on the ISO installer and requires all necessary files
+including imager, liveinstaller, package list files, and attended_config.json to be present for ISO creation.
+Currently, manual intervention is necessary to update attended_config.json for Azure Linux 64k ISO (attended_config_aarch64_64k.json).
+Please note, each package json file should be included under both the ISO and OS sections in the imageconfigs/full-64k-arm64.yaml file.
+This will ensure generation of all required RPM packages for ISO installer.
+In the future, the Image Customizer tool will support fully automated end-to-end creation of the installer iso.
+For guidance on configuring attended_config_aarch64_64k.json, users should reference toolkit/imageconfigs/full-aarch64.json.
+Image Customizer tool requires that all necessary RPM packages for the target OS installation are available in the /RPMS directory.
+To obtain RPM packages from PMC, users may refer to the following sample post-installation script, which should be updated in
+`imageconfigs/postinstallscripts/imagecustomizer/isoinstaller_postinstalltask.sh`.
+
+# Sample post installation script for retrieving RPM Packages from PMC for Arm64 64K ISO Installer
+# isoinstaller_postinstalltask.sh
+
+# Create RPMS directory
+mkdir /RPMS
+
+# Path to the main config JSON
+CONFIG_JSON="/config/attended_config.json"
+CONFIG_DIR="$(dirname "$CONFIG_JSON")"
+
+echo "CONFIG_DIR: $CONFIG_DIR"
+echo "CONFIG_JSON: $CONFIG_JSON"
+
+# Find all package list files referenced in the config
+pkglist_files=( $(jq -r '.SystemConfigs[].PackageLists[]' "$CONFIG_JSON") )
+
+# Recursively parse and add each package and it dependencies to RPMS folder
+for pkglist in "${pkglist_files[@]}"; do
+ # Make path relative to config file directory
+ full_path="$CONFIG_DIR/$pkglist"
+ if [[ -f "$full_path" ]]; then
+ tdnf -y install --downloadonly --alldeps --nogpgcheck --downloaddir /RPMS $(jq -r '.packages[]' "$full_path")
+ fi
+done
+
+# Get kernel packages from KernelOptions (if present)
+tdnf -y install --downloadonly --alldeps --nogpgcheck --downloaddir /RPMS $(jq -r '.SystemConfigs[] | select(.KernelOptions) | .KernelOptions[]' "$CONFIG_JSON")
+
+
+# Create local ISO repo for RPMS directory
+createrepo /RPMS
+
+# RPM packages are generated under rootfs RPMS folder.
+# Hence update baseurl path
+sed -i 's|baseurl=file:///mnt/cdrom/RPMS|baseurl=file:///RPMS|' /etc/yum.repos.d/mariner-iso.repo
+
+# RPM packages should be installed from ISO local repo
+# Remove PMC official base repo from ISO
+rm -r /etc/yum.repos.d/azurelinux-official-base.rep
+
+# end of isoinstaller_postinstalltask.sh
diff --git a/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/attended_config_aarch64_64k.json b/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/attended_config_aarch64_64k.json
new file mode 100644
index 0000000000..20af5d2cdb
--- /dev/null
+++ b/toolkit/imageconfigs/files/imagecustomizer/isoinstaller/attended_config_aarch64_64k.json
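Review bot: Both `tdnf -y install --downloadonly` calls in the README's sample script pass `--nogpgcheck`, so the RPMs pulled from PMC into /RPMS, and later installed from the local ISO repo, are never signature-checked on the way in. Drop the flag so tdnf applies the repository's configured signature checking, e.g. `tdnf -y install --downloadonly --alldeps --downloaddir /RPMS ...`, or state in the README why verification is skipped. Separately, the last command removes `/etc/yum.repos.d/azurelinux-official-base.rep`, which looks like a truncated `.repo`; as written, `rm -r` would report a missing path and leave the official repo definition in place.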
@@ -0,0 +1,172 @@ +{ + "Disks": null, + "SystemConfigs": [ + { + "IsDefault": false, + "IsKickStartBoot": false, + "IsIsoInstall": true, + "BootType": "", + "EnableGrubMkconfig": true, + "EnableSystemdFirstboot": false, + "Hostname": "", + "Name": "Azure Linux Full", + "PackageLists": [ + "packages/hyperv-packages.json", + "packages/developer-packages.json", + "packages/virtualization-host-packages.json", + "packages/core-packages-image-aarch64.json", + "packages/core-tools-packages.json", + "packages/selinux-full.json", + "packages/virt-guest-packages.json", + "packages/ssh-server.json" + ], + "Packages": null, + "KernelOptions": { + "default": "kernel-64k" + }, + "KernelCommandLine": { + "CGroup": "", + "ImaPolicy": null, + "SELinux": "permissive", + "SELinuxPolicy": "", + "EnableFIPS": false, + "ExtraCommandLine": "efi_mmap_nr_slack_slots=256" + }, + "AdditionalFiles": { + "additionalfiles/99-dhcp-en.network": [ + { + "Path": "/etc/systemd/network/99-dhcp-en.network", + "Permissions": null + } + ] + }, + "PartitionSettings": null, + "PreInstallScripts": null, + "PostInstallScripts": null, + "FinalizeImageScripts": null, + "Networks": null, + "PackageRepos": null, + "Groups": null, + "Users": null, + "Encryption": { + "Enable": false, + "Password": "" + }, + "RemoveRpmDb": false, + "PreserveTdnfCache": false, + "EnableHidepid": false, + "DisableRpmDocs": false, + "OverrideRpmLocales": "" + }, + { + "IsDefault": false, + "IsKickStartBoot": false, + "IsIsoInstall": true, + "BootType": "", + "EnableGrubMkconfig": true, + "EnableSystemdFirstboot": false, + "Hostname": "", + "Name": "Azure Linux Core", + "PackageLists": [ + "packages/hyperv-packages.json", + "packages/core-packages-image-aarch64.json", + "packages/virt-guest-packages.json", + "packages/ssh-server.json" + ], + "Packages": null, + "KernelOptions": { + "default": "kernel-64k" + }, + "KernelCommandLine": { + "CGroup": "", + "ImaPolicy": null, + "SELinux": "", + "SELinuxPolicy": "", + "EnableFIPS": false, 
+ "ExtraCommandLine": "efi_mmap_nr_slack_slots=256" + }, + "AdditionalFiles": { + "additionalfiles/99-dhcp-en.network": [ + { + "Path": "/etc/systemd/network/99-dhcp-en.network", + "Permissions": null + } + ] + }, + "PartitionSettings": null, + "PreInstallScripts": null, + "PostInstallScripts": null, + "FinalizeImageScripts": null, + "Networks": null, + "PackageRepos": null, + "Groups": null, + "Users": null, + "Encryption": { + "Enable": false, + "Password": "" + }, + "RemoveRpmDb": false, + "PreserveTdnfCache": false, + "EnableHidepid": false, + "DisableRpmDocs": false, + "OverrideRpmLocales": "" + } + ], + "DefaultSystemConfig": { + "IsDefault": false, + "IsKickStartBoot": false, + "IsIsoInstall": true, + "BootType": "", + "EnableGrubMkconfig": true, + "EnableSystemdFirstboot": false, + "Hostname": "", + "Name": "Azure Linux Full", + "PackageLists": [ + "packages/hyperv-packages.json", + "packages/developer-packages.json", + "packages/virtualization-host-packages.json", + "packages/core-packages-image-aarch64.json", + "packages/core-tools-packages.json", + "packages/selinux-full.json", + "packages/virt-guest-packages.json", + "packages/ssh-server.json" + ], + "Packages": null, + "KernelOptions": { + "default": "kernel-64k" + }, + "KernelCommandLine": { + "CGroup": "", + "ImaPolicy": null, + "SELinux": "permissive", + "SELinuxPolicy": "", + "EnableFIPS": false, + "ExtraCommandLine": "efi_mmap_nr_slack_slots=256" + }, + "AdditionalFiles": { + "additionalfiles/99-dhcp-en.network": [ + { + "Path": "/etc/systemd/network/99-dhcp-en.network", + "Permissions": null + } + ] + }, + "PartitionSettings": null, + "PreInstallScripts": null, + "PostInstallScripts": null, + "FinalizeImageScripts": null, + "Networks": null, + "PackageRepos": null, + "Groups": null, + "Users": null, + "Encryption": { + "Enable": false, + "Password": "" + }, + "RemoveRpmDb": false, + "PreserveTdnfCache": false, + "EnableHidepid": false, + "DisableRpmDocs": false, + "OverrideRpmLocales": "" + } +} 
diff --git a/toolkit/imageconfigs/files/linuxguard/cloud.cfg b/toolkit/imageconfigs/files/linuxguard/cloud.cfg new file mode 100644 index 0000000000..ce096f3e00 --- /dev/null +++ b/toolkit/imageconfigs/files/linuxguard/cloud.cfg 
@@ -0,0 +1,97 @@ +# The top level settings are used as module +# and base configuration. + +# A set of users which may be applied and/or used by various modules +# when a 'default' entry is found it will reference the 'default_user' +# from the distro configuration specified below +users: + - default + +# If this is set, 'root' will not be able to ssh in and they +# will get a message to login instead as the default $user +# disable_root: false + +# This will cause the set+update hostname module to not operate (if true) +# preserve_hostname: false + +# If you use datasource_list array, keep array items in a single line. +# If you use multi line array, ds-identify script won't read array items. +# Example datasource config +# datasource: +# Ec2: +# metadata_urls: [ 'blah.com' ] +# timeout: 5 # (defaults to 50 seconds) +# max_wait: 10 # (defaults to 120 seconds) + +# The modules that run in the 'init' stage +cloud_init_modules: +# - seed_random +# - bootcmd +# - write_files +# - growpart +# - resizefs +# - disk_setup +# - mounts + - set_hostname +# - update_hostname +# - update_etc_hosts +# - ca_certs +# - rsyslog + - users_groups + - ssh +# - set_passwords + +# The modules that run in the 'config' stage +# cloud_config_modules: +# - ssh_import_id +# - keyboard +# - locale +# - spacewalk +# - yum_add_repo +# - ntp +# - timezone +# - disable_ec2_metadata +# - runcmd + +# The modules that run in the 'final' stage +# cloud_final_modules: +# - package_update_upgrade_install +# - write_files_deferred +# - puppet +# - chef +# - ansible +# - mcollective +# - salt_minion +# - reset_rmc +# - scripts_vendor +# - scripts_per_once +# - scripts_per_boot +# - scripts_per_instance +# - scripts_user +# - ssh_authkey_fingerprints +# - keys_to_console +# - install_hotplug +# - phone_home +# - final_message +# - power_state_change + +# System and/or distro specific settings +# (not accessible to handlers/transforms) +system_info: + # This will affect which distro class gets used + 
distro: azurelinux + # Default user name + that default users groups (if added/used) + default_user: + name: azurelinux + lock_passwd: True + gecos: Azure Linux + groups: [wheel] + sudo: ["ALL=(ALL) NOPASSWD:ALL"] + shell: /bin/bash + # network: + # renderers: ['networkd'] + # # Other config here will be given to the distro class and/or path classes + # paths: + # cloud_dir: /var/lib/cloud/ + # templates_dir: /etc/cloud/templates/ + ssh_svcname: sshd \ No newline at end of file diff --git a/toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage b/toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage new file mode 100644 index 0000000000..7a38656aa2 --- /dev/null +++ b/toolkit/imageconfigs/files/linuxguard/selinux-ci-uki.semanage @@ -0,0 +1,20 @@ +boolean -D +login -D +interface -D +user -D +port -D +node -D +fcontext -D +module -D +ibendport -D +ibpkey -D +permissive -D +boolean -m -1 cloudinit_manage_non_security +boolean -m -1 container_mounton_non_security +boolean -m -1 init_mounton_non_security +login -m -s ci_unconfined_u -r 's0' root +login -m -s ci_unconfined_u -r 's0' __default__ +fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*' +fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk' +fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script' +fcontext -a -e /etc/selinux /usr/etc/selinux diff --git a/toolkit/imageconfigs/files/osguard-ci/config.toml b/toolkit/imageconfigs/files/osguard-ci/config.toml new file mode 100644 index 0000000000..cc6c0852ec --- /dev/null +++ b/toolkit/imageconfigs/files/osguard-ci/config.toml 
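Review bot: The `default_user` block under `system_info` grants `sudo: ["ALL=(ALL) NOPASSWD:ALL"]`, and with `users_groups` and `ssh` enabled in `cloud_init_modules` that account is created at first boot, so whoever holds its SSH key is root-equivalent with no further check. For an image that this commit otherwise configures with verity and enforcing SELinux, either narrow the sudo rule or add a comment above it saying why unrestricted passwordless sudo is acceptable. `disable_root` is left commented out, so the effective value is whatever cloud-init defaults to; writing `disable_root: true` explicitly would make the intent visible. The file also ends without a trailing newline.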
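Review bot: This file is committed twice with identical content: `files/linuxguard/selinux-ci-uki.semanage` and `files/osguard/selinux-ci-uki.semanage` both carry blob id `7a38656aa2`, so the two SELinux customisation sets can drift apart silently once one of them is edited. A single shared source file referenced by both image configs would avoid that. The lines `login -m -s ci_unconfined_u -r 's0' root` and `login -m -s ci_unconfined_u -r 's0' __default__` remap every login, and the three `boolean -m -1 …` lines switch policy booleans on; nothing on this page says what `ci_unconfined_u` confines, so the rationale belongs in the commit description or beside the `additionalFiles` entry that installs the file.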
@@ -0,0 +1,58 @@ +version = 2 +# Explicitly defining no adjustment to Linux OOM Killer +oom_score = 0 +[plugins."io.containerd.grpc.v1.cri"] + # Enable SELinux labeling support for pods and containers + enable_selinux = true + # Use same infra container image as AKS does for pod sandboxes + sandbox_image = "mcr.microsoft.com/oss/kubernetes/pause:3.6" + [plugins."io.containerd.grpc.v1.cri".containerd] + # Set default snapshotter to erofs-snapshotter + snapshotter = "erofs" + # Allow snapshot annotations + disable_snapshot_annotations = false + # Explicitly define using runc for runtime + default_runtime_name = "runc" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + # Set default snapshotter to erofs for this runtime + snapshotter = "erofs" + # Explicitly define using runc v2 shim + runtime_type = "io.containerd.runc.v2" + # Section is configured by AKS but not strictly required in general + # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + # BinaryName = "/usr/bin/runc" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.untrusted] + # Explicitly define using runc v2 shim for runtime named "untrusted" + runtime_type = "io.containerd.runc.v2" + # Section is configured in AKS but not strictly required in general + # [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.untrusted.options] + # BinaryName = "/usr/bin/runc" + # Section is configured in AKS but not strictly required in general + # [plugins."io.containerd.grpc.v1.cri".registry] + # config_path = "/etc/containerd/certs.d" + # Section is configured in AKS but not strictly required in general + # [plugins."io.containerd.grpc.v1.cri".registry.headers] + # X-Meta-Source-Client = ["azure/aks"] + [plugins."io.containerd.grpc.v1.cri".cni] + # Set default locations for cni binary and config files + bin_dir = "/usr/libexec/cni" + conf_dir = "/etc/cni/net.d" + conf_template = "" +# Section is configured in AKS but not strictly required in general +# [metrics] + # 
address = "0.0.0.0:10257" + +[plugins."io.containerd.snapshotter.v1.erofs"] + # Optional: Additional mount options for overlayfs + ovl_mount_options = [] + # Enable dm-verity integrity verification in erofs layers + enable_dmverity = true + +[plugins."io.containerd.service.v1.diff-service"] + default = ["erofs"] + +[plugins."io.containerd.differ.v1.erofs"] + # Using well-known UUID for reproducibility of erofs container layers + mkfs_options = ["--sort=none", "-T 0", "--mkfs-time", "-Uc1b9d5a2-f162-11cf-9ece-0020afc76f16"] + # Enable use of tar index to more efficiently handle OCI image layers + enable_tar_index = true diff --git a/toolkit/imageconfigs/files/osguard/10-repart.conf b/toolkit/imageconfigs/files/osguard/10-repart.conf new file mode 100644 index 0000000000..e2041d7ff1 --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/10-repart.conf @@ -0,0 +1 @@ +add_dracutmodules+=" systemd-repart " diff --git a/toolkit/imageconfigs/files/osguard/additional-repo-files.repo b/toolkit/imageconfigs/files/osguard/additional-repo-files.repo new file mode 100644 index 0000000000..f5cabbf27e --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/additional-repo-files.repo @@ -0,0 +1,19 @@ +[azurelinux-cloud-native] +name=Azure Linux Cloud Native $releasever $basearch +baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/cloud-native/$basearch +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=1 +skip_if_unavailable=True +sslverify=1 + +[azurelinux-official-extended] +name=Azure Linux Official Extended $releasever $basearch +baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/extended/$basearch +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=1 +skip_if_unavailable=True +sslverify=1 diff --git a/toolkit/imageconfigs/files/osguard/chrony.conf b/toolkit/imageconfigs/files/osguard/chrony.conf new file mode 100644 index 0000000000..af0c2baa53 --- /dev/null 
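Review bot: The runtime handler named `untrusted` is configured with `runtime_type = "io.containerd.runc.v2"`, the same shim as the default `runc` handler, so a pod scheduled onto it gets no isolation beyond the default despite the name. The comment above it should say so, e.g. `# "untrusted" is an alias for plain runc; it adds no sandboxing over the default runtime`. The `untrusted` table also omits the `snapshotter = "erofs"` line that the `runc` table sets; it presumably falls back to the CRI-level default, but stating that would remove the question. Separately, `sandbox_image` references `pause:3.6` by tag; pinning it as `pause@sha256:DIGEST_PLACEHOLDER` would fit the integrity goal implied by `enable_dmverity = true`.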
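Review bot: Both repository sections set `skip_if_unavailable=True`, so a package transaction carries on without these repos when they cannot be reached, and a blocked or unreachable mirror never surfaces as an error. The signature settings (`gpgcheck=1`, `repo_gpgcheck=1`, `sslverify=1`) are what one wants; for update paths that must not silently miss security fixes, consider `skip_if_unavailable=False`, or add a comment in the file explaining why skipping is preferred.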
+++ b/toolkit/imageconfigs/files/osguard/chrony.conf 
@@ -0,0 +1,57 @@ +# CLOUD_IMG: This file was created/modified by the Cloud Image build process +# Welcome to the chrony configuration file. See chrony.conf(5) for more +# information about usable directives. +# Include configuration files found in /etc/chrony.conf.d. +confdir /etc/chrony.conf.d +# This will use (up to): +# - 4 sources from ntp.ubuntu.com which some are ipv6 enabled +# - 2 sources from 2.ubuntu.pool.ntp.org which is ipv6 enabled as well +# - 1 source from [01].ubuntu.pool.ntp.org each (ipv4 only atm) +# This means by default, up to 6 dual-stack and up to 2 additional IPv4-only +# sources will be used. +# At the same time it retains some protection against one of the entries being +# down (compare to just using one of the lines). See (LP: #1754358) for the +# discussion. +# +# About using servers from the NTP Pool Project in general see (LP: #104525). +# Approved by Ubuntu Technical Board on 2011-02-08. +# See http://www.pool.ntp.org/join.html for more information. +#pool ntp.ubuntu.com iburst maxsources 4 +#pool 0.ubuntu.pool.ntp.org iburst maxsources 1 +#pool 1.ubuntu.pool.ntp.org iburst maxsources 1 +#pool 2.ubuntu.pool.ntp.org iburst maxsources 2 +# Use time sources from DHCP. +sourcedir /run/chrony-dhcp +# This directive specify the location of the file containing ID/key pairs for +# NTP authentication. +keyfile /etc/chrony.keys +# This directive specify the file into which chronyd will store the rate +# information. +driftfile /var/lib/chrony/drift +# Save NTS keys and cookies. +ntsdumpdir /var/lib/chrony +# Uncomment the following line to turn logging on. +#log tracking measurements statistics +# Log files location. +logdir /var/log/chrony +# Stop bad estimates upsetting machine clock. +maxupdateskew 100.0 +# This directive enables kernel synchronisation (every 11 minutes) of the +# real-time clock. Note that it can’t be used along with the 'rtcfile' directive. 
+rtcsync +# Step the system clock instead of slewing it if the adjustment is larger than +# one second, with no limit to how many clock updates have occurred. +makestep 1.0 -1 +# Get TAI-UTC offset and leap seconds from the system tz database. +# This directive must be commented out when using time sources serving +# leap-smeared time. +leapsectz right/UTC +# Azure hosts are synchronized to internal Microsoft time servers that +# take their time from Microsoft-owned Stratum 1 devices. The Hyper-V +# drivers surface this time source as a PTP-based time source in the +# guest. This configures chrony to use it. This also causes chronyd +# to require the /dev/ptp_hyperv device; chronyd will fail to start if +# it is not present. If this line is removed (so chronyd no longer +# uses the /dev/ptp_hyperv device), also remove (or comment out) the +# /etc/systemd/system/chronyd.service.d/wait-for-ptp-hyperv.conf file. +refclock PHC /dev/ptp_hyperv poll 3 dpoll -2 offset 0 diff --git a/toolkit/imageconfigs/files/osguard/cloud.cfg b/toolkit/imageconfigs/files/osguard/cloud.cfg new file mode 100644 index 0000000000..f54126de33 --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/cloud.cfg 
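Review bot: `sourcedir /run/chrony-dhcp` stays enabled next to `refclock PHC /dev/ptp_hyperv`, so NTP servers announced over DHCP are added as unauthenticated time sources, and `makestep 1.0 -1` lets chronyd step the clock by any amount at any point in the system's lifetime. If the Hyper-V PTP device is meant to be the only source, as the closing comment block describes, drop the `sourcedir` line and bound the step with something like `makestep 1.0 3`. The header comments about `ntp.ubuntu.com` and the Ubuntu Technical Board come from another distribution's template and describe pools that are commented out here; trimming them would leave only text that applies to this image.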
@@ -0,0 +1,99 @@ +# The top level settings are used as module +# and base configuration. + +# A set of users which may be applied and/or used by various modules +# when a 'default' entry is found it will reference the 'default_user' +# from the distro configuration specified below +# users: +# - default + +# If this is set, 'root' will not be able to ssh in and they +# will get a message to login instead as the default $user +# disable_root: false + +# This will cause the set+update hostname module to not operate (if true) +# preserve_hostname: false + +# If you use datasource_list array, keep array items in a single line. +# If you use multi line array, ds-identify script won't read array items. +# Example datasource config +datasource: + Azure: + apply_network_config: false +# Ec2: +# metadata_urls: [ 'blah.com' ] +# timeout: 5 # (defaults to 50 seconds) +# max_wait: 10 # (defaults to 120 seconds) + +# The modules that run in the 'init' stage +cloud_init_modules: +# - seed_random +# - bootcmd +# - write_files +# - growpart +# - resizefs + - disk_setup + - mounts + - set_hostname +# - update_hostname +# - update_etc_hosts +# - ca_certs +# - rsyslog +# - users_groups +# - ssh +# - set_passwords + +# The modules that run in the 'config' stage +# cloud_config_modules: +# - ssh_import_id +# - keyboard +# - locale +# - spacewalk +# - yum_add_repo +# - ntp +# - timezone +# - disable_ec2_metadata +# - runcmd + +# The modules that run in the 'final' stage +# cloud_final_modules: +# - package_update_upgrade_install +# - write_files_deferred +# - puppet +# - chef +# - ansible +# - mcollective +# - salt_minion +# - reset_rmc +# - scripts_vendor +# - scripts_per_once +# - scripts_per_boot +# - scripts_per_instance +# - scripts_user +# - ssh_authkey_fingerprints +# - keys_to_console +# - install_hotplug +# - phone_home +# - final_message +# - power_state_change + +# System and/or distro specific settings +# (not accessible to handlers/transforms) +# system_info: +# # This will 
affect which distro class gets used +# distro: azurelinux +# # Default user name + that default users groups (if added/used) +# default_user: +# name: azurelinux +# lock_passwd: True +# gecos: Azure Linux +# groups: [wheel] +# sudo: ["ALL=(ALL) NOPASSWD:ALL"] +# shell: /bin/bash +# # network: +# # renderers: ['networkd'] +# # # Other config here will be given to the distro class and/or path classes +# # paths: +# # cloud_dir: /var/lib/cloud/ +# # templates_dir: /etc/cloud/templates/ +# ssh_svcname: sshd diff --git a/toolkit/imageconfigs/files/osguard/repart.d/10-esp.conf b/toolkit/imageconfigs/files/osguard/repart.d/10-esp.conf new file mode 100644 index 0000000000..d0cf3f965f --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/repart.d/10-esp.conf @@ -0,0 +1,5 @@ +[Partition] +Type=esp +Label=esp +SizeMinBytes=512M +SizeMaxBytes=512M diff --git a/toolkit/imageconfigs/files/osguard/repart.d/11-boot-a.conf b/toolkit/imageconfigs/files/osguard/repart.d/11-boot-a.conf new file mode 100644 index 0000000000..ab47b5f1ee --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/repart.d/11-boot-a.conf @@ -0,0 +1,5 @@ +[Partition] +Type=linux-generic +Label=boot-a +SizeMinBytes=100M +SizeMaxBytes=100M diff --git a/toolkit/imageconfigs/files/osguard/repart.d/12-usr-a.conf b/toolkit/imageconfigs/files/osguard/repart.d/12-usr-a.conf new file mode 100644 index 0000000000..e4f13f8e87 --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/repart.d/12-usr-a.conf @@ -0,0 +1,5 @@ +[Partition] +Type=linux-generic +Label=usr-a +SizeMinBytes=1G +SizeMaxBytes=1G diff --git a/toolkit/imageconfigs/files/osguard/repart.d/13-usr-hash-a.conf b/toolkit/imageconfigs/files/osguard/repart.d/13-usr-hash-a.conf new file mode 100644 index 0000000000..76b320ae55 --- /dev/null +++ b/toolkit/imageconfigs/files/osguard/repart.d/13-usr-hash-a.conf @@ -0,0 +1,5 @@ +[Partition] +Type=usr-verity +Label=usr-hash-a +SizeMinBytes=128M +SizeMaxBytes=128M 
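Review bot: The comment `# Example datasource config` now sits directly above a live `datasource:` / `Azure:` / `apply_network_config: false` block, so it reads as sample text although it is active configuration. Reword it to something like `# Azure datasource: cloud-init must not apply network config`. Unlike the linuxguard variant, `users`, `users_groups`, `ssh` and `system_info` are all commented out here; a short comment saying how accounts and SSH keys are provisioned instead, or that they are intentionally not, would spare readers from guessing. No `datasource_list` is set in this file, so which datasources get probed depends on configuration outside this hunk.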
diff --git a/toolkit/imageconfigs/files/osguard/repart.d/14-root-a.conf b/toolkit/imageconfigs/files/osguard/repart.d/14-root-a.conf
new file mode 100644
index 0000000000..ac15b7a5db
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/repart.d/14-root-a.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=root
+Label=root-a
+SizeMinBytes=12G
+Weight=1000
+GrowFileSystem=true
diff --git a/toolkit/imageconfigs/files/osguard/repart.d/15-boot-b.conf b/toolkit/imageconfigs/files/osguard/repart.d/15-boot-b.conf
new file mode 100644
index 0000000000..d2888de5c5
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/repart.d/15-boot-b.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=linux-generic
+Label=boot-b
+SizeMinBytes=100M
+SizeMaxBytes=100M
diff --git a/toolkit/imageconfigs/files/osguard/repart.d/16-usr-b.conf b/toolkit/imageconfigs/files/osguard/repart.d/16-usr-b.conf
new file mode 100644
index 0000000000..1563e76320
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/repart.d/16-usr-b.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=linux-generic
+Label=usr-b
+SizeMinBytes=1G
+SizeMaxBytes=1G
diff --git a/toolkit/imageconfigs/files/osguard/repart.d/17-usr-hash-b.conf b/toolkit/imageconfigs/files/osguard/repart.d/17-usr-hash-b.conf
new file mode 100644
index 0000000000..d20874a383
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/repart.d/17-usr-hash-b.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=usr-verity
+Label=usr-hash-b
+SizeMinBytes=128M
+SizeMaxBytes=128M
diff --git a/toolkit/imageconfigs/files/osguard/repart.d/18-root-b.conf b/toolkit/imageconfigs/files/osguard/repart.d/18-root-b.conf
new file mode 100644
index 0000000000..ed3b81d113
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/repart.d/18-root-b.conf
@@ -0,0 +1,6 @@
+[Partition]
+Type=root
+Label=root-b
+SizeMinBytes=12G
+Weight=1000
+GrowFileSystem=true
diff --git a/toolkit/imageconfigs/files/osguard/resolv-uplink-override.service b/toolkit/imageconfigs/files/osguard/resolv-uplink-override.service
new file mode 100644
index 0000000000..a7095011bb
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/resolv-uplink-override.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Symlink /etc/resolv.conf to /run/systemd/resolve/resolv.conf
+After=systemd-networkd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+RemainAfterExit=no
+
+[Install]
+RequiredBy=network-online.target kubelet.service
diff --git a/toolkit/imageconfigs/files/osguard/selinux-ci-uki.semanage b/toolkit/imageconfigs/files/osguard/selinux-ci-uki.semanage
new file mode 100644
index 0000000000..7a38656aa2
--- /dev/null
+++ b/toolkit/imageconfigs/files/osguard/selinux-ci-uki.semanage
@@ -0,0 +1,20 @@
+boolean -D
+login -D
+interface -D
+user -D
+port -D
+node -D
+fcontext -D
+module -D
+ibendport -D
+ibpkey -D
+permissive -D
+boolean -m -1 cloudinit_manage_non_security
+boolean -m -1 container_mounton_non_security
+boolean -m -1 init_mounton_non_security
+login -m -s ci_unconfined_u -r 's0' root
+login -m -s ci_unconfined_u -r 's0' __default__
+fcontext -a -f f -t bin_t -r 's0' '/etc/grub\.d/.*'
+fcontext -a -f f -t fsadm_exec_t -r 's0' '/usr/bin/lsblk'
+fcontext -a -f f -t bin_t -r 's0' '/usr/share/netplan/netplan\.script'
+fcontext -a -e /etc/selinux /usr/etc/selinux
diff --git a/toolkit/imageconfigs/full-64k-arm64.yaml b/toolkit/imageconfigs/full-64k-arm64.yaml
new file mode 100644
index 0000000000..8002c0d513
--- /dev/null
+++ b/toolkit/imageconfigs/full-64k-arm64.yaml
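Review bot: `RequiredBy=network-online.target kubelet.service` in resolv-uplink-override.service pulls the unit in but does not order it, so kubelet can start before the `ln -sf` has replaced `/etc/resolv.conf`. Add `Before=network-online.target kubelet.service` to the `[Unit]` section. The link target `/run/systemd/resolve/resolv.conf` is presumably written by systemd-resolved rather than systemd-networkd, so `After=systemd-resolved.service` looks closer to the ordering that was meant. Because the dependency is `RequiredBy`, a failed `ln` also keeps kubelet from starting; if the override is meant as best-effort, `WantedBy` expresses that.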
@@ -0,0 +1,148 @@ +storage: + bootType: efi + disks: + - partitionTableType: gpt + maxSize: 8G + partitions: + - id: esp + type: esp + size: 9M + - id: boot + size: 200M + - id: root + size: grow + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + - deviceId: boot + type: ext4 + mountPoint: + path: /boot + - deviceId: root + type: ext4 + mountPoint: + path: / +os: + bootloader: + resetType: hard-reset + + kernelCommandLine: + extraCommandLine: + - efi_mmap_nr_slack_slots=256 + - console=tty0 + - console=ttyS0,115200n8 + + packages: + install: + - kernel-64k + - kernel-64k-drivers-accessibility + - kernel-64k-drivers-sound + - createrepo_c + - jq + # iso required packages + - squashfs-tools + - tar + - device-mapper + - curl + + installLists: + - packagelists/isoinstaller-64k-packages.yaml + + remove: + - kernel + + additionalFiles: + - source: ../out/tools/imager + destination: /installer/imager + - source: ../out/tools/liveinstaller + destination: /installer/liveinstaller + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/init + destination: /init + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/installer/calamares-EULA.txt + destination: /etc/calamares/azl-eula + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/installer/terminal-EULA.txt + destination: /installer/EULA.txt + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/root/asoundrc + destination: /root/.asoundrc + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller + destination: /root/runliveinstaller + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/root/silence.wav + destination: /root/silence.wav + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/usr/lib/mariner/terminfo/mariner-installer + destination: /usr/lib/mariner/terminfo/m/mariner-installer + - source: 
../resources/imageconfigs/additionalfiles/iso_initrd/usr/lib/systemd/system/getty@.service + destination: /usr/lib/systemd/system/getty@.service + - source: ../resources/imageconfigs/additionalfiles/iso_initrd/usr/lib/systemd/system/serial-getty@.service + destination: /usr/lib/systemd/system/serial-getty@.service + - source: ../resources/manifests/image/local.repo + destination: /etc/yum.repos.d/mariner-iso.repo + - source: additionalconfigs/99-dhcp-en.network + destination: /config/additionalfiles/99-dhcp-en.network + - source: packagelists/hyperv-packages.json + destination: /config/packages/hyperv-packages.json + - source: packagelists/developer-packages.json + destination: /config/packages/developer-packages.json + - source: packagelists/virtualization-host-packages.json + destination: /config/packages/virtualization-host-packages.json + - source: packagelists/core-packages-image-aarch64.json + destination: /config/packages/core-packages-image-aarch64.json + - source: packagelists/core-tools-packages.json + destination: /config/packages/core-tools-packages.json + - source: packagelists/selinux-full.json + destination: /config/packages/selinux-full.json + - source: packagelists/virt-guest-packages.json + destination: /config/packages/virt-guest-packages.json + - source: packagelists/ssh-server.json + destination: /config/packages/ssh-server.json + - source: files/imagecustomizer/isoinstaller/attended_config_aarch64_64k.json + destination: /config/attended_config.json + + additionalDirs: + - source: ./installer-pkgs + destination: /RPMS + + users: + - name: root + passwordExpiresDays: 99999 + startupCommand: /root/runliveinstaller + +scripts: + postCustomization: + - path: postinstallscripts/imagecustomizer/isoinstaller_postinstalltask.sh + finalizeCustomization: + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - full-64k + - --variant + - ISO installer for 64k Kernel + +iso: + additionalFiles: + - source: 
additionalconfigs/99-dhcp-en.network + destination: /config/additionalfiles/99-dhcp-en.network + - source: packagelists/hyperv-packages.json + destination: /config/packages/hyperv-packages.json + - source: packagelists/developer-packages.json + destination: /config/packages/developer-packages.json + - source: packagelists/virtualization-host-packages.json + destination: /config/packages/virtualization-host-packages.json + - source: packagelists/core-packages-image-aarch64.json + destination: /config/packages/core-packages-image-aarch64.json + - source: packagelists/core-tools-packages.json + destination: /config/packages/core-tools-packages.json + - source: packagelists/selinux-full.json + destination: /config/packages/selinux-full.json + - source: packagelists/virt-guest-packages.json + destination: /config/packages/virt-guest-packages.json + - source: packagelists/ssh-server.json + destination: /config/packages/ssh-server.json + - source: files/imagecustomizer/isoinstaller/attended_config_aarch64_64k.json + destination: /config/attended_config.json + +output: + image: + format: iso diff --git a/toolkit/imageconfigs/hyperv-guest-amd64.yaml b/toolkit/imageconfigs/hyperv-guest-amd64.yaml new file mode 100644 index 0000000000..d205380f30 --- /dev/null +++ b/toolkit/imageconfigs/hyperv-guest-amd64.yaml 
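Review bot: The ten `/config/...` entries (the `99-dhcp-en.network` file, the eight package lists and `attended_config.json`) are listed twice, once under `os.additionalFiles` and again under `iso.additionalFiles`, so adding or renaming a package list means editing both places, and a miss leaves the installer root filesystem and the ISO contents out of step. If both copies are needed, add a comment above each list saying why and that the two must stay identical; otherwise keep only one. The `esp` partition is sized `9M` while the other EFI configs in this commit use `8M`, `64M` or `512M`; a comment on the chosen size would help the next reader.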
@@ -0,0 +1,55 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 4096M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azurelinux + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/hyperv-packages.yaml + - packagelists/core-packages-image.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/virt-guest-packages.yaml + +scripts: + finalizeCustomization: + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - hyperv-guest + - --variant + - Hyper-V Guest Image + +output: + image: + format: vhdx diff --git a/toolkit/imageconfigs/hyperv-guest-arm64.yaml b/toolkit/imageconfigs/hyperv-guest-arm64.yaml new file mode 100644 index 0000000000..d205380f30 --- /dev/null +++ b/toolkit/imageconfigs/hyperv-guest-arm64.yaml @@ -0,0 +1,55 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 4096M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azurelinux + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/hyperv-packages.yaml + - packagelists/core-packages-image.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/virt-guest-packages.yaml + +scripts: + finalizeCustomization: + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - hyperv-guest + - --variant + - Hyper-V Guest Image + +output: + image: + format: vhdx 
diff --git a/toolkit/imageconfigs/linuxguard-amd64.yaml b/toolkit/imageconfigs/linuxguard-amd64.yaml
new file mode 100644
index 0000000000..b195567fe0
--- /dev/null
+++ b/toolkit/imageconfigs/linuxguard-amd64.yaml
@@ -0,0 +1,217 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + partitions: + - id: esp + type: esp + label: esp + size: 512M + + - id: boot-a + type: linux-generic + size: 1G + + - id: boot-b + type: linux-generic + size: 1G + + - id: root-a + type: root + size: 4G + + - id: root-b + type: root + size: 4G + + - id: usr-a + type: linux-generic + size: 1G + + - id: usr-b + type: linux-generic + size: 1G + + - id: usr-hash-a + type: usr-verity + size: 128M + + - id: usr-hash-b + type: usr-verity + size: 128M + + - id: trident + type: linux-generic + label: trident + size: 512M + + - id: home + type: linux-generic + label: home + size: 128M + + verity: + - id: usrverity + name: usr + dataDeviceId: usr-a + hashDeviceId: usr-hash-a + dataDeviceMountIdType: uuid + hashDeviceMountIdType: uuid + hashSignaturePath: /boot/usr.hash.sig + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + idType: part-label + path: /boot/efi + options: nodev,noexec,umask=0077 + + - deviceId: boot-a + type: ext4 + mountPoint: + idType: uuid + path: /boot + options: nodev,noexec,nosuid + + - deviceId: root-a + type: ext4 + mountPoint: + path: / + options: nodev,nosuid + + - deviceId: usrverity + type: ext4 + mountPoint: + path: /usr + options: nodev,ro + + - deviceId: trident + type: ext4 + mountPoint: + idType: part-label + path: /var/lib/trident + options: nodev,noexec,nosuid + + - deviceId: home + type: ext4 + mountPoint: + idType: part-label + path: /home + options: nodev,noexec,nosuid + +os: + bootloader: + resetType: hard-reset + hostname: azure-linux-guard + + selinux: + mode: enforcing + + uki: + kernels: auto + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=tty1 + - console=ttyS0 + - rd.luks=0 + - rd.hostonly=0 + - ipe.enforce=0 + - net.ifnames=1 + + packages: + remove: + - dracut-hostonly # Not used for UKI images + - grub2-efi-binary # Replaced by systemd-boot + - kernel # Replaced by kernel-ipe + install: + - openssh-server + - 
syslog + - WALinuxAgent + # OS + - device-mapper + - kernel-ipe + # servicing + # - trident + # - trident-service + - veritysetup + # OCI + - cni + - containerd2 + - cri-tools + # - erofs-utils + # - notation + # - tardev-snapshotter + # UKI + - systemd-boot + # hyperv + - dracut-hyperv + - hyperv-daemons + # cloud-init + - cloud-init + # selinux + - checkpolicy + - libselinux + - policycoreutils-python-utils + - secilc + - selinux-policy + - selinux-policy-ci + - selinux-policy-modules + - setools-console + + additionalFiles: + # SELinux customizations + - source: files/linuxguard/selinux-ci-uki.semanage + destination: /etc/selinux/targeted/selinux-ci.semanage + # Cloud-init configuration + - source: files/linuxguard/cloud.cfg + destination: /etc/cloud/cloud.cfg + permissions: "644" + + services: + enable: + - sshd + - systemd-networkd + - systemd-resolved + +scripts: + postCustomization: + # Various performance tuning steps + - path: scripts/common/performance-tuning.sh + # Config AzureLinuxAgent + - path: scripts/common/azlinuxagentconfig.sh + # Disable unused SELinux policy modules and configure SELinux policy for CI + - path: scripts/common/selinux-ci-config.py + interpreter: /usr/bin/python3 + # Ensure the /etc/machine-id is cleared before the first boot + - path: scripts/common/cleanup-machineid.sh + # Move CNI binaries from /opt to /usr for IPE + - path: scripts/common/prepare_trusted_cni_plugins.sh + # Move iptables scripts from /etc to /usr for IPE + - path: scripts/common/move-iptables-scripts-to-usr.sh + # Disable exec and suid on /tmp + - path: scripts/common/tmp-no-exec.sh + # Remove ImportCredential from getty services to avoid boot log warnings + - path: scripts/common/remove-getty-import-credential.sh + # Set OS release variant entries + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - linuxguard + - --variant + - Linux Guard Image + +output: + artifacts: + items: + - verity-hash + - ukis + path: ./output + image: 
+ format: vhd + +previewFeatures: + - output-artifacts + - uki diff --git a/toolkit/imageconfigs/marketplace-gen1-amd64.yaml b/toolkit/imageconfigs/marketplace-gen1-amd64.yaml new file mode 100644 index 0000000000..575bf03310 --- /dev/null +++ b/toolkit/imageconfigs/marketplace-gen1-amd64.yaml @@ -0,0 +1,76 @@ +storage: + bootType: legacy + + disks: + - partitionTableType: gpt + maxSize: 5000M + partitions: + - id: reserved + type: bios-grub + size: 8M + + - id: boot + type: xbootldr + size: 500M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: boot + type: ext4 + mountPoint: + path: /boot + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azurelinux + + kernelCommandLine: + extraCommandLine: + - console=ttyS0 + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/azurevm-packages.yaml + - packagelists/core-packages-image.yaml + - packagelists/hyperv-packages.yaml + - packagelists/marketplace-tools-packages.yaml + + additionalFiles: + - source: additionalconfigs/51-ptp-hyperv.rules + destination: /etc/udev/rules.d/51-ptp-hyperv.rules + + - source: additionalconfigs/chrony.cfg + destination: /etc/chrony.conf + + - source: additionalconfigs/cloud-init.cfg + destination: /etc/cloud/cloud.cfg + + - source: additionalconfigs/wait-for-ptp-hyperv.conf + destination: /etc/systemd/system/chronyd.service.d/wait-for-ptp-hyperv.conf + +scripts: + finalizeCustomization: + - path: additionalconfigs/configure-systemd-networkd.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - marketplace-gen1 + - --variant + - Marketplace (Gen1) Image + +output: + image: + format: vhd diff --git a/toolkit/imageconfigs/marketplace-gen2-amd64.yaml b/toolkit/imageconfigs/marketplace-gen2-amd64.yaml new file mode 100644 index 0000000000..756e7c6408 --- /dev/null +++ b/toolkit/imageconfigs/marketplace-gen2-amd64.yaml 
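Review bot: `ipe.enforce=0` in `os.kernelCommandLine.extraCommandLine` of linuxguard-amd64.yaml boots IPE in permissive mode, so the work this config does for IPE (installing `kernel-ipe`, running `prepare_trusted_cni_plugins.sh` and `move-iptables-scripts-to-usr.sh`) yields audit records at most and blocks nothing. If that is a deliberate bring-up step, put a comment on the line, e.g. `# IPE audit-only for now; remove once the policy is validated`, so the setting does not ship by accident. Only `/usr` is covered by the `verity` entry; `root-a` is a writable ext4 mounted `nodev,nosuid` without `noexec`, which is worth stating next to the mount options given that `/boot`, `/home` and `/var/lib/trident` all carry `noexec`.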
@@ -0,0 +1,82 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 5000M + partitions: + - id: esp + type: esp + size: 64M + + - id: boot + type: xbootldr + size: 500M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: boot + type: ext4 + mountPoint: + path: /boot + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azurelinux + + kernelCommandLine: + extraCommandLine: + - console=ttyS0 + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/azurevm-packages.yaml + - packagelists/core-packages-image.yaml + - packagelists/hyperv-packages.yaml + - packagelists/marketplace-tools-packages.yaml + + additionalFiles: + - source: additionalconfigs/51-ptp-hyperv.rules + destination: /etc/udev/rules.d/51-ptp-hyperv.rules + + - source: additionalconfigs/chrony.cfg + destination: /etc/chrony.conf + + - source: additionalconfigs/cloud-init.cfg + destination: /etc/cloud/cloud.cfg + + - source: additionalconfigs/wait-for-ptp-hyperv.conf + destination: /etc/systemd/system/chronyd.service.d/wait-for-ptp-hyperv.conf + +scripts: + finalizeCustomization: + - path: additionalconfigs/configure-systemd-networkd.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - marketplace-gen2 + - --variant + - Marketplace (Gen2) Image + +output: + image: + format: vhd diff --git a/toolkit/imageconfigs/marketplace-gen2-arm64.yaml b/toolkit/imageconfigs/marketplace-gen2-arm64.yaml new file mode 100644 index 0000000000..7c2a302ebd --- /dev/null +++ b/toolkit/imageconfigs/marketplace-gen2-arm64.yaml 
@@ -0,0 +1,85 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 5000M + partitions: + - id: esp + type: esp + size: 64M + + - id: boot + type: xbootldr + size: 500M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: boot + type: ext4 + mountPoint: + path: /boot + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azurelinux + + kernelCommandLine: + extraCommandLine: + - console=tty1 + - console=ttyAMA0 + - earlycon=pl011,0xeffec000 + - initcall_blacklist=arm_pmu_acpi_init + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/azurevm-packages.yaml + - packagelists/core-packages-image.yaml + - packagelists/hyperv-packages.yaml + - packagelists/marketplace-tools-packages.yaml + + additionalFiles: + - source: additionalconfigs/51-ptp-hyperv.rules + destination: /etc/udev/rules.d/51-ptp-hyperv.rules + + - source: additionalconfigs/chrony.cfg + destination: /etc/chrony.conf + + - source: additionalconfigs/cloud-init.cfg + destination: /etc/cloud/cloud.cfg + + - source: additionalconfigs/wait-for-ptp-hyperv.conf + destination: /etc/systemd/system/chronyd.service.d/wait-for-ptp-hyperv.conf + +scripts: + finalizeCustomization: + - path: additionalconfigs/configure-systemd-networkd.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - marketplace-gen2 + - --variant + - Marketplace (Gen2) Image + +output: + image: + format: vhd diff --git a/toolkit/imageconfigs/minimal-os-aarch64.json b/toolkit/imageconfigs/minimal-os-aarch64.json new file mode 100644 index 0000000000..f42063b715 --- /dev/null +++ b/toolkit/imageconfigs/minimal-os-aarch64.json 
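Review bot: In marketplace-gen2-arm64.yaml the `extraCommandLine` entries `earlycon=pl011,0xeffec000` and `initcall_blacklist=arm_pmu_acpi_init` carry no comment. The second one disables a kernel initcall, so a later maintainer cannot tell what it works around or when it is safe to drop. Add a YAML comment above each entry, for example `# Workaround: <reason / tracking issue placeholder>; remove once resolved` above the `initcall_blacklist` line. The hard-coded `earlycon` address would likewise benefit from a note on which platform it applies to.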
@@ -0,0 +1,55 @@ +{ + "Disks": [ + { + "PartitionTableType": "gpt", + "MaxSize": 600, + "Artifacts": [ + { + "Name": "minimal-os", + "Type": "vhdx" + } + ], + "Partitions": [ + { + "ID": "boot", + "Flags": [ + "esp", + "boot" + ], + "Start": 1, + "End": 9, + "FsType": "fat32" + }, + { + "ID": "rootfs", + "Start": 9, + "End": 0, + "FsType": "ext4" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "Standard", + "BootType": "efi", + "PartitionSettings": [ + { + "ID": "boot", + "MountPoint": "/boot/efi", + "MountOptions": "umask=0077" + }, + { + "ID": "rootfs", + "MountPoint": "/" + } + ], + "PackageLists": [ + "packagelists/minimal-os-packages.json" + ], + "KernelOptions": { + "default": "kernel" + } + } + ] +} diff --git a/toolkit/imageconfigs/osguard-amd64.yaml b/toolkit/imageconfigs/osguard-amd64.yaml new file mode 100644 index 0000000000..6127150610 --- /dev/null +++ b/toolkit/imageconfigs/osguard-amd64.yaml 
@@ -0,0 +1,203 @@ +# This file was automatically generated by merge_yaml.py +# Sources: base=templates/osguard-base.yaml delta=templates/osguard-no-ci-delta.yaml + +storage: + bootType: efi + disks: + - partitionTableType: gpt + maxSize: 40G + partitions: + - id: esp + type: esp + label: esp + size: 512M + - id: boot-a + type: linux-generic + label: boot-a + size: 100M + - id: usr-a + type: linux-generic + size: 1G + - id: usr-hash-a + type: usr-verity + size: 128M + - id: root-a + type: root + label: root-a + size: 12G + verity: + - id: usrverity + name: usr + dataDeviceId: usr-a + hashDeviceId: usr-hash-a + dataDeviceMountIdType: uuid + hashDeviceMountIdType: uuid + hashSignaturePath: /boot/usr.hash.sig + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + idType: part-label + path: /boot/efi + options: nodev,noexec,umask=0077 + - deviceId: boot-a + type: ext4 + mountPoint: + idType: uuid + path: /boot + options: nodev,noexec,nosuid + - deviceId: usrverity + type: ext4 + mountPoint: + path: /usr + options: nodev,ro + - deviceId: root-a + type: ext4 + mountPoint: + path: / + options: nodev,nosuid,x-systemd.growfs,x-initrd.mount +os: + bootloader: + resetType: hard-reset + hostname: azure-linux-os-guard + selinux: + mode: permissive + uki: + kernels: auto + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=tty1 + - console=ttyS0 + - rd.luks=0 + - rd.hostonly=0 + - fips=1 + - net.ifnames=1 + - ipe.enforce=0 + packages: + remove: + - dracut-hostonly + - grub2-efi-binary + - kernel + install: + - syslog + - WALinuxAgent + - device-mapper + - kernel-ipe + - cni + - containerd2 + - cri-tools + - systemd-boot + - dracut-hyperv + - hyperv-daemons + - cloud-init + - checkpolicy + - libselinux + - policycoreutils-python-utils + - secilc + - selinux-policy + - selinux-policy-ci + - selinux-policy-modules + - setools-console + - systemd-ukify + - systemd-boot + - efibootmgr + - lvm2 + - veritysetup + - selinux-policy + - selinux-policy-modules + - 
gptfdisk + - curl + - bind-utils + - tar + - wget + - blobfuse2 + - ca-certificates + - chrony + - cifs-utils + - cloud-init-azure-kvp + - conntrack-tools + - cracklib + - ebtables + - ethtool + - fuse + - inotify-tools + - iotop + - iproute + - ipset + - iptables + - iscsi-initiator-utils + - jq + - logrotate + - lsof + - netplan + - nftables + - nmap-ncat + - nfs-utils + - oras + - pam + - psmisc + - rsyslog + - socat + - sysstat + - traceroute + - util-linux + - xz + - zip + additionalDirs: + - source: files/osguard/repart.d + destination: /etc/repart.d + childFilePermissions: 644 + additionalFiles: + - source: files/osguard/selinux-ci-uki.semanage + destination: /etc/selinux/targeted/selinux-ci.semanage + - source: files/osguard/cloud.cfg + destination: /etc/cloud/cloud.cfg + permissions: '644' + - source: files/osguard/10-repart.conf + destination: /etc/dracut.conf.d/10-repart.conf + permissions: '644' + - source: files/osguard/chrony.conf + destination: /etc/chrony.conf + permissions: '644' + - source: files/osguard/resolv-uplink-override.service + destination: /etc/systemd/system/resolv-uplink-override.service + permissions: '600' + services: + disable: + - sshd + enable: + - systemd-networkd + - systemd-resolved + modules: + - name: iptable_nat + loadMode: always +scripts: + postCustomization: + - path: scripts/common/performance-tuning.sh + - path: scripts/common/azlinuxagentconfig.sh + - path: scripts/common/selinux-ci-config.py + interpreter: /usr/bin/python3 + - path: scripts/common/cleanup-machineid.sh + - path: scripts/common/prepare_trusted_cni_plugins.sh + - path: scripts/common/move-iptables-scripts-to-usr.sh + - path: scripts/common/tmp-no-exec.sh + - path: scripts/common/remove-getty-import-credential.sh + - path: scripts/osguard/create-empty-certs-dir.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - osguard + - --variant + - OS Guard Image +output: + artifacts: + items: + - verity-hash + - ukis + path: 
./output + image: + format: vhdx +previewFeatures: +- output-artifacts +- uki diff --git a/toolkit/imageconfigs/osguard-ci-amd64.yaml b/toolkit/imageconfigs/osguard-ci-amd64.yaml new file mode 100644 index 0000000000..f79ab9d44d --- /dev/null +++ b/toolkit/imageconfigs/osguard-ci-amd64.yaml 
@@ -0,0 +1,209 @@ +# This file was automatically generated by merge_yaml.py +# Sources: base=templates/osguard-base.yaml delta=templates/osguard-ci-delta.yaml + +storage: + bootType: efi + disks: + - partitionTableType: gpt + maxSize: 40G + partitions: + - id: esp + type: esp + label: esp + size: 512M + - id: boot-a + type: linux-generic + label: boot-a + size: 100M + - id: usr-a + type: linux-generic + size: 1G + - id: usr-hash-a + type: usr-verity + size: 128M + - id: root-a + type: root + label: root-a + size: 12G + verity: + - id: usrverity + name: usr + dataDeviceId: usr-a + hashDeviceId: usr-hash-a + dataDeviceMountIdType: uuid + hashDeviceMountIdType: uuid + hashSignaturePath: /boot/usr.hash.sig + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + idType: part-label + path: /boot/efi + options: nodev,noexec,umask=0077 + - deviceId: boot-a + type: ext4 + mountPoint: + idType: uuid + path: /boot + options: nodev,noexec,nosuid + - deviceId: usrverity + type: ext4 + mountPoint: + path: /usr + options: nodev,ro + - deviceId: root-a + type: ext4 + mountPoint: + path: / + options: nodev,nosuid,x-systemd.growfs,x-initrd.mount +os: + bootloader: + resetType: hard-reset + hostname: azure-linux-os-guard + selinux: + mode: enforcing + uki: + kernels: auto + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=tty1 + - console=ttyS0 + - rd.luks=0 + - rd.hostonly=0 + - fips=1 + - net.ifnames=1 + - dm_verity.require_signatures=1 + packages: + remove: + - dracut-hostonly + - grub2-efi-binary + - kernel + install: + - syslog + - WALinuxAgent + - device-mapper + - kernel-ipe + - cni + - containerd2 + - cri-tools + - systemd-boot + - dracut-hyperv + - hyperv-daemons + - cloud-init + - checkpolicy + - libselinux + - policycoreutils-python-utils + - secilc + - selinux-policy + - selinux-policy-ci + - selinux-policy-modules + - setools-console + - systemd-ukify + - systemd-boot + - efibootmgr + - lvm2 + - veritysetup + - selinux-policy + - 
selinux-policy-modules + - gptfdisk + - curl + - bind-utils + - tar + - wget + - blobfuse2 + - ca-certificates + - chrony + - cifs-utils + - cloud-init-azure-kvp + - conntrack-tools + - cracklib + - ebtables + - ethtool + - fuse + - inotify-tools + - iotop + - iproute + - ipset + - iptables + - iscsi-initiator-utils + - jq + - logrotate + - lsof + - netplan + - nftables + - nmap-ncat + - nfs-utils + - oras + - pam + - psmisc + - rsyslog + - socat + - sysstat + - traceroute + - util-linux + - xz + - zip + - erofs-utils + additionalDirs: + - source: files/osguard/repart.d + destination: /etc/repart.d + childFilePermissions: 644 + additionalFiles: + - source: files/osguard/selinux-ci-uki.semanage + destination: /etc/selinux/targeted/selinux-ci.semanage + - source: files/osguard/cloud.cfg + destination: /etc/cloud/cloud.cfg + permissions: '644' + - source: files/osguard/10-repart.conf + destination: /etc/dracut.conf.d/10-repart.conf + permissions: '644' + - source: files/osguard/chrony.conf + destination: /etc/chrony.conf + permissions: '644' + - source: files/osguard/resolv-uplink-override.service + destination: /etc/systemd/system/resolv-uplink-override.service + permissions: '600' + - source: files/osguard-ci/config.toml + destination: /etc/containerd/config.toml + permissions: '644' + services: + disable: + - sshd + enable: + - systemd-networkd + - systemd-resolved + modules: + - name: iptable_nat + loadMode: always + - name: erofs + loadMode: always +scripts: + postCustomization: + - path: scripts/common/performance-tuning.sh + - path: scripts/common/azlinuxagentconfig.sh + - path: scripts/common/selinux-ci-config.py + interpreter: /usr/bin/python3 + - path: scripts/common/cleanup-machineid.sh + - path: scripts/common/prepare_trusted_cni_plugins.sh + - path: scripts/common/move-iptables-scripts-to-usr.sh + - path: scripts/common/tmp-no-exec.sh + - path: scripts/common/remove-getty-import-credential.sh + - path: scripts/osguard/create-empty-certs-dir.sh + - path: 
scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - osguard-ci + - --variant + - OS Guard Code Integrity Image +output: + artifacts: + items: + - verity-hash + - ukis + path: ./output + image: + format: vhdx +previewFeatures: +- output-artifacts +- uki diff --git a/toolkit/imageconfigs/packagelists/azurevm-packages.yaml b/toolkit/imageconfigs/packagelists/azurevm-packages.yaml new file mode 100644 index 0000000000..3346cc55a5 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/azurevm-packages.yaml @@ -0,0 +1,15 @@ +packages: +- cloud-init +- cloud-init-azure-kvp +- cloud-utils-growpart +- dhcpcd +- dracut-hyperv +- grubby +- hyperv-daemons +- netplan +- openssh-server +- python3 +- rsyslog +- sgx-backwards-compatibility +- WALinuxAgent +- wireless-regdb diff --git a/toolkit/imageconfigs/packagelists/baremetal-packages.yaml b/toolkit/imageconfigs/packagelists/baremetal-packages.yaml new file mode 100644 index 0000000000..bef446a9b0 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/baremetal-packages.yaml @@ -0,0 +1,2 @@ +packages: +- dracut-megaraid diff --git a/toolkit/imageconfigs/packagelists/base-image-packages.yaml b/toolkit/imageconfigs/packagelists/base-image-packages.yaml new file mode 100644 index 0000000000..b1d12e7bb1 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/base-image-packages.yaml @@ -0,0 +1,26 @@ +packages: +- azurelinux-release +- azurelinux-repos +- azurelinux-repos-ms-non-oss +- azurelinux-repos-ms-oss +- bash +- ca-certificates +- chrony +- cronie-anacron +- cryptsetup +- dbus +- dracut-hostonly +- dracut-vrf +- e2fsprogs +- filesystem +- grub2-efi-binary +- logrotate +- openssh-server +- procps-ng +- shim +- sudo +- systemd +- tdnf +- tdnf-plugin-repogpgcheck +- util-linux +- zlib diff --git a/toolkit/imageconfigs/packagelists/cloud-init-packages.yaml b/toolkit/imageconfigs/packagelists/cloud-init-packages.yaml new file mode 100644 index 0000000000..145f918bc9 --- /dev/null 
+++ b/toolkit/imageconfigs/packagelists/cloud-init-packages.yaml @@ -0,0 +1,3 @@ +packages: +- cloud-init +- cloud-utils-growpart diff --git a/toolkit/imageconfigs/packagelists/core-packages-image.yaml b/toolkit/imageconfigs/packagelists/core-packages-image.yaml new file mode 100644 index 0000000000..9c9af5ea2f --- /dev/null +++ b/toolkit/imageconfigs/packagelists/core-packages-image.yaml @@ -0,0 +1,10 @@ +packages: +- ca-certificates +- core-packages-base-image +- cronie-anacron +- dracut-hostonly +- dracut-vrf +- grub2-efi-binary +- logrotate +- shadow-utils +- shim diff --git a/toolkit/imageconfigs/packagelists/hyperv-packages.yaml b/toolkit/imageconfigs/packagelists/hyperv-packages.yaml new file mode 100644 index 0000000000..576a15e646 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/hyperv-packages.yaml @@ -0,0 +1,3 @@ +packages: +- dracut-hyperv +- hyperv-daemons diff --git a/toolkit/imageconfigs/packagelists/isoinstaller-64k-packages.yaml b/toolkit/imageconfigs/packagelists/isoinstaller-64k-packages.yaml new file mode 100644 index 0000000000..c44eccc0c8 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/isoinstaller-64k-packages.yaml @@ -0,0 +1,71 @@ +packages: +- alsa-lib +- attr +- awk +- azurelinux-release +- bash +- bzip2 +- cifs-utils +- coreutils +- cpio +- cracklib +- cracklib-dicts +- cryptsetup +- curl +- dbus +- dosfstools +- dracut +- e2fsprogs +- efibootmgr +- efivar +- espeak-ng +- expat +- file +- filesystem +- findutils +- glib +- glibc +- gmp +- gptfdisk +- grep +- grub2-efi-binary +- gzip +- haveged +- less +- libcap +- libgcc +- libstdc++ +- linux-firmware +- lvm2 +- lua +- lz4 +- ncurses +- ncurses-term +- nspr +- nss +- openssl +- pam +- parted +- pcaudiolib +- pkg-config +- popt +- readline +- rpm +- sed +- shadow-utils +- shim +- squashfs-tools +- sqlite +- systemd +- systemd-networkd +- systemd-resolved +- tar +- tdnf +- udev +- usbutils +- util-linux +- vim +- words +- xfsprogs +- xz +- zlib 
diff --git a/toolkit/imageconfigs/packagelists/marketplace-tools-packages.yaml b/toolkit/imageconfigs/packagelists/marketplace-tools-packages.yaml new file mode 100644 index 0000000000..592eef46d4 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/marketplace-tools-packages.yaml @@ -0,0 +1,3 @@ +packages: +- dnf +- wget diff --git a/toolkit/imageconfigs/packagelists/qemu-guest-packages.yaml b/toolkit/imageconfigs/packagelists/qemu-guest-packages.yaml new file mode 100644 index 0000000000..c72bdad53e --- /dev/null +++ b/toolkit/imageconfigs/packagelists/qemu-guest-packages.yaml @@ -0,0 +1,3 @@ +packages: +- dracut-virtio +- qemu-guest-agent diff --git a/toolkit/imageconfigs/packagelists/selinux.yaml b/toolkit/imageconfigs/packagelists/selinux.yaml new file mode 100644 index 0000000000..05c2079da7 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/selinux.yaml @@ -0,0 +1,2 @@ +packages: +- selinux-policy diff --git a/toolkit/imageconfigs/packagelists/virt-guest-packages.yaml b/toolkit/imageconfigs/packagelists/virt-guest-packages.yaml new file mode 100644 index 0000000000..6fd680b041 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/virt-guest-packages.yaml @@ -0,0 +1,4 @@ +packages: +- dracut-hyperv +- dracut-virtio +- dracut-xen diff --git a/toolkit/imageconfigs/postinstallscripts/imagecustomizer/isoinstaller_postinstalltask.sh b/toolkit/imageconfigs/postinstallscripts/imagecustomizer/isoinstaller_postinstalltask.sh new file mode 100755 index 0000000000..748c4e4e91 --- /dev/null +++ b/toolkit/imageconfigs/postinstallscripts/imagecustomizer/isoinstaller_postinstalltask.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +set -exuo pipefail + +# Create local ISO repo for RPMS directory +createrepo /RPMS + +# RPM packages are generated under rootfs RPMS folder. +# Hence update baseurl path +sed -i 's|baseurl=file:///mnt/cdrom/RPMS|baseurl=file:///RPMS|' /etc/yum.repos.d/mariner-iso.repo + +# RPM packages should be installed from ISO local repo +# Remove PMC official base repo from ISO +rm -r /etc/yum.repos.d/azurelinux-official-base.repo diff --git a/toolkit/imageconfigs/qemu-guest-amd64.yaml b/toolkit/imageconfigs/qemu-guest-amd64.yaml new file mode 100644 index 0000000000..14b2a9615f --- /dev/null +++ b/toolkit/imageconfigs/qemu-guest-amd64.yaml @@ -0,0 +1,60 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 1024M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azure-linux + + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=ttyS0 + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/base-image-packages.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/qemu-guest-packages.yaml + +scripts: + finalizeCustomization: + - path: scripts/cleanup.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - qemu-guest + - --variant + - QEMU Guest Image + +output: + image: + format: vhdx diff --git a/toolkit/imageconfigs/qemu-guest-arm64.yaml b/toolkit/imageconfigs/qemu-guest-arm64.yaml new file mode 100644 index 0000000000..14b2a9615f --- /dev/null +++ b/toolkit/imageconfigs/qemu-guest-arm64.yaml 
@@ -0,0 +1,60 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 1024M + partitions: + - id: esp + type: esp + size: 8M + + - id: rootfs + type: root + size: grow + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + path: /boot/efi + options: umask=0077 + + - deviceId: rootfs + type: ext4 + mountPoint: + path: / + +os: + bootloader: + resetType: hard-reset + + hostname: azure-linux + + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=ttyS0 + + packages: + remove: + - dracut-hostonly + + installLists: + - packagelists/base-image-packages.yaml + - packagelists/cloud-init-packages.yaml + - packagelists/qemu-guest-packages.yaml + +scripts: + finalizeCustomization: + - path: scripts/cleanup.sh + - path: scripts/set_os_release_variant_entries.sh + arguments: + - --variant-id + - qemu-guest + - --variant + - QEMU Guest Image + +output: + image: + format: vhdx diff --git a/toolkit/imageconfigs/scripts/common/azlinuxagentconfig.sh b/toolkit/imageconfigs/scripts/common/azlinuxagentconfig.sh new file mode 100755 index 0000000000..4021d9b781 --- /dev/null +++ b/toolkit/imageconfigs/scripts/common/azlinuxagentconfig.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +sed -i "/AutoUpdate.Enabled/d" /etc/waagent.conf +sed -i "/AutoUpdate.UpdateToLatestVersion=y/c\AutoUpdate.UpdateToLatestVersion=n" /etc/waagent.conf +if ! grep -q "AutoUpdate.UpdateToLatestVersion=n" /etc/waagent.conf; then + sed -i "$ a AutoUpdate.UpdateToLatestVersion=n" /etc/waagent.conf +fi diff --git a/toolkit/imageconfigs/scripts/common/cleanup-machineid.sh b/toolkit/imageconfigs/scripts/common/cleanup-machineid.sh new file mode 100755 index 0000000000..2b8287ebe0 --- /dev/null +++ b/toolkit/imageconfigs/scripts/common/cleanup-machineid.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +cat /dev/null > /etc/machine-id 
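Review bot: azlinuxagentconfig.sh has no `set -euo pipefail`, unlike most of the other scripts under scripts/common in this commit. A failing `sed -i` on /etc/waagent.conf (for instance if the file is absent) therefore does not stop the script at that point. Add `set -euo pipefail` after the licence header; the `if ! grep -q …` test keeps working under it. The first expression `/AutoUpdate.Enabled/d` is unanchored and its `.` matches any character, so it also removes comment lines that mention the setting; `/^AutoUpdate\.Enabled=/d` would limit it to the setting itself, if that is the intent.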
diff --git a/toolkit/imageconfigs/scripts/common/move-iptables-scripts-to-usr.sh b/toolkit/imageconfigs/scripts/common/move-iptables-scripts-to-usr.sh
new file mode 100755
index 0000000000..3dc754da11
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/move-iptables-scripts-to-usr.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+# Move iptables scripts to /usr/libexec/iptables, as /etc will be locked down by
+# IPE and also is mounted with noexec.
+
+START_SOURCE="/etc/systemd/scripts/iptables"
+STOP_SOURCE="/etc/systemd/scripts/iptables.stop"
+
+START_TARGET="/usr/libexec/iptables/iptables"
+STOP_TARGET="/usr/libexec/iptables/iptables.stop"
+
+mkdir -p /usr/libexec/iptables
+
+mv "$START_SOURCE" "$START_TARGET"
+mv "$STOP_SOURCE" "$STOP_TARGET"
+
+# Create symlinks for compatibility
+ln -s "$START_TARGET" "$START_SOURCE"
+ln -s "$STOP_TARGET" "$STOP_SOURCE"
diff --git a/toolkit/imageconfigs/scripts/common/performance-tuning.sh b/toolkit/imageconfigs/scripts/common/performance-tuning.sh
new file mode 100755
index 0000000000..79257c60d4
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/performance-tuning.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -euxo pipefail
+
+# Remove the dracut-cmdline-ask service because it isn't used and slows down
+# the boot time.
+rm /usr/lib/dracut/modules.d/98dracut-systemd/dracut-cmdline-ask.service
diff --git a/toolkit/imageconfigs/scripts/common/prepare_trusted_cni_plugins.sh b/toolkit/imageconfigs/scripts/common/prepare_trusted_cni_plugins.sh
new file mode 100755
index 0000000000..50300ef9d2
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/prepare_trusted_cni_plugins.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -eux
+
+CNI_BIN_DIR="/opt/cni/bin"
+CNI_TRUSTED_DIR="/usr/libexec/cni"
+
+mkdir -p "$CNI_TRUSTED_DIR"
+
+# Copy all plugins to trusted dir
+for plugin in "$CNI_BIN_DIR"/*; do
+ name=$(basename "$plugin")
+ target="$CNI_TRUSTED_DIR/$name"
+
+ rm -f "$target"
+ cp "$plugin" "$target"
+done
diff --git a/toolkit/imageconfigs/scripts/common/remove-getty-import-credential.sh b/toolkit/imageconfigs/scripts/common/remove-getty-import-credential.sh
new file mode 100755
index 0000000000..423c9d737e
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/remove-getty-import-credential.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+# Reported upstream as https://github.com/util-linux/util-linux/issues/2896,
+# requires systemd updated to v256. The workaround is to remove the ImportCredential lines.
+sed -i /ImportCredential=/d /usr/lib/systemd/system/getty@.service
+sed -i /ImportCredential=/d /usr/lib/systemd/system/serial-getty@.service
diff --git a/toolkit/imageconfigs/scripts/common/selinux-ci-config.py b/toolkit/imageconfigs/scripts/common/selinux-ci-config.py
new file mode 100755
index 0000000000..641e2e0118
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/selinux-ci-config.py
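Review bot: The copy loop in prepare_trusted_cni_plugins.sh leaves the mode and owner of the files in /usr/libexec/cni to `cp` and the build-time umask. It also copies every entry of /opt/cni/bin, following symlinks, without checking what the entry is. For a directory the script treats as trusted, set the attributes explicitly by replacing the `rm -f`/`cp` pair with `install -o root -g root -m 0755 "$plugin" "$target"`. Consider guarding the loop body with `[[ -f "$plugin" && ! -L "$plugin" ]] || continue` so that only regular files are promoted. Whether a fixed list of expected plugin names is practical depends on the cni package contents, which are not visible in this hunk.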
@@ -0,0 +1,135 @@
+#!/usr/bin/python3
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+import os
+from semanage import (
+ semanage_module_key_create,
+ semanage_module_key_set_name,
+ semanage_module_set_enabled,
+)
+import seobject
+import shutil
+import subprocess
+
+# import SELinux policy CI customizations. This is installed by MIC
+subprocess.run(
+ ["semanage", "import", "-f", "/etc/selinux/targeted/selinux-ci.semanage"],
+ check=True,
+)
+
+#
+# Module disabling done by script instead of 'semanage import' so new
+# modules are disabled by default
+#
+
+ENABLED_MODULES: set[str] = {
+ "base",
+ "application",
+ "authlogin",
+ "azureci",
+ "azureci_deletions",
+ "azureci_prod", # enables SELinux and IPE lockout
+ "bootloader",
+ "brctl",
+ "clock",
+ "cloudinit",
+ "container",
+ "container_compat",
+ "crio",
+ "cron",
+ "chronyd",
+ "dbus",
+ "dmesg",
+ "docker", # handles docker and containerd
+ "fstools",
+ "getty",
+ "gpg",
+ "hostname",
+ "hotfix",
+ "hypervkvp",
+ "init", # systemd
+ "iptables",
+ "irqbalance",
+ "kerberos",
+ "kdump",
+ "kubernetes",
+ "locallogin",
+ "logging",
+ "libraries",
+ "logrotate",
+ "lvm", # includes dm, cryptsetup, etc.
+ "miscfiles",
+ "modutils",
+ "mount",
+ "mta",
+ "netlabel",
+ "netutils",
+ "ntp",
+ "oddjob",
+ "openvswitch",
+ "podman", # there is a hard dependency for this in crio
+ "policykit",
+ "qemu",
+ "rdisc",
+ "rngd",
+ "rpm",
+ "sasl",
+ "selinuxutil",
+ "setrans",
+ "setroubleshoot",
+ "shutdown",
+ "slocate",
+ "ssh",
+ "su",
+ "sudo",
+ "sysnetwork",
+ "systemd",
+ "tpm2",
+ "trident",
+ "udev",
+ "userdomain",
+ "usermanage",
+ "uuidd",
+ "virt",
+ "xdg", # required by systemd
+}
+
+records = seobject.moduleRecords()
+handle = records.get_handle("targeted")
+
+# name, disabled, priority, hll name
+modules: set[str] = set(name for name, _, _, _ in records.get_all())
+modules_to_disable: set[str] = modules - ENABLED_MODULES
+modules_to_enable: set[str] = modules - modules_to_disable
+missing_modules: set[str] = ENABLED_MODULES - modules
+
+for name in modules_to_disable:
+ rc, key = semanage_module_key_create(handle)
+ if rc < 0:
+ raise RuntimeError(f"Failed to create module key for {name}")
+
+ semanage_module_key_set_name(handle, key, name)
+ semanage_module_set_enabled(handle, key, 0)
+
+if missing_modules:
+ print(f"Warning: missing modules from enabling list: {', '.join(missing_modules)}")
+
+# if this script is re-ran with a new enabled module, this is needed
+for name in modules_to_enable:
+ rc, key = semanage_module_key_create(handle)
+ if rc < 0:
+ raise RuntimeError(f"Failed to create module key for {name}")
+
+ semanage_module_key_set_name(handle, key, name)
+ semanage_module_set_enabled(handle, key, 1)
+
+records.commit()
+
+# Move policy to /usr
+if not os.path.isdir("/usr/etc/selinux"):
+ os.makedirs("/usr/etc", exist_ok=True)
+ shutil.move("/etc/selinux", "/usr/etc/selinux")
+ # add backwards compatibility for /etc/selinux
+ os.symlink("../usr/etc/selinux", "/etc/selinux")
diff --git a/toolkit/imageconfigs/scripts/common/tmp-no-exec.sh b/toolkit/imageconfigs/scripts/common/tmp-no-exec.sh
new file mode 100755
index 0000000000..f5bdfbf5bb
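Review bot: In selinux-ci-config.py both loops discard the return values of `semanage_module_key_set_name` and `semanage_module_set_enabled`; only `semanage_module_key_create` is checked. Assuming the bindings return the libsemanage status code as `semanage_module_key_create` does, a failed disable leaves a module enabled while the script carries on to `records.commit()`. The stated aim is that modules outside ENABLED_MODULES are off by default, so check both calls, e.g. `if semanage_module_set_enabled(handle, key, 0) < 0: raise RuntimeError(f"Failed to disable module {name}")`, with the matching form using `1` in the enable loop. The `missing_modules` branch only prints a warning; if a misspelt or absent entry in ENABLED_MODULES should fail the image build, raise there as well.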
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/common/tmp-no-exec.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -euxo pipefail
+
+sed -i 's/^Options=/Options=noexec,nosuid,/' /usr/lib/systemd/system/tmp.mount
diff --git a/toolkit/imageconfigs/scripts/osguard/create-empty-certs-dir.sh b/toolkit/imageconfigs/scripts/osguard/create-empty-certs-dir.sh
new file mode 100755
index 0000000000..9d0866edd7
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/osguard/create-empty-certs-dir.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Script to create the ca-certificates directory to allow safe migration
+# from Ubuntu hosts to Azure Linux hosts and avoid a creation of this directory
+# at runtime under /usr
+
+# Create the ca-certificates directory
+mkdir -p /usr/local/share/ca-certificates
diff --git a/toolkit/imageconfigs/scripts/set_os_release_variant_entries.sh b/toolkit/imageconfigs/scripts/set_os_release_variant_entries.sh
new file mode 100755
index 0000000000..8e59ab557f
--- /dev/null
+++ b/toolkit/imageconfigs/scripts/set_os_release_variant_entries.sh
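Review bot: The `sed -i` in tmp-no-exec.sh exits 0 even when no line of tmp.mount starts with `Options=`. If the unit changes or the line is absent, /tmp stays mounted without `noexec,nosuid` and the image build still passes. Add a verification after the substitution, e.g. `grep -q '^Options=noexec,nosuid,' /usr/lib/systemd/system/tmp.mount`, which aborts the script under the existing `set -e`. The substitution is also not idempotent: a second run prepends the options again.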
@@ -0,0 +1,106 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -euo pipefail
+
+DEFAULT_OS_RELEASE_FILE="/etc/os-release"
+
+FLAG_VARIANT_ID=""
+FLAG_VARIANT=""
+FLAG_OS_RELEASE_FILE="$DEFAULT_OS_RELEASE_FILE"
+
+exit_help() {
+ local error_message=""
+ if [[ $# -gt 0 ]]; then
+ error_message="$1"
+ fi
+
+ echo "Usage: $0 [flags]"
+ echo ""
+ echo "This script sets the VARIANT and VARIANT_ID entries in the os-release file."
+ echo ""
+ echo "See https://www.freedesktop.org/software/systemd/man/latest/os-release.html for more information and the"
+ echo "latest details on these entries."
+ echo ""
+ echo "Flags:"
+ echo " -h, --help"
+ echo " Show this help message and exit."
+ echo ""
+ echo " -i VARIANT_ID, --variant-id VARIANT_ID"
+ echo " Value of VARIANT_ID to set in the os-release file. It must be a lower-case string (no spaces or other"
+ echo " characters outside of 0-9, a-z, '.', '_' and '-')."
+ echo ""
+ echo " -n VARIANT, --variant VARIANT"
+ echo " Value of VARIANT to set in the os-release file. It will be enclosed in double quotes if it contains"
+ echo " anything outside of A-Z, a-z, 0-9."
+ echo ""
+ echo " -o OS_RELEASE, --os-release OS_RELEASE Path to the os-release file (default: '$DEFAULT_OS_RELEASE_FILE')"
+
+ if [[ -n "$error_message" ]]; then
+ echo ""
+ echo "Error: $error_message"
+ fi
+
+ exit 1
+}
+
+parse_flags() {
+ while [[ $# -gt 0 ]]; do
+ local flag="$1"
+ shift
+ case "$flag" in
+ -h|--help) exit_help;;
+ -i|--variant-id) FLAG_VARIANT_ID="$1"; shift;;
+ -n|--variant) FLAG_VARIANT="$1"; shift;;
+ -o|--os-release) FLAG_OS_RELEASE_FILE="$1"; shift;;
+ -*) echo "Error: Unknown flag: $flag" >&2; exit_help;;
+ *) echo "Error: Unknown argument: $flag" >&2; exit_help;;
+ esac
+ done
+
+ if [[ -z "$FLAG_VARIANT_ID" ]]; then
+ exit_help "--variant-id is required"
+ fi
+
+ if [[ "$FLAG_VARIANT_ID" =~ [^a-z0-9._-] ]]; then
+ exit_help "Value of VARIANT_ID must be a lower-case string (no spaces or other characters outside of 0-9, a-z, '.', '_' and '-')."
+ fi
+
+ if [[ -z "$FLAG_VARIANT" ]]; then
+ exit_help "--variant is required"
+ fi
+
+ if [[ "$FLAG_VARIANT" =~ \" ]]; then
+ exit_help "Value of VARIANT cannot contain double quotes"
+ fi
+
+ # This script only double-quotes, even though systemd also specifies that values may be single-quoted.
+ if [[ "$FLAG_VARIANT" =~ [^A-Za-z0-9] ]]; then
+ FLAG_VARIANT="\"$FLAG_VARIANT\""
+ fi
+
+ if [[ ! -e "$FLAG_OS_RELEASE_FILE" ]]; then
+ exit_help "OS release file '$FLAG_OS_RELEASE_FILE' does not exist"
+ fi
+}
+
+set_os_release_entry() {
+ local key="$1"
+ local value="$2"
+
+ if grep -q "^$key=" $FLAG_OS_RELEASE_FILE; then
+ sed -i "s/^$key=.*/$key=$value/" $FLAG_OS_RELEASE_FILE
+ else
+ echo "$key=$value" >> $FLAG_OS_RELEASE_FILE
+ fi
+}
+
+main() {
+ parse_flags "$@"
+
+ set_os_release_entry "VARIANT_ID" "$FLAG_VARIANT_ID"
+ set_os_release_entry "VARIANT" "$FLAG_VARIANT"
+}
+
+main "$@"
diff --git a/toolkit/imageconfigs/templates/osguard-base.yaml b/toolkit/imageconfigs/templates/osguard-base.yaml
new file mode 100644
index 0000000000..7242ac173f
--- /dev/null
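Review bot: `set_os_release_entry` interpolates `$value` into the replacement side of `sed -i "s/^$key=.*/$key=$value/"`, but `parse_flags` rejects only double quotes in VARIANT. A `/`, `&` or `\` in the value therefore breaks or silently alters the substitution. A `$` or backquote ends up inside a double-quoted os-release value, which is expanded by any script that sources the file. Extend the existing double-quote check in `parse_flags` to also reject `$`, backquote, `\`, `/` and `&`, or escape them before writing. Separately, `$FLAG_OS_RELEASE_FILE` is unquoted in all three commands, so a path with spaces is word-split; use `grep -q "^$key=" "$FLAG_OS_RELEASE_FILE"` and quote it the same way in the `sed` and `>>` lines.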
+++ b/toolkit/imageconfigs/templates/osguard-base.yaml 
@@ -0,0 +1,239 @@ +storage: + bootType: efi + + disks: + - partitionTableType: gpt + maxSize: 40G + partitions: + - id: esp + type: esp + label: esp + size: 512M + + - id: boot-a + type: linux-generic + label: boot-a + size: 100M + + - id: usr-a + type: linux-generic + size: 1G + + - id: usr-hash-a + type: usr-verity + size: 128M + + - id: root-a + type: root + label: root-a + size: 12G + + verity: + - id: usrverity + name: usr + dataDeviceId: usr-a + hashDeviceId: usr-hash-a + dataDeviceMountIdType: uuid + hashDeviceMountIdType: uuid + hashSignaturePath: /boot/usr.hash.sig + + filesystems: + - deviceId: esp + type: fat32 + mountPoint: + idType: part-label + path: /boot/efi + options: nodev,noexec,umask=0077 + + - deviceId: boot-a + type: ext4 + mountPoint: + idType: uuid + path: /boot + options: nodev,noexec,nosuid + + - deviceId: usrverity + type: ext4 + mountPoint: + path: /usr + options: nodev,ro + + - deviceId: root-a + type: ext4 + mountPoint: + path: / + options: nodev,nosuid,x-systemd.growfs,x-initrd.mount + +os: + bootloader: + resetType: hard-reset + hostname: azure-linux-os-guard + + selinux: + mode: permissive + + uki: + kernels: auto + + kernelCommandLine: + extraCommandLine: + - console=tty0 + - console=tty1 + - console=ttyS0 + - rd.luks=0 + - rd.hostonly=0 + - fips=1 + - net.ifnames=1 + + packages: + remove: + - dracut-hostonly # Not used for UKI images + - grub2-efi-binary # Replaced by systemd-boot + - kernel # Replaced by kernel-ipe + install: + - syslog + - WALinuxAgent + # OS + - device-mapper + - kernel-ipe + # OCI + - cni + - containerd2 + - cri-tools + # UKI + - systemd-boot + # hyperv + - dracut-hyperv + - hyperv-daemons + # cloud-init + - cloud-init + # selinux + - checkpolicy + - libselinux + - policycoreutils-python-utils + - secilc + - selinux-policy + - selinux-policy-ci + - selinux-policy-modules + - setools-console + + # === System packages === + - systemd-ukify + - systemd-boot + - efibootmgr + - lvm2 + - veritysetup + - 
selinux-policy + - selinux-policy-modules + - gptfdisk + - curl + - bind-utils + - tar + - wget + # =====AKS===== + - blobfuse2 + - ca-certificates + - chrony + - cifs-utils + - cloud-init-azure-kvp + - conntrack-tools + - cracklib + - ebtables + - ethtool + - fuse + - inotify-tools + - iotop + - iproute + - ipset + - iptables + - iscsi-initiator-utils + - jq + - logrotate + - lsof + - netplan + - nftables + - nmap-ncat + - nfs-utils + - oras + - pam + - psmisc + - rsyslog + - socat + - sysstat + - traceroute + - util-linux + - xz + - zip + + additionalDirs: + - source: files/osguard/repart.d + destination: /etc/repart.d + childFilePermissions: 644 + + additionalFiles: + # SELinux customizations + - source: files/osguard/selinux-ci-uki.semanage + destination: /etc/selinux/targeted/selinux-ci.semanage + # Cloud-init configuration + - source: files/osguard/cloud.cfg + destination: /etc/cloud/cloud.cfg + permissions: "644" + # Include systemd-repart in the initrd + - source: files/osguard/10-repart.conf + destination: /etc/dracut.conf.d/10-repart.conf + permissions: "644" + # Set chrony to use /dev/ptp_hyperv + - source: files/osguard/chrony.conf + destination: /etc/chrony.conf + permissions: "644" + # Fix systemd resolved caching + - source: files/osguard/resolv-uplink-override.service + destination: /etc/systemd/system/resolv-uplink-override.service + permissions: "600" + + services: + disable: + - sshd + enable: + - systemd-networkd + - systemd-resolved + + modules: + # Explicitly enable iptable_nat for prometheus + - name: iptable_nat + loadMode: always + +scripts: + postCustomization: + # Various performance tuning steps + - path: scripts/common/performance-tuning.sh + # Config AzureLinuxAgent + - path: scripts/common/azlinuxagentconfig.sh + # Disable unused SELinux policy modules and configure SELinux policy for CI + - path: scripts/common/selinux-ci-config.py + interpreter: /usr/bin/python3 + # Ensure the /etc/machine-id is cleared before the first boot + - 
path: scripts/common/cleanup-machineid.sh + # Move CNI binaries from /opt to /usr for IPE + - path: scripts/common/prepare_trusted_cni_plugins.sh + # Move iptables scripts from /etc to /usr for IPE + - path: scripts/common/move-iptables-scripts-to-usr.sh + # Disable exec and suid on /tmp + - path: scripts/common/tmp-no-exec.sh + # Remove ImportCredential from getty services to avoid boot log warnings + - path: scripts/common/remove-getty-import-credential.sh + # Set OS release variant entries + - path: scripts/osguard/create-empty-certs-dir.sh + +output: + artifacts: + items: + - verity-hash + - ukis + path: ./output + image: + format: vhdx + +previewFeatures: + - output-artifacts + - uki diff --git a/toolkit/imageconfigs/templates/osguard-ci-delta.yaml b/toolkit/imageconfigs/templates/osguard-ci-delta.yaml new file mode 100644 index 0000000000..2262220930 --- /dev/null +++ b/toolkit/imageconfigs/templates/osguard-ci-delta.yaml 
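Review bot: In osguard-base.yaml the `selinux:` block sets `mode: permissive`, and of the two delta files on this page only osguard-ci-delta.yaml overrides it, so the plain osguard variant appears to ship with SELinux permissive on top of `ipe.enforce=0`. If that is intended, a comment next to the setting such as `# Permissive by default; the CI delta switches this to enforcing` would make it a visible decision. The last `postCustomization` entry is commented `# Set OS release variant entries` but runs `scripts/osguard/create-empty-certs-dir.sh`; the comment should describe that script, since the variant entries are set from the delta files. `systemd-boot`, `selinux-policy` and `selinux-policy-modules` are each listed twice under `packages.install`, which is harmless but makes the package list harder to audit.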
@@ -0,0 +1,48 @@
+# The OS Guard Code Integrity image variant extends code integrity features
+# beyond the host binaries, to include container images and their layers. This
+# is achieved through configuring containerd to use erofs-snapshotter with
+# dm-verity support and requiring dm-verity signature verification. On container
+# execution, IPE will only allow the execution of containers that are dm-verity
+# verified.
+#
+# This file defines the delta (differences) to apply to the osguard-base.yaml
+# template in order to generate the OS Guard Code Integrity (CI) image variant.
+# This template is merged with the base template by the
+# generate-osguard-imageconfigs.sh script to produce osguard-ci-amd64.yaml
+# Only settings that differ from the base should be included here.
+os:
+ # Ensure SELinux is in Enforcing Mode for OS Guard Code Integrity image.
+ selinux:
+ mode: enforcing
+ kernelCommandLine:
+ extraCommandLine:
+ # Enforce signatures for all dm-verity volumes on the system. This
+ # verification is needed in conjunction with our dm-verity-enabled
+ # erofs-snapshotter to ensure erofs container layers, which are
+ # dm-verity volumes, are signed by a trusted entity
+ - dm_verity.require_signatures=1
+ packages:
+ install:
+ # For containerd erofs-snapshotter to function, supply its userland
+ # utilities
+ - erofs-utils
+ modules:
+ # Ensure the erofs kernel module is always loaded so containerd
+ # erofs-snapshotter can use it.
+ - name: erofs
+ loadMode: always
+ additionalFiles:
+ # Place custom containerd config that configures erofs-snapshotter as the
+ # default snapshotter when setting up container images
+ - source: files/osguard-ci/config.toml
+ destination: /etc/containerd/config.toml
+ permissions: "644"
+scripts:
+ postCustomization:
+ # Tag this image variant with its specific variant-id
+ - path: scripts/set_os_release_variant_entries.sh
+ arguments:
+ - --variant-id
+ - osguard-ci
+ - --variant
+ - OS Guard Code Integrity Image
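Review bot: The header comment of osguard-ci-delta.yaml says the file is merged with osguard-base.yaml but not how list-valued keys are combined, and nearly every setting here (`extraCommandLine`, `packages.install`, `modules`, `additionalFiles`, `postCustomization`) is a list. If the merge replaced lists instead of appending, the generated image would lose base entries such as `fips=1`; the merge script is not visible in this hunk, so this is worth confirming and stating, e.g. `# Lists in this file are appended to the corresponding lists in the base template.` Separately, `/etc/containerd/config.toml` lands on the root filesystem, which the base template mounts writable and outside the dm-verity protected `/usr`, so the choice of snapshotter is not itself integrity-protected. Assuming the design is that enforcement rests on IPE and `dm_verity.require_signatures=1` rather than on this file, a comment saying so above the `additionalFiles` entry would help the next reader.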
diff --git a/toolkit/imageconfigs/templates/osguard-no-ci-delta.yaml b/toolkit/imageconfigs/templates/osguard-no-ci-delta.yaml
new file mode 100644
index 0000000000..28f67ecf57
--- /dev/null
+++ b/toolkit/imageconfigs/templates/osguard-no-ci-delta.yaml
@@ -0,0 +1,12 @@
+os:
+ kernelCommandLine:
+ extraCommandLine:
+ - ipe.enforce=0
+scripts:
+ postCustomization:
+ - path: scripts/set_os_release_variant_entries.sh
+ arguments:
+ - --variant-id
+ - osguard
+ - --variant
+ - OS Guard Image
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 08880d40cc..8c7ff2c10b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,20 +1,20 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.78.1-3.azl3.noarch.rpm
-glibc-2.38-9.azl3.aarch64.rpm
-glibc-devel-2.38-9.azl3.aarch64.rpm
-glibc-i18n-2.38-9.azl3.aarch64.rpm
-glibc-iconv-2.38-9.azl3.aarch64.rpm
-glibc-lang-2.38-9.azl3.aarch64.rpm
-glibc-locales-all-2.38-9.azl3.aarch64.rpm
-glibc-nscd-2.38-9.azl3.aarch64.rpm
-glibc-tools-2.38-9.azl3.aarch64.rpm
+kernel-headers-6.6.96.2-1.azl3.noarch.rpm
+glibc-2.38-11.azl3.aarch64.rpm
+glibc-devel-2.38-11.azl3.aarch64.rpm
+glibc-i18n-2.38-11.azl3.aarch64.rpm
+glibc-iconv-2.38-11.azl3.aarch64.rpm
+glibc-lang-2.38-11.azl3.aarch64.rpm
+glibc-locales-all-2.38-11.azl3.aarch64.rpm
+glibc-nscd-2.38-11.azl3.aarch64.rpm
+glibc-tools-2.38-11.azl3.aarch64.rpm
 zlib-1.3.1-1.azl3.aarch64.rpm
 zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
 file-libs-5.45-1.azl3.aarch64.rpm
-binutils-2.41-5.azl3.aarch64.rpm
-binutils-devel-2.41-5.azl3.aarch64.rpm
+binutils-2.41-7.azl3.aarch64.rpm
+binutils-devel-2.41-7.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
 mpfr-4.2.1-1.azl3.aarch64.rpm
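Review bot: osguard-no-ci-delta.yaml has no header comment, unlike osguard-ci-delta.yaml, and `ipe.enforce=0` is added under `extraCommandLine` without saying why. That parameter puts IPE in permissive mode, so policy violations are not blocked (audited only, as I understand it), and this variant also inherits `selinux: mode: permissive` from the base template because the delta does not override it. I would add a short header describing the variant and a line above the entry such as `# IPE runs in permissive (audit-only) mode in this variant; osguard-ci is the enforcing image` so the weaker posture is explicit to anyone choosing between the two images.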
@@ -73,11 +73,11 @@ libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm util-linux-2.40.2-1.azl3.aarch64.rpm util-linux-devel-2.40.2-1.azl3.aarch64.rpm util-linux-libs-2.40.2-1.azl3.aarch64.rpm -tar-1.35-1.azl3.aarch64.rpm -xz-5.4.4-1.azl3.aarch64.rpm -xz-devel-5.4.4-1.azl3.aarch64.rpm -xz-lang-5.4.4-1.azl3.aarch64.rpm -xz-libs-5.4.4-1.azl3.aarch64.rpm +tar-1.35-2.azl3.aarch64.rpm +xz-5.4.4-2.azl3.aarch64.rpm +xz-devel-5.4.4-2.azl3.aarch64.rpm +xz-lang-5.4.4-2.azl3.aarch64.rpm +xz-libs-5.4.4-2.azl3.aarch64.rpm zstd-1.5.5-2.azl3.aarch64.rpm zstd-devel-1.5.5-2.azl3.aarch64.rpm zstd-libs-1.5.5-2.azl3.aarch64.rpm 
@@ -88,83 +88,83 @@ bison-3.8.2-1.azl3.aarch64.rpm popt-1.19-1.azl3.aarch64.rpm popt-devel-1.19-1.azl3.aarch64.rpm popt-lang-1.19-1.azl3.aarch64.rpm -sqlite-3.44.0-1.azl3.aarch64.rpm -sqlite-devel-3.44.0-1.azl3.aarch64.rpm -sqlite-libs-3.44.0-1.azl3.aarch64.rpm -elfutils-0.189-4.azl3.aarch64.rpm -elfutils-default-yama-scope-0.189-4.azl3.noarch.rpm -elfutils-devel-0.189-4.azl3.aarch64.rpm -elfutils-devel-static-0.189-4.azl3.aarch64.rpm -elfutils-libelf-0.189-4.azl3.aarch64.rpm -elfutils-libelf-devel-0.189-4.azl3.aarch64.rpm -elfutils-libelf-devel-static-0.189-4.azl3.aarch64.rpm -elfutils-libelf-lang-0.189-4.azl3.aarch64.rpm -expat-2.6.3-2.azl3.aarch64.rpm -expat-devel-2.6.3-2.azl3.aarch64.rpm -expat-libs-2.6.3-2.azl3.aarch64.rpm +sqlite-3.44.0-2.azl3.aarch64.rpm +sqlite-devel-3.44.0-2.azl3.aarch64.rpm +sqlite-libs-3.44.0-2.azl3.aarch64.rpm +elfutils-0.189-5.azl3.aarch64.rpm +elfutils-default-yama-scope-0.189-5.azl3.noarch.rpm +elfutils-devel-0.189-5.azl3.aarch64.rpm +elfutils-devel-static-0.189-5.azl3.aarch64.rpm +elfutils-libelf-0.189-5.azl3.aarch64.rpm +elfutils-libelf-devel-0.189-5.azl3.aarch64.rpm +elfutils-libelf-devel-static-0.189-5.azl3.aarch64.rpm +elfutils-libelf-lang-0.189-5.azl3.aarch64.rpm +expat-2.6.4-1.azl3.aarch64.rpm +expat-devel-2.6.4-1.azl3.aarch64.rpm +expat-libs-2.6.4-1.azl3.aarch64.rpm libpipeline-1.5.7-1.azl3.aarch64.rpm libpipeline-devel-1.5.7-1.azl3.aarch64.rpm gdbm-1.23-1.azl3.aarch64.rpm gdbm-devel-1.23-1.azl3.aarch64.rpm gdbm-lang-1.23-1.azl3.aarch64.rpm -perl-B-1.88-506.azl3.aarch64.rpm -perl-Carp-1.54-506.azl3.noarch.rpm -perl-Class-Struct-0.68-506.azl3.noarch.rpm -perl-Data-Dumper-2.188-506.azl3.aarch64.rpm -perl-DynaLoader-1.54-506.azl3.aarch64.rpm -perl-Encode-3.19-506.azl3.aarch64.rpm -perl-Errno-1.37-506.azl3.aarch64.rpm -perl-Exporter-5.77-506.azl3.noarch.rpm -perl-Fcntl-1.15-506.azl3.aarch64.rpm -perl-File-Basename-2.86-506.azl3.noarch.rpm -perl-File-Compare-1.100.700-506.azl3.noarch.rpm -perl-File-Copy-2.41-506.azl3.noarch.rpm 
-perl-File-Path-2.18-506.azl3.noarch.rpm -perl-File-Temp-0.231.100-506.azl3.noarch.rpm -perl-File-stat-1.13-506.azl3.noarch.rpm -perl-FileHandle-2.05-506.azl3.noarch.rpm -perl-Getopt-Long-2.54-506.azl3.noarch.rpm -perl-Getopt-Std-1.13-506.azl3.noarch.rpm -perl-HTTP-Tiny-0.086-506.azl3.noarch.rpm -perl-I18N-Langinfo-0.22-506.azl3.aarch64.rpm -perl-IO-1.52-506.azl3.aarch64.rpm -perl-IPC-Open3-1.22-506.azl3.noarch.rpm -perl-MIME-Base64-3.16-506.azl3.aarch64.rpm -perl-POSIX-2.13-506.azl3.aarch64.rpm -perl-PathTools-3.89-506.azl3.aarch64.rpm -perl-Pod-Escapes-1.07-506.azl3.noarch.rpm -perl-Pod-Perldoc-3.28.01-506.azl3.noarch.rpm -perl-Pod-Simple-3.43-506.azl3.noarch.rpm -perl-Pod-Usage-2.03-506.azl3.noarch.rpm -perl-Scalar-List-Utils-1.63-506.azl3.aarch64.rpm -perl-SelectSaver-1.02-506.azl3.noarch.rpm -perl-Socket-2.036-506.azl3.aarch64.rpm -perl-Storable-3.32-506.azl3.aarch64.rpm -perl-Symbol-1.09-506.azl3.noarch.rpm -perl-Term-ANSIColor-5.01-506.azl3.noarch.rpm -perl-Term-Cap-1.18-506.azl3.noarch.rpm -perl-Text-ParseWords-3.31-506.azl3.noarch.rpm -perl-Text-Tabs+Wrap-2021.0814-506.azl3.noarch.rpm -perl-Thread-Queue-3.14-506.azl3.noarch.rpm -perl-Time-Local-1.300-506.azl3.noarch.rpm -perl-Unicode-Normalize-1.32-506.azl3.aarch64.rpm -perl-base-2.27-506.azl3.noarch.rpm -perl-constant-1.33-506.azl3.noarch.rpm -perl-if-0.61.000-506.azl3.noarch.rpm -perl-interpreter-5.38.2-506.azl3.aarch64.rpm -perl-libs-5.38.2-506.azl3.aarch64.rpm -perl-locale-1.10-506.azl3.noarch.rpm -perl-macros-5.38.2-506.azl3.noarch.rpm -perl-mro-1.28-506.azl3.aarch64.rpm -perl-overload-1.37-506.azl3.noarch.rpm -perl-overloading-0.02-506.azl3.noarch.rpm -perl-parent-0.241-506.azl3.noarch.rpm -perl-podlators-5.01-506.azl3.noarch.rpm -perl-subs-1.04-506.azl3.noarch.rpm -perl-threads-2.36-506.azl3.aarch64.rpm -perl-threads-shared-1.68-506.azl3.aarch64.rpm -perl-vars-1.05-506.azl3.noarch.rpm -perl-5.38.2-506.azl3.aarch64.rpm +perl-B-1.88-509.azl3.aarch64.rpm +perl-Carp-1.54-509.azl3.noarch.rpm 
+perl-Class-Struct-0.68-509.azl3.noarch.rpm +perl-Data-Dumper-2.188-509.azl3.aarch64.rpm +perl-DynaLoader-1.54-509.azl3.aarch64.rpm +perl-Encode-3.19-509.azl3.aarch64.rpm +perl-Errno-1.37-509.azl3.aarch64.rpm +perl-Exporter-5.77-509.azl3.noarch.rpm +perl-Fcntl-1.15-509.azl3.aarch64.rpm +perl-File-Basename-2.86-509.azl3.noarch.rpm +perl-File-Compare-1.100.700-509.azl3.noarch.rpm +perl-File-Copy-2.41-509.azl3.noarch.rpm +perl-File-Path-2.18-509.azl3.noarch.rpm +perl-File-Temp-0.231.100-509.azl3.noarch.rpm +perl-File-stat-1.13-509.azl3.noarch.rpm +perl-FileHandle-2.05-509.azl3.noarch.rpm +perl-Getopt-Long-2.54-509.azl3.noarch.rpm +perl-Getopt-Std-1.13-509.azl3.noarch.rpm +perl-HTTP-Tiny-0.086-509.azl3.noarch.rpm +perl-I18N-Langinfo-0.22-509.azl3.aarch64.rpm +perl-IO-1.52-509.azl3.aarch64.rpm +perl-IPC-Open3-1.22-509.azl3.noarch.rpm +perl-MIME-Base64-3.16-509.azl3.aarch64.rpm +perl-POSIX-2.13-509.azl3.aarch64.rpm +perl-PathTools-3.89-509.azl3.aarch64.rpm +perl-Pod-Escapes-1.07-509.azl3.noarch.rpm +perl-Pod-Perldoc-3.28.01-509.azl3.noarch.rpm +perl-Pod-Simple-3.43-509.azl3.noarch.rpm +perl-Pod-Usage-2.03-509.azl3.noarch.rpm +perl-Scalar-List-Utils-1.63-509.azl3.aarch64.rpm +perl-SelectSaver-1.02-509.azl3.noarch.rpm +perl-Socket-2.036-509.azl3.aarch64.rpm +perl-Storable-3.32-509.azl3.aarch64.rpm +perl-Symbol-1.09-509.azl3.noarch.rpm +perl-Term-ANSIColor-5.01-509.azl3.noarch.rpm +perl-Term-Cap-1.18-509.azl3.noarch.rpm +perl-Text-ParseWords-3.31-509.azl3.noarch.rpm +perl-Text-Tabs+Wrap-2021.0814-509.azl3.noarch.rpm +perl-Thread-Queue-3.14-509.azl3.noarch.rpm +perl-Time-Local-1.300-509.azl3.noarch.rpm +perl-Unicode-Normalize-1.32-509.azl3.aarch64.rpm +perl-base-2.27-509.azl3.noarch.rpm +perl-constant-1.33-509.azl3.noarch.rpm +perl-if-0.61.000-509.azl3.noarch.rpm +perl-interpreter-5.38.2-509.azl3.aarch64.rpm +perl-libs-5.38.2-509.azl3.aarch64.rpm +perl-locale-1.10-509.azl3.noarch.rpm +perl-macros-5.38.2-509.azl3.noarch.rpm +perl-mro-1.28-509.azl3.aarch64.rpm 
+perl-overload-1.37-509.azl3.noarch.rpm +perl-overloading-0.02-509.azl3.noarch.rpm +perl-parent-0.241-509.azl3.noarch.rpm +perl-podlators-5.01-509.azl3.noarch.rpm +perl-subs-1.04-509.azl3.noarch.rpm +perl-threads-2.36-509.azl3.aarch64.rpm +perl-threads-shared-1.68-509.azl3.aarch64.rpm +perl-vars-1.05-509.azl3.noarch.rpm +perl-5.38.2-509.azl3.aarch64.rpm texinfo-7.0.3-1.azl3.aarch64.rpm gtk-doc-1.33.2-1.azl3.noarch.rpm autoconf-2.72-2.azl3.noarch.rpm @@ -175,8 +175,8 @@ openssl-devel-3.3.3-2.azl3.aarch64.rpm openssl-libs-3.3.3-2.azl3.aarch64.rpm openssl-perl-3.3.3-2.azl3.aarch64.rpm openssl-static-3.3.3-2.azl3.aarch64.rpm -libcap-2.69-3.azl3.aarch64.rpm -libcap-devel-2.69-3.azl3.aarch64.rpm +libcap-2.69-5.azl3.aarch64.rpm +libcap-devel-2.69-5.azl3.aarch64.rpm debugedit-5.0-2.azl3.aarch64.rpm libarchive-3.7.7-2.azl3.aarch64.rpm libarchive-devel-3.7.7-2.azl3.aarch64.rpm @@ -191,10 +191,10 @@ cpio-lang-2.14-1.azl3.aarch64.rpm e2fsprogs-libs-1.47.0-2.azl3.aarch64.rpm e2fsprogs-1.47.0-2.azl3.aarch64.rpm e2fsprogs-devel-1.47.0-2.azl3.aarch64.rpm -libsolv-0.7.28-2.azl3.aarch64.rpm -libsolv-devel-0.7.28-2.azl3.aarch64.rpm -libssh2-1.11.0-1.azl3.aarch64.rpm -libssh2-devel-1.11.0-1.azl3.aarch64.rpm +libsolv-0.7.28-3.azl3.aarch64.rpm +libsolv-devel-0.7.28-3.azl3.aarch64.rpm +libssh2-1.11.1-1.azl3.aarch64.rpm +libssh2-devel-1.11.1-1.azl3.aarch64.rpm krb5-1.21.3-2.azl3.aarch64.rpm krb5-devel-1.21.3-2.azl3.aarch64.rpm nghttp2-1.61.0-2.azl3.aarch64.rpm 
@@ -203,12 +203,12 @@ curl-8.11.1-3.azl3.aarch64.rpm curl-devel-8.11.1-3.azl3.aarch64.rpm curl-libs-8.11.1-3.azl3.aarch64.rpm createrepo_c-1.0.3-1.azl3.aarch64.rpm -libxml2-2.11.5-4.azl3.aarch64.rpm -libxml2-devel-2.11.5-4.azl3.aarch64.rpm +libxml2-2.11.5-6.azl3.aarch64.rpm +libxml2-devel-2.11.5-6.azl3.aarch64.rpm docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-14.azl3.noarch.rpm -libsepol-3.6-1.azl3.aarch64.rpm -glib-2.78.6-1.azl3.aarch64.rpm +libsepol-3.6-2.azl3.aarch64.rpm +glib-2.78.6-3.azl3.aarch64.rpm libltdl-2.4.7-1.azl3.aarch64.rpm libltdl-devel-2.4.7-1.azl3.aarch64.rpm lua-5.4.6-1.azl3.aarch64.rpm @@ -221,15 +221,15 @@ tdnf-devel-3.5.8-7.azl3.aarch64.rpm tdnf-plugin-repogpgcheck-3.5.8-7.azl3.aarch64.rpm libassuan-2.5.6-1.azl3.aarch64.rpm libassuan-devel-2.5.6-1.azl3.aarch64.rpm -libgpg-error-1.47-1.azl3.aarch64.rpm -libgcrypt-1.10.2-1.azl3.aarch64.rpm +libgpg-error-1.48-1.azl3.aarch64.rpm +libgcrypt-1.10.3-1.azl3.aarch64.rpm libksba-1.6.4-1.azl3.aarch64.rpm libksba-devel-1.6.4-1.azl3.aarch64.rpm libxslt-1.1.43-1.azl3.aarch64.rpm npth-1.6-4.azl3.aarch64.rpm pinentry-1.2.1-1.azl3.aarch64.rpm -gnupg2-2.4.4-2.azl3.aarch64.rpm -gnupg2-lang-2.4.4-2.azl3.aarch64.rpm +gnupg2-2.4.7-1.azl3.aarch64.rpm +gnupg2-lang-2.4.7-1.azl3.aarch64.rpm gpgme-1.23.2-2.azl3.aarch64.rpm azurelinux-repos-shared-3.0-5.azl3.noarch.rpm azurelinux-repos-3.0-5.azl3.noarch.rpm 
@@ -243,11 +243,11 @@ ca-certificates-tools-3.0.0-8.azl3.noarch.rpm ca-certificates-base-3.0.0-8.azl3.noarch.rpm ca-certificates-3.0.0-8.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm -unzip-6.0-21.azl3.aarch64.rpm -python3-3.12.9-1.azl3.aarch64.rpm -python3-devel-3.12.9-1.azl3.aarch64.rpm -python3-libs-3.12.9-1.azl3.aarch64.rpm -python3-setuptools-69.0.3-4.azl3.noarch.rpm +unzip-6.0-22.azl3.aarch64.rpm +python3-3.12.9-4.azl3.aarch64.rpm +python3-devel-3.12.9-4.azl3.aarch64.rpm +python3-libs-3.12.9-4.azl3.aarch64.rpm +python3-setuptools-69.0.3-5.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm which-2.21-8.azl3.aarch64.rpm libselinux-3.6-3.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index f637097a25..cbc39e56a6 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,20 +1,20 @@ filesystem-1.1-21.emt3.x86_64.rpm kernel-headers-6.12.44-1.emt3.noarch.rpm -glibc-2.38-10.emt3.x86_64.rpm -glibc-devel-2.38-10.emt3.x86_64.rpm -glibc-i18n-2.38-10.emt3.x86_64.rpm -glibc-iconv-2.38-10.emt3.x86_64.rpm -glibc-lang-2.38-10.emt3.x86_64.rpm -glibc-locales-all-2.38-10.emt3.x86_64.rpm -glibc-nscd-2.38-10.emt3.x86_64.rpm -glibc-tools-2.38-10.emt3.x86_64.rpm +glibc-2.38-11.emt3.x86_64.rpm +glibc-devel-2.38-11.emt3.x86_64.rpm +glibc-i18n-2.38-11.emt3.x86_64.rpm +glibc-iconv-2.38-11.emt3.x86_64.rpm +glibc-lang-2.38-11.emt3.x86_64.rpm +glibc-locales-all-2.38-11.emt3.x86_64.rpm +glibc-nscd-2.38-11.emt3.x86_64.rpm +glibc-tools-2.38-11.emt3.x86_64.rpm zlib-1.3.1-1.emt3.x86_64.rpm zlib-devel-1.3.1-1.emt3.x86_64.rpm file-5.45-1.emt3.x86_64.rpm file-devel-5.45-1.emt3.x86_64.rpm file-libs-5.45-1.emt3.x86_64.rpm -binutils-2.41-5.emt3.x86_64.rpm -binutils-devel-2.41-5.emt3.x86_64.rpm +binutils-2.41-7.emt3.x86_64.rpm +binutils-devel-2.41-7.emt3.x86_64.rpm gmp-6.3.0-1.emt3.x86_64.rpm gmp-devel-6.3.0-1.emt3.x86_64.rpm mpfr-4.2.1-1.emt3.x86_64.rpm 
@@ -88,17 +88,17 @@ bison-3.8.2-1.emt3.x86_64.rpm popt-1.19-1.emt3.x86_64.rpm popt-devel-1.19-1.emt3.x86_64.rpm popt-lang-1.19-1.emt3.x86_64.rpm -sqlite-3.44.0-1.emt3.x86_64.rpm -sqlite-devel-3.44.0-1.emt3.x86_64.rpm -sqlite-libs-3.44.0-1.emt3.x86_64.rpm -elfutils-0.189-6.emt3.x86_64.rpm -elfutils-default-yama-scope-0.189-6.emt3.noarch.rpm -elfutils-devel-0.189-6.emt3.x86_64.rpm -elfutils-devel-static-0.189-6.emt3.x86_64.rpm -elfutils-libelf-0.189-6.emt3.x86_64.rpm -elfutils-libelf-devel-0.189-6.emt3.x86_64.rpm -elfutils-libelf-devel-static-0.189-6.emt3.x86_64.rpm -elfutils-libelf-lang-0.189-6.emt3.x86_64.rpm +sqlite-3.44.0-2.emt3.x86_64.rpm +sqlite-devel-3.44.0-2.emt3.x86_64.rpm +sqlite-libs-3.44.0-2.emt3.x86_64.rpm +elfutils-0.189-7.emt3.x86_64.rpm +elfutils-default-yama-scope-0.189-7.emt3.noarch.rpm +elfutils-devel-0.189-7.emt3.x86_64.rpm +elfutils-devel-static-0.189-7.emt3.x86_64.rpm +elfutils-libelf-0.189-7.emt3.x86_64.rpm +elfutils-libelf-devel-0.189-7.emt3.x86_64.rpm +elfutils-libelf-devel-static-0.189-7.emt3.x86_64.rpm +elfutils-libelf-lang-0.189-7.emt3.x86_64.rpm expat-2.6.4-1.emt3.x86_64.rpm expat-devel-2.6.4-1.emt3.x86_64.rpm expat-libs-2.6.4-1.emt3.x86_64.rpm 
@@ -107,64 +107,64 @@ libpipeline-devel-1.5.7-1.emt3.x86_64.rpm gdbm-1.23-1.emt3.x86_64.rpm gdbm-devel-1.23-1.emt3.x86_64.rpm gdbm-lang-1.23-1.emt3.x86_64.rpm -perl-B-1.88-507.emt3.x86_64.rpm -perl-Carp-1.54-507.emt3.noarch.rpm -perl-Class-Struct-0.68-507.emt3.noarch.rpm -perl-Data-Dumper-2.188-507.emt3.x86_64.rpm -perl-DynaLoader-1.54-507.emt3.x86_64.rpm -perl-Encode-3.19-507.emt3.x86_64.rpm -perl-Errno-1.37-507.emt3.x86_64.rpm -perl-Exporter-5.77-507.emt3.noarch.rpm -perl-Fcntl-1.15-507.emt3.x86_64.rpm -perl-File-Basename-2.86-507.emt3.noarch.rpm -perl-File-Compare-1.100.700-507.emt3.noarch.rpm -perl-File-Copy-2.41-507.emt3.noarch.rpm -perl-File-Path-2.18-507.emt3.noarch.rpm -perl-File-Temp-0.231.100-507.emt3.noarch.rpm -perl-File-stat-1.13-507.emt3.noarch.rpm -perl-FileHandle-2.05-507.emt3.noarch.rpm -perl-Getopt-Long-2.54-507.emt3.noarch.rpm -perl-Getopt-Std-1.13-507.emt3.noarch.rpm -perl-HTTP-Tiny-0.086-507.emt3.noarch.rpm -perl-I18N-Langinfo-0.22-507.emt3.x86_64.rpm -perl-IO-1.52-507.emt3.x86_64.rpm -perl-IPC-Open3-1.22-507.emt3.noarch.rpm -perl-MIME-Base64-3.16-507.emt3.x86_64.rpm -perl-POSIX-2.13-507.emt3.x86_64.rpm -perl-PathTools-3.89-507.emt3.x86_64.rpm -perl-Pod-Escapes-1.07-507.emt3.noarch.rpm -perl-Pod-Perldoc-3.28.01-507.emt3.noarch.rpm -perl-Pod-Simple-3.43-507.emt3.noarch.rpm -perl-Pod-Usage-2.03-507.emt3.noarch.rpm -perl-Scalar-List-Utils-1.63-507.emt3.x86_64.rpm -perl-SelectSaver-1.02-507.emt3.noarch.rpm -perl-Socket-2.036-507.emt3.x86_64.rpm -perl-Storable-3.32-507.emt3.x86_64.rpm -perl-Symbol-1.09-507.emt3.noarch.rpm -perl-Term-ANSIColor-5.01-507.emt3.noarch.rpm -perl-Term-Cap-1.18-507.emt3.noarch.rpm -perl-Text-ParseWords-3.31-507.emt3.noarch.rpm -perl-Text-Tabs+Wrap-2021.0814-507.emt3.noarch.rpm -perl-Thread-Queue-3.14-507.emt3.noarch.rpm -perl-Time-Local-1.300-507.emt3.noarch.rpm -perl-Unicode-Normalize-1.32-507.emt3.x86_64.rpm -perl-base-2.27-507.emt3.noarch.rpm -perl-constant-1.33-507.emt3.noarch.rpm -perl-if-0.61.000-507.emt3.noarch.rpm 
-perl-interpreter-5.38.2-507.emt3.x86_64.rpm -perl-libs-5.38.2-507.emt3.x86_64.rpm -perl-locale-1.10-507.emt3.noarch.rpm -perl-macros-5.38.2-507.emt3.noarch.rpm -perl-mro-1.28-507.emt3.x86_64.rpm -perl-overload-1.37-507.emt3.noarch.rpm -perl-overloading-0.02-507.emt3.noarch.rpm -perl-parent-0.241-507.emt3.noarch.rpm -perl-podlators-5.01-507.emt3.noarch.rpm -perl-subs-1.04-507.emt3.noarch.rpm -perl-threads-2.36-507.emt3.x86_64.rpm -perl-threads-shared-1.68-507.emt3.x86_64.rpm -perl-vars-1.05-507.emt3.noarch.rpm -perl-5.38.2-507.emt3.x86_64.rpm +perl-B-1.88-509.emt3.x86_64.rpm +perl-Carp-1.54-509.emt3.noarch.rpm +perl-Class-Struct-0.68-509.emt3.noarch.rpm +perl-Data-Dumper-2.188-509.emt3.x86_64.rpm +perl-DynaLoader-1.54-509.emt3.x86_64.rpm +perl-Encode-3.19-509.emt3.x86_64.rpm +perl-Errno-1.37-509.emt3.x86_64.rpm +perl-Exporter-5.77-509.emt3.noarch.rpm +perl-Fcntl-1.15-509.emt3.x86_64.rpm +perl-File-Basename-2.86-509.emt3.noarch.rpm +perl-File-Compare-1.100.700-509.emt3.noarch.rpm +perl-File-Copy-2.41-509.emt3.noarch.rpm +perl-File-Path-2.18-509.emt3.noarch.rpm +perl-File-Temp-0.231.100-509.emt3.noarch.rpm +perl-File-stat-1.13-509.emt3.noarch.rpm +perl-FileHandle-2.05-509.emt3.noarch.rpm +perl-Getopt-Long-2.54-509.emt3.noarch.rpm +perl-Getopt-Std-1.13-509.emt3.noarch.rpm +perl-HTTP-Tiny-0.086-509.emt3.noarch.rpm +perl-I18N-Langinfo-0.22-509.emt3.x86_64.rpm +perl-IO-1.52-509.emt3.x86_64.rpm +perl-IPC-Open3-1.22-509.emt3.noarch.rpm +perl-MIME-Base64-3.16-509.emt3.x86_64.rpm +perl-POSIX-2.13-509.emt3.x86_64.rpm +perl-PathTools-3.89-509.emt3.x86_64.rpm +perl-Pod-Escapes-1.07-509.emt3.noarch.rpm +perl-Pod-Perldoc-3.28.01-509.emt3.noarch.rpm +perl-Pod-Simple-3.43-509.emt3.noarch.rpm +perl-Pod-Usage-2.03-509.emt3.noarch.rpm +perl-Scalar-List-Utils-1.63-509.emt3.x86_64.rpm +perl-SelectSaver-1.02-509.emt3.noarch.rpm +perl-Socket-2.036-509.emt3.x86_64.rpm +perl-Storable-3.32-509.emt3.x86_64.rpm +perl-Symbol-1.09-509.emt3.noarch.rpm +perl-Term-ANSIColor-5.01-509.emt3.noarch.rpm 
+perl-Term-Cap-1.18-509.emt3.noarch.rpm +perl-Text-ParseWords-3.31-509.emt3.noarch.rpm +perl-Text-Tabs+Wrap-2021.0814-509.emt3.noarch.rpm +perl-Thread-Queue-3.14-509.emt3.noarch.rpm +perl-Time-Local-1.300-509.emt3.noarch.rpm +perl-Unicode-Normalize-1.32-509.emt3.x86_64.rpm +perl-base-2.27-509.emt3.noarch.rpm +perl-constant-1.33-509.emt3.noarch.rpm +perl-if-0.61.000-509.emt3.noarch.rpm +perl-interpreter-5.38.2-509.emt3.x86_64.rpm +perl-libs-5.38.2-509.emt3.x86_64.rpm +perl-locale-1.10-509.emt3.noarch.rpm +perl-macros-5.38.2-509.emt3.noarch.rpm +perl-mro-1.28-509.emt3.x86_64.rpm +perl-overload-1.37-509.emt3.noarch.rpm +perl-overloading-0.02-509.emt3.noarch.rpm +perl-parent-0.241-509.emt3.noarch.rpm +perl-podlators-5.01-509.emt3.noarch.rpm +perl-subs-1.04-509.emt3.noarch.rpm +perl-threads-2.36-509.emt3.x86_64.rpm +perl-threads-shared-1.68-509.emt3.x86_64.rpm +perl-vars-1.05-509.emt3.noarch.rpm +perl-5.38.2-509.emt3.x86_64.rpm texinfo-7.0.3-1.emt3.x86_64.rpm gtk-doc-1.33.2-1.emt3.noarch.rpm autoconf-2.72-2.emt3.noarch.rpm @@ -175,8 +175,8 @@ openssl-devel-3.3.3-2.emt3.x86_64.rpm openssl-libs-3.3.3-2.emt3.x86_64.rpm openssl-perl-3.3.3-2.emt3.x86_64.rpm openssl-static-3.3.3-2.emt3.x86_64.rpm -libcap-2.69-4.emt3.x86_64.rpm -libcap-devel-2.69-4.emt3.x86_64.rpm +libcap-2.69-5.emt3.x86_64.rpm +libcap-devel-2.69-5.emt3.x86_64.rpm debugedit-5.0-2.emt3.x86_64.rpm libarchive-3.7.7-2.emt3.x86_64.rpm libarchive-devel-3.7.7-2.emt3.x86_64.rpm 
@@ -203,12 +203,12 @@ curl-8.11.1-3.emt3.x86_64.rpm curl-devel-8.11.1-3.emt3.x86_64.rpm curl-libs-8.11.1-3.emt3.x86_64.rpm createrepo_c-1.0.3-1.emt3.x86_64.rpm -libxml2-2.11.5-5.emt3.x86_64.rpm -libxml2-devel-2.11.5-5.emt3.x86_64.rpm +libxml2-2.11.5-6.emt3.x86_64.rpm +libxml2-devel-2.11.5-6.emt3.x86_64.rpm docbook-dtd-xml-4.5-11.emt3.noarch.rpm docbook-style-xsl-1.79.1-14.emt3.noarch.rpm libsepol-3.6-2.emt3.x86_64.rpm -glib-2.78.6-1.emt3.x86_64.rpm +glib-2.78.6-3.emt3.x86_64.rpm libltdl-2.4.7-1.emt3.x86_64.rpm libltdl-devel-2.4.7-1.emt3.x86_64.rpm lua-5.4.6-1.emt3.x86_64.rpm @@ -221,15 +221,15 @@ tdnf-devel-3.5.8-10.emt3.x86_64.rpm tdnf-plugin-repogpgcheck-3.5.8-10.emt3.x86_64.rpm libassuan-2.5.6-1.emt3.x86_64.rpm libassuan-devel-2.5.6-1.emt3.x86_64.rpm -libgpg-error-1.47-1.emt3.x86_64.rpm -libgcrypt-1.10.2-1.emt3.x86_64.rpm +libgpg-error-1.48-1.emt3.x86_64.rpm +libgcrypt-1.10.3-1.emt3.x86_64.rpm libksba-1.6.4-1.emt3.x86_64.rpm libksba-devel-1.6.4-1.emt3.x86_64.rpm libxslt-1.1.43-1.emt3.x86_64.rpm npth-1.6-4.emt3.x86_64.rpm pinentry-1.2.1-1.emt3.x86_64.rpm -gnupg2-2.4.4-2.emt3.x86_64.rpm -gnupg2-lang-2.4.4-2.emt3.x86_64.rpm +gnupg2-2.4.7-1.emt3.x86_64.rpm +gnupg2-lang-2.4.7-1.emt3.x86_64.rpm gpgme-1.23.2-2.emt3.x86_64.rpm edge-rpm-macros-3.0-2.emt3.noarch.rpm edge-check-macros-3.0-2.emt3.noarch.rpm @@ -244,10 +244,10 @@ ca-certificates-base-3.0.0-9.emt3.noarch.rpm ca-certificates-3.0.0-9.emt3.noarch.rpm dwz-0.14-2.emt3.x86_64.rpm unzip-6.0-22.emt3.x86_64.rpm -python3-3.12.9-1.emt3.x86_64.rpm -python3-devel-3.12.9-1.emt3.x86_64.rpm -python3-libs-3.12.9-1.emt3.x86_64.rpm -python3-setuptools-69.0.3-4.emt3.noarch.rpm +python3-3.12.9-4.emt3.x86_64.rpm +python3-devel-3.12.9-4.emt3.x86_64.rpm +python3-libs-3.12.9-4.emt3.x86_64.rpm +python3-setuptools-69.0.3-5.emt3.noarch.rpm python3-pygments-2.7.4-2.emt3.noarch.rpm which-2.21-8.emt3.x86_64.rpm libselinux-3.6-3.emt3.x86_64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 922dfef534..81379d314b 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -1,6 +1,6 @@ acl-2.3.1-2.emt3.x86_64.rpm acl-debuginfo-2.3.1-2.emt3.x86_64.rpm -asciidoc-10.2.0-2.emt3.noarch.rpm +asciidoc-10.2.0-3.emt3.noarch.rpm attr-2.5.2-1.emt3.x86_64.rpm attr-debuginfo-2.5.2-1.emt3.x86_64.rpm audit-3.1.2-1.emt3.x86_64.rpm @@ -13,10 +13,10 @@ bash-5.2.15-3.emt3.x86_64.rpm bash-debuginfo-5.2.15-3.emt3.x86_64.rpm bash-devel-5.2.15-3.emt3.x86_64.rpm bash-lang-5.2.15-3.emt3.x86_64.rpm -binutils-2.41-5.emt3.x86_64.rpm -binutils-aarch64-linux-gnu-2.41-5.emt3.x86_64.rpm -binutils-debuginfo-2.41-5.emt3.x86_64.rpm -binutils-devel-2.41-5.emt3.x86_64.rpm +binutils-2.41-7.emt3.x86_64.rpm +binutils-aarch64-linux-gnu-2.41-7.emt3.x86_64.rpm +binutils-debuginfo-2.41-7.emt3.x86_64.rpm +binutils-devel-2.41-7.emt3.x86_64.rpm bison-3.8.2-1.emt3.x86_64.rpm bison-debuginfo-3.8.2-1.emt3.x86_64.rpm bzip2-1.0.8-1.emt3.x86_64.rpm @@ -35,8 +35,8 @@ check-debuginfo-0.15.2-1.emt3.x86_64.rpm chkconfig-1.25-1.emt3.x86_64.rpm chkconfig-debuginfo-1.25-1.emt3.x86_64.rpm chkconfig-lang-1.25-1.emt3.x86_64.rpm -cmake-3.30.3-6.emt3.x86_64.rpm -cmake-debuginfo-3.30.3-6.emt3.x86_64.rpm +cmake-3.30.3-8.emt3.x86_64.rpm +cmake-debuginfo-3.30.3-8.emt3.x86_64.rpm coreutils-9.4-6.emt3.x86_64.rpm coreutils-debuginfo-9.4-6.emt3.x86_64.rpm coreutils-lang-9.4-6.emt3.x86_64.rpm @@ -51,7 +51,7 @@ cracklib-lang-2.9.11-1.emt3.x86_64.rpm createrepo_c-1.0.3-1.emt3.x86_64.rpm createrepo_c-debuginfo-1.0.3-1.emt3.x86_64.rpm createrepo_c-devel-1.0.3-1.emt3.x86_64.rpm -cross-binutils-common-2.41-5.emt3.noarch.rpm +cross-binutils-common-2.41-7.emt3.noarch.rpm cross-gcc-common-13.2.0-7.emt3.noarch.rpm curl-8.11.1-3.emt3.x86_64.rpm curl-debuginfo-8.11.1-3.emt3.x86_64.rpm 
@@ -75,15 +75,15 @@ edge-check-macros-3.0-2.emt3.noarch.rpm edge-repos-3.0-4.emt3.noarch.rpm edge-repos-shared-3.0-4.emt3.noarch.rpm edge-rpm-macros-3.0-2.emt3.noarch.rpm -elfutils-0.189-6.emt3.x86_64.rpm -elfutils-debuginfo-0.189-6.emt3.x86_64.rpm -elfutils-default-yama-scope-0.189-6.emt3.noarch.rpm -elfutils-devel-0.189-6.emt3.x86_64.rpm -elfutils-devel-static-0.189-6.emt3.x86_64.rpm -elfutils-libelf-0.189-6.emt3.x86_64.rpm -elfutils-libelf-devel-0.189-6.emt3.x86_64.rpm -elfutils-libelf-devel-static-0.189-6.emt3.x86_64.rpm -elfutils-libelf-lang-0.189-6.emt3.x86_64.rpm +elfutils-0.189-7.emt3.x86_64.rpm +elfutils-debuginfo-0.189-7.emt3.x86_64.rpm +elfutils-default-yama-scope-0.189-7.emt3.noarch.rpm +elfutils-devel-0.189-7.emt3.x86_64.rpm +elfutils-devel-static-0.189-7.emt3.x86_64.rpm +elfutils-libelf-0.189-7.emt3.x86_64.rpm +elfutils-libelf-devel-0.189-7.emt3.x86_64.rpm +elfutils-libelf-devel-static-0.189-7.emt3.x86_64.rpm +elfutils-libelf-lang-0.189-7.emt3.x86_64.rpm expat-2.6.4-1.emt3.x86_64.rpm expat-debuginfo-2.6.4-1.emt3.x86_64.rpm expat-devel-2.6.4-1.emt3.x86_64.rpm 
@@ -114,27 +114,27 @@ gdbm-lang-1.23-1.emt3.x86_64.rpm gettext-0.22-1.emt3.x86_64.rpm gettext-debuginfo-0.22-1.emt3.x86_64.rpm gfortran-13.2.0-7.emt3.x86_64.rpm -glib-2.78.6-1.emt3.x86_64.rpm -glibc-2.38-10.emt3.x86_64.rpm -glibc-debuginfo-2.38-10.emt3.x86_64.rpm -glibc-devel-2.38-10.emt3.x86_64.rpm -glibc-i18n-2.38-10.emt3.x86_64.rpm -glibc-iconv-2.38-10.emt3.x86_64.rpm -glibc-lang-2.38-10.emt3.x86_64.rpm -glibc-locales-all-2.38-10.emt3.x86_64.rpm -glibc-nscd-2.38-10.emt3.x86_64.rpm -glibc-static-2.38-10.emt3.x86_64.rpm -glibc-tools-2.38-10.emt3.x86_64.rpm -glib-debuginfo-2.78.6-1.emt3.x86_64.rpm -glib-devel-2.78.6-1.emt3.x86_64.rpm -glib-doc-2.78.6-1.emt3.noarch.rpm -glib-schemas-2.78.6-1.emt3.x86_64.rpm +glib-2.78.6-3.emt3.x86_64.rpm +glibc-2.38-11.emt3.x86_64.rpm +glibc-debuginfo-2.38-11.emt3.x86_64.rpm +glibc-devel-2.38-11.emt3.x86_64.rpm +glibc-i18n-2.38-11.emt3.x86_64.rpm +glibc-iconv-2.38-11.emt3.x86_64.rpm +glibc-lang-2.38-11.emt3.x86_64.rpm +glibc-locales-all-2.38-11.emt3.x86_64.rpm +glibc-nscd-2.38-11.emt3.x86_64.rpm +glibc-static-2.38-11.emt3.x86_64.rpm +glibc-tools-2.38-11.emt3.x86_64.rpm +glib-debuginfo-2.78.6-3.emt3.x86_64.rpm +glib-devel-2.78.6-3.emt3.x86_64.rpm +glib-doc-2.78.6-3.emt3.noarch.rpm +glib-schemas-2.78.6-3.emt3.x86_64.rpm gmp-6.3.0-1.emt3.x86_64.rpm gmp-debuginfo-6.3.0-1.emt3.x86_64.rpm gmp-devel-6.3.0-1.emt3.x86_64.rpm -gnupg2-2.4.4-2.emt3.x86_64.rpm -gnupg2-debuginfo-2.4.4-2.emt3.x86_64.rpm -gnupg2-lang-2.4.4-2.emt3.x86_64.rpm +gnupg2-2.4.7-1.emt3.x86_64.rpm +gnupg2-debuginfo-2.4.7-1.emt3.x86_64.rpm +gnupg2-lang-2.4.7-1.emt3.x86_64.rpm gperf-3.1-5.emt3.x86_64.rpm gperf-debuginfo-3.1-5.emt3.x86_64.rpm gpgme-1.23.2-2.emt3.x86_64.rpm 
@@ -170,9 +170,9 @@ libassuan-devel-2.5.6-1.emt3.x86_64.rpm
 libattr-2.5.2-1.emt3.x86_64.rpm
 libattr-devel-2.5.2-1.emt3.x86_64.rpm
 libbacktrace-static-13.2.0-7.emt3.x86_64.rpm
-libcap-2.69-4.emt3.x86_64.rpm
-libcap-debuginfo-2.69-4.emt3.x86_64.rpm
-libcap-devel-2.69-4.emt3.x86_64.rpm
+libcap-2.69-5.emt3.x86_64.rpm
+libcap-debuginfo-2.69-5.emt3.x86_64.rpm
+libcap-devel-2.69-5.emt3.x86_64.rpm
 libcap-ng-0.8.4-1.emt3.x86_64.rpm
 libcap-ng-debuginfo-0.8.4-1.emt3.x86_64.rpm
 libcap-ng-devel-0.8.4-1.emt3.x86_64.rpm
@@ -182,15 +182,15 @@ libffi-devel-3.4.4-1.emt3.x86_64.rpm
 libgcc-13.2.0-7.emt3.x86_64.rpm
 libgcc-atomic-13.2.0-7.emt3.x86_64.rpm
 libgcc-devel-13.2.0-7.emt3.x86_64.rpm
-libgcrypt-1.10.2-1.emt3.x86_64.rpm
-libgcrypt-debuginfo-1.10.2-1.emt3.x86_64.rpm
-libgcrypt-devel-1.10.2-1.emt3.x86_64.rpm
+libgcrypt-1.10.3-1.emt3.x86_64.rpm
+libgcrypt-debuginfo-1.10.3-1.emt3.x86_64.rpm
+libgcrypt-devel-1.10.3-1.emt3.x86_64.rpm
 libgomp-13.2.0-7.emt3.x86_64.rpm
 libgomp-devel-13.2.0-7.emt3.x86_64.rpm
-libgpg-error-1.47-1.emt3.x86_64.rpm
-libgpg-error-debuginfo-1.47-1.emt3.x86_64.rpm
-libgpg-error-devel-1.47-1.emt3.x86_64.rpm
-libgpg-error-lang-1.47-1.emt3.x86_64.rpm
+libgpg-error-1.48-1.emt3.x86_64.rpm
+libgpg-error-debuginfo-1.48-1.emt3.x86_64.rpm
+libgpg-error-devel-1.48-1.emt3.x86_64.rpm
+libgpg-error-lang-1.48-1.emt3.x86_64.rpm
 libksba-1.6.4-1.emt3.x86_64.rpm
 libksba-debuginfo-1.6.4-1.emt3.x86_64.rpm
 libksba-devel-1.6.4-1.emt3.x86_64.rpm
@@ -235,9 +235,9 @@ libtool-debuginfo-2.4.7-1.emt3.x86_64.rpm
 libxcrypt-4.4.36-2.emt3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.emt3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.emt3.x86_64.rpm
-libxml2-2.11.5-5.emt3.x86_64.rpm
-libxml2-debuginfo-2.11.5-5.emt3.x86_64.rpm
-libxml2-devel-2.11.5-5.emt3.x86_64.rpm
+libxml2-2.11.5-6.emt3.x86_64.rpm
+libxml2-debuginfo-2.11.5-6.emt3.x86_64.rpm
+libxml2-devel-2.11.5-6.emt3.x86_64.rpm
 libxslt-1.1.43-1.emt3.x86_64.rpm
 libxslt-debuginfo-1.1.43-1.emt3.x86_64.rpm
 libxslt-devel-1.1.43-1.emt3.x86_64.rpm
@@ -291,10 +291,10 @@ p11-kit-debuginfo-0.25.0-1.emt3.x86_64.rpm
 p11-kit-devel-0.25.0-1.emt3.x86_64.rpm
 p11-kit-server-0.25.0-1.emt3.x86_64.rpm
 p11-kit-trust-0.25.0-1.emt3.x86_64.rpm
-pam-1.5.3-4.emt3.x86_64.rpm
-pam-debuginfo-1.5.3-4.emt3.x86_64.rpm
-pam-devel-1.5.3-4.emt3.x86_64.rpm
-pam-lang-1.5.3-4.emt3.x86_64.rpm
+pam-1.5.3-5.emt3.x86_64.rpm
+pam-debuginfo-1.5.3-5.emt3.x86_64.rpm
+pam-devel-1.5.3-5.emt3.x86_64.rpm
+pam-lang-1.5.3-5.emt3.x86_64.rpm
 patch-2.7.6-9.emt3.x86_64.rpm
 patch-debuginfo-2.7.6-9.emt3.x86_64.rpm
 pcre2-10.42-3.emt3.x86_64.rpm
@@ -303,207 +303,207 @@ pcre2-devel-10.42-3.emt3.x86_64.rpm pcre2-devel-static-10.42-3.emt3.x86_64.rpm pcre2-doc-10.42-3.emt3.noarch.rpm pcre2-tools-10.42-3.emt3.x86_64.rpm -perl-5.38.2-507.emt3.x86_64.rpm -perl-Archive-Tar-2.40-507.emt3.noarch.rpm -perl-Attribute-Handlers-1.03-507.emt3.noarch.rpm -perl-autodie-2.36-507.emt3.noarch.rpm -perl-AutoLoader-5.74-507.emt3.noarch.rpm -perl-AutoSplit-5.74-507.emt3.noarch.rpm -perl-autouse-1.11-507.emt3.noarch.rpm -perl-B-1.88-507.emt3.x86_64.rpm -perl-base-2.27-507.emt3.noarch.rpm -perl-Benchmark-1.24-507.emt3.noarch.rpm -perl-bignum-0.66-507.emt3.noarch.rpm -perl-blib-1.07-507.emt3.noarch.rpm -perl-Carp-1.54-507.emt3.noarch.rpm -perl-Class-Struct-0.68-507.emt3.noarch.rpm -perl-Compress-Raw-Bzip2-2.204-507.emt3.x86_64.rpm -perl-Compress-Raw-Zlib-2.204-507.emt3.x86_64.rpm -perl-Config-Extensions-0.03-507.emt3.noarch.rpm -perl-Config-Perl-V-0.36-507.emt3.noarch.rpm -perl-constant-1.33-507.emt3.noarch.rpm -perl-CPAN-2.36-507.emt3.noarch.rpm -perl-CPAN-Meta-2.150010-507.emt3.noarch.rpm -perl-CPAN-Meta-Requirements-2.140-507.emt3.noarch.rpm -perl-CPAN-Meta-YAML-0.018-507.emt3.noarch.rpm -perl-Data-Dumper-2.188-507.emt3.x86_64.rpm +perl-5.38.2-509.emt3.x86_64.rpm +perl-Archive-Tar-2.40-509.emt3.noarch.rpm +perl-Attribute-Handlers-1.03-509.emt3.noarch.rpm +perl-autodie-2.36-509.emt3.noarch.rpm +perl-AutoLoader-5.74-509.emt3.noarch.rpm +perl-AutoSplit-5.74-509.emt3.noarch.rpm +perl-autouse-1.11-509.emt3.noarch.rpm +perl-B-1.88-509.emt3.x86_64.rpm +perl-base-2.27-509.emt3.noarch.rpm +perl-Benchmark-1.24-509.emt3.noarch.rpm +perl-bignum-0.66-509.emt3.noarch.rpm +perl-blib-1.07-509.emt3.noarch.rpm +perl-Carp-1.54-509.emt3.noarch.rpm +perl-Class-Struct-0.68-509.emt3.noarch.rpm +perl-Compress-Raw-Bzip2-2.204-509.emt3.x86_64.rpm +perl-Compress-Raw-Zlib-2.204-509.emt3.x86_64.rpm +perl-Config-Extensions-0.03-509.emt3.noarch.rpm +perl-Config-Perl-V-0.36-509.emt3.noarch.rpm +perl-constant-1.33-509.emt3.noarch.rpm 
+perl-CPAN-2.36-509.emt3.noarch.rpm +perl-CPAN-Meta-2.150010-509.emt3.noarch.rpm +perl-CPAN-Meta-Requirements-2.140-509.emt3.noarch.rpm +perl-CPAN-Meta-YAML-0.018-509.emt3.noarch.rpm +perl-Data-Dumper-2.188-509.emt3.x86_64.rpm perl-DBD-SQLite-1.74-2.emt3.x86_64.rpm perl-DBD-SQLite-debuginfo-1.74-2.emt3.x86_64.rpm perl-DBI-1.643-3.emt3.x86_64.rpm perl-DBI-debuginfo-1.643-3.emt3.x86_64.rpm perl-DBIx-Simple-1.37-7.emt3.noarch.rpm -perl-DBM_Filter-0.06-507.emt3.noarch.rpm -perl-debugger-1.60-507.emt3.noarch.rpm -perl-debuginfo-5.38.2-507.emt3.x86_64.rpm -perl-deprecate-0.04-507.emt3.noarch.rpm -perl-devel-5.38.2-507.emt3.x86_64.rpm -perl-Devel-Peek-1.33-507.emt3.x86_64.rpm -perl-Devel-PPPort-3.71-507.emt3.x86_64.rpm -perl-Devel-SelfStubber-1.06-507.emt3.noarch.rpm -perl-diagnostics-1.39-507.emt3.noarch.rpm -perl-Digest-1.20-507.emt3.noarch.rpm -perl-Digest-MD5-2.58-507.emt3.x86_64.rpm -perl-Digest-SHA-6.04-507.emt3.x86_64.rpm -perl-DirHandle-1.05-507.emt3.noarch.rpm -perl-doc-5.38.2-507.emt3.noarch.rpm -perl-Dumpvalue-2.27-507.emt3.noarch.rpm -perl-DynaLoader-1.54-507.emt3.x86_64.rpm -perl-Encode-3.19-507.emt3.x86_64.rpm -perl-Encode-devel-3.19-507.emt3.noarch.rpm -perl-encoding-3.00-507.emt3.x86_64.rpm -perl-encoding-warnings-0.14-507.emt3.noarch.rpm -perl-English-1.11-507.emt3.noarch.rpm -perl-Env-1.06-507.emt3.noarch.rpm -perl-Errno-1.37-507.emt3.x86_64.rpm -perl-experimental-0.031-507.emt3.noarch.rpm -perl-Exporter-5.77-507.emt3.noarch.rpm -perl-ExtUtils-CBuilder-0.280238-507.emt3.noarch.rpm -perl-ExtUtils-Command-7.70-507.emt3.noarch.rpm -perl-ExtUtils-Constant-0.25-507.emt3.noarch.rpm -perl-ExtUtils-Embed-1.35-507.emt3.noarch.rpm -perl-ExtUtils-Install-2.22-507.emt3.noarch.rpm -perl-ExtUtils-MakeMaker-7.70-507.emt3.noarch.rpm -perl-ExtUtils-Manifest-1.73-507.emt3.noarch.rpm -perl-ExtUtils-Miniperl-1.13-507.emt3.noarch.rpm -perl-ExtUtils-MM-Utils-7.44-507.emt3.noarch.rpm -perl-ExtUtils-ParseXS-3.51-507.emt3.noarch.rpm -perl-Fcntl-1.15-507.emt3.x86_64.rpm 
+perl-DBM_Filter-0.06-509.emt3.noarch.rpm +perl-debugger-1.60-509.emt3.noarch.rpm +perl-debuginfo-5.38.2-509.emt3.x86_64.rpm +perl-deprecate-0.04-509.emt3.noarch.rpm +perl-devel-5.38.2-509.emt3.x86_64.rpm +perl-Devel-Peek-1.33-509.emt3.x86_64.rpm +perl-Devel-PPPort-3.71-509.emt3.x86_64.rpm +perl-Devel-SelfStubber-1.06-509.emt3.noarch.rpm +perl-diagnostics-1.39-509.emt3.noarch.rpm +perl-Digest-1.20-509.emt3.noarch.rpm +perl-Digest-MD5-2.58-509.emt3.x86_64.rpm +perl-Digest-SHA-6.04-509.emt3.x86_64.rpm +perl-DirHandle-1.05-509.emt3.noarch.rpm +perl-doc-5.38.2-509.emt3.noarch.rpm +perl-Dumpvalue-2.27-509.emt3.noarch.rpm +perl-DynaLoader-1.54-509.emt3.x86_64.rpm +perl-Encode-3.19-509.emt3.x86_64.rpm +perl-Encode-devel-3.19-509.emt3.noarch.rpm +perl-encoding-3.00-509.emt3.x86_64.rpm +perl-encoding-warnings-0.14-509.emt3.noarch.rpm +perl-English-1.11-509.emt3.noarch.rpm +perl-Env-1.06-509.emt3.noarch.rpm +perl-Errno-1.37-509.emt3.x86_64.rpm +perl-experimental-0.031-509.emt3.noarch.rpm +perl-Exporter-5.77-509.emt3.noarch.rpm +perl-ExtUtils-CBuilder-0.280238-509.emt3.noarch.rpm +perl-ExtUtils-Command-7.70-509.emt3.noarch.rpm +perl-ExtUtils-Constant-0.25-509.emt3.noarch.rpm +perl-ExtUtils-Embed-1.35-509.emt3.noarch.rpm +perl-ExtUtils-Install-2.22-509.emt3.noarch.rpm +perl-ExtUtils-MakeMaker-7.70-509.emt3.noarch.rpm +perl-ExtUtils-Manifest-1.73-509.emt3.noarch.rpm +perl-ExtUtils-Miniperl-1.13-509.emt3.noarch.rpm +perl-ExtUtils-MM-Utils-7.44-509.emt3.noarch.rpm +perl-ExtUtils-ParseXS-3.51-509.emt3.noarch.rpm +perl-Fcntl-1.15-509.emt3.x86_64.rpm perl-Fedora-VSP-0.001-20.emt3.noarch.rpm -perl-fields-2.27-507.emt3.noarch.rpm -perl-File-Basename-2.86-507.emt3.noarch.rpm -perl-FileCache-1.10-507.emt3.noarch.rpm -perl-File-Compare-1.100.700-507.emt3.noarch.rpm -perl-File-Copy-2.41-507.emt3.noarch.rpm -perl-File-DosGlob-1.12-507.emt3.x86_64.rpm -perl-File-Fetch-1.04-507.emt3.noarch.rpm -perl-File-Find-1.43-507.emt3.noarch.rpm -perl-FileHandle-2.05-507.emt3.noarch.rpm 
-perl-File-Path-2.18-507.emt3.noarch.rpm -perl-File-stat-1.13-507.emt3.noarch.rpm -perl-File-Temp-0.231.100-507.emt3.noarch.rpm -perl-filetest-1.03-507.emt3.noarch.rpm -perl-Filter-1.64-507.emt3.x86_64.rpm -perl-Filter-Simple-0.96-507.emt3.noarch.rpm -perl-FindBin-1.53-507.emt3.noarch.rpm -perl-GDBM_File-1.24-507.emt3.x86_64.rpm +perl-fields-2.27-509.emt3.noarch.rpm +perl-File-Basename-2.86-509.emt3.noarch.rpm +perl-FileCache-1.10-509.emt3.noarch.rpm +perl-File-Compare-1.100.700-509.emt3.noarch.rpm +perl-File-Copy-2.41-509.emt3.noarch.rpm +perl-File-DosGlob-1.12-509.emt3.x86_64.rpm +perl-File-Fetch-1.04-509.emt3.noarch.rpm +perl-File-Find-1.43-509.emt3.noarch.rpm +perl-FileHandle-2.05-509.emt3.noarch.rpm +perl-File-Path-2.18-509.emt3.noarch.rpm +perl-File-stat-1.13-509.emt3.noarch.rpm +perl-File-Temp-0.231.100-509.emt3.noarch.rpm +perl-filetest-1.03-509.emt3.noarch.rpm +perl-Filter-1.64-509.emt3.x86_64.rpm +perl-Filter-Simple-0.96-509.emt3.noarch.rpm +perl-FindBin-1.53-509.emt3.noarch.rpm +perl-GDBM_File-1.24-509.emt3.x86_64.rpm perl-generators-1.15-2.emt3.noarch.rpm -perl-Getopt-Long-2.54-507.emt3.noarch.rpm -perl-Getopt-Std-1.13-507.emt3.noarch.rpm -perl-Hash-Util-0.30-507.emt3.x86_64.rpm -perl-Hash-Util-FieldHash-1.26-507.emt3.x86_64.rpm -perl-HTTP-Tiny-0.086-507.emt3.noarch.rpm -perl-I18N-Collate-1.02-507.emt3.noarch.rpm -perl-I18N-Langinfo-0.22-507.emt3.x86_64.rpm -perl-I18N-LangTags-0.45-507.emt3.noarch.rpm -perl-if-0.61.000-507.emt3.noarch.rpm -perl-interpreter-5.38.2-507.emt3.x86_64.rpm -perl-IO-1.52-507.emt3.x86_64.rpm -perl-IO-Compress-2.204-507.emt3.noarch.rpm -perl-IO-Socket-IP-0.41-507.emt3.noarch.rpm -perl-IO-Zlib-1.14-507.emt3.noarch.rpm -perl-IPC-Cmd-1.04-507.emt3.noarch.rpm -perl-IPC-Open3-1.22-507.emt3.noarch.rpm -perl-IPC-SysV-2.09-507.emt3.x86_64.rpm -perl-JSON-PP-4.16-507.emt3.noarch.rpm -perl-less-0.03-507.emt3.noarch.rpm -perl-lib-0.65-507.emt3.x86_64.rpm +perl-Getopt-Long-2.54-509.emt3.noarch.rpm +perl-Getopt-Std-1.13-509.emt3.noarch.rpm 
+perl-Hash-Util-0.30-509.emt3.x86_64.rpm +perl-Hash-Util-FieldHash-1.26-509.emt3.x86_64.rpm +perl-HTTP-Tiny-0.086-509.emt3.noarch.rpm +perl-I18N-Collate-1.02-509.emt3.noarch.rpm +perl-I18N-Langinfo-0.22-509.emt3.x86_64.rpm +perl-I18N-LangTags-0.45-509.emt3.noarch.rpm +perl-if-0.61.000-509.emt3.noarch.rpm +perl-interpreter-5.38.2-509.emt3.x86_64.rpm +perl-IO-1.52-509.emt3.x86_64.rpm +perl-IO-Compress-2.204-509.emt3.noarch.rpm +perl-IO-Socket-IP-0.41-509.emt3.noarch.rpm +perl-IO-Zlib-1.14-509.emt3.noarch.rpm +perl-IPC-Cmd-1.04-509.emt3.noarch.rpm +perl-IPC-Open3-1.22-509.emt3.noarch.rpm +perl-IPC-SysV-2.09-509.emt3.x86_64.rpm +perl-JSON-PP-4.16-509.emt3.noarch.rpm +perl-less-0.03-509.emt3.noarch.rpm +perl-lib-0.65-509.emt3.x86_64.rpm perl-libintl-perl-1.33-1.emt3.x86_64.rpm perl-libintl-perl-debuginfo-1.33-1.emt3.x86_64.rpm -perl-libnet-3.15-507.emt3.noarch.rpm -perl-libnetcfg-5.38.2-507.emt3.noarch.rpm -perl-libs-5.38.2-507.emt3.x86_64.rpm -perl-locale-1.10-507.emt3.noarch.rpm -perl-Locale-Maketext-1.33-507.emt3.noarch.rpm -perl-Locale-Maketext-Simple-0.21-507.emt3.noarch.rpm -perl-macros-5.38.2-507.emt3.noarch.rpm -perl-Math-BigInt-1.9998.37-507.emt3.noarch.rpm -perl-Math-BigInt-FastCalc-0.501.300-507.emt3.x86_64.rpm -perl-Math-BigRat-0.2624-507.emt3.noarch.rpm -perl-Math-Complex-1.62-507.emt3.noarch.rpm -perl-Memoize-1.16-507.emt3.noarch.rpm -perl-meta-notation-5.38.2-507.emt3.noarch.rpm -perl-MIME-Base64-3.16-507.emt3.x86_64.rpm -perl-Module-CoreList-5.20231129-507.emt3.noarch.rpm -perl-Module-CoreList-tools-5.20231129-507.emt3.noarch.rpm -perl-Module-Load-0.36-507.emt3.noarch.rpm -perl-Module-Load-Conditional-0.74-507.emt3.noarch.rpm -perl-Module-Loaded-0.08-507.emt3.noarch.rpm -perl-Module-Metadata-1.000037-507.emt3.noarch.rpm -perl-mro-1.28-507.emt3.x86_64.rpm -perl-NDBM_File-1.16-507.emt3.x86_64.rpm -perl-Net-1.03-507.emt3.noarch.rpm -perl-Net-Ping-2.76-507.emt3.noarch.rpm -perl-NEXT-0.69-507.emt3.noarch.rpm +perl-libnet-3.15-509.emt3.noarch.rpm 
+perl-libnetcfg-5.38.2-509.emt3.noarch.rpm +perl-libs-5.38.2-509.emt3.x86_64.rpm +perl-locale-1.10-509.emt3.noarch.rpm +perl-Locale-Maketext-1.33-509.emt3.noarch.rpm +perl-Locale-Maketext-Simple-0.21-509.emt3.noarch.rpm +perl-macros-5.38.2-509.emt3.noarch.rpm +perl-Math-BigInt-1.9998.37-509.emt3.noarch.rpm +perl-Math-BigInt-FastCalc-0.501.300-509.emt3.x86_64.rpm +perl-Math-BigRat-0.2624-509.emt3.noarch.rpm +perl-Math-Complex-1.62-509.emt3.noarch.rpm +perl-Memoize-1.16-509.emt3.noarch.rpm +perl-meta-notation-5.38.2-509.emt3.noarch.rpm +perl-MIME-Base64-3.16-509.emt3.x86_64.rpm +perl-Module-CoreList-5.20231129-509.emt3.noarch.rpm +perl-Module-CoreList-tools-5.20231129-509.emt3.noarch.rpm +perl-Module-Load-0.36-509.emt3.noarch.rpm +perl-Module-Load-Conditional-0.74-509.emt3.noarch.rpm +perl-Module-Loaded-0.08-509.emt3.noarch.rpm +perl-Module-Metadata-1.000037-509.emt3.noarch.rpm +perl-mro-1.28-509.emt3.x86_64.rpm +perl-NDBM_File-1.16-509.emt3.x86_64.rpm +perl-Net-1.03-509.emt3.noarch.rpm +perl-Net-Ping-2.76-509.emt3.noarch.rpm +perl-NEXT-0.69-509.emt3.noarch.rpm perl-Object-Accessor-0.48-10.emt3.noarch.rpm -perl-ODBM_File-1.18-507.emt3.x86_64.rpm -perl-Opcode-1.64-507.emt3.x86_64.rpm -perl-open-1.13-507.emt3.noarch.rpm -perl-overload-1.37-507.emt3.noarch.rpm -perl-overloading-0.02-507.emt3.noarch.rpm -perl-Params-Check-0.38-507.emt3.noarch.rpm -perl-parent-0.241-507.emt3.noarch.rpm -perl-PathTools-3.89-507.emt3.x86_64.rpm -perl-perlfaq-5.20210520-507.emt3.noarch.rpm -perl-PerlIO-via-QuotedPrint-0.10-507.emt3.noarch.rpm -perl-Perl-OSType-1.010-507.emt3.noarch.rpm -perl-ph-5.38.2-507.emt3.x86_64.rpm -perl-Pod-Checker-1.75-507.emt3.noarch.rpm -perl-Pod-Escapes-1.07-507.emt3.noarch.rpm -perl-Pod-Functions-1.14-507.emt3.noarch.rpm -perl-Pod-Html-1.34-507.emt3.noarch.rpm -perl-podlators-5.01-507.emt3.noarch.rpm -perl-Pod-Perldoc-3.28.01-507.emt3.noarch.rpm -perl-Pod-Simple-3.43-507.emt3.noarch.rpm -perl-Pod-Usage-2.03-507.emt3.noarch.rpm -perl-POSIX-2.13-507.emt3.x86_64.rpm 
-perl-Safe-2.44-507.emt3.noarch.rpm -perl-Scalar-List-Utils-1.63-507.emt3.x86_64.rpm -perl-Search-Dict-1.07-507.emt3.noarch.rpm -perl-SelectSaver-1.02-507.emt3.noarch.rpm -perl-SelfLoader-1.26-507.emt3.noarch.rpm -perl-sigtrap-1.10-507.emt3.noarch.rpm -perl-Socket-2.036-507.emt3.x86_64.rpm -perl-sort-2.05-507.emt3.noarch.rpm -perl-Storable-3.32-507.emt3.x86_64.rpm -perl-subs-1.04-507.emt3.noarch.rpm -perl-Symbol-1.09-507.emt3.noarch.rpm -perl-Sys-Hostname-1.25-507.emt3.x86_64.rpm -perl-Sys-Syslog-0.36-507.emt3.x86_64.rpm -perl-Term-ANSIColor-5.01-507.emt3.noarch.rpm -perl-Term-Cap-1.18-507.emt3.noarch.rpm -perl-Term-Complete-1.403-507.emt3.noarch.rpm -perl-Term-ReadLine-1.17-507.emt3.noarch.rpm -perl-Test-1.31-507.emt3.noarch.rpm -perl-Test-Harness-3.44-507.emt3.noarch.rpm -perl-tests-5.38.2-507.emt3.x86_64.rpm -perl-Test-Simple-1.302194-507.emt3.noarch.rpm +perl-ODBM_File-1.18-509.emt3.x86_64.rpm +perl-Opcode-1.64-509.emt3.x86_64.rpm +perl-open-1.13-509.emt3.noarch.rpm +perl-overload-1.37-509.emt3.noarch.rpm +perl-overloading-0.02-509.emt3.noarch.rpm +perl-Params-Check-0.38-509.emt3.noarch.rpm +perl-parent-0.241-509.emt3.noarch.rpm +perl-PathTools-3.89-509.emt3.x86_64.rpm +perl-perlfaq-5.20210520-509.emt3.noarch.rpm +perl-PerlIO-via-QuotedPrint-0.10-509.emt3.noarch.rpm +perl-Perl-OSType-1.010-509.emt3.noarch.rpm +perl-ph-5.38.2-509.emt3.x86_64.rpm +perl-Pod-Checker-1.75-509.emt3.noarch.rpm +perl-Pod-Escapes-1.07-509.emt3.noarch.rpm +perl-Pod-Functions-1.14-509.emt3.noarch.rpm +perl-Pod-Html-1.34-509.emt3.noarch.rpm +perl-podlators-5.01-509.emt3.noarch.rpm +perl-Pod-Perldoc-3.28.01-509.emt3.noarch.rpm +perl-Pod-Simple-3.43-509.emt3.noarch.rpm +perl-Pod-Usage-2.03-509.emt3.noarch.rpm +perl-POSIX-2.13-509.emt3.x86_64.rpm +perl-Safe-2.44-509.emt3.noarch.rpm +perl-Scalar-List-Utils-1.63-509.emt3.x86_64.rpm +perl-Search-Dict-1.07-509.emt3.noarch.rpm +perl-SelectSaver-1.02-509.emt3.noarch.rpm +perl-SelfLoader-1.26-509.emt3.noarch.rpm 
+perl-sigtrap-1.10-509.emt3.noarch.rpm +perl-Socket-2.036-509.emt3.x86_64.rpm +perl-sort-2.05-509.emt3.noarch.rpm +perl-Storable-3.32-509.emt3.x86_64.rpm +perl-subs-1.04-509.emt3.noarch.rpm +perl-Symbol-1.09-509.emt3.noarch.rpm +perl-Sys-Hostname-1.25-509.emt3.x86_64.rpm +perl-Sys-Syslog-0.36-509.emt3.x86_64.rpm +perl-Term-ANSIColor-5.01-509.emt3.noarch.rpm +perl-Term-Cap-1.18-509.emt3.noarch.rpm +perl-Term-Complete-1.403-509.emt3.noarch.rpm +perl-Term-ReadLine-1.17-509.emt3.noarch.rpm +perl-Test-1.31-509.emt3.noarch.rpm +perl-Test-Harness-3.44-509.emt3.noarch.rpm +perl-tests-5.38.2-509.emt3.x86_64.rpm +perl-Test-Simple-1.302194-509.emt3.noarch.rpm perl-Test-Warnings-0.032-2.emt3.noarch.rpm -perl-Text-Abbrev-1.02-507.emt3.noarch.rpm -perl-Text-Balanced-2.06-507.emt3.noarch.rpm -perl-Text-ParseWords-3.31-507.emt3.noarch.rpm -perl-Text-Tabs+Wrap-2021.0814-507.emt3.noarch.rpm +perl-Text-Abbrev-1.02-509.emt3.noarch.rpm +perl-Text-Balanced-2.06-509.emt3.noarch.rpm +perl-Text-ParseWords-3.31-509.emt3.noarch.rpm +perl-Text-Tabs+Wrap-2021.0814-509.emt3.noarch.rpm perl-Text-Template-1.61-2.emt3.noarch.rpm -perl-Thread-3.05-507.emt3.noarch.rpm -perl-Thread-Queue-3.14-507.emt3.noarch.rpm -perl-threads-2.36-507.emt3.x86_64.rpm -perl-Thread-Semaphore-2.13-507.emt3.noarch.rpm -perl-threads-shared-1.68-507.emt3.x86_64.rpm -perl-Tie-4.6-507.emt3.noarch.rpm -perl-Tie-File-1.07-507.emt3.noarch.rpm -perl-Tie-Memoize-1.1-507.emt3.noarch.rpm -perl-Tie-RefHash-1.40-507.emt3.noarch.rpm -perl-Time-1.03-507.emt3.noarch.rpm -perl-Time-HiRes-1.9775-507.emt3.x86_64.rpm -perl-Time-Local-1.300-507.emt3.noarch.rpm -perl-Time-Piece-1.3401-507.emt3.x86_64.rpm -perl-Unicode-Collate-1.31-507.emt3.x86_64.rpm -perl-Unicode-Normalize-1.32-507.emt3.x86_64.rpm -perl-Unicode-UCD-0.78-507.emt3.noarch.rpm -perl-User-pwent-1.04-507.emt3.noarch.rpm -perl-utils-5.38.2-507.emt3.noarch.rpm -perl-vars-1.05-507.emt3.noarch.rpm -perl-version-0.99.29-507.emt3.noarch.rpm -perl-vmsish-1.04-507.emt3.noarch.rpm 
+perl-Thread-3.05-509.emt3.noarch.rpm +perl-Thread-Queue-3.14-509.emt3.noarch.rpm +perl-threads-2.36-509.emt3.x86_64.rpm +perl-Thread-Semaphore-2.13-509.emt3.noarch.rpm +perl-threads-shared-1.68-509.emt3.x86_64.rpm +perl-Tie-4.6-509.emt3.noarch.rpm +perl-Tie-File-1.07-509.emt3.noarch.rpm +perl-Tie-Memoize-1.1-509.emt3.noarch.rpm +perl-Tie-RefHash-1.40-509.emt3.noarch.rpm +perl-Time-1.03-509.emt3.noarch.rpm +perl-Time-HiRes-1.9775-509.emt3.x86_64.rpm +perl-Time-Local-1.300-509.emt3.noarch.rpm +perl-Time-Piece-1.3401-509.emt3.x86_64.rpm +perl-Unicode-Collate-1.31-509.emt3.x86_64.rpm +perl-Unicode-Normalize-1.32-509.emt3.x86_64.rpm +perl-Unicode-UCD-0.78-509.emt3.noarch.rpm +perl-User-pwent-1.04-509.emt3.noarch.rpm +perl-utils-5.38.2-509.emt3.noarch.rpm +perl-vars-1.05-509.emt3.noarch.rpm +perl-version-0.99.29-509.emt3.noarch.rpm +perl-vmsish-1.04-509.emt3.noarch.rpm perl-XML-Parser-2.47-1.emt3.x86_64.rpm perl-XML-Parser-debuginfo-2.47-1.emt3.x86_64.rpm pinentry-1.2.1-1.emt3.x86_64.rpm 
@@ -522,31 +522,31 @@ procps-ng-devel-4.0.4-1.emt3.x86_64.rpm
 procps-ng-lang-4.0.4-1.emt3.x86_64.rpm
 pyproject-rpm-macros-1.12.0-2.emt3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.emt3.noarch.rpm
-python3-3.12.9-1.emt3.x86_64.rpm
+python3-3.12.9-4.emt3.x86_64.rpm
 python3-audit-3.1.2-1.emt3.x86_64.rpm
 python3-cracklib-2.9.11-1.emt3.x86_64.rpm
-python3-curses-3.12.9-1.emt3.x86_64.rpm
+python3-curses-3.12.9-4.emt3.x86_64.rpm
 python3-Cython-3.0.5-2.emt3.x86_64.rpm
-python3-debuginfo-3.12.9-1.emt3.x86_64.rpm
-python3-devel-3.12.9-1.emt3.x86_64.rpm
+python3-debuginfo-3.12.9-4.emt3.x86_64.rpm
+python3-devel-3.12.9-4.emt3.x86_64.rpm
 python3-flit-core-3.9.0-1.emt3.noarch.rpm
 python3-gpg-1.23.2-2.emt3.x86_64.rpm
 python3-jinja2-3.1.2-3.emt3.noarch.rpm
 python3-libcap-ng-0.8.4-1.emt3.x86_64.rpm
-python3-libs-3.12.9-1.emt3.x86_64.rpm
-python3-libxml2-2.11.5-5.emt3.x86_64.rpm
+python3-libs-3.12.9-4.emt3.x86_64.rpm
+python3-libxml2-2.11.5-6.emt3.x86_64.rpm
 python3-lxml-4.9.3-1.emt3.x86_64.rpm
 python3-magic-5.45-1.emt3.noarch.rpm
 python3-markupsafe-2.1.3-1.emt3.x86_64.rpm
 python3-newt-0.52.23-1.emt3.x86_64.rpm
 python3-packaging-23.2-3.emt3.noarch.rpm
-python3-pip-24.2-2.emt3.noarch.rpm
+python3-pip-24.2-3.emt3.noarch.rpm
 python3-pygments-2.7.4-2.emt3.noarch.rpm
 python3-rpm-4.18.2-1.emt3.x86_64.rpm
 python3-rpm-generators-14-11.emt3.noarch.rpm
-python3-setuptools-69.0.3-4.emt3.noarch.rpm
-python3-test-3.12.9-1.emt3.x86_64.rpm
-python3-tools-3.12.9-1.emt3.x86_64.rpm
+python3-setuptools-69.0.3-5.emt3.noarch.rpm
+python3-test-3.12.9-4.emt3.x86_64.rpm
+python3-tools-3.12.9-4.emt3.x86_64.rpm
 python3-wheel-0.43.0-1.emt3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.emt3.x86_64.rpm
 python-wheel-wheel-0.43.0-1.emt3.noarch.rpm
@@ -566,17 +566,17 @@ sed-lang-4.9-1.emt3.x86_64.rpm slang-2.3.3-1.emt3.x86_64.rpm slang-debuginfo-2.3.3-1.emt3.x86_64.rpm slang-devel-2.3.3-1.emt3.x86_64.rpm -sqlite-3.44.0-1.emt3.x86_64.rpm -sqlite-debuginfo-3.44.0-1.emt3.x86_64.rpm -sqlite-devel-3.44.0-1.emt3.x86_64.rpm -sqlite-libs-3.44.0-1.emt3.x86_64.rpm +sqlite-3.44.0-2.emt3.x86_64.rpm +sqlite-debuginfo-3.44.0-2.emt3.x86_64.rpm +sqlite-devel-3.44.0-2.emt3.x86_64.rpm +sqlite-libs-3.44.0-2.emt3.x86_64.rpm swig-4.2.1-1.emt3.x86_64.rpm swig-debuginfo-4.2.1-1.emt3.x86_64.rpm -systemd-bootstrap-250.3-18.emt3.x86_64.rpm -systemd-bootstrap-debuginfo-250.3-18.emt3.x86_64.rpm -systemd-bootstrap-devel-250.3-18.emt3.x86_64.rpm -systemd-bootstrap-libs-250.3-18.emt3.x86_64.rpm -systemd-bootstrap-rpm-macros-250.3-18.emt3.noarch.rpm +systemd-bootstrap-250.3-19.emt3.x86_64.rpm +systemd-bootstrap-debuginfo-250.3-19.emt3.x86_64.rpm +systemd-bootstrap-devel-250.3-19.emt3.x86_64.rpm +systemd-bootstrap-libs-250.3-19.emt3.x86_64.rpm +systemd-bootstrap-rpm-macros-250.3-19.emt3.noarch.rpm tar-1.35-2.emt3.x86_64.rpm tar-debuginfo-1.35-2.emt3.x86_64.rpm tdnf-3.5.8-10.emt3.x86_64.rpm diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py index 1114ce4e51..bf99258b59 100755 --- a/toolkit/scripts/check_entangled_specs.py +++ b/toolkit/scripts/check_entangled_specs.py @@ -136,21 +136,6 @@ ]) ] -# OOT kernel module specs to match the `last-known-kernel` with kernel-headers `version` -oot_kmodule_matching_groups = [ - frozenset([ - "SPECS/fwctl/fwctl.spec", - "SPECS/iser/iser.spec", - "SPECS/isert/isert.spec", - "SPECS/knem/knem.spec", - "SPECS/mft_kernel/mft_kernel.spec", - "SPECS/mlnx-nfsrdma/mlnx-nfsrdma.spec", - "SPECS/mlnx-ofa_kernel/mlnx-ofa_kernel.spec", - "SPECS/srp/srp.spec", - "SPECS/xpmem/xpmem.spec" - ]) -] - def print_verbose(message: str): "Print 'message' to stdout if global variable 'verbose' is true." if verbose: 
@@ -193,8 +178,7 @@ def check_matches(base_path: str): groups_to_check = [({'mstflintver':{}}, mstflintver_matching_groups), ({'sdkver':{}}, sdkver_matching_groups), ({'epoch':{}, 'version':{}, 'release':{}}, version_release_matching_groups), - ({'epoch':{}, 'version':{}}, version_matching_groups), - ({'last-known-kernel' : kernel_version_release}, oot_kmodule_matching_groups)] + ({'epoch':{}, 'version':{}}, version_matching_groups)] check_result = [] for check_args in groups_to_check: diff --git a/toolkit/scripts/check_spec_guidelines.py b/toolkit/scripts/check_spec_guidelines.py index c23e1d1548..9160ee2f6b 100755 --- a/toolkit/scripts/check_spec_guidelines.py +++ b/toolkit/scripts/check_spec_guidelines.py @@ -40,7 +40,7 @@ LICENSE_REGEX = re.compile(r"\b(license verified|verified license)\b", re.IGNORECASE) -VALID_RELEASE_TAG_REGEX = re.compile(r"^[1-9]\d*%\{\?dist\}$") +VALID_RELEASE_TAG_REGEX = re.compile(r"^(%\{release_prefix\})?[1-9]\d*(%\{release_suffix\})?%\{\?dist\}$") VALID_SOURCE_ATTRIBUTIONS_ONE_PER_LINE = "\n".join( f"- {key}: '{value}'" for key, value in VALID_SOURCE_ATTRIBUTIONS.items() @@ -104,11 +104,17 @@ def check_release_tag(spec_path: str): if VALID_RELEASE_TAG_REGEX.match(spec.release) is None: print(f""" -ERROR: invalid 'Release' tag. +ERROR: invalid 'Release' tag '{spec.release}'. Accepted format is: - '[number]%{{?dist}}' (example: 10%{{?dist}}) + '(%{{release_prefix}})?[number](%{{release_suffix}})?%{{?dist}}' + + Examples: + + - 10%{{?dist}} + - %{{release_prefix}}10%{{?dist}} + - 10%{{release_suffix}}%{{?dist}} """) return False diff --git a/toolkit/scripts/generate-osguard-imageconfigs.sh b/toolkit/scripts/generate-osguard-imageconfigs.sh new file mode 100755 index 0000000000..81cdd3189c --- /dev/null +++ b/toolkit/scripts/generate-osguard-imageconfigs.sh 
@@ -0,0 +1,166 @@ +#!/usr/bin/env bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# Generates osguard image configurations by merging base + delta YAML templates. +# This script can be run from any directory - it automatically finds the +# required files based on its own location. +# +# Usage: +# ./generate-osguard-imageconfigs.sh +# ./generate-osguard-imageconfigs.sh test +# test: generate into a temporary directory and compare all configured +# outputs with the committed defaults, failing if they differ +# (ignores the '# Sources:' header). +# +# To add a new output: +# 1) Create a base and delta template under "$TPL_DIR". +# 2) Add a new entry to GEN_JOBS in the form: +# "||" +# Example: +# GEN_JOBS+=("osguard-base.yaml|osguard-myvariant-delta.yaml|osguard-myvariant-amd64.yaml") +# +# Optional env: +# PYTHON - Python executable to use (default: python3) +# +set -euo pipefail + +# This script determines paths based on its own location, making it +# CWD-independent. + +PYTHON_BIN=${PYTHON:-python3} + +# Determine the script's directory and calculate paths relative to it +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +OUT_DIR_DEFAULT="$SCRIPT_DIR/../imageconfigs" +TPL_DIR="$SCRIPT_DIR/../imageconfigs/templates" +MERGE_YAML_PATH="$SCRIPT_DIR/merge_yaml.py" + +# Ensure merge_yaml.py is available +if [[ ! -f "$MERGE_YAML_PATH" ]]; then + echo "Error: merge_yaml.py not found at expected location: $MERGE_YAML_PATH" >&2 + echo "Expected structure: toolkit/scripts/merge_yaml.py" >&2 + exit 2 +fi + +# Validate that the template directory exists +if [[ ! -d "$TPL_DIR" ]]; then + echo "Error: Template directory not found: $TPL_DIR" >&2 + echo "Expected structure: toolkit/imageconfigs/templates/" >&2 + exit 2 +fi + + +# List of generation jobs: +# "||" +# Add new entries here to support additional outputs. 
+GEN_JOBS=( + "osguard-base.yaml|osguard-no-ci-delta.yaml|osguard-amd64.yaml" + "osguard-base.yaml|osguard-ci-delta.yaml|osguard-ci-amd64.yaml" +) + +run_generate() { + local out_dir="$1" + mkdir -p "$out_dir" + echo "Generating osguard configs..." + echo "Output directory: $out_dir" + + local wrote_any=false + local entry base_fn delta_fn out_fn base_path delta_path out_path + for entry in "${GEN_JOBS[@]}"; do + IFS='|' read -r base_fn delta_fn out_fn <<<"$entry" + + if [[ -z "$base_fn" || -z "$delta_fn" || -z "$out_fn" ]]; then + echo "Error: GEN_JOBS entry must be 'base|delta|output', got: '$entry'" >&2 + exit 2 + fi + + # Enforce that base and delta live under TPL_DIR + if [[ "$base_fn" = /* || "$delta_fn" = /* ]]; then + echo "Error: base and delta template filenames must be relative to TPL_DIR ($TPL_DIR). Entry: '$entry'" >&2 + exit 2 + fi + base_path="$TPL_DIR/$base_fn" + delta_path="$TPL_DIR/$delta_fn" + out_path="$out_dir/$out_fn" + + # Validate base exists + if [[ ! -f "$base_path" ]]; then + echo "Error: Base template not found: $base_path (job: $entry)" >&2 + exit 2 + fi + # Warn if delta missing and skip + if [[ ! -f "$delta_path" ]]; then + echo "Warning: Delta template not found, skipping: $delta_path" >&2 + continue + fi + + "$PYTHON_BIN" "$MERGE_YAML_PATH" "$base_path" "$delta_path" -o "$out_path" + echo " Wrote: $out_path" + wrote_any=true + done + + if [[ "$wrote_any" != true ]]; then + echo "Error: No outputs were generated. Check templates list and paths." 
>&2 + exit 3 + fi +} + +run_test() { + echo "Running test: generate into temp dir and compare with defaults (ignoring '# Sources:' header)" + local tmp_out_dir + tmp_out_dir="$(mktemp -d)" + run_generate "$tmp_out_dir" + + local entry base_fn delta_fn out_fn generated_file default_file filt_gen filt_def any_diff=false + for entry in "${GEN_JOBS[@]}"; do + IFS='|' read -r base_fn delta_fn out_fn <<<"$entry" + if [[ -z "$base_fn" || -z "$delta_fn" || -z "$out_fn" ]]; then + echo "Error: GEN_JOBS entry must be 'base|delta|output', got: '$entry'" >&2 + exit 2 + fi + generated_file="$tmp_out_dir/$out_fn" + default_file="$OUT_DIR_DEFAULT/$out_fn" + + if [[ ! -f "$default_file" ]]; then + echo "Warning: Default file to compare not found, skipping: $default_file" >&2 + continue + fi + + echo "Comparing:" + echo " Generated: $generated_file" + echo " Default: $default_file" + + filt_gen="$(mktemp)" + filt_def="$(mktemp)" + grep -v '^# Sources:' "$generated_file" > "$filt_gen" + grep -v '^# Sources:' "$default_file" > "$filt_def" + + if ! diff -u "$filt_gen" "$filt_def"; then + any_diff=true + fi + done + + if [[ "$any_diff" == true ]]; then + echo "Error: One or more generated imageconfigs differ from the committed defaults." >&2 + exit 1 + fi + echo "Success: All generated imageconfigs match the committed defaults." +} + +main() { + case "${1:-}" in + "" ) + run_generate "$OUT_DIR_DEFAULT" + ;; + test|--test ) + run_test + ;; + * ) + echo "Usage: $0 [test]" >&2 + exit 2 + ;; + esac +} + +main "$@" diff --git a/toolkit/scripts/generate-repartd.sh b/toolkit/scripts/generate-repartd.sh new file mode 100755 index 0000000000..4133d7fee5 --- /dev/null +++ b/toolkit/scripts/generate-repartd.sh 
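Review bot: `run_test` only warns and `continue`s when the committed default for a GEN_JOBS entry is missing, so the drift check can print "Success" without having compared that output at all; for a check meant to catch uncommitted or stale imageconfigs this should count as a failure, e.g. print an `Error:` line and use `any_diff=true; continue` in that branch. The mirror case is also unhandled: when `run_generate` skipped a job because its delta template was missing, `generated_file` does not exist and the `grep -v '^# Sources:'` on it aborts the script under `set -e` with no message naming the job. The temporary output directory and the two `mktemp` files created per job are never removed; creating the filtered files inside the temporary directory and deleting that directory when the test finishes would keep repeated runs from leaving files behind.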
@@ -0,0 +1,65 @@ +#!/bin/bash +# Regenerate files/repart.d/* based on the disks section of the osguard config.yaml +# Requires: yq (https://github.com/mikefarah/yq) + +set -euo pipefail + +CONFIG="$(dirname "$0")/../imageconfigs/osguard-amd64.yaml" +REPART_DIR="$(dirname "$0")/../imageconfigs/files/osguard/repart.d" + +mkdir -p "$REPART_DIR" +rm -f "$REPART_DIR"/*.conf + +emit_partition() { + local num="$1" part="$2" type="$3" label="$4" size="$5" + type_out="$type" + + # Ensure label is never null + if [[ -z "$label" || "$label" == "null" ]]; then + label="$part" + fi + + if [[ "$part" =~ ^root-(a|b)$ ]]; then + cat > "$REPART_DIR/$(printf '%02d' $num)-${part}.conf" < "$REPART_DIR/$(printf '%02d' $num)-${part}.conf" < Any: + """Recursively merge delta into base and return the merged structure. + + Rules: + - If both values are dict-like: merge keys recursively. + - If both values are list-like: append (concatenate) delta items to base. + - Otherwise: return delta (override). + + This function does not mutate the input objects; it constructs and returns + a merged copy. + """ + + # Mapping -> Mapping: recursive merge + if isinstance(base, dict) and isinstance(delta, dict): + result: MutableMapping[str, Any] = {} + # Start with base keys to preserve base ordering where possible + for k in base: + result[k] = base[k] + for k, v in delta.items(): + if k in result: + result[k] = deep_merge(result[k], v) + else: + result[k] = v + return result + + # Sequence (list) -> Sequence: append (concatenate) + if isinstance(base, list) and isinstance(delta, list): + return list(base) + list(delta) + + # Fallback: override with delta + return delta + + +def _load_yaml(path: str) -> Any: + if yaml is None: + sys.stderr.write( + "PyYAML is required. 
Install with: pip install pyyaml\n" + ) + with io.open(path, "r", encoding="utf-8") as f: + try: + return yaml.safe_load(f) if yaml else None + except Exception as e: + raise SystemExit(f"Failed to parse YAML '{path}': {e}") + + +def _dump_yaml(data: Any, path: str | None, header: str | None = None) -> None: + if yaml is None: + sys.stderr.write( + "PyYAML is required. Install with: pip install pyyaml\n" + ) + # If PyYAML missing, fall back to printing Python repr to help debugging + if path in (None, "-"): + if header: + print(header) + if not header.endswith("\n"): + print() + else: + # Ensure a blank line after header for readability + print() + print(repr(data)) + return + with io.open(path, "w", encoding="utf-8") as f: + if header: + f.write(header) + if not header.endswith("\n"): + f.write("\n") + f.write("\n") + f.write(repr(data)) + return + + out_stream = sys.stdout if path in (None, "-") else io.open(path, "w", encoding="utf-8") + close_stream = path not in (None, "-") + try: + if header: + out_stream.write(header) + if not header.endswith("\n"): + out_stream.write("\n") + out_stream.write("\n") + yaml.safe_dump( + data, + out_stream, # type: ignore[arg-type] + default_flow_style=False, + sort_keys=False, + allow_unicode=True, + indent=2, + ) + finally: + if close_stream: + out_stream.close() # type: ignore[union-attr] + + +def parse_args(argv: Sequence[str]) -> argparse.Namespace: + p = argparse.ArgumentParser(description="Deep-merge two YAML files") + p.add_argument("base", help="Path to base YAML file") + p.add_argument("delta", help="Path to delta YAML file to apply on top of base") + p.add_argument( + "-o", + "--output", + help="Output YAML file path (default: stdout)", + default="-", + ) + return p.parse_args(argv) + + +def main(argv: Sequence[str] | None = None) -> int: + ns = parse_args(sys.argv[1:] if argv is None else argv) + + base_data = _load_yaml(ns.base) + delta_data = _load_yaml(ns.delta) + + merged = deep_merge(base_data, delta_data) + + 
# Compute header paths relative to the output file location when possible + if ns.output not in (None, "-"): + out_dir = os.path.dirname(os.path.abspath(ns.output)) or "." + base_path = os.path.relpath(os.path.abspath(ns.base), start=out_dir) + delta_path = os.path.relpath(os.path.abspath(ns.delta), start=out_dir) + else: + base_path = ns.base + delta_path = ns.delta + + header = ( + "# This file was automatically generated by merge_yaml.py\n" + f"# Sources: base={base_path} delta={delta_path}" + ) + _dump_yaml(merged, ns.output, header=header) + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/toolkit/scripts/precache.mk b/toolkit/scripts/precache.mk index 0f9cedf88a..b69485887e 100644 --- a/toolkit/scripts/precache.mk +++ b/toolkit/scripts/precache.mk @@ -49,6 +49,7 @@ $(STATUS_FLAGS_DIR)/precache.flag: $(go-precacher) $(chroot_worker) $(PRECACHER_ $(if $(filter y,$(ENABLE_CPU_PROFILE)),--enable-cpu-prof) \ $(if $(filter y,$(ENABLE_MEM_PROFILE)),--enable-mem-prof) \ $(if $(filter y,$(ENABLE_TRACE)),--enable-trace) \ + $(if $(filter y,$(PRECACHER_NON_FATAL)),--non-fatal-mode) \ --timestamp-file=$(TIMESTAMP_DIR)/precacher.jsonl && \ if [ ! -f $@ ] || [ -s "$(precache_downloaded_files)" ]; then \ touch $@; \ diff --git a/toolkit/scripts/tests/test_merge_yaml.py b/toolkit/scripts/tests/test_merge_yaml.py new file mode 100644 index 0000000000..d139923205 --- /dev/null +++ b/toolkit/scripts/tests/test_merge_yaml.py 
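Review bot: When PyYAML cannot be imported, `_load_yaml` only writes a message to stderr and returns `None`, and `_dump_yaml` then writes `repr(data)` to the output path, so `main` returns 0 after replacing the target file with the generated header followed by the text `None`. Because generate-osguard-imageconfigs.sh points `-o` at the committed imageconfigs directory, a missing dependency should stop the run rather than overwrite a config: in `_load_yaml` use `raise SystemExit("PyYAML is required. Install with: pip install pyyaml")` when `yaml is None`, and remove the `repr` fallback branch from `_dump_yaml`. The beginning of this file's hunk (the imports and the start of `deep_merge`) is not readable in this view, so the import guard is inferred from the `yaml is None` checks.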
@@ -0,0 +1,39 @@ +#!/usr/bin/env python3 +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +import os +import sys +import unittest + +# Ensure the scripts directory is on sys.path so we can import merge_yaml +CURRENT_DIR = os.path.dirname(__file__) +SCRIPTS_DIR = os.path.abspath(os.path.join(CURRENT_DIR, "..")) +if SCRIPTS_DIR not in sys.path: + sys.path.insert(0, SCRIPTS_DIR) + +from merge_yaml import deep_merge + + +class TestDeepMerge(unittest.TestCase): + def test_merge_scalars(self): + self.assertEqual(deep_merge(1, 2), 2) + self.assertEqual(deep_merge("a", "b"), "b") + + def test_merge_lists_append(self): + self.assertEqual(deep_merge([1, 2], [3, 4]), [1, 2, 3, 4]) + self.assertEqual(deep_merge([], [1]), [1]) + + def test_merge_dicts_recursive(self): + base = {"a": 1, "b": {"x": 1, "y": 2}, "c": [1, 2]} + delta = {"b": {"y": 3, "z": 4}, "c": [3], "d": 5} + expected = {"a": 1, "b": {"x": 1, "y": 3, "z": 4}, "c": [1, 2, 3], "d": 5} + self.assertEqual(deep_merge(base, delta), expected) + + def test_merge_mismatched_types(self): + self.assertEqual(deep_merge({"a": 1}, [1, 2]), [1, 2]) + self.assertEqual(deep_merge([1, 2], {"a": 1}), {"a": 1}) + + +if __name__ == "__main__": + unittest.main() diff --git a/toolkit/tools/internal/azureblobstorage/azureblobstorage.go b/toolkit/tools/internal/azureblobstorage/azureblobstorage.go index 4959a4698e..edfc8bfd69 100644 --- a/toolkit/tools/internal/azureblobstorage/azureblobstorage.go +++ b/toolkit/tools/internal/azureblobstorage/azureblobstorage.go @@ -19,7 +19,7 @@ import ( const ( AnonymousAccess = 0 ServicePrincipalAccess = 1 - ManagedIdentityAccess = 2 + AzureCLIAccess = 2 ) type AzureBlobStorage struct { 
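Review bot: No case passes `None` to `deep_merge`, although `main()` in merge_yaml.py hands it the result of `yaml.safe_load`, which is `None` for an empty file. A case such as `self.assertEqual(deep_merge(None, {"a": 1}), {"a": 1})` would pin that behaviour; the expected value is an assumption, since `deep_merge` itself is outside this view. `test_merge_dicts_recursive` could also assert that `base` is unchanged after the call, so a merge that mutates its input is caught.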
@@ -36,13 +36,13 @@ func (abs *AzureBlobStorage) Upload( localFile, err := os.OpenFile(localFileName, os.O_RDONLY, 0) if err != nil { - return fmt.Errorf("Failed to open local file for upload:\n%w", err) + return fmt.Errorf("failed to open local file for upload:\n%w", err) } defer localFile.Close() _, err = abs.theClient.UploadFile(ctx, containerName, blobName, localFile, nil) if err != nil { - return fmt.Errorf("Failed to upload local file to blob:\n%w", err) + return fmt.Errorf("failed to upload local file to blob:\n%w", err) } uploadEndTime := time.Now() @@ -80,7 +80,7 @@ func (abs *AzureBlobStorage) Download( _, err = abs.theClient.DownloadFile(ctx, containerName, blobName, localFile, nil) if err != nil { - return fmt.Errorf("Failed to download blob to local file:\n%w", err) + return fmt.Errorf("failed to download blob to local file:\n%w", err) } downloadEndTime := time.Now() @@ -97,7 +97,7 @@ func (abs *AzureBlobStorage) Delete( deleteStartTime := time.Now() _, err = abs.theClient.DeleteBlob(ctx, containerName, blobName, nil) if err != nil { - return fmt.Errorf("Failed to delete blob:\n%w", err) + return fmt.Errorf("failed to delete blob:\n%w", err) } deleteEndTime := time.Now() logger.Log.Infof(" delete time: %v", deleteEndTime.Sub(deleteStartTime)) 
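Review bot: The reworded messages still embed a newline before `%w` (for example `"failed to open local file for upload:\n%w"`), so each wrapped error spans two lines and one failure is split across records in line-oriented log collection. A single-line form such as `"opening local file for upload: %w"` keeps the chain on one line. The same applies to the Download and Delete hunks and to the messages in `Create`. The bodies of Upload, Download and Delete start and end outside these hunks.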
@@ -106,49 +106,45 @@ func (abs *AzureBlobStorage) Delete( } func Create(tenantId string, userName string, password string, storageAccount string, authenticationType int) (abs *AzureBlobStorage, err error) { - url := "https://" + storageAccount + ".blob.core.windows.net/" abs = &AzureBlobStorage{} - if authenticationType == AnonymousAccess { - + switch authenticationType { + case AnonymousAccess: abs.theClient, err = azblob.NewClientWithNoCredential(url, nil) if err != nil { - return nil, fmt.Errorf("Unable to init azure blob storage read-only client:\n%w", err) + return nil, fmt.Errorf("unable to init azure blob storage read-only client:\n%w", err) } return abs, nil - } else if authenticationType == ServicePrincipalAccess { - + case ServicePrincipalAccess: credential, err := azidentity.NewClientSecretCredential(tenantId, userName, password, nil) if err != nil { - return nil, fmt.Errorf("Unable to init azure service principal identity:\n%w", err) + return nil, fmt.Errorf("unable to init azure service principal identity:\n%w", err) } abs.theClient, err = azblob.NewClient(url, credential, nil) if err != nil { - return nil, fmt.Errorf("Unable to init azure blob storage read-write client:\n%w", err) + return nil, fmt.Errorf("unable to init azure blob storage read-write client:\n%w", err) } return abs, nil - } else if authenticationType == ManagedIdentityAccess { - - credential, err := azidentity.NewDefaultAzureCredential(nil) + case AzureCLIAccess: + credential, err := azidentity.NewAzureCLICredential(nil) if err != nil { - return nil, fmt.Errorf("Unable to init azure managed identity:\n%w", err) + return nil, fmt.Errorf("unable to init azure managed identity:\n%w", err) } abs.theClient, err = azblob.NewClient(url, credential, nil) if err != nil { - return nil, fmt.Errorf("Unable to init azure blob storage read-write client:\n%w", err) + return nil, fmt.Errorf("unable to init azure blob storage read-write client:\n%w", err) } return abs, nil - } - return nil, 
errors.New("Unknown authentication type.") + return nil, errors.New("unknown authentication type") } diff --git a/toolkit/tools/internal/ccachemanager/ccachemanager.go b/toolkit/tools/internal/ccachemanager/ccachemanager.go index fe93abb312..3b2a7899be 100644 --- a/toolkit/tools/internal/ccachemanager/ccachemanager.go +++ b/toolkit/tools/internal/ccachemanager/ccachemanager.go @@ -454,7 +454,7 @@ func CreateManager(rootDir string, configFileName string) (m *CCacheManager, err logger.Log.Infof(" creating blob storage client...") accessType := azureblobstorage.AnonymousAccess if configuration.RemoteStoreConfig.UploadEnabled { - accessType = azureblobstorage.ManagedIdentityAccess + accessType = azureblobstorage.AzureCLIAccess } azureBlobStorage, err := azureblobstorage.Create(configuration.RemoteStoreConfig.TenantId, configuration.RemoteStoreConfig.UserName, configuration.RemoteStoreConfig.Password, configuration.RemoteStoreConfig.StorageAccount, accessType) diff --git a/toolkit/tools/internal/network/network.go b/toolkit/tools/internal/network/network.go index 9a0df5733f..1ec26d5d7e 100644 --- a/toolkit/tools/internal/network/network.go +++ b/toolkit/tools/internal/network/network.go @@ -23,7 +23,7 @@ import ( const ( // Default upper bound on a single network operation, across all retries. - DefaultTimeout = time.Minute * 10 + DefaultTimeout = time.Minute * 20 ) // ErrDownloadFileInvalidResponse404 is returned when the download response is 404. diff --git a/toolkit/tools/precacher/precacher.go b/toolkit/tools/precacher/precacher.go index b74ce3a92e..49fde6edf8 100644 --- a/toolkit/tools/precacher/precacher.go +++ b/toolkit/tools/precacher/precacher.go 
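Review bot: The `AzureCLIAccess` case still reports `unable to init azure managed identity` when `NewAzureCLICredential` fails; it should read `return nil, fmt.Errorf("unable to init azure CLI credential:\n%w", err)`. Replacing `NewDefaultAzureCredential` with the CLI credential also drops the environment, workload-identity and managed-identity sources. Upload, which ccachemanager.go selects when `UploadEnabled` is set, therefore depends on an existing `az login` session on the build host and runs with that account's rights. A doc comment on the constant should state this, e.g. `// AzureCLIAccess authenticates with the token of the account logged in through the Azure CLI.`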
@@ -62,6 +62,7 @@ var ( buildDir = app.Flag("worker-dir", "Directory to store chroot while running repo query.").Required().String() concurrentNetOps = app.Flag("concurrent-net-ops", "Number of concurrent network operations to perform.").Default(defaultNetOpsCount).Uint() + nonFatalMode = app.Flag("non-fatal-mode", "Run in non-fatal mode, where errors are logged but do not cause the program to exit with a non-zero code.").Bool() ) func main() { @@ -80,13 +81,23 @@ func main() { rpmSnapshot, err := rpmSnapshotFromFile(*snapshot) if err != nil { - logger.PanicOnError(err) + if *nonFatalMode { + logger.Log.Errorf("%s", err) + return + } else { + logger.FatalOnError(err) + } } for _, url := range *repoUrls { singleRepo := []string{url} packagesAvailableFromRepos, err := repoutils.GetAllRepoData(singleRepo, *repoFiles, *workerTar, *buildDir, *repoUrlsFile) if err != nil { - logger.PanicOnError(err) + if *nonFatalMode { + logger.Log.Errorf("%s", err) + return + } else { + logger.FatalOnError(err) + } } logger.Log.Infof("Found %d available packages", len(packagesAvailableFromRepos)) @@ -98,13 +109,22 @@ func main() { downloadedPackages, err := downloadMissingPackages(rpmSnapshot, packagesAvailableFromRepos, *outDir, *concurrentNetOps) if err != nil { - logger.PanicOnError(err) + logger.Log.Warnf("Package download failed") + logger.Log.Warnf("Missing package download failed: %s", err) + // reset the error to nil so we can still write the summary file + // packages which are not able to be downloaded are not considered a failure of the tool, just a failure to download some packages + err = nil } logger.Log.Infof("Downloaded %d packages into the cache", len(downloadedPackages)) err = writeSummaryFile(*outputSummaryFile, downloadedPackages) if err != nil { - logger.PanicOnError(err) + if *nonFatalMode { + logger.Log.Errorf("%s", err) + return + } else { + logger.FatalOnError(err) + } } } }
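Review bot: Inside the `for _, url := range *repoUrls` loop, the added `return` abandons every remaining repo URL on the first `GetAllRepoData` failure; `continue` may be what non-fatal mode intends. The same `if *nonFatalMode { … return } else { … }` block is also added three times (after `rpmSnapshotFromFile`, after `GetAllRepoData`, and after `writeSummaryFile` in the next hunk), so a small helper would keep the sites in step. The `else` after `return` is unnecessary. main's body starts outside the hunk.

```go
// stopOnError logs err and reports true in non-fatal mode; otherwise it exits through FatalOnError.
func stopOnError(err error) bool {
	if err == nil {
		return false
	}
	if *nonFatalMode {
		logger.Log.Errorf("%s", err)
		return true
	}
	logger.FatalOnError(err)
	return true
}

// … unchanged: flag parsing and logger setup in main …
	rpmSnapshot, err := rpmSnapshotFromFile(*snapshot)
	if stopOnError(err) {
		return
	}
```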
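Review bot: The `downloadMissingPackages` failure branch discards `err` whether or not `--non-fatal-mode` is set, so a default run that used to stop in `PanicOnError` now exits 0 with a partial cache and a summary file listing only what was fetched. The flag's help text does not suggest this. If it is intended, say so in the flag description; otherwise gate it with `if !*nonFatalMode { logger.FatalOnError(err) }`. The two `Warnf` calls report the same failure and can be merged into one. `err = nil` has no effect because `err` is reassigned by `writeSummaryFile` a few lines below.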