From 9c611011c43efa11714b55fa14640e75faea3605 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Mon, 9 Sep 2013 14:58:21 +0300
Subject: [PATCH] - fix build-time double-free on file capability processing (#956190)

- fix relocation related regression on file sanity check (#1001553)
- fix segfault on empty -p scriptlet body (#1004062)
- fix source url, once again
---
 rpm-4.11.1-caps-double-free.patch | 19 +++++++++++++++++++
 rpm-4.11.1-empty-lua-script.patch | 23 +++++++++++++++++++++++
 rpm-4.11.1-file-triplet-check.patch | 27 +++++++++++++++++++++++++++
 rpm.spec | 16 ++++++++++++++--
 4 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 rpm-4.11.1-caps-double-free.patch
 create mode 100644 rpm-4.11.1-empty-lua-script.patch
 create mode 100644 rpm-4.11.1-file-triplet-check.patch

diff --git a/rpm-4.11.1-caps-double-free.patch b/rpm-4.11.1-caps-double-free.patch
new file mode 100644
index 0000000..e5d9051
--- /dev/null
+++ b/rpm-4.11.1-caps-double-free.patch
@@ -0,0 +1,19 @@
+commit 65eec62cb7796dad6fbf1d5436251e176449f522
+Author: Panu Matilainen
+Date: Thu Aug 29 16:32:32 2013 +0300
+
+ Fix double-free on %caps() wildcard %files entry (RhBug:956190)
+
+diff --git a/build/files.c b/build/files.c
+index 20f452f..eed5696 100644
+--- a/build/files.c
++++ b/build/files.c
+@@ -1448,7 +1448,7 @@ static rpmRC addFile(FileList fl, const char * diskPath,
+ }
+
+ if (fl->cur.caps) {
+- flp->caps = fl->cur.caps;
++ flp->caps = xstrdup(fl->cur.caps);
+ } else {
+ flp->caps = xstrdup("");
+ }
diff --git a/rpm-4.11.1-empty-lua-script.patch b/rpm-4.11.1-empty-lua-script.patch
new file mode 100644
index 0000000..2c4a590
--- /dev/null
+++ b/rpm-4.11.1-empty-lua-script.patch
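Review bot: The ownership rule that this one-line fix restores is not recorded anywhere in the code, so a later refactor could reintroduce the aliasing that the `xstrdup` removes; add a comment above the `if`, e.g. `/* flp owns its caps string: fl->cur.caps is shared by every file a wildcard %files entry expands to, so copy it rather than alias it (RhBug:956190) */`. With both branches now allocating, the per-entry release path may free flp->caps unconditionally, which is the invariant the comment should state. addFile() and the place where fl->cur.caps itself is released lie outside the hunk, so whether that release still assumes a single owner cannot be confirmed from here.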
@@ -0,0 +1,23 @@
+commit 5f3598a700e8e028f9140682262869ca319597ee
+Author: Panu Matilainen
+Date: Fri Sep 6 16:31:25 2013 +0300
+
+ Fix segfault executing a -p scriptlet without a body (RhBug:1004062)
+
+ - There are any number of places where this could be fixed, but
+ to keep the behavior similar to eg /bin/sh scriptlet without a body,
+ just turn a non-existent script into an empty string.
+
+diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
+index 0576318..921cc37 100644
+--- a/rpmio/rpmlua.c
++++ b/rpmio/rpmlua.c
+@@ -526,6 +526,8 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
+ int ret = 0;
+ if (name == NULL)
+ name = "";
++ if (script == NULL)
++ script = "";
+ if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
+ rpmlog(RPMLOG_ERR, _("invalid syntax in lua script: %s\n"),
+ lua_tostring(L, -1));
diff --git a/rpm-4.11.1-file-triplet-check.patch b/rpm-4.11.1-file-triplet-check.patch
new file mode 100644
index 0000000..10c5dcc
--- /dev/null
+++ b/rpm-4.11.1-file-triplet-check.patch
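Review bot: The new `script == NULL` guard silently turns a missing scriptlet body into a successful no-op run, and nothing in the code says this is deliberate rather than a masked caller bug; add a comment on the guard such as `/* a -p scriptlet without a body arrives as NULL; run it as an empty chunk, matching an empty /bin/sh scriptlet (RhBug:1004062) */`. The guard sits correctly before the `strlen(script)` in the luaL_loadbuffer call, which is the visible place a NULL would be dereferenced. rpmluaRunScript() continues outside the hunk, so any later use of `script` (for logging, say) is not visible here.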
@@ -0,0 +1,27 @@
+commit 65c7cc17664358051f0358de272e616dd88ab624
+Author: Panu Matilainen
+Date: Tue Aug 27 15:15:40 2013 +0300
+
+ Relax the filename triplet sanity check a bit (RhBug:1001553)
+
+ - At least unowned directories can cause orphans to be left around
+ in RPMTAG_DIRNAMES, in which case its possible for number of
+ dirnames to be larger than the number of basenames. This is
+ arguably a bug in the relocation code but doesn't seem worth
+ the trouble... so just relax the check to simply permit non-empty
+ dirnames array, the index bound checking is far more important.
+
+diff --git a/lib/rpmfi.c b/lib/rpmfi.c
+index 30663d0..00506ce 100644
+--- a/lib/rpmfi.c
++++ b/lib/rpmfi.c
+@@ -1128,7 +1128,8 @@ static int indexSane(rpmtd xd, rpmtd yd, rpmtd zd)
+ uint32_t zc = rpmtdCount(zd);
+
+ /* check that the amount of data in each is sane */
+- if (xc > 0 && yc > 0 && yc <= xc && zc == xc) {
++ /* normally yc <= xc but larger values are not fatal (RhBug:1001553) */
++ if (xc > 0 && yc > 0 && zc == xc) {
+ uint32_t * i;
+ /* ...and that the indexes are within bounds */
+ while ((i = rpmtdNextUint32(zd))) {
diff --git a/rpm.spec b/rpm.spec
index 1fd9007..e9f2333 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -21,10 +21,10 @@ Summary: The RPM package management system
Name: rpm
Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}6%{?dist}
+Release: %{?snapver:0.%{snapver}.}7%{?dist}
Group: System Environment/Base
Url: http://www.rpm.org/
-Source0: http://rpm.org/releases/testing/%{name}-%{srcver}.tar.bz2
+Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
%if %{with int_bdb}
Source1: db-%{bdbver}.tar.gz
%else
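Review bot: Dropping `yc <= xc` means the dirnames array is no longer cross-checked against the basenames count, so the only thing keeping a dirindex from reading past RPMTAG_DIRNAMES is the per-entry comparison inside the `while` loop, whose body lies outside the hunk; that comparison has to be against `yc` (the dirnames count), not `xc`, for the relaxed check to remain safe, and is worth confirming on the lines that follow. The new comment would then carry the reason rather than only the exception, e.g. `/* dirnames may outnumber basenames (orphans left behind by relocation, RhBug:1001553); the dirindex < yc check below is what keeps lookups in bounds */`. If this check also runs on headers read from untrusted packages, the relaxed form still rejects empty arrays and a basenames/dirindexes count mismatch, which is the part that matters for bounds safety.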
@@ -50,6 +50,9 @@ Patch6: rpm-4.9.0-armhfp-logic.patch
Patch100: rpm-4.11.x-filter-soname-deps.patch
Patch101: rpm-4.11.1-instprefix.patch
Patch102: rpm-4.11.x-do-not-filter-ld64.patch
+Patch103: rpm-4.11.1-file-triplet-check.patch
+Patch104: rpm-4.11.1-caps-double-free.patch
+Patch105: rpm-4.11.1-empty-lua-script.patch
# These are not yet upstream
Patch301: rpm-4.6.0-niagara.patch
@@ -251,6 +254,9 @@ packages on a system.
%patch100 -p1 -b .filter-soname-deps
%patch101 -p1 -b .instprefix
%patch102 -p1 -b .dont-filter-ld64
+%patch103 -p1 -b .file-triplet-check
+%patch104 -p1 -b .caps-double-free
+%patch105 -p1 -b .empty-lua-script
%patch301 -p1 -b .niagara
%patch302 -p1 -b .geode
@@ -507,6 +513,12 @@ exit 0
%doc COPYING doc/librpm/html/*
%changelog
+* Mon Sep 09 2013 Matilainen - 4.11.1-7
+- fix build-time double-free on file capability processing (#956190)
+- fix relocation related regression on file sanity check (#1001553)
+- fix segfault on empty -p scriptlet body (#1004062)
+- fix source url, once again
+
* Wed Aug 21 2013 Panu Matilainen - 4.11.1-6
- add python3 sub-package, based on patch by Bohuslav Kabrda