- Fix references to go sources in debuginfo packages

- resolves: #1184221

.gitignore

@@ -10,3 +10,5 @@
 /rpm-4.11.1-rc1.tar.bz2
 /rpm-4.11.1-rc2.tar.bz2
 /rpm-4.11.1.tar.bz2
+/rpm-4.11.2.tar.bz2
+/rpm-4.11.3.tar.bz2

rpm-4.11.0.1-setuppy-fixes.patch

@@ -1,61 +0,0 @@
---- rpm-4.11.0.1/python/setup.py.in.setuppy-fixes	2012-11-07 13:55:24.000000000 +0100
-+++ rpm-4.11.0.1/python/setup.py.in	2013-04-03 14:16:48.149931703 +0200
-@@ -1,13 +1,19 @@
- #!/usr/bin/env python
- 
- from distutils.core import setup, Extension
-+import os
- import subprocess
- from glob import glob
- 
- def pkgconfig(what):
-     out = []
-     cmd = 'pkg-config %s %s' % (what, '@PACKAGE_NAME@')
--    pcout = subprocess.check_output(cmd.split()).decode()
-+    env = dict(os.environ, **{'PKG_CONFIG_PATH': '..'})
-+    proc = subprocess.Popen(cmd.split(),
-+                            stdout=subprocess.PIPE,
-+                            stderr=subprocess.PIPE,
-+                            env=env)
-+    pcout = proc.communicate()[0].decode()
-     for token in pcout.split():
-         out.append(token[2:])
-     return out
-@@ -18,7 +24,8 @@
-         srcs.extend(glob('%s*.c' % n))
-     return srcs
- 
--cflags = ['-std=c99']
-+cflags = ['-std=c99', '-I../include']
-+additional_link_args = ['-Wl,-L../rpmio/.libs', '-Wl,-L../lib/.libs', '-Wl,-L../build/.libs', '-Wl,-L../sign/.libs']
- 
- rpmmod = Extension('rpm._rpm',
-                    sources = mksources([
-@@ -28,21 +35,24 @@
-                              ]),
-                    include_dirs = pkgconfig('--cflags'),
-                    libraries = pkgconfig('--libs'),
--                   extra_compile_args = cflags
-+                   extra_compile_args = cflags,
-+                   extra_link_args = additional_link_args
-                   )
- 
- rpmbuild_mod = Extension('rpm._rpmb',
-                    sources = mksources(['rpmbmodule', 'spec']),
-                    include_dirs = pkgconfig('--cflags'),
-                    libraries = pkgconfig('--libs') + ['rpmbuild'],
--                   extra_compile_args = cflags
-+                   extra_compile_args = cflags,
-+                   extra_link_args = additional_link_args
-                   )
- 
- rpmsign_mod = Extension('rpm._rpms',
-                    sources = mksources(['rpmbmodule']),
-                    include_dirs = pkgconfig('--cflags'),
-                    libraries = pkgconfig('--libs') + ['rpmsign'],
--                   extra_compile_args = cflags
-+                   extra_compile_args = cflags,
-+                   extra_link_args = additional_link_args
-                   )
- 
- setup(name='@PACKAGE_NAME@-python',

rpm-4.11.1-caps-double-free.patch

@@ -1,19 +0,0 @@
-commit 65eec62cb7796dad6fbf1d5436251e176449f522
-Author: Panu Matilainen <pmatilai@redhat.com>
-Date:   Thu Aug 29 16:32:32 2013 +0300
-
-    Fix double-free on %caps() wildcard %files entry (RhBug:956190)
-
-diff --git a/build/files.c b/build/files.c
-index 20f452f..eed5696 100644
---- a/build/files.c
-+++ b/build/files.c
-@@ -1448,7 +1448,7 @@ static rpmRC addFile(FileList fl, const char * diskPath,
- 	}
- 
- 	if (fl->cur.caps) {
--	    flp->caps = fl->cur.caps;
-+	    flp->caps = xstrdup(fl->cur.caps);
- 	} else {
- 	    flp->caps = xstrdup("");
- 	}

rpm-4.11.1-empty-lua-script.patch

@@ -1,23 +0,0 @@
-commit 5f3598a700e8e028f9140682262869ca319597ee
-Author: Panu Matilainen <pmatilai@redhat.com>
-Date:   Fri Sep 6 16:31:25 2013 +0300
-
-    Fix segfault executing a -p <lua> scriptlet without a body (RhBug:1004062)
-    
-    - There are any number of places where this could be fixed, but
-      to keep the behavior similar to eg /bin/sh scriptlet without a body,
-      just turn a non-existent script into an empty string.
-
-diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
-index 0576318..921cc37 100644
---- a/rpmio/rpmlua.c
-+++ b/rpmio/rpmlua.c
-@@ -526,6 +526,8 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
-     int ret = 0;
-     if (name == NULL)
- 	name = "<lua>";
-+    if (script == NULL)
-+	script = "";
-     if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
- 	rpmlog(RPMLOG_ERR, _("invalid syntax in lua script: %s\n"),
- 		 lua_tostring(L, -1));

rpm-4.11.1-file-triplet-check.patch

@@ -1,27 +0,0 @@
-commit 65c7cc17664358051f0358de272e616dd88ab624
-Author: Panu Matilainen <pmatilai@redhat.com>
-Date:   Tue Aug 27 15:15:40 2013 +0300
-
-    Relax the filename triplet sanity check a bit (RhBug:1001553)
-    
-    - At least unowned directories can cause orphans to be left around
-      in RPMTAG_DIRNAMES, in which case its possible for number of
-      dirnames to be larger than the number of basenames. This is
-      arguably a bug in the relocation code but doesn't seem worth
-      the trouble... so just relax the check to simply permit non-empty
-      dirnames array, the index bound checking is far more important.
-
-diff --git a/lib/rpmfi.c b/lib/rpmfi.c
-index 30663d0..00506ce 100644
---- a/lib/rpmfi.c
-+++ b/lib/rpmfi.c
-@@ -1128,7 +1128,8 @@ static int indexSane(rpmtd xd, rpmtd yd, rpmtd zd)
-     uint32_t zc = rpmtdCount(zd);
- 
-     /* check that the amount of data in each is sane */
--    if (xc > 0 && yc > 0 && yc <= xc && zc == xc) {
-+    /* normally yc <= xc but larger values are not fatal (RhBug:1001553) */
-+    if (xc > 0 && yc > 0 && zc == xc) {
- 	uint32_t * i;
- 	/* ...and that the indexes are within bounds */
- 	while ((i = rpmtdNextUint32(zd))) {

rpm-4.11.1-instprefix.patch

@@ -1,55 +0,0 @@
-commit 1ac9e84d9a4a04df7c8f659a8df676fc4f8544f0
-Author: Panu Matilainen <pmatilai@redhat.com>
-Date:   Fri Jul 5 10:27:18 2013 +0300
-
-    Ensure relocatable packages always get install-prefix(es) set (RhBug:979443)
-    
-    - Scriptlets from relocatable packages should always run with
-      $RPM_INSTALL_PREFIX* defined, whether actually being relocated or not.
-    - Fixes regression introduced by the optimization in commit
-      5d3018c4ed476b1b7ac18e2573af517f872cb303. We always need to call
-      addPrefixes() but return early from rpmRelocateFileList() when
-      no relocations are taking place, fixing the performance regression
-      introduced all the way back in cb8241dda783f7e8c143b08fecf57fe89a39c3a6
-      which is what 5d3018c4ed476b1b7ac18e2573af517f872cb303 was trying
-      to fix. Pooh :)
-    
-    (cherry picked from commit 88d24b14a8e0e33e768cb74a3487acf0925b012a)
-
-diff --git a/lib/rpmfi.c b/lib/rpmfi.c
-index 0bfb5dd..185deae 100644
---- a/lib/rpmfi.c
-+++ b/lib/rpmfi.c
-@@ -793,7 +793,8 @@ static int addPrefixes(Header h, rpmRelocation *relocations, int numRelocations)
- 	headerPutStringArray(h, RPMTAG_INSTPREFIXES, actualRelocations, numActual);
-     }
-     free(actualRelocations);
--    return numActual;
-+    /* When any relocations are present there'll be more work to do */
-+    return 1;
- }
- 
- static void saveRelocs(Header h, rpmtd bnames, rpmtd dnames, rpmtd dindexes)
-@@ -835,7 +836,8 @@ void rpmRelocateFileList(rpmRelocation *relocations, int numRelocations,
-     int i, j;
-     struct rpmtd_s bnames, dnames, dindexes, fmodes;
- 
--    addPrefixes(h, relocations, numRelocations);
-+    if (!addPrefixes(h, relocations, numRelocations))
-+	return;
- 
-     if (!_printed) {
- 	_printed = 1;
-diff --git a/lib/rpmte.c b/lib/rpmte.c
-index 6afd69e..87fb391 100644
---- a/lib/rpmte.c
-+++ b/lib/rpmte.c
-@@ -98,7 +98,7 @@ static rpmfi getFI(rpmte p, Header h)
- 				      (RPMFI_NOHEADER | RPMFI_FLAGS_ERASE);
- 
-     /* relocate stuff in header if necessary */
--    if (rpmteType(p) == TR_ADDED && rpmfsFC(p->fs) > 0 && p->nrelocs) {
-+    if (rpmteType(p) == TR_ADDED && rpmfsFC(p->fs) > 0) {
- 	if (!headerIsSource(h) && !headerIsEntry(h, RPMTAG_ORIGBASENAMES)) {
- 	    rpmRelocateFileList(p->relocs, p->nrelocs, p->fs, h);
- 	}

rpm-4.11.1-sepdebugcrcfix.patch

@@ -11,84 +11,6 @@
  endif
  endif
  
---- rpm-4.11.1-rc1-orig/Makefile.in	2013-06-10 08:38:51.000000000 +0200
-+++ rpm-4.11.1-rc1/Makefile.in	2013-06-24 18:34:06.342894002 +0200
-@@ -74,7 +74,8 @@ bin_PROGRAMS = rpm2cpio$(EXEEXT) rpmbuil
- 	rpmgraph$(EXEEXT)
- rpmlibexec_PROGRAMS = $(am__EXEEXT_1) rpmdeps$(EXEEXT)
- @LIBDWARF_TRUE@@LIBELF_TRUE@am__append_6 = scripts/find-debuginfo.sh
--@LIBDWARF_TRUE@@LIBELF_TRUE@am__append_7 = debugedit elfdeps
-+@LIBDWARF_TRUE@@LIBELF_TRUE@am__append_7 = debugedit elfdeps \
-+@LIBDWARF_TRUE@@LIBELF_TRUE@	sepdebugcrcfix
- @DOXYGEN_TRUE@@HACKINGDOCS_TRUE@am__append_8 = doc/hacking/html/index.html
- @DOXYGEN_TRUE@am__append_9 = doc/librpm/html/index.html
- @WITH_INTERNAL_DB_TRUE@am__append_10 = db.h
-@@ -110,7 +111,8 @@ am__installdirs = "$(DESTDIR)$(bindir)"
- 	"$(DESTDIR)$(rpmconfigdir)" "$(DESTDIR)$(rpmvardir)" \
- 	"$(DESTDIR)$(pkgincludedir)" "$(DESTDIR)$(pkgincludedir)"
- @LIBDWARF_TRUE@@LIBELF_TRUE@am__EXEEXT_1 = debugedit$(EXEEXT) \
--@LIBDWARF_TRUE@@LIBELF_TRUE@	elfdeps$(EXEEXT)
-+@LIBDWARF_TRUE@@LIBELF_TRUE@	elfdeps$(EXEEXT) \
-+@LIBDWARF_TRUE@@LIBELF_TRUE@	sepdebugcrcfix$(EXEEXT)
- PROGRAMS = $(bin_PROGRAMS) $(rpmbin_PROGRAMS) $(rpmlibexec_PROGRAMS)
- am__debugedit_SOURCES_DIST = tools/debugedit.c tools/hashtab.c \
- 	tools/hashtab.h
-@@ -157,6 +159,11 @@ am_rpmspec_OBJECTS = rpmspec-rpmspec.$(O
- rpmspec_OBJECTS = $(am_rpmspec_OBJECTS)
- rpmspec_DEPENDENCIES = libcliutils.la build/librpmbuild.la \
- 	lib/librpm.la rpmio/librpmio.la
-+am__sepdebugcrcfix_SOURCES_DIST = tools/sepdebugcrcfix.c
-+@LIBDWARF_TRUE@@LIBELF_TRUE@am_sepdebugcrcfix_OBJECTS =  \
-+@LIBDWARF_TRUE@@LIBELF_TRUE@	tools/sepdebugcrcfix.$(OBJEXT)
-+sepdebugcrcfix_OBJECTS = $(am_sepdebugcrcfix_OBJECTS)
-+sepdebugcrcfix_DEPENDENCIES =
- am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
- am__vpath_adj = case $$p in \
-     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
-@@ -223,12 +230,12 @@ SOURCES = $(libcliutils_la_SOURCES) $(de
- 	$(elfdeps_SOURCES) $(rpm_SOURCES) $(rpm2cpio_SOURCES) \
- 	$(rpmbuild_SOURCES) $(rpmdb_SOURCES) $(rpmdeps_SOURCES) \
- 	$(rpmgraph_SOURCES) $(rpmkeys_SOURCES) $(rpmsign_SOURCES) \
--	$(rpmspec_SOURCES)
-+	$(rpmspec_SOURCES) $(sepdebugcrcfix_SOURCES)
- DIST_SOURCES = $(libcliutils_la_SOURCES) $(am__debugedit_SOURCES_DIST) \
- 	$(am__elfdeps_SOURCES_DIST) $(rpm_SOURCES) $(rpm2cpio_SOURCES) \
- 	$(rpmbuild_SOURCES) $(rpmdb_SOURCES) $(rpmdeps_SOURCES) \
- 	$(rpmgraph_SOURCES) $(rpmkeys_SOURCES) $(rpmsign_SOURCES) \
--	$(rpmspec_SOURCES)
-+	$(rpmspec_SOURCES) $(am__sepdebugcrcfix_SOURCES_DIST)
- RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
- 	html-recursive info-recursive install-data-recursive \
- 	install-dvi-recursive install-exec-recursive \
-@@ -636,6 +643,8 @@ rpm2cpio_LDADD = lib/librpm.la rpmio/lib
- @LIBDWARF_TRUE@@LIBELF_TRUE@elfdeps_LDADD = rpmio/librpmio.la \
- @LIBDWARF_TRUE@@LIBELF_TRUE@	@WITH_LIBELF_LIB@ @WITH_POPT_LIB@ \
- @LIBDWARF_TRUE@@LIBELF_TRUE@	$(am__empty)
-+@LIBDWARF_TRUE@@LIBELF_TRUE@sepdebugcrcfix_SOURCES = tools/sepdebugcrcfix.c
-+@LIBDWARF_TRUE@@LIBELF_TRUE@sepdebugcrcfix_LDADD = @WITH_LIBELF_LIB@
- rpmdeps_SOURCES = tools/rpmdeps.c
- rpmdeps_LDADD = lib/librpm.la rpmio/librpmio.la build/librpmbuild.la @WITH_POPT_LIB@
- rpmgraph_SOURCES = tools/rpmgraph.c
-@@ -903,6 +912,11 @@ rpmsign$(EXEEXT): $(rpmsign_OBJECTS) $(r
- rpmspec$(EXEEXT): $(rpmspec_OBJECTS) $(rpmspec_DEPENDENCIES) $(EXTRA_rpmspec_DEPENDENCIES) 
- 	@rm -f rpmspec$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(rpmspec_OBJECTS) $(rpmspec_LDADD) $(LIBS)
-+tools/sepdebugcrcfix.$(OBJEXT): tools/$(am__dirstamp) \
-+	tools/$(DEPDIR)/$(am__dirstamp)
-+sepdebugcrcfix$(EXEEXT): $(sepdebugcrcfix_OBJECTS) $(sepdebugcrcfix_DEPENDENCIES) $(EXTRA_sepdebugcrcfix_DEPENDENCIES) 
-+	@rm -f sepdebugcrcfix$(EXEEXT)
-+	$(AM_V_CCLD)$(LINK) $(sepdebugcrcfix_OBJECTS) $(sepdebugcrcfix_LDADD) $(LIBS)
- install-dist_binSCRIPTS: $(dist_bin_SCRIPTS)
- 	@$(NORMAL_INSTALL)
- 	@list='$(dist_bin_SCRIPTS)'; test -n "$(bindir)" || list=; \
-@@ -994,6 +1008,7 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@tools/$(DEPDIR)/hashtab.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@tools/$(DEPDIR)/rpmdeps.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@tools/$(DEPDIR)/rpmgraph.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@tools/$(DEPDIR)/sepdebugcrcfix.Po@am__quote@
- 
- .c.o:
- @am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
 --- rpm-4.11.1-rc1-orig/scripts/find-debuginfo.sh	2013-06-24 17:20:55.407538301 +0200
 +++ rpm-4.11.1-rc1/scripts/find-debuginfo.sh	2013-06-24 18:34:41.270897302 +0200
 @@ -114,10 +114,12 @@ done

rpm-4.11.2-double-separator-warning.patch

@@ -0,0 +1,17 @@
+diff -up rpm-4.11.2/build/parseReqs.c.double-sep-warning rpm-4.11.2/build/parseReqs.c
+--- rpm-4.11.2/build/parseReqs.c.double-sep-warning	2014-02-18 08:59:32.692891895 +0200
++++ rpm-4.11.2/build/parseReqs.c	2014-02-18 09:00:17.572769945 +0200
+@@ -166,8 +166,11 @@ rpmRC parseRCPOT(rpmSpec spec, Package p
+ 	    if (rpmCharCheck(spec, EVR, ve-v, ".-_+:%{}~")) goto exit;
+ 
+             /* While ':' and '-' are valid, only one of each is valid. */
+-	    if (checkSep(EVR, '-', &emsg) || checkSep(EVR, ':', &emsg))
+-		goto exit;
++	    if (checkSep(EVR, '-', &emsg) || checkSep(EVR, ':', &emsg)) {
++		rpmlog(RPMLOG_WARNING, _("line %d: %s: %s\n"),
++		       spec->lineNum, emsg, spec->line);
++		emsg = _free(emsg);
++	    }
+ 
+ 	    re = ve;	/* ==> next token after EVR string starts here */
+ 	} else

rpm-4.11.3-armhfp.patch

@@ -1,7 +1,7 @@
-diff -uNr rpm-4.9.0-orig//macros.in rpm-4.9.0/macros.in
---- rpm-4.9.0-orig//macros.in	2011-08-05 12:23:04.000000000 -0500
-+++ rpm-4.9.0/macros.in	2011-08-05 12:25:13.000000000 -0500
-@@ -1032,7 +1032,7 @@
+diff -up rpm-4.11.3/macros.in.armhfp rpm-4.11.3/macros.in
+--- rpm-4.11.3/macros.in.armhfp	2014-09-05 16:09:00.595885788 +0300
++++ rpm-4.11.3/macros.in	2014-09-05 16:09:00.602885768 +0300
+@@ -999,7 +999,7 @@ done \
  
  #------------------------------------------------------------------------------
  # arch macro for all supported ARM processors
@@ -10,19 +10,19 @@ diff -uNr rpm-4.9.0-orig//macros.in rpm-4.9.0/macros.in
  
  #------------------------------------------------------------------------------
  # arch macro for all supported Sparc processors
-diff -uNr rpm-4.9.0-orig//rpmrc.in rpm-4.9.0/rpmrc.in
---- rpm-4.9.0-orig//rpmrc.in	2011-08-05 12:23:04.000000000 -0500
-+++ rpm-4.9.0/rpmrc.in	2011-08-05 12:26:34.000000000 -0500
-@@ -66,6 +66,8 @@
+diff -up rpm-4.11.3/rpmrc.in.armhfp rpm-4.11.3/rpmrc.in
+--- rpm-4.11.3/rpmrc.in.armhfp	2014-09-05 16:09:00.590885802 +0300
++++ rpm-4.11.3/rpmrc.in	2014-09-05 16:09:00.602885768 +0300
+@@ -68,6 +68,8 @@ optflags: armv5tel -O2 -g -march=armv5te
  optflags: armv5tejl -O2 -g -march=armv5te
  optflags: armv6l -O2 -g -march=armv6
  optflags: armv7l -O2 -g -march=armv7
 +optflags: armv7hl -O2 -g -march=armv7-a -mfloat-abi=hard -mfpu=vfpv3-d16
 +optflags: armv7hnl -O2 -g -march=armv7-a -mfloat-abi=hard -mfpu=neon
  
- optflags: atarist -O2 -g -fomit-frame-pointer
- optflags: atariste -O2 -g -fomit-frame-pointer
-@@ -140,6 +142,8 @@
+ optflags: m68k -O2 -g -fomit-frame-pointer
+ 
+@@ -185,6 +187,8 @@ arch_canon:     armv5tel: armv5tel 	12
  arch_canon:     armv5tejl: armv5tejl 	12
  arch_canon:     armv6l: armv6l 	12
  arch_canon:     armv7l: armv7l 	12
@@ -31,25 +31,25 @@ diff -uNr rpm-4.9.0-orig//rpmrc.in rpm-4.9.0/rpmrc.in
  
  arch_canon:	m68kmint: m68kmint	13
  arch_canon:	atarist: m68kmint	13
-@@ -248,6 +252,8 @@
+@@ -298,6 +302,8 @@ buildarchtranslate: armv5tel: armv5tel
  buildarchtranslate: armv5tejl: armv5tejl
  buildarchtranslate: armv6l: armv6l
  buildarchtranslate: armv7l: armv7l
 +buildarchtranslate: armv7hl: armv7hl
 +buildarchtranslate: armv7hnl: armv7hnl
  
- buildarchtranslate: atarist: m68kmint
- buildarchtranslate: atariste: m68kmint
-@@ -336,6 +342,8 @@
+ buildarchtranslate: m68k: m68k
+ 
+@@ -392,6 +398,8 @@ arch_compat: armv5tel: armv4tl
  arch_compat: armv4tl: armv4l
  arch_compat: armv4l: armv3l
  arch_compat: armv3l: noarch
 +arch_compat: armv7hnl: armv7hl
 +arch_compat: armv7hl: noarch
  
- arch_compat: atarist: m68kmint noarch
- arch_compat: atariste: m68kmint noarch
-@@ -441,6 +449,9 @@
+ arch_compat: m68k: noarch
+ 
+@@ -505,6 +513,9 @@ buildarch_compat: armv4tl: armv4l
  buildarch_compat: armv4l: armv3l
  buildarch_compat: armv3l: noarch
  

rpm-4.11.x-CVE-2013-6435.patch

@@ -0,0 +1,22 @@
+--- rpm-4.11.1/lib/fsm.c.orig	2014-11-13 13:38:56.742934031 +0100
++++ rpm-4.11.1/lib/fsm.c	2014-11-13 13:42:13.036380024 +0100
+@@ -726,12 +726,17 @@
+ {
+     FD_t wfd = NULL;
+     const struct stat * st = &fsm->sb;
+-    rpm_loff_t left = st->st_size;
++    rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+     const unsigned char * fidigest = NULL;
+     pgpHashAlgo digestalgo = 0;
+     int rc = 0;
+ 
+-    wfd = Fopen(fsm->path, "w.ufdio");
++    /* Create the file with 000 permissions. */
++    {
++	mode_t old_umask = umask(0777);
++	wfd = Fopen(fsm->path, "w.ufdio");
++	umask(old_umask);
++    }                      
+     if (Ferror(wfd)) {
+ 	rc = CPIOERR_OPEN_FAILED;
+ 	goto exit;

rpm-4.11.x-CVE-2014-8118.patch

@@ -0,0 +1,12 @@
+--- rpm-4.11.1.orig/lib/cpio.c	2014-11-28 12:21:50.444158675 +0100
++++ rpm-4.11.1/lib/cpio.c	2014-11-28 12:22:53.776453253 +0100
+@@ -296,6 +296,9 @@
+     st->st_rdev = makedev(major, minor);
+ 
+     GET_NUM_FIELD(hdr.namesize, nameSize);
++    if (nameSize <= 0 || nameSize > 4096) {
++        return CPIOERR_BAD_HEADER;
++    }
+ 
+     *path = xmalloc(nameSize + 1);
+     read = Fread(*path, nameSize, 1, cpio->fd);

rpm-4.12.0-golang-debuginfo.patch

@@ -0,0 +1,36 @@
+From 363c015da5cbf315df267dc53580290984039804 Mon Sep 17 00:00:00 2001
+From: Jan Kratochvil <jan.kratochvil@redhat.com>
+Date: Wed, 15 Apr 2015 09:51:08 +0200
+Subject: [PATCH] Make sure references to go sources in debuginfo packages go
+ to the installed path and not the source file in the build environment.
+
+ - Resolves: rhbz#1184221
+---
+ tools/debugedit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/debugedit.c b/tools/debugedit.c
+index 0f85885..cf89312 100644
+--- a/tools/debugedit.c
++++ b/tools/debugedit.c
+@@ -480,7 +480,7 @@ edit_dwarf2_line (DSO *dso, uint32_t off, char *comp_dir, int phase)
+   unsigned char *endcu, *endprol;
+   unsigned char opcode_base;
+   uint32_t value, dirt_cnt;
+-  size_t comp_dir_len = strlen (comp_dir);
++  size_t comp_dir_len = !comp_dir ? 0 : strlen (comp_dir);
+   size_t abs_file_cnt = 0, abs_dir_cnt = 0;
+ 
+   if (phase != 0)
+@@ -950,7 +950,7 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase)
+ 	}
+     }
+ 
+-  if (found_list_offs && comp_dir)
++  if (found_list_offs)
+     edit_dwarf2_line (dso, list_offs, comp_dir, phase);
+ 
+   free (comp_dir);
+-- 
+2.1.0
+

rpm-4.9.0-armhfp-logic.patch

@@ -1,7 +1,7 @@
-diff -up rpm-4.9.1.3/lib/rpmrc.c.armhfp-logic rpm-4.9.1.3/lib/rpmrc.c
---- rpm-4.9.1.3/lib/rpmrc.c.armhfp-logic	2012-04-19 17:11:32.728750591 +0200
-+++ rpm-4.9.1.3/lib/rpmrc.c	2012-04-19 17:11:32.754738455 +0200
-@@ -743,6 +743,56 @@ static int is_sun4v()
+diff -up rpm-4.11.1/lib/rpmrc.c.armhfp-logic rpm-4.11.1/lib/rpmrc.c
+--- rpm-4.11.1/lib/rpmrc.c.armhfp-logic	2013-10-01 14:59:12.841041726 +0300
++++ rpm-4.11.1/lib/rpmrc.c	2013-10-01 14:59:12.856041684 +0300
+@@ -733,6 +733,56 @@ static int is_sun4v()
  }
  #endif
  
@@ -58,8 +58,8 @@ diff -up rpm-4.9.1.3/lib/rpmrc.c.armhfp-logic rpm-4.9.1.3/lib/rpmrc.c
  
  #	if defined(__linux__) && defined(__i386__)
  #include <setjmp.h>
-@@ -1220,6 +1270,22 @@ static void defaultMachine(const char **
-         }
+@@ -1136,6 +1186,22 @@ static void defaultMachine(const char **
+ #	endif	/* __ORDER_BIG_ENDIAN__ */
  #	endif	/* ppc64*-linux */
  
 +#	if defined(__linux__) && defined(__arm__)

rpm.spec

@@ -11,7 +11,7 @@
 
 %define rpmhome /usr/lib/rpm
 
-%define rpmver 4.11.1
+%define rpmver 4.11.3
 %define srcver %{rpmver}%{?snapver:-%{snapver}}
 
 %define bdbname libdb
@@ -21,7 +21,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}7%{?dist}
+Release: %{?snapver:0.%{snapver}.}3%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.11.x/%{name}-%{srcver}.tar.bz2
@@ -41,18 +41,20 @@ Patch2: rpm-4.9.90-fedora-specspo.patch
 Patch3: rpm-4.9.90-no-man-dirs.patch
 # gnupg2 comes installed by default, avoid need to drag in gnupg too
 Patch4: rpm-4.8.1-use-gpg2.patch
-Patch5: rpm-4.9.90-armhfp.patch
+Patch5: rpm-4.11.3-armhfp.patch
 #conditionally applied patch for arm hardware floating point
 Patch6: rpm-4.9.0-armhfp-logic.patch
 
+# Fedora has big package stacks based on broken dependency EVRs, reduce the
+# double separator error into an error on released versions (#1065563)
+Patch10: rpm-4.11.2-double-separator-warning.patch
+
 # Patches already in upstream
-# Filter soname dependencies by name
+# Filter soname dependencies by name (these are upstream but not in 4.11.x)
 Patch100: rpm-4.11.x-filter-soname-deps.patch
-Patch101: rpm-4.11.1-instprefix.patch
 Patch102: rpm-4.11.x-do-not-filter-ld64.patch
-Patch103: rpm-4.11.1-file-triplet-check.patch
-Patch104: rpm-4.11.1-caps-double-free.patch
-Patch105: rpm-4.11.1-empty-lua-script.patch
+# Fix golang debuginfo packages
+Patch103: rpm-4.12.0-golang-debuginfo.patch
 
 # These are not yet upstream
 Patch301: rpm-4.6.0-niagara.patch
@@ -65,8 +67,11 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
 Patch306: rpm-4.10.0-minidebuginfo.patch
 # Fix CRC32 after dwz (#971119)
 Patch307: rpm-4.11.1-sepdebugcrcfix.patch
-# To be upstreamed in slightly different form
-Patch308: rpm-4.11.0.1-setuppy-fixes.patch
+# Fix race condidition where unchecked data is exposed in the file system
+Patch308: rpm-4.11.x-CVE-2013-6435.patch
+# Add check against malicious CPIO file name size
+Patch309: rpm-4.11.x-CVE-2014-8118.patch
+
 # Temporary Patch to provide support for updates
 Patch400: rpm-4.10.90-rpmlib-filesystem-check.patch
 
@@ -118,6 +123,8 @@ BuildRequires: xz-devel%{_isa} >= 4.999.8
 %endif
 # Only required by sepdebugcrcfix patch
 BuildRequires: binutils-devel
+# Couple of patches change makefiles so, require for now...
+BuildRequires: automake libtool
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -251,12 +258,10 @@ packages on a system.
 %patch3 -p1 -b .no-man-dirs
 %patch4 -p1 -b .use-gpg2
 
+%patch10 -p1 -b .double-sep-warning
+
 %patch100 -p1 -b .filter-soname-deps
-%patch101 -p1 -b .instprefix
 %patch102 -p1 -b .dont-filter-ld64
-%patch103 -p1 -b .file-triplet-check
-%patch104 -p1 -b .caps-double-free
-%patch105 -p1 -b .empty-lua-script
 
 %patch301 -p1 -b .niagara
 %patch302 -p1 -b .geode
@@ -264,7 +269,8 @@ packages on a system.
 %patch305 -p1 -b .dwz-debuginfo
 %patch306 -p1 -b .minidebuginfo
 %patch307 -p1 -b .sepdebugcrcfix
-%patch308 -p1 -b .setuppy-fixes
+%patch308 -p1 -b .chmod
+%patch309 -p1 -b .namesize
 
 %patch400 -p1 -b .rpmlib-filesystem-check
 
@@ -287,6 +293,8 @@ CPPFLAGS="$CPPFLAGS `pkg-config --cflags nss`"
 CFLAGS="$RPM_OPT_FLAGS"
 export CPPFLAGS CFLAGS LDFLAGS
 
+autoreconf -i -f
+
 # Using configure macro has some unwanted side-effects on rpm platform
 # setup, use the old-fashioned way for now only defining minimal paths.
 ./configure \
@@ -513,6 +521,25 @@ exit 0
 %doc COPYING doc/librpm/html/*
 
 %changelog
+* Wed Apr 15 2015 Florian Festi <ffesti@rpm.org> - 4.12.0.1-3
+- Fix references to sources in golang debuginfo packages (#1184221)
+
+* Fri Dec 12 2014 Lubos Kardos <lkardos@redhat.com> - 4.11.3-2
+- Add check against malicious CPIO file name size (#1168715)
+- Fixes CVE-2014-8118
+- Fix race condidition where unchecked data is exposed in the file system
+  (#1039811)
+- Fixes CVE-2013-6435
+
+* Fri Sep 05 2014 Panu Matilainen <pmatilai@redhat.com> - 4.11.3-1
+- update to 4.11.3 (http://rpm.org/wiki/Releases/4.11.3)
+
+* Tue Feb 18 2014 Panu Matilainen <pmatilai@redhat.com> - 4.11.2-2
+- reduce the double separator spec parse error into a warning (#1065563)
+
+* Thu Feb 13 2014 Panu Matilainen <pmatilai@redhat.com> - 4.11.2-1
+- update to 4.11.2 (http://rpm.org/wiki/Releases/4.11.2)
+
 * Mon Sep 09 2013 Matilainen <pmatilai@redhat.com> - 4.11.1-7
 - fix build-time double-free on file capability processing (#956190)
 - fix relocation related regression on file sanity check (#1001553)

sources

@@ -1 +1 @@
-e53c59768676b21b0924d251b21df7c6  rpm-4.11.1.tar.bz2
+2e3e7919c5b59d2c5aa8207ad2014d3b  rpm-4.11.3.tar.bz2