Adding STAGE2 bootstrap recipe

- resolves: #1231247

0001-Fix-find-debuginfo.sh-for-ELF-with-file-warnings.patch

@@ -0,0 +1,37 @@
+From 4f58e5abcb336292f78bc6d54e1140b4fdded30b Mon Sep 17 00:00:00 2001
+From: Pascal Terjan <pterjan@mandriva.org>
+Date: Sat, 14 Feb 2015 21:58:19 +0000
+Subject: [PATCH] Fix find-debuginfo.sh for ELF with file warnings
+
+Since the fix for CVE-2014-9620, file will print a "warning" that it
+only processed 256 notes:
+
+$ file -N libjvm.so
+libjvm.so: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=63ece24db1a29f9df8231337f741664e0b10fc7f, not stripped, too many notes (256)
+
+And this leads to those messages and a failure:
+stat: cannot stat 'libjvm.so,': No such file or directory
+stat: cannot stat 'too': No such file or directory
+stat: cannot stat 'many': No such file or directory
+stat: cannot stat 'notes': No such file or directory
+stat: cannot stat '(256)': No such file or directory
+---
+ scripts/find-debuginfo.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
+index 57449f7..264fad5 100644
+--- a/scripts/find-debuginfo.sh
++++ b/scripts/find-debuginfo.sh
+@@ -205,7 +205,7 @@ $strict || strict_error=WARNING
+ find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*.debug" -type f \
+      		     \( -perm -0100 -or -perm -0010 -or -perm -0001 \) \
+ 		     -print |
+-file -N -f - | sed -n -e 's/^\(.*\):[ 	]*.*ELF.*, not stripped/\1/p' |
++file -N -f - | sed -n -e 's/^\(.*\):[ 	]*.*ELF.*, not stripped.*/\1/p' |
+ xargs --no-run-if-empty stat -c '%h %D_%i %n' |
+ while read nlinks inum f; do
+   get_debugfn "$f"
+-- 
+2.3.0
+

STAGE2-rpm

@@ -0,0 +1,34 @@
+#requires popt
+#requires nss-softokn
+#requires nss
+#requires file
+#requires libarchive
+#requires libdb4
+#requires redhat-rpm-config
+#requires lua
+#requires autoconf
+#requires pkgconfig
+
+
+(cd $SRC/rpm-*/ && autoreconf -vif)
+
+mcd $BUILDDIR/rpm
+
+$SRC/rpm-*/configure $TCONFIGARGS \
+	--build=${TARGET} \
+	--host=${TARGET} \
+	--target=${TARGET} \
+	CPPFLAGS="-I/usr/include/nspr -I/usr/include/nss3 -DPACKAGE -DPACKAGE_VERSION" \
+	--libdir=/usr/lib${SUFFIX} \
+	--with-external-db \
+	--disable-static \
+	--with-lua \
+	--localstatedir=/var
+
+make $J
+make $J install
+
+mkdir -p /etc/rpm
+mkdir -p /var/lib/rpm
+
+rpm --initdb

rpm-4.12.0-golang-debuginfo.patch

@@ -0,0 +1,36 @@
+From 363c015da5cbf315df267dc53580290984039804 Mon Sep 17 00:00:00 2001
+From: Jan Kratochvil <jan.kratochvil@redhat.com>
+Date: Wed, 15 Apr 2015 09:51:08 +0200
+Subject: [PATCH] Make sure references to go sources in debuginfo packages go
+ to the installed path and not the source file in the build environment.
+
+ - Resolves: rhbz#1184221
+---
+ tools/debugedit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/debugedit.c b/tools/debugedit.c
+index 0f85885..cf89312 100644
+--- a/tools/debugedit.c
++++ b/tools/debugedit.c
+@@ -480,7 +480,7 @@ edit_dwarf2_line (DSO *dso, uint32_t off, char *comp_dir, int phase)
+   unsigned char *endcu, *endprol;
+   unsigned char opcode_base;
+   uint32_t value, dirt_cnt;
+-  size_t comp_dir_len = strlen (comp_dir);
++  size_t comp_dir_len = !comp_dir ? 0 : strlen (comp_dir);
+   size_t abs_file_cnt = 0, abs_dir_cnt = 0;
+ 
+   if (phase != 0)
+@@ -950,7 +950,7 @@ edit_attributes (DSO *dso, unsigned char *ptr, struct abbrev_tag *t, int phase)
+ 	}
+     }
+ 
+-  if (found_list_offs && comp_dir)
++  if (found_list_offs)
+     edit_dwarf2_line (dso, list_offs, comp_dir, phase);
+ 
+   free (comp_dir);
+-- 
+2.1.0
+

rpm-4.12.0-whatrecommends.patch

@@ -0,0 +1,157 @@
+diff --git a/doc/rpm.8 b/doc/rpm.8
+index e583009..283e8ac 100644
+--- a/doc/rpm.8
++++ b/doc/rpm.8
+@@ -58,6 +58,8 @@ rpm \- RPM Package Manager
+  [\fB--hdrid \fISHA1\fB\fR] [\fB--pkgid \fIMD5\fB\fR] [\fB--tid \fITID\fB\fR]
+  [\fB--querybynumber \fIHDRNUM\fB\fR] [\fB--triggeredby \fIPACKAGE_NAME\fB\fR]
+  [\fB--whatprovides \fICAPABILITY\fB\fR] [\fB--whatrequires \fICAPABILITY\fB\fR]
++ [\fB--whatrecommends \fICAPABILITY\fB\fR] [\fB--whatsuggests \fICAPABILITY\fB\fR]
++ [\fB--whatsupplements \fICAPABILITY\fB\fR] [\fB--whatenhances \fICAPABILITY\fB\fR]
+ 
+ .SS "query-options"
+ .PP
+@@ -588,6 +590,18 @@ Query all packages that provide the \fICAPABILITY\fR capability.
+ .TP
+ \fB--whatrequires \fICAPABILITY\fB\fR
+ Query all packages that require \fICAPABILITY\fR for proper functioning.
++.TP
++\fB--whatrecommends \fICAPABILITY\fB\fR
++Query all packages that recommend \fICAPABILITY\fR.
++.TP
++\fB--whatsuggests \fICAPABILITY\fB\fR
++Query all packages that suggest \fICAPABILITY\fR.
++.TP
++\fB--whatsupplements \fICAPABILITY\fB\fR
++Query all packages that supplement \fICAPABILITY\fR.
++.TP
++\fB--whatenhances \fICAPABILITY\fB\fR
++Query all packages that enhance \fICAPABILITY\fR.
+ .SS "PACKAGE QUERY OPTIONS:"
+ .PP
+ .TP
+diff --git a/lib/poptQV.c b/lib/poptQV.c
+index 3db17b0..80edce7 100644
+--- a/lib/poptQV.c
++++ b/lib/poptQV.c
+@@ -21,6 +21,10 @@ struct rpmQVKArguments_s rpmQVKArgs;
+ #define POPT_QUERYBYPKGID	-1007
+ #define POPT_QUERYBYHDRID	-1008
+ #define POPT_QUERYBYTID		-1010
++#define POPT_WHATRECOMMENDS	-1011
++#define POPT_WHATSUGGESTS	-1012
++#define POPT_WHATSUPPLEMENTS	-1013
++#define POPT_WHATENHANCES	-1014
+ 
+ /* ========== Query/Verify/Signature source args */
+ static void rpmQVSourceArgCallback( poptContext con,
+@@ -45,6 +49,10 @@ static void rpmQVSourceArgCallback( poptContext con,
+     case 'p': qva->qva_source |= RPMQV_RPM; break;
+     case POPT_WHATPROVIDES: qva->qva_source |= RPMQV_WHATPROVIDES; break;
+     case POPT_WHATREQUIRES: qva->qva_source |= RPMQV_WHATREQUIRES; break;
++    case POPT_WHATRECOMMENDS: qva->qva_source |= RPMQV_WHATRECOMMENDS; break;
++    case POPT_WHATSUGGESTS: qva->qva_source |= RPMQV_WHATSUGGESTS; break;
++    case POPT_WHATSUPPLEMENTS: qva->qva_source |= RPMQV_WHATSUPPLEMENTS; break;
++    case POPT_WHATENHANCES: qva->qva_source |= RPMQV_WHATENHANCES; break;
+     case POPT_TRIGGEREDBY: qva->qva_source |= RPMQV_TRIGGEREDBY; break;
+     case POPT_QUERYBYPKGID: qva->qva_source |= RPMQV_PKGID; break;
+     case POPT_QUERYBYHDRID: qva->qva_source |= RPMQV_HDRID; break;
+@@ -93,6 +101,14 @@ struct poptOption rpmQVSourcePoptTable[] = {
+ 	N_("query/verify the package(s) which require a dependency"), "CAPABILITY" },
+  { "whatprovides", '\0', 0, 0, POPT_WHATPROVIDES, 
+ 	N_("query/verify the package(s) which provide a dependency"), "CAPABILITY" },
++ { "whatrecommends", '\0', 0, 0, POPT_WHATRECOMMENDS,
++	N_("query/verify the package(s) which recommends a dependency"), "CAPABILITY" },
++ { "whatsuggests", '\0', 0, 0, POPT_WHATSUGGESTS,
++	N_("query/verify the package(s) which suggests a dependency"), "CAPABILITY" },
++ { "whatsupplements", '\0', 0, 0, POPT_WHATSUPPLEMENTS,
++	N_("query/verify the package(s) which supplements a dependency"), "CAPABILITY" },
++ { "whatenhances", '\0', 0, 0, POPT_WHATENHANCES,
++	N_("query/verify the package(s) which enhances a dependency"), "CAPABILITY" },
+ 
+  { "noglob", '\0', POPT_BIT_SET|POPT_ARGFLAG_DOC_HIDDEN, &giFlags, RPMGI_NOGLOB,
+ 	N_("do not glob arguments"), NULL},
+diff --git a/lib/query.c b/lib/query.c
+index 896ebe3..b15b99b 100644
+--- a/lib/query.c
++++ b/lib/query.c
+@@ -384,6 +384,34 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
+ 	}
+ 	break;
+ 
++    case RPMQV_WHATRECOMMENDS:
++	mi = rpmtsInitIterator(ts, RPMDBI_RECOMMENDNAME, arg, 0);
++	if (mi == NULL) {
++	    rpmlog(RPMLOG_NOTICE, _("no package recommends %s\n"), arg);
++	}
++	break;
++
++    case RPMQV_WHATSUGGESTS:
++	mi = rpmtsInitIterator(ts, RPMDBI_SUGGESTNAME, arg, 0);
++	if (mi == NULL) {
++	    rpmlog(RPMLOG_NOTICE, _("no package suggests %s\n"), arg);
++	}
++	break;
++
++    case RPMQV_WHATSUPPLEMENTS:
++	mi = rpmtsInitIterator(ts, RPMDBI_SUPPLEMENTNAME, arg, 0);
++	if (mi == NULL) {
++	    rpmlog(RPMLOG_NOTICE, _("no package supplements %s\n"), arg);
++	}
++	break;
++
++    case RPMQV_WHATENHANCES:
++	mi = rpmtsInitIterator(ts, RPMDBI_ENHANCENAME, arg, 0);
++	if (mi == NULL) {
++	    rpmlog(RPMLOG_NOTICE, _("no package enhances %s\n"), arg);
++	}
++	break;
++
+     case RPMQV_WHATPROVIDES:
+ 	if (arg[0] != '/' && arg[0] != '.') {
+ 	    mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, arg, 0);
+diff --git a/lib/rpmcli.h b/lib/rpmcli.h
+index 48e8250..4adb3d1 100644
+--- a/lib/rpmcli.h
++++ b/lib/rpmcli.h
+@@ -91,6 +91,10 @@ enum rpmQVSources_e {
+     RPMQV_HDRID,	/*!< ... from header id (immutable header SHA1). */
+     RPMQV_TID,		/*!< ... from install transaction id (time stamp). */
+     RPMQV_SPECSRPM,	/*!< ... from spec file source (query only). */
++    RPMQV_WHATRECOMMENDS,	/*!< ... from recommends db search. */
++    RPMQV_WHATSUGGESTS,		/*!< ... from suggests db search. */
++    RPMQV_WHATSUPPLEMENTS,	/*!< ... from supplements db search. */
++    RPMQV_WHATENHANCES,		/*!< ... from enhances db search. */
+ };
+ 
+ typedef rpmFlags rpmQVSources;
+diff --git a/lib/rpmdb.c b/lib/rpmdb.c
+index b6d3247..baa1974 100644
+--- a/lib/rpmdb.c
++++ b/lib/rpmdb.c
+@@ -493,6 +493,10 @@ static rpmdb newRpmdb(const char * root, const char * home,
+ 	RPMDBI_INSTALLTID,
+ 	RPMDBI_SIGMD5,
+ 	RPMDBI_SHA1HEADER,
++	RPMDBI_RECOMMENDNAME,
++	RPMDBI_SUGGESTNAME,
++	RPMDBI_SUPPLEMENTNAME,
++	RPMDBI_ENHANCENAME,
+     };
+ 
+     if (!(db_home && db_home[0] != '%')) {
+diff --git a/lib/rpmtag.h b/lib/rpmtag.h
+index 12a2a50..1dc1c2b 100644
+--- a/lib/rpmtag.h
++++ b/lib/rpmtag.h
+@@ -353,6 +353,10 @@ typedef enum rpmDbiTag_e {
+     RPMDBI_SIGMD5		= RPMTAG_SIGMD5,
+     RPMDBI_SHA1HEADER		= RPMTAG_SHA1HEADER,
+     RPMDBI_INSTFILENAMES	= RPMTAG_INSTFILENAMES,
++    RPMDBI_RECOMMENDNAME	= RPMTAG_RECOMMENDNAME,
++    RPMDBI_SUGGESTNAME		= RPMTAG_SUGGESTNAME,
++    RPMDBI_SUPPLEMENTNAME	= RPMTAG_SUPPLEMENTNAME,
++    RPMDBI_ENHANCENAME		= RPMTAG_ENHANCENAME,
+ } rpmDbiTag;
+ 
+ /** \ingroup signature

rpm-4.12.0.x-CVE-2013-6435.patch

@@ -0,0 +1,16 @@
+--- rpm-4.12.0.1/lib/fsm.c.orig	2014-12-12 16:05:51.683430313 +0100
++++ rpm-4.12.0.1/lib/fsm.c	2014-12-12 16:08:28.046025597 +0100
+@@ -215,7 +215,12 @@ static int expandRegular(rpmfi fi, const
+     FD_t wfd = NULL;
+     int rc = 0;
+ 
+-    wfd = Fopen(dest, "w.ufdio");
++    /* Create the file with 000 permissions. */
++    {
++	mode_t old_umask = umask(0777);
++	wfd = Fopen(dest, "w.ufdio");
++	umask(old_umask);
++    }
+     if (Ferror(wfd)) {
+ 	rc = RPMERR_OPEN_FAILED;
+ 	goto exit;

rpm-4.12.0.x-CVE-2014-8118.patch

@@ -0,0 +1,14 @@
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 253ff0f..600633a 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -399,6 +399,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, int * fx)
+ 
+     GET_NUM_FIELD(hdr.filesize, fsize);
+     GET_NUM_FIELD(hdr.namesize, nameSize);
++    if (nameSize <= 0 || nameSize > 4096) {
++	 return RPMERR_BAD_HEADER;
++    }
+ 
+     char name[nameSize + 1];
+     read = Fread(name, nameSize, 1, cpio->fd);

rpm.spec

@@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}3%{?dist}
+Release: %{?snapver:0.%{snapver}.}8%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@@ -56,6 +56,12 @@ Patch100: rpm-4.12.0-tslock-nowait.patch
 Patch101: rpm-4.12.0-payload-ghost.patch
 # Unbreak size tag generation on big-endian systems
 Patch102: rpm-4.12.0-archive-endian.patch
+# find-debuginfo.sh fails on ELF with more than 256 notes
+# http://www.rpm.org/ticket/887
+Patch103: 0001-Fix-find-debuginfo.sh-for-ELF-with-file-warnings.patch
+# Fix golang debuginfo packages
+Patch104: rpm-4.12.0-golang-debuginfo.patch
+Patch105: rpm-4.12.0-whatrecommends.patch
 
 # These are not yet upstream
 Patch302: rpm-4.7.1-geode-i686.patch
@@ -67,6 +73,10 @@ Patch305: rpm-4.10.0-dwz-debuginfo.patch
 Patch306: rpm-4.10.0-minidebuginfo.patch
 # Fix CRC32 after dwz (#971119)
 Patch307: rpm-4.11.1-sepdebugcrcfix.patch
+# Fix race condidition where unchecked data is exposed in the file system
+Patch308: rpm-4.12.0.x-CVE-2013-6435.patch
+# Add check against malicious CPIO file name size
+Patch309: rpm-4.12.0.x-CVE-2014-8118.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD 
@@ -292,6 +302,13 @@ Requires: rpm-libs%{_isa} = %{version}-%{release}
 ln -s db-%{bdbver} db
 %endif
 
+# Do autoreconf in prep for bootstraping
+CPPFLAGS="$CPPFLAGS `pkg-config --cflags nss`"
+CFLAGS="$RPM_OPT_FLAGS %{?sanitizer_flags}"
+export CPPFLAGS CFLAGS LDFLAGS
+
+autoreconf -i -f
+
 %build
 %if %{without int_bdb}
 #CPPFLAGS=-I%{_includedir}/db%{bdbver} 
@@ -301,8 +318,6 @@ CPPFLAGS="$CPPFLAGS `pkg-config --cflags nss`"
 CFLAGS="$RPM_OPT_FLAGS %{?sanitizer_flags}"
 export CPPFLAGS CFLAGS LDFLAGS
 
-autoreconf -i -f
-
 # Using configure macro has some unwanted side-effects on rpm platform
 # setup, use the old-fashioned way for now only defining minimal paths.
 ./configure \
@@ -534,6 +549,25 @@ exit 0
 %doc doc/librpm/html/*
 
 %changelog
+* Wed Jul 15 2015 Florian Festi <ffesti@rpm.org> - 4.12.0.1-8
+- move autoreconf into prep section
+
+* Fri Jun 12 2015 Florian Festi <ffesti@rpm.org> - 4.12.0.1-7
+- Add --whatrecommends and friends (#1231247)
+
+* Wed Apr 15 2015 Florian Festi <ffesti@rpm.org> - 4.12.0.1-6
+- Fix references to sources in golang debuginfo packages (#1184221)
+
+* Tue Mar 03 2015 Florian Festi <ffesti@redhat.com> - 4.12.0.1-5
+- Include upstream patch to fix find-debuginfo (http://www.rpm.org/ticket/887).
+
+* Fri Dec 12 2014 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-4
+- Add check against malicious CPIO file name size (#1168715)
+- Fixes CVE-2014-8118
+- Fix race condidition where unchecked data is exposed in the file system
+  (#1039811)
+- Fixes CVE-2013-6435
+
 * Tue Oct 28 2014 Panu Matilainen <pmatilai@redhat.com> - 4.12.0.1-3
 - Skip ghost files in payload (#1156497)
 - Fix size and archice size tag generation on big-endian systems