From e481423cfbb04c8c699ca2a7cd187a28324ae4d3 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 29 Mar 2024 15:55:21 +0300 Subject: [PATCH] import librepo-1.14.2-5.el8 --- .gitignore | 1 + .librepo.metadata | 1 + ...ision-for-timestamp-of-checksum-cach.patch | 72 +++ ...x-alloc-free-mismatches-from-covscan.patch | 296 +++++++++ SOURCES/0003-More-covscan-fixes.patch | 578 ++++++++++++++++++ ...intf-instead-of-manually-calculating.patch | 51 ++ ...ee_full-to-free-LRMetadataTarget-err.patch | 55 ++ ...essage-when-using-non-existing-TMPDI.patch | 29 + ...t-creation-SELinux-labels-on-GnuPG-d.patch | 226 +++++++ SPECS/librepo.spec | 312 ++++++++++ 10 files changed, 1621 insertions(+) create mode 100644 .gitignore create mode 100644 .librepo.metadata create mode 100644 SOURCES/0001-Use-nanosec-precision-for-timestamp-of-checksum-cach.patch create mode 100644 SOURCES/0002-Fix-alloc-free-mismatches-from-covscan.patch create mode 100644 SOURCES/0003-More-covscan-fixes.patch create mode 100644 SOURCES/0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch create mode 100644 SOURCES/0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch create mode 100644 SOURCES/0006-Detailed-error-message-when-using-non-existing-TMPDI.patch create mode 100644 SOURCES/0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch create mode 100644 SPECS/librepo.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e33fbd3 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/librepo-1.14.2.tar.gz diff --git a/.librepo.metadata b/.librepo.metadata new file mode 100644 index 0000000..10c6055 --- /dev/null +++ b/.librepo.metadata @@ -0,0 +1 @@ +c9f39d7497d310ae220df2dfbd8e95f347e2bc8c SOURCES/librepo-1.14.2.tar.gz diff --git a/SOURCES/0001-Use-nanosec-precision-for-timestamp-of-checksum-cach.patch b/SOURCES/0001-Use-nanosec-precision-for-timestamp-of-checksum-cach.patch new file mode 100644 index 0000000..b59688e --- /dev/null 
+++ b/SOURCES/0001-Use-nanosec-precision-for-timestamp-of-checksum-cach.patch 
@@ -0,0 +1,72 @@ +From e6f48ae9bff7b5dc8027d043aa1bffa53d507a42 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= +Date: Thu, 5 May 2022 12:44:27 +0200 +Subject: [PATCH] Use nanosec precision for timestamp of checksum cache + (RhBug:2077864) + += changelog = +msg: Use nanosec precision for timestamp of checksum cache +type: bugfix +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2077864 +--- + librepo/checksum.c | 7 +++++-- + tests/test_checksum.c | 6 +++++- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/librepo/checksum.c b/librepo/checksum.c +index 6bba53c..d82cb5c 100644 +--- a/librepo/checksum.c ++++ b/librepo/checksum.c +@@ -18,6 +18,7 @@ + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + ++#define _POSIX_C_SOURCE 200809L + #include + #include + #include +@@ -217,16 +218,18 @@ lr_checksum_fd_compare(LrChecksumType type, + return FALSE; + } + +- time_t timestamp = -1; ++ long long timestamp = -1; + + if (caching) { + struct stat st; + if (fstat(fd, &st) == 0) { + timestamp = st.st_mtime; ++ timestamp *= 1000000000; //convert sec timestamp to nanosec timestamp ++ timestamp += st.st_mtim.tv_nsec; + } + } + +- _cleanup_free_ gchar *timestamp_str = g_strdup_printf("%lli", (long long)timestamp); ++ _cleanup_free_ gchar *timestamp_str = g_strdup_printf("%lli", timestamp); + const char *type_str = lr_checksum_type_to_str(type); + _cleanup_free_ gchar *timestamp_key = g_strconcat(XATTR_CHKSUM_PREFIX, "mtime", NULL); + _cleanup_free_ gchar *checksum_key = g_strconcat(XATTR_CHKSUM_PREFIX, type_str, NULL); +diff --git a/tests/test_checksum.c b/tests/test_checksum.c +index cd28cd1..548f588 100644 +--- a/tests/test_checksum.c ++++ b/tests/test_checksum.c +@@ -1,3 +1,4 @@ ++#define _POSIX_C_SOURCE 200809L + #define _GNU_SOURCE + #include + #include +@@ -150,7 +151,10 @@ START_TEST(test_cached_checksum_matches) + // stored timestamp matches the file mtime + ret = stat(filename, &st); + 
ck_assert_int_eq(ret, 0); +- mtime_str = g_strdup_printf("%lli", (long long) st.st_mtime); ++ long long timestamp = st.st_mtime; ++ timestamp *= 1000000000; //convert sec timestamp to nanosec timestamp ++ timestamp += st.st_mtim.tv_nsec; ++ mtime_str = g_strdup_printf("%lli", timestamp); + attr_ret = GETXATTR(filename, timestamp_key, &buf, sizeof(buf)-1); + ck_assert(attr_ret != -1); + buf[attr_ret] = 0; +-- +2.36.1 + diff --git a/SOURCES/0002-Fix-alloc-free-mismatches-from-covscan.patch b/SOURCES/0002-Fix-alloc-free-mismatches-from-covscan.patch new file mode 100644 index 0000000..bc78723 --- /dev/null +++ b/SOURCES/0002-Fix-alloc-free-mismatches-from-covscan.patch 
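Review bot: The nanosecond conversion added to lr_checksum_fd_compare (`timestamp *= 1000000000;` then `timestamp += st.st_mtim.tv_nsec;`) carries no comment explaining why the cache key needs that precision, and the same three lines are copied into tests/test_checksum.c. I would add above it `/* Cache key is mtime in ns: a file rewritten within the same second must not match the stored "mtime" xattr and reuse a stale checksum. */`. That rationale is inferred from the subject line and the key names, because the code that compares the stored value is outside the hunk. It would also help to state in the function's doc comment that the xattr cache is an optimisation keyed on file metadata, so a match is only as trustworthy as whoever can write that file's timestamps and attributes. The function body starts and ends outside the hunk.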
@@ -0,0 +1,296 @@ +From 493226f298b3d81e4b01d9f2c64a1cc2eb3049e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Hr=C3=A1zk=C3=BD?= +Date: Fri, 15 Jul 2022 17:16:12 +0200 +Subject: [PATCH] Fix alloc / free mismatches from covscan + +--- + librepo/checksum.c | 6 +++--- + librepo/downloader.c | 2 +- + librepo/lrmirrorlist.c | 2 +- + librepo/package_downloader.c | 2 +- + librepo/repoconf.c | 2 +- + librepo/repoutil_yum.c | 4 ++-- + librepo/util.c | 6 +++--- + tests/test_checksum.c | 4 ++-- + tests/test_gpg.c | 2 +- + tests/test_main.c | 2 +- + tests/test_util.c | 24 ++++++++++++------------ + 11 files changed, 28 insertions(+), 28 deletions(-) + +diff --git a/librepo/checksum.c b/librepo/checksum.c +index d82cb5c..4831ddc 100644 +--- a/librepo/checksum.c ++++ b/librepo/checksum.c +@@ -205,8 +205,6 @@ lr_checksum_fd_compare(LrChecksumType type, + gchar **calculated, + GError **err) + { +- _cleanup_free_ gchar *checksum = NULL; +- + assert(fd >= 0); + assert(!err || *err == NULL); + +@@ -262,7 +260,7 @@ lr_checksum_fd_compare(LrChecksumType type, + } + } + +- checksum = lr_checksum_fd(type, fd, err); ++ char *checksum = lr_checksum_fd(type, fd, err); + if (!checksum) + return FALSE; + +@@ -274,6 +272,7 @@ lr_checksum_fd_compare(LrChecksumType type, + } else { + g_set_error(err, LR_CHECKSUM_ERROR, LRE_FILE, + "fsync failed: %s", strerror(errno)); ++ lr_free(checksum); + return FALSE; + } + } +@@ -287,6 +286,7 @@ lr_checksum_fd_compare(LrChecksumType type, + if (calculated) + *calculated = g_strdup(checksum); + ++ lr_free(checksum); + return TRUE; + } + +diff --git a/librepo/downloader.c b/librepo/downloader.c +index f4e8ba2..84739a9 100644 +--- a/librepo/downloader.c ++++ b/librepo/downloader.c +@@ -1974,7 +1974,7 @@ list_of_checksums_to_str(GSList *checksums) + tmp = g_strconcat(expected, chksum->value, "(", + chtype_str ? 
chtype_str : "UNKNOWN", + ") ", NULL); +- free(expected); ++ g_free(expected); + expected = tmp; + } + +diff --git a/librepo/lrmirrorlist.c b/librepo/lrmirrorlist.c +index c7e51b3..91cdc4b 100644 +--- a/librepo/lrmirrorlist.c ++++ b/librepo/lrmirrorlist.c +@@ -156,7 +156,7 @@ lr_lrmirrorlist_append_metalink(LrInternalMirrorlist *list, + LrInternalMirror *mirror = lr_lrmirror_new(url_copy, urlvars); + mirror->preference = metalinkurl->preference; + mirror->protocol = lr_detect_protocol(mirror->url); +- lr_free(url_copy); ++ g_free(url_copy); + list = g_slist_append(list, mirror); + + //g_debug("%s: Appending URL: %s", __func__, mirror->url); +diff --git a/librepo/package_downloader.c b/librepo/package_downloader.c +index adea459..353cac8 100644 +--- a/librepo/package_downloader.c ++++ b/librepo/package_downloader.c +@@ -173,7 +173,7 @@ lr_packagetarget_free(LrPackageTarget *target) + if (!target) + return; + g_string_chunk_free(target->chunk); +- g_free(target); ++ lr_free(target); + } + + gboolean +diff --git a/librepo/repoconf.c b/librepo/repoconf.c +index 948259e..34dbab4 100644 +--- a/librepo/repoconf.c ++++ b/librepo/repoconf.c +@@ -146,7 +146,7 @@ lr_yum_repoconfs_free(LrYumRepoConfs *repos) + return; + g_slist_free_full(repos->repos, (GDestroyNotify) lr_yum_repoconf_free); + g_slist_free_full(repos->files, (GDestroyNotify) lr_yum_repofile_free); +- g_free(repos); ++ lr_free(repos); + } + + GSList * +diff --git a/librepo/repoutil_yum.c b/librepo/repoutil_yum.c +index 02e796f..bb09ff5 100644 +--- a/librepo/repoutil_yum.c ++++ b/librepo/repoutil_yum.c +@@ -105,11 +105,11 @@ lr_repoutil_yum_parse_repomd(const char *in_path, + if (fd < 0) { + g_set_error(err, LR_REPOUTIL_YUM_ERROR, LRE_IO, + "open(%s, O_RDONLY) error: %s", path, g_strerror(errno)); +- lr_free(path); ++ g_free(path); + return FALSE; + } + +- lr_free(path); ++ g_free(path); + + ret = lr_yum_repomd_parse_file(repomd, fd, NULL, NULL, err); + close(fd); +diff --git a/librepo/util.c b/librepo/util.c 
+index 8ba7120..204572d 100644 +--- a/librepo/util.c ++++ b/librepo/util.c +@@ -170,7 +170,7 @@ lr_gettmpdir(void) + { + char *template = g_build_filename(g_get_tmp_dir(), "librepo-tmpdir-XXXXXX", NULL); + if (!mkdtemp(template)) { +- lr_free(template); ++ g_free(template); + return NULL; + } + return template; +@@ -206,7 +206,7 @@ lr_pathconcat(const char *first, ...) + + qmark_section = strchr(first, '?'); + +- res = lr_malloc(total_len + separator_len + 1); ++ res = g_malloc(total_len + separator_len + 1); + + next = first; + va_start(args, first); +@@ -273,7 +273,7 @@ lr_pathconcat(const char *first, ...) + assert(offset <= total_len); + + if (offset == 0) { +- lr_free(res); ++ g_free(res); + return g_strdup(first); + } + +diff --git a/tests/test_checksum.c b/tests/test_checksum.c +index 548f588..264782c 100644 +--- a/tests/test_checksum.c ++++ b/tests/test_checksum.c +@@ -295,8 +295,8 @@ START_TEST(test_cached_checksum_clear) + cleanup: + close(fd); + lr_free(filename); +- lr_free(timestamp_key); +- lr_free(checksum_key); ++ g_free(timestamp_key); ++ g_free(checksum_key); + } + END_TEST + +diff --git a/tests/test_gpg.c b/tests/test_gpg.c +index fd322e3..0af423a 100644 +--- a/tests/test_gpg.c ++++ b/tests/test_gpg.c +@@ -110,7 +110,7 @@ START_TEST(test_gpg_check_signature) + lr_free(_data_path); + lr_free(signature_path); + lr_free(_signature_path); +- lr_free(tmp_home_path); ++ g_free(tmp_home_path); + } + END_TEST + +diff --git a/tests/test_main.c b/tests/test_main.c +index 1076062..b323ce5 100644 +--- a/tests/test_main.c ++++ b/tests/test_main.c +@@ -39,7 +39,7 @@ init_test_globals(struct TestGlobals_s *tg, const char *testdata_dir) + static void + free_test_globals(struct TestGlobals_s *tg) + { +- lr_free(tg->tmpdir); ++ g_free(tg->tmpdir); + lr_free(tg->testdata_dir); + } + +diff --git a/tests/test_util.c b/tests/test_util.c +index 595b0fe..d082445 100644 +--- a/tests/test_util.c ++++ b/tests/test_util.c +@@ -54,7 +54,7 @@ START_TEST(test_gettmpdir) + char 
*tmp_dir = lr_gettmpdir(); + ck_assert_ptr_nonnull(tmp_dir); + ck_assert_int_eq(rmdir(tmp_dir), 0); +- lr_free(tmp_dir); ++ g_free(tmp_dir); + } + END_TEST + +@@ -126,7 +126,7 @@ START_TEST(test_remove_dir) + ck_assert_int_eq(rc, 0); + ck_assert_int_ne(unlink(tmp_file), 0); + ck_assert_int_ne(rmdir(tmp_dir), 0); +- lr_free(tmp_dir); ++ g_free(tmp_dir); + lr_free(tmp_file); + } + END_TEST +@@ -141,61 +141,61 @@ START_TEST(test_url_without_path) + new_url = lr_url_without_path(""); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, ""); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("hostname"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "hostname"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("hostname/foo/bar/"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "hostname"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("hostname:80"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "hostname:80"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("hostname:80/foo/bar"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "hostname:80"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("http://hostname:80/"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "http://hostname:80"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("http://hostname:80/foo/bar"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "http://hostname:80"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("ftp://foo.hostname:80/foo/bar"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "ftp://foo.hostname:80"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + 
new_url = lr_url_without_path("file:///home/foobar"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "file://"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + + new_url = lr_url_without_path("file:/home/foobar"); + ck_assert_ptr_nonnull(new_url); + ck_assert_str_eq(new_url, "file://"); +- lr_free(new_url); ++ g_free(new_url); + new_url = NULL; + } + END_TEST +-- +2.37.1 + diff --git a/SOURCES/0003-More-covscan-fixes.patch b/SOURCES/0003-More-covscan-fixes.patch new file mode 100644 index 0000000..e18f3e8 --- /dev/null +++ b/SOURCES/0003-More-covscan-fixes.patch 
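Review bot: In lr_checksum_fd_compare the scoped `_cleanup_free_` on `checksum` is replaced by two hand-placed `lr_free(checksum)` calls, so any return added later between the `lr_checksum_fd()` call and the final `return TRUE` leaks the buffer; the function body extends beyond the hunks shown. An ownership comment at the declaration would make that explicit, e.g. `/* owned here (from lr_checksum_fd()); every exit below must lr_free() it */`. The same patch makes lr_gettmpdir() and lr_pathconcat() return GLib-allocated strings, and `*calculated = g_strdup(checksum)` does the same for the out-parameter, so I would document on those declarations that the result must be released with g_free(). The test context in the following patch still shows `lr_free(calculated);`, which looks like the same mismatch if that pointer comes from this function (the assignment is not visible here).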
@@ -0,0 +1,578 @@ +From 678803b825fea10e4915a300f0e2fc990b7c99fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Hr=C3=A1zk=C3=BD?= +Date: Thu, 21 Jul 2022 10:11:17 +0200 +Subject: [PATCH] More covscan fixes + +--- + librepo/metadata_downloader.c | 18 +++++++++--------- + librepo/metalink.c | 2 +- + librepo/repomd.c | 2 +- + librepo/xmlparser.c | 4 ++-- + librepo/xmlparser_internal.h | 2 +- + librepo/yum.c | 32 ++++++++++++++++---------------- + tests/test_checksum.c | 10 +++++----- + tests/test_downloader.c | 16 ++++++++-------- + tests/test_metalink.c | 18 +++++++++--------- + tests/test_mirrorlist.c | 6 +++--- + tests/test_util.c | 16 ++++++++-------- + 11 files changed, 63 insertions(+), 63 deletions(-) + +diff --git a/librepo/metadata_downloader.c b/librepo/metadata_downloader.c +index be6fe68..9e7d7e5 100644 +--- a/librepo/metadata_downloader.c ++++ b/librepo/metadata_downloader.c +@@ -192,7 +192,7 @@ handle_failure(LrMetadataTarget *target, + GSList **paths, + GError *err) + { +- lr_metadatatarget_append_error(target, err->message, NULL); ++ lr_metadatatarget_append_error(target, err->message); + fillInvalidationValues(fd_list, paths); + g_error_free(err); + } +@@ -221,13 +221,13 @@ create_repomd_xml_download_targets(GSList *targets, + handle = target->handle; + + if (!handle->urls && !handle->mirrorlisturl && !handle->metalinkurl) { +- lr_metadatatarget_append_error(target, "No LRO_URLS, LRO_MIRRORLISTURL nor LRO_METALINKURL specified", NULL); ++ lr_metadatatarget_append_error(target, "No LRO_URLS, LRO_MIRRORLISTURL nor LRO_METALINKURL specified"); + fillInvalidationValues(fd_list, paths); + continue; + } + + if (handle->repotype != LR_YUMREPO) { +- lr_metadatatarget_append_error(target, "Bad LRO_REPOTYPE specified", NULL); ++ lr_metadatatarget_append_error(target, "Bad LRO_REPOTYPE specified"); + fillInvalidationValues(fd_list, paths); + continue; + } +@@ -242,14 +242,14 @@ create_repomd_xml_download_targets(GSList *targets, + if 
(!lr_handle_prepare_internal_mirrorlist(handle, + handle->fastestmirror, + &err)) { +- lr_metadatatarget_append_error(target, "Cannot prepare internal mirrorlist: %s", err->message, NULL); ++ lr_metadatatarget_append_error(target, "Cannot prepare internal mirrorlist: %s", err->message); + fillInvalidationValues(fd_list, paths); + g_error_free(err); + continue; + } + + if (mkdir(handle->destdir, S_IRWXU) == -1 && errno != EEXIST) { +- lr_metadatatarget_append_error(target, "Cannot create tmpdir: %s %s", handle->destdir, g_strerror(errno), NULL); ++ lr_metadatatarget_append_error(target, "Cannot create tmpdir: %s %s", handle->destdir, g_strerror(errno)); + fillInvalidationValues(fd_list, paths); + g_error_free(err); + continue; +@@ -335,12 +335,12 @@ process_repomd_xml(GSList *targets, + handle->gnupghomedir = g_strdup(target->gnupghomedir); + + if (target->download_target->rcode != LRE_OK) { +- lr_metadatatarget_append_error(target, (char *) lr_strerror(target->download_target->rcode), NULL); ++ lr_metadatatarget_append_error(target, (char *) lr_strerror(target->download_target->rcode)); + goto fail; + } + + if (!lr_check_repomd_xml_asc_availability(handle, target->repo, fd_value, path->data, &error)) { +- lr_metadatatarget_append_error(target, error->message, NULL); ++ lr_metadatatarget_append_error(target, error->message); + g_error_free(error); + goto fail; + } +@@ -349,7 +349,7 @@ process_repomd_xml(GSList *targets, + ret = lr_yum_repomd_parse_file(target->repomd, fd_value, lr_xml_parser_warning_logger, + "Repomd xml parser", &error); + if (!ret) { +- lr_metadatatarget_append_error(target, "Parsing unsuccessful: %s", error->message, NULL); ++ lr_metadatatarget_append_error(target, "Parsing unsuccessful: %s", error->message); + g_error_free(error); + goto fail; + } +@@ -377,7 +377,7 @@ lr_metadata_download_cleanup(GSList *download_targets) + LrDownloadTarget *download_target = elem->data; + LrMetadataTarget *target = download_target->userdata; + if 
(download_target->err) +- lr_metadatatarget_append_error(target, download_target->err, NULL); ++ lr_metadatatarget_append_error(target, download_target->err); + + if (target->err != NULL) { + ret = FALSE; +diff --git a/librepo/metalink.c b/librepo/metalink.c +index 0f939de..1f839a9 100644 +--- a/librepo/metalink.c ++++ b/librepo/metalink.c +@@ -504,7 +504,7 @@ lr_metalink_parse_file(LrMetalink *metalink, + + // Parsing + +- ret = lr_xml_parser_generic(parser, pd, fd, &tmp_err); ++ ret = lr_xml_parser_generic(&parser, pd, fd, &tmp_err); + if (tmp_err) { + g_propagate_error(err, tmp_err); + goto err; +diff --git a/librepo/repomd.c b/librepo/repomd.c +index f0fd2ad..2905749 100644 +--- a/librepo/repomd.c ++++ b/librepo/repomd.c +@@ -570,7 +570,7 @@ lr_yum_repomd_parse_file(LrYumRepoMd *repomd, + + // Parsing + +- ret = lr_xml_parser_generic(parser, pd, fd, &tmp_err); ++ ret = lr_xml_parser_generic(&parser, pd, fd, &tmp_err); + if (tmp_err) + g_propagate_error(err, tmp_err); + +diff --git a/librepo/xmlparser.c b/librepo/xmlparser.c +index 793c272..88d16aa 100644 +--- a/librepo/xmlparser.c ++++ b/librepo/xmlparser.c +@@ -143,7 +143,7 @@ lr_xml_parser_strtoll(LrParserData *pd, + } + + gboolean +-lr_xml_parser_generic(XmlParser parser, ++lr_xml_parser_generic(XmlParser *parser, + LrParserData *pd, + int fd, + GError **err) +@@ -151,7 +151,7 @@ lr_xml_parser_generic(XmlParser parser, + /* Note: This function uses .err members of LrParserData! */ + + gboolean ret = TRUE; +- xmlParserCtxtPtr ctxt = xmlCreatePushParserCtxt(&parser, pd, NULL, 0, NULL); ++ xmlParserCtxtPtr ctxt = xmlCreatePushParserCtxt(parser, pd, NULL, 0, NULL); + ctxt->linenumbers = 1; + + assert(ctxt); +diff --git a/librepo/xmlparser_internal.h b/librepo/xmlparser_internal.h +index c9bacac..25a48a5 100644 +--- a/librepo/xmlparser_internal.h ++++ b/librepo/xmlparser_internal.h +@@ -159,7 +159,7 @@ lr_xml_parser_strtoll(LrParserData *pd, + /** Generic parser. 
+ */ + gboolean +-lr_xml_parser_generic(XmlParser parser, ++lr_xml_parser_generic(XmlParser *parser, + LrParserData *pd, + int fd, + GError **err); +diff --git a/librepo/yum.c b/librepo/yum.c +index 3b287cd..56bca3e 100644 +--- a/librepo/yum.c ++++ b/librepo/yum.c +@@ -335,7 +335,7 @@ lr_prepare_repodata_dir(LrHandle *handle, + return FALSE; + } + } +- lr_free(path_to_repodata); ++ g_free(path_to_repodata); + + return TRUE; + } +@@ -356,7 +356,7 @@ lr_store_mirrorlist_files(LrHandle *handle, + g_debug("%s: Cannot create: %s", __func__, ml_file_path); + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot create %s: %s", ml_file_path, g_strerror(errno)); +- lr_free(ml_file_path); ++ g_free(ml_file_path); + return FALSE; + } + rc = lr_copy_content(handle->mirrorlist_fd, fd); +@@ -366,7 +366,7 @@ lr_store_mirrorlist_files(LrHandle *handle, + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot copy content of mirrorlist file %s: %s", + ml_file_path, g_strerror(errno)); +- lr_free(ml_file_path); ++ g_free(ml_file_path); + return FALSE; + } + repo->mirrorlist = ml_file_path; +@@ -391,7 +391,7 @@ lr_copy_metalink_content(LrHandle *handle, + g_debug("%s: Cannot create: %s", __func__, ml_file_path); + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot create %s: %s", ml_file_path, g_strerror(errno)); +- lr_free(ml_file_path); ++ g_free(ml_file_path); + return FALSE; + } + rc = lr_copy_content(handle->metalink_fd, fd); +@@ -401,7 +401,7 @@ lr_copy_metalink_content(LrHandle *handle, + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot copy content of metalink file %s: %s", + ml_file_path, g_strerror(errno)); +- lr_free(ml_file_path); ++ g_free(ml_file_path); + return FALSE; + } + repo->metalink = ml_file_path; +@@ -422,7 +422,7 @@ lr_prepare_repomd_xml_file(LrHandle *handle, + if (fd == -1) { + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot open %s: %s", *path, g_strerror(errno)); +- lr_free(*path); ++ g_free(*path); + return -1; + } + +@@ -458,13 +458,13 @@ 
lr_check_repomd_xml_asc_availability(LrHandle *handle, + g_debug("%s: Cannot open: %s", __func__, signature); + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot open %s: %s", signature, g_strerror(errno)); +- lr_free(signature); ++ g_free(signature); + return FALSE; + } + + url = lr_pathconcat(handle->used_mirror, "repodata/repomd.xml.asc", NULL); + ret = lr_download_url(handle, url, fd_sig, &tmp_err); +- lr_free(url); ++ g_free(url); + close(fd_sig); + if (!ret) { + // Error downloading signature +@@ -474,7 +474,7 @@ lr_check_repomd_xml_asc_availability(LrHandle *handle, + "repository does not support GPG verification: %s", tmp_err->message); + g_clear_error(&tmp_err); + unlink(signature); +- lr_free(signature); ++ g_free(signature); + return FALSE; + } else { + // Signature downloaded +@@ -483,7 +483,7 @@ lr_check_repomd_xml_asc_availability(LrHandle *handle, + path, + handle->gnupghomedir, + &tmp_err); +- lr_free(signature); ++ g_free(signature); + if (!ret) { + g_debug("%s: GPG signature verification failed: %s", + __func__, tmp_err->message); +@@ -680,7 +680,7 @@ prepare_repo_download_std_target(LrHandle *handle, + __func__, *path, g_strerror(errno)); + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot create/open %s: %s", *path, g_strerror(errno)); +- lr_free(*path); ++ g_free(*path); + g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); + return FALSE; + } +@@ -713,7 +713,7 @@ prepare_repo_download_zck_target(LrHandle *handle, + __func__, *path, g_strerror(errno)); + g_set_error(err, LR_YUM_ERROR, LRE_IO, + "Cannot create/open %s: %s", *path, g_strerror(errno)); +- lr_free(*path); ++ g_free(*path); + g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); + return FALSE; + } +@@ -778,7 +778,7 @@ prepare_repo_download_targets(LrHandle *handle, + char *dest_dir = realpath(handle->destdir, NULL); + path = lr_pathconcat(handle->destdir, record->location_href, NULL); + char *requested_dir = realpath(dirname(path), NULL); +- 
lr_free(path); ++ g_free(path); + if (!g_str_has_prefix(requested_dir, dest_dir)) { + g_debug("%s: Invalid path: %s", __func__, location_href); + g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href); +@@ -850,7 +850,7 @@ prepare_repo_download_targets(LrHandle *handle, + + /* Because path may already exists in repo (while update) */ + lr_yum_repo_update(repo, record->type, path); +- lr_free(path); ++ g_free(path); + } + + return TRUE; +@@ -1130,7 +1130,7 @@ lr_yum_use_local_load_base(LrHandle *handle, + repo->mirrorlist = mrl_fn; + } else { + repo->mirrorlist = NULL; +- lr_free(mrl_fn); ++ g_free(mrl_fn); + } + } + +@@ -1142,7 +1142,7 @@ lr_yum_use_local_load_base(LrHandle *handle, + repo->metalink = mtl_fn; + } else { + repo->metalink = NULL; +- lr_free(mtl_fn); ++ g_free(mtl_fn); + } + } + +diff --git a/tests/test_checksum.c b/tests/test_checksum.c +index 264782c..efac88b 100644 +--- a/tests/test_checksum.c ++++ b/tests/test_checksum.c +@@ -87,7 +87,7 @@ START_TEST(test_checksum_fd) + test_checksum(file, LR_CHECKSUM_SHA512, CHKS_VAL_01_SHA512); + + ck_assert_msg(remove(file) == 0, "Cannot delete temporary test file"); +- lr_free(file); ++ g_free(file); + } + END_TEST + +@@ -235,9 +235,9 @@ START_TEST(test_cached_checksum_value) + ck_assert(attr_ret == -1); // Cached checksum should not exists + + lr_free(calculated); +- lr_free(filename); +- lr_free(timestamp_key); +- lr_free(checksum_key); ++ g_free(filename); ++ g_free(timestamp_key); ++ g_free(checksum_key); + lr_free(mtime_str); + } + END_TEST +@@ -294,7 +294,7 @@ START_TEST(test_cached_checksum_clear) + ck_assert(attr_ret != -1); + cleanup: + close(fd); +- lr_free(filename); ++ g_free(filename); + g_free(timestamp_key); + g_free(checksum_key); + } +diff --git a/tests/test_downloader.c b/tests/test_downloader.c +index 34958ab..a3fff20 100644 +--- a/tests/test_downloader.c ++++ b/tests/test_downloader.c +@@ -52,7 +52,7 @@ START_TEST(test_downloader_single_file) + tmpfn1 = 
lr_pathconcat(test_globals.tmpdir, "single_file_XXXXXX", NULL); + + fd1 = mkstemp(tmpfn1); +- lr_free(tmpfn1); ++ g_free(tmpfn1); + ck_assert_int_ge(fd1, 0); + + t1 = lr_downloadtarget_new(handle, "index.html", NULL, fd1, NULL, NULL, +@@ -97,7 +97,7 @@ START_TEST(test_downloader_single_file_2) + tmpfn1 = lr_pathconcat(test_globals.tmpdir, "single_file_2_XXXXXX", NULL); + + fd1 = mkstemp(tmpfn1); +- lr_free(tmpfn1); ++ g_free(tmpfn1); + ck_assert_int_ge(fd1, 0); + + t1 = lr_downloadtarget_new(NULL, "http://seznam.cz/index.html", NULL, +@@ -154,8 +154,8 @@ START_TEST(test_downloader_two_files) + + fd1 = mkstemp(tmpfn1); + fd2 = mkstemp(tmpfn2); +- lr_free(tmpfn1); +- lr_free(tmpfn2); ++ g_free(tmpfn1); ++ g_free(tmpfn2); + ck_assert_int_ge(fd1, 0); + ck_assert_int_ge(fd2, 0); + +@@ -223,9 +223,9 @@ START_TEST(test_downloader_three_files_with_error) + fd1 = mkstemp(tmpfn1); + fd2 = mkstemp(tmpfn2); + fd3 = mkstemp(tmpfn3); +- lr_free(tmpfn1); +- lr_free(tmpfn2); +- lr_free(tmpfn3); ++ g_free(tmpfn1); ++ g_free(tmpfn2); ++ g_free(tmpfn3); + ck_assert_int_ge(fd1, 0); + ck_assert_int_ge(fd2, 0); + ck_assert_int_ge(fd3, 0); +@@ -329,7 +329,7 @@ START_TEST(test_downloader_checksum) + tmpfn1 = lr_pathconcat(test_globals.tmpdir, "single_file_XXXXXX", NULL); + + fd1 = mkstemp(tmpfn1); +- lr_free(tmpfn1); ++ g_free(tmpfn1); + ck_assert_int_ge(fd1, 0); + + checksum = lr_downloadtargetchecksum_new(LR_CHECKSUM_SHA512, +diff --git a/tests/test_metalink.c b/tests/test_metalink.c +index e425742..1440125 100644 +--- a/tests/test_metalink.c ++++ b/tests/test_metalink.c +@@ -48,7 +48,7 @@ START_TEST(test_metalink_good_01) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_good_01", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -160,7 +160,7 @@ START_TEST(test_metalink_good_02) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + 
"metalink_good_02", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -206,7 +206,7 @@ START_TEST(test_metalink_good_03) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_good_03", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -250,7 +250,7 @@ START_TEST(test_metalink_bad_01) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_bad_01", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -371,7 +371,7 @@ START_TEST(test_metalink_bad_02) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_bad_02", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -395,7 +395,7 @@ START_TEST(test_metalink_really_bad_01) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_really_bad_01", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -419,7 +419,7 @@ START_TEST(test_metalink_really_bad_02) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_really_bad_02", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -443,7 +443,7 @@ START_TEST(test_metalink_really_bad_03) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_really_bad_03", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +@@ -470,7 +470,7 @@ 
START_TEST(test_metalink_with_alternates) + path = lr_pathconcat(test_globals.testdata_dir, METALINK_DIR, + "metalink_with_alternates", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_metalink_init(); + ck_assert_ptr_nonnull(ml); +diff --git a/tests/test_mirrorlist.c b/tests/test_mirrorlist.c +index cc00b7f..ec924b6 100644 +--- a/tests/test_mirrorlist.c ++++ b/tests/test_mirrorlist.c +@@ -35,7 +35,7 @@ START_TEST(test_mirrorlist_01) + path = lr_pathconcat(test_globals.testdata_dir, MIRRORLIST_DIR, + "mirrorlist_01", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_mirrorlist_init(); + ck_assert_ptr_nonnull(ml); +@@ -68,7 +68,7 @@ START_TEST(test_mirrorlist_02) + path = lr_pathconcat(test_globals.testdata_dir, MIRRORLIST_DIR, + "mirrorlist_02", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_mirrorlist_init(); + ck_assert_ptr_nonnull(ml); +@@ -92,7 +92,7 @@ START_TEST(test_mirrorlist_03) + path = lr_pathconcat(test_globals.testdata_dir, MIRRORLIST_DIR, + "mirrorlist_03", NULL); + fd = open(path, O_RDONLY); +- lr_free(path); ++ g_free(path); + ck_assert_int_ge(fd, 0); + ml = lr_mirrorlist_init(); + ck_assert_ptr_nonnull(ml); +diff --git a/tests/test_util.c b/tests/test_util.c +index d082445..96e82aa 100644 +--- a/tests/test_util.c ++++ b/tests/test_util.c +@@ -68,43 +68,43 @@ START_TEST(test_pathconcat) + path = lr_pathconcat("", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, ""); +- lr_free(path); ++ g_free(path); + path = NULL; + + path = lr_pathconcat("/tmp", "foo///", "bar", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "/tmp/foo/bar"); +- lr_free(path); ++ g_free(path); + path = NULL; + + path = lr_pathconcat("foo", "bar/", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "foo/bar"); +- lr_free(path); ++ g_free(path); + path = NULL; + + 
path = lr_pathconcat("foo", "/bar/", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "foo/bar"); +- lr_free(path); ++ g_free(path); + path = NULL; + + path = lr_pathconcat("foo", "bar", "", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "foo/bar/"); +- lr_free(path); ++ g_free(path); + path = NULL; + + path = lr_pathconcat("http://host.net", "path/to/somewhere", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "http://host.net/path/to/somewhere"); +- lr_free(path); ++ g_free(path); + path = NULL; + + path = lr_pathconcat("http://host.net?hello=1", "path/to/", "somewhere", NULL); + ck_assert_ptr_nonnull(path); + ck_assert_str_eq(path, "http://host.net/path/to/somewhere?hello=1"); +- lr_free(path); ++ g_free(path); + path = NULL; + } + END_TEST +@@ -127,7 +127,7 @@ START_TEST(test_remove_dir) + ck_assert_int_ne(unlink(tmp_file), 0); + ck_assert_int_ne(rmdir(tmp_dir), 0); + g_free(tmp_dir); +- lr_free(tmp_file); ++ g_free(tmp_file); + } + END_TEST + +-- +2.37.1 + diff --git a/SOURCES/0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch b/SOURCES/0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch new file mode 100644 index 0000000..b2c07e7 --- /dev/null +++ b/SOURCES/0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch 
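Review bot: Several call sites now pass a runtime string as the `format` argument of the variadic lr_metadatatarget_append_error(): `err->message` in handle_failure, `error->message` and `lr_strerror(...)` in process_repomd_xml, and `download_target->err` in lr_metadata_download_cleanup. Error text on this page is built from paths and `location_href` values, so a `%` may reach these messages and would then be parsed as a conversion with no matching argument, which is undefined behaviour; patch 0004 keeps the problem by handing `format` straight to g_strdup_vprintf(). These calls should use a literal format, e.g. `lr_metadatatarget_append_error(target, "%s", err->message);`. Separately, in the lr_xml_parser_generic hunk `ctxt->linenumbers = 1;` runs before `assert(ctxt);`, so a failed xmlCreatePushParserCtxt() is dereferenced before it is checked; the NULL test should come first and report an error through `err` rather than rely on assert.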
@@ -0,0 +1,51 @@
+From dc640e127f4c678c9dfbda776994972600d53e56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Hr=C3=A1zk=C3=BD?=
+Date: Tue, 16 Aug 2022 13:44:22 +0200
+Subject: [PATCH] Use g_strdup_vprintf() instead of manually calculating
+ allocation space
+
+Fixes an error introduced in d2508e206514bdbf841ee72f4971336766c16fe1 by
+removing trailing NULLs, on which the size calculation code was relying.
+
+Instead of this incosistent argument iteration, use g_strdup_vprintf(),
+which allocates the new string correctly.
+---
+ librepo/metadata_downloader.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/librepo/metadata_downloader.c b/librepo/metadata_downloader.c
+index 9e7d7e5..92a462b 100644
+--- a/librepo/metadata_downloader.c
++++ b/librepo/metadata_downloader.c
+@@ -98,26 +98,11 @@ void
+ lr_metadatatarget_append_error(LrMetadataTarget *target, char *format, ...)
+ {
+ va_list valist;
+- size_t length = strlen(format);
+- char *error_message = NULL;
+-
+- va_start(valist, format);
+- while (1) {
+- char *arg = va_arg(valist, char*);
+- if (arg == NULL)
+- break;
+-
+- length += strlen(arg);
+- }
+- length += RESERVE;
+- va_end(valist);
+-
+ va_start(valist, format);
+- error_message = malloc(length * sizeof(char));
+- vsnprintf(error_message, length, format, valist);
++ gchar *error_message = g_strdup_vprintf(format, valist);
+ va_end(valist);
+
+- target->err = g_list_append(target->err, (gpointer) error_message);
++ target->err = g_list_append(target->err, error_message);
+ }
+
+ static gboolean
+--
+2.37.1
+
diff --git a/SOURCES/0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch b/SOURCES/0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch
new file mode 100644
index 0000000..48deaa7
--- /dev/null
+++ b/SOURCES/0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch
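Review bot: `lr_metadatatarget_append_error()` now passes `format` straight to `g_strdup_vprintf()`, yet nothing in this hunk lets the compiler check the variadic arguments against the format string. The removed loop read every argument as a NULL-terminated run of `char *`, so call sites written for that convention may not match their conversions; the prototype and the callers are outside the hunk, so this is inferred. I would declare it with `G_GNUC_PRINTF(2, 3)` and take `const char *format`, so that `-Wformat` catches a mismatched or non-literal format at build time.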
@@ -0,0 +1,55 @@
+From a5305e7f957666c92040fa0134d69d9fbeb5db70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Hr=C3=A1zk=C3=BD?=
+Date: Tue, 16 Aug 2022 15:41:44 +0200
+Subject: [PATCH] Use g_list_free_full() to free LRMetadataTarget::err
+
+Fixes a memory leak where the char * items in the list were not freed.
+---
+ CMakeLists.txt | 2 +-
+ librepo.spec | 2 +-
+ librepo/metadata_downloader.c | 3 +--
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index a45d5c4..b4007e3 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -28,7 +28,7 @@ set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/cmake/Modules/")
+ # Find necessare libraries
+
+ FIND_PACKAGE(PkgConfig)
+-PKG_CHECK_MODULES(GLIB2 glib-2.0 REQUIRED)
++PKG_CHECK_MODULES(GLIB2 glib-2.0>=2.28 REQUIRED)
+ PKG_SEARCH_MODULE(LIBCRYPTO REQUIRED libcrypto openssl)
+ PKG_CHECK_MODULES(LIBXML2 libxml-2.0 REQUIRED)
+ FIND_PACKAGE(CURL 7.52.0 REQUIRED)
+diff --git a/librepo.spec b/librepo.spec
+index 5a733b2..88d6d6d 100644
+--- a/librepo.spec
++++ b/librepo.spec
+@@ -23,7 +23,7 @@ BuildRequires: cmake
+ BuildRequires: gcc
+ BuildRequires: check-devel
+ BuildRequires: doxygen
+-BuildRequires: pkgconfig(glib-2.0)
++BuildRequires: pkgconfig(glib-2.0) >= 2.28
+ BuildRequires: gpgme-devel
+ BuildRequires: libattr-devel
+ BuildRequires: libcurl-devel >= %{libcurl_version}
+diff --git a/librepo/metadata_downloader.c b/librepo/metadata_downloader.c
+index 92a462b..cda1e40 100644
+--- a/librepo/metadata_downloader.c
++++ b/librepo/metadata_downloader.c
+@@ -89,8 +89,7 @@ lr_metadatatarget_free(LrMetadataTarget *target)
+ if (!target)
+ return;
+ g_string_chunk_free(target->chunk);
+- if (target->err != NULL)
+- g_list_free(target->err);
++ g_list_free_full(target->err, g_free);
+ g_free(target);
+ }
+
+--
+2.37.1
+
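Review bot: `g_list_free_full(target->err, g_free)` is only safe if every element ever stored in `target->err` is a GLib-allocated string that the list owns, and nothing in the hunk documents that. Patch 0004 makes `lr_metadatatarget_append_error()` append `g_strdup_vprintf()` results, but any other producer of list entries (not visible here) that stores a literal or a shared pointer would now be freed. I would record the contract on the field, e.g. `/* GList of g_malloc'ed char* messages, owned by the target */`. The body of `lr_metadatatarget_free()` begins above the hunk.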
diff --git a/SOURCES/0006-Detailed-error-message-when-using-non-existing-TMPDI.patch b/SOURCES/0006-Detailed-error-message-when-using-non-existing-TMPDI.patch
new file mode 100644
index 0000000..2fc17a8
--- /dev/null
+++ b/SOURCES/0006-Detailed-error-message-when-using-non-existing-TMPDI.patch
@@ -0,0 +1,29 @@
+From a69522533248093c11f11f964a3d42cb08bf7822 Mon Sep 17 00:00:00 2001
+From: Jan Kolarik
+Date: Mon, 22 Aug 2022 08:18:04 +0200
+Subject: [PATCH] Detailed error message when using non-existing TMPDIR
+ (RhBug:2019993)
+
+= changelog =
+type: bugfix
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2019993
+---
+ librepo/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/librepo/util.c b/librepo/util.c
+index 204572d..f4aa512 100644
+--- a/librepo/util.c
++++ b/librepo/util.c
+@@ -158,7 +158,7 @@ lr_gettmpfile(void)
+ template = g_build_filename(g_get_tmp_dir(), "librepo-tmp-XXXXXX", NULL);
+ fd = mkstemp(template);
+ if (fd < 0) {
+- perror("Cannot create temporary file - mkstemp");
++ fprintf(stderr, "Cannot create temporary file - mkstemp '%s': %s\n", template, strerror(errno));
+ exit(1);
+ }
+ unlink(template);
+--
+2.37.1
+
diff --git a/SOURCES/0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch b/SOURCES/0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
new file mode 100644
index 0000000..69ccf77
--- /dev/null
+++ b/SOURCES/0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
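Review bot: The `mkstemp` failure branch in `lr_gettmpfile()` still prints to stderr and calls `exit(1)` from library code, so a `TMPDIR` pointing at a missing directory ends the host process rather than surfacing an error the caller can handle. The new message is more useful, but it would fit better routed through GLib logging, for instance `g_warning("Cannot create temporary file - mkstemp '%s': %s", template, g_strerror(errno));`, with the negative descriptor returned. Whether callers check for a negative return is not visible in this hunk, and the function continues past it, so that needs an audit first.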
@@ -0,0 +1,226 @@
+From 08f02ded6de50949fa4ba650fa562643278e5093 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 12 Oct 2023 15:55:43 +0200
+Subject: [PATCH] PGP: Set a default creation SELinux labels on GnuPG
+ directories
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is another way how to fix mismatching SELinux context on
+/run/user directories without moving the directories to
+/run/gnupg/user.
+
+librepo used to precreate the directory in /run/user to make sure
+a GnuPG agent executed by GPGME library places its socket there.
+
+The directories there are normally created and removed by systemd
+(logind PAM session). librepo created them for a case when a package
+manager is invoked out of systemd session, before the super user logs
+in. E.g. by a timer job to cache repository metadata.
+
+A problem was when this out-of-session process was a SELinux-confined
+process creating files with its own SELinux label different from a DNF
+program. Then the directory was created with a SELinux label different
+from the one expected by systemd and when logging out a corresponding
+user, the mismatching label clashed with systemd.
+
+This patch fixes the issue by choosing a SELinux label of those
+directories to the label defined in a default SELinux file context
+database.
+
+This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the
+new dependency on libselinux. A default behavior is to support SELinux
+only if GPGME backend is selected with -DUSE_GPGME=ON.
+
+https://issues.redhat.com/browse/RHEL-10720
+Signed-off-by: Petr Písař
+---
+ CMakeLists.txt | 8 ++++++
+ librepo.spec | 9 +++++-
+ librepo/CMakeLists.txt | 4 +++
+ librepo/gpg.c | 64 ++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 84 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b4007e3..1a107bc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -5,6 +5,7 @@ OPTION (ENABLE_TESTS "Build test?" ON)
+ OPTION (ENABLE_DOCS "Build docs?" ON)
+ OPTION (WITH_ZCHUNK "Build with zchunk support" ON)
+ OPTION (ENABLE_PYTHON "Build Python bindings" ON)
++OPTION (ENABLE_SELINUX "Restore SELinux labels on GnuPG directories" ON)
+
+ INCLUDE (${CMAKE_SOURCE_DIR}/VERSION.cmake)
+ SET (VERSION "${LIBREPO_MAJOR}.${LIBREPO_MINOR}.${LIBREPO_PATCH}")
+@@ -33,6 +34,9 @@ PKG_SEARCH_MODULE(LIBCRYPTO REQUIRED libcrypto openssl)
+ PKG_CHECK_MODULES(LIBXML2 libxml-2.0 REQUIRED)
+ FIND_PACKAGE(CURL 7.52.0 REQUIRED)
+ FIND_PACKAGE(Gpgme REQUIRED)
++IF (ENABLE_SELINUX)
++ PKG_CHECK_MODULES(SELINUX REQUIRED libselinux)
++ENDIF(ENABLE_SELINUX)
+
+
+ IF (WITH_ZCHUNK)
+@@ -63,6 +67,10 @@ ENDIF (NOT CURL_FOUND)
+ INCLUDE_DIRECTORIES(${LIBXML2_INCLUDE_DIRS})
+ INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIR})
+ #INCLUDE_DIRECTORIES(${CHECK_INCLUDE_DIR})
++IF (ENABLE_SELINUX)
++ INCLUDE_DIRECTORIES(${SELINUX_INCLUDE_DIRS})
++ ADD_DEFINITIONS(-DENABLE_SELINUX=1)
++ENDIF (ENABLE_SELINUX)
+
+ include (GNUInstallDirs)
+ # Python stuff
+diff --git a/librepo.spec b/librepo.spec
+index 88d6d6d..ae87425 100644
+--- a/librepo.spec
++++ b/librepo.spec
+@@ -8,6 +8,8 @@
+ %bcond_without zchunk
+ %endif
+
++%bcond_without selinux
++
+ %global dnf_conflict 2.8.8
+
+ Name: librepo
+@@ -29,6 +31,9 @@ BuildRequires: libattr-devel
+ BuildRequires: libcurl-devel >= %{libcurl_version}
+ BuildRequires: pkgconfig(libxml-2.0)
+ BuildRequires: pkgconfig(libcrypto)
++%if %{with selinux}
++BuildRequires: pkgconfig(libselinux)
++%endif
+ BuildRequires: pkgconfig(openssl)
+ %if %{with zchunk}
+ BuildRequires: pkgconfig(zck) >= 0.9.11
+@@ -66,7 +71,9 @@ Python 3 bindings for the librepo library.
+ %autosetup -p1
+
+ %build
+-%cmake %{!?with_zchunk:-DWITH_ZCHUNK=OFF}
++%cmake \
++ %{!?with_zchunk:-DWITH_ZCHUNK=OFF} \
++ -DENABLE_SELINUX=%{?with_selinux:ON}%{!?with_selinux:OFF}
+ %cmake_build
+
+ %check
+diff --git a/librepo/CMakeLists.txt b/librepo/CMakeLists.txt
+index 4f00a5e..e759692 100644
+--- a/librepo/CMakeLists.txt
++++ b/librepo/CMakeLists.txt
+@@ -53,6 +53,10 @@ TARGET_LINK_LIBRARIES(librepo
+ ${GPGME_VANILLA_LIBRARIES}
+ ${GLIB2_LIBRARIES}
+ )
++IF (ENABLE_SELINUX)
++ TARGET_LINK_LIBRARIES(librepo ${SELINUX_LIBRARIES})
++ENDIF(ENABLE_SELINUX)
++
+ IF (WITH_ZCHUNK)
+ TARGET_LINK_LIBRARIES(librepo ${ZCHUNKLIB_LIBRARIES})
+ ENDIF (WITH_ZCHUNK)
+diff --git a/librepo/gpg.c b/librepo/gpg.c
+index a134d44..e4b6589 100644
+--- a/librepo/gpg.c
++++ b/librepo/gpg.c
+@@ -28,6 +28,11 @@
+ #include
+ #include
+
++#if ENABLE_SELINUX
++#include
++#include
++#endif
++
+ #include "rcodes.h"
+ #include "util.h"
+ #include "gpg.h"
+@@ -44,6 +49,14 @@
+ * Previous solution was to send the agent a "KILLAGENT" message, but that
+ * would cause a race condition with calling gpgme_release(), see [2], [3].
+ *
++ * Current solution with precreating /run/user/$UID showed problematic when
++ * this library was used out of an systemd-logind session. Then
++ * /run/user/$UID, normally maintained by systemd, was assigned a SELinux
++ * label unexpected by systemd causing errors on a user logout [4].
++ *
++ * We remedy it by choosing the label according to a default file context
++ * policy (ENABLE_SELINUX macro).
++ *
+ * Since the agent doesn't clean up its sockets properly, by creating this
+ * directory we make sure they are in a place that is not causing trouble with
+ * container images.
+@@ -51,14 +64,65 @@
+ * [1] https://bugzilla.redhat.com/show_bug.cgi?id=1650266
+ * [2] https://bugzilla.redhat.com/show_bug.cgi?id=1769831
+ * [3] https://github.com/rpm-software-management/microdnf/issues/50
++ * [4] https://issues.redhat.com/browse/RHEL-10720
+ */
+ void ensure_socket_dir_exists() {
+ char dirname[32];
++#if ENABLE_SELINUX
++ char *old_default_context = NULL;
++ int old_default_context_was_retrieved = 0;
++ struct selabel_handle *labeling_handle = NULL;
++
++ /* A purpose of this piece of code is to deal with applications whose
++ * security policy overrides a file context for temporary files but don't
++ * know that librepo executes GnuPG which expects a default file context. */
++ if (0 == getfscreatecon(&old_default_context)) {
++ old_default_context_was_retrieved = 1;
++ } else {
++ g_debug("Failed to retrieve a default SELinux context");
++ }
++ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ if (labeling_handle == NULL) {
++ g_debug("Failed to open a SELinux labeling handle: %s", strerror(errno));
++ }
++#endif
++
+ snprintf(dirname, sizeof(dirname), "/run/user/%u", getuid());
++
++#if ENABLE_SELINUX
++ if (labeling_handle != NULL) {
++ char *new_default_context = NULL;
++ if (selabel_lookup(labeling_handle, &new_default_context, dirname, 0700)) {
++ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
++ * that value should be really defined in default file context
++ * SELinux policy. Only log that the policy is incomplete. */
+ g_debug("Failed to look up a default SELinux label for \"%s\"", dirname);
++ } else {
++ if (setfscreatecon(new_default_context)) {
++ g_debug("Failed to set default SELinux context to \"%s\"",
++ new_default_context);
++ }
++ freecon(new_default_context);
++ }
++ }
++#endif
++
+ int res = mkdir(dirname, 0700);
+ if (res != 0 && errno != EEXIST) {
+ g_debug("Failed to create \"%s\": %d - %s\n", dirname, errno, strerror(errno));
+ }
++
++#if ENABLE_SELINUX
++ if (labeling_handle != NULL) {
++ selabel_close(labeling_handle);
++ }
++ if (old_default_context_was_retrieved) {
++ if (setfscreatecon(old_default_context)) {
++ g_debug("Failed to restore a default SELinux context");
++ }
++ }
++ freecon(old_default_context);
++#endif
+ }
+
+ gboolean
+--
+2.41.0
+
diff --git a/SPECS/librepo.spec b/SPECS/librepo.spec
new file mode 100644
index 0000000..d0a5833
--- /dev/null
+++ b/SPECS/librepo.spec
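Review bot: In `ensure_socket_dir_exists()`, `setfscreatecon(new_default_context)` runs even when the earlier `getfscreatecon()` failed, and in that case the restore block at the end is skipped, so later file creations by the caller would keep the `/run/user/$UID` label. Guarding the lookup with `if (labeling_handle != NULL && old_default_context_was_retrieved) {` keeps the override and the restore paired. Separately, `selabel_lookup(..., dirname, 0700)` passes permission bits without a file-type bit, so the file-contexts match is not restricted to directory entries; `S_IFDIR | 0700` would describe what `mkdir()` is about to create. A failed restore is logged only with `g_debug`, which makes a lingering creation context hard to notice; `g_warning` would be more visible.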
@@ -0,0 +1,312 @@
+%global libcurl_version 7.52.0
+
+%undefine __cmake_in_source_build
+
+%if 0%{?rhel}
+%bcond_with zchunk
+%else
+%bcond_without zchunk
+%endif
+
+%bcond_without selinux
+
+%global dnf_conflict 2.8.8
+
+Name: librepo
+Version: 1.14.2
+Release: 5%{?dist}
+Summary: Repodata downloading library
+
+License: LGPLv2+
+URL: https://github.com/rpm-software-management/librepo
+Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+Patch0001: 0001-Use-nanosec-precision-for-timestamp-of-checksum-cach.patch
+Patch0002: 0002-Fix-alloc-free-mismatches-from-covscan.patch
+Patch0003: 0003-More-covscan-fixes.patch
+Patch0004: 0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch
+Patch0005: 0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch
+Patch0006: 0006-Detailed-error-message-when-using-non-existing-TMPDI.patch
+Patch0007: 0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
+
+BuildRequires: cmake
+BuildRequires: gcc
+BuildRequires: check-devel
+BuildRequires: doxygen
+BuildRequires: pkgconfig(glib-2.0)
+BuildRequires: gpgme-devel
+BuildRequires: libattr-devel
+BuildRequires: libcurl-devel >= %{libcurl_version}
+BuildRequires: pkgconfig(libxml-2.0)
+BuildRequires: pkgconfig(libcrypto)
+%if %{with selinux}
+BuildRequires: pkgconfig(libselinux)
+%endif
+BuildRequires: pkgconfig(openssl)
+%if %{with zchunk}
+BuildRequires: pkgconfig(zck) >= 0.9.11
+%endif
+Requires: libcurl%{?_isa} >= %{libcurl_version}
+
+%description
+A library providing C and Python (libcURL like) API to downloading repository
+metadata.
+
+%package devel
+Summary: Repodata downloading library
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+Development files for librepo.
+
+%package -n python3-%{name}
+Summary: Python 3 bindings for the librepo library
+%{?python_provide:%python_provide python3-%{name}}
+BuildRequires: python3-devel
+BuildRequires: python3-gpg
+BuildRequires: python3-pyxattr
+BuildRequires: python3-requests
+BuildRequires: python3-sphinx
+Requires: %{name}%{?_isa} = %{version}-%{release}
+# Obsoletes Fedora 27 package
+Obsoletes: platform-python-%{name} < %{version}-%{release}
+Conflicts: python3-dnf < %{dnf_conflict}
+
+%description -n python3-%{name}
+Python 3 bindings for the librepo library.
+
+%prep
+%autosetup -p1
+
+%build
+%cmake \
+ %{!?with_zchunk:-DWITH_ZCHUNK=OFF} \
+ -DENABLE_SELINUX=%{?with_selinux:ON}%{!?with_selinux:OFF}
+%cmake_build
+
+%check
+%ctest
+
+%install
+%cmake_install
+
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+%else
+%ldconfig_scriptlets
+%endif
+
+%files
+%license COPYING
+%doc README.md
+%{_libdir}/%{name}.so.*
+
+%files devel
+%{_libdir}/%{name}.so
+%{_libdir}/pkgconfig/%{name}.pc
+%{_includedir}/%{name}/
+
+%files -n python3-%{name}
+%{python3_sitearch}/%{name}/
+
+%changelog
+* Thu Oct 12 2023 Petr Pisar - 1.14.2-5
+- Set default SELinux labels on GnuPG directories (RHEL-10720)
+
+* Mon Sep 12 2022 Lukas Hrazky - 1.14.2-4
+- Fix termination of va_list in lr_metadatatarget_append_error()
+- Detailed error message when using non-existing TMPDIR
+
+* Mon Jul 25 2022 Lukas Hrazky - 1.14.2-3
+- Fix covscan issues
+
+* Tue Jul 12 2022 Lukas Hrazky - 1.14.2-2
+- Use nanosec precision for timestamp of checksum cache
+
+* Tue Nov 09 2021 Pavla Kratochvilova - 1.14.2-1
+- Update to 1.14.2
+- Reduce time to load metadata
+- Fix resource leaks and memory leaks
+- Remove build dependency on python3-flask
+
+* Fri Jun 25 2021 Marek Blaha - 1.14.0-2
+- Recover from fsync fail on read-only filesystem (RhBug:1956361)
+
+* Fri Apr 30 2021 Pavla Kratochvilova - 1.14.0-1
+- Update to 1.14.0
+- Fix the key string parsing in url_substitution
+- When zchunk enabled and not using HTTP/S protocol, download the whole file (RhBug:1886706)
+- Add an option LRO_SSLVERIFYSTATUS to check TLS certificate revocation status (using OCSP stapling) (RhBug:1814383)
+- Fix: lr_perform() - Avoid 100% CPU usage
+- Add support for working with certificates used with proxy
+- Reposync does not re-download unchanged packages (RhBug:1931904)
+- Fix memory leaks
+
+* Tue Dec 15 2020 Marek Blaha - 1.12.0-3
+- Add support for pkcs11 certificate and key for repository authorization (RhBug:1859495)
+
+* Mon Aug 17 2020 Ales Matej - 1.12.0-2
+- Validate paths read from repomd.xml (RhBug:1866505)
+
+* Wed Jun 03 2020 Nicola Sella - 1.12.0-1
+- Update to 1.12.0
+- Decode package URL when using for local filename (RhBug:1817130)
+- Fix memory leak in lr_download_metadata() and lr_yum_download_remote()
+- Download sources work when at least one of specified is working (RhBug:1775184)
+- Enable building on OSX
+
+* Fri Apr 03 2020 Ales Matej - 1.11.3-1
+ - Update to 1.11.3
+ - Prefer mirrorlist/metalink over baseurl (RhBug:1775184)
+ - Fix calling Python API without holding GIL (RhBug:1788918)
+ - Do not unref LrErr_Exception on exit (RhBug:1778854)
+
+* Fri Dec 06 2019 Lukas Hrazky - 1.11.0-2
+ - Create a directory for gpg sockets in /run/user/ (RhBug:1769831,1771012)
+
+* Tue Nov 12 2019 Ales Matej - 1.11.0-1
+ - Update to 1.11.0
+ - Retry mirrorlist/metalink downloads several times (RhBug:1741931)
+ - Improve variable substitutions in URLs and add ${variable} support
+
+* Tue Oct 22 2019 Ales Matej - 1.10.6-1
+- Update to 1.10.6
+- Imporove handling of xattr to re-download damadged files (RhBug:1690894)
+- Rephrase repository GPG check error message (RhBug:1741442)
+- Add sleep before next try when all mirrors were tried (RhBug:1741931)
+- Raise logging level of error messages (RhBug:1737709)
+- Handle webservers that don't support ranges when downloading zck
+- Define LRO_SUPPORTS_CACHEDIR only with zchunk (RhBug:1726141)
+- Allow to use mirrors multiple times for a target (RhBug:1678588)
+- Allow to try baseurl multiple times (RhBug:1678588)
+
+* Fri Sep 06 2019 Marek Blaha - 1.10.3-3
+- Backport patch: Fix: Verification of checksum from file attr
+
+* Wed Jul 31 2019 Pavla Kratochvilova - 1.10.3-2
+- Backport patch: Define LRO_SUPPORTS_CACHEDIR only with zchunk (RhBug:1726141,1719830)
+
+* Tue Jun 11 2019 Pavla Kratochvilova - 1.10.3-1
+- Update to 1.10.3
+- Exit gpg-agent after repokey import (RhBug:1650266)
+
+* Mon May 13 2019 Pavla Kratochvilova - 1.10.1-1
+- Update to 1.10.1
+- Reduce download delays
+- Add an option to preserve timestamps of the downloaded files (RhBug:1688537)
+- Append the '?' part of repo URL after the path
+- Fix memory leaks
+
+* Tue Sep 25 2018 Jaroslav Mracek - 1.9.2-1
+- Update to 1.9.2
+- Bug 1626495 - major performance regression with libcurl-7.61.1
+
+* Mon Aug 13 2018 Daniel Mach - 1.9.1-1
+- Update to 1.9.1
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.9.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 29 2018 Jaroslav Mracek - 1.9.0-3
+- Rebuilt for Python 3.7
+
+* Tue Jun 26 2018 Igor Gnatenko - 1.9.0-2
+- Fix ldconfig_scriptlets once more
+
+* Tue Jun 26 2018 Jaroslav Mracek - 1.9.0-1
+- Update to 1.9.0
+
+* Mon Jun 18 2018 Miro Hrončok - 1.8.1-9
+- Rebuilt for Python 3.7
+
+* Fri Jun 15 2018 Miro Hrončok - 1.8.1-8
+- Bootstrap for Python 3.7
+
+* Thu Feb 08 2018 Igor Gnatenko - 1.8.1-7
+- Add if conditionals around pyxattr
+
+* Wed Feb 07 2018 Iryna Shcherbina - 1.8.1-6
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Jan 31 2018 Igor Gnatenko - 1.8.1-5
+- Switch to %%ldconfig_scriptlets
+
+* Tue Nov 07 2017 Igor Gnatenko - 1.8.1-4
+- Use better Obsoletes for platform-python
+
+* Sat Nov 04 2017 Igor Gnatenko - 1.8.1-3
+- Fix typo in Obsoletes
+
+* Fri Nov 03 2017 Igor Gnatenko - 1.8.1-2
+- Remove platform-python subpackage
+
+* Fri Sep 15 2017 Igor Gnatenko - 1.8.1-1
+- Update to 1.8.1
+
+* Fri Sep 01 2017 Igor Gnatenko - 1.8.0-2
+- Disable platform python on old releases
+
+* Wed Aug 23 2017 Igor Gnatenko - 1.8.0-1
+- Update to 1.8.0
+
+* Fri Aug 18 2017 Tomas Orsava - 1.7.20-9
+- Added Patch 0 to fix a tearDown failure in the test suite
+
+* Thu Aug 10 2017 Petr Viktorin - 1.7.20-8
+- Add subpackage for platform-python (https://fedoraproject.org/wiki/Changes/Platform_Python_Stack)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.7.20-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1.7.20-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1.7.20-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Charalampos Stratakis - 1.7.20-4
+- Enable tests
+
+* Tue Dec 13 2016 Charalampos Stratakis - 1.7.20-3
+- Rebuild for Python 3.6
+- Disable tests for now
+
+* Sat Dec 10 2016 Igor Gnatenko - 1.7.20-2
+- Rebuild for gpgme 1.18
+
+* Thu Aug 25 2016 Tomas Mlcoch - 1.7.20-1
+- Tests: Disable test_download_packages_with_resume_02 test
+- Update build utils to match new fedora spec schema
+
+* Wed Aug 24 2016 Tomas Mlcoch - 1.7.19-1
+- Add yumrecord substitution mechanism (mluscon)
+- Fix a memory leak in signature verification (cwalters)
+
+* Tue Aug 09 2016 Igor Gnatenko - 1.7.18-4
+- Add %%{?system_python_abi}
+- Trim ton of changelog
+
+* Tue Jul 19 2016 Fedora Release Engineering - 1.7.18-3
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Apr 07 2016 Igor Gnatenko - 1.7.18-2
+- Adopt to new packaging guidelines
+- Cleanups in spec file
+
+* Fri Mar 4 2016 Tomas Mlcoch - 1.7.18-1
+- Add new option LRO_FTPUSEEPSV
+- Update AUTHORS
+- downloader prepare_next_transfer(): simplify long line
+- downloader prepare_next_transfer(): add missing error check
+- downloader prepare_next_transfer(): cleanup error path
+- downloader prepare_next_transfer() - fix memory leak on error path (Alan Jenkins)
+- handle: Don't use proxy cache for downloads of metalink/mirrorlist
+- handle: Don't set CURLOPT_HTTPHEADER into curl handle immediately when specified
+- downloader: Implement logic for no_cache param in LrDownloadTarget (RhBug: 1297762)
+- Add no_cache param to LrDownloadTarget and lr_downloadtarget_new()
+- New test: always try to download from the fastest mirror (Alexander Todorov)
+- Doc: Fixed minor doc typo (Philippe Ombredanne)
+- Doc: Other updates
+- Doc: Update default values in doc to reflect reality