From 952478b2ba1e8d0da12013ce4fb637713af8672d Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 26 Dec 2024 03:31:47 +0300
Subject: [PATCH] import p11-kit-0.25.3-3.el9_5
---
.gitignore | 5 +-
.p11-kit.metadata | 5 +-
SOURCES/001-static-analysis.patch | 298 ++++++++++++++++++
SOURCES/p11-kit-0.24.1.tar.xz.sig | Bin 566 -> 0 bytes
.../p11-kit-0.25.5-trust-file-length.patch | 73 +++++
SPECS/p11-kit.spec | 39 ++-
6 files changed, 407 insertions(+), 13 deletions(-)
create mode 100644 SOURCES/001-static-analysis.patch
delete mode 100644 SOURCES/p11-kit-0.24.1.tar.xz.sig
create mode 100644 SOURCES/p11-kit-0.25.5-trust-file-length.patch
diff --git a/.gitignore b/.gitignore
index cb51732..8c951cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
-SOURCES/p11-kit-0.24.1.tar.xz
+SOURCES/p11-kit-0.25.3.tar.xz
+SOURCES/p11-kit-0.25.3.tar.xz.sig
+SOURCES/p11-kit-release-keyring.gpg
diff --git a/.p11-kit.metadata b/.p11-kit.metadata
index c80beb8..e4756ad 100644
--- a/.p11-kit.metadata
+++ b/.p11-kit.metadata
@@ -1,2 +1,3 @@
-526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
-4d5c35c8c2d6ee12ed69ab58221d6d515c570089 SOURCES/p11-kit-0.24.1.tar.xz
+796f3b69cad054a52e04f520459beaaab936b99f SOURCES/p11-kit-0.25.3.tar.xz
+4133131840ef3f9609403fe391ce414878bcb9f1 SOURCES/p11-kit-0.25.3.tar.xz.sig
+6fecd5be3ee12d07f6f61a65e18523ee03e0f925 SOURCES/p11-kit-release-keyring.gpg
diff --git a/SOURCES/001-static-analysis.patch b/SOURCES/001-static-analysis.patch
new file mode 100644
index 0000000..a86486a
--- /dev/null
+++ b/SOURCES/001-static-analysis.patch
@@ -0,0 +1,298 @@ +From 58cd1c05e001a4fe250c15f3599e79974bc509e3 Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Thu, 16 Nov 2023 10:12:14 +0100 +Subject: [PATCH] Fix issues found by static analysis + +Signed-off-by: Zoltan Fridrich +--- + common/frob-getprogname.c | 4 ++-- + common/test.c | 4 +--- + p11-kit/generate-keypair.c | 25 +++++++++---------------- + p11-kit/import-object.c | 22 +++++----------------- + p11-kit/lists.c | 1 + + p11-kit/print-config.c | 4 +++- + p11-kit/rpc-client.c | 6 ++++-- + p11-kit/test-uri.c | 4 ++-- + trust/test-trust.c | 2 +- + 9 files changed, 28 insertions(+), 44 deletions(-) + +diff --git a/common/frob-getprogname.c b/common/frob-getprogname.c +index ead658cc8..46e3b7fd3 100644 +--- a/common/frob-getprogname.c ++++ b/common/frob-getprogname.c +@@ -76,14 +76,14 @@ main (int argc, + execv (BUILDDIR "/common/frob-getprogname" EXEEXT, args); + } else { + int status; +- char buffer[1024]; ++ char buffer[1024] = { 0 }; + size_t offset = 0; + ssize_t nread; + char *p; + + close (pfds[1]); + while (1) { +- nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset); ++ nread = read (pfds[0], buffer + offset, sizeof(buffer) - offset - 1); + if (nread < 0) { + perror ("read"); + exit (EXIT_FAILURE); +diff --git a/common/test.c b/common/test.c +index 3ed98da01..6cdbd1fa2 100644 +--- a/common/test.c ++++ b/common/test.c +@@ -272,7 +272,6 @@ p11_testx (void (* function) (void *), + test_item item = { TEST, }; + va_list va; + +- item.type = TEST; + item.x.test.func = function; + item.x.test.argument = argument; + +@@ -287,9 +286,8 @@ void + p11_fixture (void (* setup) (void *), + void (* teardown) (void *)) + { +- test_item item; ++ test_item item = { FIXTURE, }; + +- item.type = FIXTURE; + item.x.fix.setup = setup; + item.x.fix.teardown = teardown; + +diff --git a/p11-kit/generate-keypair.c b/p11-kit/generate-keypair.c +index 49dc11830..695103d1d 100644 +--- a/p11-kit/generate-keypair.c ++++ b/p11-kit/generate-keypair.c +@@ -351,7 
+351,7 @@ int + p11_kit_generate_keypair (int argc, + char *argv[]) + { +- int opt, ret = 2; ++ int opt, ret; + char *label = NULL; + CK_ULONG bits = 0; + const uint8_t *ec_params = NULL; +@@ -396,31 +396,27 @@ p11_kit_generate_keypair (int argc, + while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { + switch (opt) { + case opt_label: +- label = strdup (optarg); +- if (label == NULL) { +- p11_message (_("failed to allocate memory")); +- goto cleanup; +- } ++ label = optarg; + break; + case opt_type: + mechanism = get_mechanism (optarg); + if (mechanism.mechanism == CKA_INVALID) { + p11_message (_("unknown mechanism type: %s"), optarg); +- goto cleanup; ++ return 2; + } + break; + case opt_bits: + bits = strtol (optarg, NULL, 10); + if (bits == 0) { + p11_message (_("failed to parse bits value: %s"), optarg); +- goto cleanup; ++ return 2; + } + break; + case opt_curve: + ec_params = get_ec_params (optarg, &ec_params_len); + if (ec_params == NULL) { + p11_message (_("unknown curve name: %s"), optarg); +- goto cleanup; ++ return 2; + } + break; + case opt_login: +@@ -434,10 +430,9 @@ p11_kit_generate_keypair (int argc, + break; + case opt_help: + p11_tool_usage (usages, options); +- ret = 0; +- goto cleanup; ++ return 0; + case '?': +- goto cleanup; ++ return 2; + default: + assert_not_reached (); + break; +@@ -449,11 +444,11 @@ p11_kit_generate_keypair (int argc, + + if (argc != 1) { + p11_tool_usage (usages, options); +- goto cleanup; ++ return 2; + } + + if (!check_args (mechanism.mechanism, bits, ec_params)) +- goto cleanup; ++ return 2; + + #ifdef OS_UNIX + /* Register a fallback PIN callback that reads from terminal. 
+@@ -464,11 +459,9 @@ p11_kit_generate_keypair (int argc, + + ret = generate_keypair (*argv, label, mechanism, bits, ec_params, ec_params_len, login); + +-cleanup: + #ifdef OS_UNIX + p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL); + #endif +- free (label); + + return ret; + } +diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c +index 270a0e027..feee07659 100644 +--- a/p11-kit/import-object.c ++++ b/p11-kit/import-object.c +@@ -500,7 +500,7 @@ int + p11_kit_import_object (int argc, + char *argv[]) + { +- int opt, ret = 2; ++ int opt, ret; + char *label = NULL; + char *file = NULL; + bool login = false; +@@ -536,18 +536,10 @@ p11_kit_import_object (int argc, + while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { + switch (opt) { + case opt_label: +- label = strdup (optarg); +- if (label == NULL) { +- p11_message (_("failed to allocate memory")); +- goto cleanup; +- } ++ label = optarg; + break; + case opt_file: +- file = strdup (optarg); +- if (file == NULL) { +- p11_message (_("failed to allocate memory")); +- goto cleanup; +- } ++ file = optarg; + break; + case opt_login: + login = true; +@@ -574,12 +566,12 @@ p11_kit_import_object (int argc, + + if (argc != 1) { + p11_tool_usage (usages, options); +- goto cleanup; ++ return 2; + } + + if (file == NULL) { + p11_message (_("no file specified")); +- goto cleanup; ++ return 2; + } + + #ifdef OS_UNIX +@@ -595,10 +587,6 @@ p11_kit_import_object (int argc, + p11_kit_pin_unregister_callback ("tty", p11_pin_tty_callback, NULL); + #endif + +-cleanup: +- free (label); +- free (file); +- + return ret; + } + +diff --git a/p11-kit/lists.c b/p11-kit/lists.c +index df58beb3f..007bb0f12 100644 +--- a/p11-kit/lists.c ++++ b/p11-kit/lists.c +@@ -295,6 +295,7 @@ print_modules (void) + if (rv != CKR_OK) { + p11_message (_("couldn't load module info: %s"), + p11_kit_strerror (rv)); ++ p11_kit_modules_finalize_and_release (module_list); + return 1; + } + +diff --git a/p11-kit/print-config.c 
b/p11-kit/print-config.c +index 173b55feb..29daf3871 100644 +--- a/p11-kit/print-config.c ++++ b/p11-kit/print-config.c +@@ -74,8 +74,10 @@ print_config (void) + P11_PACKAGE_CONFIG_MODULES, + P11_SYSTEM_CONFIG_MODULES, + P11_USER_CONFIG_MODULES); +- if (modules_conf == NULL) ++ if (modules_conf == NULL) { ++ p11_dict_free (global_conf); + return 1; ++ } + + printf ("[global]\n"); + p11_dict_iterate (global_conf, &i); +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index fb39103eb..19b628b1a 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -173,6 +173,8 @@ call_done (rpc_client *module, + p11_rpc_message *msg, + CK_RV ret) + { ++ p11_buffer *buf; ++ + assert (module != NULL); + assert (msg != NULL); + +@@ -189,9 +191,9 @@ call_done (rpc_client *module, + + /* We used the same buffer for input/output, so this frees both */ + assert (msg->input == msg->output); +- p11_rpc_buffer_free (msg->input); +- ++ buf = msg->input; + p11_rpc_message_clear (msg); ++ p11_rpc_buffer_free (buf); + + return ret; + } +diff --git a/p11-kit/test-uri.c b/p11-kit/test-uri.c +index 32e8da703..18b7a108a 100644 +--- a/p11-kit/test-uri.c ++++ b/p11-kit/test-uri.c +@@ -1019,7 +1019,7 @@ test_uri_get_set_unrecognized (void) + static void + test_uri_match_token (void) + { +- CK_TOKEN_INFO token; ++ CK_TOKEN_INFO token = { 0 }; + P11KitUri *uri; + int ret; + +@@ -1056,7 +1056,7 @@ test_uri_match_token (void) + static void + test_uri_match_module (void) + { +- CK_INFO info; ++ CK_INFO info = { 0 }; + P11KitUri *uri; + int ret; + +diff --git a/trust/test-trust.c b/trust/test-trust.c +index 29b2797b5..3b27a1f31 100644 +--- a/trust/test-trust.c ++++ b/trust/test-trust.c +@@ -258,7 +258,7 @@ test_check_symlink_msg (const char *file, + if (asprintf (&filename, "%s/%s", directory, name) < 0) + assert_not_reached (); + +- if (readlink (filename, buf, sizeof (buf)) < 0) ++ if (readlink (filename, buf, sizeof (buf) - 1) < 0) + p11_test_fail (file, line, function, "Couldn't read 
symlink: %s", filename); + + if (strcmp (destination, buf) != 0) diff --git a/SOURCES/p11-kit-0.24.1.tar.xz.sig b/SOURCES/p11-kit-0.24.1.tar.xz.sig deleted file mode 100644 index bfc093a7692f3e40039a2f4a8deab7160234168e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0%7HW-~b8<5Y`2R zj@Raxaj2sY|9exNS+()9>7uSw+;C}vXJc8WK^f<4Wg4Y19YfDJ1ywxW)z#;lW@UCL?lmULiO_>uZC`i*4|y|s-%quUhVCk2 zB_|$(HwPs~|D`|n^o00L3MBe1fWrf5#}+QZ%(>xyz-bRoLJTs)gFy$M|7$p-w;+dqt^DHa2opxRzQ$WweDInelzrI EpIe9=Z2$lO diff --git a/SOURCES/p11-kit-0.25.5-trust-file-length.patch b/SOURCES/p11-kit-0.25.5-trust-file-length.patch new file mode 100644 index 0000000..d84f858 --- /dev/null +++ b/SOURCES/p11-kit-0.25.5-trust-file-length.patch 
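Review bot: The `readlink (filename, buf, sizeof (buf) - 1)` change in trust/test-trust.c reserves a byte for a terminator, but readlink(2) never writes one, so the `strcmp (destination, buf)` that follows is only safe if `buf` is zero-filled before the call or the returned length is used to terminate it; the declaration of `buf` is outside this hunk, so either confirm it is `= { 0 }` or keep the length: `ssize_t len = readlink (filename, buf, sizeof (buf) - 1);` / `if (len < 0) p11_test_fail (...);` / `buf[len] = '\0';`. In p11-kit/generate-keypair.c and p11-kit/import-object.c the new `label = optarg;` and `file = optarg;` make those pointers alias argv instead of owning heap memory, and the removed `cleanup:` labels drop the matching `free` calls, so a comment at each assignment, `/* points into argv; not owned, must not be freed */`, would keep a future maintainer from reintroducing a free. Both functions also now declare `int opt, ret;` without an initializer; on the visible paths every exit before `ret = generate_keypair (...)` returns a literal, so this holds only as long as no later early exit falls through to `return ret` (the assignment to `ret` in import-object.c is outside the hunk). The enclosing functions in all three files start and end outside this hunk.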
@@ -0,0 +1,73 @@ +From a8b94642dbe6d52aa7a7805fbb60b64c4cfd7245 Mon Sep 17 00:00:00 2001 +From: Zoltan Fridrich +Date: Thu, 3 Oct 2024 11:34:14 +0200 +Subject: [PATCH] trust: don't create file names longer then 255 + +Signed-off-by: Zoltan Fridrich +--- + trust/save.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/trust/save.c b/trust/save.c +index 057a9c5e3..acabcbf6d 100644 +--- a/trust/save.c ++++ b/trust/save.c +@@ -61,6 +61,8 @@ + #define O_DIRECTORY 0 + #endif + ++#define MAX_FILE_NAME 255 ++ + struct _p11_save_file { + char *bare; + char *extension; +@@ -414,12 +416,23 @@ make_unique_name (const char *bare, + p11_buffer buf; + int ret; + int i; ++ int bare_len, ext_len, diff; + + assert (bare != NULL); + assert (check != NULL); + + p11_buffer_init_null (&buf, 0); + ++ /* ++ * Make sure the name will not be longer then MAX_FILE_NAME ++ */ ++ bare_len = strlen (bare); ++ ext_len = extension ? strlen (extension) : 0; ++ diff = bare_len + ext_len + sizeof (unique) - MAX_FILE_NAME; ++ if (diff > 0) ++ bare_len -= diff; ++ return_val_if_fail (bare_len > 0, NULL); ++ + for (i = 0; true; i++) { + + p11_buffer_reset (&buf, 64); +@@ -431,7 +444,7 @@ make_unique_name (const char *bare, + * provided by the caller. + */ + case 0: +- p11_buffer_add (&buf, bare, -1); ++ p11_buffer_add (&buf, bare, bare_len); + break; + + /* +@@ -448,14 +461,14 @@ make_unique_name (const char *bare, + /* fall through */ + + default: +- p11_buffer_add (&buf, bare, -1); ++ p11_buffer_add (&buf, bare, bare_len); + snprintf (unique, sizeof (unique), ".%d", i); + p11_buffer_add (&buf, unique, -1); + break; + } + + if (extension) +- p11_buffer_add (&buf, extension, -1); ++ p11_buffer_add (&buf, extension, ext_len); + + return_val_if_fail (p11_buffer_ok (&buf), NULL); + diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec index 122f870..7705aa8 100644 --- a/SPECS/p11-kit.spec +++ b/SPECS/p11-kit.spec 
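Review bot: In trust/save.c `diff = bare_len + ext_len + sizeof (unique) - MAX_FILE_NAME;` is evaluated in `size_t` because of `sizeof`, so for every name shorter than the limit the subtraction wraps to a huge unsigned value that is then narrowed into `int diff`, and the `diff > 0` test only comes out false through implementation-defined conversion; the `int` declarations also silently narrow the `strlen` results. Keeping the arithmetic unsigned avoids both: declare `size_t bare_len, ext_len, total;` then `total = bare_len + ext_len + sizeof (unique);` and `if (total > MAX_FILE_NAME) bare_len -= total - MAX_FILE_NAME;`, with the existing `return_val_if_fail (bare_len > 0, NULL)` still guarding the degenerate case. Note that `sizeof (unique)` counts the NUL terminator, so the effective limit is one byte below MAX_FILE_NAME, and that the cut is byte-based, so if `bare` derives from a certificate label (the spec changelog says "long cert labels") the truncation may land inside a multibyte UTF-8 sequence; the result is still a valid-length file name, but a comment such as `/* byte-wise truncation; may split a multibyte character */` would make that explicit. `MAX_FILE_NAME` duplicates the POSIX `NAME_MAX` limit; using `NAME_MAX` from `<limits.h>` where it is defined, with 255 as the fallback, would tie it to the platform. The enclosing `make_unique_name` starts before and continues past this hunk.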
@@ -1,17 +1,20 @@ # This spec file has been automatically updated -Version: 0.24.1 -Release: 2%{?dist} +Version: 0.25.3 +Release: 3%{?dist} Name: p11-kit Summary: Library for loading and sharing PKCS#11 modules -License: BSD +License: BSD-3-Clause URL: http://p11-glue.freedesktop.org/p11-kit.html Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig -Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +Source2: https://p11-glue.github.io/p11-glue/p11-kit/p11-kit-release-keyring.gpg Source3: trust-extract-compat Source4: p11-kit-client.service +Patch: 001-static-analysis.patch +Patch: p11-kit-0.25.5-trust-file-length.patch + BuildRequires: gcc BuildRequires: libtasn1-devel >= 2.3 BuildRequires: libffi-devel @@ -23,6 +26,7 @@ BuildRequires: bash-completion # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147 # Remove this once it is fixed BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(systemd) BuildRequires: gnupg2 BuildRequires: /usr/bin/xsltproc @@ -44,8 +48,8 @@ developing applications that use %{name}. %package trust Summary: System trust module from %{name} Requires: %{name}%{?_isa} = %{version}-%{release} -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives +Requires(post): %{_sbindir}/alternatives +Requires(postun): %{_sbindir}/alternatives Conflicts: nss < 3.14.3-9 %description trust 
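Review bot: The new `Patch: p11-kit-0.25.5-trust-file-length.patch` line names a 0.25.5 patch while `Version: 0.25.3`, which reads as a mismatch to anyone auditing what this package carries; either rename the file to match the package version or add a comment above the line, `# backport of upstream a8b94642 (fixes long trust file names), see RHEL-64917`, so the provenance is clear without opening the patch. The two unnumbered `Patch:` tags rely on `%autosetup`/`%autopatch` in `%prep`, which is outside this hunk, so confirm they are actually applied. `Source2` now points at a downloaded keyring rather than a key file kept in git; its integrity rests on the SHA1 pinned in .p11-kit.metadata, and whether `%prep` still verifies Source1 against Source2 (the `gnupg2` BuildRequires remains) is also outside the hunk and worth checking.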
@@ -99,13 +103,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir} %post trust -%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ - %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 +%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 %postun trust if [ $1 -eq 0 ] ; then # package removal - %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so + %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so fi @@ -152,6 +155,24 @@ fi %changelog +* Fri Oct 25 2024 Zoltan Fridrich - 0.25.3-3 +- Fix regression in trust where file creation fails for long cert labels + Resolves: RHEL-64917 + +* Thu Nov 23 2023 Zoltan Fridrich - 0.25.3-2 +- Fix issues found by static analysis + Related: RHEL-14834 + +* Wed Nov 15 2023 Zoltan Fridrich - 0.25.3-1 +- Update to new upstream release 0.25.3 + Resolves: RHEL-14834 + +* Wed Nov 8 2023 Zoltan Fridrich - 0.25.2-1 +- Update to new upstream release 0.25.2 + Resolves: RHEL-14834 +- Add IBM specific mechanisms and attributes + Resolves: RHEL-10570 + * Tue Feb 1 2022 Daiki Ueno - 0.24.1-2 - Replace "black list" with "blocklist" in -trust subpackage description (#2026457)