diff --git a/.gitignore b/.gitignore
index baf56a9..217ac92 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/rpm-ostree-2024.3.tar.xz
+SOURCES/rpm-ostree-2024.7.tar.xz
diff --git a/.rpm-ostree.metadata b/.rpm-ostree.metadata
index 70ef8b8..46fc895 100644
--- a/.rpm-ostree.metadata
+++ b/.rpm-ostree.metadata
@@ -1 +1 @@
-dc6e0ea9f33f162b5ca2d1ea1cb79ec7f9f7d71c SOURCES/rpm-ostree-2024.3.tar.xz
+d9cceab814a10d116e41911a00ca5d5134715da1 SOURCES/rpm-ostree-2024.7.tar.xz
diff --git a/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch b/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
deleted file mode 100644
index ae137d0..0000000
--- a/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001 -From: Jonathan Lebon -Date: Thu, 22 Feb 2024 14:44:50 -0500 -Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe - -This is sometimes used in scripts to query aspects of the host system. -E.g. this is used by Fedora's pkg-config: - -https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6 - -This in turn gets hit by kdump which runs dracut which has modules that -runs `pkgconf` to query some directory paths. ---- - rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs -index c6ed5901..3332f76c 100644 ---- a/rust/src/cliwrap/rpm.rs -+++ b/rust/src/cliwrap/rpm.rs -@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command { - .long("version") - .action(clap::ArgAction::Version), - ) -+ .arg( -+ Arg::new("eval") -+ .long("eval") -+ .short('E') -+ .action(clap::ArgAction::Set), -+ ) - .arg( - Arg::new("package") - .help("package") -@@ -130,6 +136,19 @@ mod tests { - Ok(()) - } - -+ #[test] -+ fn test_eval() -> Result<()> { -+ assert_eq!( -+ disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?, -+ RunDisposition::Ok -+ ); -+ assert_eq!( -+ disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?, -+ RunDisposition::Ok -+ ); -+ Ok(()) -+ } -+ - #[test] - fn test_query_file() -> Result<()> { - assert_eq!( --- -2.43.2 - diff --git a/SOURCES/0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch b/SOURCES/0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch new file mode 100644 index 0000000..79b8567 --- /dev/null +++ b/SOURCES/0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch 
@@ -0,0 +1,33 @@ +From 96ddae1acba59cf5249dcfff1157e44b5ed69650 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Thu, 15 Aug 2024 11:41:43 -0400 +Subject: [PATCH 1/1] core: Fix Coverity WRAPPER_ESCAPE + +This should fix: + +``` +32. rpm-ostree-2024.7/src/libpriv/rpmostree-core.cxx:1786:15: use_after_free: Using internal representation of destroyed object temporary of type "std::string". +``` + +Signed-off-by: Colin Walters +--- + src/libpriv/rpmostree-core.cxx | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libpriv/rpmostree-core.cxx b/src/libpriv/rpmostree-core.cxx +index a2de7262..615e2636 100644 +--- a/src/libpriv/rpmostree-core.cxx ++++ b/src/libpriv/rpmostree-core.cxx +@@ -1782,7 +1782,8 @@ rpmostree_context_prepare (RpmOstreeContext *self, gboolean enable_filelists, + auto pkg = ""; + for (auto &pkg_str : packages) + { +- pkg = std::string (pkg_str).c_str (); ++ auto pkg_buf = std::string (pkg_str); ++ pkg = pkg_buf.c_str (); + char *query = strchr ((char *)pkg, '/'); + if (query) + { +-- +2.46.0 + diff --git a/SPECS/rpm-ostree.spec b/SPECS/rpm-ostree.spec index 6a25918..9cb0a99 100644 --- a/SPECS/rpm-ostree.spec +++ b/SPECS/rpm-ostree.spec @@ -3,15 +3,15 @@ Summary: Hybrid image/package system Name: rpm-ostree -Version: 2024.3 -Release: 1%{?dist} +Version: 2024.7 +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/coreos/rpm-ostree # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # in the upstream git. It also contains vendored Rust sources. Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz -Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch +Patch0: 0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch ExclusiveArch: %{rust_arches} 
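Review bot: In the backported hunk for rpmostree-core.cxx, `pkg` is still declared before the loop (`auto pkg = "";`) while its backing `pkg_buf` now lives only for one iteration, so after the loop `pkg` again points at a destroyed std::string; if rpmostree_context_prepare reads `pkg` past the loop — the function continues outside the hunk — the Coverity WRAPPER_ESCAPE finding is moved rather than fixed. Declaring the pointer next to its buffer, `const char *pkg = pkg_buf.c_str ();`, inside the loop body makes the paired lifetimes visible (the outer `auto pkg = "";` would then go if nothing else uses it). The `(char *)` cast on the `strchr` line discards const; if the code that follows writes through `query` it now mutates `pkg_buf`, which is correct, and a one-line comment saying so would spare the next reader from re-deriving it.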
@@ -231,6 +231,13 @@ $PYTHON autofiles.py > files.devel \ '%{_datadir}/gtk-doc/html/*' \ '%{_datadir}/gir-1.0/*-1.0.gir' +%post +# Only enable on rpm-ostree based systems and manually force unit enablement to +# explicitly ignore presets for this security fix +if [ -e /run/ostree-booted ]; then + ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/ +fi + %files -f files %doc COPYING.GPL COPYING.LGPL LICENSE README.md @@ -239,6 +246,33 @@ $PYTHON autofiles.py > files.devel \ %files devel -f files.devel %changelog +* Thu Aug 15 2024 Joseph Marrero - 2024.7-2 +- Backport https://github.com/coreos/rpm-ostree/pull/5051 + Resolves: #RHEL-53871 + +* Tue Aug 09 2024 Joseph Marrero - 2024.7-1 +- Rebase to 2024.7 + Resolves: #RHEL-53871 + +* Tue May 21 2024 Joseph Marrero - 2024.5-1 +- Rebase to 2024.6 + Resolves: #RHEL-29339 + +* Mon Apr 15 2024 Joseph Marrero - 2024.5-1 +- Rebase to 2024.5 + Adds fix for https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 + Resolves: #RHEL-30415 + +* Tue Apr 09 2024 Joseph Marrero - 2024.4-4 +- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 + +* Thu Mar 21 2024 Colin Walters - 2024.4-3 +- Backport patch to fix https://issues.redhat.com/browse/RHEL-29559 + +* Fri Mar 15 2024 Colin Walters - 2024.4-2 +- https://github.com/coreos/rpm-ostree/releases/tag/v2024.4 + Resolves: #RHEL-29339 + * Sun Feb 25 2024 Joseph Marrero - 2024.3-1 - https://github.com/coreos/rpm-ostree/releases/tag/v2024.3 Backport https://github.com/coreos/rpm-ostree/commit/fe586621e5014d14f92b913338171a02ed29e6cc
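Review bot: The new `%post` scriptlet runs `ln -snf` into `/usr/lib/systemd/system/multi-user.target.wants/` without ensuring that directory exists, and the symlink it creates is listed in no `%files` entry and removed by no `%preun`/`%postun`, so the unit enablement is invisible to `rpm -V` and survives package removal. Adding `mkdir -p /usr/lib/systemd/system/multi-user.target.wants` before the `ln -snf ...` line keeps the scriptlet from failing the transaction on a tree where the wants directory is absent; a matching `%preun` that removes the link when `$1 -eq 0` would keep uninstall clean. The target unit `rpm-ostree-fix-shadow-mode.service` is not referenced anywhere else in this diff, so I assume it is shipped by the 2024.7 tarball (the changelog ties this release to GHSA-2m76-cwhg-7wv6) — worth confirming it is installed by this package rather than a subpackage, otherwise the link dangles. The `/run/ostree-booted` gate presumably also holds during an rpm-ostree compose so that base images pick up the unit; if that is not the case the comment should say this only covers layered installs.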