import rpm-ostree-2024.7-2.el9

.gitignore

@@ -1 +1 @@
-SOURCES/rpm-ostree-2024.3.tar.xz
+SOURCES/rpm-ostree-2024.7.tar.xz

.rpm-ostree.metadata

@@ -1 +1 @@
-dc6e0ea9f33f162b5ca2d1ea1cb79ec7f9f7d71c SOURCES/rpm-ostree-2024.3.tar.xz
+d9cceab814a10d116e41911a00ca5d5134715da1 SOURCES/rpm-ostree-2024.7.tar.xz

SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch

@@ -1,56 +0,0 @@
-From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001
-From: Jonathan Lebon <jonathan@jlebon.com>
-Date: Thu, 22 Feb 2024 14:44:50 -0500
-Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe
-
-This is sometimes used in scripts to query aspects of the host system.
-E.g. this is used by Fedora's pkg-config:
-
-https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6
-
-This in turn gets hit by kdump which runs dracut which has modules that
-runs `pkgconf` to query some directory paths.
----
- rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs
-index c6ed5901..3332f76c 100644
---- a/rust/src/cliwrap/rpm.rs
-+++ b/rust/src/cliwrap/rpm.rs
-@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command {
-                 .long("version")
-                 .action(clap::ArgAction::Version),
-         )
-+        .arg(
-+            Arg::new("eval")
-+                .long("eval")
-+                .short('E')
-+                .action(clap::ArgAction::Set),
-+        )
-         .arg(
-             Arg::new("package")
-                 .help("package")
-@@ -130,6 +136,19 @@ mod tests {
-         Ok(())
-     }
- 
-+    #[test]
-+    fn test_eval() -> Result<()> {
-+        assert_eq!(
-+            disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?,
-+            RunDisposition::Ok
-+        );
-+        assert_eq!(
-+            disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?,
-+            RunDisposition::Ok
-+        );
-+        Ok(())
-+    }
-+
-     #[test]
-     fn test_query_file() -> Result<()> {
-         assert_eq!(
--- 
-2.43.2
-

SOURCES/0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch

@@ -0,0 +1,33 @@
+From 96ddae1acba59cf5249dcfff1157e44b5ed69650 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 15 Aug 2024 11:41:43 -0400
+Subject: [PATCH 1/1] core: Fix Coverity WRAPPER_ESCAPE
+
+This should fix:
+
+```
+32. rpm-ostree-2024.7/src/libpriv/rpmostree-core.cxx:1786:15: use_after_free: Using internal representation of destroyed object temporary of type "std::string".
+```
+
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ src/libpriv/rpmostree-core.cxx | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libpriv/rpmostree-core.cxx b/src/libpriv/rpmostree-core.cxx
+index a2de7262..615e2636 100644
+--- a/src/libpriv/rpmostree-core.cxx
++++ b/src/libpriv/rpmostree-core.cxx
+@@ -1782,7 +1782,8 @@ rpmostree_context_prepare (RpmOstreeContext *self, gboolean enable_filelists,
+           auto pkg = "";
+           for (auto &pkg_str : packages)
+             {
+-              pkg = std::string (pkg_str).c_str ();
++              auto pkg_buf = std::string (pkg_str);
++              pkg = pkg_buf.c_str ();
+               char *query = strchr ((char *)pkg, '/');
+               if (query)
+                 {
+-- 
+2.46.0
+

SPECS/rpm-ostree.spec

@@ -3,15 +3,15 @@
 
 Summary: Hybrid image/package system
 Name: rpm-ostree
-Version: 2024.3
+Version: 2024.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
 # in the upstream git.  It also contains vendored Rust sources.
 Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
 
-Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch
+Patch0: 0001-core-Fix-Coverity-WRAPPER_ESCAPE.patch
 
 ExclusiveArch: %{rust_arches}
 
@@ -231,6 +231,13 @@ $PYTHON autofiles.py > files.devel \
   '%{_datadir}/gtk-doc/html/*' \
   '%{_datadir}/gir-1.0/*-1.0.gir'
 
+%post
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
+
 %files -f files
 %doc COPYING.GPL COPYING.LGPL LICENSE README.md
 
@@ -239,6 +246,33 @@ $PYTHON autofiles.py > files.devel \
 %files devel -f files.devel
 
 %changelog
+* Thu Aug 15 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.7-2
+- Backport https://github.com/coreos/rpm-ostree/pull/5051
+  Resolves: #RHEL-53871
+
+* Tue Aug 09 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.7-1
+- Rebase to 2024.7
+  Resolves: #RHEL-53871
+
+* Tue May 21 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.5-1
+- Rebase to 2024.6
+  Resolves: #RHEL-29339
+
+* Mon Apr 15 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.5-1
+- Rebase to 2024.5
+  Adds fix for https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+  Resolves: #RHEL-30415
+
+* Tue Apr 09 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.4-4
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+
+* Thu Mar 21 2024 Colin Walters <walters@verbum.org> - 2024.4-3
+- Backport patch to fix https://issues.redhat.com/browse/RHEL-29559
+
+* Fri Mar 15 2024 Colin Walters <walters@verbum.org> - 2024.4-2
+- https://github.com/coreos/rpm-ostree/releases/tag/v2024.4
+  Resolves: #RHEL-29339
+
 * Sun Feb 25 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-1
 - https://github.com/coreos/rpm-ostree/releases/tag/v2024.3
   Backport https://github.com/coreos/rpm-ostree/commit/fe586621e5014d14f92b913338171a02ed29e6cc