From cf1ac7c7b72d54384285c0489a29c2047221a9b3 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Thu, 15 Jul 2021 14:30:26 +0800
Subject: [PATCH] remove recommends rpm-plugins-systemd-inhibit and backport community patches
---
 ...check-if-path-exists-fixes-dead-code.patch | 35 ++++
 ...-key-string-when-verifing-signatures.patch | 87 +++++++++
 Pass-the-package-to-rpmkeys-stdin.patch | 56 ++++++
 ...ch-ValueError-if-pkg-is-from-cmdline.patch | 25 +++
 ...g-rpm-sprintf-output-varies-too-much.patch | 51 +++++
 Use-rpmkeys-alone-to-verify-signature.patch | 174 ++++++++++++++++++
 ...kage-signature-with-_pkgverify_level.patch | 80 ++++++++
 dnf-rpm-miscutils.py-fix-usage-of-_.patch | 36 ++++
 dnf.spec | 27 ++-
 9 files changed, 566 insertions(+), 5 deletions(-)
 create mode 100644 Add-missing-check-if-path-exists-fixes-dead-code.patch
 create mode 100644 Check-for-specific-key-string-when-verifing-signatures.patch
 create mode 100644 Pass-the-package-to-rpmkeys-stdin.patch
 create mode 100644 Prevent-traceback-catch-ValueError-if-pkg-is-from-cmdline.patch
 create mode 100644 Remove-key-regex-matching-rpm-sprintf-output-varies-too-much.patch
 create mode 100644 Use-rpmkeys-alone-to-verify-signature.patch
 create mode 100644 Use-rpmkeys-to-verify-package-signature-with-_pkgverify_level.patch
 create mode 100644 dnf-rpm-miscutils.py-fix-usage-of-_.patch
diff --git a/Add-missing-check-if-path-exists-fixes-dead-code.patch b/Add-missing-check-if-path-exists-fixes-dead-code.patch
new file mode 100644
index 0000000..4552d75
--- /dev/null
+++ b/Add-missing-check-if-path-exists-fixes-dead-code.patch
@@ -0,0 +1,35 @@
+From e74a5fa5d23ab7903709faebf20449461d7c7575 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 12 Apr 2021 09:02:42 +0200
+Subject: [PATCH] Add missing check if path exists, fixes dead code
+
+CVE-2021-3445
+RhBug:1915990
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ dnf/rpm/miscutils.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 24456f3..235aaf2 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -30,12 +30,12 @@ logger = logging.getLogger('dnf')
+
+ def _verifyPkgUsingRpmkeys(package, installroot):
+ rpmkeys_binary = '/usr/bin/rpmkeys'
+- if not rpmkeys_binary:
++ if not os.path.isfile(rpmkeys_binary):
+ rpmkeys_binary = which("rpmkeys")
+ logger.info(_('Using rpmkeys executable from {path} to verify signature for package: {package}.').format(
+ path=rpmkeys_binary, package=package))
+
+- if not rpmkeys_binary:
++ if not os.path.isfile(rpmkeys_binary):
+ logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
+ return 0
+
+--
+1.8.3.1
+
diff --git a/Check-for-specific-key-string-when-verifing-signatures.patch b/Check-for-specific-key-string-when-verifing-signatures.patch
new file mode 100644
index 0000000..51897f3
--- /dev/null
+++ b/Check-for-specific-key-string-when-verifing-signatures.patch
@@ -0,0 +1,87 @@
+From 4268176cce2ca6e216dd543ce3bfae7f58b15b53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Tue, 30 Mar 2021 08:18:42 +0200
+Subject: [PATCH] Check for specific key string when verifing signatures
+
+Also improves handling of return values and exceptions.
+The function can't return 0 when the signature is malformed.
+
+Credit for the original patch goes to Demi Marie Obenour: @DemiMarie
+
+= changelog =
+msg: Check for specific key string when verifing signatures
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1915990
+
+CVE-2021-3445
+RhBug:1915990
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ dnf/rpm/miscutils.py | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 9038f98..07451bb 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -18,6 +18,7 @@ from __future__ import unicode_literals
+
+ import rpm
+ import os
++import re
+
+ from dnf.i18n import ucd
+
+@@ -30,7 +31,7 @@ def checkSig(ts, package):
+ return 3 if the key is not trusted
+ return 4 if the pkg is not gpg or pgp signed"""
+
+- value = 0
++ value = 4
+ currentflags = ts.setVSFlags(0)
+ fdno = os.open(package, os.O_RDONLY)
+ try:
+@@ -38,10 +39,12 @@ def checkSig(ts, package):
+ except rpm.error as e:
+ if str(e) == "public key not available":
+ value = 1
+- if str(e) == "public key not trusted":
++ elif str(e) == "public key not trusted":
+ value = 3
+- if str(e) == "error reading package header":
++ elif str(e) == "error reading package header":
+ value = 2
++ else:
++ raise ValueError('Unexpected error value %r from ts.hdrFromFdno when checking signature.' % str(e))
+ else:
+ # checks signature from an hdr
+ string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:' \
+@@ -49,17 +52,20 @@ def checkSig(ts, package):
+ try:
+ siginfo = hdr.sprintf(string)
+ siginfo = ucd(siginfo)
++ rpm_pgpsig_format_regex = re.compile(r'[0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}, Key ID [0-9a-f]{16}\Z')
++
+ if siginfo == '(none)':
+ value = 4
++ elif rpm_pgpsig_format_regex.search(siginfo):
++ value = 0
++ else:
++ raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
+ except UnicodeDecodeError:
+ pass
+
+ del hdr
+
+- try:
+- os.close(fdno)
+- except OSError as e: # if we're not opened, don't scream about it
+- pass
++ os.close(fdno)
+
+ ts.setVSFlags(currentflags) # put things back like they were before
+ return value
+--
+1.8.3.1
+
diff --git a/Pass-the-package-to-rpmkeys-stdin.patch b/Pass-the-package-to-rpmkeys-stdin.patch
new file mode 100644
index 0000000..455059d
--- /dev/null
+++ b/Pass-the-package-to-rpmkeys-stdin.patch
@@ -0,0 +1,56 @@
+From 134b095b0833956cadfc02a9a1e7ca1344cd5aaa Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Tue, 27 Apr 2021 21:07:19 -0400
+Subject: [PATCH] Pass the package to rpmkeys stdin
+
+This avoids having to compute the expected stdout value, which will
+always be the constant "-: digests signatures OK\n".
+---
+ dnf/rpm/miscutils.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 7e33d4c..5f2621c 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -29,7 +29,8 @@ from shutil import which
+ logger = logging.getLogger('dnf')
+
+
+-def _verifyPkgUsingRpmkeys(package, installroot):
++def _verifyPkgUsingRpmkeys(package, installroot, fdno):
++ os.lseek(fdno, 0, os.SEEK_SET)
+ rpmkeys_binary = '/usr/bin/rpmkeys'
+ if not os.path.isfile(rpmkeys_binary):
+ rpmkeys_binary = which("rpmkeys")
+@@ -40,15 +41,16 @@ def _verifyPkgUsingRpmkeys(package, installroot):
+ logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
+ return 0
+
+- args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '--', package)
++ args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
+ with subprocess.Popen(
+ args=args,
+ executable=rpmkeys_binary,
+ env={'LC_ALL': 'C'},
++ stdin=fdno,
+ stdout=subprocess.PIPE,
+ cwd='/') as p:
+ data, err = p.communicate()
+- if p.returncode != 0 or data != (package.encode('ascii', 'strict') + b': digests signatures OK\n'):
++ if p.returncode != 0 or data != b'-: digests signatures OK\n':
+ return 0
+ else:
+ return 1
+@@ -85,7 +87,7 @@ def checkSig(ts, package):
+
+ if siginfo == '(none)':
+ value = 4
+- elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
++ elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
+ value = 0
+ else:
+ raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
+--
+1.8.3.1
+
diff --git a/Prevent-traceback-catch-ValueError-if-pkg-is-from-cmdline.patch b/Prevent-traceback-catch-ValueError-if-pkg-is-from-cmdline.patch
new file mode 100644
index 0000000..a0b963d
--- /dev/null
+++ b/Prevent-traceback-catch-ValueError-if-pkg-is-from-cmdline.patch
@@ -0,0 +1,25 @@
+From 643780709fbc62a58da3f71d32ee3e7399a8cdcc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 29 Mar 2021 09:26:16 +0200
+Subject: [PATCH] Prevent traceback (catch ValueError) if pkg is from cmdline
+
+---
+ dnf/cli/cli.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnf/cli/cli.py b/dnf/cli/cli.py
+index c2c04c9..6576997 100644
+--- a/dnf/cli/cli.py
++++ b/dnf/cli/cli.py
+@@ -292,7 +292,7 @@ class BaseCli(dnf.Base):
+ fn = lambda x, y, z: self.output.userconfirm()
+ try:
+ self._get_key_for_package(po, fn)
+- except dnf.exceptions.Error as e:
++ except (dnf.exceptions.Error, ValueError) as e:
+ error_messages.append(str(e))
+
+ else:
+--
+1.8.3.1
+
diff --git a/Remove-key-regex-matching-rpm-sprintf-output-varies-too-much.patch b/Remove-key-regex-matching-rpm-sprintf-output-varies-too-much.patch
new file mode 100644
index 0000000..9d9c695
--- /dev/null
+++ b/Remove-key-regex-matching-rpm-sprintf-output-varies-too-much.patch
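Review bot: Catching bare `ValueError` around `self._get_key_for_package(po, fn)` in the cli.py hunk can report unrelated programming errors as key-handling messages, because the clause does not say which ValueError it expects. As far as the hunks on this page show, checkSig no longer raises ValueError once Use-rpmkeys-alone-to-verify-signature.patch is applied, so in the final tree this clause may catch only errors it was never meant for. A comment above it such as `# ValueError: raised by the signature check for packages given on the command line` would record the intent, and if nothing raises it any more, narrowing back to `except dnf.exceptions.Error as e:` is cleaner. The enclosing method starts and ends outside the hunk.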
@@ -0,0 +1,51 @@
+From a9b5c39787e97e9955e6de1c6f25da93bc0a4c02 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 12 Apr 2021 07:31:15 +0200
+Subject: [PATCH] Remove key regex matching, rpm sprintf output varies too much
+
+Depending on locale it can return:
+`RSA/SHA256, Fri 19 Feb 2021 12:14:18 AM CET, Key ID db4639719867c58f`
+vs
+`RSA/SHA256, Fri Feb 19 00:14:18 2021, Key ID db4639719867c58f`
+(with LC_ALL=C.UTF-8)
+
+We only check presence of the signature header to distinguish between
+signed and unsigned RPMs. The actual signature validation is done by
+calling rpmkeys in _verifyPkgUsingRpmkeys().
+
+CVE-2021-3445
+RhBug:1915990
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ dnf/rpm/miscutils.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 49d3717..24456f3 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -18,7 +18,6 @@ from __future__ import unicode_literals
+
+ import rpm
+ import os
+-import re
+ import subprocess
+ import logging
+
+@@ -82,11 +81,10 @@ def checkSig(ts, package):
+ try:
+ siginfo = hdr.sprintf(string)
+ siginfo = ucd(siginfo)
+- rpm_pgpsig_format_regex = re.compile(r'[0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}, Key ID [0-9a-f]{16}\Z')
+
+ if siginfo == '(none)':
+ value = 4
+- elif rpm_pgpsig_format_regex.search(siginfo) and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
++ elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
+ value = 0
+ else:
+ raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
+--
+1.8.3.1
+
diff --git a/Use-rpmkeys-alone-to-verify-signature.patch b/Use-rpmkeys-alone-to-verify-signature.patch
new file mode 100644
index 0000000..41b4d46
--- /dev/null
+++ b/Use-rpmkeys-alone-to-verify-signature.patch
@@ -0,0 +1,174 @@
+From a21880fbac479968546304beeeae3ed3bb899373 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Fri, 9 Apr 2021 13:03:03 -0400
+Subject: [PATCH] Use rpmkeys alone to verify signature
+
+This avoids having to actually parse the package to check its signature,
+which reduces attack surface. If the output of rpmkeys cannot be
+parsed, we assume the package is corrupt (the most likely cause).
+---
+ dnf/rpm/miscutils.py | 126 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 66 insertions(+), 60 deletions(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 5f2621c..9d5b286 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -13,47 +13,84 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ # Copyright 2003 Duke University
+
+-from __future__ import print_function, absolute_import
+-from __future__ import unicode_literals
++from __future__ import print_function, absolute_import, unicode_literals
+
+-import rpm
+ import os
+ import subprocess
+ import logging
+-
+-from dnf.i18n import ucd
+-from dnf.i18n import _
+ from shutil import which
+
++from dnf.i18n import _
+
+-logger = logging.getLogger('dnf')
++_logger = logging.getLogger('dnf')
++_rpmkeys_binary = None
+
++def _find_rpmkeys_binary():
++ global _rpmkeys_binary
++ if _rpmkeys_binary is None:
++ _rpmkeys_binary = which("rpmkeys")
++ _logger.debug(_('Using rpmkeys executable at %s to verify signatures'),
++ _rpmkeys_binary)
++ return _rpmkeys_binary
+
+-def _verifyPkgUsingRpmkeys(package, installroot, fdno):
+- os.lseek(fdno, 0, os.SEEK_SET)
+- rpmkeys_binary = '/usr/bin/rpmkeys'
+- if not os.path.isfile(rpmkeys_binary):
+- rpmkeys_binary = which("rpmkeys")
+- logger.info(_('Using rpmkeys executable from {path} to verify signature for package: {package}.').format(
+- path=rpmkeys_binary, package=package))
++def _process_rpm_output(data):
++ # No signatures or digests = corrupt package.
++ # There is at least one line for -: and another (empty) entry after the
++ # last newline.
++ if len(data) < 3 or data[0] != b'-:' or data[-1]:
++ return 2
++ seen_sig, missing_key, not_trusted, not_signed = False, False, False, False
++ for i in data[1:-1]:
++ if b': BAD' in i:
++ return 2
++ elif i.endswith(b': NOKEY'):
++ missing_key = True
++ elif i.endswith(b': NOTTRUSTED'):
++ not_trusted = True
++ elif i.endswith(b': NOTFOUND'):
++ not_signed = True
++ elif not i.endswith(b': OK'):
++ return 2
++ if not_trusted:
++ return 3
++ elif missing_key:
++ return 1
++ elif not_signed:
++ return 4
++ # we still check return code, so this is safe
++ return 0
+
+- if not os.path.isfile(rpmkeys_binary):
+- logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
+- return 0
++def _verifyPackageUsingRpmkeys(package, installroot):
++ rpmkeys_binary = _find_rpmkeys_binary()
++ if rpmkeys_binary is None or not os.path.isfile(rpmkeys_binary):
++ _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
++ return 2
+
+- args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
++ # "--define=_pkgverify_level all" enforces signature checking;
++ # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
++ # are checked.
++ args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
++ '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
++ '-')
+ with subprocess.Popen(
+ args=args,
+ executable=rpmkeys_binary,
+ env={'LC_ALL': 'C'},
+- stdin=fdno,
+ stdout=subprocess.PIPE,
+- cwd='/') as p:
+- data, err = p.communicate()
+- if p.returncode != 0 or data != b'-: digests signatures OK\n':
+- return 0
+- else:
+- return 1
++ cwd='/',
++ stdin=package) as p:
++ data = p.communicate()[0]
++ returncode = p.returncode
++ if type(returncode) is not int:
++ raise AssertionError('Popen set return code to non-int')
++ # rpmkeys can return something other than 0 or 1 in the case of a
++ # fatal error (OOM, abort() called, SIGSEGV, etc)
++ if returncode >= 2 or returncode < 0:
++ return 2
++ ret = _process_rpm_output(data.split(b'\n'))
++ if ret:
++ return ret
++ return 2 if returncode else 0
+
+ def checkSig(ts, package):
+ """Takes a transaction set and a package, check it's sigs,
+@@ -63,40 +100,9 @@ def checkSig(ts, package):
+ return 3 if the key is not trusted
+ return 4 if the pkg is not gpg or pgp signed"""
+
+- value = 4
+- currentflags = ts.setVSFlags(0)
+- fdno = os.open(package, os.O_RDONLY)
++ fdno = os.open(package, os.O_RDONLY|os.O_NOCTTY|os.O_CLOEXEC)
+ try:
+- hdr = ts.hdrFromFdno(fdno)
+- except rpm.error as e:
+- if str(e) == "public key not available":
+- value = 1
+- elif str(e) == "public key not trusted":
+- value = 3
+- elif str(e) == "error reading package header":
+- value = 2
+- else:
+- raise ValueError('Unexpected error value %r from ts.hdrFromFdno when checking signature.' % str(e))
+- else:
+- # checks signature from an hdr
+- string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:' \
+- '{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
+- try:
+- siginfo = hdr.sprintf(string)
+- siginfo = ucd(siginfo)
+-
+- if siginfo == '(none)':
+- value = 4
+- elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
+- value = 0
+- else:
+- raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
+- except UnicodeDecodeError:
+- pass
+-
+- del hdr
+-
+- os.close(fdno)
+-
+- ts.setVSFlags(currentflags) # put things back like they were before
++ value = _verifyPackageUsingRpmkeys(fdno, ts.ts.rootDir)
++ finally:
++ os.close(fdno)
+ return value
+--
+1.8.3.1
+
diff --git a/Use-rpmkeys-to-verify-package-signature-with-_pkgverify_level.patch b/Use-rpmkeys-to-verify-package-signature-with-_pkgverify_level.patch
new file mode 100644
index 0000000..db2c817
--- /dev/null
+++ b/Use-rpmkeys-to-verify-package-signature-with-_pkgverify_level.patch
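Review bot: `_find_rpmkeys_binary()` resolves the verifier with `which("rpmkeys")` only, so the program that decides whether a package signature is valid is whatever the caller's PATH yields, whereas the lines it replaces tried the fixed `/usr/bin/rpmkeys` first. If dnf can be started with a PATH that is not fully trusted, that weakens the check, so I would keep the absolute path as the first choice, e.g. `_rpmkeys_binary = '/usr/bin/rpmkeys' if os.path.isfile('/usr/bin/rpmkeys') else which("rpmkeys")`. Separately, `seen_sig` in `_process_rpm_output` is assigned and never read: a result of 0 does not require that any signature line was seen and relies on the `_pkgverify_level all` define plus the exit status, as the comment `# we still check return code, so this is safe` hints. Either drop the variable or state that dependency in a docstring on `_process_rpm_output`, together with the meaning of the return codes 1 to 4.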
@@ -0,0 +1,80 @@
+From 4747e369c1b5b406688ff0be5447ebd0c29575a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Tue, 30 Mar 2021 08:19:37 +0200
+Subject: [PATCH] Use rpmkeys to verify package signature with _pkgverify_level
+
+rpm doesn't provide any API how to check package signature with
+_pkgverify_level signature therefore we call rpmkeys binary.
+
+Credit for the original patch goes to Demi Marie Obenour: @DemiMarie
+
+= changelog =
+msg: Use rpmkeys binary to verify package signature
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1915990
+
+CVE-2021-3445
+RhBug:1915990
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ dnf/rpm/miscutils.py | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 07451bb..49d3717 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -19,10 +19,40 @@ from __future__ import unicode_literals
+ import rpm
+ import os
+ import re
++import subprocess
++import logging
+
+ from dnf.i18n import ucd
++from shutil import which
+
+
++logger = logging.getLogger('dnf')
++
++
++def _verifyPkgUsingRpmkeys(package, installroot):
++ rpmkeys_binary = '/usr/bin/rpmkeys'
++ if not rpmkeys_binary:
++ rpmkeys_binary = which("rpmkeys")
++ logger.info(_('Using rpmkeys executable from {path} to verify signature for package: {package}.').format(
++ path=rpmkeys_binary, package=package))
++
++ if not rpmkeys_binary:
++ logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
++ return 0
++
++ args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '--', package)
++ with subprocess.Popen(
++ args=args,
++ executable=rpmkeys_binary,
++ env={'LC_ALL': 'C'},
++ stdout=subprocess.PIPE,
++ cwd='/') as p:
++ data, _ = p.communicate()
++ if p.returncode != 0 or data != (package.encode('ascii', 'strict') + b': digests signatures OK\n'):
++ return 0
++ else:
++ return 1
++
+ def checkSig(ts, package):
+ """Takes a transaction set and a package, check it's sigs,
+ return 0 if they are all fine
+@@ -56,7 +86,7 @@ def checkSig(ts, package):
+
+ if siginfo == '(none)':
+ value = 4
+- elif rpm_pgpsig_format_regex.search(siginfo):
++ elif rpm_pgpsig_format_regex.search(siginfo) and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
+ value = 0
+ else:
+ raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
+--
+1.8.3.1
+
diff --git a/dnf-rpm-miscutils.py-fix-usage-of-_.patch b/dnf-rpm-miscutils.py-fix-usage-of-_.patch
new file mode 100644
index 0000000..97605c4
--- /dev/null
+++ b/dnf-rpm-miscutils.py-fix-usage-of-_.patch
@@ -0,0 +1,36 @@
+From 8823feb5f42f8c579fdab80d9e22112b88d0ad2b Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Tue, 4 May 2021 22:03:30 +0200
+Subject: [PATCH] dnf/rpm/miscutils.py: fix usage of _()
+
+Specifically:
+- an import of _ was missing
+- _ was reused for a different purpose
+---
+ dnf/rpm/miscutils.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
+index 235aaf2..7e33d4c 100644
+--- a/dnf/rpm/miscutils.py
++++ b/dnf/rpm/miscutils.py
+@@ -22,6 +22,7 @@ import subprocess
+ import logging
+
+ from dnf.i18n import ucd
++from dnf.i18n import _
+ from shutil import which
+
+
+@@ -46,7 +47,7 @@ def _verifyPkgUsingRpmkeys(package, installroot):
+ env={'LC_ALL': 'C'},
+ stdout=subprocess.PIPE,
+ cwd='/') as p:
+- data, _ = p.communicate()
++ data, err = p.communicate()
+ if p.returncode != 0 or data != (package.encode('ascii', 'strict') + b': digests signatures OK\n'):
+ return 0
+ else:
+--
+1.8.3.1
+
diff --git a/dnf.spec b/dnf.spec
index 10ba94d..18251db 100644
--- a/dnf.spec
+++ b/dnf.spec
@@ -1,14 +1,23 @@ %global py3pluginpath %{python3_sitelib}/%{name}-plugins +%global relate_libdnf_version 0.48.0-3 Name: dnf Version: 4.2.23 -Release: 5 +Release: 6 Summary: A software package manager that manages packages on Linux distributions. License: GPLv2+ and GPLv2 and GPL URL: https://github.com/rpm-software-management/dnf Source0: https://github.com/rpm-software-management/dnf/archive/%{version}/%{name}-%{version}.tar.gz Patch0: Fix-module-remove-all-when-no-match.patch +Patch1: Prevent-traceback-catch-ValueError-if-pkg-is-from-cmdline.patch +Patch2: Check-for-specific-key-string-when-verifing-signatures.patch +Patch3: Use-rpmkeys-to-verify-package-signature-with-_pkgverify_level.patch +Patch4: Remove-key-regex-matching-rpm-sprintf-output-varies-too-much.patch +Patch5: Add-missing-check-if-path-exists-fixes-dead-code.patch +Patch6: dnf-rpm-miscutils.py-fix-usage-of-_.patch +Patch7: Pass-the-package-to-rpmkeys-stdin.patch +Patch8: Use-rpmkeys-alone-to-verify-signature.patch BuildArch: noarch BuildRequires: cmake gettext systemd bash-completion python3-sphinx 
@@ -43,12 +52,12 @@ It supports RPMs, modules and comps groups & environments. Summary: Python 3 interface to DNF %{?python_provide:%python_provide python3-%{name}} BuildRequires: python3-devel python3-hawkey >= 0.48.0 python3-libdnf >= 0.48.0 -BuildRequires: python3-libcomps >= 0.1.8 python3-libdnf libmodulemd >= 1.4.0 +BuildRequires: python3-libcomps >= 0.1.8 libmodulemd >= 1.4.0 BuildRequires: python3-nose python3-gpg python3-rpm >= 4.14.0 Requires: python3-gpg %{name}-data = %{version}-%{release} libmodulemd >= 1.4.0 -Requires: python3-hawkey >= 0.48.0 python3-libdnf >= 0.48.0 -Requires: python3-libcomps >= 0.1.8 python3-libdnf python3-rpm >= 4.14.0 -Recommends: python3-unbound rpm-plugin-systemd-inhibit +Requires: python3-hawkey >= 0.48.0 python3-libdnf >= %{relate_libdnf_version} +Requires: python3-libcomps >= 0.1.8 python3-rpm >= 4.14.0 +Recommends: python3-unbound Obsoletes: python2-%{name} %description -n python3-%{name} @@ -199,6 +208,14 @@ popd %{_mandir}/man8/%{name}-automatic.8* %changelog +* Thu Jul 15 2021 gaihuiying - 4.2.23-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:remove recommends rpm-plugins-systemd-inhibit + backport community patches and fix CVE-2021-3445 + delete duplicate python3-libdnf dependency + * Tue Mar 30 2021 gaihuiying - 4.2.23-5 - Type:bugfix - ID:NA
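Review bot: The `Requires:` lines of the python3 subpackage still name only `python3-rpm >= 4.14.0`, while the backported dnf/rpm/miscutils.py now runs the `rpmkeys` executable with `--define=_pkgverify_level all`, `--define=_pkgverify_flags 0x0` and `-` for stdin. When the binary is missing the new code returns the failure code 2, so every signature check would fail; please confirm that the package shipping `rpmkeys` is pulled in at a version that understands these options, and add an explicit `Requires:` if it is only implied today. In the %changelog hunk the new entry says `Type:bugfix` and `ID:NA` although its DESC names CVE-2021-3445; putting the CVE into `ID:` keeps the fix findable for vulnerability tracking.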