!65 [sync] PR-63: Revert a does not work judge function

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

0001-cms_common-Fixed-Segmentation-fault.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Mon, 20 Feb 2023 15:26:20 +0100
+Subject: [PATCH] cms_common: Fixed Segmentation fault
+
+When running efikeygen, the binary crashes with a segfault due
+to dereferencing a **ptr instead of a *ptr.
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+(cherry picked from commit 227435af461f38fc4abeafe02884675ad4b1feb4)
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 24576f2..89d946a 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -956,7 +956,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
+ 	if (!ias)
+ 		cnreterr(-1, cms, "invalid issuer and serial number");
+ 
+-	return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
++	return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
+ }
+ 
+ int

0002-revert-a-dose-not-work-feature-12f1671.patch

@@ -0,0 +1,47 @@
+From 4d2f5853379d2d1f3afe1954df746b075926de88 Mon Sep 17 00:00:00 2001
+From: wang--ge <wang__ge@126.com>
+Date: Fri, 6 Dec 2024 16:14:51 +0800
+Subject: [PATCH] revert a dose not work feature 12f1671
+
+---
+ src/cms_common.c | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 228d0ab..85c9205 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -406,8 +406,6 @@ static SECStatus
+ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
+ {
+ 	struct validity_cbdata *cbd = (struct validity_cbdata *)data;
+-	PK11SlotInfo *slot = cbd->slot;
+-	SECKEYPrivateKey *privkey = NULL;
+ 	int errnum;
+ 
+ 	errnum = PORT_GetError();
+@@ -422,19 +420,8 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
+ 		return SECFailure;
+ 	}
+ 
+-	privkey = PK11_FindPrivateKeyFromCert(slot, cert, cbd->cms);
+-	if (privkey == NULL) {
+-		if (cbd->cert)
+-			CERT_DestroyCertificate(cbd->cert);
+-		PORT_SetError(0);
+-		cbd->cert = CERT_DupCertificate(cert);
+-		CERT_DestroyCertificate(cert);
+-		return SECSuccess;
+-	} else {
+-		SECKEY_DestroyPrivateKey(privkey);
+-		CERT_DestroyCertificate(cert);
+-	}
+-	return SECFailure;
++	cbd->cert = cert;
++	return SECSuccess;
+ }
+ 
+ int
+-- 
+2.43.0
+

Bugfix-Free-resources-if-certificate-cannot-be-found.patch

@@ -1,39 +0,0 @@
-From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
-From: Chenxi Mao <chenxi.mao@suse.com>
-Date: Tue, 13 Dec 2022 22:12:29 +0800
-Subject: [PATCH 1/1] Free resources if certificate cannot be found
-
-In find_certificate_by_callback, function return -1 directly without
-free resource if node is null, that will lead to nss shut down failed.
-
-The error message as below:
-could not shut down NSS: NSS could not shutdown. Objects are still in use.
-
-To fix this issue, free all resources before function return -1.
-
-Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
----
- src/cms_common.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 1c54c90..24576f2 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
- 		}
- 	}
- 
--	if (!node)
-+	if (!node) {
-+		PK11_DestroySlotListElement(slots, &psle);
-+		PK11_FreeSlotList(slots);
-+		CERT_DestroyCertList(certlist);
- 		cnreterr(-1, cms, "Could not find certificate");
-+	}
- 
- 	*cert = CERT_DupCertificate(node->cert);
- 
--- 
-2.33.0
-

Feature-pesign-support-SM2-signature-algorithm.patch

@@ -1,7 +1,7 @@
 From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
 From: godcansee <liu332084460@foxmail.com>
 Date: Sun, 2 Oct 2022 04:33:40 +0800
-Subject: [PATCH 2/2] pesign support SM2 signature algorithm.
+Subject: pesign support SM2 signature algorithm.
 
 Co-authored-by:Huaxin Lu <luhuaxin1@huawei.com>
 ---

Feature-pesign-support-SM3-digest-algorithm.patch

@@ -1,18 +1,19 @@
-From fa5e86eca363b8d2bcf23feedcc86fdd076be7d4 Mon Sep 17 00:00:00 2001
-From: godcansee <liu332084460@foxmail.com>
-Date: Sun, 2 Oct 2022 04:23:35 +0800
-Subject: [PATCH 1/2] pesign support SM3 digest algorithm.
+From 2e14b6a91835095720db3ce62949c725e1e44cf1 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Mon, 11 Sep 2023 19:24:37 +0800
+Subject: [PATCH] pesign support SM3 digest algorithm.
 
 ---
  src/cms_common.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ src/cms_common.h | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
 
 diff --git a/src/cms_common.c b/src/cms_common.c
-index d13b2cb..7b6dc0e 100644
+index 228d0ab..7b5abc5 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
-@@ -68,6 +68,15 @@ static struct digest_param digest_params[] = {
- 	 .size = 20
+@@ -56,6 +56,15 @@ const struct digest_param digest_params[] = {
+ 		.size = 20
  	},
  #endif
 +#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
@@ -25,8 +26,21 @@ index d13b2cb..7b6dc0e 100644
 +	},
 +#endif
  };
- static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
  
+diff --git a/src/cms_common.h b/src/cms_common.h
+index 35a128a..73c596f 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -76,7 +76,7 @@ struct digest_param {
+ 	int size;
+ };
+ 
+-extern const struct digest_param digest_params[2];
++extern const struct digest_param digest_params[3];
+ extern const unsigned int n_digest_params;
+ 
+ typedef struct pk12_file {
 -- 
-2.33.0
+2.27.0
 

Fix-CVE-2022-3560.patch

@@ -1,80 +0,0 @@
-From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 18 Jan 2023 14:00:22 -0500
-Subject: [PATCH] Use normal file permissions instead of ACLs
-
-Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
-
-pesign-authorize is now deprecated and will be removed in a future
-release.
-
-Resolves: CVE-2022-3560
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
- src/pesign-authorize.in | 50 +++--------------------------------------
- 1 file changed, 3 insertions(+), 47 deletions(-)
-
-diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
-index 69797d5..b4e89e0 100644
---- a/src/pesign-authorize.in
-+++ b/src/pesign-authorize.in
-@@ -2,56 +2,12 @@
- set -e
- set -u
- 
--#
--# With /run/pesign/socket on tmpfs, a simple way of restoring the
--# acls for specific users is useful
--#
--#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
--#
--
- # License: GPLv2
--declare -a fileusers=()
--declare -a dirusers=()
--while read -r user ; do
--	dirusers[${#dirusers[@]}]=-m
--	dirusers[${#dirusers[@]}]="u:$user:rwx"
--	fileusers[${#fileusers[@]}]=-m
--	fileusers[${#fileusers[@]}]="u:$user:rw"
--done </etc/pesign/users
--
--declare -a filegroups=()
--declare -a dirgroups=()
--while read -r group ; do
--	dirgroups[${#dirgroups[@]}]=-m
--	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
--	filegroups[${#filegroups[@]}]=-m
--	filegroups[${#filegroups[@]}]="g:$group:rw"
--done </etc/pesign/groups
--
--update_subdir() {
--	subdir=$1 && shift
- 
--	setfacl -bk "${subdir}"
--	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
--	for x in "${subdir}"* ; do
--		if [ -d "${x}" ]; then
--			setfacl -bk "${x}"
--			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
--			update_subdir "${x}/"
--		elif [ -e "${x}" ]; then
--			setfacl -bk "${x}"
--			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
--		else
--			:;
--		fi
--	done
--}
-+# This script is deprecated and will be removed in a future release.
- 
- sleep 3
- for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
--	if [ -d "${x}" ]; then
--		update_subdir "${x}"
--	else
--		:;
--	fi
-+	chown -R pesign:pesign "${x}" || true
-+	chmod -R ug+rwX "${x}" || true
- done

Fix-build-error-of-gcc-version-too-low.patch

@@ -4,36 +4,14 @@ Date: Mon, 7 Nov 2022 20:41:08 +0800
 Subject: [PATCH] fix build error of gcc version too low
 
 ---
- src/daemon.c   | 3 ---
  src/password.c | 3 ---
- 2 files changed, 6 deletions(-)
+ 1 file changed, 3 deletions(-)
 
-diff --git a/src/daemon.c b/src/daemon.c
-index 0a66deb..c5061bd 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -920,8 +920,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
- 
- /* GCC -fanalyzer has trouble with realloc
-  * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
--#pragma GCC diagnostic push
--#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
- static int
- handle_events(context *ctx)
- {
-@@ -1000,7 +998,6 @@ shutdown:
- 	}
- 	return 0;
- }
--#pragma GCC diagnostic pop
- 
- static int
- get_uid_and_gid(context *ctx, char **homedir)
 diff --git a/src/password.c b/src/password.c
-index 05add9a..0f359d2 100644
+index ac1866e..3436ea2 100644
 --- a/src/password.c
 +++ b/src/password.c
-@@ -304,14 +304,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+@@ -312,14 +312,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
  
  		/* Workaround for -fanalzer/reallocarray() bug
  		 * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
@@ -47,7 +25,7 @@ index 05add9a..0f359d2 100644
 -#pragma GCC diagnostic pop
  
  		span = strspn(start, whitespace_and_eol_chars);
- 		dprintf("whitespace span is %zd", span);
+ 		dbgprintf("whitespace span is %zd", span);
 -- 
-2.27.0
+2.39.1
 

Remove-unused-i-option-in-authvar.patch

@@ -0,0 +1,16 @@
+diff -Nur a/src/authvar.c b/src/authvar.c
+--- a/src/authvar.c	2022-03-09 01:46:30.000000000 +0800
++++ b/src/authvar.c	2023-05-31 16:47:15.329069974 +0800
+@@ -324,12 +324,6 @@
+ 		 .arg = &ctx.valuefile,
+ 		 .descrip = "read value from <file>",
+ 		 .argDescrip = "<file>" },
+-		{.longName = "import",
+-		 .shortName = 'i',
+-		 .argInfo = POPT_ARG_STRING,
+-		 .arg = &ctx.importfile,
+-		 .descrip = "import variable from <file>",
+-		 .argDescrip = "<file>" },
+ 		{.longName = "export",
+ 		 .shortName = 'e',
+ 		 .argInfo = POPT_ARG_STRING,

pesign.spec

@@ -1,11 +1,11 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
-Version:       115
-Release:       4
+Version:       116
+Release:       5
 License:       GPLv2
 URL:           https://github.com/rhboot/pesign
-Source0:       https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
+Source0:       https://github.com/rhboot/pesign/archive/refs/tags/116.tar.gz
 Source1:       certs.tar.xz
 Source2:       pesign.py
 Source3:       euleros-certs.tar.bz2
@@ -17,13 +17,13 @@ BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
 BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
 
 Patch0001:     Bugfix-cms_common-fix-cert-match-check.patch
-Patch0002:     Bugfix-Free-resources-if-certificate-cannot-be-found.patch
+Patch0002:     0001-cms_common-Fixed-Segmentation-fault.patch
+Patch0003:     0002-revert-a-dose-not-work-feature-12f1671.patch
 
-# Feature: support SM2 and SM3
 Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
 Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
 Patch9002:     Fix-build-error-of-gcc-version-too-low.patch
-Patch9003:     Fix-CVE-2022-3560.patch
+Patch9004:     Remove-unused-i-option-in-authvar.patch
 
 %description
 pesign is a command line tool for manipulating signatures and
@@ -50,7 +50,11 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} install_system
 install -D etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
 install -D etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
 mv euleros-certs/etc/pki/pesign/euleros-pesign-db %{buildroot}/etc/pki/pesign/
-install -D %{buildroot}%{_sysconfdir}/rpm/macros.pesign %{buildroot}%{macrosdir}/macros.pesign
+if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
+	mkdir -p %{buildroot}%{macrosdir}
+	mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign %{buildroot}%{macrosdir}
+	rmdir %{buildroot}%{_sysconfdir}/rpm
+fi
 rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
 install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
@@ -84,22 +88,34 @@ exit 0
 %config(noreplace)/%{_sysconfdir}/pesign/*
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
-%dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
-%attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
 %{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
 %{python3_sitelib}/mockbuild/plugins/*/pesign.*
 %{python3_sitelib}/mockbuild/plugins/pesign.*
-%exclude /boot
 %exclude %{_sysconfdir}/rpm
 
 %files help
-%doc README TODO
+%doc README.md TODO
 %{_mandir}/man*/*
 
 %changelog
+* Fri Dec 06 2024 Ge Wang <wang__ge@126.com> - 116-5
+- Revert a dose not work feature 12f1671
+
+* Tue May 07 2024 xu_ping <707078654@qq.com> - 116-4
+- Remove unused i option in authvar 
+
+* Wed Apr 24 2024 xu_ping <707078654@qq.com> - 116-3
+- Modify permissions for macros.pesign.
+
+* Mon Sep 11 2023 jinlun <jinlun@huawei.com> - 116-2
+- fix the algorithm flag for sm2,sm3
+
+* Thu May 04 2023 chenchen <chen_aka_jan@163.com> - 116-1
+- Update to 116
+
 * Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
 - Fix CVE-2022-3560