diff --git a/backport-rpm2cpio.sh-only-read-needed-bytes-of-file-magic.patch b/backport-rpm2cpio.sh-only-read-needed-bytes-of-file-magic.patch new file mode 100644 index 0000000..490ec44 --- /dev/null +++ b/backport-rpm2cpio.sh-only-read-needed-bytes-of-file-magic.patch @@ -0,0 +1,27 @@ +From 8f922eb38a096640e586ba0eda96adc093b74fc4 Mon Sep 17 00:00:00 2001 +From: Florian Festi +Date: Wed, 3 Aug 2022 17:19:02 +0200 +Subject: [PATCH] rpm2cpio.sh: only read needed bytes of file magic + +As we look at the first 4 bytes anyway there is no reason to read more. +Reading more also hits a bug in bash on aarch64 (rhbz#2115206). +--- + scripts/rpm2cpio.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh +index 74aeed8..cea0da2 100755 +--- a/scripts/rpm2cpio.sh ++++ b/scripts/rpm2cpio.sh +@@ -43,7 +43,7 @@ calcsize() { + offset=$(($offset + $rsize)) + } + +-case "$(_dd 0 bs=8 count=1 | tr -d '\0')" in ++case "$(_dd 0 bs=4 count=1 | tr -d '\0')" in + "$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb' + *) fatal "File doesn't look like rpm: $pkg" ;; + esac +-- +1.8.3.1 + diff --git a/backport-rpm2cpio.sh-strip-null-bytes-with-tr.patch b/backport-rpm2cpio.sh-strip-null-bytes-with-tr.patch new file mode 100644 index 0000000..5cdef02 --- /dev/null +++ b/backport-rpm2cpio.sh-strip-null-bytes-with-tr.patch @@ -0,0 +1,35 @@ +From d499887c9261fdab4d03ea29316ea5e8fc646bd3 Mon Sep 17 00:00:00 2001 +From: Florian Festi +Date: Fri, 1 Jul 2022 14:49:09 +0200 +Subject: [PATCH] rpm2cpio.sh: strip null bytes with tr + +to avoid warnings +--- + scripts/rpm2cpio.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh +index f77d5f8..59e8bc5 100755 +--- a/scripts/rpm2cpio.sh ++++ b/scripts/rpm2cpio.sh +@@ -43,7 +43,7 @@ calcsize() { + offset=$(($offset + $rsize)) + } + +-case "$(_dd 0 bs=8 count=1)" in ++case "$(_dd 0 bs=8 count=1 | tr -d '\0')" in + "$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb' + *) fatal "File doesn't look like rpm: $pkg" ;; + esac +@@ -54,7 +54,7 @@ sigsize=$rsize + calcsize $(($offset + (8 - ($sigsize % 8)) % 8)) + hdrsize=$rsize + +-case "$(_dd $offset bs=3 count=1)" in ++case "$(_dd $offset bs=3 count=1 | tr -d '\0')" in + "$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a' + "$(printf '\037\213')"*) _dd $offset | gunzip ;; # '\x1f\x8b' + "$(printf '\375\067')"*) _dd $offset | xzcat ;; # '\xfd\x37' +-- +1.8.3.1 + diff --git a/rpm.spec b/rpm.spec index 6496bfc..005bbe9 100644 --- a/rpm.spec +++ b/rpm.spec @@ -1,6 +1,6 @@ Name: rpm Version: 4.17.0 -Release: 11 +Release: 12 Summary: RPM Package Manager License: GPLv2+ URL: http://www.rpm.org/ @@ -77,6 +77,8 @@ Patch6042: backport-Convert-the-file-creation-steps-the-at-family-of-cal.patch Patch6043: backport-Bury-rpmio-FD-use-to-fsmUnpack.patch Patch6044: backport-Return-descriptor-of-created-file-from-fsmMkfile.patch Patch6045: backport-CVE-2021-35938.patch +Patch6046: backport-rpm2cpio.sh-strip-null-bytes-with-tr.patch +Patch6047: backport-rpm2cpio.sh-only-read-needed-bytes-of-file-magic.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel BuildRequires: zlib-devel zstd-devel >= 1.3.8 xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel @@ -346,6 +348,9 @@ make check || (cat tests/rpmtests.log; exit 0) %{_mandir}/man1/gendiff.1* %changelog +* Fri Sep 09 2022 renhongxun - 4.17.0-12 +- sync patches from upstream + * Wed Aug 31 2022 Hongxun Ren - 4.17.0-11 - fix CVE-2021-35937 CVE-2021-35938 CVE-2021-35939