[kirkstone] rpm: update 4.17.1 -> 4.18

Message ID 20230227032020.6248-1-vkumbhar@mvista.com
State New, archived

Commit Message

Vivek Kumbhar Feb. 27, 2023, 3:20 a.m. UTC
(From OE-Core rev: 5bef402da334595ed9302b8bca1acdf5e88bfe11)

This will fix #CVE-2021-35938 rpm: races with chown/chmod/capabilities calls during installation

upstream branch=rpm-4.18: git://github.com/rpm-software-management/rpm

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
 ...When-cross-installing-execute-package-scriptlets-wit.patch | 2 +-
 .../rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch | 3 +--
 meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb}      | 4 ++--
 3 files changed, 4 insertions(+), 5 deletions(-)
 rename meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb} (99%)

Comments

Alexander Kanavin Feb. 27, 2023, 9:21 a.m. UTC | #1
You have to backport the fix I'm afraid. Stable releases do not allow
major upgrades like that.

Alex

On Mon, 27 Feb 2023 at 04:20, vkumbhar <vkumbhar@mvista.com> wrote:
>
> (From OE-Core rev: 5bef402da334595ed9302b8bca1acdf5e88bfe11)
>
> This will fix #CVE-2021-35938 rpm: races with chown/chmod/capabilities calls during installation
>
> upstream branch=rpm-4.18: git://github.com/rpm-software-management/rpm
>
> Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> ---
>  ...When-cross-installing-execute-package-scriptlets-wit.patch | 2 +-
>  .../rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch | 3 +--
>  meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb}      | 4 ++--
>  3 files changed, 4 insertions(+), 5 deletions(-)
>  rename meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb} (99%)
>
> diff --git a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> index 2a0069cafe..13d01faa0e 100644
> --- a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> +++ b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> @@ -53,7 +53,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
>
>       if (rc != RPMRC_FAIL) {
>         if (script_type & RPMSCRIPTLET_EXEC) {
> --          rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
> +-          rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, script->nextFileFunc);
>  +          if (getenv("RPM_NO_CHROOT_FOR_SCRIPTS") != NULL) {
>  +              rpmChrootOut();
>  +              rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
> diff --git a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> index 9783396639..cab54c3fb6 100644
> --- a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> +++ b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> @@ -20,11 +20,10 @@ diff --git a/tools/elfdeps.c b/tools/elfdeps.c
>  index d205935bb..3a8945b33 100644
>  --- a/tools/elfdeps.c
>  +++ b/tools/elfdeps.c
> -@@ -5,10 +5,14 @@
> +@@ +5,14 @@
>   #include <unistd.h>
>   #include <stdlib.h>
>   #include <fcntl.h>
> --#include <error.h>
>   #include <errno.h>
>   #include <popt.h>
>   #include <gelf.h>
> diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb b/meta/recipes-devtools/rpm/rpm_4.18.bb
> similarity index 99%
> rename from meta/recipes-devtools/rpm/rpm_4.17.1.bb
> rename to meta/recipes-devtools/rpm/rpm_4.18.bb
> index 9b6446f265..724dbbe70a 100644
> --- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> +++ b/meta/recipes-devtools/rpm/rpm_4.18.bb
> @@ -24,7 +24,7 @@ HOMEPAGE = "http://www.rpm.org"
>  LICENSE = "GPL-2.0-only"
>  LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f"
>
> -SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protocol=https \
> +SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.18.x;protocol=https \
>             file://environment.d-rpm.sh \
>             file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \
>             file://0001-Do-not-read-config-files-from-HOME.patch \
> @@ -43,7 +43,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
>             "
>
>  PE = "1"
> -SRCREV = "5bef402da334595ed9302b8bca1acdf5e88bfe11"
> +SRCREV = "ea0d77c52e176e2876fdb1d07ad41e9e2635a93e"
>
>  S = "${WORKDIR}/git"
>
> --
> 2.25.1
>
Vivek Kumbhar Feb. 27, 2023, 9:25 a.m. UTC | #2
Okay, sure, I will backport the fix only instead of upgrading.

-Thanks,
Vivek

On Mon, Feb 27, 2023 at 2:51 PM Alexander Kanavin <alex.kanavin@gmail.com> wrote:

> You have to backport the fix I'm afraid. Stable releases do not allow
> major upgrades like that.
>
> Alex
>
> On Mon, 27 Feb 2023 at 04:20, vkumbhar <vkumbhar@mvista.com> wrote:
> >
> > (From OE-Core rev: 5bef402da334595ed9302b8bca1acdf5e88bfe11)
> >
> > This will fix #CVE-2021-35938 rpm: races with chown/chmod/capabilities calls during installation
> >
> > upstream branch=rpm-4.18: git://github.com/rpm-software-management/rpm
> >
> > Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
> > ---
> >  ...When-cross-installing-execute-package-scriptlets-wit.patch | 2 +-
> >  .../rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch | 3 +--
> >  meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb}      | 4 ++--
> >  3 files changed, 4 insertions(+), 5 deletions(-)
> >  rename meta/recipes-devtools/rpm/{rpm_4.17.1.bb => rpm_4.18.bb} (99%)
> >
> > diff --git
> a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> > index 2a0069cafe..13d01faa0e 100644
> > ---
> a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> > +++
> b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
> > @@ -53,7 +53,7 @@ Signed-off-by: Alexander Kanavin <
> alex.kanavin@gmail.com>
> >
> >       if (rc != RPMRC_FAIL) {
> >         if (script_type & RPMSCRIPTLET_EXEC) {
> > --          rc = runExtScript(plugins, prefixes, script->descr, lvl,
> scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
> > +-          rc = runExtScript(plugins, prefixes, script->descr, lvl,
> scriptFd, &args, script->body, arg1, arg2, script->nextFileFunc);
> >  +          if (getenv("RPM_NO_CHROOT_FOR_SCRIPTS") != NULL) {
> >  +              rpmChrootOut();
> >  +              rc = runExtScript(plugins, prefixes, script->descr, lvl,
> scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
> > diff --git
> a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> > index 9783396639..cab54c3fb6 100644
> > ---
> a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> > +++
> b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
> > @@ -20,11 +20,10 @@ diff --git a/tools/elfdeps.c b/tools/elfdeps.c
> >  index d205935bb..3a8945b33 100644
> >  --- a/tools/elfdeps.c
> >  +++ b/tools/elfdeps.c
> > -@@ -5,10 +5,14 @@
> > +@@ +5,14 @@
> >   #include <unistd.h>
> >   #include <stdlib.h>
> >   #include <fcntl.h>
> > --#include <error.h>
> >   #include <errno.h>
> >   #include <popt.h>
> >   #include <gelf.h>
> > diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> b/meta/recipes-devtools/rpm/rpm_4.18.bb
> > similarity index 99%
> > rename from meta/recipes-devtools/rpm/rpm_4.17.1.bb
> > rename to meta/recipes-devtools/rpm/rpm_4.18.bb
> > index 9b6446f265..724dbbe70a 100644
> > --- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
> > +++ b/meta/recipes-devtools/rpm/rpm_4.18.bb
> > @@ -24,7 +24,7 @@ HOMEPAGE = "http://www.rpm.org"
> >  LICENSE = "GPL-2.0-only"
> >  LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f"
> >
> > -SRC_URI = "git://
> github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protocol=https \
> > +SRC_URI = "git://
> github.com/rpm-software-management/rpm;branch=rpm-4.18.x;protocol=https \
> >             file://environment.d-rpm.sh \
> >
>  file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \
> >             file://0001-Do-not-read-config-files-from-HOME.patch \
> > @@ -43,7 +43,7 @@ SRC_URI = "git://
> github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
> >             "
> >
> >  PE = "1"
> > -SRCREV = "5bef402da334595ed9302b8bca1acdf5e88bfe11"
> > +SRCREV = "ea0d77c52e176e2876fdb1d07ad41e9e2635a93e"
> >
> >  S = "${WORKDIR}/git"
> >
> > --
> > 2.25.1
> >
Patch

diff --git a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
index 2a0069cafe..13d01faa0e 100644
--- a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
+++ b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
@@ -53,7 +53,7 @@  Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  
      if (rc != RPMRC_FAIL) {
  	if (script_type & RPMSCRIPTLET_EXEC) {
--	    rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
+-	    rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, script->nextFileFunc);
 +	    if (getenv("RPM_NO_CHROOT_FOR_SCRIPTS") != NULL) {
 +		rpmChrootOut();
 +		rc = runExtScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc);
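Review bot: The refreshed removal line now passes `script->nextFileFunc` by value, but the added `runExtScript(...)` call after `rpmChrootOut()` in this same hunk still passes `&script->nextFileFunc`. If the removal line was changed to match the 4.18 source, the added calls in the carried patch need the same argument form; otherwise the patch applies but hands `runExtScript` a different pointer level than the call it replaces. Update every added `runExtScript` call in 0001-When-cross-installing-execute-package-scriptlets-wit.patch to match, and mention the refresh in the commit message.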
diff --git a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
index 9783396639..cab54c3fb6 100644
--- a/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
+++ b/meta/recipes-devtools/rpm/files/0001-tools-Add-error.h-for-non-glibc-case.patch
@@ -20,11 +20,10 @@  diff --git a/tools/elfdeps.c b/tools/elfdeps.c
 index d205935bb..3a8945b33 100644
 --- a/tools/elfdeps.c
 +++ b/tools/elfdeps.c
-@@ -5,10 +5,14 @@
+@@ +5,14 @@
  #include <unistd.h>
  #include <stdlib.h>
  #include <fcntl.h>
--#include <error.h>
  #include <errno.h>
  #include <popt.h>
  #include <gelf.h>
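Review bot: The rewritten inner hunk header `@@ +5,14 @@` has lost its old-file range; a unified diff header needs both ranges (`@@ -start,count +start,count @@`), so a tool that parses the header strictly will reject the carried patch. Since the `-#include <error.h>` removal is dropped from the inner hunk, keep the `-5,...` range with its count reduced by one instead of deleting it, preferably by regenerating the patch against the new source tree rather than editing the header by hand.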
diff --git a/meta/recipes-devtools/rpm/rpm_4.17.1.bb b/meta/recipes-devtools/rpm/rpm_4.18.bb
similarity index 99%
rename from meta/recipes-devtools/rpm/rpm_4.17.1.bb
rename to meta/recipes-devtools/rpm/rpm_4.18.bb
index 9b6446f265..724dbbe70a 100644
--- a/meta/recipes-devtools/rpm/rpm_4.17.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.18.bb
@@ -24,7 +24,7 @@  HOMEPAGE = "http://www.rpm.org"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f"
 
-SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protocol=https \
+SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.18.x;protocol=https \
            file://environment.d-rpm.sh \
            file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \
            file://0001-Do-not-read-config-files-from-HOME.patch \
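Review bot: On the `SRC_URI` line, `branch=rpm-4.18.x` moves a `[kirkstone]` recipe to a new upstream release series to pick up a single CVE fix, and the commit message cites `branch=rpm-4.18`, which does not match the branch name used here. For a stable branch, keep `branch=rpm-4.17.x` and add the CVE-2021-35938 fix as a backported patch entry in this `file://` list; if the upgrade stays, correct the branch name in the message.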
@@ -43,7 +43,7 @@  SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc
            "
 
 PE = "1"
-SRCREV = "5bef402da334595ed9302b8bca1acdf5e88bfe11"
+SRCREV = "ea0d77c52e176e2876fdb1d07ad41e9e2635a93e"
 
 S = "${WORKDIR}/git"
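Review bot: The old `SRCREV` being replaced, `5bef402da334595ed9302b8bca1acdf5e88bfe11`, is the same hash the commit message gives as "From OE-Core rev", so that trailer appears to name the rpm source revision rather than an OE-Core commit. Fix or drop the trailer, and state in the message which upstream tag or commit on the 4.18 branch the new `SRCREV` corresponds to and which commits in it address CVE-2021-35938, so the pin can be checked.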