From 6821ee2eede3a04d221de474e45327c8927d7254 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Fri, 23 Apr 2021 13:41:03 +0800 Subject: rpm: Upgrade to 4.16.1.3 Fixes some security vulnerabilities such as CVE-2021-3421 and CVE-2021-20271. Rebase 0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch to avoid fuzz warnings. (From OE-Core rev: 532698a83261e3ce53f03d5b063a6978a7592bd1) Signed-off-by: Mingli Yu Signed-off-by: Richard Purdie Signed-off-by: Anuj Mittal (cherry picked from commit 25fe972c4aa6ea640b1cdcd1624108f70e539586) Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie --- ...code-lib-rpm-as-the-installation-path-for.patch | 8 +- meta/recipes-devtools/rpm/rpm_4.16.1.2.bb | 195 --------------------- meta/recipes-devtools/rpm/rpm_4.16.1.3.bb | 195 +++++++++++++++++++++ 3 files changed, 199 insertions(+), 199 deletions(-) delete mode 100644 meta/recipes-devtools/rpm/rpm_4.16.1.2.bb create mode 100644 meta/recipes-devtools/rpm/rpm_4.16.1.3.bb (limited to 'meta') diff --git a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch index 38d755205c..d8fcc16729 100644 --- a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch +++ b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch @@ -1,4 +1,4 @@ -From 9bbe3f8564705aafcdcc5f2f033f9241a97f47c6 Mon Sep 17 00:00:00 2001 +From 7b2dd83d8fcd06af8e583b53da79ed0033793d46 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Mon, 27 Feb 2017 09:43:30 +0200 Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for @@ -14,7 +14,7 @@ Signed-off-by: Alexander Kanavin 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 6c78568e4..76b1d40e4 100644 +index fe35a90fa..b2faec6f3 100644 --- a/configure.ac +++ b/configure.ac @@ -966,7 +966,7 @@ else @@ -40,7 +40,7 @@ index 35c8cf9df..9d8b2825c 100644 %_infodir %{_datadir}/info %_mandir %{_datadir}/man diff --git a/rpm.am b/rpm.am -index cd40a16be..e6941e09f 100644 +index 8e1dc2184..3d889ec86 100644 --- a/rpm.am +++ b/rpm.am @@ -1,10 +1,10 @@ @@ -55,4 +55,4 @@ index cd40a16be..e6941e09f 100644 +rpmconfigdir = $(libdir)/rpm # Libtool version (current-revision-age) for all our libraries - rpm_version_info = 10:2:1 + rpm_version_info = 10:3:1 diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb deleted file mode 100644 index d369c706a2..0000000000 --- a/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb +++ /dev/null @@ -1,195 +0,0 @@ -SUMMARY = "The RPM package management system" -DESCRIPTION = "The RPM Package Manager (RPM) is a powerful command line driven \ -package management system capable of installing, uninstalling, \ -verifying, querying, and updating software packages. Each software \ -package consists of an archive of files along with information about \ -the package like its version, a description, etc." - -SUMMARY_${PN}-dev = "Development files for manipulating RPM packages" -DESCRIPTION_${PN}-dev = "This package contains the RPM C library and header files. These \ -development files will simplify the process of writing programs that \ -manipulate RPM packages and databases. These files are intended to \ -simplify the process of creating graphical package managers or any \ -other tools that need an intimate knowledge of RPM packages in order \ -to function." - -SUMMARY_python3-rpm = "Python bindings for apps which will manupulate RPM packages" -DESCRIPTION_python3-rpm = "The python3-rpm package contains a module that permits applications \ -written in the Python programming language to use the interface \ -supplied by the RPM Package Manager libraries." - -HOMEPAGE = "http://www.rpm.org" - -# libraries are also LGPL - how to express this? -LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f" - -SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.16.x \ - file://environment.d-rpm.sh \ - file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \ - file://0001-Do-not-read-config-files-from-HOME.patch \ - file://0001-When-cross-installing-execute-package-scriptlets-wit.patch \ - file://0001-Do-not-reset-the-PATH-environment-variable-before-ru.patch \ - file://0002-Add-support-for-prefixing-etc-from-RPM_ETCCONFIGDIR-.patch \ - file://0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch \ - file://0001-Fix-build-with-musl-C-library.patch \ - file://0001-Add-a-color-setting-for-mips64_n32-binaries.patch \ - file://0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch \ - file://0001-perl-disable-auto-reqs.patch \ - file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \ - file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \ - file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \ - file://0001-tools-Add-error.h-for-non-glibc-case.patch \ - " - -PE = "1" -SRCREV = "278883a704ea36c97974d0f2d65d41abe78b0e2a" - -S = "${WORKDIR}/git" - -DEPENDS = "libgcrypt db file popt xz bzip2 elfutils python3" -DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native" - -inherit autotools gettext pkgconfig python3native -export PYTHON_ABI - -AUTOTOOLS_AUXDIR = "${S}/build-aux" - -# OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe -EXTRA_AUTORECONF_append = " --exclude=gnu-configize" - -EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=libgcrypt" -EXTRA_OECONF_append_libc-musl = " --disable-nls --disable-openmp" - -# --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs -# --localstatedir prevents rpm from writing its database to native sysroot when building images -# Forcibly disable plugins for native/nativesdk, as the inhibit and prioreset -# plugins both behave badly inside builds. -EXTRA_OECONF_append_class-native = " --sysconfdir=/etc --localstatedir=/var --disable-plugins" -EXTRA_OECONF_append_class-nativesdk = " --sysconfdir=/etc --disable-plugins" - -BBCLASSEXTEND = "native nativesdk" - -PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'inhibit', '', d)}" -# The inhibit plugin serves no purpose outside of the target -PACKAGECONFIG_remove_class-native = "inhibit" -PACKAGECONFIG_remove_class-nativesdk = "inhibit" - -PACKAGECONFIG[imaevm] = "--with-imaevm,,ima-evm-utils" -PACKAGECONFIG[inhibit] = "--enable-inhibit-plugin,--disable-inhibit-plugin,dbus" -PACKAGECONFIG[rpm2archive] = "--with-archive,--without-archive,libarchive" - -ASNEEDED = "" - -# Direct rpm-native to read configuration from our sysroot, not the one it was compiled in -# libmagic also has sysroot path contamination, so override it - -WRAPPER_TOOLS = " \ - ${bindir}/rpm \ - ${bindir}/rpm2archive \ - ${bindir}/rpm2cpio \ - ${bindir}/rpmbuild \ - ${bindir}/rpmdb \ - ${bindir}/rpmgraph \ - ${bindir}/rpmkeys \ - ${bindir}/rpmsign \ - ${bindir}/rpmspec \ - ${libdir}/rpm/rpmdeps \ -" - -do_configure_prepend() { - mkdir -p ${S}/build-aux -} - -do_install_append_class-native() { - for tool in ${WRAPPER_TOOLS}; do - test -x ${D}$tool && create_wrapper ${D}$tool \ - RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \ - RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \ - MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \ - RPM_NO_CHROOT_FOR_SCRIPTS=1 - done -} - -do_install_append_class-nativesdk() { - for tool in ${WRAPPER_TOOLS}; do - test -x ${D}$tool && create_wrapper ${D}$tool \ - RPM_CONFIGDIR='`dirname $''realpath`'/${@os.path.relpath(d.getVar('libdir'), d.getVar('bindir'))}/rpm \ - RPM_ETCCONFIGDIR='$'{RPM_ETCCONFIGDIR-'`dirname $''realpath`'/${@os.path.relpath(d.getVar('sysconfdir'), d.getVar('bindir'))}/..} \ - MAGIC='`dirname $''realpath`'/${@os.path.relpath(d.getVar('datadir'), d.getVar('bindir'))}/misc/magic.mgc \ - RPM_NO_CHROOT_FOR_SCRIPTS=1 - done - - rm -rf ${D}/var - - mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-rpm.sh ${D}${SDKPATHNATIVE}/environment-setup.d/rpm.sh -} - -# Rpm's make install creates var/tmp which clashes with base-files packaging -do_install_append_class-target() { - rm -rf ${D}/var -} - -do_install_append () { - sed -i -e 's:${HOSTTOOLS_DIR}/::g' \ - ${D}/${libdir}/rpm/macros - - sed -i -e 's|/usr/bin/python|${USRBINPATH}/env ${PYTHON_PN}|' \ - ${D}${libdir}/rpm/pythondistdeps.py -} - -FILES_${PN} += "${libdir}/rpm-plugins/*.so \ - " -FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/rpm.sh" - -FILES_${PN}-dev += "${libdir}/rpm-plugins/*.la \ - " -PACKAGE_BEFORE_PN += "${PN}-build ${PN}-sign ${PN}-archive" - -RRECOMMENDS_${PN} += "rpm-build rpm-sign rpm-archive" - -FILES_${PN}-build = "\ - ${bindir}/rpmbuild \ - ${bindir}/gendiff \ - ${bindir}/rpmspec \ - ${libdir}/librpmbuild.so.* \ - ${libdir}/rpm/brp-* \ - ${libdir}/rpm/check-* \ - ${libdir}/rpm/debugedit \ - ${libdir}/rpm/sepdebugcrcfix \ - ${libdir}/rpm/find-debuginfo.sh \ - ${libdir}/rpm/find-lang.sh \ - ${libdir}/rpm/*provides* \ - ${libdir}/rpm/*requires* \ - ${libdir}/rpm/*deps* \ - ${libdir}/rpm/*.prov \ - ${libdir}/rpm/*.req \ - ${libdir}/rpm/config.* \ - ${libdir}/rpm/mkinstalldirs \ - ${libdir}/rpm/macros.p* \ - ${libdir}/rpm/fileattrs/* \ -" - -FILES_${PN}-sign = "\ - ${bindir}/rpmsign \ - ${libdir}/librpmsign.so.* \ -" - -FILES_${PN}-archive = "\ - ${bindir}/rpm2archive \ -" - -PACKAGES += "python3-rpm" -PROVIDES += "python3-rpm" -FILES_python3-rpm = "${PYTHON_SITEPACKAGES_DIR}/rpm/*" - -RDEPENDS_${PN}-build = "bash perl python3-core" - -PACKAGE_PREPROCESS_FUNCS += "rpm_package_preprocess" - -# Do not specify a sysroot when compiling on a target. -rpm_package_preprocess () { - sed -i -e 's:--sysroot[^ ]*::g' \ - ${PKGD}/${libdir}/rpm/macros -} diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb new file mode 100644 index 0000000000..7c03b41fc8 --- /dev/null +++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb @@ -0,0 +1,195 @@ +SUMMARY = "The RPM package management system" +DESCRIPTION = "The RPM Package Manager (RPM) is a powerful command line driven \ +package management system capable of installing, uninstalling, \ +verifying, querying, and updating software packages. Each software \ +package consists of an archive of files along with information about \ +the package like its version, a description, etc." + +SUMMARY_${PN}-dev = "Development files for manipulating RPM packages" +DESCRIPTION_${PN}-dev = "This package contains the RPM C library and header files. These \ +development files will simplify the process of writing programs that \ +manipulate RPM packages and databases. These files are intended to \ +simplify the process of creating graphical package managers or any \ +other tools that need an intimate knowledge of RPM packages in order \ +to function." + +SUMMARY_python3-rpm = "Python bindings for apps which will manupulate RPM packages" +DESCRIPTION_python3-rpm = "The python3-rpm package contains a module that permits applications \ +written in the Python programming language to use the interface \ +supplied by the RPM Package Manager libraries." + +HOMEPAGE = "http://www.rpm.org" + +# libraries are also LGPL - how to express this? +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=c4eec0c20c6034b9407a09945b48a43f" + +SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.16.x \ + file://environment.d-rpm.sh \ + file://0001-Do-not-add-an-unsatisfiable-dependency-when-building.patch \ + file://0001-Do-not-read-config-files-from-HOME.patch \ + file://0001-When-cross-installing-execute-package-scriptlets-wit.patch \ + file://0001-Do-not-reset-the-PATH-environment-variable-before-ru.patch \ + file://0002-Add-support-for-prefixing-etc-from-RPM_ETCCONFIGDIR-.patch \ + file://0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch \ + file://0001-Fix-build-with-musl-C-library.patch \ + file://0001-Add-a-color-setting-for-mips64_n32-binaries.patch \ + file://0011-Do-not-require-that-ELF-binaries-are-executable-to-b.patch \ + file://0001-perl-disable-auto-reqs.patch \ + file://0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch \ + file://0016-rpmscript.c-change-logging-level-around-scriptlets-t.patch \ + file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \ + file://0001-tools-Add-error.h-for-non-glibc-case.patch \ + " + +PE = "1" +SRCREV = "3659b8a04f5b8bacf6535e0124e7fe23f15286bd" + +S = "${WORKDIR}/git" + +DEPENDS = "libgcrypt db file popt xz bzip2 elfutils python3" +DEPENDS_append_class-native = " file-replacement-native bzip2-replacement-native" + +inherit autotools gettext pkgconfig python3native +export PYTHON_ABI + +AUTOTOOLS_AUXDIR = "${S}/build-aux" + +# OE-core patches autoreconf to additionally run gnu-configize, which fails with this recipe +EXTRA_AUTORECONF_append = " --exclude=gnu-configize" + +EXTRA_OECONF_append = " --without-lua --enable-python --with-crypto=libgcrypt" +EXTRA_OECONF_append_libc-musl = " --disable-nls --disable-openmp" + +# --sysconfdir prevents rpm from attempting to access machine-specific configuration in sysroot/etc; we need to have it in rootfs +# --localstatedir prevents rpm from writing its database to native sysroot when building images +# Forcibly disable plugins for native/nativesdk, as the inhibit and prioreset +# plugins both behave badly inside builds. +EXTRA_OECONF_append_class-native = " --sysconfdir=/etc --localstatedir=/var --disable-plugins" +EXTRA_OECONF_append_class-nativesdk = " --sysconfdir=/etc --disable-plugins" + +BBCLASSEXTEND = "native nativesdk" + +PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'inhibit', '', d)}" +# The inhibit plugin serves no purpose outside of the target +PACKAGECONFIG_remove_class-native = "inhibit" +PACKAGECONFIG_remove_class-nativesdk = "inhibit" + +PACKAGECONFIG[imaevm] = "--with-imaevm,,ima-evm-utils" +PACKAGECONFIG[inhibit] = "--enable-inhibit-plugin,--disable-inhibit-plugin,dbus" +PACKAGECONFIG[rpm2archive] = "--with-archive,--without-archive,libarchive" + +ASNEEDED = "" + +# Direct rpm-native to read configuration from our sysroot, not the one it was compiled in +# libmagic also has sysroot path contamination, so override it + +WRAPPER_TOOLS = " \ + ${bindir}/rpm \ + ${bindir}/rpm2archive \ + ${bindir}/rpm2cpio \ + ${bindir}/rpmbuild \ + ${bindir}/rpmdb \ + ${bindir}/rpmgraph \ + ${bindir}/rpmkeys \ + ${bindir}/rpmsign \ + ${bindir}/rpmspec \ + ${libdir}/rpm/rpmdeps \ +" + +do_configure_prepend() { + mkdir -p ${S}/build-aux +} + +do_install_append_class-native() { + for tool in ${WRAPPER_TOOLS}; do + test -x ${D}$tool && create_wrapper ${D}$tool \ + RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \ + RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \ + MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \ + RPM_NO_CHROOT_FOR_SCRIPTS=1 + done +} + +do_install_append_class-nativesdk() { + for tool in ${WRAPPER_TOOLS}; do + test -x ${D}$tool && create_wrapper ${D}$tool \ + RPM_CONFIGDIR='`dirname $''realpath`'/${@os.path.relpath(d.getVar('libdir'), d.getVar('bindir'))}/rpm \ + RPM_ETCCONFIGDIR='$'{RPM_ETCCONFIGDIR-'`dirname $''realpath`'/${@os.path.relpath(d.getVar('sysconfdir'), d.getVar('bindir'))}/..} \ + MAGIC='`dirname $''realpath`'/${@os.path.relpath(d.getVar('datadir'), d.getVar('bindir'))}/misc/magic.mgc \ + RPM_NO_CHROOT_FOR_SCRIPTS=1 + done + + rm -rf ${D}/var + + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-rpm.sh ${D}${SDKPATHNATIVE}/environment-setup.d/rpm.sh +} + +# Rpm's make install creates var/tmp which clashes with base-files packaging +do_install_append_class-target() { + rm -rf ${D}/var +} + +do_install_append () { + sed -i -e 's:${HOSTTOOLS_DIR}/::g' \ + ${D}/${libdir}/rpm/macros + + sed -i -e 's|/usr/bin/python|${USRBINPATH}/env ${PYTHON_PN}|' \ + ${D}${libdir}/rpm/pythondistdeps.py +} + +FILES_${PN} += "${libdir}/rpm-plugins/*.so \ + " +FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/rpm.sh" + +FILES_${PN}-dev += "${libdir}/rpm-plugins/*.la \ + " +PACKAGE_BEFORE_PN += "${PN}-build ${PN}-sign ${PN}-archive" + +RRECOMMENDS_${PN} += "rpm-build rpm-sign rpm-archive" + +FILES_${PN}-build = "\ + ${bindir}/rpmbuild \ + ${bindir}/gendiff \ + ${bindir}/rpmspec \ + ${libdir}/librpmbuild.so.* \ + ${libdir}/rpm/brp-* \ + ${libdir}/rpm/check-* \ + ${libdir}/rpm/debugedit \ + ${libdir}/rpm/sepdebugcrcfix \ + ${libdir}/rpm/find-debuginfo.sh \ + ${libdir}/rpm/find-lang.sh \ + ${libdir}/rpm/*provides* \ + ${libdir}/rpm/*requires* \ + ${libdir}/rpm/*deps* \ + ${libdir}/rpm/*.prov \ + ${libdir}/rpm/*.req \ + ${libdir}/rpm/config.* \ + ${libdir}/rpm/mkinstalldirs \ + ${libdir}/rpm/macros.p* \ + ${libdir}/rpm/fileattrs/* \ +" + +FILES_${PN}-sign = "\ + ${bindir}/rpmsign \ + ${libdir}/librpmsign.so.* \ +" + +FILES_${PN}-archive = "\ + ${bindir}/rpm2archive \ +" + +PACKAGES += "python3-rpm" +PROVIDES += "python3-rpm" +FILES_python3-rpm = "${PYTHON_SITEPACKAGES_DIR}/rpm/*" + +RDEPENDS_${PN}-build = "bash perl python3-core" + +PACKAGE_PREPROCESS_FUNCS += "rpm_package_preprocess" + +# Do not specify a sysroot when compiling on a target. +rpm_package_preprocess () { + sed -i -e 's:--sysroot[^ ]*::g' \ + ${PKGD}/${libdir}/rpm/macros +} -- cgit v1.2.3-54-g00ecf