diff --git a/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch b/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
new file mode 100644
index 0000000000000000000000000000000000000000..56c14dd686ad1209c62b0b7a501e8f735b62120a
--- /dev/null
+++ b/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
@@ -0,0 +1,89 @@
+From e3a5d056633677959ad924a51758876d415e7046 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+---
+ libcomps/src/comps_mradix.c | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c | 2 --
+ libcomps/src/comps_radix.c | 1 -
+ 4 files changed, 7 deletions(-)
+
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 8ef9640..dfdee8e 100644
+--- a/libcomps/src/comps_mradix.c
++++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9a2038b..22ad262 100644
+--- a/libcomps/src/comps_objmradix.c
++++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index c657b75..840592a 100644
+--- a/libcomps/src/comps_objradix.c
++++ b/libcomps/src/comps_objradix.c
+@@ -697,7 +697,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -716,7 +715,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ //printf("key-part:%s\n", parent_pair->key);
+ free(it);
+
+- //pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
++++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+--
+libgit2 0.28.2
+
diff --git a/0002-Python_ADDITIONAL_VERSIONS.patch b/0002-Python_ADDITIONAL_VERSIONS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09b8eb6006cbd147ceee8150e039f587248f79d1
--- /dev/null
+++ b/0002-Python_ADDITIONAL_VERSIONS.patch
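Review bot: The subject of 0001-Fix-UAF-in-comps_objmrtree_unite-function.patch names only comps_objmrtree_unite, yet its comps_mradix.c hunk removes the same live `pair->added = 0;` store from comps_mrtree_unite, so two functions carried the write this fix deletes (in comps_objradix.c the store was already commented out, and comps_radix.c only loses the unused field). In both, the store sits after `free(it);` and before the `for` that reassigns `pair` with `pair = malloc(sizeof(struct Pair));`, so on a repeated pass it presumably wrote through a pointer left over from the previous pass; the enclosing loop and the frees that would make that pointer dangling lie outside the hunks. I would state that scope in the patch description, for example `Also removes the same stale store from comps_mrtree_unite.`, so triage of the bug covers both code paths. The context lines also use the `malloc` result unchecked (`pair->subnodes = ...` directly after the allocation), which this patch leaves as is.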
@@ -0,0 +1,21 @@
+diff -Naur a/libcomps/src/python/CMakeLists.txt b/libcomps/src/python/CMakeLists.txt
+--- a/libcomps/src/python/CMakeLists.txt 2019-03-11 08:09:27.000000000 +0100
++++ b/libcomps/src/python/CMakeLists.txt 2019-11-13 11:42:40.918533734 +0100
+@@ -1,6 +1,6 @@
+-include(tests/tests.cmake)
+ #include(pycopy.cmake)
+ include(pversion.cmake)
++include(tests/tests.cmake)
+ set(pycopy "py${pversion}-copy")
+
+ set (pycomps_TESTSDIR "${CMAKE_CURRENT_SOURCE_DIR}/tests/")
+diff -Naur a/libcomps/src/python/pversion.cmake b/libcomps/src/python/pversion.cmake
+--- a/libcomps/src/python/pversion.cmake 2019-03-11 08:09:27.000000000 +0100
++++ b/libcomps/src/python/pversion.cmake 2019-11-13 09:56:12.127189225 +0100
+@@ -7,5 +7,6 @@
+ set(pversion 2)
+ else()
+ message("Building for python3")
++ set(Python_ADDITIONAL_VERSIONS 3.4 3.5 3.6 3.7 3.8)
+ set(pversion 3)
+ endif()
diff --git a/libcomps-0.1.8.tar.gz b/libcomps-0.1.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e8b73d4a384bd125fcce9525e32d28266e3c5ba5
Binary files /dev/null and b/libcomps-0.1.8.tar.gz differ
diff --git a/libcomps.spec b/libcomps.spec
new file mode 100644
index 0000000000000000000000000000000000000000..0389abf8450669272b68d83c0416e6e050ed6871
--- /dev/null
+++ b/libcomps.spec
@@ -0,0 +1,312 @@
+%bcond_without python3
+
+Name: libcomps
+Version: 0.1.8
+Release: 14%{?dist}
+Summary: Comps XML file manipulation library
+
+License: GPLv2+
+URL: https://github.com/rpm-software-management/libcomps
+Source0: %{url}/archive/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch1: 0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
+Patch2: 0002-Python_ADDITIONAL_VERSIONS.patch
+
+BuildRequires: cmake
+BuildRequires: gcc
+BuildRequires: libxml2-devel
+BuildRequires: check-devel
+BuildRequires: expat-devel
+
+%description
+Libcomps is library for structure-like manipulation with content of
+comps XML files. Supports read/write XML file, structure(s) modification.
+
+%package devel
+Summary: Development files for libcomps library
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+Development files for libcomps library.
+
+%package doc
+Summary: Documentation files for libcomps library
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+BuildRequires: doxygen
+
+%description doc
+Documentation files for libcomps library.
+
+%package -n python-%{name}-doc
+Summary: Documentation files for python bindings libcomps library
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+BuildRequires: python-sphinx
+
+%description -n python-%{name}-doc
+Documentation files for python bindings libcomps library.
+
+%package -n python2-%{name}
+Summary: Python 2 bindings for libcomps library
+%{?python_provide:%python_provide python2-%{name}}
+BuildRequires: python2-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description -n python2-%{name}
+Python 2 bindings for libcomps library.
+
+%if %{with python3}
+%package -n python3-%{name}
+Summary: Python 3 bindings for libcomps library
+BuildRequires: python3-devel
+%{?python_provide:%python_provide python3-%{name}}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Obsoletes: platform-python-%{name} < %{version}-%{release}
+
+%description -n python3-%{name}
+Python3 bindings for libcomps library.
+%endif
+
+%prep
+%autosetup -n %{name}-%{name}-%{version} -p1
+
+mkdir build
+
+%if %{with python3}
+mkdir build-py3
+%endif
+
+%build
+pushd build
+ %cmake ../libcomps/ -DPYTHON_DESIRED:STRING=2
+ %make_build
+ make %{?_smp_mflags} docs
+ make %{?_smp_mflags} pydocs
+popd
+
+%if %{with python3}
+pushd build-py3
+ %cmake ../libcomps/ -DPYTHON_DESIRED:STRING=3
+ %make_build
+popd
+%endif
+
+%install
+pushd build
+ %make_install
+popd
+
+%if %{with python3}
+pushd build-py3
+ %make_install
+popd
+%endif
+
+%check
+pushd build
+ make test
+popd
+%if %{with python3}
+pushd build-py3
+ make pytest
+popd
+%endif
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc README.md
+%{_libdir}/%{name}.so.*
+
+%files devel
+%{_libdir}/%{name}.so
+%{_includedir}/%{name}/
+
+%files doc
+%doc build/docs/libcomps-doc/html
+
+%files -n python-%{name}-doc
+%doc build/src/python/docs/html
+
+%files -n python2-%{name}
+%{python2_sitearch}/%{name}/
+
+%if %{with python3}
+%files -n python3-%{name}
+%{python3_sitearch}/%{name}/
+%endif
+
+%changelog
+* Wed Nov 27 2019 Ales Matej - 0.1.8-14
+- Add Python 3 bindings
+
+* Tue Oct 08 2019 Pavla Kratochvilova - 0.1.8-13
+- Fix UAF in comps_objmrtree_unite function (RhBug:1668683)
+
+* Mon Jun 11 2018 Marek Blaha - 0.1.8-12
+- Build for RHEL 7
+- Do not use %%ldconfig_scriptlets
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.1.8-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 31 2018 Igor Gnatenko - 0.1.8-10
+- Switch to %%ldconfig_scriptlets
+
+* Tue Nov 07 2017 Igor Gnatenko - 0.1.8-9
+- Use better Obsoletes for platform-python
+
+* Fri Nov 03 2017 Igor Gnatenko - 0.1.8-8
+- Remove platform-python subpackage
+
+* Fri Sep 01 2017 Igor Gnatenko - 0.1.8-7
+- Disable platform python on old releases
+
+* Thu Aug 10 2017 Lumír Balhar - 0.1.8-6
+- Add Platform Python subpackage (https://fedoraproject.org/wiki/Changes/Platform_Python_Stack)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 0.1.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.1.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.1.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Stratakis Charalampos - 0.1.8-2
+- Rebuild for Python 3.6
+
+* Thu Sep 22 2016 Igor Gnatenko - 0.1.8-1
+- Update to 0.1.8
+
+* Tue Aug 09 2016 Igor Gnatenko - 0.1.7-6
+- Add %%{?system_python_abi}
+
+* Tue Jul 19 2016 Fedora Release Engineering - 0.1.7-5
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue Apr 12 2016 Igor Gnatenko - 0.1.7-4
+- Adopt to new packaging guidelines
+- Use %%license macro
+- Fix file ownerships
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.1.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Oct 14 2015 Robert Kuska - 0.1.7-2
+- Rebuilt for Python3.5 rebuild
+
+* Thu Jul 02 2015 Jindrich Luza 0.1.7
+- added langpacks to union process
+- comps DOCTYPE read-write-read fix
+- support biarchonly attribute
+- fixed rhbz#1073885 rhbz#1073890 rhbz#1073907 rhbz#1073979
+- fix rhbz#1073079
+- comps_*_match() now support fnmatching
+- added libpycomps.MATCH_IGNORECASE as matching flag
+- added group.packages_match
+- added comps.groups_match, comps.categories_match, comps.entironments_match
+- PyCOMPS_Package hash
+- cmake-2.6, python-2.6, RHEL-6 compatible
+- '_arch' attribute change to 'arch'
+- empty 'arch' attribute will be ommited from output from now
+
+* Wed Jan 29 2014 Jindrich Luza 0.1.6
+- version bumped
+- added libcomps.MDict.keys()
+- libcomps.MDict.values()
+- libcomps.MDict.items()
+- libcomps.MDict.clear()
+- libcomps.MDict.update()
+- libcomps.MDict.copy()
+- COMPS_List replaced with COMPS_HSList
+- added missing basearchonly to DocGroupPackage
+- python3/CMakeLists.txt fixed
+- added explicit attributes support for xml options
+- added arch_filter test for python
+- insert method in libcomps.Sequence
+- Unioning is now accomplished with replace x append policy
+- Weaker package equality check (comparing only name now)
+- Fixed leeks in unioning
+- modified test_merge_comps test_libcomps
+- dictionaries are now storing keys in alphabetical order
+- comps parser redesigned
+- change python/tests directory composition
+- added elem attributes check in parser
+- xml output '_arch' attribute support
+- parser and xml output defaults options for specify defaults values
+- comps object validation in python
+- added validity checker before append/set object to list (python only)
+- .validate() method
+- added libcomps.Dict.keys
+- libcomps.Dict.values
+- libcomps.Dict.items
+- libcomps.Dict.clear
+- libcomps.Dict.update
+- libcomps.Dict.copy
+- added xml output options (comps.xml_str([options = {}]), comps.xml_f(options = {}))
+
+* Wed Oct 23 2013 Jindrich Luza 0.1.4-4
+- group.uservisible is true by default now.
+- fixed comps_mobjradix parent node problem
+- implemented bindings for blacklist, whiteout and langpacks
+- COMPS_Logger redesigned
+
+* Tue Oct 08 2013 Jindrich Luza 0.1.5
+- version bump
+- PyCOMPS_Sequence.__getitem__["objectid"] implemented for libcomps.GroupList, libcomps.CategoryList, libcomps.EnvList
+- added missing files
+- missing display_order fix for libcomps.Environment
+
+* Tue Oct 01 2013 Jindrich Luza 0.1.4
+- added missing files
+- architectural redesign finished
+- fixed #1003986 by Gustavo Luiz Duarte guidelines (but not tested on ppc)
+- fixed bug #1000449
+- fixed bug #1000442
+- added GroupId.default test
+- some minor unreported bugs discovered during testing fixed
+- finished default attribute support in groupid object
+- Comps.get_last_parse_errors and Comps.get_last_parse_log has been renamed
+- as Comps.get_last_errors and Comps.get_last_log
+- version bumped. Python bindings is now easier.
+- added missing files
+
+* Tue Aug 20 2013 Jindrich Luza 0.1.3
+- finished default attribute support in groupid object
+- Comps.get_last_parse_errors and Comps.get_last_parse_log has been renamed
+- as Comps.get_last_errors and Comps.get_last_log
+- finished default attribute support in groupid object
+- Comps.get_last_parse_errors and Comps.get_last_parse_log has been renamed
+- as Comps.get_last_errors and Comps.get_last_log
+
+* Thu Jul 18 2013 Jindrich Luza 0.1.2
+- automatic changelog system
+- fixed issue #14
+- libcomps.Dict is now behave more like python dict. Implemented iter(libcomps.Dict)
+- libcomps.iteritems() and libcomps.itervalues()
+- remaked error reporting system.
+- libcomps.Comps.fromxml_f and libcomps.Comps.fromxml_str now return
+- -1, 0 or 1. 0 means parse procedure completed without any problem,
+- 1 means there's some errors or warnings but not fatal. -1 indicates
+- fatal error problem (some results maybe given, but probably incomplete
+- and invalid)
+- errors catched during parsing can be obtained by calling
+- libcomps.Comps.get_last_parse_errors
+- all log is given by
+- libcomps.Comps.get_last_parse_log
+- prop system complete
+- fixed issue 1
+- fixed issue 3
+- added support
+- new prop system in progress....
+- separated doc package
+- some minor fixes in CMakeFiles
+- improved integrated tests
+
+* Tue Jun 25 2013 Jindrich Luza 0.1.1-1
+- Automatic commit of package [libcomps] release [0.1.1-1].
+
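Review bot: `Patch1:` and `Patch2:` carry no comment on where each patch comes from, so the only tie between the use-after-free fix and its bug is the 0.1.8-13 `%changelog` entry. A line such as `# RhBug:1668683, commit e3a5d056633677959ad924a51758876d415e7046` above `Patch1:` (the id is the one in the patch's `From` line) and a one-line purpose above `Patch2:`, whose patch file has no description of its own, would let a later rebase tell which patches can be dropped. In `%check`, `make pytest` runs only in `build-py3`, so the Python 2 bindings built from the same patched sources are packaged without their binding tests being run; if that target exists in the Python 2 build, adding `make pytest` inside the `pushd build` block would cover it.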