diff --git a/Avoid-segfaulting-when-the-kernel-is-ahead-of-libcap.patch b/Avoid-segfaulting-when-the-kernel-is-ahead-of-libcap.patch deleted file mode 100644 index 4cfdf76210225c5a1fe036baf1f86df4fcd65202..0000000000000000000000000000000000000000 --- a/Avoid-segfaulting-when-the-kernel-is-ahead-of-libcap.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 2f72ffb7c9f28fbd143010dd68730b73ad1596f4 Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Sat, 2 May 2020 17:10:25 -0700 -Subject: [PATCH] Avoid segfaulting when the kernel is ahead of libcap. - -Fixes bug report from Heiner Kallweit: - - https://bugzilla.kernel.org/show_bug.cgi?id=207549 - -This bug was triggered when the kernel being run knows about -more capabilities than the running build of libcap does. The -issue is that in two places libcap assumed that _cap_names[] -was long enough to name cap_max_bits() worth of capabilities. - -Signed-off-by: Andrew G. Morgan ---- - libcap/cap_text.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/libcap/cap_text.c b/libcap/cap_text.c -index 00fbbc6..8ea4b05 100644 ---- a/libcap/cap_text.c -+++ b/libcap/cap_text.c -@@ -57,8 +57,9 @@ static char const *namcmp(char const *str, char const *nam) - } - - /* -- * forceall forces all of the named capabilities to be assigned the -- * masked value, and zeroed otherwise. -+ * forceall forces all of the kernel named capabilities to be assigned -+ * the masked value, and zeroed otherwise. Note, if the kernel is ahead -+ * of libcap, the upper bits will be referred to by number. - */ - static void forceall(__u32 *flat, __u32 value, unsigned blks) - { -@@ -112,13 +113,16 @@ static int lookupname(char const **strp) - } - #else /* ie., ndef GPERF_DOWNCASE */ - char const *s; -- unsigned n; -- -- for (n = cap_max_bits(); n--; ) -+ unsigned n = cap_max_bits(); -+ if (n > __CAP_BITS) { -+ n = __CAP_BITS; -+ } -+ while (n--) { - if (_cap_names[n] && (s = namcmp(str.constp, _cap_names[n]))) { - *strp = s; - return n; - } -+ } - #endif /* def GPERF_DOWNCASE */ - - return -1; /* No definition available */ --- -2.27.GIT - diff --git a/backport-capsh-better-error-handling-for-integer-parsing.patch b/backport-capsh-better-error-handling-for-integer-parsing.patch deleted file mode 100644 index 57506e69cfc88d33a942202f1c4535f2710c0f3c..0000000000000000000000000000000000000000 --- a/backport-capsh-better-error-handling-for-integer-parsing.patch +++ /dev/null @@ -1,141 +0,0 @@ -From 9c4997d6592e5daf046a6968ac83cf615c51fbe1 Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Sat, 6 Nov 2021 08:45:06 -0700 -Subject: [PATCH] capsh: better error handling for integer parsing. - -Bug reported by meitingli: - - https://bugzilla.kernel.org/show_bug.cgi?id=214911 - -Signed-off-by: Andrew G. Morgan ---- - progs/capsh.c | 49 ++++++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 40 insertions(+), 9 deletions(-) - -diff --git a/progs/capsh.c b/progs/capsh.c -index 2295359..4f568c3 100644 ---- a/progs/capsh.c -+++ b/progs/capsh.c -@@ -40,6 +40,35 @@ - - #define MAX_GROUPS 100 /* max number of supplementary groups for user */ - -+/* parse a non-negative integer with some error handling */ -+static unsigned long nonneg_uint(const char *text, const char *prefix, int *ok) -+{ -+ char *remains; -+ unsigned long value; -+ ssize_t len = strlen(text); -+ -+ if (len == 0 || *text == '-') { -+ goto fail; -+ } -+ value = strtoul(text, &remains, 0); -+ if (*remains) { -+ goto fail; -+ } -+ if (ok != NULL) { -+ *ok = 1; -+ } -+ return value; -+ -+fail: -+ if (ok == NULL) { -+ fprintf(stderr, "%s: want non-negative integer, got \"%s\"\n", -+ prefix, text); -+ exit(1); -+ } -+ *ok = 0; -+ return 0; -+} -+ - static char *binary(unsigned long value) - { - static char string[8*sizeof(unsigned long) + 1]; -@@ -667,7 +696,7 @@ int main(int argc, char *argv[], char *envp[]) - unsigned value; - int set; - -- value = strtoul(argv[i]+7, NULL, 0); -+ value = nonneg_uint(argv[i]+7, "invalid --keep value", NULL); - set = prctl(PR_SET_KEEPCAPS, value); - if (set < 0) { - fprintf(stderr, "prctl(PR_SET_KEEPCAPS, %u) failed: %s\n", -@@ -724,7 +753,7 @@ int main(int argc, char *argv[], char *envp[]) - } else if (!strncmp("--secbits=", argv[i], 10)) { - unsigned value; - int status; -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --secbits value", NULL); - status = cap_set_secbits(value); - if (status < 0) { - fprintf(stderr, "failed to set securebits to 0%o/0x%x\n", -@@ -737,8 +766,9 @@ int main(int argc, char *argv[], char *envp[]) - fprintf(stderr, "already forked\n"); - exit(1); - } -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --forkfor value", NULL); - if (value == 0) { -+ fprintf(stderr, "require non-zero --forkfor value\n"); - goto usage; - } - child = fork(); -@@ -753,7 +783,8 @@ int main(int argc, char *argv[], char *envp[]) - pid_t result; - unsigned value; - -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --killit signo value", -+ NULL); - if (!child) { - fprintf(stderr, "no forked process to kill\n"); - exit(1); -@@ -779,7 +810,7 @@ int main(int argc, char *argv[], char *envp[]) - unsigned value; - int status; - -- value = strtoul(argv[i]+6, NULL, 0); -+ value = nonneg_uint(argv[i]+6, "invalid --uid value", NULL); - status = setuid(value); - if (status < 0) { - fprintf(stderr, "Failed to set uid=%u: %s\n", -@@ -790,7 +821,7 @@ int main(int argc, char *argv[], char *envp[]) - unsigned value; - int status; - -- value = strtoul(argv[i]+10, NULL, 0); -+ value = nonneg_uint(argv[i]+10, "invalid --cap-uid value", NULL); - status = cap_setuid(value); - if (status < 0) { - fprintf(stderr, "Failed to cap_setuid(%u): %s\n", -@@ -801,7 +832,7 @@ int main(int argc, char *argv[], char *envp[]) - unsigned value; - int status; - -- value = strtoul(argv[i]+6, NULL, 0); -+ value = nonneg_uint(argv[i]+6, "invalid --gid value", NULL); - status = setgid(value); - if (status < 0) { - fprintf(stderr, "Failed to set gid=%u: %s\n", -@@ -1009,7 +1040,7 @@ int main(int argc, char *argv[], char *envp[]) - } else if (!strncmp("--is-uid=", argv[i], 9)) { - unsigned value; - uid_t uid; -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --is-uid value", NULL); - uid = getuid(); - if (uid != value) { - fprintf(stderr, "uid: got=%d, want=%d\n", uid, value); -@@ -1018,7 +1049,7 @@ int main(int argc, char *argv[], char *envp[]) - } else if (!strncmp("--is-gid=", argv[i], 9)) { - unsigned value; - gid_t gid; -- value = strtoul(argv[i]+9, NULL, 0); -+ value = nonneg_uint(argv[i]+9, "invalid --is-gid value", NULL); - gid = getgid(); - if (gid != value) { - fprintf(stderr, "gid: got=%d, want=%d\n", gid, value); --- -1.8.3.1 - diff --git a/backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch b/backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch deleted file mode 100644 index 11ee31629605f149cc7a204d6b41e37140851149..0000000000000000000000000000000000000000 --- a/backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 8e1e967bc8d99a3233d51f67f6b88620cdff78dc Mon Sep 17 00:00:00 2001 -From: "Andrew G. Morgan" -Date: Sat, 6 Nov 2021 08:02:20 -0700 -Subject: [PATCH] setcap: clean up error handling of the ns rootid argument. - -Bug reported by Artem S. Tashkinov: - -https://bugzilla.kernel.org/show_bug.cgi?id=214909 - -Signed-off-by: Andrew G. Morgan ---- - progs/setcap.c | 35 ++++++++++++++++++++++++++++++----- - 1 file changed, 30 insertions(+), 5 deletions(-) - -diff --git a/progs/setcap.c b/progs/setcap.c -index 442685d..fe985cd 100644 ---- a/progs/setcap.c -+++ b/progs/setcap.c -@@ -22,6 +22,35 @@ static void usage(void) - exit(1); - } - -+/* parse a positive integer with some error handling */ -+static unsigned long pos_uint(const char *text, const char *prefix, int *ok) -+{ -+ char *remains; -+ unsigned long value; -+ ssize_t len = strlen(text); -+ -+ if (len == 0 || *text == '-') { -+ goto fail; -+ } -+ value = strtoul(text, &remains, 0); -+ if (*remains || value == 0) { -+ goto fail; -+ } -+ if (ok != NULL) { -+ *ok = 1; -+ } -+ return value; -+ -+fail: -+ if (ok == NULL) { -+ fprintf(stderr, "%s: want positive integer, got \"%s\"\n", -+ prefix, text); -+ exit(1); -+ } -+ *ok = 0; -+ return 0; -+} -+ - #define MAXCAP 2048 - - static int read_caps(int quiet, const char *filename, char *buffer) -@@ -93,11 +122,7 @@ int main(int argc, char **argv) - exit(1); - } - --argc; -- rootid = (uid_t) atoi(*++argv); -- if (rootid+1 < 2) { -- fprintf(stderr, "invalid rootid!=0 of '%s'", *argv); -- exit(1); -- } -+ rootid = (uid_t) pos_uint(*++argv, "bad ns rootid", NULL); - continue; - } - --- -1.8.3.1 - diff --git a/libcap-2.32.tar.gz b/libcap-2.32.tar.gz deleted file mode 100644 index 1f258334f23f3d1be596f4a162f475ffa88d1493..0000000000000000000000000000000000000000 Binary files a/libcap-2.32.tar.gz and /dev/null differ diff --git a/libcap-2.61.tar.gz b/libcap-2.61.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..1b13c60c32f5fb0359708dd27c584bb036053db3 Binary files /dev/null and b/libcap-2.61.tar.gz differ diff --git a/libcap-buildflags.patch b/libcap-buildflags.patch index 63e6d639fb6fc8ee53f3e13b52de6204d88d98f5..c13c4a1271731fbe2ff813c33ddfdda3864ca637 100644 --- a/libcap-buildflags.patch +++ b/libcap-buildflags.patch @@ -1,34 +1,29 @@ From 11bdd43001c41d96769e437498bc57e8665ada2f Mon Sep 17 00:00:00 2001 From: zhangchenfeng Date: Fri, 17 Apr 2020 10:21:28 +0800 -Subject: [PATCH] bcap-2.32-buildflags +Subject: [PATCH] libcap-2.61-buildflags --- Make.Rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Make.Rules b/Make.Rules -index f02c770..b5d682b 100644 +index 70d5829..2160012 100644 --- a/Make.Rules +++ b/Make.Rules -@@ -50,7 +50,7 @@ KERNEL_HEADERS := $(topdir)/libcap/include/uapi - IPATH += -fPIC -I$(KERNEL_HEADERS) -I$(topdir)/libcap/include - - CC := gcc --CFLAGS := -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -+CFLAGS := $(RPM_OPT_FLAGS) -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 - BUILD_CC := $(CC) - BUILD_CFLAGS := $(CFLAGS) $(IPATH) - AR := ar -@@ -61,7 +61,7 @@ WARNINGS=-Wall -Wwrite-strings \ - -Wstrict-prototypes -Wmissing-prototypes \ - -Wnested-externs -Winline -Wshadow - LD=$(CC) -Wl,-x -shared --LDFLAGS := #-g -+LDFLAGS := $(RPM_LD_FLAGS) #-g - LIBCAPLIB := -L$(topdir)/libcap -lcap - LIBPSXLIB := -L$(topdir)/libcap -lpsx -lpthread +@@ -81,10 +81,10 @@ WARNINGS=-Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align \ + -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs \ + -Winline -Wshadow -Wunreachable-code + COPTS ?= -O2 +-CFLAGS ?= $(COPTS) $(DEBUG) ++CFLAGS ?= $(RPM_OPT_FLAGS) $(DEBUG) + CFLAGS += $(WARNINGS) + CPPFLAGS += -Dlinux $(DEFINES) $(LIBCAP_INCLUDES) +-LDFLAGS ?= # -g ++LDFLAGS ?= $(RPM_OPT_FLAGS) + BUILD_CC ?= $(CC) + BUILD_LD ?= $(BUILD_CC) -Wl,-x -shared -- 1.8.3.1 diff --git a/libcap.spec b/libcap.spec index 787737f01dd5d71e8d28f384f048410be0c084b2..ee2fedb521f62c5a185c0c438141db08f9de96f7 100644 --- a/libcap.spec +++ b/libcap.spec @@ -1,15 +1,12 @@ Name: libcap -Version: 2.32 -Release: 3 +Version: 2.61 +Release: 1 Summary: A library for getting and setting POSIX.1e draft 15 capabilities License: GPLv2 URL: https://sites.google.com/site/fullycapable Source0: https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/%{name}-%{version}.tar.gz Patch0: libcap-buildflags.patch -Patch1: Avoid-segfaulting-when-the-kernel-is-ahead-of-libcap.patch -Patch2: backport-capsh-better-error-handling-for-integer-parsing.patch -Patch3: backport-setcap-clean-up-error-handling-of-the-ns-rootid-argument.patch BuildRequires: libattr-devel pam-devel perl-interpreter gcc @@ -40,6 +37,9 @@ mkdir -p %{buildroot}/%{_mandir}/man{2,3,8} mv -f doc/*.3 %{buildroot}/%{_mandir}/man3/ chmod +x %{buildroot}/%{_libdir}/*.so.* +%check +%make_build COPTS="%{optflags}" test + %pre %preun @@ -70,6 +70,9 @@ chmod +x %{buildroot}/%{_libdir}/*.so.* %{_mandir}/man8/*.gz %changelog +* Fri Dec 24 2021 yixiangzhike - 2.61-1 +- update to 2.61 + * Mon Nov 8 2021 yixiangzhike - 2.32-3 - capsh better error handling for integer parsing - setcap clean up error handling of the ns rootid argument