Diffstat (limited to 'app-admin/augeas/files')
-rw-r--r-- | app-admin/augeas/files/augeas-0.10.0-gets.patch | 15 | ||||
-rw-r--r-- | app-admin/augeas/files/augeas-0.10.0-libxml2-pkgconfig.patch | 24 | ||||
-rw-r--r-- | app-admin/augeas/files/augeas-0.10.0-test.patch | 56 | ||||
-rw-r--r-- | app-admin/augeas/files/augeas-0.10.0-test2.patch | 49 | ||||
-rw-r--r-- | app-admin/augeas/files/cve-2017-7555.patch | 159 | ||||
-rw-r--r-- | app-admin/augeas/files/cve-bunch-of-them-symlink.patch | 76 |
6 files changed, 379 insertions, 0 deletions
diff --git a/app-admin/augeas/files/augeas-0.10.0-gets.patch b/app-admin/augeas/files/augeas-0.10.0-gets.patch new file mode 100644 index 000000000000..5f754955be6c --- /dev/null +++ b/app-admin/augeas/files/augeas-0.10.0-gets.patch @@ -0,0 +1,15 @@ + gnulib/lib/stdio.in.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/gnulib/lib/stdio.in.h b/gnulib/lib/stdio.in.h +index 9091497..fa7e3fb 100644 +--- a/gnulib/lib/stdio.in.h ++++ b/gnulib/lib/stdio.in.h +@@ -162,7 +162,6 @@ _GL_WARN_ON_USE (fflush, "fflush is not always POSIX compliant - " + so any use of gets warrants an unconditional warning. Assume it is + always declared, since it is required by C89. */ + #undef gets +-_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead"); + + #if @GNULIB_FOPEN@ + # if @REPLACE_FOPEN@ diff --git a/app-admin/augeas/files/augeas-0.10.0-libxml2-pkgconfig.patch b/app-admin/augeas/files/augeas-0.10.0-libxml2-pkgconfig.patch new file mode 100644 index 000000000000..aaa418670154 --- /dev/null +++ b/app-admin/augeas/files/augeas-0.10.0-libxml2-pkgconfig.patch @@ -0,0 +1,24 @@ +From b41deef293841da50a236023bad486ea3f57e4dc Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" <rjones@redhat.com> +Date: Sat, 3 Dec 2011 14:21:50 +0000 +Subject: [PATCH] pkg-config: Augeas requires libxml2. + +--- + augeas.pc.in | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/augeas.pc.in b/augeas.pc.in +index c97847d..9e166db 100644 +--- a/augeas.pc.in ++++ b/augeas.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: augeas + Version: @VERSION@ + Description: Augeas configuration editing library +-Requires: ++Requires.private: libxml-2.0 + Libs: -L${libdir} -laugeas @LIBS@ + Cflags: -I${includedir} +-- +1.7.6 + diff --git a/app-admin/augeas/files/augeas-0.10.0-test.patch b/app-admin/augeas/files/augeas-0.10.0-test.patch new file mode 100644 index 000000000000..e2630014f29a --- /dev/null +++ b/app-admin/augeas/files/augeas-0.10.0-test.patch 
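Review bot: The augeas-0.10.0-gets.patch hunk deletes `_GL_WARN_ON_USE (gets, ...)` from gnulib/lib/stdio.in.h but keeps the comment above `#undef gets` that says any use of gets warrants an unconditional warning, and the patch file has no header explaining why the diagnostic is dropped. If the intent is to build against a libc that no longer declares gets (an inference; nothing on the page says so), state that at the top of the patch, e.g. `Drop the gets warning: it does not compile where <stdio.h> no longer declares gets.` A guarded form such as `#if HAVE_RAW_DECL_GETS` around the warning would keep it on systems that still declare gets, provided the bundled gnulib's configure checks define that macro, which is not visible here.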
@@ -0,0 +1,56 @@ +From 075f8d35497fb36d9193e5364c055049c66fa5eb Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel <lubo.rintel@gooddata.com> +Date: Mon, 9 Jan 2012 18:52:11 +0100 +Subject: [PATCH 1/2] Allow JSON number literals to be followed by whitespace + +Add a test case. + +Fixes https://fedorahosted.org/augeas/ticket/247 +--- + AUTHORS | 1 + + lenses/json.aug | 2 +- + lenses/tests/test_json.aug | 3 +++ + 3 files changed, 5 insertions(+), 1 deletions(-) + +diff --git a/AUTHORS b/AUTHORS +index df63f95..e7870f2 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -44,6 +44,7 @@ Contributions by: + Bill Pemberton <wfp5p@virginia.edu> + Alan Pevec <apevec@redhat.com> + Robin Lee Powell <rlpowell@digitalkingdom.org> ++ Lubomir Rintel <lubo.rintel@gooddata.com> + Roman Rakus <rrakus@redhat.com> + Satoru SATOH <satoru.satoh@gmail.com> + Nicolas Valcárcel Scerpella <nvalcarcel@ubuntu.com> +diff --git a/lenses/json.aug b/lenses/json.aug +index c22ad90..6ceab09 100644 +--- a/lenses/json.aug ++++ b/lenses/json.aug +@@ -29,7 +29,7 @@ let str_store = + let q = del "\"" "\"" in + q . store /[^"]*/ . q . ws (* " Emacs, relax *) + +-let number = [ label "number" . store /-?[0-9]+(\.[0-9]+)?([eE][+-]?[0-9]+)?/ ] ++let number = [ label "number" . store /-?[0-9]+(\.[0-9]+)?([eE][+-]?[0-9]+)?/ . ws ] + let str = [ label "string" . str_store ] + + let const (r:regexp) = [ label "const" . store r . ws ] +diff --git a/lenses/tests/test_json.aug b/lenses/tests/test_json.aug +index 0bcd25d..d8b7fa8 100644 +--- a/lenses/tests/test_json.aug ++++ b/lenses/tests/test_json.aug +@@ -8,6 +8,9 @@ test lns get "true" = { "const" = "true" } + + test lns get "3.141" = { "number" = "3.141" } + ++test lns get "{ \"key\" : 666 }" = ++ { "dict" { "entry" = "key" { "number" = "666" } } } ++ + test lns get "[true, 0, \"yo\"]" = + { "array" { "const" = "true" } { "number" = "0" } { "string" = "yo" } } + +-- +1.7.7.5 + 
diff --git a/app-admin/augeas/files/augeas-0.10.0-test2.patch b/app-admin/augeas/files/augeas-0.10.0-test2.patch new file mode 100644 index 000000000000..743ccfdce1fc --- /dev/null +++ b/app-admin/augeas/files/augeas-0.10.0-test2.patch @@ -0,0 +1,49 @@ +From 100a7b38222a63c6435a72b4974b55f39a28989e Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel <lubo.rintel@gooddata.com> +Date: Mon, 9 Jan 2012 19:24:41 +0100 +Subject: [PATCH 2/2] Correctly parse empty object and arrays in JSON + +Add a test case. +Fix from David Lutterkort <lutter@redhat.com>. + +https://fedorahosted.org/augeas/ticket/248 +--- + lenses/json.aug | 4 ++-- + lenses/tests/test_json.aug | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lenses/json.aug b/lenses/json.aug +index 6ceab09..2645806 100644 +--- a/lenses/json.aug ++++ b/lenses/json.aug +@@ -37,9 +37,9 @@ let const (r:regexp) = [ label "const" . store r . ws ] + let value0 = str | number | const /true|false|null/ + + let fix_value (value:lens) = +- let array = [ label "array" . lbrack . Build.opt_list value comma . rbrack ] in ++ let array = [ label "array" . lbrack . (Build.opt_list value comma)? . rbrack ] in + let pair = [ label "entry" . str_store . colon . value ] in +- let obj = [ label "dict" . lbrace . Build.opt_list pair comma . rbrace ] in ++ let obj = [ label "dict" . lbrace . (Build.opt_list pair comma)? . rbrace ] in + (str | number | obj | array | const /true|false|null/) + + (* Typecheck finitely deep nesting *) +diff --git a/lenses/tests/test_json.aug b/lenses/tests/test_json.aug +index d8b7fa8..aec7d4c 100644 +--- a/lenses/tests/test_json.aug ++++ b/lenses/tests/test_json.aug +@@ -30,6 +30,11 @@ test lns get "{ \"0\": true, \"1\":false }" = + test lns get "{\"menu\": \"entry one\"}" = + { "dict" { "entry" = "menu" { "string" = "entry one" } } } + ++test lns get "[ ]" = ++ { "array" } ++ ++test lns get "{}" = ++ { "dict" } + + let s = "{\"menu\": { + \"id\": \"file\", +-- +1.7.7.5 + 
diff --git a/app-admin/augeas/files/cve-2017-7555.patch b/app-admin/augeas/files/cve-2017-7555.patch new file mode 100644 index 000000000000..aaacdc2674c0 --- /dev/null +++ b/app-admin/augeas/files/cve-2017-7555.patch 
@@ -0,0 +1,159 @@ +From 4cca923b732990bec0c699b2e69911c2221b2498 Mon Sep 17 00:00:00 2001 +From: David Lutterkort <lutter@watzmann.net> +Date: Fri, 4 Aug 2017 17:13:52 -0700 +Subject: [PATCH] * src/pathx.c (parse_name): correctly handle trailing + whitespace in names + +When a name ended in whitespace, we incorrectly assumed it was always ok to +trim that whitespace. That is not true if that whitespace is escaped, +i.e. if the path expression is something like '/x\ '. In that case, the +name really needs to be literally 'x ', i.e., we can not trim that +whitespace. + +The incorrect behavior led to turning '/x\ ' first into 'x\' and then, +because we assume that '\' is always followed by a character inside the +string, when we removed the escaping '\', we would read beyond the end of +the intermediate string result; if we were lucky, that would lead to a +crash, otherwise we'd continue with junk. + +We now make sure that escaped whitespace at the end of a string does not +get stripped, avoiding all these headaches. + +Fixes RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1475621 +--- + src/pathx.c | 27 +++++++++++++++++++------ + tests/test-xpath.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+), 6 deletions(-) + +diff --git a/src/pathx.c b/src/pathx.c +index d292cb30..9a2f9c76 100644 +--- a/src/pathx.c ++++ b/src/pathx.c +@@ -1710,6 +1710,16 @@ int pathx_escape_name(const char *in, char **out) { + return 0; + } + ++/* Return true if POS is preceded by an odd number of backslashes, i.e., if ++ * POS is escaped. Stop the search when we get to START */ ++static bool backslash_escaped(const char *pos, const char *start) { ++ bool result=false; ++ while (pos-- > start && *pos == '\\') { ++ result = !result; ++ } ++ return result; ++} ++ + /* + * NameNoWS ::= [^][|/\= \t\n] | \\. + * NameWS ::= [^][|/\=] | \\. 
+@@ -1719,11 +1729,14 @@ static char *parse_name(struct state *state) { + const char *s = state->pos; + char *result; + ++ /* Advance state->pos until it points to the first character that is ++ * not part of a name. */ + while (*state->pos != '\0' && strchr(name_follow, *state->pos) == NULL) { +- /* This is a hack: since we allow spaces in names, we need to avoid +- * gobbling up stuff that is in follow(Name), e.g. 'or' so that +- * things like [name1 or name2] still work. +- */ ++ /* Since we allow spaces in names, we need to avoid gobbling up ++ * stuff that is in follow(Name), e.g. 'or' so that things like ++ * [name1 or name2] still work. In other words, we'll parse 'x frob ++ * y' as one name, but for 'x or y', we consider 'x' a name in its ++ * own right. */ + if (STREQLEN(state->pos, " or ", strlen(" or ")) || + STREQLEN(state->pos, " and ", strlen(" and "))) + break; +@@ -1738,10 +1751,12 @@ static char *parse_name(struct state *state) { + state->pos += 1; + } + +- /* Strip trailing white space */ ++ /* Strip trailing white space. Make sure we respect escaped whitespace ++ * and don't strip it as in "x\\ " */ + if (state->pos > s) { + state->pos -= 1; +- while (isspace(*state->pos) && state->pos >= s) ++ while (isspace(*state->pos) && state->pos > s ++ && !backslash_escaped(state->pos, s)) + state->pos -= 1; + state->pos += 1; + } +diff --git a/tests/test-xpath.c b/tests/test-xpath.c +index 3e418e5f..82986474 100644 +--- a/tests/test-xpath.c ++++ b/tests/test-xpath.c +@@ -355,6 +355,62 @@ static int test_wrong_regexp_flag(struct augeas *aug) { + return -1; + } + ++static int test_trailing_ws_in_name(struct augeas *aug) { ++ int r; ++ ++ printf("%-30s ... ", "trailing_ws_in_name"); ++ ++ /* We used to incorrectly lop escaped whitespace off the end of a ++ * name. Make sure that we really create a tree node with label 'x ' ++ * with the below set, and look for it in a number of ways to ensure we ++ * are not lopping off trailing whitespace. 
*/ ++ r = aug_set(aug, "/ws\\ ", "1"); ++ if (r < 0) { ++ fprintf(stderr, "failed to set '/ws ': %d\n", r); ++ goto fail; ++ } ++ /* We did not create a node with label 'ws' */ ++ r = aug_get(aug, "/ws", NULL); ++ if (r != 0) { ++ fprintf(stderr, "created '/ws' instead: %d\n", r); ++ goto fail; ++ } ++ ++ /* We did not create a node with label 'ws\t' (this also checks that we ++ * don't create something like 'ws\\' by dropping the last whitespace ++ * character. */ ++ r = aug_get(aug, "/ws\\\t", NULL); ++ if (r != 0) { ++ fprintf(stderr, "found '/ws\\t': %d\n", r); ++ goto fail; ++ } ++ ++ /* But we did create 'ws ' */ ++ r = aug_get(aug, "/ws\\ ", NULL); ++ if (r != 1) { ++ fprintf(stderr, "could not find '/ws ': %d\n", r); ++ goto fail; ++ } ++ ++ /* If the whitespace is preceded by an even number of '\\' chars, ++ * whitespace must be stripped */ ++ r = aug_set(aug, "/nows\\\\ ", "1"); ++ if (r < 0) { ++ fprintf(stderr, "set of '/nows' failed: %d\n", r); ++ goto fail; ++ } ++ r = aug_get(aug, "/nows\\\\", NULL); ++ if (r != 1) { ++ fprintf(stderr, "could not get '/nows\\'\n"); ++ goto fail; ++ } ++ printf("PASS\n"); ++ return 0; ++ fail: ++ printf("FAIL\n"); ++ return -1; ++} ++ + static int run_tests(struct test *tests, int argc, char **argv) { + char *lensdir; + struct augeas *aug = NULL; +@@ -398,6 +454,9 @@ static int run_tests(struct test *tests, int argc, char **argv) { + + if (test_wrong_regexp_flag(aug) < 0) + result = EXIT_FAILURE; ++ ++ if (test_trailing_ws_in_name(aug) < 0) ++ result = EXIT_FAILURE; + } + aug_close(aug); + free(lensdir); diff --git a/app-admin/augeas/files/cve-bunch-of-them-symlink.patch b/app-admin/augeas/files/cve-bunch-of-them-symlink.patch new file mode 100644 index 000000000000..3bd1d95ae42d --- /dev/null +++ b/app-admin/augeas/files/cve-bunch-of-them-symlink.patch 
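Review bot: The rewritten trim loop in parse_name (src/pathx.c) still calls `isspace(*state->pos)` on a plain `char`, which is undefined behaviour for bytes at or above 0x80 on platforms where `char` is signed, and path expressions are caller-supplied text. Since this patch already touches the line to close an out-of-bounds read, the cast belongs in the same change: `while (isspace((unsigned char) *state->pos) && state->pos > s`. The new test_trailing_ws_in_name only exercises ASCII space and tab, so it would not notice either way. parse_name starts before and continues past this hunk, and the ebuild that applies the patch is outside the shown diffstat, so whether the fix is actually wired in cannot be confirmed from this page.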
@@ -0,0 +1,76 @@ +From 051c73a9a7ffe9e525f6f0a1b8f5198ff8cc6752 Mon Sep 17 00:00:00 2001 +From: Dominic Cleal <dcleal@redhat.com> +Date: Sat, 11 Aug 2012 20:39:14 +0100 +Subject: [PATCH] Fix regression in permissions of created files + +Commit 16387744 changed temporary file creation to use mkstemp, resulting in +new files being created with 0600 permissions. For brand new files created +through Augeas, their permissions stayed at 0600 rather than being set by the +umask as before. + + * src/transform.c (transform_save): chmod after creating new files to + permissions implied by the umask +--- + src/transform.c | 10 ++++++++++ + tests/test-preserve.sh | 15 ++++++++++++++- + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/src/transform.c b/src/transform.c +index a3acd10..1ca3d5f 100644 +--- a/src/transform.c ++++ b/src/transform.c +@@ -1096,6 +1096,16 @@ int transform_save(struct augeas *aug, struct tree *xfm, + err_status = "xfer_attrs"; + goto done; + } ++ } else { ++ /* Since mkstemp is used, the temp file will have secure permissions ++ * instead of those implied by umask, so change them for new files */ ++ mode_t curumsk = umask(022); ++ umask(curumsk); ++ ++ if (fchmod(fileno(fp), 0666 - curumsk) < 0) { ++ err_status = "create_chmod"; ++ return -1; ++ } + } + + if (tree != NULL) +diff --git a/tests/test-preserve.sh b/tests/test-preserve.sh +index 042dab9..9719ac6 100755 +--- a/tests/test-preserve.sh ++++ b/tests/test-preserve.sh +@@ -59,9 +59,12 @@ if [ $selinux = yes -a xetc_t != "x$act_con" ] ; then + exit 1 + fi + +-# Check that we create new files without error ++# Check that we create new files without error and with permissions implied ++# from the umask + init_dirs + ++oldumask=$(umask) ++umask 0002 + $AUGTOOL > /dev/null <<EOF + set /files/etc/hosts/1/ipaddr 127.0.0.1 + set /files/etc/hosts/1/canonical host.example.com +@@ -71,6 +74,16 @@ if [ $? != 0 ] ; then + echo "augtool failed on new file" + exit 1 + fi ++if [ ! 
-e $hosts ]; then ++ echo "augtool didn't create new /etc/hosts file" ++ exit 1 ++fi ++act_mode=$(ls -l $hosts | cut -b 1-10) ++if [ x-rw-rw-r-- != "x$act_mode" ] ; then ++ echo "Expected mode 0664 due to $(umask) umask but got $act_mode" ++ exit 1 ++fi ++umask $oldumask + + # Check that we create new files without error when backups are requested + init_dirs +-- +1.8.5.1 + |
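Review bot: In the new `else` branch of transform_save, `fchmod(fileno(fp), 0666 - curumsk)` subtracts the umask arithmetically instead of masking it, so any umask with execute bits set borrows across permission digits: a umask of 077 yields 0567, i.e. a world-writable file. The line should read `if (fchmod(fileno(fp), 0666 & ~curumsk) < 0) {`. The added test-preserve.sh check uses `umask 0002`, where both forms give 0664, so a second case with a stricter umask such as 0077 is needed to catch this. The failure path uses `return -1;` where the branch just above uses `goto done;`, which presumably skips the cleanup of `fp` and the temp file (the `done` label is outside the hunk). The `umask(022); umask(curumsk);` pair also changes the process-wide umask for a moment, which matters if a multithreaded caller creates files concurrently. Lastly, the file is named cve-bunch-of-them-symlink.patch, but the only patch visible in it is this permissions-regression fix, which relaxes the 0600 mode from mkstemp. Commit 16387744, which its message cites, is not part of it.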