rpm: Upgrade to 4.18.0-rc1 to resolve CVE-2021-3521, CVE-2021-35938 and CVE-2021-35939 (#3697)

* Patch rpm CVE-2021-3521 and CVE-2021-35938

SPECS/grubby/0014-Fix-build-RPM-418.patch

@@ -0,0 +1,24 @@
+From d678047ee92332c3a2055be838311a5ac0913927 Mon Sep 17 00:00:00 2001
+From: Daniel McIlvaney <damcilva@microsoft.com>
+Date: Sun, 11 Sep 2022 11:42:54 -0700
+Subject: [PATCH] Include missing rpm 4.18.0 header rpmstring.h
+
+---
+ rpm-sort.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rpm-sort.c b/rpm-sort.c
+index f196356..b048c07 100644
+--- a/rpm-sort.c
++++ b/rpm-sort.c
+@@ -7,6 +7,7 @@
+ #include <assert.h>
+ #include <argp.h>
+ #include <rpm/rpmlib.h>
++#include <rpm/rpmstring.h>
+ #include <err.h>
+ 
+ typedef enum {
+-- 
+2.17.1
+

SPECS/grubby/grubby.spec

@@ -1,7 +1,7 @@
 Summary:        Command line tool for updating bootloader configs
 Name:           grubby
 Version:        8.40
-Release:        43%{?dist}
+Release:        44%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,6 +28,7 @@ Patch0010:      0010-Fix-GCC-warnings-about-possible-string-truncations-a.patch
 Patch0011:      0011-Fix-stringop-overflow-warning.patch
 Patch0012:      0012-Fix-maybe-uninitialized-warning.patch
 Patch0013:      0013-Fix-build-RPM-416.patch
+Patch0014:      0014-Fix-build-RPM-418.patch
 
 BuildRequires:  gcc
 BuildRequires:  glib2-devel
@@ -117,6 +118,9 @@ current boot environment.
 %{_mandir}/man8/*.8*
 
 %changelog
+* Sun Sep 11 2022 Daniel McIlvaney <damcilva@microsoft.com> - 8.40.44
+- Support rpm 4.18.0
+
 * Wed Apr 27 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 8.40-43
 - Removing redundant "#Source0" comment.
 

SPECS/openscap/openscap.spec

@@ -1,13 +1,14 @@
 Summary:        Open Source Security Compliance Solution
 Name:           openscap
 Version:        1.3.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Libraries
 URL:            https://www.open-scap.org
 Source0:        https://github.com/OpenSCAP/openscap/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         support_rpm_418.patch
 BuildRequires:  bzip2-devel
 BuildRequires:  cmake
 BuildRequires:  curl-devel
@@ -63,7 +64,7 @@ Requires:       openscap = %{version}-%{release}
 Python 3 bindings for %{name}.
 
 %prep
-%autosetup
+%autosetup -p1
 mkdir build
 
 %build
@@ -115,6 +116,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{python3_sitelib}/*
 
 %changelog
+* Sun Sep 11 2022 Daniel McIlvaney <damcilva@microsoft.com> - 1.3.5-3
+- Backport fix to support rpm 4.18.0 versions which moved headers around
+
 * Tue Dec 07 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.3.5-2
 - Using "xmlsec1" instead of "libxmlsec1" as dependency.
 - Fixing building Perl binding for new version.

SPECS/openscap/support_rpm_418.patch

@@ -0,0 +1,58 @@
+From 8dec1bb5e9546e75ae6e7b7cf94cf00197ce3e5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 24 May 2022 12:15:44 +0200
+Subject: [PATCH] Use correct includes
+
+rpmvercmp is defined in rpm/rpmver.h
+risdigit is defined in rpm/rpmstring.h
+
+Resolves: rhbz#2080210
+---
+ cmake/FindRPM.cmake                    | 3 +++
+ config.h.in                            | 1 +
+ src/OVAL/results/oval_cmp_evr_string.c | 5 +++++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/cmake/FindRPM.cmake b/cmake/FindRPM.cmake
+index a666942eae..369d153fcc 100644
+--- a/cmake/FindRPM.cmake
++++ b/cmake/FindRPM.cmake
+@@ -30,6 +30,9 @@ set(RPM_VERSION ${RPM_PKGCONF_VERSION})
+ if(RPM_VERSION)
+ 	string(COMPARE GREATER "4.6" ${RPM_VERSION} RPM46_FOUND)
+ 	string(COMPARE GREATER "4.7" ${RPM_VERSION} RPM47_FOUND)
++	if(NOT (RPM_VERSION VERSION_LESS "4.18"))
++		set(RPM418_FOUND 1)
++	endif()
+ endif()
+ 
+ # Set the include dir variables and the libraries and let libfind_process do the rest.
+diff --git a/config.h.in b/config.h.in
+index 1b72855822..bb1428afc8 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -44,6 +44,7 @@
+ #cmakedefine HAVE_RPMVERCMP
+ #cmakedefine RPM46_FOUND
+ #cmakedefine RPM47_FOUND
++#cmakedefine RPM418_FOUND
+ 
+ #cmakedefine BZIP2_FOUND
+ 
+diff --git a/src/OVAL/results/oval_cmp_evr_string.c b/src/OVAL/results/oval_cmp_evr_string.c
+index 3bfc8ce5f9..3ba0fa0cbd 100644
+--- a/src/OVAL/results/oval_cmp_evr_string.c
++++ b/src/OVAL/results/oval_cmp_evr_string.c
+@@ -37,7 +37,12 @@
+ #include "common/_error.h"
+ 
+ #ifdef HAVE_RPMVERCMP
++#ifdef RPM418_FOUND
++#include <rpm/rpmver.h>
++#include <rpm/rpmstring.h>
++#else
+ #include <rpm/rpmlib.h>
++#endif
+ #else
+ #ifdef OS_WINDOWS
+ #include <malloc.h>

SPECS/rpm/fix_RPM_GNUC_DEPRECATED_headers.patch

@@ -0,0 +1,50 @@
+From 1d35f0bc63c7bf9b558233b51bbec480238c44b9 Mon Sep 17 00:00:00 2001
+From: Daniel McIlvaney <damcilva@microsoft.com>
+Date: Sun, 11 Sep 2022 11:18:28 -0700
+Subject: [PATCH] Include RPM_GNUC_DEPRECATED before use in headers
+
+---
+ include/rpm/rpmfc.h      | 1 +
+ include/rpm/rpmkeyring.h | 1 +
+ include/rpm/rpmsq.h      | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/include/rpm/rpmfc.h b/include/rpm/rpmfc.h
+index dfc5841ed..1e80511f6 100644
+--- a/include/rpm/rpmfc.h
++++ b/include/rpm/rpmfc.h
+@@ -7,6 +7,7 @@
+  */
+ 
+ #include <rpm/rpmtypes.h>
++#include <rpm/rpmutil.h>
+ #include <rpm/argv.h>	/* for ARGV_t */
+ #include <rpm/rpmspec.h>	/* for Package */
+ 
+diff --git a/include/rpm/rpmkeyring.h b/include/rpm/rpmkeyring.h
+index ac1c0a6b3..1f597d240 100644
+--- a/include/rpm/rpmkeyring.h
++++ b/include/rpm/rpmkeyring.h
+@@ -9,6 +9,7 @@
+ 
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmpgp.h>
++#include <rpm/rpmutil.h>
+ 
+ #ifdef __cplusplus
+ extern "C" {
+diff --git a/include/rpm/rpmsq.h b/include/rpm/rpmsq.h
+index 048d9788c..50f9be327 100644
+--- a/include/rpm/rpmsq.h
++++ b/include/rpm/rpmsq.h
+@@ -7,6 +7,7 @@
+  * Signal Queue API (obsolete, do not use)
+  */
+ #include <rpm/rpmsw.h>
++#include <rpm/rpmutil.h>
+ #include <signal.h>
+ 
+ #ifdef __cplusplus
+-- 
+2.17.1
+

SPECS/rpm/remove-docs-from-makefile.patch

@@ -1,24 +1,26 @@
---- rpm-rpm-4.17.0-release/Makefile.am	2021-09-03 02:41:20.000000000 -0700
-+++ rpm-rpm-4.17.0-release/Makefile2	2021-09-23 15:21:16.362202512 -0700
-@@ -27,7 +27,7 @@
+diff --git a/Makefile.am b/Makefile.am
+index 7e7d4163d..4904dd591 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -26,7 +26,7 @@ EXTRA_DIST = ChangeLog CREDITS INSTALL \
+ BUILT_SOURCES =
  
  SUBDIRS = po misc
- SUBDIRS += luaext
 -SUBDIRS += rpmio lib sign build scripts fileattrs docs .
 +SUBDIRS += rpmio lib sign build scripts fileattrs .
  
  if ENABLE_PYTHON
  SUBDIRS += python
-@@ -41,7 +41,7 @@
+@@ -40,7 +40,7 @@ if HAVE_FAKECHROOT
  SUBDIRS += tests
  endif
  
--DIST_SUBDIRS = po misc luaext rpmio lib sign build python scripts fileattrs docs tests plugins
-+DIST_SUBDIRS = po misc luaext rpmio lib sign build python scripts fileattrs tests plugins
+-DIST_SUBDIRS = po misc rpmio lib sign build python scripts fileattrs docs tests plugins
++DIST_SUBDIRS = po misc rpmio lib sign build python scripts fileattrs tests plugins
  
  pkgconfigdir = $(libdir)/pkgconfig
  
-@@ -249,24 +249,6 @@
+@@ -259,24 +259,6 @@ uninstall-local:
  
  MAINTAINERCLEANFILES = ChangeLog
  
@@ -42,4 +44,4 @@
 -
  .PHONY: ci
  ci:
- 	podman build -t rpm -f ci/Dockerfile .
+ 	podman build -t rpm -f $(top_srcdir)/ci/Dockerfile $(top_srcdir)

SPECS/rpm/rpm.signatures.json

@@ -5,6 +5,6 @@
   "python.attr": "32eebee98c24edcc9524b4553cf05c0ec6707828fe14f76d250e294568e7091a",
   "pythondeps.sh": "1cc7665252eb845c7e4741ff3e832c78f54ffb05552f1cdb2d43d2c0cbf7c07d",
   "pythondistdeps.py": "f73f01bb78daa75d25d6581a6da40cf6f946654c5e9d166676036367307186d1",
-  "rpm-4.17.0-release.tar.gz": "2d8274d212b859b3ac90b276d462467ae2f8165143ef9f9e7ebfab77b1c7e272"
+  "rpm-4.18.0.tar.bz2": "2a17152d7187ab30edf2c2fb586463bdf6388de7b5837480955659e5e9054554"
  }
 }

SPECS/rpm/rpm.spec

@@ -1,13 +1,13 @@
 Summary:        Package manager
 Name:           rpm
-Version:        4.17.0
-Release:        9%{?dist}
+Version:        4.18.0
+Release:        1%{?dist}
 License:        GPLv2+ AND LGPLv2+ AND BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://rpm.org
-Source0:        https://github.com/rpm-software-management/rpm/archive/%{name}-%{version}-release.tar.gz
+Source0:        http://ftp.rpm.org/releases/%{name}-%(echo %{version} | cut -d'.' -f1-2).x/%{name}-%{version}.tar.bz2
 Source1:        brp-strip-debug-symbols
 Source2:        brp-strip-unneeded
 # The license for the files below is the same as for RPM as they have originally came from rpm.
@@ -15,17 +15,20 @@ Source2:        brp-strip-unneeded
 Source3:        https://git.centos.org/rpms/python-rpm-generators/raw/c8s/f/SOURCES/python.attr
 Source4:        https://git.centos.org/rpms/python-rpm-generators/raw/c8s/f/SOURCES/pythondeps.sh
 Source5:        https://git.centos.org/rpms/python-rpm-generators/raw/c8s/f/SOURCES/pythondistdeps.py
+Patch0:         remove-docs-from-makefile.patch
+Patch1:         define-RPM_LD_FLAGS.patch
+Patch2:         fix_RPM_GNUC_DEPRECATED_headers.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  debugedit
 BuildRequires:  elfutils-devel
-BuildRequires:  openssl-devel
 BuildRequires:  file-devel
 BuildRequires:  gettext
 BuildRequires:  libarchive-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libselinux-devel
 BuildRequires:  lua-devel
+BuildRequires:  openssl-devel
 BuildRequires:  popt-devel
 BuildRequires:  python3-devel
 BuildRequires:  sqlite-devel
@@ -37,9 +40,6 @@ Requires:       libselinux
 Requires:       lua-libs
 Requires:       rpm-libs = %{version}-%{release}
 
-Patch0: remove-docs-from-makefile.patch
-Patch1: define-RPM_LD_FLAGS.patch
-
 %description
 RPM package manager
 
@@ -114,7 +114,7 @@ Provides:       %{name}-python3 = %{version}-%{release}
 Python3 rpm.
 
 %prep
-%autosetup -n rpm-%{name}-%{version}-release -p1
+%autosetup -n %{name}-%{version} -p1
 
 %build
 # pass -L opts to gcc as well to prioritize it over standard libs
@@ -205,6 +205,7 @@ popd
 %{_libdir}/rpm/rpm.daily
 %{_libdir}/rpm/rpm.log
 %{_libdir}/rpm/rpm.supp
+%{_libdir}/rpm/rpmuncompress
 %{_libdir}/rpm/rpm2cpio.sh
 %{_libdir}/rpm/tgpg
 %{_libdir}/rpm/platform
@@ -231,10 +232,12 @@ popd
 
 %files build
 %{_bindir}/rpmbuild
+%{_bindir}/rpmlua
 %{_bindir}/rpmsign
 %{_bindir}/rpmspec
 %{_libdir}/rpm/macros.*
 %{_libdir}/rpm/find-lang.sh
+%{_libdir}/rpm/rpm_macros_provides.sh
 %{_libdir}/rpm/find-provides
 %{_libdir}/rpm/find-requires
 %{_libdir}/rpm/brp-*
@@ -278,6 +281,9 @@ popd
 %{python3_sitelib}/*
 
 %changelog
+* Wed Sep 21 2022 Daniel McIlvaney <damcilva@microsoft.com> - 4.18.0-1
+- Update to 4.18.0 to resolve CVE-2021-35938, CVE-2021-35939, and CVE-2021-3521
+
 * Mon Jul 18 2022 Nan Liu <liunan@microsoft.com> - 4.17.0-9
 - Add missing dependencies to rpmbuild (sed and util-linux)
 

cgmanifest.json

@@ -23235,8 +23235,8 @@
         "type": "other",
         "other": {
           "name": "rpm",
-          "version": "4.17.0",
-          "downloadUrl": "https://github.com/rpm-software-management/rpm/archive/rpm-4.17.0-release.tar.gz"
+          "version": "4.18.0",
+          "downloadUrl": "http://ftp.rpm.org/releases/rpm-4.18.x/rpm-4.18.0.tar.bz2"
         }
       }
     },

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -175,12 +175,12 @@ libcap-devel-2.60-1.cm2.aarch64.rpm
 debugedit-5.0-1.cm2.aarch64.rpm
 libarchive-3.6.1-1.cm2.aarch64.rpm
 libarchive-devel-3.6.1-1.cm2.aarch64.rpm
-rpm-4.17.0-9.cm2.aarch64.rpm
-rpm-build-4.17.0-9.cm2.aarch64.rpm
-rpm-build-libs-4.17.0-9.cm2.aarch64.rpm
-rpm-devel-4.17.0-9.cm2.aarch64.rpm
-rpm-lang-4.17.0-9.cm2.aarch64.rpm
-rpm-libs-4.17.0-9.cm2.aarch64.rpm
+rpm-4.18.0-1.cm2.aarch64.rpm
+rpm-build-4.18.0-1.cm2.aarch64.rpm
+rpm-build-libs-4.18.0-1.cm2.aarch64.rpm
+rpm-devel-4.18.0-1.cm2.aarch64.rpm
+rpm-lang-4.18.0-1.cm2.aarch64.rpm
+rpm-libs-4.18.0-1.cm2.aarch64.rpm
 cpio-2.13-4.cm2.aarch64.rpm
 cpio-lang-2.13-4.cm2.aarch64.rpm
 e2fsprogs-libs-1.46.5-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -175,12 +175,12 @@ libcap-devel-2.60-1.cm2.x86_64.rpm
 debugedit-5.0-1.cm2.x86_64.rpm
 libarchive-3.6.1-1.cm2.x86_64.rpm
 libarchive-devel-3.6.1-1.cm2.x86_64.rpm
-rpm-4.17.0-9.cm2.x86_64.rpm
-rpm-build-4.17.0-9.cm2.x86_64.rpm
-rpm-build-libs-4.17.0-9.cm2.x86_64.rpm
-rpm-devel-4.17.0-9.cm2.x86_64.rpm
-rpm-lang-4.17.0-9.cm2.x86_64.rpm
-rpm-libs-4.17.0-9.cm2.x86_64.rpm
+rpm-4.18.0-1.cm2.x86_64.rpm
+rpm-build-4.18.0-1.cm2.x86_64.rpm
+rpm-build-libs-4.18.0-1.cm2.x86_64.rpm
+rpm-devel-4.18.0-1.cm2.x86_64.rpm
+rpm-lang-4.18.0-1.cm2.x86_64.rpm
+rpm-libs-4.18.0-1.cm2.x86_64.rpm
 cpio-2.13-4.cm2.x86_64.rpm
 cpio-lang-2.13-4.cm2.x86_64.rpm
 e2fsprogs-libs-1.46.5-3.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -518,20 +518,20 @@ python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm
 python3-pip-3.9.14-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
-python3-rpm-4.17.0-9.cm2.aarch64.rpm
+python3-rpm-4.18.0-1.cm2.aarch64.rpm
 python3-setuptools-3.9.14-1.cm2.noarch.rpm
 python3-test-3.9.14-1.cm2.aarch64.rpm
 python3-tools-3.9.14-1.cm2.aarch64.rpm
 readline-8.1-1.cm2.aarch64.rpm
 readline-debuginfo-8.1-1.cm2.aarch64.rpm
 readline-devel-8.1-1.cm2.aarch64.rpm
-rpm-4.17.0-9.cm2.aarch64.rpm
-rpm-build-4.17.0-9.cm2.aarch64.rpm
-rpm-build-libs-4.17.0-9.cm2.aarch64.rpm
-rpm-debuginfo-4.17.0-9.cm2.aarch64.rpm
-rpm-devel-4.17.0-9.cm2.aarch64.rpm
-rpm-lang-4.17.0-9.cm2.aarch64.rpm
-rpm-libs-4.17.0-9.cm2.aarch64.rpm
+rpm-4.18.0-1.cm2.aarch64.rpm
+rpm-build-4.18.0-1.cm2.aarch64.rpm
+rpm-build-libs-4.18.0-1.cm2.aarch64.rpm
+rpm-debuginfo-4.18.0-1.cm2.aarch64.rpm
+rpm-devel-4.18.0-1.cm2.aarch64.rpm
+rpm-lang-4.18.0-1.cm2.aarch64.rpm
+rpm-libs-4.18.0-1.cm2.aarch64.rpm
 sed-4.8-2.cm2.aarch64.rpm
 sed-debuginfo-4.8-2.cm2.aarch64.rpm
 sed-lang-4.8-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -518,20 +518,20 @@ python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm
 python3-pip-3.9.14-1.cm2.noarch.rpm
 python3-pygments-2.4.2-7.cm2.noarch.rpm
-python3-rpm-4.17.0-9.cm2.x86_64.rpm
+python3-rpm-4.18.0-1.cm2.x86_64.rpm
 python3-setuptools-3.9.14-1.cm2.noarch.rpm
 python3-test-3.9.14-1.cm2.x86_64.rpm
 python3-tools-3.9.14-1.cm2.x86_64.rpm
 readline-8.1-1.cm2.x86_64.rpm
 readline-debuginfo-8.1-1.cm2.x86_64.rpm
 readline-devel-8.1-1.cm2.x86_64.rpm
-rpm-4.17.0-9.cm2.x86_64.rpm
-rpm-build-4.17.0-9.cm2.x86_64.rpm
-rpm-build-libs-4.17.0-9.cm2.x86_64.rpm
-rpm-debuginfo-4.17.0-9.cm2.x86_64.rpm
-rpm-devel-4.17.0-9.cm2.x86_64.rpm
-rpm-lang-4.17.0-9.cm2.x86_64.rpm
-rpm-libs-4.17.0-9.cm2.x86_64.rpm
+rpm-4.18.0-1.cm2.x86_64.rpm
+rpm-build-4.18.0-1.cm2.x86_64.rpm
+rpm-build-libs-4.18.0-1.cm2.x86_64.rpm
+rpm-debuginfo-4.18.0-1.cm2.x86_64.rpm
+rpm-devel-4.18.0-1.cm2.x86_64.rpm
+rpm-lang-4.18.0-1.cm2.x86_64.rpm
+rpm-libs-4.18.0-1.cm2.x86_64.rpm
 sed-4.8-2.cm2.x86_64.rpm
 sed-debuginfo-4.8-2.cm2.x86_64.rpm
 sed-lang-4.8-2.cm2.x86_64.rpm