folkslinux
/
VMware-Photon-OS
mirror of https://github.com/vmware/photon.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rsync: fix CVE-2022-29154 

Introduce new package xxhash

Change-Id: Ibf14445da4e140ffc6a1f2520d0450a5503f48c3
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/17163
Tested-by: gerrit-photon <photon-checkins@vmware.com>
This commit is contained in:
Shreenidhi Shedi 2022-08-03 16:43:37 +05:30
parent 6f77bd4f48
commit 1842fc0397
4 changed files with 630 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

402
SPECS/rsync/CVE-2022-29154-1.patch Normal file
View File

@ -0,0 +1,402 @@
From 5bba70e008da9c6347a8af00d8160e7667bc7ba0 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 31 Jul 2022 16:55:34 -0700
Subject: [PATCH] Some extra file-list safety checks.
[sshedi: ported changes of rsync.1.md to v3.2.4]
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
---
exclude.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
flist.c | 17 ++++++-
io.c | 4 ++
main.c | 7 ++-
receiver.c | 11 +++--
rsync.1.md | 42 ++++++++++++++++-
6 files changed, 201 insertions(+), 10 deletions(-)
diff --git a/exclude.c b/exclude.c
index 39073a0..b670c8b 100644
--- a/exclude.c
+++ b/exclude.c
@@ -27,16 +27,22 @@ extern int am_server;
extern int am_sender;
extern int eol_nulls;
extern int io_error;
+extern int xfer_dirs;
+extern int recurse;
extern int local_server;
extern int prune_empty_dirs;
extern int ignore_perishable;
+extern int old_style_args;
+extern int relative_paths;
extern int delete_mode;
extern int delete_excluded;
extern int cvs_exclude;
extern int sanitize_paths;
extern int protocol_version;
+extern int list_only;
extern int module_id;
+extern char *filesfrom_host;
extern char curr_dir[MAXPATHLEN];
extern unsigned int curr_dir_len;
extern unsigned int module_dirlen;
@@ -44,8 +50,10 @@ extern unsigned int module_dirlen;
filter_rule_list filter_list = { .debug_type = "" };
filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
+filter_rule_list implied_filter_list = { .debug_type = " [implied]" };
int saw_xattr_filter = 0;
+int trust_sender_filter = 0;
/* Need room enough for ":MODS " prefix plus some room to grow. */
#define MAX_RULE_PREFIX (16)
@@ -292,6 +300,125 @@ static void add_rule(filter_rule_list *listp, const char *pat, unsigned int pat_
}
}
+/* Each arg the client sends to the remote sender turns into an implied include
+ * that the receiver uses to validate the file list from the sender. */
+void add_implied_include(const char *arg)
+{
+ filter_rule *rule;
+ int arg_len, saw_wild = 0, backslash_cnt = 0;
+ int slash_cnt = 1; /* We know we're adding a leading slash. */
+ const char *cp;
+ char *p;
+ if (old_style_args || list_only || filesfrom_host != NULL)
+ return;
+ if (relative_paths) {
+ cp = strstr(arg, "/./");
+ if (cp)
+ arg = cp+3;
+ } else {
+ if ((cp = strrchr(arg, '/')) != NULL)
+ arg = cp + 1;
+ }
+ arg_len = strlen(arg);
+ if (arg_len) {
+ if (strpbrk(arg, "*[?")) {
+ /* We need to add room to escape backslashes if wildcard chars are present. */
+ cp = arg;
+ while ((cp = strchr(cp, '\\')) != NULL) {
+ arg_len++;
+ cp++;
+ }
+ saw_wild = 1;
+ }
+ arg_len++; /* Leave room for the prefixed slash */
+ rule = new0(filter_rule);
+ if (!implied_filter_list.head)
+ implied_filter_list.head = implied_filter_list.tail = rule;
+ else {
+ rule->next = implied_filter_list.head;
+ implied_filter_list.head = rule;
+ }
+ rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+ p = rule->pattern = new_array(char, arg_len + 1);
+ *p++ = '/';
+ cp = arg;
+ while (*cp) {
+ switch (*cp) {
+ case '\\':
+ backslash_cnt++;
+ if (saw_wild)
+ *p++ = '\\';
+ *p++ = *cp++;
+ break;
+ case '/':
+ if (p[-1] == '/') /* This is safe because of the initial slash. */
+ break;
+ if (relative_paths) {
+ filter_rule const *ent;
+ int found = 0;
+ *p = '\0';
+ for (ent = implied_filter_list.head; ent; ent = ent->next) {
+ if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0)
+ found = 1;
+ }
+ if (!found) {
+ filter_rule *R_rule = new0(filter_rule);
+ R_rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+ R_rule->pattern = strdup(rule->pattern);
+ R_rule->u.slash_cnt = slash_cnt;
+ R_rule->next = implied_filter_list.head;
+ implied_filter_list.head = R_rule;
+ }
+ }
+ slash_cnt++;
+ *p++ = *cp++;
+ break;
+ default:
+ *p++ = *cp++;
+ break;
+ }
+ }
+ *p = '\0';
+ rule->u.slash_cnt = slash_cnt;
+ arg = (const char *)rule->pattern;
+ }
+
+ if (recurse || xfer_dirs) {
+ /* Now create a rule with an added "/" & "**" or "*" at the end */
+ rule = new0(filter_rule);
+ if (recurse)
+ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD | FILTRULE_WILD2;
+ else
+ rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD;
+ /* A +4 in the len leaves enough room for / * * \0 or / * \0 \0 */
+ if (!saw_wild && backslash_cnt) {
+ /* We are appending a wildcard, so now the backslashes need to be escaped. */
+ p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1);
+ cp = arg;
+ while (*cp) {
+ if (*cp == '\\')
+ *p++ = '\\';
+ *p++ = *cp++;
+ }
+ } else {
+ p = rule->pattern = new_array(char, arg_len + 3 + 1);
+ if (arg_len) {
+ memcpy(p, arg, arg_len);
+ p += arg_len;
+ }
+ }
+ if (p[-1] != '/')
+ *p++ = '/';
+ *p++ = '*';
+ if (recurse)
+ *p++ = '*';
+ *p = '\0';
+ rule->u.slash_cnt = slash_cnt + 1;
+ rule->next = implied_filter_list.head;
+ implied_filter_list.head = rule;
+ }
+}
+
/* This frees any non-inherited items, leaving just inherited items on the list. */
static void pop_filter_list(filter_rule_list *listp)
{
@@ -718,7 +845,7 @@ static void report_filter_result(enum logcode code, char const *name,
: name_flags & NAME_IS_DIR ? "directory"
: "file";
rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
+ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
t, name, ent->pattern,
ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
}
@@ -890,6 +1017,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
}
switch (ch) {
case ':':
+ trust_sender_filter = 1;
rule->rflags |= FILTRULE_PERDIR_MERGE
| FILTRULE_FINISH_SETUP;
/* FALL THROUGH */
diff --git a/flist.c b/flist.c
index 1ba306b..0e6bf78 100644
--- a/flist.c
+++ b/flist.c
@@ -73,6 +73,7 @@ extern int need_unsorted_flist;
extern int sender_symlink_iconv;
extern int output_needs_newline;
extern int sender_keeps_checksum;
+extern int trust_sender_filter;
extern int unsort_ndx;
extern uid_t our_uid;
extern struct stats stats;
@@ -83,8 +84,7 @@ extern char curr_dir[MAXPATHLEN];
extern struct chmod_mode_struct *chmod_modes;
-extern filter_rule_list filter_list;
-extern filter_rule_list daemon_filter_list;
+extern filter_rule_list filter_list, implied_filter_list, daemon_filter_list;
#ifdef ICONV_OPTION
extern int filesfrom_convert;
@@ -986,6 +986,19 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
exit_cleanup(RERR_UNSUPPORTED);
}
+ if (*thisname != '.' || thisname[1] != '\0') {
+ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
+ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) {
+ rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ }
+
if (inc_recurse && S_ISDIR(mode)) {
if (one_file_system) {
/* Room to save the dir's device for -x */
diff --git a/io.c b/io.c
index cf94cee..a6e3ed3 100644
--- a/io.c
+++ b/io.c
@@ -419,6 +419,7 @@ static void forward_filesfrom_data(void)
while (s != eob) {
if (*s++ == '\0') {
ff_xb.len = s - sob - 1;
+ add_implied_include(sob);
if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0)
exit_cleanup(RERR_PROTOCOL); /* impossible? */
write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */
@@ -450,9 +451,12 @@ static void forward_filesfrom_data(void)
char *f = ff_xb.buf + ff_xb.pos;
char *t = ff_xb.buf;
char *eob = f + len;
+ char *cur = t;
/* Eliminate any multi-'\0' runs. */
while (f != eob) {
if (!(*t++ = *f++)) {
+ add_implied_include(cur);
+ cur = t;
while (f != eob && *f == '\0')
f++;
}
diff --git a/main.c b/main.c
index 58920a2..5a7fbdd 100644
--- a/main.c
+++ b/main.c
@@ -89,6 +89,7 @@ extern int backup_dir_len;
extern int basis_dir_cnt;
extern int default_af_hint;
extern int stdout_format_has_i;
+extern int trust_sender_filter;
extern struct stats stats;
extern char *stdout_format;
extern char *logfile_format;
@@ -104,7 +105,7 @@ extern char curr_dir[MAXPATHLEN];
extern char backup_dir_buf[MAXPATHLEN];
extern char *basis_dir[MAX_BASIS_DIRS+1];
extern struct file_list *first_flist;
-extern filter_rule_list daemon_filter_list;
+extern filter_rule_list daemon_filter_list, implied_filter_list;
uid_t our_uid;
gid_t our_gid;
@@ -635,6 +636,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
#ifdef ICONV_CONST
setup_iconv();
#endif
+ trust_sender_filter = 1;
} else if (local_server) {
/* If the user didn't request --[no-]whole-file, force
* it on, but only if we're not batch processing. */
@@ -1500,6 +1502,8 @@ static int start_client(int argc, char *argv[])
char *dummy_host;
int dummy_port = rsync_port;
int i;
+ if (filesfrom_fd < 0)
+ add_implied_include(remote_argv[0]);
/* For remote source, any extra source args must have either
* the same hostname or an empty hostname. */
for (i = 1; i < remote_argc; i++) {
@@ -1523,6 +1527,7 @@ static int start_client(int argc, char *argv[])
if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */
arg = ".";
remote_argv[i] = arg;
+ add_implied_include(arg);
}
}
diff --git a/receiver.c b/receiver.c
index b3a69da..93cf8ef 100644
--- a/receiver.c
+++ b/receiver.c
@@ -593,10 +593,13 @@ int recv_files(int f_in, int f_out, char *local_name)
if (DEBUG_GTE(RECV, 1))
rprintf(FINFO, "recv_files(%s)\n", fname);
- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
- rprintf(FERROR, "attempt to hack rsync failed.\n");
- exit_cleanup(RERR_PROTOCOL);
+ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
+ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
+ fname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
}
#ifdef SUPPORT_XATTRS
diff --git a/rsync.1.md b/rsync.1.md
index 313025d..e65086a 100644
--- a/rsync.1.md
+++ b/rsync.1.md
@@ -296,6 +296,33 @@ separate the files into different rsync calls, or consider using
[`--delay-updates`](#opt) (which doesn't affect the sorted transfer order, but
does make the final file-updating phase happen much more rapidly).
+## MULTI-HOST SECURITY
+
+Rsync takes steps to ensure that the file requests that are shared in a
+transfer are protected against various security issues. Most of the potential
+problems arise on the receiving side where rsync takes steps to ensure that the
+list of files being transferred remains within the bounds of what was
+requested.
+
+Toward this end, rsync 3.1.2 and later have aborted when a file list contains
+an absolute or relative path that tries to escape out of the top of the
+transfer. Also, beginning with version 3.2.5, rsync does two more safety
+checks of the file list to (1) ensure that no extra source arguments were added
+into the transfer other than those that the client requested and (2) ensure
+that the file list obeys the exclude rules that we sent to the sender.
+
+For those that don't yet have a 3.2.5 client rsync, it is safest to do a copy
+into a dedicated destination directory for the remote files rather than
+requesting the remote content get mixed in with other local content. For
+example, doing an rsync copy into your home directory is potentially unsafe on
+an older rsync if the remote rsync is being controlled by a bad actor:
+
+> rsync -aiv host1:dir1 ~
+
+A safer command would be:
+
+> rsync -aiv host1:dir1 ~/host1-files
+
## EXAMPLES
Here are some examples of how I use rsync.
@@ -2323,6 +2350,12 @@ your home directory (remove the '=' for that).
behavior. The environment is always overridden by manually specified
positive or negative options (the negative is `--no-old-args`).
+ Note that this option also disables the extra safety check added in 3.2.5
+ that ensures that a remote sender isn't including extra top-level items in
+ the file-list that you didn't request. This side-effect is necessary
+ because we can't know for sure what names to expect when the remote shell
+ is interpreting the args.
+
This option conflicts with the [`--protect-args`](#opt) option.
0. `--protect-args`, `-s`
@@ -3754,8 +3787,13 @@ available rule prefixes:
0. `exclude, '-'` specifies an exclude pattern.
0. `include, '+'` specifies an include pattern.
-0. `merge, '.'` specifies a merge-file to read for more rules.
-0. `dir-merge, ':'` specifies a per-directory merge-file.
+0. `merge, '.'` specifies a merge-file on the client side to read for more
+ rules.
+0. `dir-merge, ':'` specifies a per-directory merge-file. Using this kind of
+ filter rule requires that you trust the sending side's filter checking, and
+ thus it disables the receiver's verification of the file-list names against
+ the filter rules (since only the sender can know for sure if it obeyed all
+ the filter rules when some are per-dir merged from the sender's files).
0. `hide, 'H'` specifies a pattern for hiding files from the transfer.
0. `show, 'S'` files that match the pattern are not hidden.
0. `protect, 'P'` specifies a pattern for protecting files from deletion.
--
2.25.1

112
SPECS/rsync/CVE-2022-29154-2.patch Normal file
View File

@ -0,0 +1,112 @@
From 7e5424b806e8eea053016268ad186276e9083b77 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Mon, 1 Aug 2022 07:00:51 -0700
Subject: [PATCH] More improvements to file-list checking
- Avoid implied rules on generator and (with extra certainty) on server
- Add -R implied-directory path elements as directory includes
- Log about extra file-list checking using a new --debug=FILTER3 level
---
exclude.c | 21 ++++++++++++++++-----
main.c | 1 +
options.c | 2 +-
3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/exclude.c b/exclude.c
index b670c8ba..2d740a83 100644
--- a/exclude.c
+++ b/exclude.c
@@ -25,6 +25,7 @@
extern int am_server;
extern int am_sender;
+extern int am_generator;
extern int eol_nulls;
extern int io_error;
extern int xfer_dirs;
@@ -309,7 +310,7 @@ void add_implied_include(const char *arg)
int slash_cnt = 1; /* We know we're adding a leading slash. */
const char *cp;
char *p;
- if (old_style_args || list_only || filesfrom_host != NULL)
+ if (am_server || old_style_args || list_only || filesfrom_host != NULL)
return;
if (relative_paths) {
cp = strstr(arg, "/./");
@@ -363,11 +364,16 @@ void add_implied_include(const char *arg)
}
if (!found) {
filter_rule *R_rule = new0(filter_rule);
- R_rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0);
+ R_rule->rflags = FILTRULE_INCLUDE | FILTRULE_DIRECTORY
+ | (saw_wild ? FILTRULE_WILD : 0);
R_rule->pattern = strdup(rule->pattern);
R_rule->u.slash_cnt = slash_cnt;
R_rule->next = implied_filter_list.head;
implied_filter_list.head = R_rule;
+ if (DEBUG_GTE(FILTER, 3)) {
+ rprintf(FINFO, "[%s] add_implied_include(%s/)\n",
+ who_am_i(), rule->pattern);
+ }
}
}
slash_cnt++;
@@ -381,6 +387,8 @@ void add_implied_include(const char *arg)
*p = '\0';
rule->u.slash_cnt = slash_cnt;
arg = (const char *)rule->pattern;
+ if (DEBUG_GTE(FILTER, 3))
+ rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
}
if (recurse || xfer_dirs) {
@@ -416,6 +424,8 @@ void add_implied_include(const char *arg)
rule->u.slash_cnt = slash_cnt + 1;
rule->next = implied_filter_list.head;
implied_filter_list.head = rule;
+ if (DEBUG_GTE(FILTER, 3))
+ rprintf(FINFO, "[%s] add_implied_include(%s)\n", who_am_i(), rule->pattern);
}
}
@@ -833,11 +843,12 @@ static void report_filter_result(enum logcode code, char const *name,
filter_rule const *ent,
int name_flags, const char *type)
{
+ int log_level = am_sender || am_generator ? 1 : 3;
+
/* If a trailing slash is present to match only directories,
* then it is stripped out by add_rule(). So as a special
- * case we add it back in here. */
-
- if (DEBUG_GTE(FILTER, 1)) {
+ * case we add it back in the log output. */
+ if (DEBUG_GTE(FILTER, log_level)) {
static char *actions[2][2]
= { {"show", "hid"}, {"risk", "protect"} };
const char *w = who_am_i();
diff --git a/main.c b/main.c
index 5a7fbdd7..fa263d27 100644
--- a/main.c
+++ b/main.c
@@ -1078,6 +1078,7 @@ static int do_recv(int f_in, int f_out, char *local_name)
}
am_generator = 1;
+ implied_filter_list.head = implied_filter_list.tail = NULL;
flist_receiving_enabled = True;
io_end_multiplex_in(MPLX_SWITCHING);
diff --git a/options.c b/options.c
index 93bdb237..9731a144 100644
--- a/options.c
+++ b/options.c
@@ -293,7 +293,7 @@ static struct output_struct debug_words[COUNT_DEBUG+1] = {
DEBUG_WORD(DELTASUM, W_SND|W_REC, "Debug delta-transfer checksumming (levels 1-4)"),
DEBUG_WORD(DUP, W_REC, "Debug weeding of duplicate names"),
DEBUG_WORD(EXIT, W_CLI|W_SRV, "Debug exit events (levels 1-3)"),
- DEBUG_WORD(FILTER, W_SND|W_REC, "Debug filter actions (levels 1-2)"),
+ DEBUG_WORD(FILTER, W_SND|W_REC, "Debug filter actions (levels 1-3)"),
DEBUG_WORD(FLIST, W_SND|W_REC, "Debug file-list operations (levels 1-4)"),
DEBUG_WORD(FUZZY, W_REC, "Debug fuzzy scoring (levels 1-2)"),
DEBUG_WORD(GENR, W_REC, "Debug generator functions"),

35
SPECS/rsync/rsync.spec
View File

@ -1,7 +1,7 @@
Summary: Fast incremental file transfer.
Name: rsync
Version: 3.2.4
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv3+
URL: https://rsync.samba.org
Group: Appication/Internet
@ -11,27 +11,44 @@ Distribution: Photon
Source0: https://download.samba.org/pub/rsync/src/%{name}-%{version}.tar.gz
%define sha512 %{name}=96318e2754fbddf84d16df671c721e577766969dfa415925c4dc1be2e4e60a51246623747a8aec0c6e9c0824e6aa7335235ccd07f3d6fd901f8cf28e2d6e91b6
Patch0: CVE-2022-29154-1.patch
Patch1: CVE-2022-29154-2.patch
BuildRequires: zlib-devel
BuildRequires: systemd
BuildRequires: lz4-devel
BuildRequires: systemd-devel
BuildRequires: xxhash-devel
Requires: xxhash
Requires: lz4
Requires: zlib
Requires: systemd
%description
Rsync is a fast and extraordinarily versatile file copying tool.
It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon.
It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied.
It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination.
Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.
It can copy locally, to/from another host over any remote shell,
or to/from a remote rsync daemon.
It offers a large number of options that control every aspect of its
behavior and permit very flexible specification of the set of files
to be copied. It is famous for its delta-transfer algorithm, which
reduces the amount of data sent over the network by sending only the
differences between the source files and the existing files in the
destination.
Rsync is widely used for backups and mirroring and as an improved
copy command for everyday use.
%prep
%autosetup -p1
%build
%configure --with-included-zlib=no --disable-xxhash --disable-zstd
%configure \
--with-included-zlib=no \
--enable-xxhash \
--enable-zstd \
--enable-lz4 \
--enable-ipv6
%make_build
%install
@ -44,10 +61,10 @@ cat << EOF >> %{buildroot}%{_unitdir}/rsyncd.service
[Unit]
Description=Rsync Server
After=local-fs.target
ConditionPathExists=/etc/rsyncd.conf
ConditionPathExists=%{_sysconfdir}/rsyncd.conf
[Service]
ExecStart=%{_bindir}/rsync --daemon --no-detach
ExecStart=%{_bindir}/%{name} --daemon --no-detach
[Install]
WantedBy=multi-user.target
@ -71,6 +88,8 @@ make %{?_smp_mflags} check
%exclude %dir %{_libdir}/debug
%changelog
* Wed Aug 03 2022 Shreenidhi Shedi <sshedi@vmware.com> 3.2.4-3
- Fix CVE-2022-29154
* Sun May 29 2022 Shreenidhi Shedi <sshedi@vmware.com> 3.2.4-2
- Fix binary path
* Tue Apr 19 2022 Gerrit Photon <photon-checkins@vmware.com> 3.2.4-1

89
SPECS/xxhash/xxhash.spec Normal file
View File

@ -0,0 +1,89 @@
Name: xxhash
Version: 0.8.1
Release: 1%{?dist}
Summary: Extremely fast hash algorithm
License: BSD and GPLv2+
URL: http://www.xxhash.com
Group: System Environment/Security
Vendor: VMware, Inc.
Distribution: Photon
Source0: https://github.com/Cyan4973/xxHash/archive/v%{version}/%{name}-%{version}.tar.gz
%define sha512 %{name}=12feedd6a1859ef55e27218dbd6dcceccbb5a4da34cd80240d2f7d44cd246c7afdeb59830c2d5b90189bb5159293532208bf5bb622250102e12d6e1bad14a193
BuildRequires: make
BuildRequires: gcc
Requires: %{name}-libs = %{version}-%{release}
%description
xxHash is an Extremely fast Hash algorithm, running at RAM speed
limits. It successfully completes the SMHasher test suite which
evaluates collision, dispersion and randomness qualities of hash
functions. Code is highly portable, and hashes are identical on all
platforms (little / big endian).
%package libs
Summary: Extremely fast hash algorithm - library
License: BSD
%description libs
xxHash is an Extremely fast Hash algorithm, running at RAM speed
limits. It successfully completes the SMHasher test suite which
evaluates collision, dispersion and randomness qualities of hash
functions. Code is highly portable, and hashes are identical on all
platforms (little / big endian).
%package devel
Summary: Extremely fast hash algorithm - development files
License: BSD
Requires: %{name} = %{version}-%{release}
%description devel
Development files for the xxhash library
%prep
%autosetup -p1 -n xxHash-%{version}
%build
%make_build
%install
%make_install PREFIX=%{_prefix} LIBDIR=%{_libdir}
%if 0%{?with_check}
%check
make check %{?_smp_mflags}
make test-xxhsum-c %{?_smp_mflags}
%endif
%post libs
/sbin/ldconfig
%postun libs
/sbin/ldconfig
%files
%defattr(-,root,root)
%{_bindir}/xxh*sum
%{_mandir}/man1/xxh*sum.1*
%license cli/COPYING
%doc cli/README.md
%files libs
%defattr(-,root,root)
%{_libdir}/libxxhash.so.*
%license LICENSE
%doc README.md
%files devel
%defattr(-,root,root)
%{_includedir}/xxhash.h
%{_includedir}/xxh3.h
%{_libdir}/libxxhash.so
%{_libdir}/libxxhash.a
%{_libdir}/pkgconfig/libxxhash.pc
%changelog
* Wed Aug 03 2022 Shreenidhi Shedi <sshedi@vmware.com> 0.8.1-1
- Initial version. Needed for rsync