diff --git a/CVE-2019-13313-1.patch b/CVE-2019-13313-1.patch deleted file mode 100644 index 16811f156786393b8040517166f73c2d96dc9b6c..0000000000000000000000000000000000000000 --- a/CVE-2019-13313-1.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From 08fb8316b4ac42fe74c1fa5ca0ac593222cdf81a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Wed, 3 Jul 2019 14:55:24 +0200 -Subject: [PATCH 1/2] tools,install-script: Add --config-file (-f) option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Let's add a new option so users can set their config from a file, -instead of directly passing the values via command-line. - -CVE-2019-13313 -Libosinfo: osinfo-install-script option leaks password via command line -argument. 'osinfo-install-script' is used to generate a script for -automated guest installations. It accepts user and admin passwords via -command line arguments, thus leaking them via process listing. - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Daniel P. Berrangé ---- - tools/osinfo-install-script.c | 103 +++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 102 insertions(+), 1 deletion(-) - -diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c -index 15af48d..af58440 100644 ---- a/tools/osinfo-install-script.c -+++ b/tools/osinfo-install-script.c -@@ -37,6 +37,34 @@ static gboolean list_profile = FALSE; - static gboolean list_inj_method = FALSE; - static gboolean quiet = FALSE; - -+static const gchar *configs[] = { -+ OSINFO_INSTALL_CONFIG_PROP_HARDWARE_ARCH, -+ OSINFO_INSTALL_CONFIG_PROP_L10N_TIMEZONE, -+ OSINFO_INSTALL_CONFIG_PROP_L10N_LANGUAGE, -+ OSINFO_INSTALL_CONFIG_PROP_L10N_KEYBOARD, -+ OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD, -+ OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD, -+ OSINFO_INSTALL_CONFIG_PROP_USER_LOGIN, -+ OSINFO_INSTALL_CONFIG_PROP_USER_REALNAME, -+ OSINFO_INSTALL_CONFIG_PROP_USER_AUTOLOGIN, -+ OSINFO_INSTALL_CONFIG_PROP_USER_ADMIN, -+ OSINFO_INSTALL_CONFIG_PROP_REG_LOGIN, -+ OSINFO_INSTALL_CONFIG_PROP_REG_PASSWORD, -+ OSINFO_INSTALL_CONFIG_PROP_REG_PRODUCTKEY, -+ OSINFO_INSTALL_CONFIG_PROP_HOSTNAME, -+ OSINFO_INSTALL_CONFIG_PROP_TARGET_DISK, -+ 
OSINFO_INSTALL_CONFIG_PROP_SCRIPT_DISK, -+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_LOCATION, -+ OSINFO_INSTALL_CONFIG_PROP_AVATAR_DISK, -+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_DISK, -+ OSINFO_INSTALL_CONFIG_PROP_PRE_INSTALL_DRIVERS_LOCATION, -+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK, -+ OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION, -+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, -+ OSINFO_INSTALL_CONFIG_PROP_INSTALLATION_URL, -+ NULL -+}; -+ - static OsinfoInstallConfig *config; - - static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, -@@ -65,6 +93,47 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, - } - - -+static gboolean handle_config_file(const gchar *option_name G_GNUC_UNUSED, -+ const gchar *value, -+ gpointer data G_GNUC_UNUSED, -+ GError **error) -+{ -+ GKeyFile *key_file = NULL; -+ gchar *val = NULL; -+ gsize i; -+ gboolean ret = FALSE; -+ -+ key_file = g_key_file_new(); -+ if (!g_key_file_load_from_file(key_file, value, G_KEY_FILE_NONE, error)) -+ goto error; -+ -+ for (i = 0; configs[i] != NULL; i++) { -+ val = g_key_file_get_string(key_file, "install-script", configs[i], error); -+ if (val == NULL) { -+ if (g_error_matches(*error, G_KEY_FILE_ERROR, -+ G_KEY_FILE_ERROR_KEY_NOT_FOUND)) { -+ g_clear_error(error); -+ continue; -+ } -+ -+ goto error; -+ } -+ -+ osinfo_entity_set_param(OSINFO_ENTITY(config), -+ configs[i], -+ val); -+ g_free(val); -+ } -+ -+ ret = TRUE; -+ -+error: -+ g_key_file_unref(key_file); -+ -+ return ret; -+} -+ -+ - static GOptionEntry entries[] = - { - { "profile", 'p', 0, G_OPTION_ARG_STRING, (void*)&profile, -@@ -78,6 +147,9 @@ static GOptionEntry entries[] = - { "config", 'c', 0, G_OPTION_ARG_CALLBACK, - handle_config, - N_("Set configuration parameter"), "key=value" }, -+ { "config-file", 'f', 0, G_OPTION_ARG_CALLBACK, -+ handle_config_file, -+ N_("Set configuration parameters"), "file:///path/to/config/file" }, - { "list-config", '\0', 0, G_OPTION_ARG_NONE, 
(void*)&list_config, - N_("List configuration parameters"), NULL }, - { "list-profiles", '\0', 0, G_OPTION_ARG_NONE, (void*)&list_profile, -@@ -448,6 +520,15 @@ script. Defaults to C, but can also be C. - - Set the configuration parameter C to C. - -+=item B<--config-file=config-file> -+ -+Set the configurations parameters according to the config-file passed. -+ -+Note that use of --config-file is strongly recommended if the user or -+admin passwords need to be set. Providing passwords directly using -+B<--config=> is insecure as the password is visible to all processes -+and users on the same host. -+ - =back - - =head1 CONFIGURATION KEYS -@@ -510,9 +591,29 @@ The software registration user password - - =back - -+=head1 CONFIGURATION FILE FORMAT -+ -+The configuration file must consist in a file which contains a -+`install-script` group and, under this group, C=C -+pairs, as shown below: -+ -+[install-script] -+l10n-timezone=GMT -+l10n-keyboard=uk -+l10n-language=en_GB -+admin-password=123456 -+user-login=berrange -+user-password=123456 -+user-realname="Daniel P Berrange" -+ - =head1 EXAMPLE USAGE - --The following usage generates a Fedora 16 kickstart script -+The following usages generates a Fedora 16 kickstart script -+ -+ # osinfo-install-script \ -+ --profile jeos \ -+ --config-file /path/to/config/file \ -+ fedora16 - - # osinfo-install-script \ - --profile jeos \ --- -1.8.3.1 - diff --git a/CVE-2019-13313-2.patch b/CVE-2019-13313-2.patch deleted file mode 100644 index a14536ad6ef59b5c3e5f79e4736f4a360bc4d038..0000000000000000000000000000000000000000 --- a/CVE-2019-13313-2.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 3654abee6ead9f11f8bb9ba8fc71efd6fa4dabbc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Wed, 3 Jul 2019 14:59:07 +0200 -Subject: [PATCH 2/2] tools,install-script: Deprecate --config - {user,admin}-password -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Let's deprecate user-password and admin-password options of --config and -also warn out whenever they're passed to osinfo-install-script. - -CVE-2019-13313 -Libosinfo: osinfo-install-script option leaks password via command line -argument. 'osinfo-install-script' is used to generate a script for -automated guest installations. It accepts user and admin passwords via -command line arguments, thus leaking them via process listing. - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Daniel P. Berrangé ---- - tools/osinfo-install-script.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/tools/osinfo-install-script.c b/tools/osinfo-install-script.c -index af58440..c0528e7 100644 ---- a/tools/osinfo-install-script.c -+++ b/tools/osinfo-install-script.c -@@ -85,6 +85,12 @@ static gboolean handle_config(const gchar *option_name G_GNUC_UNUSED, - val++; - key = g_strndup(value, len); - -+ if (g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_USER_PASSWORD) || -+ g_str_equal(key, OSINFO_INSTALL_CONFIG_PROP_ADMIN_PASSWORD)) { -+ g_warning("When setting user or admin password, use --config-file " -+ "instead.\n"); -+ } -+ - osinfo_entity_set_param(OSINFO_ENTITY(config), - key, - val); -@@ -556,10 +562,14 @@ The local language - =item C - - The administrator password -+This option has been deprecated, use B<--config-file> -+for setting the admin password. - - =item C - - The user password -+This option has been deprecated, use B<--config-file> -+for setting the user password. - - =item C - --- -1.8.3.1 - 
diff --git a/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch b/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch deleted file mode 100644 index a3f3254e69b4cb765e67a0373284b80b1d3505c2..0000000000000000000000000000000000000000 --- a/bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 3e61b6ccfc2dcb88cc155b7ca33cbe34f20a25b9 Mon Sep 17 00:00:00 2001 -From: huangkaibin -Date: Fri, 20 Jul 2018 15:54:54 +0800 -Subject: [PATCH] libosinfo: Do not raise error on unknown osinfo db directory. - -When an osinfo directory can not be acccessed by the running user, -g_file_query_info will return a type of G_FILE_TYPE_UNKNOWN, and -osinfo_loader_find_files will raise an error and abort the application. -This patch fix this problem by just ignoring this unknown osinfo directory. ---- - osinfo/osinfo_loader.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/osinfo/osinfo_loader.c b/osinfo/osinfo_loader.c -index 46bc633..4c30e6c 100644 ---- a/osinfo/osinfo_loader.c -+++ b/osinfo/osinfo_loader.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include "ignore-value.h" - #include "osinfo_install_script_private.h" - #include "osinfo_device_driver_private.h" -@@ -2061,8 +2062,14 @@ - } - g_object_unref(ents); - g_list_free(children); -+ } else if (type == G_FILE_TYPE_UNKNOWN) { -+ g_warning("File type unknown. path: %s, errno:%d.", g_file_get_path(file), errno); - } else { -- OSINFO_ERROR(&error, "Unexpected file type"); -+ char *error_msg; -+ error_msg = g_strdup_printf("Unexpected file type. type: %d, path: %s, errno:%d.", -+ type, g_file_get_path(file), errno); -+ OSINFO_ERROR(&error, error_msg); -+ free(error_msg); - g_propagate_error(err, error); - } - } --- -1.8.3.1 - 
diff --git a/libosinfo-1.2.0.tar.gz b/libosinfo-1.2.0.tar.gz deleted file mode 100644 index 0406d0f2bffc440f014382797c70c3ad294b00eb..0000000000000000000000000000000000000000 Binary files a/libosinfo-1.2.0.tar.gz and /dev/null differ diff --git a/libosinfo-1.8.0.tar.xz b/libosinfo-1.8.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..de032e7e89c30dc0ab6b80391f0bd4a1aabbc561 Binary files /dev/null and b/libosinfo-1.8.0.tar.xz differ diff --git a/libosinfo.spec b/libosinfo.spec index bc3e1fd5a6b59e3e6a02ba0f76ddc8992b034cec..6d2dbe6ce589db1eedd53d869eec19dff56e078a 100644 --- a/libosinfo.spec +++ b/libosinfo.spec @@ -1,12 +1,12 @@ Name: libosinfo -Version: 1.2.0 -Release: 10 +Version: 1.8.0 +Release: 1 Summary: A library for managing OS information for virtualization License: LGPLv2+ URL: https://libosinfo.org/ -Source: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.gz +Source: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.xz -BuildRequires: hwdata gobject-introspection-devel osinfo-db +BuildRequires: hwdata gobject-introspection-devel osinfo-db meson cmake libsoup-devel gtk-doc BuildRequires: libcurl-devel intltool glib2-devel BuildRequires: perl-podlators vala vala-tools BuildRequires: libxml2-devel >= 2.6.0 @@ -15,11 +15,8 @@ Requires: hwdata osinfo-db-tools Requires: osinfo-db >= 20180920-1 Patch0001: 0001-db-Force-anchored-patterns-when-matching-regex.patch -Patch6000: CVE-2019-13313-1.patch -Patch6001: CVE-2019-13313-2.patch Patch6002: fix-build-error-for-CVE-2019-13313.patch -Patch9000: bugfix-do-not-raise-error-on-unknown-osinfo-db-directory.patch Provides: %{name}-vala Obsoletes: %{name}-vala 
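Review bot: In the `@@ -15,11 +15,8 @@` hunk, `Patch6002: fix-build-error-for-CVE-2019-13313.patch` stays listed although `Patch6000`/`Patch6001`, the two CVE-2019-13313 patches it was presumably written against, are removed, and `%autosetup -p1` will still apply it to the 1.8.0 tree. If 1.8.0 already contains the upstream fix (the `--config-file` option and the `--config` password warning from the deleted patches), Patch6002 is likely redundant and may fail to apply or change already-fixed code; either drop its `Patch6002:` line together with the file or say in the commit why it is still needed. Nothing on the page records that the CVE fix is present in the new tarball, so the changelog entry should state it, e.g. `- drop CVE-2019-13313 patches, included in upstream 1.8.0`, after confirming that the built `osinfo-install-script` accepts `--config-file`.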
@@ -53,23 +50,20 @@ Language support for libosindo. %autosetup -n %{name}-%{version} -p1 %build -%configure \ - --enable-introspection=yes \ - --enable-vala=yes -%make_build V=1 -chmod a-x examples/*.js examples/*.py +%meson \ + -Denble-gtk-doc=true \ + -Denble-tests=true \ + -Denble-introspection=enabled \ + -Denble-vala=enabled +%meson_build %install rm -rf %{buildroot} -%make_install +%meson_install %find_lang %{name} %check -if ! make check -then - cat tests/test-suite.log || true - exit 1 -fi +%meson_test %ldconfig_scriptlets @@ -80,6 +74,7 @@ fi %{_libdir}/%{name}-1.0.so.* %{_libdir}/girepository-1.0/Libosinfo-1.0.typelib %{_datadir}/vala/vapi/libosinfo-1.0.vapi +%{_datadir}/vala/vapi/libosinfo-1.0.deps %doc AUTHORS ChangeLog COPYING.LIB NEWS README %exclude %{_libdir}/*.la @@ -91,8 +86,6 @@ fi %{_libdir}/pkgconfig/%{name}-1.0.pc %{_datadir}/gir-1.0/Libosinfo-1.0.gir %{_datadir}/gtk-doc/html/Libosinfo -%doc examples/demo.js -%doc examples/demo.py %files help %{_mandir}/man1/osinfo-detect.1* @@ -102,6 +95,10 @@ fi %files lang -f %{name}.lang %changelog + +* Tue Feb 2 2021 liudabo - 1.8.0-1 +- upgrade version to 1.8.0 + * Sat Sep 5 2020 shixuantong - 1.2.0-10 - Type: bugfix - ID: NA
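Review bot: All four options passed to `%meson` in the `%build` hunk are spelled `-Denble-…`, which looks like a typo for `-Denable-…` (the removed configure flags were `--enable-introspection`/`--enable-vala`). With the misspelled names meson will either reject the configuration or, on versions that only warn about unknown options, silently use the project defaults, so `%meson_test` in `%check` may run without the test suite having been enabled as intended. The lines should read `-Denable-gtk-doc=true`, `-Denable-tests=true` and `-Denable-introspection=enabled` / `-Denable-vala=enabled`, checked against the option names in the upstream meson_options.txt of 1.8.0.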