diff --git a/0.4.0.tar.gz b/0.4.0.tar.gz
deleted file mode 100644
index 56b094fc115558943e4b4443ee4194dedae1d683..0000000000000000000000000000000000000000
Binary files a/0.4.0.tar.gz and /dev/null differ
diff --git a/0.6.0.tar.gz b/0.6.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b63521a01d728844925ee7ade875f92a1577a7a2
Binary files /dev/null and b/0.6.0.tar.gz differ
diff --git a/0001-Avoid-taking-pointer-to-packed-struct.patch b/0001-Avoid-taking-pointer-to-packed-struct.patch
deleted file mode 100644
index d784a1bf0b29a979164ccfbdd02f69bf80960941..0000000000000000000000000000000000000000
--- a/0001-Avoid-taking-pointer-to-packed-struct.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -From 19e8c9071b3d9306ca7b7329b313b31f86c2936d Mon Sep 17 00:00:00 2001 -From: Harry Youd -Date: Wed, 31 Jul 2019 19:44:53 +0100 -Subject: [PATCH] Avoid taking pointer to packed struct -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: -error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] ---- - src/mokutil.c | 38 ++++++++++++++++++++++---------------- - 1 file changed, 22 insertions(+), 16 deletions(-) - -diff --git a/src/mokutil.c b/src/mokutil.c -index e2d567d..8892613 100644 ---- a/src/mokutil.c -+++ b/src/mokutil.c -@@ -270,20 +270,22 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) - return NULL; - } - -- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha1) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha224) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha256) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha384) != 0) && -- (efi_guid_cmp (&CertList->SignatureType, &efi_guid_sha512) != 0)) { -+ efi_guid_t sigtype = CertList->SignatureType; -+ -+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha1) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha224) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha256) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha384) != 0) && -+ (efi_guid_cmp (&sigtype, &efi_guid_sha512) != 0)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + - CertList->SignatureListSize); - continue; - } - -- if ((efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) != 0) && -- (CertList->SignatureSize != signature_size (&CertList->SignatureType))) { -+ if ((efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0) && -+ (CertList->SignatureSize 
!= signature_size (&sigtype))) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((uint8_t *) CertList + - CertList->SignatureListSize); -@@ -312,7 +314,7 @@ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num) - } - - list[count].header = CertList; -- if (efi_guid_cmp (&CertList->SignatureType, &efi_guid_x509_cert) == 0) { -+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { - /* X509 certificate */ - list[count].mok_size = CertList->SignatureSize - - sizeof(efi_guid_t); -@@ -442,10 +444,11 @@ list_keys (uint8_t *data, size_t data_size) - - for (unsigned int i = 0; i < mok_num; i++) { - printf ("[key %d]\n", i+1); -- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) == 0) { -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) == 0) { - print_x509 ((char *)list[i].mok, list[i].mok_size); - } else { -- print_hash_array (&list[i].header->SignatureType, -+ print_hash_array (&sigtype, - list[i].mok, list[i].mok_size); - } - if (i < mok_num - 1) -@@ -523,7 +526,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, - remain = total; - for (unsigned int i = 0; i < mok_num; i++) { - remain -= list[i].header->SignatureListSize; -- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, type) != 0) - continue; - - sig_list_size = list[i].header->SignatureListSize; -@@ -1057,7 +1061,8 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size - } - - for (unsigned int i = 0; i < node_num; i++) { -- if (efi_guid_cmp (&list[i].header->SignatureType, type) != 0) -+ efi_guid_t sigtype = list[i].header->SignatureType; -+ if (efi_guid_cmp (&sigtype, type) != 0) - continue; - - if (efi_guid_cmp (type, &efi_guid_x509_cert) == 0) { -@@ -1510,8 +1515,8 @@ issue_hash_request (const char *hash_str, MokRequest req, - goto 
error;
- /* Check if there is a signature list with the same type */
- for (unsigned int i = 0; i < mok_num; i++) {
-- if (efi_guid_cmp (&mok_list[i].header->SignatureType,
-- &hash_type) == 0) {
-+ efi_guid_t sigtype = mok_list[i].header->SignatureType;
-+ if (efi_guid_cmp (&sigtype, &hash_type) == 0) {
- merge_ind = i;
- list_size -= sizeof(EFI_SIGNATURE_LIST);
- break;
-@@ -1678,8 +1683,9 @@ export_db_keys (const DBName db_name)
- for (unsigned i = 0; i < mok_num; i++) {
- off_t offset = 0;
- ssize_t write_size;
-+ efi_guid_t sigtype = list[i].header->SignatureType;
- 
-- if (efi_guid_cmp (&list[i].header->SignatureType, &efi_guid_x509_cert) != 0)
-+ if (efi_guid_cmp (&sigtype, &efi_guid_x509_cert) != 0)
- continue;
- 
- /* Dump X509 certificate to files */
---
-1.8.3.1
-
diff --git a/0001-Show-usage-instead-of-aborting-on-bad-flags.patch b/0001-Show-usage-instead-of-aborting-on-bad-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a096cdbf53674e84924b9e9dab6a42eabea1025
--- /dev/null
+++ b/0001-Show-usage-instead-of-aborting-on-bad-flags.patch
@@ -0,0 +1,33 @@
+From 82694cb1ce3b29c3705c25ae4cea3d07fe57b558 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 17 May 2022 11:23:28 -0400
+Subject: [PATCH 1/5] Show usage instead of aborting on bad flags
+
+Aborting here just confuses users and is sufficiently unexpected to
+cause the filing of bugs.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
+Signed-off-by: Robbie Harwood
+---
+ src/mokutil.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 5d725c9..e8228af 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
+ goto out;
+ case 'h':
+ case '?':
++ default:
+ command |= HELP;
+ break;
+- default:
+- abort ();
+ }
+ }
+
+--
+2.33.0
+
diff --git a/0002-mokutil-bugfix-del-unused-opt-s.patch b/0002-mokutil-bugfix-del-unused-opt-s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..33ca04e890399436efa898ca95ed240f54f423e1
--- /dev/null
+++ b/0002-mokutil-bugfix-del-unused-opt-s.patch
@@ -0,0 +1,28 @@
+From 04791c29e198b18808bca519267e31c8d3786a08 Mon Sep 17 00:00:00 2001
+From: gaoyusong
+Date: Mon, 30 May 2022 17:54:47 +0800
+Subject: [PATCH 2/5] mokutil bugfix: del unused opt "-s"
+
+The -s option can cause unexcepted result.
+
+Signed-off-by: gaoyusong
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index e8228af..6982ade 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
+ };
+
+ int option_index = 0;
+- c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
++ c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
+ long_options, &option_index);
+
+ if (c == -1)
+--
+2.33.0
+
diff --git a/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch b/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bc7c7587e89c071b6e0254ff599382b3c5538141
--- /dev/null
+++ b/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
@@ -0,0 +1,30 @@
+From d978c18f61b877afaab45a82d260b525423b8248 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 2 Jun 2022 12:56:31 -0400
+Subject: [PATCH 3/5] Fix leak of list in delete_data_from_req_var()
+
+Signed-off-by: Robbie Harwood
+---
+ src/util.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 621869f..6cd0302 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
+ }
+
+ /* the key or hash is not in this list */
+- if (start == NULL)
+- return 0;
++ if (start == NULL) {
++ ret = 0;
++ goto done;
++ }
+
+ /* all keys are removed */
+ if (total == 0) {
+--
+2.33.0
+
diff --git a/0004-Fix-leak-of-fd-in-mok_get_variable.patch b/0004-Fix-leak-of-fd-in-mok_get_variable.patch
new file mode 100644
index 0000000000000000000000000000000000000000..91d07043a4d8c89b3b4d63c638be38c4ea65ae63
--- /dev/null
+++ b/0004-Fix-leak-of-fd-in-mok_get_variable.patch
@@ -0,0 +1,72 @@
+From e498f6460ff5aea6a7cd61a33087d03e88a2f52a Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 2 Jun 2022 13:00:22 -0400
+Subject: [PATCH 4/5] Fix leak of fd in mok_get_variable()
+
+On success, it was never closed. Refactor the code to use a single
+egress path so its closure is clear.
+
+Signed-off-by: Robbie Harwood
+---
+ src/util.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 6cd0302..f7fc033 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+ return fd;
+
+ rc = fstat(fd, &sb);
+- if (rc < 0) {
+-err_close:
+- close(fd);
+- return rc;
+- }
++ if (rc < 0)
++ goto done;
+
+ if (sb.st_size == 0) {
+ errno = ENOENT;
+ rc = -1;
+- goto err_close;
++ goto done;
+ }
+
+ bufsz = sb.st_size;
+ buf = calloc(1, bufsz);
+- if (!buf)
+- goto err_close;
++ if (!buf) {
++ rc = -1;
++ goto done;
++ }
+
+ while (pos < bufsz) {
+ ssz = read(fd, &buf[pos], bufsz - pos);
+@@ -82,15 +81,18 @@ err_close:
+ errno == EINTR)
+ continue;
+ free(buf);
+- goto err_close;
++ rc = -1;
++ goto done;
+ }
+
+ pos += ssz;
+ }
+ *datap = buf;
+ *data_sizep = pos;
+-
+- return 0;
++ rc = 0;
++done:
++ close(fd);
++ return rc;
+ }
+
+ MokListNode*
+--
+2.33.0
+
diff --git a/mokutil.spec b/mokutil.spec
index edb0276441b1b0e198b92ceefc13f8777b7f8794..22d4cda627b05e5674db1151e2071d43a58bd715 100644
--- a/mokutil.spec
+++ b/mokutil.spec
@@ -1,6 +1,6 @@
 Name: mokutil
-Version: 0.4.0
-Release: 3
+Version: 0.6.0
+Release: 1
 Epoch: 1
 Summary: Tools for manipulating machine owner keys
 License: GPLv3+
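Review bot: The new single egress path `done: close(fd); return rc;` lets close() overwrite errno on every failure path, including the ENOENT the function sets on purpose when `sb.st_size == 0`, so a caller that reports errno can print a misleading cause; preserving it with `int saved_errno = errno; close(fd); errno = saved_errno;` before the return keeps the intended error (the old err_close label had the same exposure, so the commit does not address it). Separately, the loop `while (pos < bufsz)` only advances via `pos += ssz`; unless the lines between the two hunks reject `ssz == 0`, a file that shrinks between fstat() and read() would spin forever, which is worth confirming if, as the name suggests, this reads a firmware-variable view whose size can change underneath. The body of mok_get_variable() begins before the first hunk.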
@@ -11,7 +11,10 @@ BuildRequires:gcc autoconf automake gnu-efi openssl-devel openssl efivar-devel >
 Conflicts: shim < 0.8-1
 Obsoletes: mokutil < 0.2.0
 
-Patch0000: 0001-Avoid-taking-pointer-to-packed-struct.patch
+Patch0000: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
+Patch0001: 0002-mokutil-bugfix-del-unused-opt-s.patch
+Patch0002: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
+Patch0003: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
 
 %description
 The utility to manipulate machines owner keys which managed in shim.
@@ -59,6 +62,9 @@ make check
 %{_mandir}/man1/*
 
 %changelog
+* Tue Aug 2 2022 gaoyusong - 1:0.6.0-1
+- DESC: Update to 0.6.0 with latest bug fix
+
 * Fri Jul 30 2021 chenyanpanHW - 0.4.0-3
 - DESC: delete -Sgit from %autosetup, and delete BuildRequires git git
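Review bot: The changelog line `- DESC: Update to 0.6.0 with latest bug fix` does not say why the previous Patch0000 (0001-Avoid-taking-pointer-to-packed-struct.patch) was dropped nor that four new patches are now carried, and since the added files' Subject lines run from `[PATCH 1/5]` to `[PATCH 4/5]`, a reader will also wonder whether the fifth patch of that upstream series was left out on purpose. An entry such as `- Drop packed-struct patch (presumed merged in 0.6.0); carry upstream fixes 1-4 of 5: usage on bad flags, remove -s, list and fd leaks` would record the reasoning, with the merged-upstream claim stated only after checking the 0.6.0 tarball. The second hunk's last changelog line may continue past the end of this excerpt.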