diff --git a/backport-Avoid-Python-reference-leaks.patch b/backport-Avoid-Python-reference-leaks.patch new file mode 100644 index 0000000000000000000000000000000000000000..96fc9ca06fe0a3fffff28e3378debf698986c6d6 --- /dev/null +++ b/backport-Avoid-Python-reference-leaks.patch @@ -0,0 +1,64 @@ +From 70db7976d6ca0e6a4140269f21a66c14f6c177ab Mon Sep 17 00:00:00 2001 +From: Karolina Surma +Date: Thu, 29 May 2025 17:31:45 +0200 +Subject: [PATCH] Avoid Python reference leaks + +--- + python/rpmarchive-py.c | 11 +++++++++-- + python/rpmfiles-py.c | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/python/rpmarchive-py.c b/python/rpmarchive-py.c +index b8b9515cf..294fabcf2 100644 +--- a/python/rpmarchive-py.c ++++ b/python/rpmarchive-py.c +@@ -138,12 +138,16 @@ static PyObject *rpmarchive_readto(rpmarchiveObject *s, + return NULL; + } + +- if (s->archive == NULL) ++ if (s->archive == NULL) { ++ Py_DECREF(fdo); + return rpmarchive_closed(); ++ } ++ + + Py_BEGIN_ALLOW_THREADS + rc = rpmfiArchiveReadToFile(s->archive, rpmfdGetFd(fdo), nodigest); + Py_END_ALLOW_THREADS ++ Py_DECREF(fdo); + + if (rc) + return rpmarchive_error(rc); +@@ -163,12 +167,15 @@ static PyObject *rpmarchive_writeto(rpmarchiveObject *s, + return NULL; + } + +- if (s->archive == NULL) ++ if (s->archive == NULL) { ++ Py_DECREF(fdo); + return rpmarchive_closed(); ++ } + + Py_BEGIN_ALLOW_THREADS + rc = rpmfiArchiveWriteFile(s->archive, rpmfdGetFd(fdo)); + Py_END_ALLOW_THREADS ++ Py_DECREF(fdo); + + if (rc) + return rpmarchive_error(rc); +diff --git a/python/rpmfiles-py.c b/python/rpmfiles-py.c +index 2c0845d7b..fb40a7b3e 100644 +--- a/python/rpmfiles-py.c ++++ b/python/rpmfiles-py.c +@@ -464,6 +464,7 @@ static PyObject *rpmfiles_archive(rpmfilesObject *s, + } else { + archive = rpmfiNewArchiveReader(fd, s->files, RPMFI_ITER_READ_ARCHIVE); + } ++ Py_DECREF(fdo); + + return rpmarchive_Wrap(&rpmarchive_Type, s->files, archive); + } +-- +2.33.0 + diff --git a/backport-Check-RPATH-and-RUNPATH-separately-in-check-rpaths.patch b/backport-Check-RPATH-and-RUNPATH-separately-in-check-rpaths.patch new file mode 100644 index 0000000000000000000000000000000000000000..777a0944724f7d99adec00c4f89140929f8cc2e5 --- /dev/null +++ b/backport-Check-RPATH-and-RUNPATH-separately-in-check-rpaths.patch @@ -0,0 +1,60 @@ +From 65178e0cc3d1f5b64613fd046d1070b13f266e51 Mon Sep 17 00:00:00 2001 +From: Florian Festi +Date: Fri, 28 Mar 2025 11:19:35 +0100 +Subject: [PATCH] Check RPATH and RUNPATH separately in check-rpaths + +5417bff optimized rpath checking to only run readelf once. This breaks +in the (rare) cases when a binary has both a RPATH and RUNPATH entry. + +Move the readelf call out of the check_rpath function so both can be +processed separately while still only readelf once. + +Use simpler (and correct) calculation of $lower from before 5417bff. + +Test library from https://github.com/fitzsim/add-runpath-to-rpath-elf + +Resolves: #3667 +--- + scripts/check-rpaths-worker | 10 ++++++---- + 1 files changed, 6 insertions(+), 4 deletions(-) + create mode 100644 tests/data/misc/libboth-rpath-and-runpath.so + +diff --git a/scripts/check-rpaths-worker b/scripts/check-rpaths-worker +index 26f74f0c8..fcc8198c2 100755 +--- a/scripts/check-rpaths-worker ++++ b/scripts/check-rpaths-worker +@@ -94,9 +94,10 @@ function msg() + + function check_rpath() { + pos=0 +- rpath=$(DEBUGINFOD_URLS="" readelf -W -d "$1" 2>/dev/null | LANG=C grep -E "\((RPATH|RUNPATH)\).*:") || return 0 ++ rpath=$(echo "$1" | LANG=C grep -E "\(($2)\).*:") || return 0 + rpath_orig="$rpath" +- rpath=$(echo "$rpath" | LANG=C sed -e "s!.*\(RPATH\|RUNPATH\).*: \[\(.*\)\]!\2!p;d") ++ rpath=$(echo "$rpath" | LANG=C sed -e "s!.*\($2\).*: \[\(.*\)\]!\2!p;d") ++ lower=$(echo $2 | awk '{print tolower($0)}') + + tmp=aux:$rpath:/lib/aux || : + IFS=: +@@ -106,7 +107,6 @@ function check_rpath() { + + allow_ORIGIN=1 + for j; do +- lower=$(echo $rpath_orig | grep -E -o "RPATH|RUNPATH" | awk '{print tolower($0)}') + new_allow_ORIGIN=0 + + if test -z "$j"; then +@@ -159,7 +159,9 @@ function check_rpath() { + old_IFS=$IFS + + for i; do +- check_rpath $i ++ paths=$(DEBUGINFOD_URLS="" readelf -W -d "$i" 2>/dev/null | LANG=C grep -E "\((RPATH|RUNPATH)\).*:") || continue ++ check_rpath "$paths" RPATH ++ check_rpath "$paths" RUNPATH + done + + test -z "$fail" +-- +2.33.0 + diff --git a/backport-Ensure-header-object-is-cleaned-even-in-case-of-an-e.patch b/backport-Ensure-header-object-is-cleaned-even-in-case-of-an-e.patch new file mode 100644 index 0000000000000000000000000000000000000000..7f720361560de9144a13f8e629111ddf5aba3732 --- /dev/null +++ b/backport-Ensure-header-object-is-cleaned-even-in-case-of-an-e.patch @@ -0,0 +1,36 @@ +From 09a680763efef03151cfaf07dc71b6502b148138 Mon Sep 17 00:00:00 2001 +From: Karolina Surma +Date: Thu, 26 Jun 2025 18:00:05 +0200 +Subject: [PATCH] Ensure header object is cleaned even in case of an error + +rpmReadPackageFile can set h even in case rpmrc is an error, which +resulted in memory leaks. +--- + python/rpmts-py.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/python/rpmts-py.c b/python/rpmts-py.c +index b1575f34e..21f6ef00f 100644 +--- a/python/rpmts-py.c ++++ b/python/rpmts-py.c +@@ -406,7 +406,7 @@ rpmts_HdrFromFdno(rpmtsObject * s, PyObject *arg) + { + PyObject *ho = NULL; + rpmfdObject *fdo = NULL; +- Header h; ++ Header h = NULL; + rpmRC rpmrc; + + if (!PyArg_Parse(arg, "O&:HdrFromFdno", rpmfdFromPyObject, &fdo)) +@@ -425,7 +425,7 @@ rpmts_HdrFromFdno(rpmtsObject * s, PyObject *arg) + Py_END_ALLOW_THREADS; + Py_XDECREF(fdo); + +- if (rpmrc == RPMRC_OK) { ++ if (h) { + ho = hdr_Wrap(&hdr_Type, h); + } else { + Py_INCREF(Py_None); +-- +2.33.0 + diff --git a/rpm.spec b/rpm.spec index 535bb12dd4b9313dc7e435a9cac3051419ab92bf..133f549e5f8baf919f22bd3ee6e958560ee19384 100644 --- a/rpm.spec +++ b/rpm.spec @@ -1,6 +1,6 @@ Name: rpm Version: 4.18.2 -Release: 25 +Release: 28 Summary: RPM Package Manager License: GPL-2.0-or-later URL: https://rpm.org/ @@ -67,6 +67,9 @@ Patch6044: backport-Fix-race-condition-in-rpmioMkpath.patch Patch6045: backport-Ignore-EPERM-for-root-when-setting-IMA-signature-xat.patch Patch6046: backport-Fix-a-copy-paste-help-description-of-rpmbuild-rf-and.patch Patch6047: backport-Return-1-from-fdSize-for-non-regular-files.patch +Patch6048: backport-Check-RPATH-and-RUNPATH-separately-in-check-rpaths.patch +Patch6049: backport-Avoid-Python-reference-leaks.patch +Patch6050: backport-Ensure-header-object-is-cleaned-even-in-case-of-an-e.patch Patch9000: Add-digest-list-plugin.patch Patch9001: Add-IMA-digest-list-support.patch @@ -356,6 +359,15 @@ make clean %exclude %{_mandir}/man8/rpmspec.8* %changelog +* Thu Aug 14 2025 fuanan - 4.18.2-28 +- sync patches from upstream + +* Wed Aug 13 2025 fuanan - 4.18.2-27 +- revert 'backport Remove checks during parsing of packages' + +* Fri Jul 18 2025 andy - 4.18.2-26 +- backport Remove checks during parsing of packages + * Wed Jul 2 2025 andy - 4.18.2-25 - sync patches form upstream