diff --git a/0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch b/0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c47079eb879cb5570bb91116b93d4d4214b269c0
--- /dev/null
+++ b/0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch
@@ -0,0 +1,67 @@
+From f7333277c2709b147e2f2a3ab357ec3a195fb1f5 Mon Sep 17 00:00:00 2001
+From: Chris Dunlap
+Date: Fri, 4 Dec 2020 21:31:34 -0800
+Subject: [PATCH 2/4] Sharness: Fix dup of failing check when run by root
+
+When the test suite is run by root, the following two failures occur in
+"0103-munged-security-logfile.t":
+
+ 10 - logfile not writable by user failure
+ 31 - logfile failure writes single message to stderr
+
+This second test, "logfile failure writes single message to stderr",
+checks for a regression of a duplicate error message being written to
+stderr by forcing an expected failure -- namely, setting the logfile
+perms to 0400 and expecting an error when opening the logfile because
+the user does not have write-permissions. This expected failure is
+the check being performed in the first test, "logfile not writable
+by user failure".
+
+Fix the test for "logfile failure writes single message to stderr"
+by forcing a different error that is not affected by root privileges.
+In particular, set the logfile perms to 0602 which will fail because
+the logfile is now writable by other; this will fail regardless of
+whether or not the user is root.
+
+Tested:
+- Arch Linux
+- CentOS Stream 8, 8.3.2011, 7.9.2009, 6.10
+- Debian sid, 10.8, 9.13, 8.11, 7.11, 6.0.10, 5.0.10, 4.0
+- Fedora 33, 32, 31
+- FreeBSD 12.2, 11.4
+- NetBSD 9.1, 9.0, 8.1
+- OpenBSD 6.8, 6.7, 6.6
+- openSUSE 15.2, 15.1
+- Raspberry Pi OS (Raspbian 10) [armv7l]
+- Ubuntu 20.10, 20.04.2 LTS, 18.04.5 LTS, 16.04.7 LTS, 14.04.6 LTS, 12.04.5 LTS
+---
+ t/0103-munged-security-logfile.t | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/t/0103-munged-security-logfile.t b/t/0103-munged-security-logfile.t
+index fafd973..40b59a6 100755
+--- a/t/0103-munged-security-logfile.t
++++ b/t/0103-munged-security-logfile.t
+@@ -343,14 +343,16 @@ test_expect_success 'logfile dir writable by other with sticky bit' '
+ chmod 0755 "${MUNGE_LOGDIR}"
+ '
+
+-# Check for a regression of a duplicate error message being written to stderr
+-# for a failure to open the logfile.
++# Check for a regression of a duplicate error message being written to stderr.
++# To generate an error, test for the logfile being writable by other since this
++# will not be affected by root privileges.
++#
+ ##
+ test_expect_success 'logfile failure writes single message to stderr' '
+ local ERR NUM &&
+ rm -f "${MUNGE_LOGFILE}" &&
+ touch "${MUNGE_LOGFILE}" &&
+- chmod 0400 "${MUNGE_LOGFILE}" &&
++ chmod 0602 "${MUNGE_LOGFILE}" &&
+ test_must_fail munged_start_daemon t-keep-logfile 2>err.$$ &&
+ cat err.$$ &&
+ ERR=$(sed -n -e "s/.*Error: //p" err.$$ | sort | uniq -c | sort -n -r) &&
+--
+2.30.0
+
diff --git a/0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch b/0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a6bc3f84d7a35e8e5b9ad86a92dc357aff599c69
--- /dev/null
+++ b/0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch
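Review bot: With the trigger changed from `chmod 0400` to `chmod 0602`, the test 'logfile failure writes single message to stderr' no longer drives the path the removed comment named (`for a failure to open the logfile`); it now fails in the writable-by-other permission check instead. If the duplicate-message regression was specific to the failed-open path, it is presumably no longer covered for any user, root or not. The new comment should say so, e.g. `# NOTE: this exercises the writable-by-other check, not a failed open of the logfile.`, or the 0400 variant could be kept as a second case that is skipped for root. The body of the test continues past the end of the hunk.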
@@ -0,0 +1,67 @@
+From 014cff3c0ba16fc645eeceeb16eb6be8132c59fd Mon Sep 17 00:00:00 2001
+From: Chris Dunlap
+Date: Fri, 4 Dec 2020 23:50:39 -0800
+Subject: [PATCH 3/4] Sharness: Fix EACCES failure succeeding for root
+
+When the test suite is run by root, the following failure occurs in
+"0103-munged-security-logfile.t":
+
+ 10 - logfile not writable by user failure
+
+This sets the logfile perms to 0400 to check for an error when the
+logfile is not writable by the user. However, root will not get a
+"permission denied" error here. Consequently, the expected failure
+erroneously succeeds.
+
+Add a check for whether the test is being run by the root user, and
+set the ROOT prerequisite when this is true. Furthermore, add the
+!ROOT prereq to the above test so it will be skipped when run by root.
+
+Tested:
+- Arch Linux
+- CentOS Stream 8, 8.3.2011, 7.9.2009, 6.10
+- Debian sid, 10.8, 9.13, 8.11, 7.11, 6.0.10, 5.0.10, 4.0
+- Fedora 33, 32, 31
+- FreeBSD 12.2, 11.4
+- NetBSD 9.1, 9.0, 8.1
+- OpenBSD 6.8, 6.7, 6.6
+- openSUSE 15.2, 15.1
+- Raspberry Pi OS (Raspbian 10) [armv7l]
+- Ubuntu 20.10, 20.04.2 LTS, 18.04.5 LTS, 16.04.7 LTS, 14.04.6 LTS, 12.04.5 LTS
+---
+ t/0103-munged-security-logfile.t | 4 +++-
+ t/sharness.d/10-root.sh | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+ create mode 100644 t/sharness.d/10-root.sh
+
+diff --git a/t/0103-munged-security-logfile.t b/t/0103-munged-security-logfile.t
+index 40b59a6..9e951b9 100755
+--- a/t/0103-munged-security-logfile.t
++++ b/t/0103-munged-security-logfile.t
+@@ -118,8 +118,10 @@ test_expect_success 'logfile non-regular-file override failure' '
+ '
+
+ # Check for an error when the logfile is not writable by user.
++# Skip this test if running as root since the root user will not get the
++# expected EACCESS failure.
+ ##
+-test_expect_success 'logfile not writable by user failure' '
++test_expect_success !ROOT 'logfile not writable by user failure' '
+ rm -f "${MUNGE_LOGFILE}" &&
+ touch "${MUNGE_LOGFILE}" &&
+ chmod 0400 "${MUNGE_LOGFILE}" &&
+diff --git a/t/sharness.d/10-root.sh b/t/sharness.d/10-root.sh
+new file mode 100644
+index 0000000..5a2fd28
+--- /dev/null
++++ b/t/sharness.d/10-root.sh
+@@ -0,0 +1,6 @@
++##
++# Is the test being run by the root user?
++##
++if test "$(id -u)" = 0; then
++ test_set_prereq ROOT
++fi
+--
+2.30.0
+
diff --git a/0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch b/0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8a56ab22486af82c5cdd521597e6729037407b5a
--- /dev/null
+++ b/0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch
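Review bot: The ROOT prerequisite in t/sharness.d/10-root.sh keys on `id -u` being 0, which is only a proxy for what the skipped test depends on, namely whether the process can bypass file-mode checks. Root with capabilities dropped would still get the error and lose the test needlessly, while a non-root process holding CAP_DAC_OVERRIDE would still run it and fail; a comment such as `# uid 0 is used as a proxy for bypassing file permission checks` would document that limit. With `!ROOT` on 'logfile not writable by user failure', a check stage that runs as root no longer exercises this logfile permission check at all, so it is worth confirming the suite also runs unprivileged somewhere. The comment added in 0103-munged-security-logfile.t spells the errno name `EACCESS`, whereas the commit subject uses `EACCES`.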
@@ -0,0 +1,146 @@
+From 2ad81007d2371f536af9e231490357c928eca53a Mon Sep 17 00:00:00 2001
+From: Chris Dunlap
+Date: Wed, 2 Dec 2020 09:50:27 -0800
+Subject: [PATCH 4/4] HKDF: Fix big-endian bug caused by size_t ptr cast
+
+When Fedora updated to 0.5.14 and added the new test suite to their
+rpm spec's %check, munge successfully built but its test suite failed
+on s390x for hkdf_test:
+
+> FAIL: hkdf_test
+> ===============
+> Failed to finalize HKDF MAC ctx for extraction
+
+This is caused by the cast of prklenp from a size_t * to an int *
+in _hkdf_extract().
+
+On s390x, memory ordering is big-endian and size_t is an alias for
+unsigned long. Thus, a ptr to an 8-byte size_t was being cast to a
+ptr to a 4-byte int.
+
+This worked on little-endian systems (of which all my test systems
+had been) since the least-significant byte is stored at the smallest
+memory address (the little end), and the stored value always fit
+within 4 bytes. But on big-endian systems, the least-significant
+byte is stored at the largest memory address (the big end) which
+differs for 4-byte and 8-byte values.
+
+Remove the cast by using an int variable as an intermediary.
+
+Reference:
+- https://fedoraproject.org/wiki/Architectures/s390x#Notes_for_application_developers_and_package_maintainers
+- https://bugzilla.redhat.com/show_bug.cgi?id=1923337
+- https://bugs.launchpad.net/bugs/1915457
+- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982564
+
+Tested:
+- Arch Linux
+- CentOS Stream 8, 8.3.2011, 7.9.2009, 6.10
+- Debian sid, 10.8, 9.13, 8.11, 7.11, 6.0.10, 5.0.10, 4.0
+- Fedora 33 [s390x, x86_64], 32, 31
+- FreeBSD 12.2, 11.4
+- NetBSD 9.1, 9.0, 8.1
+- OpenBSD 6.8, 6.7, 6.6
+- openSUSE 15.2, 15.1
+- Raspberry Pi OS (Raspbian 10) [armv7l]
+- Ubuntu 20.10, 20.04.2 LTS, 18.04.5 LTS, 16.04.7 LTS, 14.04.6 LTS, 12.04.5 LTS
+
+Closes #91
+---
+ src/common/hkdf.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/hkdf.c b/src/common/hkdf.c
+index ac7ab6f..364f3e0 100644
+--- a/src/common/hkdf.c
++++ b/src/common/hkdf.c
+@@ -32,6 +32,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -316,6 +317,7 @@ _hkdf_extract (hkdf_ctx_t *ctxp, void *prk, size_t *prklenp)
+ {
+ mac_ctx mac_ctx;
+ int mac_ctx_is_initialized = 0;
++ int prklen;
+ int rv = 0;
+
+ assert (ctxp != NULL);
+@@ -325,6 +327,14 @@ _hkdf_extract (hkdf_ctx_t *ctxp, void *prk, size_t *prklenp)
+ assert (prklenp != NULL);
+ assert (*prklenp > 0);
+
++ /* Convert prklen size_t to int for the call to mac_final() since the parm
++ * is being passed as a ptr, and size of size_t and int may differ.
++ * *prklenp must be representable as an int because it was assigned
++ * (via ctxp->mdlen) by mac_size() which returns an int.
++ */
++ assert (*prklenp <= INT_MAX);
++ prklen = (int) *prklenp;
++
+ /* Compute the pseudorandom key.
+ * prk = HMAC (salt, ikm)
+ */
+@@ -340,7 +350,7 @@ _hkdf_extract (hkdf_ctx_t *ctxp, void *prk, size_t *prklenp)
+ log_msg (LOG_ERR, "Failed to update HKDF MAC ctx for extraction");
+ goto err;
+ }
+- rv = mac_final (&mac_ctx, prk, (int *) prklenp);
++ rv = mac_final (&mac_ctx, prk, &prklen);
+ if (rv == -1) {
+ log_msg (LOG_ERR, "Failed to finalize HKDF MAC ctx for extraction");
+ goto err;
+@@ -352,6 +362,12 @@ err:
+ return -1;
+ }
+ }
++ /* Update [prklenp] on success.
++ */
++ if (rv >= 0) {
++ assert (prklen >= 0);
++ *prklenp = (size_t) prklen;
++ }
+ return rv;
+ }
+
+@@ -371,7 +387,7 @@ _hkdf_expand (hkdf_ctx_t *ctxp, const void *prk, size_t prklen,
+ unsigned char *dstptr;
+ size_t dstlen;
+ unsigned char *okm = NULL;
+- size_t okmlen;
++ int okmlen;
+ int num_rounds;
+ const int max_rounds = 255;
+ unsigned char round;
+@@ -390,8 +406,14 @@ _hkdf_expand (hkdf_ctx_t *ctxp, const void *prk, size_t prklen,
+
+ /* Allocate buffer for output keying material.
+ * The buffer size is equal to the size of the hash function output.
++ * Note that okmlen must be an int (and not size_t) for the call to
++ * mac_final() since the parm is being passed as a ptr, and size of
++ * size_t and int may differ.
++ * ctxp->mdlen must be representable as an int because it was assigned
++ * by mac_size() which returns an int.
+ */
+- okmlen = ctxp->mdlen;
++ assert (ctxp->mdlen <= INT_MAX);
++ okmlen = (int) ctxp->mdlen;
+ okm = calloc (1, okmlen);
+ if (okm == NULL) {
+ rv = -1;
+@@ -448,7 +470,7 @@ _hkdf_expand (hkdf_ctx_t *ctxp, const void *prk, size_t prklen,
+ "for expansion round #%u", round);
+ goto err;
+ }
+- rv = mac_final (&mac_ctx, okm, (int *) &okmlen);
++ rv = mac_final (&mac_ctx, okm, &okmlen);
+ if (rv == -1) {
+ log_msg (LOG_ERR,
+ "Failed to finalize HKDF MAC ctx "
+--
+2.30.0
+
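Review bot: The new narrowing conversions in _hkdf_extract() and _hkdf_expand() are guarded only by `assert (*prklenp <= INT_MAX)` and `assert (ctxp->mdlen <= INT_MAX)`, both of which disappear when the code is built with NDEBUG. In such a build an out-of-range length would be truncated silently, and in _hkdf_expand() a negative `okmlen` would be converted back to a very large size_t in `calloc (1, okmlen)`. The added comments explain why the values originate from mac_size() and fit in an int, so this is defence in depth rather than a known fault. A runtime guard beside each assert would keep the invariant in release builds: `if (*prklenp > INT_MAX) return -1;` in _hkdf_extract(), which looks safe at that point if the MAC context is only initialised later, and `if (ctxp->mdlen > INT_MAX) { rv = -1; goto err; }` in _hkdf_expand(). Both function bodies extend beyond the hunks shown, so later uses of the now-signed `okmlen` against size_t values could not be checked here.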
diff --git a/munge-0.5.13.tar.xz b/munge-0.5.13.tar.xz deleted file mode 100644 index 0dc717097d02edbf1d0a19c8e40c5752b9f11b3e..0000000000000000000000000000000000000000 Binary files a/munge-0.5.13.tar.xz and /dev/null differ diff --git a/munge-0.5.14.tar.xz b/munge-0.5.14.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..cacf24bb3ba00c70b7b6b1ad7a3f3bfdef3b3156 Binary files /dev/null and b/munge-0.5.14.tar.xz differ diff --git a/munge.spec b/munge.spec index 4e1c233a8f6eae7de411518c986c6aef9d557d93..8d6003a380f636b4f358a8ee40acc31e6b5a91aa 100644 --- a/munge.spec +++ b/munge.spec @@ -1,5 +1,5 @@ Name: munge -Version: 0.5.13 +Version: 0.5.14 Release: 1 Summary: Enables uid & gid authentication across a host cluster License: GPLv3+ and LGPLv3+ @@ -7,6 +7,9 @@ URL: https://dun.github.io/munge/ Source0: https://github.com/dun/munge/releases/download/munge-%{version}/munge-%{version}.tar.xz Source1: create-munge-key Source2: munge.logrotate +Patch1: 0002-Sharness-Fix-dup-of-failing-check-when-run-by-root.patch +Patch2: 0003-Sharness-Fix-EACCES-failure-succeeding-for-root.patch +Patch3: 0004-HKDF-Fix-big-endian-bug-caused-by-size_t-ptr-cast.patch BuildRequires: gcc systemd-units zlib-devel bzip2-devel libgcrypt-devel Requires: munge-libs = %{version}-%{release} Requires(pre): shadow-utils @@ -37,6 +40,9 @@ Runtime libraries for using MUNGE. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 cp -p %{SOURCE1} create-munge-key cp -p %{SOURCE2} munge.logrotate @@ -52,7 +58,6 @@ make install DESTDIR=%{buildroot} install -p -m 755 create-munge-key %{buildroot}/%{_sbindir}/create-munge-key install -p -D -m 644 munge.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/munge rm %{buildroot}/%{_sysconfdir}/sysconfig/munge -rm %{buildroot}/%{_initddir}/munge rm %{buildroot}/%{_libdir}/libmunge.la chmod 700 %{buildroot}%{_var}/lib/munge %{buildroot}%{_var}/log/munge chmod 700 %{buildroot}%{_sysconfdir}/munge 
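Review bot: The source archive is swapped as an opaque binary (munge-0.5.14.tar.xz) and, in the lines shown, `%prep` goes straight from `%setup -q` to the three `%patch` lines with no integrity check on `Source0`. If upstream publishes a detached signature or checksum for the release, carrying it as an additional `Source` and verifying it before `%setup` would let a reviewer confirm the archive matches the upstream release. The patch files are numbered 0002–0004 of a four-part series (`[PATCH 2/4]` to `[PATCH 4/4]`) but are registered as `Patch1`–`Patch3`; a comment above the `Patch` lines saying why 0001 is not carried would avoid confusion during the next rebase.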
@@ -80,22 +85,23 @@ exit 0 %{_bindir}/remunge %{_bindir}/unmunge %{_sbindir}/munged +%{_sbindir}/mungekey %{_sbindir}/create-munge-key %{_mandir}/man1/munge.1.gz %{_mandir}/man1/remunge.1.gz %{_mandir}/man1/unmunge.1.gz %{_mandir}/man7/munge.7.gz %{_mandir}/man8/munged.8.gz +%{_mandir}/man8/mungekey.8.gz %{_unitdir}/munge.service %attr(0700,munge,munge) %dir %{_var}/log/munge %attr(0700,munge,munge) %dir %{_sysconfdir}/munge %attr(0755,munge,munge) %dir %{_var}/run/munge/ %attr(0644,munge,munge) %ghost %{_var}/run/munge/munged.pid %attr(0700,munge,munge) %dir %{_var}/lib/munge -%config(noreplace) %{_tmpfilesdir}/munge.conf %config(noreplace) %{_sysconfdir}/logrotate.d/munge %doc AUTHORS -%doc JARGON META NEWS QUICKSTART README +%doc JARGON NEWS QUICKSTART README %doc doc %files libs @@ -124,5 +130,8 @@ exit 0 %{_mandir}/man3/munge_strerror.3.gz %changelog +* Tue Jan 18 2022 SimpleUpdate Robot - 0.5.14-1 +- Upgrade to version 0.5.14 + * Mon Sep 7 2020 luoshengwei - 0.5.13-1 - package init