Compare commits


12 Commits

Author SHA1 Message Date
openeuler-ci-bot
ef908597c4
!53 Remove unused i option in authvar
From: @cherry530 
Reviewed-by: @wk333 
Signed-off-by: @wk333
2024-05-07 07:42:01 +00:00
root
ac450355bd Remove unused i option in authvar
Signed-off-by: cherry530 <707078654@qq.com>
2024-05-07 15:16:41 +08:00
openeuler-ci-bot
6a77d3896d
!35 [sync] PR-34: CVE-2022-3560
From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
2023-02-15 13:27:40 +00:00
phluo
261093b9f6 Fix CVE-2022-3560
(cherry picked from commit 083c7c618bc1115a86e77fab98c7f48e6cf66632)
2023-02-15 18:01:25 +08:00
openeuler-ci-bot
865615ccc3 !13 Fix build nss patch
From: @baizg1107
Reviewed-by: @small_leek
Signed-off-by: @small_leek
2020-10-13 10:59:58 +08:00
baizg1107
a111a4d456 Fix build nss patch add. 2020-10-10 14:18:18 +08:00
openeuler-ci-bot
e3ea84a3af !6 remove cert
Merge pull request !6 from small_leek/xsl
2020-06-05 11:22:28 +08:00
root
a99dfcf148 remove cert 2020-06-05 10:58:47 +08:00
root
466c022933 remove cert 2020-06-05 10:55:54 +08:00
openeuler-ci-bot
56fc341968 !3 add yaml
Merge pull request !3 from jackie_wu123/master
2020-05-09 15:40:47 +08:00
jackie_wu123
5c7bfd0973 add yaml 2020-05-08 11:30:41 +08:00
jackie_wu123
71b3da888d add yaml 2020-05-08 11:20:30 +08:00
8 changed files with 146 additions and 17 deletions

Fix-CVE-2022-3560.patch Normal file

@ -0,0 +1,61 @@
--- a/src/pesign-authorize 2023-02-14 16:34:30.937317398 +0800
+++ b/src/pesign-authorize 2023-02-14 16:36:55.343001392 +0800
@@ -2,55 +2,11 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
done
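Review bot: The `|| true` on the new `chown -R` and `chmod -R` lines turns every failure into success, so a permission restore that fails (for example when `/etc/pki/pesign*/` matches nothing and stays a literal pattern, since nullglob is not set) exits 0 without leaving a trace; at minimum report it, e.g. `chown -R pesign:pesign "${x}" || printf 'pesign-authorize: chown failed for %s\n' "${x}" >&2`. The replacement also widens access compared with the removed per-user ACL loop: `chmod -R ug+rwX` makes every file under these directories writable by the whole `pesign` group rather than the users listed in /etc/pesign/users, which is only equivalent if group membership is the intended access list — worth stating in the deprecation comment. The trailing `/` in `pesign*/` also matches a symlink to a directory, so confirm that the recursion does not dereference links inside these trees (GNU coreutils do not by default). The script's first line is outside the hunk.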


@ -0,0 +1,42 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef..2cd953e 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
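Review bot: `int type = NS_CERT_TYPE_APP;` makes the variable signed although it only holds OR'd bit flags and the old declaration was unsigned; `unsigned int type = NS_CERT_TYPE_APP;` keeps the unsigned semantics and still holds the 496 the compiler rejected. The wider variable also matters if `bitStringValue` is later filled from `&type` with a one-byte length, because the flag bits no longer sit in a single byte — that part of add_cert_type is outside the hunk, so please check how `type` is encoded into the SECItem. The function body continues past the end of the hunk.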


@ -0,0 +1,16 @@
diff -Nur a/src/authvar.c b/src/authvar.c
--- a/src/authvar.c 2022-03-09 01:46:30.000000000 +0800
+++ b/src/authvar.c 2023-05-31 16:47:15.329069974 +0800
@@ -324,12 +324,6 @@
.arg = &ctx.valuefile,
.descrip = "read value from <file>",
.argDescrip = "<file>" },
- {.longName = "import",
- .shortName = 'i',
- .argInfo = POPT_ARG_STRING,
- .arg = &ctx.importfile,
- .descrip = "import variable from <file>",
- .argDescrip = "<file>" },
{.longName = "export",
.shortName = 'e',
.argInfo = POPT_ARG_STRING,
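Review bot: Dropping the `--import`/`-i` table entry is a user-visible CLI change, and the hunk leaves `ctx.importfile` and whatever read it untouched (outside the hunk), so verify that no remaining code path still expects the field and that the popt alias file and man pages shipped by the spec (`%{_sysconfdir}/popt.d/pesign.popt`, `%{_mandir}/man*/*`) do not still document `-i`. If the field becomes dead, remove it in the same patch so the context struct does not carry an unused member. The popt option table continues on both sides of the hunk.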

Binary file not shown.

Binary file not shown.


@ -2,13 +2,11 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 0.113
Release: 1
Release: 6
License: GPLv2
URL: https://github.com/vathpela/pesign
Source0: pesign-%{version}.tar.gz
Source1: certs.tar.xz
Source2: pesign.py
Source3: euleros-certs.tar.bz2
Source0: https://github.com/rhboot/pesign/archive/113.tar.gz
Source1: pesign.py
Obsoletes: pesign-rh-test-certs <= 0.111-7
Requires: nspr nss nss-util popt rpm
Requires(pre): shadow-utils
@ -16,6 +14,9 @@ BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
BuildRequires: python3-rpm-macros python3 systemd python3-devel
Patch0001: Fix-the-build-with-nss-3.44.patch
Patch0002: Fix-CVE-2022-3560.patch
Patch0003: Remove-unused-i-option-in-authvar.patch
%description
pesign is a command line tool for manipulating signatures and
cryptographic digests of UEFI applications.
@ -28,8 +29,7 @@ Requires: %{name} = %{version}-%{release}
Files for help with pesign.
%prep
%autosetup -n %{name}-113 -p1 -T -b 0 -D -c -a 1
tar -jxf %{SOURCE3}
%autosetup -n %{name}-113 -p1 -T -b 0 -D -c
%build
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
@ -38,13 +38,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir}
mkdir -p %{buildroot}/%{_libdir}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} install
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} install_systemd
install -D etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
install -D etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
mv euleros-certs/etc/pki/pesign/euleros-pesign-db %{buildroot}/etc/pki/pesign/
install -D %{buildroot}%{_sysconfdir}/rpm/macros.pesign %{buildroot}%{macrosdir}/macros.pesign
rm -vf %{buildroot}/usr/share/doc/pesign-113/COPYING
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE1} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
@ -66,17 +63,11 @@ exit 0
%doc COPYING
%{_bindir}/*
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%config(noreplace)/%{_sysconfdir}/pesign/*
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
%attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%{_tmpfilesdir}/pesign.conf
@ -91,6 +82,21 @@ exit 0
%{_mandir}/man*/*
%changelog
* Tue May 07 2024 xu_ping <707078654@qq.com> - 0.113-6
- Remove unused i option in authvar
* Wed Feb 15 2023 luopihui <luopihui@ncti-gba.cn> - 0.113-5
- Fix CVE-2022-3560
* Sat Oct 10 2020 baizhonggui <baizhonggui@huawei.com> - 0.113-4
- Fix the build with nss 3.44
* Thu Sep 10 2020 baizhonggui <baizhonggui@huawei.com> - 0.113-3
- Modify source0 and replace package
* Fri Jun 5 2020 Senlin Xia <xiasenlin1@huawei.com> - 0.113-2
- remove certs
* Mon Jan 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.113-1
- Type:bugfix
- Id:NA
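Review bot: `Source0: https://github.com/rhboot/pesign/archive/113.tar.gz` points at a GitHub auto-generated archive rather than a published release artifact, so there is no upstream signature or stable checksum to verify the packaged tarball against; prefer the release tarball the project publishes (with its signature or a recorded checksum) or pin the tag to a commit. The URL also disagrees with `URL: https://github.com/vathpela/pesign` a few lines above and with `src_repo: vathpela/pesign` in pesign.yaml, so the upstream location should be made consistent. Separately, Patch0002 marks pesign-authorize as deprecated while `%{_libexecdir}/pesign/pesign-authorize` and `%config(noreplace)/%{_sysconfdir}/pesign/*` (the users/groups lists the patched script no longer reads) are still packaged — a changelog line saying whether these are kept intentionally would help the next maintainer.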

pesign.yaml Normal file

@ -0,0 +1,4 @@
version_control: github
src_repo: vathpela/pesign
tag_prefix: ^v
seperator: .