Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at 2026-01-14 16:19:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rpmlint (Old) and /work/SRC/openSUSE:Factory/.rpmlint.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rpmlint" Wed Jan 14 16:19:22 2026 rev:521 rq:1326381 version:2.8.0+git20260109.9de011f4 Changes: -------- --- /work/SRC/openSUSE:Factory/rpmlint/rpmlint.changes 2025-12-20 21:46:45.343841076 +0100 +++ /work/SRC/openSUSE:Factory/.rpmlint.new.1928/rpmlint.changes 2026-01-14 16:19:27.219956069 +0100 @@ -1,0 +2,15 @@ +Fri Jan 09 17:21:54 UTC 2026 - Filippo Bonazzi <[email protected]> + +- Update to version 2.8.0+git20260109.9de011f4: + * systemd-tmpfiles: whitelist dracut /boot/dracut cleanup entry (bsc#1256380) + * configs/openSUSE: whitelist Foomuuri D-Bus and sysctl files (bsc#1254385) + * systemd-tmpfiles: add aaa_base /var/adm dirs (bsc#1255794) + * DBusPolicyCheck: Catch unsafe wildcard allow lists in policies (bsc#1215247) + +------------------------------------------------------------------- +Wed Jan 07 13:52:34 UTC 2026 - Wolfgang Frisch <[email protected]> + +- Update to version 2.8.0+git20260107.d0f65b36: + * permissions-whitelist: update postfix (bsc#1254597) + +------------------------------------------------------------------- Old: ---- rpmlint-2.8.0+git20251215.35efabff.tar.xz New: ---- rpmlint-2.8.0+git20260109.9de011f4.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpmlint.spec ++++++ --- /var/tmp/diff_new_pack.V0FYkQ/_old 2026-01-14 16:19:29.072031651 +0100 +++ /var/tmp/diff_new_pack.V0FYkQ/_new 2026-01-14 16:19:29.076031788 +0100 @@ -1,7 +1,7 @@ # # spec file for package rpmlint # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -23,7 +23,7 @@ %define name_suffix -%{flavor} %endif Name: rpmlint%{name_suffix} -Version: 2.8.0+git20251215.35efabff +Version: 2.8.0+git20260109.9de011f4 Release: 0 Summary: RPM file correctness checker License: GPL-2.0-or-later ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.V0FYkQ/_old 2026-01-14 16:19:29.144034118 +0100 +++ /var/tmp/diff_new_pack.V0FYkQ/_new 2026-01-14 16:19:29.152034392 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/rpm-software-management/rpmlint.git</param> - <param name="changesrevision">35efabffa85d648a2bd33c65c57a6de1671bc691</param></service></servicedata> + <param name="changesrevision">9de011f4dbec6936783006eef782642d87b6369c</param></service></servicedata> (No newline at EOF) ++++++ rpmlint-2.8.0+git20251215.35efabff.tar.xz -> rpmlint-2.8.0+git20260109.9de011f4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/dbus-services.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/dbus-services.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/dbus-services.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/dbus-services.toml 2026-01-09 11:03:02.000000000 +0100 
@@ -1483,3 +1483,23 @@ path = "/usr/share/dbus-1/system.d/org.kde.smb4k.mounthelper.conf" digester = "xml" hash = "c67705447819baeede72d3f1efd4f1df22f86b5916af1cdf64e542630821539e" + +[[FileDigestGroup]] +package = "foomuuri" +note = "Firewall management via D-Bus" +bug = "bsc#1254385" +type = "dbus" +[[FileDigestGroup.digests]] +path = "/usr/share/dbus-1/system.d/fi.foobar.Foomuuri1.conf" +digester = "xml" +hash = "f94635f00f0cc1c8622a9a36677e91736fe37221d7a9ab05484ac238e16790aa" + +[[FileDigestGroup]] +package = "foomuuri-firewalld" +note = "Firewall management via D-Bus (firewalld drop-in)" +bug = "bsc#1254385" +type = "dbus" +[[FileDigestGroup.digests]] +path = "/usr/share/dbus-1/system.d/fi.foobar.Foomuuri-FirewallD.conf" +digester = "xml" +hash = "a4d61b04ab65225d2e11f60a3fcaf2705ae9ce9dcea9c5d814d7be6724403250" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/opensuse.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/opensuse.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/opensuse.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/opensuse.toml 2026-01-09 11:03:02.000000000 +0100 @@ -266,6 +266,7 @@ "dbus-file-ghost", "dbus-file-unauthorized", "dbus-file-symlink", + "dbus-policy-allow-wildcard", "device-mismatched-attrs", "device-unauthorized-file", "non-position-independent-executable", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/permissions-whitelist.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/permissions-whitelist.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/permissions-whitelist.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/permissions-whitelist.toml 2026-01-09 11:03:02.000000000 +0100 
@@ -19,20 +19,20 @@ type = "permissions" [[FileDigestGroup.digests]] path = "/etc/permissions.d/postfix" -hash = "6233f37dc93ae05d476bbeb03ffa6de4d006893a9d5c91d38afb66506d224e9d" +hash = "6f2e5d01189c05662083125ae3addab8b7273f6a57eae8369bc34b08a9a1d638" [[FileDigestGroup.digests]] path = "/etc/permissions.d/postfix.paranoid" -hash = "d5e51380e7ec868a42d336c868fc012ab95cac771d95361504cc6040b8d86221" +hash = "54d194477fc688076940c93bfd201680b5cc0fd6079bba10bd0101fb986a2231" [[FileDigestGroup]] package = "postfix-bdb" type = "permissions" [[FileDigestGroup.digests]] path = "/etc/permissions.d/postfix" -hash = "6233f37dc93ae05d476bbeb03ffa6de4d006893a9d5c91d38afb66506d224e9d" +hash = "6f2e5d01189c05662083125ae3addab8b7273f6a57eae8369bc34b08a9a1d638" [[FileDigestGroup.digests]] path = "/etc/permissions.d/postfix.paranoid" -hash = "d5e51380e7ec868a42d336c868fc012ab95cac771d95361504cc6040b8d86221" +hash = "54d194477fc688076940c93bfd201680b5cc0fd6079bba10bd0101fb986a2231" [[FileDigestGroup]] package = "sendmail" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/scoring-strict.override.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/scoring-strict.override.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/scoring-strict.override.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/scoring-strict.override.toml 2026-01-09 11:03:02.000000000 +0100 
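Review bot: The replaced digests for `/etc/permissions.d/postfix` and `/etc/permissions.d/postfix.paranoid` carry no reference to the review that approved them. The `postfix-bdb` group visible in this hunk has only `package` and `type`, whereas the `FileDigestGroup` entries added to the D-Bus and sysctl whitelists in this commit record `bug` and `note`. If permissions groups accept the same keys (not visible here), adding `bug = "bsc#1254597"` from the changelog entry would keep the audit trail next to the hash. The `postfix` group's header lies outside the hunk.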
@@ -8,6 +8,7 @@ dbus-file-parse-error = 10000 dbus-file-unauthorized = 10000 dbus-file-symlink = 10000 +dbus-policy-allow-wildcard = 10000 device-mismatched-attrs = 10000 device-unauthorized-file = 10000 invalid-license = 100000 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/scoring.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/scoring.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/scoring.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/scoring.toml 2026-01-09 11:03:02.000000000 +0100 @@ -82,6 +82,7 @@ dbus-file-parse-error = 10 dbus-file-unauthorized = 10 dbus-file-symlink = 10 +dbus-policy-allow-wildcard = 10 sudoers-file-digest-mismatch = 10 sudoers-file-ghost = 10 sudoers-file-unauthorized = 10 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/sysctl-whitelist.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/sysctl-whitelist.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/sysctl-whitelist.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/sysctl-whitelist.toml 2026-01-09 11:03:02.000000000 +0100 
@@ -195,3 +195,13 @@ path = "/usr/lib/sysctl.d/health-checker.conf" digester = "shell" hash = "40838811f1f8ec4f4b19ce8f049f63ab616f92a1d0a8190e29d0bbf6fe43e66a" + +[[FileDigestGroup]] +package = "foomuuri" +note = "networking stack and firewall related settings" +bug = "bsc#1254385" +type = "sysctl" +[[FileDigestGroup.digests]] +path = "/usr/lib/sysctl.d/50-foomuuri.conf" +digester = "shell" +hash = "c5077daeb66bbb4b6f2f160c799950547adf52c9454545080eefef244424e669" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/systemd-tmpfiles.toml new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/systemd-tmpfiles.toml --- old/rpmlint-2.8.0+git20251215.35efabff/configs/openSUSE/systemd-tmpfiles.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/configs/openSUSE/systemd-tmpfiles.toml 2026-01-09 11:03:02.000000000 +0100 @@ -125,3 +125,22 @@ entries = [ "d /var/samba/spool 1777 root root" ] + +[[SystemdTmpfilesWhitelist]] +package = "aaa_base-extras" +bugs = ["bsc#1255794"] +note = "Regular directories in /var/adm/backup" +path = "/usr/lib/tmpfiles.d/adm-backup.conf" +entries = [ + "d /var/adm/backup/rpmdb 0755 root root -", + "d /var/adm/backup/sysconfig 0755 root root -" +] + +[[SystemdTmpfilesWhitelist]] +package = "dracut-tools" +bugs = ["bsc#1256380"] +note = "Regular directory in /boot/dracut" +path = "/usr/lib/tmpfiles.d/dracut.conf" +entries = [ + "D /boot/dracut - - - -" +] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/rpmlint/checks/DBusPolicyCheck.py new/rpmlint-2.8.0+git20260109.9de011f4/rpmlint/checks/DBusPolicyCheck.py --- old/rpmlint-2.8.0+git20251215.35efabff/rpmlint/checks/DBusPolicyCheck.py 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/rpmlint/checks/DBusPolicyCheck.py 2026-01-09 11:03:02.000000000 +0100 
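Review bot: In the `dracut-tools` entry added to systemd-tmpfiles.toml, the `note` reads "Regular directory in /boot/dracut", but the whitelisted line is of type `D`, not `d`. In tmpfiles.d, `D` additionally empties the directory when `systemd-tmpfiles --remove` runs, while the `aaa_base-extras` entries just above use plain `d`. The note should record that difference so a later auditor can see that content removal under /boot was reviewed, e.g. `note = "Directory /boot/dracut; contents are purged on systemd-tmpfiles --remove (type D)"`.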
@@ -47,6 +47,33 @@ allow.hasAttribute('receive_interface')): self.output.add_info('W', pkg, 'dbus-policy-allow-receive', allow.toxml(), f) + # to prevent bugs like bsc#1220215, scan for any attributes like + # send_destination="*" and reject them + + for key, val in allow.attributes.items(): + # Ignore member settings, these can have valid use cases for + # wildcards. + if key == 'send_member': + continue + + # Otherwise inspect all attributes starting with 'send_', + # there's quite a lot of them and most support an asterisk as + # value. + # + # In theory there could be valid use cases when this is not in + # context="default" but restricted to some specific, powerful + # user account or group, but at the moment no such example is + # known. + # + # According to documentation only a single "*" may appear or a + # fixed string, nothing like "org.*". We are still checking + # for appearance of any wildcard in the string; there should + # not be any valid use cases for an asterisk appearing there + # and this way we might catch some additional cases of weird + # things going on. + if key.startswith('send_') and '*' in val: + self.output.add_info('E', pkg, 'dbus-policy-allow-wildcard', allow.toxml(), f) + return send_policy_seen def _check_deny_policy_element(self, pkg, f, policy): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/rpmlint/descriptions/DBusPolicyCheck.toml new/rpmlint-2.8.0+git20260109.9de011f4/rpmlint/descriptions/DBusPolicyCheck.toml --- old/rpmlint-2.8.0+git20251215.35efabff/rpmlint/descriptions/DBusPolicyCheck.toml 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/rpmlint/descriptions/DBusPolicyCheck.toml 2026-01-09 11:03:02.000000000 +0100 
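Review bot: The new loop only inspects attributes whose name starts with `send_`, so a bus-wide `<allow own="*"/>` rule passes it. Unless another check in this file already covers name ownership, consider widening the condition, e.g. `if (key.startswith('send_') or key == 'own') and '*' in val:`. The loop also keeps iterating after a hit, so an element such as `<allow send_destination="*" send_interface="*"/>` is reported once per matching attribute with identical `allow.toxml()` text; a `break` after the `add_info` call avoids the duplicate. The comment cites bsc#1220215 while the changelog entry for this check cites bsc#1215247, so it is worth confirming the reference is the intended one. The enclosing method starts before the hunk.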
@@ -13,3 +13,8 @@ dbus-parsing-exception=""" A python exception was raised which prevents further analysis of the DBus rule file.""" +dbus-policy-allow-wildcard=""" +'allow' directives with wildcard send_<category>="*" attributes are not +allowed, since they affect the complete system bus, not only a specific +service. Use a more specific setting like +send_destination="org.freedesktop.Accounts".""" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/test/files/systemd/org.freedesktop.NetworkManager.conf new/rpmlint-2.8.0+git20260109.9de011f4/test/files/systemd/org.freedesktop.NetworkManager.conf --- old/rpmlint-2.8.0+git20251215.35efabff/test/files/systemd/org.freedesktop.NetworkManager.conf 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/test/files/systemd/org.freedesktop.NetworkManager.conf 2026-01-09 11:03:02.000000000 +0100 @@ -120,6 +120,7 @@ send_interface="org.freedesktop.NetworkManager.Settings"/> <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Settings.Connection"/> + <allow send_destination="*"/> <!-- Agents; secured with PolicyKit. Any process can talk to the AgentManager API, but only NetworkManager can talk diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rpmlint-2.8.0+git20251215.35efabff/test/test_dbus_policy.py new/rpmlint-2.8.0+git20260109.9de011f4/test/test_dbus_policy.py --- old/rpmlint-2.8.0+git20251215.35efabff/test/test_dbus_policy.py 2025-12-15 09:41:15.000000000 +0100 +++ new/rpmlint-2.8.0+git20260109.9de011f4/test/test_dbus_policy.py 2026-01-09 11:03:02.000000000 +0100 
@@ -24,3 +24,4 @@ assert 'W: dbus-policy-allow-receive <allow receive_sender="foo"/>' in out assert 'E: dbus-policy-deny-without-destination <deny send_interface="org.freedesktop.NetworkManager.Settings" send_member="ReloadConnections"/>' in out assert 'E: dbus-policy-missing-allow /etc/dbus-1/system.d/org.freedesktop.NetworkManager2.conf' in out + assert 'E: dbus-policy-allow-wildcard <allow send_destination="*"/> /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf' in out
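Review bot: The added assertion covers only the `send_destination="*"` case, so the two branches that make the check non-trivial are untested. These are that `send_member` wildcards are deliberately skipped, and that an asterisk embedded in a longer value (the `org.*` case mentioned in the check's comment) is still flagged. Adding fixture lines for an embedded wildcard on another `send_` attribute and for a `send_member="*"` rule, with one positive assertion and one `not in out` assertion, would pin both. The test function starts before the hunk.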
