Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package secvarctl for openSUSE:Factory checked in at 2024-02-14 23:19:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/secvarctl (Old) and /work/SRC/openSUSE:Factory/.secvarctl.new.1815 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "secvarctl" Wed Feb 14 23:19:27 2024 rev:8 rq:1146544 version:1.0.0+git0.73d91fa Changes: -------- --- /work/SRC/openSUSE:Factory/secvarctl/secvarctl.changes 2023-12-17 21:34:34.890503988 +0100 +++ /work/SRC/openSUSE:Factory/.secvarctl.new.1815/secvarctl.changes 2024-02-14 23:19:33.674032038 +0100 @@ -1,0 +2,8 @@ +Wed Feb 14 09:46:08 UTC 2024 - msucha...@suse.com + +- Update to version v1.0.0 (jsc#PED-5449): + * guest/generate: fix multiple input/output format specifier argument parsing + * guest/read: fix segfault in read -c caused by empty variable name + * guest/verify: only print default PK in get_current_esl_data if verbose is set + +------------------------------------------------------------------- @@ -4 +12 @@ -- Update to version 1.0.0~rc3 (jsc#PED-5449): +- Update to version 1.0.0~rc3: Old: ---- secvarctl-1.0.0~rc3+git0.6f4d730.tar.gz New: ---- secvarctl-1.0.0+git0.73d91fa.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ secvarctl.spec ++++++ --- /var/tmp/diff_new_pack.OHPYcz/_old 2024-02-14 23:19:34.182050353 +0100 +++ /var/tmp/diff_new_pack.OHPYcz/_new 2024-02-14 23:19:34.186050497 +0100 @@ -1,7 +1,7 @@ # # spec file for package secvarctl # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %global make_parms OPENSSL=1 DEBUG=1 Name: secvarctl -Version: 1.0.0~rc3+git0.6f4d730 +Version: 1.0.0+git0.73d91fa Release: 0 Summary: Suite of tools to manipulate and generate Secure Boot variables on POWER License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.OHPYcz/_old 2024-02-14 23:19:34.210051362 +0100 +++ /var/tmp/diff_new_pack.OHPYcz/_new 2024-02-14 23:19:34.214051506 +0100 
@@ -2,9 +2,9 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/open-power/secvarctl.git</param> - <param name="revision">guest-devel</param> - <param name="versionrewrite-pattern">v(.*)-(rc.*)</param> - <param name="versionrewrite-replacement">\1~\2</param> + <param name="revision">main</param> + <param name="versionrewrite-pattern">v(.*)</param> + <param name="versionrewrite-replacement">\1</param> <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.OHPYcz/_old 2024-02-14 23:19:34.230052083 +0100 +++ /var/tmp/diff_new_pack.OHPYcz/_new 2024-02-14 23:19:34.234052227 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/open-power/secvarctl.git</param> - <param name="changesrevision">6f4d730e0d797d9add247bf5285ba51458fbda89</param></service></servicedata> + <param name="changesrevision">73d91faeca1677218d034b117fb6bd3603319fb8</param></service></servicedata> (No newline at EOF) ++++++ secvarctl-1.0.0~rc3+git0.6f4d730.tar.gz -> secvarctl-1.0.0+git0.73d91fa.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/secvarctl-1.0.0~rc3+git0.6f4d730/backends/guest/guest_svc_generate.c new/secvarctl-1.0.0+git0.73d91fa/backends/guest/guest_svc_generate.c --- old/secvarctl-1.0.0~rc3+git0.6f4d730/backends/guest/guest_svc_generate.c 2023-12-08 21:04:16.000000000 +0100 +++ new/secvarctl-1.0.0+git0.73d91fa/backends/guest/guest_svc_generate.c 2024-02-06 18:13:02.000000000 +0100 
@@ -483,6 +483,19 @@ args->append_flag = 1; break; case ARGP_KEY_ARG: + /* there should only be one format specifier, error if another is supplied */ + if (args->input_form && args->output_form) { + prlog(PR_ERR, "ERROR: unknown additional positional argument %s\n", arg); + rc = ARG_PARSE_FAIL; + break; + } + /* both forms should be either set or NULL, this should never be reached. */ + if (!args->input_form ^ !args->output_form) { + prlog(PR_ERR, + "ERROR: only one of input_form/output_form is set, this should not happen\n"); + rc = ARG_PARSE_FAIL; + break; + } /* check if reset key is desired */ if (!strcmp(arg, "reset")) { args->input_form = "reset"; @@ -493,14 +506,22 @@ /* else set input and output formats */ args->input_form = strtok(arg, ":"); args->output_form = strtok(NULL, ":"); + + /* verify both input and output forms are parsed correctly, error otherwise */ + if (!args->input_form || !args->output_form) { + prlog(PR_ERR, + "ERROR: '%s' is not in the correct '<input_format>:<output_format>' form, see usage...\n", + arg); + rc = ARG_PARSE_FAIL; + } break; case ARGP_KEY_SUCCESS: /* check that all essential args are given and valid */ if (args->help_flag) break; else if (args->input_form == NULL || args->output_form == NULL) - prlog(PR_ERR, "ERROR: incorrect '<input_format>:<output_format>', see " - "usage...\n"); + prlog(PR_ERR, + "ERROR: invalid or missing '<input_format>:<output_format>', see usage...\n"); else if (args->time && validate_time(args->time)) prlog(PR_ERR, "invalid timestamp flag '-t YYYY-MM-DDThh:mm:ss' , " "see usage...\n"); @@ -523,13 +544,6 @@ if (rc) prlog(PR_ERR, "failed during argument parsing\n"); - // Special case, filter out appends on PK - if (args->append_flag > 0 && args->variable_name != NULL && - strcmp(PK_VARIABLE, args->variable_name) == 0) { - prlog(PR_ERR, "ERROR: PK does not support the append flag\n"); - rc = ARG_PARSE_FAIL; - } - return rc; } 
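Review bot: When the new check after the two `strtok` calls fails, `args->input_form` can stay set while `args->output_form` is NULL, which is the state the first hunk's `!args->input_form ^ !args->output_form` branch describes as unreachable. If the parser callback runs again for a later positional argument (not visible here), the user would get the internal "this should not happen" message instead of the format error. Clearing both on failure keeps the invariant: `args->input_form = args->output_form = NULL;` before `rc = ARG_PARSE_FAIL;`. `strtok` also collapses repeated delimiters and nothing reads past the second token, so `c::e` and `c:e:x` appear to be accepted as `c:e`; rejecting a non-NULL third `strtok(NULL, ":")` would make the specifier strict. The enclosing `case` block starts and ends outside these hunks.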
@@ -668,6 +682,14 @@ rc = ARG_PARSE_FAIL; goto out; } + + /* special case, filter out appends on PK */ + if (args.append_flag > 0 && args.variable_name != NULL && + strcmp(PK_VARIABLE, args.variable_name) == 0) { + prlog(PR_ERR, "ERROR: PK does not support the append flag\n"); + rc = ARG_PARSE_FAIL; + goto out; + } prlog(PR_INFO, "input file is %s of type %s , output file is %s of type %s\n", args.input_file, args.input_form, args.output_file, args.output_form); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/secvarctl-1.0.0~rc3+git0.6f4d730/backends/guest/guest_svc_read.c new/secvarctl-1.0.0+git0.73d91fa/backends/guest/guest_svc_read.c --- old/secvarctl-1.0.0~rc3+git0.6f4d730/backends/guest/guest_svc_read.c 2023-12-08 21:04:16.000000000 +0100 +++ new/secvarctl-1.0.0+git0.73d91fa/backends/guest/guest_svc_read.c 2024-02-06 18:13:02.000000000 +0100 @@ -126,7 +126,7 @@ rc = validate_x509_certificate(x509); if (rc) prlog(PR_ERR, "ERROR: x509 certificate is invalid (%d)\n", rc); - else if (is_trustedcadb_variable(variable_name)) { + else if (variable_name && is_trustedcadb_variable(variable_name)) { if (!crypto_x509_is_CA(x509)) { prlog(PR_ERR, "ERROR: it is not CA certificate\n"); rc = CERT_FAIL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/secvarctl-1.0.0~rc3+git0.6f4d730/test/Makefile new/secvarctl-1.0.0+git0.73d91fa/test/Makefile --- old/secvarctl-1.0.0~rc3+git0.6f4d730/test/Makefile 2023-12-08 21:04:16.000000000 +0100 +++ new/secvarctl-1.0.0+git0.73d91fa/test/Makefile 2024-02-06 18:13:02.000000000 +0100 
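Review bot: In guest_svc_read.c the NULL guard added in front of `is_trustedcadb_variable(variable_name)` protects only this call site. It also means a certificate validated without a variable name skips the `crypto_x509_is_CA` requirement without any message. If the helper dereferences its argument (its body is not shown), an early return for a NULL name inside `is_trustedcadb_variable` would cover every caller. A comment at this branch such as `/* no variable name given: the CA constraint cannot be applied */` would record that the skip is deliberate. The enclosing function starts and ends outside the hunk.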
@@ -14,6 +14,8 @@ HOST_BACKEND = 1 GUEST_BACKEND = 1 +export ASAN_OPTIONS = abort_on_error=1 + define test_host @$(py) host_tests.py @$(py) host_generate_tests.py diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/secvarctl-1.0.0~rc3+git0.6f4d730/test/common.py new/secvarctl-1.0.0+git0.73d91fa/test/common.py --- old/secvarctl-1.0.0~rc3+git0.6f4d730/test/common.py 2023-12-08 21:04:16.000000000 +0100 +++ new/secvarctl-1.0.0+git0.73d91fa/test/common.py 2024-02-06 18:13:02.000000000 +0100 @@ -1,6 +1,7 @@ import unittest import subprocess import os +import signal SECTOOLS = os.environ.get("SECVAR_TOOL", "../bin/secvarctl-dbg") SECVARPATH = "/sys/firmware/secvar/vars/" @@ -31,7 +32,11 @@ print(f"Error in command '{' '.join(args)}") raise e - return CommandOutput(out) + ret = CommandOutput(out) + if out.returncode < 0: + sig = signal.Signals(-out.returncode).name + self.assertTrue(out.returncode >= 0, msg=f"Command exited via signal {sig}: '{' '.join(args)}'\n{ret}'") + return ret def assertCmd(self, args, expected: bool): tmp_assert, msg = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/secvarctl-1.0.0~rc3+git0.6f4d730/test/guest_tests.py new/secvarctl-1.0.0+git0.73d91fa/test/guest_tests.py --- old/secvarctl-1.0.0~rc3+git0.6f4d730/test/guest_tests.py 2023-12-08 21:04:16.000000000 +0100 +++ new/secvarctl-1.0.0+git0.73d91fa/test/guest_tests.py 2024-02-06 18:13:02.000000000 +0100 @@ -92,7 +92,7 @@ if file.endswith(".auth"): auth_files.append(test_dir[1] + file) for file in os.listdir(test_dir[2]): - if file.endswith(".cert"): + if file.endswith(".crt"): cert_files.append(test_dir[2] + file) for file in os.listdir(test_dir[4]): if file.endswith(".pkcs7"): 
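Review bot: `export ASAN_OPTIONS = abort_on_error=1` in test/Makefile replaces whatever ASAN_OPTIONS the developer or CI job already exported, so settings such as leak detection or a log path are silently dropped for the test run. Appending keeps them while still forcing the abort: `export ASAN_OPTIONS := $(ASAN_OPTIONS):abort_on_error=1`. The line also needs a comment, for example `# make sanitizer reports abort so the Python harness sees a signal exit`, because the reason for the setting is only visible in test/common.py.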
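Review bot: In the test/common.py signal check, `self.assertTrue(out.returncode >= 0, ...)` sits inside `if out.returncode < 0:` and so can never pass; `self.fail(...)` with the same message states the intent directly. `signal.Signals(-out.returncode)` raises ValueError for a signal number that has no enum member, which would replace the intended failure message with an unrelated traceback, so a fallback to the bare number is worth adding. The message also ends with a stray `'` after `{ret}`. The enclosing method starts outside the hunk.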
@@ -172,6 +172,23 @@ # f.write(f"POWER SECVAR LOCATION( {SECVARPATH} ) DOES NOT EXIST SO NO TESTS RAN\n") # f.close() + def test_malformed_generate(self): + cert = cert_files[0] # arbitrarily use the first cert for testing + + # Generate without a inform:outform should fail + cmd = list(filter(lambda x: x, generate_esl("db", "", cert, "foo.esl"))) + self.assertCmdFalse(cmd) + + # Generate with bad inform:output should fail + cmd.append("beans") + self.assertCmdFalse(cmd) + cmd.pop(-1) + + # Generate with more than one inform:outform should also fail + cmd.append("c:e") + cmd.append("c:e") + self.assertCmdFalse(cmd) + def test_generate_esl_files(self): for var_name in variables: esl_file = gen_dir + var_name + ".esl"
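Review bot: `cert = cert_files[0]` raises IndexError instead of a readable test failure when the directory scan finds no certificates, which is the situation the `.cert`/`.crt` suffix mismatch fixed earlier in this file would have produced. Adding `self.assertTrue(cert_files, "no .crt test certificates found")` before it makes that condition explicit. The malformed cases cover a missing specifier, a token without ':' and a duplicated specifier, but not `c:`, `:e` or `c:e:x`, which exercise the delimiter handling in the parser. `filter(lambda x: x, ...)` can be written `filter(None, ...)`, with a comment that it drops the empty specifier argument.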