Thank you! http://rpm.org/wiki/Releases/4.18.0
Over to maintainer
Created attachment 237574
4.17.0 -> 4.18.0 update diff

Patch that allows the port to build and package, not well tested. Lua version is checked as 5.2+ by the configure script, yet the port demands 5.3+, didn't look into this either.
(In reply to Brian Zou from comment #0)

Can you help to test if the patch works for you?
(In reply to Alexey Dokuchaev from comment #2)

Hi Alexey,

If you refer to the Lua version defined in USES, the change was introduced by myself last year in commit 468b96cf50e2b1ee6d555a0e6582e8a1d7f41eef when upgrading to 4.17.0.

The changelog[1] suggests that Lua 5.3 was a "hard requirement" of the build process.

By the way, I'm really missing real RPM use cases to validate whether a new version works. I asked many times if people using RPM4 could provide some, but at this point I have had no response.

Cheers,
-- rodrigo

[1] https://rpm.org/wiki/Releases/4.17.0
(In reply to Rodrigo Osorio from comment #4)
> If you refer to the Lua version defined in USES

Yes, to that.

> The changelog[1] suggests that Lua 5.3 was a "hard requirement" of the build
> process.

Interesting. Apparently they've lowered it back to 5.2. This is from the configure script for version 4.17.0:

  ($PKG_CONFIG --exists --print-errors "lua >= 5.3") 2>&5
  ac_status=$?
  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LUA_CFLAGS=`$PKG_CONFIG --cflags "lua >= 5.3" 2>/dev/null`
                      test "x$?" != "x0" && pkg_failed=yes

And this is the same place in 4.18.0:

  ($PKG_CONFIG --exists --print-errors "lua >= 5.2") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; then
  pkg_cv_LUA_CFLAGS=`$PKG_CONFIG --cflags "lua >= 5.2" 2>/dev/null`
                      test "x$?" != "x0" && pkg_failed=yes

Finding the commit that changed 5.3 -> 5.2 is left as an exercise to the reader. :-) I'll just say that 4.18.0 builds fine with default USES+=lua, which is currently 5.2.

> By the way, I'm really missing real RPM use cases to validate whether a new
> version works.

Doesn't its use by the /usr/ports/Mk/Uses/linux.mk provide enough test coverage?
(In reply to Alexey Dokuchaev from comment #5)
> Doesn't its use by the /usr/ports/Mk/Uses/linux.mk provide enough test
> coverage?

Answering myself, perhaps not 100% enough, as it only uses rpm2archive program. I may try building some of my .srpm's but admittedly I think that most people on FreeBSD hardly use rpm4 as much as those on GNU/Linux.
(In reply to Alexey Dokuchaev from comment #5)

The reason they moved back to 5.2 is that they decided not to use the 5.3-specific lua_rotate call, so 5.2 works again.

This is the message in the INSTALL:
---------------------------------------------------------------
Use lua_replace instead of lua_rotate

lua_rotate works but is somewhat the wrong tool if we just want to
set a specific stack element. Use lua_replace instead. This has the added
advantage that the code works again with lua version 5.2 (not that it
matters much).
---------------------------------------------------------------

Moving back to 5.2 can be disturbing for users upgrading RPM, so since both 5.2 and 5.3 work, maybe we can use the 5.2-5.3 syntax?

Does that sound reasonable to you?
> Moving back to 5.2 can be disturbing for users upgrading RPM

Or maybe no one will notice, or will mend it by themselves. ;-)

> so since both 5.2 and 5.3 work, maybe we can use the 5.2-5.3 syntax?

With lua:54 it builds fine as well. I'm generally not a big fan of pinning specific versions of anything, but if you do believe that plain (versionless) USES+=lua might negatively affect people upon upgrade and 5.2-5.3 range would help to mitigate it, so be it.
Created attachment 238219
amended rpm4 4.18.0 patch

This is Brian Zou's amended patch, which fixes the Lua version for this port. If everyone agrees on it I will commit it as is.
(In reply to Rodrigo Osorio from comment #9)
> This is Brian Zou's amended patch, which fixes the Lua version for this port.

How is this "fix" supposed to work, exactly? I don't see these variables referenced anywhere:

$ grep -R USE_LUA /usr/ports/Mk
$ grep -R WANT_LUA_VER /usr/ports/Mk
$ _

So, basically, the functional part is USES+=lua (versionless). Yes, I agree with that, but those two lines can be safely dropped.
(In reply to Rodrigo Osorio from comment #7)
> Moving back to 5.2 can be disturbing for users upgrading RPM.

Actually, it won't. Multiple Lua versions can be installed simultaneously, there's no conflict. Older version used 5.3, new would use 5.2. If 5.3 is no longer needed by any other port, "pkg autoremove" should clean it up.

> Does that sound reasonable to you?

I'd again suggest dropping any weird and likely-not-really-working version dances and just use USES+=lua.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bfee83e3a0be489b8e54d647ca4d1add4cf5c9be

commit bfee83e3a0be489b8e54d647ca4d1add4cf5c9be
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-12-01 13:39:16 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-12-01 14:03:36 +0000

    security/vuxml: Record rpm4 vulnerability.

    Add multiple CVE fixed in latest rpm4 version.

    PR:             267291

 security/vuxml/vuln/2022.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=22f3de494a13dd291e45c2e11b19adc37d70bb15

commit 22f3de494a13dd291e45c2e11b19adc37d70bb15
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-11-23 16:09:28 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-12-01 14:03:36 +0000

    archivers/rpm4: update to version 4.18.0

    Major changes:
     * Add a new Sequoia-based OpenPGP backend
     * Documentation updates
     * Fix intermediate symlinks not verified (CVE-2021-35939)
     * Fix subkey binding signatures not checked on PGP public keys
       (CVE-2021-3521)
     * Refactor file and directory operations to use fd-based APIs
       throughout (CVE-2021-35938)
     * Unbreak lua 2 for extensions

    Full release note: https://rpm.org/wiki/Releases/4.18.0.html

    Also remove version requirement for Lua dependency in port,
    we just use lua.

    PR:             267291
    Reported by:    Brian Zou <zoujiaqing@gmail.com>
    Security:       CVE-2021-35939
    Security:       CVE-2021-3521
    Security:       CVE-2021-35938

 archivers/rpm4/Makefile                                | 12 ++++++------
 archivers/rpm4/distinfo                                |  6 +++---
 archivers/rpm4/files/patch-luaext_lrexlib.c (gone)     | 11 -----------
 archivers/rpm4/files/patch-misc_fts.c                  | 16 ++++++++--------
 archivers/rpm4/files/patch-tools_rpmuncompress.c (new) |  9 +++++++++
 archivers/rpm4/pkg-plist                               | 18 +++++++++++++-----
 audio/spotifyd/files/extra-patch.Cargo.toml (new)      | 11 +++++++++++
 7 files changed, 50 insertions(+), 33 deletions(-)
Thanks Brian for your submission.

@danfe: I finally followed your suggestion and just use USES+=lua