Bug 905420

Summary: pesign-repackage seems to mess up RPM scriptlets
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Dominique Leuenberger <dimstar>
Component: Other
Assignee: Michal Marek <mmarek>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: dimstar, glin, maint-coord, mlatimer, msvec
Version: 201411*
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 904373

Description Dominique Leuenberger 2014-11-13 23:44:13 UTC
The package open-vm-tools creates regular packages as well as some KMPs.

The 'normal' package building works, including the verification of all the rpm scriptlets.

Once pesign-repackage passed over the RPM, the scripts seem no longer to be fully in place.

This results, in this case, that brp aborts the build as the suid binary, packaged in open-vm-tools-desktop, is not properly handled by set_permissions/verify_permissions.

Considering that all is fine until pesign-repackage touches it, I'm assuming there is something wrong here.
Comment 1 Gary Ching-Pang Lin 2014-11-14 09:26:42 UTC
Hi Michal,

Could you check pesign-obs-integration?
The scripts probably have to handle the suid binaries.
Comment 2 Dominique Leuenberger 2014-12-22 15:14:46 UTC
Do we have any update on this issue? We are blocked by getting updates for open-vm-tools out of the door simply because we can't package it up (it slipped in the 132 main release, as the kmp was accidentally disabled - now it's enabled, but can't be built, as the main package, without a kmp, contains some magic scripts which seem to get lost).
Comment 3 Gary Ching-Pang Lin 2014-12-24 03:35:00 UTC
A possible workaround is to split the kmp from the open-vm-tools. pesign-repackages is pulled in by kernel-source and it's for kernel/kmp and EFI files, so a separate spec could work around the issue.
Comment 4 Michal Marek 2015-01-07 14:05:55 UTC
Which of the scriptlets is not handled correctly? pesign-gen-repackage-spec does copy the verify scriptlet (or at least tries to):

# specfile scriptlet => rpm tag name
my %script2tag = (
	pre          => "prein",
	post         => "postin",
	preun        => "preun",
	postun       => "postun",
	pretrans     => "pretrans",
	posttrans    => "posttrans",
	verifyscript => "verifyscript",
	# FIXME: triggers
);

(In reply to Gary Lin from comment #3)
> A possible workaround is to split the kmp from the open-vm-tools.

Yeah, this would be a good idea.
Comment 5 Dominique Leuenberger 2015-01-07 14:11:43 UTC
It must have been the verify or post scriptlets, as the regular build kept on complaining that the permissions were not handled properly.

I have since changed the build of open-vm-tools to build the KMPs separated from the rest of the project to get over this issue.
Comment 6 Michal Marek 2015-01-07 14:31:46 UTC
OK. BTW, which exact version of the package was failing and where? Before your change, the Factory package had

# Only build KMP on versions below 13.1
%if 0%{?suse_version} < 1310
%suse_kernel_module_package -n vmware-guest -p %{SOURCE98} xen um
%endif

so the KMP was not built either.
Comment 7 Dominique Leuenberger 2015-01-07 14:48:49 UTC
The devel project had the failures also:

https://build.opensuse.org/package/show/Virtualization:VMware/open-vm-tools?expand=0&rev=277

That was with enabled KMPs, but not the fixes needed for Kernel 3.18 (so you'd have to test against openSUSE 13.2).

Easiest would be to simply branch rev 277 to reproduce.
Comment 8 Michal Marek 2015-01-14 15:37:10 UTC
rev 277 is not testable, because

$ osc co -r277  Virtualization:VMware open-vm-tools
A    Virtualization:VMware
A    Virtualization:VMware/open-vm-tools

The link in this package is currently broken. Checking
out the last working version instead; please use 'osc pull'
to merge the conflicts.
Comment 9 Michal Marek 2015-01-22 14:29:00 UTC
I can reproduce this now with the current spec file edited to build both the tools and modules.
Comment 10 Michal Marek 2015-01-22 14:57:09 UTC
The verify script is fine, but the %verify(not mode) attribute of vmware-user-suid-wrapper is missing.
Comment 11 Michal Marek 2015-01-22 20:23:05 UTC
Fixed with https://github.com/openSUSE/pesign-obs-integration/commit/8480eb1392d730527387f54883dc694f333dbc56 and submitted to Base:System. I'd like to release an update for openSUSE-13.2, SLE12 and SLE11 SP3.
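
Added example, not part of the bug thread and not code from pesign-obs-integration: a check that compares the per-file verify flags of an RPM before and after repackaging and reports any %verify(not ...) exception that was dropped, which is the failure identified in comment 10. The listings are constructed sample data, and the file paths in them are assumptions.

```python
# Added example: compare RPMTAG_FILEVERIFYFLAGS before and after repackaging.
# Each listing is the output of (one run per RPM):
#   rpm -qp --queryformat '[%{FILENAMES}\t%{FILEVERIFYFLAGS}\n]' <package>.rpm

# Verify bits as defined by rpm (rpmVerifyAttrs). A cleared bit means
# "rpm -V skips this check", which is what %verify(not ...) produces.
VERIFY_BITS = {
    "filedigest": 1 << 0, "size": 1 << 1, "link": 1 << 2,
    "user": 1 << 3, "group": 1 << 4, "mtime": 1 << 5,
    "mode": 1 << 6, "rdev": 1 << 7, "caps": 1 << 8,
}

# Constructed sample listings (paths and values are illustrative).
ORIGINAL = (
    "/usr/bin/vmtoolsd\t4294967295\n"
    "/usr/bin/vmware-user-suid-wrapper\t4294967231\n"  # mode bit (64) cleared
)
REPACKAGED = (
    "/usr/bin/vmtoolsd\t4294967295\n"
    "/usr/bin/vmware-user-suid-wrapper\t4294967295\n"  # exception gone
)

def parse_listing(text):
    """Parse 'path<TAB>verifyflags' lines into {path: flags}."""
    files = {}
    for line in text.strip().splitlines():
        path, flags = line.rsplit("\t", 1)
        files[path] = int(flags)
    return files

def skipped_checks(flags):
    """Names of the verify checks that are switched off in a flags value."""
    return {name for name, bit in VERIFY_BITS.items() if not flags & bit}

def lost_verify_exceptions(original, repackaged):
    """Return {path: [checks]} for exceptions missing from the repackaged RPM."""
    lost = {}
    for path, flags in original.items():
        if path not in repackaged:
            lost[path] = ["<file missing after repackaging>"]
            continue
        dropped = skipped_checks(flags) - skipped_checks(repackaged[path])
        if dropped:
            lost[path] = sorted(dropped)
    return lost

if __name__ == "__main__":
    report = lost_verify_exceptions(parse_listing(ORIGINAL), parse_listing(REPACKAGED))
    for path, checks in report.items():
        print(f"{path}: lost %verify(not {' '.join(checks)})")
```
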
Comment 12 Swamp Workflow Management 2015-01-23 13:07:49 UTC
openSUSE-RU-2015:0128-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 905420
CVE References: 
Sources used:
openSUSE 13.2 (src):    open-vm-tools-9.4.6-4.4.1
Comment 15 Benjamin Brunner 2015-02-12 13:01:21 UTC
For openSUSE the update is already released. Removing needinfo.
Comment 16 Michal Marek 2015-02-18 13:27:47 UTC
Packages have been submitted.
Comment 17 Swamp Workflow Management 2015-09-17 14:09:50 UTC
SUSE-RU-2015:1568-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 905420
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12 (src):    pesign-obs-integration-10.0-29.1
SUSE Linux Enterprise Desktop 12 (src):    pesign-obs-integration-10.0-29.1
Comment 19 Swamp Workflow Management 2016-01-07 16:15:47 UTC
SUSE-RU-2016:0051-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 905420
CVE References: 
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    pesign-obs-integration-10.0-0.24.3
SUSE Linux Enterprise Server 11-SP4 (src):    pesign-obs-integration-10.0-0.24.3
SUSE Linux Enterprise Server 11-SP3 (src):    pesign-obs-integration-10.0-0.24.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    pesign-obs-integration-10.0-0.24.3
SUSE Linux Enterprise Desktop 11-SP3 (src):    pesign-obs-integration-10.0-0.24.3