diff --git a/.files b/.files
index 2a25bc4..284cf7b 100644
Binary files a/.files and b/.files differ
diff --git a/.rev b/.rev
index b46dfe8..1b5ddd2 100644
--- a/.rev
+++ b/.rev
@@ -2130,4 +2130,12 @@ Note that this will require adding `Preinstall: libzstd1` to the `openSUSE:Facto
dimstar_suse
Revert to previous revision
+
+ 37a9f2b7f34cba3f96d14d66da73d28e
+ 4.14.2.1
+
+ dimstar_suse
+
+ 732635
+
diff --git a/.servicemark b/.servicemark
deleted file mode 100644
index eb092f2..0000000
--- a/.servicemark
+++ /dev/null
@@ -1 +0,0 @@
-cff15c27d04c640e3d7b4a0190e37b16
diff --git a/0001-Stop-papering-over-the-security-disaster-known-as-pr.patch b/0001-Stop-papering-over-the-security-disaster-known-as-pr.patch
new file mode 100644
index 0000000..107a9d2
--- /dev/null
+++ b/0001-Stop-papering-over-the-security-disaster-known-as-pr.patch
@@ -0,0 +1,275 @@
+From 5bc138a7663e471edad24cc662366bc743d3d3e0 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Fri, 10 May 2019 13:10:00 +0300
+Subject: [PATCH 1/2] Stop papering over the security disaster known as prelink
+
+Back in the turn of the century somebody thought it was a neat idea
+to completely compromise system security to improve program start-up
+start-up times a wee bit. Since then, people have thankfully started
+coming to their senses and removed prelink from distros entirely.
+
+Lets stop papering over the security disaster: we obviously cannot
+stop people from using prelink, but instead of trying to undo the
+damage for verification purposes, we'll now report such a system as
+compromised. Which is how it should be, IMNSHO.
+
+This eliminates a whole lot of extra junk from each and every file
+digest calculation that we do, so it might even show up on somebodys
+performance charts. It also gets rid of libelf dependency outside
+librpmbuild, which is a nice little bonus.
+
+Inspired by a patch to eliminate a rendundant double open of regular
+files in rpmDoDigest() from Denys Vlasenko, taken a little further...
+---
+ macros.in | 10 ---
+ rpmio/Makefile.am | 1 -
+ rpmio/rpmfileutil.c | 176 +++-----------------------------------------
+ 3 files changed, 9 insertions(+), 178 deletions(-)
+
+diff --git a/macros.in b/macros.in
+index a6069ee4d..32c453479 100644
+--- a/macros.in
++++ b/macros.in
+@@ -685,16 +685,6 @@ package or when debugging this package.\
+ # gpg --batch --no-verbose --verify --no-secmem-warning \
+ # %{__signature_filename} %{__plaintext_filename}
+ #
+-# XXX rpm-4.1 verifies prelinked libraries using a prelink undo helper.
+-# Normally this macro is defined in /etc/rpm/macros.prelink, installed
+-# with the prelink package. If the macro is undefined, then prelinked
+-# shared libraries contents are MD5 digest verified (as usual), rather
+-# than MD5 verifying the output of the prelink undo helper.
+-#
+-# Note: The 2nd token is used as argv[0] and "library" is a
+-# placeholder that will be deleted and replaced with the appropriate
+-# library file path.
+-#%__prelink_undo_cmd /usr/sbin/prelink prelink -y library
+
+ # Horowitz Key Protocol server configuration
+ #
+diff --git a/rpmio/Makefile.am b/rpmio/Makefile.am
+index 6024ae4e2..cedd784de 100644
+--- a/rpmio/Makefile.am
++++ b/rpmio/Makefile.am
+@@ -42,7 +42,6 @@ librpmio_la_LIBADD = \
+ @WITH_OPENSSL_LIB@ \
+ @WITH_BZ2_LIB@ \
+ @WITH_ZLIB_LIB@ \
+- @WITH_LIBELF_LIB@ \
+ @WITH_POPT_LIB@ \
+ @WITH_LZMA_LIB@ \
+ $(ZSTD_LIBS) \
+diff --git a/rpmio/rpmfileutil.c b/rpmio/rpmfileutil.c
+index 98f19e8a6..4349c64a7 100644
+--- a/rpmio/rpmfileutil.c
++++ b/rpmio/rpmfileutil.c
+@@ -1,18 +1,5 @@
+ #include "system.h"
+
+-#if HAVE_GELF_H
+-
+-#include
+-
+-#if !defined(DT_GNU_PRELINKED)
+-#define DT_GNU_PRELINKED 0x6ffffdf5
+-#endif
+-#if !defined(DT_GNU_LIBLIST)
+-#define DT_GNU_LIBLIST 0x6ffffef9
+-#endif
+-
+-#endif
+-
+ #include
+ #include
+ #include
+@@ -34,178 +21,33 @@
+ static const char *rpm_config_dir = NULL;
+ static pthread_once_t configDirSet = PTHREAD_ONCE_INIT;
+
+-static int is_prelinked(int fdno)
+-{
+- int prelinked = 0;
+-#if HAVE_GELF_H && HAVE_LIBELF
+- Elf *elf = NULL;
+- Elf_Scn *scn = NULL;
+- Elf_Data *data = NULL;
+- GElf_Ehdr ehdr;
+- GElf_Shdr shdr;
+- GElf_Dyn dyn;
+-
+- (void) elf_version(EV_CURRENT);
+-
+- if ((elf = elf_begin (fdno, ELF_C_READ, NULL)) == NULL ||
+- elf_kind(elf) != ELF_K_ELF || gelf_getehdr(elf, &ehdr) == NULL ||
+- !(ehdr.e_type == ET_DYN || ehdr.e_type == ET_EXEC))
+- goto exit;
+-
+- while (!prelinked && (scn = elf_nextscn(elf, scn)) != NULL) {
+- (void) gelf_getshdr(scn, &shdr);
+- if (shdr.sh_type != SHT_DYNAMIC || shdr.sh_entsize == 0)
+- continue;
+- while (!prelinked && (data = elf_getdata (scn, data)) != NULL) {
+- int maxndx = data->d_size / shdr.sh_entsize;
+-
+- for (int ndx = 0; ndx < maxndx; ++ndx) {
+- (void) gelf_getdyn (data, ndx, &dyn);
+- if (!(dyn.d_tag == DT_GNU_PRELINKED || dyn.d_tag == DT_GNU_LIBLIST))
+- continue;
+- prelinked = 1;
+- break;
+- }
+- }
+- }
+-
+-exit:
+- if (elf) (void) elf_end(elf);
+-#endif
+- return prelinked;
+-}
+-
+-static int open_dso(const char * path, pid_t * pidp, rpm_loff_t *fsizep)
+-{
+- static const char * cmd = NULL;
+- static int initted = 0;
+- int fdno;
+-
+- if (!initted) {
+- cmd = rpmExpand("%{?__prelink_undo_cmd}", NULL);
+- initted++;
+- }
+-
+- if (pidp) *pidp = 0;
+-
+- if (fsizep) {
+- struct stat sb, * st = &sb;
+- if (stat(path, st) < 0)
+- return -1;
+- *fsizep = st->st_size;
+- }
+-
+- fdno = open(path, O_RDONLY);
+- if (fdno < 0)
+- return fdno;
+-
+- if (!(cmd && *cmd))
+- return fdno;
+-
+- if (pidp != NULL && is_prelinked(fdno)) {
+- int pipes[2];
+- pid_t pid;
+-
+- close(fdno);
+- pipes[0] = pipes[1] = -1;
+- if (pipe(pipes) < 0)
+- return -1;
+-
+- pid = fork();
+- if (pid < 0) {
+- close(pipes[0]);
+- close(pipes[1]);
+- return -1;
+- }
+-
+- if (pid == 0) {
+- ARGV_t av, lib;
+- int dfd;
+- argvSplit(&av, cmd, " ");
+-
+- close(pipes[0]);
+- dfd = dup2(pipes[1], STDOUT_FILENO);
+- close(pipes[1]);
+- if (dfd >= 0 && (lib = argvSearch(av, "library", NULL)) != NULL) {
+- *lib = (char *) path;
+- unsetenv("MALLOC_CHECK_");
+- execve(av[0], av+1, environ);
+- }
+- _exit(127); /* not normally reached */
+- } else {
+- *pidp = pid;
+- fdno = pipes[0];
+- close(pipes[1]);
+- }
+- }
+-
+- return fdno;
+-}
+-
+ int rpmDoDigest(int algo, const char * fn,int asAscii,
+ unsigned char * digest, rpm_loff_t * fsizep)
+ {
+- const char * path;
+- urltype ut = urlPath(fn, &path);
+ unsigned char * dig = NULL;
+ size_t diglen, buflen = 32 * BUFSIZ;
+ unsigned char *buf = xmalloc(buflen);
+- FD_t fd;
+ rpm_loff_t fsize = 0;
+- pid_t pid = 0;
+ int rc = 0;
+- int fdno;
+
+- fdno = open_dso(path, &pid, &fsize);
+- if (fdno < 0) {
+- rc = 1;
+- goto exit;
+- }
++ FD_t fd = Fopen(fn, "r.ufdio");
+
+- switch (ut) {
+- case URL_IS_PATH:
+- case URL_IS_UNKNOWN:
+- case URL_IS_HTTPS:
+- case URL_IS_HTTP:
+- case URL_IS_FTP:
+- case URL_IS_HKP:
+- case URL_IS_DASH:
+- default:
+- /* Either use the pipe to prelink -y or open the URL. */
+- fd = (pid != 0) ? fdDup(fdno) : Fopen(fn, "r.ufdio");
+- (void) close(fdno);
+- if (fd == NULL || Ferror(fd)) {
+- rc = 1;
+- if (fd != NULL)
+- (void) Fclose(fd);
+- break;
+- }
+-
++ if (fd) {
+ fdInitDigest(fd, algo, 0);
+- fsize = 0;
+ while ((rc = Fread(buf, sizeof(*buf), buflen, fd)) > 0)
+ fsize += rc;
+ fdFiniDigest(fd, algo, (void **)&dig, &diglen, asAscii);
+- if (dig == NULL || Ferror(fd))
+- rc = 1;
+-
+- (void) Fclose(fd);
+- break;
++ Fclose(fd);
+ }
+
+- /* Reap the prelink -y helper. */
+- if (pid) {
+- int status;
+- (void) waitpid(pid, &status, 0);
+- if (!WIFEXITED(status) || WEXITSTATUS(status))
+- rc = 1;
++ if (dig == NULL || Ferror(fd)) {
++ rc = 1;
++ } else {
++ memcpy(digest, dig, diglen);
++ if (fsizep)
++ *fsizep = fsize;
+ }
+
+-exit:
+- if (fsizep)
+- *fsizep = fsize;
+- if (!rc)
+- memcpy(digest, dig, diglen);
+ dig = _free(dig);
+ free(buf);
+
+--
+2.20.1
+
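Review bot: In the new `rpmDoDigest()` body `*fsizep` is stored only in the success branch, while the removed `exit:` path wrote `fsize` on every return, so a caller that passes an uninitialised `rpm_loff_t` and reads it after a failure would now see an indeterminate value. The callers are not part of this patch, so that needs checking; if any of them reads the size on error, keep the old contract with `if (fsizep) *fsizep = fsize;` placed before the `if (dig == NULL || Ferror(fd))` test. The patch also changes what verification reports: a prelinked file is now digested as it is on disk and will show up as a digest mismatch, which the rpm.changes entry ("remove libelf dep from librpmio and plugins") does not mention. The end of the function, including its `return`, lies outside the hunk.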
diff --git a/0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch b/0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch
new file mode 100644
index 0000000..c83b846
--- /dev/null
+++ b/0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch
@@ -0,0 +1,39 @@
+From a35fbd503d944fa1d2a0e893d2ca97f244299b35 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Tue, 14 May 2019 13:55:52 +0300
+Subject: [PATCH 2/2] Fix use-after-free introduced in
+ 0f21bdd0d7b2c45564ddb5a24bbebd530867bd54
+
+Unlike typical fooFree() functions in rpm, Fclose() doesn't set the
+pointer to NULL so there's a use-after-free in checking for Ferror()
+that segfaults and stuff. Delay Fclose() until the end so we actually
+catch io errors too, that was another thing that went missing in
+commit 0f21bdd0d7b2c45564ddb5a24bbebd530867bd54 (although it would've
+probably caused an error via null digest instead)
+---
+ rpmio/rpmfileutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rpmio/rpmfileutil.c b/rpmio/rpmfileutil.c
+index 4349c64a7..16a954a10 100644
+--- a/rpmio/rpmfileutil.c
++++ b/rpmio/rpmfileutil.c
+@@ -37,7 +37,6 @@ int rpmDoDigest(int algo, const char * fn,int asAscii,
+ while ((rc = Fread(buf, sizeof(*buf), buflen, fd)) > 0)
+ fsize += rc;
+ fdFiniDigest(fd, algo, (void **)&dig, &diglen, asAscii);
+- Fclose(fd);
+ }
+
+ if (dig == NULL || Ferror(fd)) {
+@@ -50,6 +49,7 @@ int rpmDoDigest(int algo, const char * fn,int asAscii,
+
+ dig = _free(dig);
+ free(buf);
++ Fclose(fd);
+
+ return rc;
+ }
+--
+2.20.1
+
diff --git a/rpm.changes b/rpm.changes
index f05069a..d50138f 100644
--- a/rpm.changes
+++ b/rpm.changes
@@ -1,4 +1,27 @@
-------------------------------------------------------------------
+Wed Aug 28 11:17:12 UTC 2019 - Fabian Vogt
+
+- Split librpmbuild into a separate subpackage, it's pulled in by
+ python-rpm
+
+-------------------------------------------------------------------
+Fri Aug 23 07:19:03 UTC 2019 - Martin Liška
+
+- Add set-flto=auto-by-default.patch in order to utilize -flto=auto.
+
+-------------------------------------------------------------------
+Tue Aug 6 08:49:50 UTC 2019 - Fabian Vogt
+
+- Move more into rpm-build subpackage:
+ * brp- and -check scripts
+ * .prov and .req files, with *find* scripts
+ * elfdeps, debugedit and sepdebugcrcfix
+ * librpmbuild and dependents
+- Add upstream patches which remove libelf dep from librpmio and plugins:
+ * 0001-Stop-papering-over-the-security-disaster-known-as-pr.patch
+ * 0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch
+
+-------------------------------------------------------------------
Fri Jun 7 15:03:15 UTC 2019 - Jan Engelhardt
- Enable decompression and creation of zstd-based payloads.
diff --git a/rpm.spec b/rpm.spec
index e535741..a352b15 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -19,6 +19,8 @@
#Compat macro for new _fillupdir macro introduced in Nov 2017
%{?!_fillupdir:%define _fillupdir /var/adm/fillup-templates}
+%global librpmsover 8
+
Name: rpm
BuildRequires: binutils
BuildRequires: bzip2
@@ -133,6 +135,9 @@ Patch118: dwz-compression.patch
Patch119: getncpus.diff
Patch120: rpmfc-push-name-epoch-version-release-macro-before-invoking-depgens.patch
Patch121: adopt-language-specific-build_fooflags-macros-from-F.patch
+Patch122: 0001-Stop-papering-over-the-security-disaster-known-as-pr.patch
+Patch123: 0002-Fix-use-after-free-introduced-in-0f21bdd0d7b2c45564d.patch
+Patch124: set-flto=auto-by-default.patch
Patch6464: auto-config-update-aarch64-ppc64le.diff
Patch6465: auto-config-update-riscv64.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
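Review bot: Nothing on the `Patch122`/`Patch123` lines records that the second patch is a required fix for the first: 0001 leaves `Ferror(fd)` running after `Fclose(fd)` in `rpmDoDigest()`, and 0002 is what removes that use-after-free. The 0002 subject refers to upstream commit 0f21bdd0d7b2c45564ddb5a24bbebd530867bd54, which is not the hash in 0001's `From` line (5bc138a7663e471edad24cc662366bc743d3d3e0), so the link cannot be found by searching the package. A comment above the two lines would prevent one being dropped without the other, for example `# Patch123 fixes a use-after-free introduced by Patch122; keep both or drop both`.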
@@ -149,6 +154,15 @@ is easy to update packages. RPM keeps track of all these manipulations
in a central database. This way it is possible to get an overview of
all installed packages. RPM also supports database queries.
+%package -n librpmbuild%{librpmsover}
+Summary: Library for building RPM packages
+# Was part of rpm before
+Group: System/Libraries
+Conflicts: rpm < %{version}
+
+%description -n librpmbuild%{librpmsover}
+Thie package contains a library with functions for building RPM packages.
+
%package devel
Summary: Development files for librpm
Group: Development/Libraries/C and C++
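Review bot: The new `%description` has a typo, `Thie package` should read `This package`. The `# Was part of rpm before` comment explains the `Conflicts: rpm < %{version}` line but sits above `Group:`; moving it directly over `Conflicts:` makes the reason for the conflict clear.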
@@ -233,6 +247,9 @@ rm -f rpmdb/db.h
%patch -P 109 -P 114 -P 117 -P 118
%patch -P 119 -P 120
%patch121 -p1
+%patch122 -p1
+%patch123 -p1
+%patch124 -p1
%ifarch aarch64 ppc64le riscv64
%patch6464
@@ -399,13 +416,23 @@ fi
/etc/rpm
/bin/rpm
/usr/bin/*
- %exclude /usr/bin/rpmbuild
+ %exclude /usr/bin/rpmbuild
+ %exclude %{_libdir}/librpmbuild.so.*
+ %exclude /usr/lib/rpm/elfdeps
+ %exclude /usr/lib/rpm/rpmdeps
+ %exclude /usr/lib/rpm/debugedit
+ %exclude /usr/lib/rpm/sepdebugcrcfix
+ %exclude /usr/bin/rpmspec
+ %exclude /usr/lib/rpm/*.prov
+ %exclude /usr/lib/rpm/*.req
+ %exclude /usr/lib/rpm/brp-*
+ %exclude /usr/lib/rpm/check-*
+ %exclude /usr/lib/rpm/*find*
/usr/sbin/rpmconfigcheck
/usr/lib/systemd/system/rpmconfigcheck.service
/usr/lib/rpm
%{_libdir}/rpm-plugins
%{_libdir}/librpm.so.*
- %{_libdir}/librpmbuild.so.*
%{_libdir}/librpmio.so.*
%{_libdir}/librpmsign.so.*
%doc %{_mandir}/man[18]/*.[18]*
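Review bot: The `%exclude` list added to the main package's `%files` is a hand-kept mirror of the entries added to `%files build` and `%files -n librpmbuild%{librpmsover}` in the following hunk, and the two can drift. The `*find*` glob in particular matches any name under /usr/lib/rpm containing "find", so a helper added upstream later would move to rpm-build without anyone deciding that. A comment such as `# moved to rpm-build / librpmbuild: keep in sync with those %files lists` above the excludes would help; the `%files` section starts before this hunk.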
@@ -421,9 +448,23 @@ fi
%dir %attr(755,root,root) /usr/src/packages/RPMS/*
%{_fillupdir}/sysconfig.services-rpm
+%files -n librpmbuild%{librpmsover}
+%{_libdir}/librpmbuild.so.%{librpmsover}
+%{_libdir}/librpmbuild.so.%{librpmsover}.*
+
%files build
%defattr(-,root,root)
/usr/bin/rpmbuild
+/usr/lib/rpm/elfdeps
+/usr/lib/rpm/rpmdeps
+/usr/lib/rpm/debugedit
+/usr/lib/rpm/sepdebugcrcfix
+/usr/bin/rpmspec
+/usr/lib/rpm/*.prov
+/usr/lib/rpm/*.req
+/usr/lib/rpm/brp-*
+/usr/lib/rpm/check-*
+/usr/lib/rpm/*find*
%files devel
%defattr(644,root,root,755)
diff --git a/set-flto=auto-by-default.patch b/set-flto=auto-by-default.patch
new file mode 100644
index 0000000..e8fcc4f
--- /dev/null
+++ b/set-flto=auto-by-default.patch
@@ -0,0 +1,13 @@
+diff --git a/platform.in b/platform.in
+index fa3921f..cff01e1 100644
+--- a/platform.in
++++ b/platform.in
+@@ -60,7 +60,7 @@
+ %_smp_mflags -j%{_smp_build_ncpus}
+
+ # Enable LTO optimization with a maximal parallelism
+-%_lto_cflags -flto=%{_smp_build_ncpus}
++%_lto_cflags -flto=auto
+
+ #==============================================================================
+ # ---- Build policy macros.
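Review bot: With `-flto=auto` the LTO job count no longer follows `%{_smp_build_ncpus}`; as far as I know GCC takes it from the make jobserver when one is available and otherwise from the number of hardware threads, so a build that caps `_smp_build_ncpus` for memory reasons may not have the cap honoured during the link step. The retained comment `# Enable LTO optimization with a maximal parallelism` does not say this; consider `# Enable LTO; parallelism comes from the make jobserver or the CPU count, not %_smp_build_ncpus`. The option also needs a compiler that accepts `auto` as the argument, which this patch does not check.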