Revert RPM 6.0.0 patch

Signed-off-by: Michal Srb <michal@redhat.com>
a-a-save-container-data: validate input
2025-12-04 21:20:32 +01:00 · 2025-12-04 20:46:04 +01:00
4 changed files with 55 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -85,3 +85,5 @@ abrt-1.1.13.tar.gz
 /abrt-2.17.4.tar.gz
 /abrt-2.17.5.tar.gz
 /abrt-2.17.6.tar.gz
+/abrt-2.17.7.tar.gz
+/abrt-2.17.8.tar.gz
--- a/0001-Revert-Use-rpmPubkeyKeyIDAsHex-to-obtain-the-gpg-key.patch
+++ b/0001-Revert-Use-rpmPubkeyKeyIDAsHex-to-obtain-the-gpg-key.patch
@ -0,0 +1,45 @@
+From cf1ececd9378fc14125c929833043f26e8f3486d Mon Sep 17 00:00:00 2001
+From: Michal Srb <michal@redhat.com>
+Date: Thu, 4 Dec 2025 21:14:52 +0100
+Subject: [PATCH] Revert "Use rpmPubkeyKeyIDAsHex() to obtain the gpg key in
+ hex format"
+
+This reverts commit 0158baaaba86b2c37b03922c2875a666ecc9b687.
+---
+ src/daemon/rpm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/rpm.c b/src/daemon/rpm.c
+index 1b745f70..524dc749 100644
+--- a/src/daemon/rpm.c
+++ b/src/daemon/rpm.c
+@@ -90,7 +90,7 @@ void rpm_destroy()
+     rpmFreeRpmrc();
+ #endif
+ 
+-    g_list_free_full(g_steal_pointer(&list_fingerprints), g_free);
+    g_list_free_full(g_steal_pointer(&list_fingerprints), free);
+ }
+ 
+ 
+@@ -113,7 +113,7 @@ void rpm_load_gpgkey(const char* filename)
+     pubkey = rpmPubkeyNew(pkt, pklen);
+     if (pubkey != NULL)
+     {
+-        fingerprint = g_strdup(rpmPubkeyKeyIDAsHex(pubkey));
+        fingerprint = rpmhex(pubkey->keyid, sizeof(pubkey->keyid));
+         if (fingerprint != NULL)
+             list_fingerprints = g_list_append(list_fingerprints, fingerprint);
+ 
+@@ -123,7 +123,7 @@ void rpm_load_gpgkey(const char* filename)
+             rpmPubkey subkey = subkeys[i];
+             if (subkey != NULL)
+             {
+-                fingerprint = g_strdup(rpmPubkeyKeyIDAsHex(subkey));
+                fingerprint = rpmhex(subkey->keyid, sizeof(subkey->keyid));
+                 if (fingerprint != NULL)
+                     list_fingerprints = g_list_append(list_fingerprints, fingerprint);
+             }
+-- 
+2.52.0
+
--- a/abrt.spec
+++ b/abrt.spec
@ -56,11 +56,12 @@

 Summary: Automatic bug detection and reporting tool
 Name: abrt
-Version: 2.17.6
-Release: 3%{?dist}
+Version: 2.17.8
+Release: 1%{?dist}
 License: GPL-2.0-or-later
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Patch001: 0001-Revert-Use-rpmPubkeyKeyIDAsHex-to-obtain-the-gpg-key.patch
 BuildRequires: git-core
 BuildRequires: %{dbus_devel}
 BuildRequires: hostname
@ -986,6 +987,10 @@ killall abrt-dbus >/dev/null 2>&1 || :
 %config(noreplace) %{_sysconfdir}/profile.d/abrt-console-notification.sh

 %changelog
+* Thu Dec 04 2025 Michal Srb <michal@redhat.com> - 2.17.8-1
+- a-a-save-container-data: validate input
+- Resolves: CVE-2025-12744
+
 * Wed Nov 20 2024 David Abdurachmanov <davidlt@rivosinc.com> - 2.17.6-3
 - Disable Requires for kexec-tools on riscv64 (not supported)

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (abrt-2.17.6.tar.gz) = 1e3729187c609f72e6d72c91815fc74e9ff8bed14dd678c093e4c47eafecb4e00fbe0b185e3a1ece614b994302c35de6a171449d5e80157a4fee16ccc7e60277
+SHA512 (abrt-2.17.8.tar.gz) = 90b74229412e0186bfa109ee940a60c9f3c0f7ce8c1216acad6f05619a1bb591e7f0bae87363143a05034312c9f14fe5ace341b84f680780ceb93a1e624705b3
Author	SHA1	Message	Date
Michal Srb	3e0750ab4b	Revert RPM 6.0.0 patch Signed-off-by: Michal Srb <michal@redhat.com>	2025-12-04 21:20:32 +01:00
Michal Srb	484142c1a3	a-a-save-container-data: validate input Resolves: CVE-2025-12744 Signed-off-by: Michal Srb <michal@redhat.com>	2025-12-04 20:46:04 +01:00