CVE-2023-5557.patch

@@ -1,126 +0,0 @@
-From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
-From: technology208 <technology@208suo.com>
-Date: Mon, 20 May 2024 16:32:52 +0800
-Subject: [PATCH] CreatePatch
-
----
- .../tracker-seccomp.c                         | 23 +++++++++++++++++++
- src/tracker-extract/tracker-extract.c         |  5 ----
- src/tracker-extract/tracker-main.c            | 19 +++++++++++----
- 3 files changed, 38 insertions(+), 9 deletions(-)
-
-diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
-index 01887e8..a2b7ed9 100644
---- a/src/libtracker-miners-common/tracker-seccomp.c
-+++ b/src/libtracker-miners-common/tracker-seccomp.c
-@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
- 	ALLOW_RULE (lstat);
- 	ALLOW_RULE (lstat64);
- 	ALLOW_RULE (statx);
-+        ALLOW_RULE (fstatfs);
- 	ALLOW_RULE (access);
- 	ALLOW_RULE (getdents);
- 	ALLOW_RULE (getdents64);
-@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
- 	ALLOW_RULE (getpeername);
- 	ALLOW_RULE (shutdown);
- 
-+       ERROR_RULE (inotify_init1, EINVAL);
-+       ERROR_RULE (inotify_init, EINVAL);
-+
-+       ERROR_RULE (mkdir, EPERM);
-+       ERROR_RULE (rename, EPERM);
-+       ERROR_RULE (unlink, EPERM);
-+       ERROR_RULE (ioctl, EBADF);
-+       ERROR_RULE (bind, EACCES);
-+       ERROR_RULE (setsockopt, EBADF);
-+       ERROR_RULE (sched_getattr, EPERM);
-+
-+       /* Allow prlimit64, only if no new limits are being set */
-+       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
-+                             SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
-+               goto out;
-+
-+
- 	/* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
- 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
- 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
-@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
- 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
- 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
- 		goto out;
-+
-+       if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
-+                             SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
-+               goto out;
-+
- 	if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
- 	                      SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
- 		goto out;
-diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
-index 3406164..209c76b 100644
---- a/src/tracker-extract/tracker-extract.c
-+++ b/src/tracker-extract/tracker-extract.c
-@@ -30,8 +30,6 @@
- #include <gio/gunixinputstream.h>
- #include <gio/gunixfdlist.h>
- 
--#include <libtracker-miners-common/tracker-common.h>
--
- #include <libtracker-extract/tracker-extract.h>
- 
- #include "tracker-extract.h"
-@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
- static gpointer
- single_thread_get_metadata (GAsyncQueue *queue)
- {
--	if (!tracker_seccomp_init ())
--		g_assert_not_reached ();
--
- 	while (TRUE) {
- 		TrackerExtractTask *task;
- 
-diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
-index 2a646cc..484be22 100644
---- a/src/tracker-extract/tracker-main.c
-+++ b/src/tracker-extract/tracker-main.c
-@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
- }
- 
- int
--main (int argc, char *argv[])
-+do_main (int argc, char *argv[])
- {
- 	GOptionContext *context;
- 	GError *error = NULL;
-@@ -311,9 +311,6 @@ main (int argc, char *argv[])
- 	bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
- 	textdomain (GETTEXT_PACKAGE);
- 
--	/* This makes sure we don't steal all the system's resources */
--	initialize_priority_and_scheduling ();
--
- 	/* Translators: this message will appear immediately after the  */
- 	/* usage string - Usage: COMMAND [OPTION]... <THIS_MESSAGE>     */
- 	context = g_option_context_new (_("— Extract file meta data"));
-@@ -487,3 +484,17 @@ main (int argc, char *argv[])
- 
- 	return EXIT_SUCCESS;
- }
-+
-+int
-+main (int argc, char *argv[])
-+{
-+       /* This function is untouchable! Add things to do_main() */
-+
-+       /* This makes sure we don't steal all the system's resources */
-+       initialize_priority_and_scheduling ();
-+
-+       if (!tracker_seccomp_init ())
-+               g_assert_not_reached ();
-+
-+       return do_main (argc, argv);
-+}
--- 
-2.33.0
-

libtracker-miners-common-Add-more-seccomp-rules.patch

@@ -1,40 +0,0 @@
-From cf68500238be78599e5ada480345af47e3359abf Mon Sep 17 00:00:00 2001
-From: wangshuo <wangshuo@kylinos.cn>
-Date: Mon, 13 Jan 2025 14:35:41 +0800
-Subject: [PATCH] libtracker-miners-common: Add more seccomp rules
-
-Fix the SIGSYS coredump issue that occurs when executing the /usr/libexec/tracker-extract-3 command:
-__GI___access (file=0xffffb936fc78 "/.flatpak-info", type=type@entry=0) at ../sysdeps/unix/sysv/linux/access.c:29
-__GI___mkdir (path=path@entry=0xaaaaaab37980 "/root/.cache/tracker3/files/errors", mode=mode@entry=448) at ../sysdeps/unix/sysv/linux/generic/mkdir.c:31
-
-See also:
-https://gitlab.gnome.org/GNOME/localsearch/-/commit/30b24e9d379458b66f2465422821a66bec3a749b
-https://gitlab.gnome.org/GNOME/localsearch/-/commit/2c45c7024b96dd9f989b0dd0258574e323ce032c
-https://gitlab.gnome.org/GNOME/localsearch/-/issues/128
----
- src/libtracker-miners-common/tracker-seccomp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
-index a2b7ed9..32c24e2 100644
---- a/src/libtracker-miners-common/tracker-seccomp.c
-+++ b/src/libtracker-miners-common/tracker-seccomp.c
-@@ -102,6 +102,7 @@ tracker_seccomp_init (void)
- 	ALLOW_RULE (statx);
-         ALLOW_RULE (fstatfs);
- 	ALLOW_RULE (access);
-+	ALLOW_RULE (faccessat);
- 	ALLOW_RULE (getdents);
- 	ALLOW_RULE (getdents64);
- 	ALLOW_RULE (readlink);
-@@ -173,6 +174,7 @@ tracker_seccomp_init (void)
-        ERROR_RULE (inotify_init, EINVAL);
- 
-        ERROR_RULE (mkdir, EPERM);
-+       ERROR_RULE (mkdirat, EPERM);
-        ERROR_RULE (rename, EPERM);
-        ERROR_RULE (unlink, EPERM);
-        ERROR_RULE (ioctl, EBADF);
--- 
-2.27.0
-

tracker-miners-3.0.5-sw.patch

@@ -1,13 +0,0 @@
-diff -Naur tracker-miners-3.0.5.org/src/libtracker-miners-common/tracker-ioprio.c tracker-miners-3.0.5.sw/src/libtracker-miners-common/tracker-ioprio.c
---- tracker-miners-3.0.5.org/src/libtracker-miners-common/tracker-ioprio.c	2022-06-14 15:00:54.220000000 +0000
-+++ tracker-miners-3.0.5.sw/src/libtracker-miners-common/tracker-ioprio.c	2022-06-14 15:01:54.590000000 +0000
-@@ -62,6 +62,9 @@
- #elif defined(__ia64__)
- #define __NR_ioprio_set                 1274
- #define __NR_ioprio_get                 1275
-+#elif defined(__sw_64__)
-+#define __NR_ioprio_set                 442
-+#define __NR_ioprio_get                 443
- #elif defined(__alpha__)
- #define __NR_ioprio_set                 442
- #define __NR_ioprio_get                 443

tracker3-miners.conf

@@ -1 +0,0 @@
-/usr/lib64/tracker-miners-3.0

tracker3-miners.spec

@@ -2,16 +2,12 @@
 
 Name:           tracker3-miners
 Version:        3.0.5
-Release:        6
+Release:        1
 Summary:        One of two parts of tracker mainly contains the indexer daemon and tools. 
 
 License:        GPLv2+ and LGPLv2+
 URL:            https://wiki.gnome.org/Projects/Tracker
 Source0:        https://download.gnome.org/sources/tracker-miners/3.0/tracker-miners-%{version}.tar.xz
-Source1: 	tracker3-miners.conf
-Patch1:         tracker-miners-3.0.5-sw.patch
-Patch2:         CVE-2023-5557.patch
-Patch3:         libtracker-miners-common-Add-more-seccomp-rules.patch
 
 BuildRequires:  asciidoc libxslt coreutils glib2 glib2-devel gcc giflib-devel meson systemd
 BuildRequires:  pkgconfig(tracker-sparql-3.0) pkgconfig(tracker-testutils-3.0)
@@ -24,7 +20,7 @@ BuildRequires:	pkgconfig(libexif) pkgconfig(libgsf-1) pkgconfig(libgxps)
 BuildRequires:	pkgconfig(libiptcdata) pkgconfig(libjpeg) pkgconfig(libosinfo-1.0) pkgconfig(libpng)
 BuildRequires:	pkgconfig(libseccomp) pkgconfig(libtiff-4) pkgconfig(libxml-2.0) pkgconfig(poppler-glib)
 BuildRequires:	pkgconfig(totem-plparser) pkgconfig(upower-glib) pkgconfig(libnm)
-BuildRequires:	pkgconfig(enca) pkgconfig(systemd) chrpath
+BuildRequires:	pkgconfig(enca) pkgconfig(systemd)
 
 %{?systemd_requires}
 Requires:       tracker3%{?_isa}
@@ -55,32 +51,20 @@ this is for version 3 series.
 %meson_install
 
 %find_lang tracker3-miners
-chrpath -d %{buildroot}%{_libexecdir}/tracker-*
-chrpath -d %{buildroot}%{_libexecdir}/tracker3/*
-chrpath -d %{buildroot}%{_libdir}/tracker-miners-3.0/libtracker-miner-3.0.so
-
-install -d %{buildroot}%{_sysconfdir}/ld.so.conf.d
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
-%ifarch sw_64
-sed -i 's/lib64/lib/g' %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
-%endif
 
 %post
 %systemd_user_post %{systemd_units}
-/sbin/ldconfig
 
 %preun
 %systemd_user_preun %{systemd_units}
 
 %postun
 %systemd_user_postun_with_restart %{systemd_units}
-/sbin/ldconfig
 
 %files -f tracker3-miners.lang
 %license COPYING*
 %doc AUTHORS NEWS README.md
 %config(noreplace) %{_sysconfdir}/xdg/autostart/tracker-miner-fs-3.desktop
-%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 %{_libdir}/tracker-miners-3.0/
 %{_libexecdir}/tracker*
 %{_datadir}/dbus-1/interfaces/org.freedesktop.Tracker3.Miner*.xml
@@ -92,24 +76,5 @@ sed -i 's/lib64/lib/g' %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.
 
 
 %changelog
-* Mon Jan 13 2025 wangshuo <wangshuo@kylinos.cn> - 3.0.5-6
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:Fix the SIGSYS coredump issue that occurs when executing
--      the /usr/libexec/tracker-extract-3 command
-
-* Mon May 20 2024 technology208 <technology@208suo.com> - 3.0.5-5
-- fix CVE-2023-5557
-
-* Wed Oct 26 2022 wuzx<wuzx1226@qq.com> - 3.0.5-4
-- Add sw64 architecture
-
-* Thu Sep 23 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.0.5-3
-- Add dynamic library search path with file
-
-* Thu Sep 09 2021 sunguoshuai <sunguoshuai@huawei.com> - 3.0.5-2
-- del rpath in some binaries
-
 * Thu Jun 17 2021 weijin deng <weijin.deng@turbolinux.com.cn> - 3.0.5-1
 - Package init with version 3.0.5