Bug 1839074

Summary: not applied patches are useless
Product: [Fedora] Fedora
Reporter: Harald Reindl <h.reindl>
Component: pure-ftpd
Assignee: Ondřej Lysoněk <olysonek>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: aurelien, gregswift, jaromir.capik, mi, msehnout, olysonek
Last Closed: 2020-05-25 19:18:38 UTC
Type: Bug

Description Harald Reindl 2020-05-22 12:40:19 UTC
%changelog
* Wed May 06 2020 Ondřej Lysoněk <olysonek> - 1.0.49-5
- Fix CVE-2020-9365 and CVE-2020-9274
- Resolves: rhbz#1828688
- Resolves: rhbz#1831059

it resolves nothing because they are never applied

[harry@srv-rhsoft:/downloads]$ cat pure-ftpd.spec | grep -i patch
Patch0:     0001-modify-pam.patch
Patch1:     0002-fedora-specific-config-file.patch
# Upstream patch:
Patch2:     0001-listdir-reuse-a-single-buffer-to-store-every-file-na.patch
# Upstream patch:
Patch3: 0001-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
# Upstream patch:
Patch4: 0001-pure_strcmp-len-s2-can-be-len-s1.patch
- Apply upstream patch to increase the size limit of the process's data segment
- Dropped patch 0003-Allow-having-both-options-and-config-file-on-command.patch
- add patch for x86_64 support
- rediff config patch

Comment 1 Harald Reindl 2020-05-22 12:43:56 UTC
in other words, without something like this you don't fix anything by just adding patches to the spec file and src.rpm

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1

Comment 2 Ondřej Lysoněk 2020-05-25 07:38:45 UTC
I appreciate you reviewing other people's work, but have you actually checked that the patches are not applied? We're using '%autosetup -S git', which means that the patches get applied automatically using git.

Comment 3 Harald Reindl 2020-05-25 12:07:12 UTC
well, i maintain pure-ftpd on my own for years, noticed some patches while upstream is still at "pure-ftpd-1.0.49.tar.gz 03-Apr-2019 11:03" and "borrowed" them, typically i look at %prep which are really used given that not everything bundled with the src.rpm is applied or sometimes patches are applied conditionally

not a friend of too much magic, but, well, ok
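
The point settled in this thread is that grepping a spec for `%patchN` lines misses patches applied by `%autosetup`. The following added example (not part of the original bug report or the Fedora package) audits a spec's `%prep` section for both styles; the function name `audit_patches` and the sample spec are constructed for illustration, and `%if` conditionals and `%autopatch` range options are not evaluated.

```python
import re

# Constructed sample modelled on the spec discussed in this bug (not the real file).
SAMPLE_SPEC = """\
Patch0:     0001-modify-pam.patch
Patch1:     0002-fedora-specific-config-file.patch
# Upstream patch:
Patch2:     0001-listdir-reuse-a-single-buffer-to-store-every-file-na.patch

%prep
%autosetup -S git

%build
"""

PATCH_TAG = re.compile(r"^Patch(\d*)\s*:\s*(\S+)", re.I)
# Explicit application: %patchN, %patch -P N, %patch -PN
PATCH_USE = re.compile(r"^%patch(\d+)\b|^%patch\b.*?-P\s*(\d+)")
SECTION = re.compile(
    r"^%(prep|build|install|check|files|changelog|description|package)\b")


def audit_patches(spec_text):
    """Map each declared patch number to 'explicit', 'auto' or None (not applied)."""
    declared, explicit = {}, set()
    auto = in_prep = False
    for raw in spec_text.splitlines():
        line = raw.strip()
        tag = PATCH_TAG.match(line)
        if tag:
            declared[int(tag.group(1) or 0)] = tag.group(2)
            continue
        sec = SECTION.match(line)
        if sec:
            in_prep = sec.group(1) == "prep"
            continue
        if not in_prep:
            continue
        if line.startswith("%autopatch"):
            auto = True
        elif line.startswith("%autosetup"):
            # -N tells %autosetup to skip automatic patch application
            auto = auto or "-N" not in line.split()
        else:
            use = PATCH_USE.match(line)
            if use:
                explicit.add(int(use.group(1) or use.group(2)))
    return {n: "explicit" if n in explicit else ("auto" if auto else None)
            for n in declared}
```

Because conditionals are not expanded here, running `rpmbuild -bp` on the spec and inspecting the unpacked source tree remains the definitive check that a CVE patch is really in the build.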