Bug 2217771
| Summary: | sd-bus authentication failure against gdbus service | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Martin Pitt <mpitt> |
| Component: | glib2 | Assignee: | Michael Catanzaro <mcatanza> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Pelka <tpelka> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.3 | CC: | jkoten, tpelka |
| Target Milestone: | rc | Keywords: | OtherQA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | glib2-2.68.4-11.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-07 08:53:12 UTC | Type: | Enhancement |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2183545 | ||
|
Description
Martin Pitt
2023-06-27 04:57:16 UTC
> If there are conflicts on applying it,
There are not:
git checkout 2.68.4
git cherry-pick 8f02681f6e2130c52f27c1edb4febb1443e97d94
works cleanly.
Sure. Notes for myself, in case I have to re-do it: git clone https://gitlab.gnome.org/GNOME/glib cd glib git submodule update --init --recursive Build glib2 in podman run -it --name c9s -v ./glib/:/glib quay.io/centos/centos:stream9 dnf install 'dnf-command(builddep)' dnf builddep --enablerepo=crb glib2 meson b Prepare the rhel4edge VM with installing cockpit-bridge with pybridge: printf '[Service]\nEnvironment=LD_LIBRARY_PATH=/usr/local/lib64\n' > /etc/systemd/system/rpm-ostreed.service.d/override.conf Iterate with git clean -ffdx; git show 8f02681f6e2130c52f27c1edb4febb1443e97d94 | patch -p0 && podman exec -it c9s sh -ec 'cd /glib; rm -rf b; meson b; nice meson install -C b --destdir i' && rsync -rlvP --delete b/i/usr/local/lib64 c:/usr/local/ && ssh c systemctl stop rpm-ostreed && git reset --hard Initial coarse-grained bisect: * 2.74.4 fails, 2.47.7 works (as expected from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3300); that's good, it means this is within glib2, and not also in the older libsystemd * 2.68.4 + cherry-pick 8f02681f6e213 fails (should be the same as in the build above, confirming that it was done correctly) * 2.70.5 + cherry-pick 8f02681f6e213 fails * 2.72.4 + cherry-pick 8f02681f6e213 fails * 2.73.3 + cherry-pick 8f02681f6e213 works * 2.73.0 + cherry-pick 8f02681f6e213 fails `git log 2.73.0..2.73.3 gio/gdbusauth.c` has just a handful commits, and there's a high chance that it's related to this bug: * 764f071909: fails * 3f532af65c: fails * e0a0749268: conflicty; but applies after 18886d43d2 and 7d7b52edbda3; however, it doesn't build, and that commit is obviously broken (probably a commit series in a PR which wasn't cleanly separated) * 32b226d1b1: with this additional commit it builds again, but fails 😢 So I started a git bisect between 2.73.0 and 2.73.3 which points to https://gitlab.gnome.org/GNOME/glib/-/commit/3f532af65c9. That is correct in the sense that building 3f532af65c9 works and 3f532af65c9^ fails. But I already tried to cherry-pick that commit above. So again, like the original commit, it seems to be necessary but not sufficient. So I'll dig some more. Got it: It needs all five of these: https://gitlab.gnome.org/GNOME/glib/-/commit/764f071909df gdbusauth: empty DATA does not need a trailing space https://gitlab.gnome.org/GNOME/glib/-/commit/a7d2e727eefc GDBusServer: If no initial response for EXTERNAL, send a challenge https://gitlab.gnome.org/GNOME/glib/-/commit/b51e3ab09e39 GDBusServer: Accept empty authorization identity for EXTERNAL mechanism https://gitlab.gnome.org/GNOME/glib/-/commit/3f532af65c98 gdbusauth: Represent empty data block as DATA\r\n, with no space https://gitlab.gnome.org/GNOME/glib/-/commit/8f02681f6e21 gdbus: Never buffer reads during server authentication (The last one was the one you already backported). These cherry-pick and build cleanly on top of 2.68.4, and fix sd-bus talking to rpm-ostree. Are these acceptable? Thanks! (In reply to Martin Pitt from comment #7) > Are these acceptable? Yes. I'll try a new build. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: glib2 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:6631 |