[autobackport: sssd-2-12] Use macro rather than shell expansion for string processing in spec file #8524

Merged
thalman merged 2 commits into SSSD:sssd-2-12 from sssd-bot:SSSD-sssd-backport-pr8511-to-sssd-2-12
Mar 16, 2026

@sssd-bot

This is an automatic backport of PR#8511 Use macro rather than shell expansion for string processing in spec file to branch sssd-2-12, created by @nforro.

Please make sure this backport is correct.

Note

The commits were cherry-picked without conflicts.

You can push changes to this pull request

git remote add sssd-bot git@github.com:sssd-bot/sssd.git
git fetch sssd-bot refs/heads/SSSD-sssd-backport-pr8511-to-sssd-2-12
git checkout SSSD-sssd-backport-pr8511-to-sssd-2-12
git push sssd-bot SSSD-sssd-backport-pr8511-to-sssd-2-12 --force

Original commits
f9697d4 - Use macro rather than shell expansion for string processing in spec file
caa0ec2 - Add a default for %samba_package_version

Backported commits

  • 1a57a38 - Use macro rather than shell expansion for string processing in spec file
  • 1e1d106 - Add a default for %samba_package_version

Original Pull Request Body

We've hardened security in Packit Service and shell expansions in spec files are now rejected as they can be used to execute arbitrary code. There is no need to use shell expansion for string processing, there is an existing macro for this very purpose.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request significantly improves the security and robustness of the sssd.spec.in file. The replacement of shell expansion with the %{gsub} RPM macro directly addresses a security vulnerability by preventing arbitrary code execution during the build process. Furthermore, the addition of a default value for samba_package_version enhances the reliability of the spec file, ensuring that the build does not fail if the Samba development package version cannot be determined.
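
A check along the lines of the rejection described in the pull request body and the review above, as an added example that is not part of the original thread and is not SSSD's or Packit's code: it scans spec text for `%(...)` shell expansions and reports where they occur. The sample spec, the function name and the `%{gsub}` arguments are constructed for illustration.

```python
import sys

# Constructed sample spec for illustration; not taken from sssd.spec.in.
SAMPLE_SPEC = """\
Name: demo
%global ver_us %(echo %{version} | sed 's/-/_/g')
%global ver_ok %{gsub %{version} rc pre}
# rpm expands macros inside comments as well: %(id -u)
# 100%% literal: %%(not expanded)
%global nested %(echo $(date +%%Y))
"""


def find_shell_expansions(spec_text):
    """Return [(line_number, expression)] for each %(...) shell expansion."""
    findings = []
    i, n = 0, len(spec_text)
    while i < n:
        if spec_text.startswith("%%", i):
            # "%%" is an escaped literal percent, so "%%(" is not an expansion.
            i += 2
        elif spec_text.startswith("%(", i):
            # Plain parenthesis counting: quotes are not interpreted, and an
            # unterminated expansion is reported up to the end of the text.
            depth, j = 1, i + 2
            while j < n and depth:
                depth += {"(": 1, ")": -1}.get(spec_text[j], 0)
                j += 1
            findings.append((spec_text.count("\n", 0, i) + 1, spec_text[i:j]))
            i = j  # nested expansions are covered by the outer finding
        else:
            i += 1
    return findings


if __name__ == "__main__":
    # Scan the file given on the command line, or the sample if none is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPEC
    hits = find_shell_expansions(text)
    for line_no, expr in hits:
        print(f"line {line_no}: shell expansion {expr}")
    sys.exit(1 if hits else 0)
```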

@thalman thalman left a comment

Build failure in rawhide is not connected with the change

nforro added 2 commits March 16, 2026 13:36
Signed-off-by: Nikola Forró <nforro@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit f9697d4)
Signed-off-by: Nikola Forró <nforro@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit caa0ec2)
@sssd-bot

The pull request was accepted by @thalman with the following PR CI status:


🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-44-x86_64:upstream (success)
🔴 rpm-build:fedora-rawhide-x86_64:upstream (failure)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)


There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.

@sssd-bot sssd-bot force-pushed the SSSD-sssd-backport-pr8511-to-sssd-2-12 branch from 1e1d106 to 1a7abe7 Compare March 16, 2026 13:36
@thalman

thalman commented Mar 16, 2026

Build failure in rawhide is not connected with the change

@thalman thalman merged commit 33ba4ba into SSSD:sssd-2-12 Mar 16, 2026
7 of 8 checks passed