Package: rpm / 4.16.1.2+dfsg1-3

Metadata

Package: rpm
Version: 4.16.1.2+dfsg1-3
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
installplatform-verbose.patch

installplatform | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 verbose installplatform
    Just make installplatform verbose to ease debugging problems with creating platform files.

rpmdb-in-home.patch

macros.in | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 move default rpmdb path to user home
debian-disable-rpm.patch

configure.ac | 2 2 + 0 - 0 !
lib/poptI.c | 5 5 + 0 - 0 !
lib/rpmprob.h | 1 1 + 0 - 0 !
rpm.c | 8 8 + 0 - 0 !
4 files changed, 16 insertions(+)

 rpm is not the default package manager on debian
 In Debian, rpm should not be used to install packages, but rather as a tool to
 work with rpm packages or as a helper in alien. Because of this we complain
 when a user tries to install a package. This warning can be hidden
 by --force-debian.
fix-directories.patch

doc/manual/builddependencies | 2 1 + 1 - 0 !
macros.in | 2 1 + 1 - 0 !
platform.in | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 fix installation directories
 - Do not install rpm to /bin/.
 - Setup default directories so that source RPMs rebuilt on Debian get
   the right directories and also that builds occur in /usr/src/rpm
 - Fix statedir and init.d patch
tempfile.patch

scripts/vpkg-provides.sh | 24 12 + 12 - 0 !
1 file changed, 12 insertions(+), 12 deletions(-)

 use the debian standard (and safe) mechanism of generating temporary files
autogen-cleanup.patch

autogen.sh | 24 24 + 0 - 0 !
1 file changed, 24 insertions(+)

 delete some crap after running autogen.
lua-libname.patch

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 In Debian, the lua library is called lua5.2.
rpm-4.10.90-rpmlib-filesystem-check.patch

lib/depends.c | 107 106 + 1 - 0 !
1 file changed, 106 insertions(+), 1 deletion(-)

 add fedora compatible rpm builtin provides
0012-pythondistdeps.py-Use-python3-in-shebang.patch

scripts/pythondistdeps.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 pythondistdeps.py: use python3 in shebang


debugedit-trunk.diff

tools/debugedit.c | 775 413 + 362 - 0 !
1 file changed, 413 insertions(+), 362 deletions(-)

---
gcc-dwarf5.diff

tools/debugedit.c | 884 682 + 202 - 0 !
1 file changed, 682 insertions(+), 202 deletions(-)

---
CVE-2021-3421-CVE-2021-20271.patch

lib/package.c | 117 57 + 60 - 0 !
1 file changed, 57 insertions(+), 60 deletions(-)

 be much more careful about copying data from the signature header
 Only look for known tags, and ensure correct type and size where known
 before copying over. Bump the old arbitrary 16k count limit to 16M limit
 though, it's not inconceivable that a package could have that many files.
 While at it, ensure none of these tags exist in the main header,
 which would confuse us greatly.
 .
 This is optimized for backporting ease, upstream can remove redundancies
 and further improve checking later.
 .
 Reported and initial patches by Demi Marie Obenour.
 .
 Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ...
 .
 Fixes: CVE-2021-3421, CVE-2021-20271
 .
 NOTE (Debian): the upstream patch was modified to remove the references to
 RPMSIGTAG_VERITYSIGNATURES and RPMSIGTAG_VERITYSIGNATUREALGO, which were
 introduced in upstream changes later than our version.
 .
 This Debian patch combines the upstream patch with two follow-up commits:
CVE-2021-20266.patch

lib/header.c | 48 31 + 17 - 0 !
1 file changed, 31 insertions(+), 17 deletions(-)

 hdrblobInit() needs bounds checks too
 Users can pass untrusted data to hdrblobInit() and it must be robust
 against this.
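
The two descriptions above (copying only known signature-header tags after checking their type and size, and bounds-checking the header blob that hdrblobInit() receives) come down to one discipline: treat every index entry as untrusted, check it against the buffer it points into and against a table of expected types and counts, and refuse anything that does not fit. The C program below is an added illustration written for this page; it is not rpm's code and not the upstream patches. Its blob layout, tag numbers, limits and function names are hypothetical, and the two sample blobs are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical blob layout (not rpm's real one): big-endian index count
 * (il), data length (dl), il index entries of {tag, type, offset, count},
 * then dl bytes of data. Everything in the buffer is untrusted. */
enum { ENTRY_BYTES = 16, MAX_ENTRIES = 64 };
enum { TYPE_INT32 = 4, TYPE_STRING = 6, TYPE_BIN = 7 };

typedef struct { uint32_t tag, type, offset, count; } entry_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bytes per element for fixed-size types; 0 means unknown or variable. */
static uint32_t elem_size(uint32_t type) {
    return type == TYPE_INT32 ? 4 : type == TYPE_BIN ? 1 : 0;
}

/* Parse a blob, rejecting any entry whose type is unknown or whose
 * offset/count would read outside the data area. Returns the number of
 * entries, or -1. Size arithmetic is done in 64 bits so it cannot wrap. */
static int parse_blob(const uint8_t *buf, size_t len, entry_t *out, size_t max_out) {
    if (len < 8) return -1;
    uint32_t il = rd32(buf), dl = rd32(buf + 4);
    if (il == 0 || il > MAX_ENTRIES || il > max_out) return -1;
    if (8 + (uint64_t)il * ENTRY_BYTES + dl != len) return -1;
    const uint8_t *data = buf + 8 + (size_t)il * ENTRY_BYTES;
    for (uint32_t i = 0; i < il; i++) {
        const uint8_t *e = buf + 8 + (size_t)i * ENTRY_BYTES;
        entry_t ent = { rd32(e), rd32(e + 4), rd32(e + 8), rd32(e + 12) };
        if (ent.count == 0 || ent.offset >= dl) return -1;
        if (ent.type == TYPE_STRING) {
            /* exactly one NUL-terminated string, terminated inside the data */
            if (ent.count != 1 || !memchr(data + ent.offset, 0, dl - ent.offset))
                return -1;
        } else {
            uint32_t es = elem_size(ent.type);
            if (es == 0 || (uint64_t)ent.offset + (uint64_t)ent.count * es > dl)
                return -1;
        }
        out[i] = ent;
    }
    return (int)il;
}

/* Signature tags this example knows (hypothetical numbers), with the type
 * and maximum count each must have before it may be copied anywhere. */
typedef struct { uint32_t tag, type, max_count; } known_t;
static const known_t KNOWN_SIG[] = {
    { 1000, TYPE_INT32,  1 },   /* payload size */
    { 1004, TYPE_BIN,   32 },   /* header digest */
    { 1005, TYPE_STRING, 1 },   /* key id */
};

/* Select signature entries that are safe to copy into the main header:
 * unknown tags are skipped, a known tag with the wrong type or an oversize
 * count is an error, and so is a tag the main header (main_tags) already
 * carries, since the copy would clash with it. Returns the count, or -1. */
static int select_copyable(const entry_t *sig, int nsig,
                           const uint32_t *main_tags, int nmain, entry_t *out) {
    int n = 0;
    for (int i = 0; i < nsig; i++) {
        const known_t *k = NULL;
        for (size_t j = 0; j < sizeof KNOWN_SIG / sizeof KNOWN_SIG[0]; j++)
            if (KNOWN_SIG[j].tag == sig[i].tag) k = &KNOWN_SIG[j];
        if (!k) continue;
        if (sig[i].type != k->type || sig[i].count > k->max_count) return -1;
        for (int m = 0; m < nmain; m++)
            if (main_tags[m] == sig[i].tag) return -1;
        out[n++] = sig[i];
    }
    return n;
}

/* Constructed sample: 2 entries, 8 data bytes (one int32, then "abc\0"). */
static const uint8_t GOOD_BLOB[48] = {
    0,0,0,2, 0,0,0,8,
    0,0,3,0xE8, 0,0,0,4, 0,0,0,0, 0,0,0,1,   /* tag 1000 INT32  @0 x1 */
    0,0,3,0xED, 0,0,0,6, 0,0,0,4, 0,0,0,1,   /* tag 1005 STRING @4 x1 */
    0,0,0,42, 'a','b','c',0,
};
/* Same blob, but the first entry claims three int32s: 12 bytes from
 * offset 0 in an 8-byte data area, which the bounds check must reject. */
static const uint8_t BAD_BLOB[48] = {
    0,0,0,2, 0,0,0,8,
    0,0,3,0xE8, 0,0,0,4, 0,0,0,0, 0,0,0,3,
    0,0,3,0xED, 0,0,0,6, 0,0,0,4, 0,0,0,1,
    0,0,0,42, 'a','b','c',0,
};

static int demo_good(void) {
    entry_t e[MAX_ENTRIES], sel[MAX_ENTRIES];
    uint32_t main_tags[] = { 100, 200 };   /* hypothetical main-header tags */
    int n = parse_blob(GOOD_BLOB, sizeof GOOD_BLOB, e, MAX_ENTRIES);
    return n < 0 ? n : select_copyable(e, n, main_tags, 2, sel);
}
static int demo_bad_bounds(void) {
    entry_t e[MAX_ENTRIES];
    return parse_blob(BAD_BLOB, sizeof BAD_BLOB, e, MAX_ENTRIES);
}
static int demo_bad_type(void) {
    entry_t e = { 1004, TYPE_INT32, 0, 1 }, sel[1];  /* digest declared as int32 */
    return select_copyable(&e, 1, NULL, 0, sel);
}
static int demo_clash(void) {
    entry_t e = { 1000, TYPE_INT32, 0, 1 }, sel[1];
    uint32_t main_tags[] = { 1000 };   /* main header already carries tag 1000 */
    return select_copyable(&e, 1, main_tags, 1, sel);
}
```

demo_good() parses the well-formed blob and finds both entries copyable; demo_bad_bounds() is rejected by the size check before any data is touched; demo_bad_type() and demo_clash() are rejected by the known-tag table and the main-header overlap check respectively. The point of keeping the two checks separate is that the blob-level bounds check protects the parser itself, while the tag table decides what is allowed to flow from the unsigned signature region into the header the rest of the tool trusts.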
hide-symbols.patch

lib/package.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 do not make the xlatetags symbol public.