DLPX-85006 CVE-2022-48303 found in virtualization affected package ta…

…r_1.30+dfsg-7ubuntu0.20.04.2 (#277)
delphix · Mar 8, 2023 · b4c376f · b4c376f
1 parent ea43653
commit b4c376f
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/package-lists/build/main.pkgs b/package-lists/build/main.pkgs
@@ -23,6 +23,7 @@ libkdumpfile
 make-jpkg
 makedumpfile
 masking
+misc-debs
 nfs-utils
 performance-diagnostics
 ptools

diff --git a/packages/misc-debs/config.sh b/packages/misc-debs/config.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+#
+# Copyright 2021, 2023 Delphix
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# shellcheck disable=SC2034
+
+DEFAULT_PACKAGE_GIT_URL=none
+SKIP_COPYRIGHTS_CHECK=true
+
+#
+# IMPORTANT NOTE
+# --------------
+#
+# Debian packages (debs) that are not built from source by linux-pkg can be
+# added to this "meta-package". As a general rule, pre-built debs should only
+# be added here when they have been fetched from a trusted third-party
+# package archive.
+#
+# Here are some valid reasons for adding new debs here:
+# - There are bugs with a recent version of a package provided by Ubuntu and
+#   we want to pin an older version of that package.
+# - Ubuntu provides a version of a package that is too old, and the package's
+#   maintainers provide a more recent version of the package. Note that in this
+#   case, you may also look into adding the maintainer's archive to the
+#   linux-package-mirror PPAs list.
+#
+# To add a new deb here, upload that deb to the linux-pkg/misc-debs directory
+# in artifcatory and note the deb's SHA256. Be explicit on where this deb
+# was fetched from and why it was added to this list.
+#
+# When removing debs from this list, you should not remove them from artifactory
+# as they would used when rebuilding older releases.
+#
+
+function fetch() {
+	logmust cd "$WORKDIR/artifacts"
+
+	local debs=(
+		"tar_1.30+dfsg-7ubuntu0.20.04.3_amd64.deb a3b1212570b10c192b3d49cffb68f909146d4b72a7104f213f4426c7e41d0e49"
+	)
+
+	local url="http://artifactory.delphix.com/artifactory/linux-pkg/misc-debs"
+
+	echo "Fetched debs:" >BUILD_INFO
+	local entry
+	for entry in "${debs[@]}"; do
+		local deb sha256
+		deb=$(echo "$entry" | awk '{print $1}')
+		sha256=$(echo "$entry" | awk '{print $2}')
+		[[ -n "$deb" && -n "$sha256" ]] || die "Invalid entry '$entry'"
+
+		logmust fetch_file_from_artifactory "$url/$deb" "$sha256"
+
+		echo "$entry" >>BUILD_INFO
+	done
+}
+
+function build() {
+	return
+	# Nothing to do, all the logic is done in fetch().
+}