From ef4485c6a0cb45da635a23e89bea8615361c8c2c Mon Sep 17 00:00:00 2001 From: Andrew Phelps Date: Thu, 5 Dec 2024 13:45:04 -0800 Subject: [PATCH 01/55] Documentation: Add references to ARM64 3.0 ISO (#11327) --- README.md | 2 +- .../docs/security/iso-image-verification.md | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dac96479232..f05c1487e13 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Instructions for building Azure Linux 3.0 may be found here: [Toolkit Documentat ### ISO -To try Azure Linux Download the ISO here: [Azure Linux 3.0 x86_64 ISO](https://aka.ms/azurelinux-3.0-x86_64.iso) +To try Azure Linux Download the ISO here: [Azure Linux 3.0 x86_64 ISO](https://aka.ms/azurelinux-3.0-x86_64.iso) / [Azure Linux 3.0 aarch64 ISO](https://aka.ms/azurelinux-3.0-aarch64.iso) Before using a downloaded ISO, [verify the checksum and signature of the image](toolkit/docs/security/iso-image-verification.md). diff --git a/toolkit/docs/security/iso-image-verification.md b/toolkit/docs/security/iso-image-verification.md index 4559da5e77f..4c7e4b37d97 100644 --- a/toolkit/docs/security/iso-image-verification.md +++ b/toolkit/docs/security/iso-image-verification.md @@ -2,6 +2,7 @@ It is strongly recommended that the integrity of the image is verified after downloading it. This is a two-step process. First, ensure that the checksum file has not been tampered with by verifying the signature against Azure Linux's RPM signing public key. Second, check that the ISO image was not corrupted during the download. The following bash script shows the commands necessary to download the iso image and check the signature: +# x86_64 ISO verification: ```bash # Download the necessary files wget https://aka.ms/AzureLinux-3.0-x86_64.iso @@ -26,3 +27,29 @@ gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" dos2unix "$CHECKSUM_FILE" sha256sum --check "$CHECKSUM_FILE" ``` + +# aarch64 ISO verification: +```bash +# Download the necessary files +wget https://aka.ms/AzureLinux-3.0-aarch64.iso +wget https://aka.ms/azurelinux-3.0-aarch64-iso-checksum +wget https://aka.ms/azurelinux-3.0-aarch64-iso-checksum-signature +wget https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY + +# Set Variables for the checksum and signature file names +CHECKSUM_FILE="azurelinux-3.0-aarch64-iso-checksum" +SIGNATURE_FILE="azurelinux-3.0-aarch64-iso-checksum-signature" + +# Import the RPM signing public key into the local GPG keystore +gpg --import MICROSOFT-RPM-GPG-KEY + +# Verify that the checksum file was produced by the Azure Linux team +# The output of this command should contain the following string: +# 'Good signature from "Azure Linux RPM Release Signing "' +gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE" + +# Verify that the ISO image checksum matches the expected checksum +# We need to fix the line endings on the signature file to get sha256sum to accept it +dos2unix "$CHECKSUM_FILE" +sha256sum --check "$CHECKSUM_FILE" +``` From a607759f06c7da6bba08525e47d85306fac1f6e0 Mon Sep 17 00:00:00 2001 From: reuben olinsky Date: Mon, 9 Dec 2024 09:49:00 -0800 Subject: [PATCH 02/55] build: update PR auto-label policy (#11288) Update GitHub resource management policies to auto-apply labels to PRs. --- .github/policies/resourceManagement.yml | 67 +++++++++++++++++-------- 1 file changed, 47 insertions(+), 20 deletions(-) diff --git a/.github/policies/resourceManagement.yml b/.github/policies/resourceManagement.yml index ad8ef417626..d104f8e857c 100644 --- a/.github/policies/resourceManagement.yml +++ b/.github/policies/resourceManagement.yml @@ -13,34 +13,37 @@ configuration: - payloadType: Pull_Request then: - if: - - includesModifiedFiles: - files: - - SPECS/ - - SPECS-EXTENDED/ - - SPECS-SIGNED/ + - filesMatchPattern: + pattern: "^(SPECS|SPECS-EXTENDED|SPECS-SIGNED)/" + matchAny: true then: - addLabel: label: Packaging - if: - - includesModifiedFiles: - files: - - toolkit/docs/ + - filesMatchPattern: + pattern: "^SPECS-EXTENDED/" + matchAny: true + then: + - addLabel: + label: specs-extended + - if: + - filesMatchPattern: + pattern: "^toolkit/docs/" + matchAny: true then: - addLabel: label: documentation - if: - - includesModifiedFiles: - files: - - toolkit/tools/ - - toolkit/scripts/ + - filesMatchPattern: + pattern: "^toolkit/(tools|scripts)/" + matchAny: true then: - addLabel: label: Tools - if: - - includesModifiedFiles: - files: - - toolkit/imageconfigs/ - - toolkit/tools/imagegen/configuration + - filesMatchPattern: + pattern: "^toolkit/(imageconfigs|tools/imagegen/configuration)/" + matchAny: true then: - addLabel: label: Schema @@ -69,16 +72,40 @@ configuration: then: - if: - targetsBranch: - branch: 1.0-dev + branch: main then: - addLabel: - label: 1.0-dev + label: main - if: - targetsBranch: - branch: main + branch: 2.0 then: - addLabel: - label: main + label: 2.0 + - if: + - targetsBranch: + branch: 3.0-dev + then: + - addLabel: + label: 3.0-dev + - if: + - targetsBranch: + branch: 3.0 + then: + - addLabel: + label: 3.0 + - if: + - targetsBranch: + branch: fasttrack/2.0 + then: + - addLabel: + label: fasttrack/2.0 + - if: + - targetsBranch: + branch: fasttrack/3.0 + then: + - addLabel: + label: fasttrack/3.0 description: onFailure: onSuccess: From abf249d8e50e6d1f8b8e3365f68d09894d47c3b7 Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Mon, 9 Dec 2024 10:56:18 -0800 Subject: [PATCH 03/55] Cache clean-up fix. (#11249) --- SPECS/ca-certificates/certdata2pem.py | 0 toolkit/scripts/pkggen.mk | 24 +++++++++++++++++++----- toolkit/scripts/utils.mk | 4 ++-- 3 files changed, 21 insertions(+), 7 deletions(-) mode change 100644 => 100755 SPECS/ca-certificates/certdata2pem.py diff --git a/SPECS/ca-certificates/certdata2pem.py b/SPECS/ca-certificates/certdata2pem.py old mode 100644 new mode 100755 diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk index d714e29124a..aaed4f211f5 100644 --- a/toolkit/scripts/pkggen.mk +++ b/toolkit/scripts/pkggen.mk @@ -202,7 +202,23 @@ ifeq ($(PRECACHE),y) $(cached_file): $(STATUS_FLAGS_DIR)/precache.flag endif -$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS) $(depend_REPO_SNAPSHOT_TIME) $(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag +ifneq ($(strip $(PACKAGE_CACHE_SUMMARY)$(REPO_SNAPSHOT_TIME)),) +# We MUST clear the RPM package cache ONLY in the following scenarios: +# - the package cache summary file is used and has changed or +# - the repo snapshot time is used and has changed. +# +# These scenario are meant to build with a specific set of RPMs, so we must +# avoid contamination from previous builds. +# +# For other scenarios the cache is allowed to contain a mixture of packages and +# we allow the tooling to figure out the appropriate ones to use during the build. +# +# IMPORTANT: update the '$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag' target +# in tandem with updates to this one. +$(cached_file): $(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag +endif + +$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS) $(depend_PACKAGE_CACHE_SUMMARY) $(depend_REPO_SNAPSHOT_TIME) mkdir -p $(remote_rpms_cache_dir) && \ $(go-graphpkgfetcher) \ --input=$(graph_file) \ @@ -265,10 +281,8 @@ clean-compress-rpms: clean-compress-srpms: rm -rf $(srpms_archive) -# We need to clear the rpm package cache if we have a snapshot time. The filenames will all be -# the same, but the actual .rpm files may be fundamentally different. -$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag: $(depend_REPO_SNAPSHOT_TIME) - @echo "REPO_SNAPSHOT_TIME has changed, sanitizing rpm cache" +$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag: $(depend_PACKAGE_CACHE_SUMMARY) $(depend_REPO_SNAPSHOT_TIME) + @echo "Either 'PACKAGE_CACHE_SUMMARY' or 'REPO_SNAPSHOT_TIME' has changed, sanitizing rpm cache" @if [ -d "$(remote_rpms_cache_dir)" ]; then \ find "$(remote_rpms_cache_dir)" -type f -name '*.rpm' -delete; \ fi diff --git a/toolkit/scripts/utils.mk b/toolkit/scripts/utils.mk index 4cc53c4f874..197d0a76a43 100644 --- a/toolkit/scripts/utils.mk +++ b/toolkit/scripts/utils.mk @@ -55,10 +55,10 @@ endef ######## VARIABLE DEPENDENCY TRACKING ######## # List of variables to watch for changes. -watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG REPO_SNAPSHOT_TIME +watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG REPO_SNAPSHOT_TIME PACKAGE_CACHE_SUMMARY # Current list: $(depend_PACKAGE_BUILD_LIST) $(depend_PACKAGE_REBUILD_LIST) $(depend_PACKAGE_IGNORE_LIST) $(depend_REPO_LIST) $(depend_CONFIG_FILE) $(depend_STOP_ON_PKG_FAIL) # $(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) $(depend_SRPM_PACK_LIST) $(depend_SPECS_DIR) $(depend_EXTRA_BUILD_LAYERS) $(depend_MAX_CASCADING_REBUILDS) $(depend_RUN_CHECK) $(depend_TEST_RUN_LIST) -# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) $(depend_REPO_SNAPSHOT_TIME) +# $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) $(depend_REPO_SNAPSHOT_TIME) $(depend_PACKAGE_CACHE_SUMMARY) .PHONY: variable_depends_on_phony clean-variable_depends_on_phony setfacl_always_run_phony clean: clean-variable_depends_on_phony From dc51bea3da0018f74dd7de4d9247b59dbdb8db94 Mon Sep 17 00:00:00 2001 From: Ankita Pareek <56152556+Ankita13-code@users.noreply.github.com> Date: Wed, 11 Dec 2024 01:35:59 +0530 Subject: [PATCH 04/55] TDX: Enable CONFIG_INTEL_TDX_GUEST, CONFIG_TDX_GUEST_DRIVER (#10955) Signed-off-by: ankita Signed-off-by: Ankita Pareek Co-authored-by: ankita --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 ++++- SPECS/kernel-64k/kernel-64k.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/config | 3 ++- SPECS/kernel/kernel-uki.spec | 5 ++++- SPECS/kernel/kernel.signatures.json | 2 +- SPECS/kernel/kernel.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 13 files changed, 36 insertions(+), 14 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index b0111d170d2..1e881bfe37b 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Original version for Azure Linux - Starting with release 5 to align with kernel release. diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 14c6ac12d4a..81d8d68ba96 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 08983f26a80..8189674d8b7 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 199000195e7..f91783075cd 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -25,7 +25,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -370,6 +370,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Initial CBL-Mariner import from Photon (license: Apache2). - Starting with release 5 to align with kernel release. diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 330136d2c8f..3d645e24499 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 0eecab7d127..b225406e6b8 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -380,7 +380,7 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y CONFIG_PARAVIRT_CLOCK=y # CONFIG_JAILHOUSE_GUEST is not set # CONFIG_ACRN_GUEST is not set -# CONFIG_INTEL_TDX_GUEST is not set +CONFIG_INTEL_TDX_GUEST=y # CONFIG_MK8 is not set # CONFIG_MPSC is not set # CONFIG_MCORE2 is not set @@ -6157,6 +6157,7 @@ CONFIG_VMGENID=y # CONFIG_NITRO_ENCLAVES is not set # CONFIG_EFI_SECRET is not set CONFIG_SEV_GUEST=y +CONFIG_TDX_GUEST_DRIVER=m CONFIG_VIRTIO_ANCHOR=y CONFIG_VIRTIO=y CONFIG_VIRTIO_PCI_LIB=y diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 5a0322b8ec6..eafde865252 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Bump release to match kernel + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 5b05220a50a..eda9fcf8ddd 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config": "53cf68442824f43df68ee1105d1fe428474da2cc723610114d0409ad15a424d1", + "config": "651f9cab61a3eb370f7e6451d2115cce2c5f137f5d7e5f28234b5d07bf841d0f", "config_aarch64": "bfb4b4344045354a2ba518d11ae81fe5e3d45e9b11253ca2e199792543a9d624", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 02f40d57d19..6e132d92c6c 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -30,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -424,6 +424,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 +- Enable CONFIG_INTEL_TDX_GUEST and CONFIG_TDX_GUEST_DRIVER + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Enable ICE ethernet driver diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index f4643843a8d..3ab3b3d6642 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6fd3c5ffec3..3871203b17b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index c89eb87d70d..b3838e476e7 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index fb2f79e3070..e15f53cd0d3 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.57.1-5.azl3.noarch.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm From 63d05a5422d6be40bff39c2c728a717a56330465 Mon Sep 17 00:00:00 2001 From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com> Date: Tue, 10 Dec 2024 13:51:01 -0800 Subject: [PATCH 05/55] make install_dependencies work with file dependencies (#11054) In a containerized-rpmbuild environment, the function install_dependencies will install all BuildRequires dependencies from a spec file. However, it wasn't able to handle file dependencies like BuildRequires: %{_bindir}/cmp, which requires looking up the package that provides the file. This change uses tdnf repoquery to get the appropriate package. I also added usage of jq in that function, so I added it to the list of packages we always install (it's useful anyway), and did a minor refactor of how we do that. --- .../containerized-build/create_container_build.sh | 5 +++-- .../containerized-build/resources/azl.Dockerfile | 6 +++--- .../resources/setup_functions.sh | 14 ++++++++++++++ 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/toolkit/scripts/containerized-build/create_container_build.sh b/toolkit/scripts/containerized-build/create_container_build.sh index 70c360c5f94..7eb72dd2c30 100755 --- a/toolkit/scripts/containerized-build/create_container_build.sh +++ b/toolkit/scripts/containerized-build/create_container_build.sh @@ -84,6 +84,7 @@ script_dir=$(realpath $(dirname "${BASH_SOURCE[0]}")) topdir=/usr/src/azl enable_local_repo=false keep_container="--rm" +packages_to_install="azurelinux-release vim git jq" while (( "$#")); do case "$1" in @@ -92,7 +93,7 @@ while (( "$#")); do -p ) repo_path="$(realpath $2)"; shift 2 ;; -mo ) extra_mounts="$2"; shift 2 ;; -b ) build_mount_dir="$(realpath $2)"; shift 2;; - -ep ) extra_packages="$2"; shift 2;; + -ep ) packages_to_install="${packages_to_install} $2"; shift 2;; -r ) enable_local_repo=true; shift ;; -k ) keep_container=""; shift ;; -q ) STD_OUT_REDIRECT=/dev/null; shift ;; @@ -268,7 +269,7 @@ docker build -q \ --build-arg enable_local_repo="$enable_local_repo" \ --build-arg azl_repo="$repo_path" \ --build-arg mode="$mode" \ - --build-arg extra_packages="$extra_packages" \ + --build-arg packages_to_install="$packages_to_install" \ . echo "docker_image_tag is ${docker_image_tag}" diff --git a/toolkit/scripts/containerized-build/resources/azl.Dockerfile b/toolkit/scripts/containerized-build/resources/azl.Dockerfile index 1eda1907483..3b1ecbefdc3 100644 --- a/toolkit/scripts/containerized-build/resources/azl.Dockerfile +++ b/toolkit/scripts/containerized-build/resources/azl.Dockerfile @@ -4,7 +4,7 @@ ARG version ARG enable_local_repo ARG azl_repo ARG mode -ARG extra_packages +ARG packages_to_install LABEL containerized-rpmbuild=$azl_repo/build COPY resources/local_repo /etc/yum.repos.d/local_repo.disabled_repo @@ -23,5 +23,5 @@ RUN if [[ "${mode}" == "build" ]]; then echo "cd /usr/src/azl || { echo \"ERROR: RUN if [[ "${mode}" == "test" ]]; then echo "cd /mnt || { echo \"ERROR: Could not change directory to /mnt \"; exit 1; }" >> /root/.bashrc; fi # Install packages from bashrc so we can use the previously setup tdnf defaults. -RUN echo "echo installing packages azurelinux-release vim git ${extra_packages}" >> /root/.bashrc && \ - echo "tdnf install --releasever=${version} -qy azurelinux-release vim git ${extra_packages}" >> /root/.bashrc +RUN echo "echo installing packages ${packages_to_install}" >> /root/.bashrc && \ + echo "tdnf install --releasever=${version} -qy ${packages_to_install}" >> /root/.bashrc diff --git a/toolkit/scripts/containerized-build/resources/setup_functions.sh b/toolkit/scripts/containerized-build/resources/setup_functions.sh index 21d5f5ce8a5..4ea299465e9 100644 --- a/toolkit/scripts/containerized-build/resources/setup_functions.sh +++ b/toolkit/scripts/containerized-build/resources/setup_functions.sh @@ -158,6 +158,20 @@ install_dependencies() { # Get the list of dependencies from the spec file. mapfile -t dep_list < <(rpmspec -q --buildrequires $spec_file) + # Replace the dependencies with the package providing them. + for i in "${!dep_list[@]}" + do + # if the dependency is a file, find the package that provides it + if [[ ${dep_list[$i]} == /* ]]; then + package=$(tdnf repoquery --file "${dep_list[$i]}" --json | jq -r 'map(.Name) | unique | .[]') + if [ -z "$package" ]; then + echo "Could not find package providing '${dep_list[$i]}'." >/dev/stderr + return 1 + else + dep_list[$i]=$package + fi + fi + done # Install all the dependencies. tdnf install -y "${dep_list[@]}" || exit_code=$? done From 02fe186d1ee8583df3a58b069d4b7a27d608b689 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Fri, 13 Dec 2024 15:43:08 -0800 Subject: [PATCH 06/55] Release bump systemd-boot to use new keys (#11439) --- .../systemd-boot-signed/systemd-boot-signed.spec | 9 ++++++++- SPECS/systemd/systemd.spec | 5 ++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index 59a3ed26055..6178a71997b 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec @@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -53,6 +53,9 @@ Provides: version(systemd-boot)%{_isa} = %version Obsoletes: systemd-udev < 252.2^ Conflicts: grub2-efi-binary +Recommends: shim >= 15.8-3 +Conflicts: shim < 15.8-3 + %description -n systemd-boot systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a graphical menu to select the entry to boot and an editor for the kernel command @@ -90,6 +93,10 @@ popd /boot/efi/EFI/BOOT/grubx64.efi %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key +- Add confilcts/recommends on shim to ensure the keys match + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Update sd-boot install location diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index 291aa6bbbb4..bf0b98fa483 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 @@ -1216,6 +1216,9 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Install systemd-boot binary to ESP From c36b4284da0a05cd24ae2faab38f3e2b8c3890ec Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Fri, 13 Dec 2024 15:43:08 -0800 Subject: [PATCH 07/55] Release bump systemd-boot to use new keys (#11439) --- .../systemd-boot-signed/systemd-boot-signed.spec | 9 ++++++++- SPECS/systemd/systemd.spec | 5 ++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index 59a3ed26055..6178a71997b 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec @@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -53,6 +53,9 @@ Provides: version(systemd-boot)%{_isa} = %version Obsoletes: systemd-udev < 252.2^ Conflicts: grub2-efi-binary +Recommends: shim >= 15.8-3 +Conflicts: shim < 15.8-3 + %description -n systemd-boot systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a graphical menu to select the entry to boot and an editor for the kernel command @@ -90,6 +93,10 @@ popd /boot/efi/EFI/BOOT/grubx64.efi %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key +- Add confilcts/recommends on shim to ensure the keys match + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Update sd-boot install location diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index 291aa6bbbb4..bf0b98fa483 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 @@ -1216,6 +1216,9 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Install systemd-boot binary to ESP From 05db65dc8565a8226a4d0d919f0bd13e760c12a3 Mon Sep 17 00:00:00 2001 From: George Mileka Date: Tue, 17 Dec 2024 11:14:14 -0800 Subject: [PATCH 08/55] Enable selinux for liveos iso flow (#11198) --- ...-configuration-for-overlayfs-folders.patch | 38 +++ .../90overlayfs/azl-configure-selinux.sh | 34 +++ SPECS/dracut/dracut.signatures.json | 1 + SPECS/dracut/dracut.spec | 9 +- .../0038-enable-liveos-iso-flow.patch | 223 ++++++++++++++++++ SPECS/selinux-policy/selinux-policy.spec | 8 +- 6 files changed, 310 insertions(+), 3 deletions(-) create mode 100644 SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch create mode 100644 SPECS/dracut/90overlayfs/azl-configure-selinux.sh create mode 100644 SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch diff --git a/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch new file mode 100644 index 00000000000..082bb7968b7 --- /dev/null +++ b/SPECS/dracut/0016-Handle-SELinux-configuration-for-overlayfs-folders.patch @@ -0,0 +1,38 @@ +From 6fe401628d5671cf2f7683e4e0a04b9dcefb0180 Mon Sep 17 00:00:00 2001 +From: George Mileka +Date: Mon, 25 Nov 2024 16:27:41 -0800 +Subject: [PATCH] Handle SELinux configuration for overlayfs folders. + +When SELinux is enabled, the root folder '/' is expected to be marked +'root_t' - otherwise, SELinux will deny access calls. + +When an overlay is created for the root folder, it is created using +the lower and upper folders. The upper folder is created on tmpfs, +and subsequently getted the 'tmpfs_t' assigned by inheritence. +When the root overlay is created, it inherits the 'tmpfs_t'. + +Now, we have a conflict between what SELinux expects ('root_t') and +what we ended-up with ('tmpfs_t') leading to denials and failing to +complete the boot successfully. + +This patch injects a script ('azl-configure-sellinux.sh') that will +run after Dracut's SELinux module runs, and assigns the right SELinux +types (i.e. 'root_t') to the overlay folders. That way, when pivoting +takes place, the visible root folder has the right SELinux labeling. +--- + modules.d/90overlayfs/module-setup.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules.d/90overlayfs/module-setup.sh b/modules.d/90overlayfs/module-setup.sh +index dae20093..919df4f5 100755 +--- a/modules.d/90overlayfs/module-setup.sh ++++ b/modules.d/90overlayfs/module-setup.sh +@@ -17,4 +17,5 @@ install() { + inst_hook pre-mount 01 "$moddir/prepare-overlayfs.sh" + inst_hook mount 01 "$moddir/mount-overlayfs.sh" # overlay on top of block device + inst_hook pre-pivot 10 "$moddir/mount-overlayfs.sh" # overlay on top of network device (e.g. nfs) ++ inst_hook pre-pivot 70 "$moddir/azl-configure-selinux.sh" + } +-- +2.34.1 + diff --git a/SPECS/dracut/90overlayfs/azl-configure-selinux.sh b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh new file mode 100644 index 00000000000..3670b00ed69 --- /dev/null +++ b/SPECS/dracut/90overlayfs/azl-configure-selinux.sh @@ -0,0 +1,34 @@ +#!/bin/sh +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +# If SELinux is disabled exit now +getarg "selinux=0" > /dev/null && return 0 + +SELINUX="enforcing" +# shellcheck disable=SC1090 +[ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" +[ "$SELINUX" == "disabled" ] && return 0 + +getargbool 0 rd.live.overlay.overlayfs && overlayfs="yes" + +if [ -n "$overlayfs" ]; then + + # Get the current root folder context + rootDirContext=$($NEWROOT/usr/sbin/matchpathcon -f $NEWROOT/etc/selinux/targeted/contexts/files/file_contexts -m dir /) + + # Parse the context to extract the root folder '/' context type. + # The line should be on the form: "/ system_u:object_r:root_t:s0" + + # Split folder and context + IFS='\t' read -r _ selinuxContext <<< "$rootDirContext" + echo "root folder context: ($selinuxContext)" + + # Split context and extract its type + IFS=':' read -r _ _ contextType _ <<< "$selinuxContext" + echo "root folder label : ($contextType)" + + # Set the type on the target folders + [ -e /sysroot ] && chcon -t $contextType /sysroot + [ -e /run/overlayfs ] && chcon -t $contextType /run/overlayfs + [ -e /run/ovlwork ] && chcon -t $contextType /run/ovlwork +fi diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json index adc514e9058..65ce41c8701 100644 --- a/SPECS/dracut/dracut.signatures.json +++ b/SPECS/dracut/dracut.signatures.json @@ -6,6 +6,7 @@ "00-vrf.conf": "e2885a4b090d8ca3771e60ce6dcd8b849e28ce5002a5c7b71ff796a92deb2810", "00-xen.conf": "8b7a89b7716cb40a9c0d681caed6994d81ff4dfad4fe50cea15cd47b885dc5a6", "50-noxattr.conf": "61d95f05890ac6ee3355d0a386dd5645d82b7a4202d90305d997fd18c6d139dd", + "azl-configure-selinux.sh": "5f526509910fccdc2dffad4ef5070740847195510e3faefff39b831c9d28a439", "azl-liveos-artifacts-download.service": "888be8c82297cccd510d7f963611c2360ae67559826b2b474da6d9935237de64", "azl-liveos-artifacts-download.sh": "f21dc68de8c81d8a8128e7a9d7be45d25978f0b5e47a4cf1a2d97b1e171ec045", "dracut-102.tar.gz": "601b175cbf4d2ee902bb7bda3af8826ae2ca060c1af880f6da5a833413f4ec70", diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec index ade311b548c..f6a3b8568bd 100644 --- a/SPECS/dracut/dracut.spec +++ b/SPECS/dracut/dracut.spec @@ -4,7 +4,7 @@ Summary: dracut to create initramfs Name: dracut Version: 102 -Release: 7%{?dist} +Release: 8%{?dist} # The entire source code is GPLv2+ # except install/* which is LGPLv2+ License: GPLv2+ AND LGPLv2+ @@ -30,6 +30,7 @@ Source11: 50-noxattr.conf # code reviews given that they are new to Dracut. Source12: 90livenet/azl-liveos-artifacts-download.service Source13: 90livenet/azl-liveos-artifacts-download.sh +Source14: 90overlayfs/azl-configure-selinux.sh # allow-liveos-overlay-no-user-confirmation-prompt.patch has been introduced by # the Azure Linux team to allow skipping the user confirmation prompt during @@ -53,6 +54,7 @@ Patch: 0012-fix-dracut-functions-avoid-awk-in-get_maj_min.patch Patch: 0013-revert-fix-crypt-unlock-encrypted-devices-by-default.patch Patch: 0014-fix-systemd-pcrphase-in-hostonly-mode-do-not-try-to-include-systemd-pcrphase.patch Patch: 0015-fix-systemd-pcrphase-make-tpm2-tss-an-optional-dependency.patch +Patch: 0016-Handle-SELinux-configuration-for-overlayfs-folders.patch BuildRequires: bash BuildRequires: kmod-devel @@ -205,6 +207,8 @@ install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/dracut.conf.d/50-noxattr. install -m 0644 %{SOURCE12} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.service install -m 0755 %{SOURCE13} %{buildroot}%{dracutlibdir}/modules.d/90livenet/azl-liveos-artifacts-download.sh +install -m 0755 %{SOURCE14} %{buildroot}%{dracutlibdir}/modules.d/90overlayfs/azl-configure-selinux.sh + mkdir -p %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ install -p -m 0755 %{SOURCE4} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ install -p -m 0755 %{SOURCE5} %{buildroot}%{dracutlibdir}/modules.d/20overlayfs/ @@ -310,6 +314,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name} %dir %{_sharedstatedir}/%{name}/overlay %changelog +* Mon Dec 09 2024 George Mileka - 102-8 +- Augment overlayfs with selinux handling. + * Thu Oct 31 2024 George Mileka - 102-7 - Augment livenet module with a download daemon. diff --git a/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch new file mode 100644 index 00000000000..3d7d3cc9a92 --- /dev/null +++ b/SPECS/selinux-policy/0038-enable-liveos-iso-flow.patch @@ -0,0 +1,223 @@ +From 43b44054474cf139ee11afa386f0d4e5b2204a07 Mon Sep 17 00:00:00 2001 +From: George Mileka +Date: Fri, 6 Dec 2024 14:21:18 -0800 +Subject: [PATCH] Enable LiveOS ISO Flow + +In the LiveOS ISO flow, when selinux is enabled, initrd loads the +default selinux policy from the rootfs, then transitions to the +the rootfs where the final OS processes are started. + +The problem is that selinux denies many of these processes access +to a number of resources (mostly file descriptors, but here is also +access to the boot media, and other resources). + +This patch allows these failing processes access to the resources +they need. +--- + policy/modules/admin/usermanage.te | 2 ++ + policy/modules/apps/loadkeys.te | 2 ++ + policy/modules/kernel/devices.if | 18 ++++++++++++++++++ + policy/modules/kernel/kernel.if | 19 +++++++++++++++++++ + policy/modules/kernel/kernel.te | 1 + + policy/modules/system/authlogin.te | 1 + + policy/modules/system/getty.te | 2 ++ + policy/modules/system/init.te | 7 +++++++ + policy/modules/system/locallogin.te | 1 + + policy/modules/system/selinuxutil.te | 2 ++ + policy/modules/system/udev.te | 2 ++ + 11 files changed, 57 insertions(+) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 57a9848bc..ef24fb85b 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -317,6 +317,7 @@ allow passwd_t self:shm create_shm_perms; + allow passwd_t self:sem create_sem_perms; + allow passwd_t self:msgq create_msgq_perms; + allow passwd_t self:msg { send receive }; ++allow passwd_t kernel_t:fd use; + + allow passwd_t crack_db_t:dir list_dir_perms; + read_lnk_files_pattern(passwd_t, crack_db_t, crack_db_t) +@@ -492,6 +493,7 @@ allow useradd_t self:unix_dgram_socket create_socket_perms; + allow useradd_t self:unix_stream_socket create_stream_socket_perms; + allow useradd_t self:unix_dgram_socket sendto; + allow useradd_t self:unix_stream_socket connectto; ++allow useradd_t kernel_t:fd use; + + # for getting the number of groups + kernel_read_kernel_sysctls(useradd_t) +diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te +index 2263e9dba..61d098341 100644 +--- a/policy/modules/apps/loadkeys.te ++++ b/policy/modules/apps/loadkeys.te +@@ -21,6 +21,8 @@ allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_c + allow loadkeys_t self:fifo_file rw_fifo_file_perms; + allow loadkeys_t self:unix_stream_socket { connect create }; + ++kernel_getattr_unlabeled_dirs(loadkeys_t) ++kernel_use_fds(loadkeys_t) + kernel_read_system_state(loadkeys_t) + + init_use_fds(loadkeys_t) +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 35e14a021..13026d7a0 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -2206,6 +2206,24 @@ interface(`dev_setattr_input_dev',` + allow $1 event_device_t:chr_file setattr; + ') + ++######################################## ++## ++## Get the attributes of the event devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_input_dev',` ++ gen_require(` ++ type event_device_t; ++ ') ++ ++ allow $1 event_device_t:chr_file read_chr_file_perms; ++') ++ + ######################################## + ## + ## Read input event devices (/dev/input). +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 1d696a07c..90583facf 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -330,6 +330,25 @@ interface(`kernel_stream_connect',` + allow $1 kernel_t:unix_stream_socket connectto; + ') + ++######################################## ++## ++## Connect to kernel using a unix ++## domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_stream_read_write',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket { rw_socket_perms }; ++') ++ + ######################################## + ## + ## Getattr on kernel unix datagram sockets. +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index ea08036b6..59c1afeaf 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -238,6 +238,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) + # + + allow kernel_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; ++allow kernel_t self:capability2 checkpoint_restore; + allow kernel_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; + allow kernel_t self:shm create_shm_perms; + allow kernel_t self:sem create_sem_perms; +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 9dfef7a0c..791be68c2 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -116,6 +116,7 @@ allow chkpwd_t self:process { getattr signal }; + dontaudit chkpwd_t self:process getcap; + + allow chkpwd_t shadow_t:file read_file_perms; ++allow chkpwd_t kernel_t:fd use; + files_list_etc(chkpwd_t) + + kernel_dontaudit_search_kernel_sysctl(chkpwd_t) +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index a900226bf..360f7c67f 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -37,6 +37,8 @@ dontaudit getty_t self:capability sys_tty_config; + allow getty_t self:capability2 checkpoint_restore; + allow getty_t self:process { getpgid getsession setpgid signal_perms }; + allow getty_t self:fifo_file rw_fifo_file_perms; ++allow getty_t kernel_t:fd use; ++allow getty_t tmpfs_t:dir search; + + read_files_pattern(getty_t, getty_conf_t, getty_conf_t) + read_lnk_files_pattern(getty_t, getty_conf_t, getty_conf_t) +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 9ec685c74..a1d90762b 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1542,12 +1542,19 @@ optional_policy(` + zebra_read_config(initrc_t) + ') + ++######################################## ++# ++# Rules applied to all system processes ++# ++kernel_use_fds(systemprocess) ++ + ######################################## + # + # Rules applied to all daemons + # + + domain_dontaudit_use_interactive_fds(daemon) ++kernel_use_fds(daemon) + + # daemons started from init will + # inherit fds from init for the console +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 8330be8a9..9f2f160a4 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -47,6 +47,7 @@ allow local_login_t self:sem create_sem_perms; + allow local_login_t self:msgq create_msgq_perms; + allow local_login_t self:msg { send receive }; + allow local_login_t self:key { search write link }; ++allow local_login_t kernel_t:fd use; + + allow local_login_t local_login_lock_t:file manage_file_perms; + files_lock_filetrans(local_login_t, local_login_lock_t, file) +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 8e521e583..c7fb76550 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -119,6 +119,8 @@ type setfiles_t alias restorecon_t, can_relabelto_binary_policy; + type setfiles_exec_t alias restorecon_exec_t; + init_system_domain(setfiles_t, setfiles_exec_t) + domain_obj_id_change_exemption(setfiles_t) ++dev_read_input_dev(setfiles_t) ++kernel_stream_read_write(setfiles_t) + + ######################################## + # +diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te +index 8af0d90e0..a7bb89658 100644 +--- a/policy/modules/system/udev.te ++++ b/policy/modules/system/udev.te +@@ -57,6 +57,8 @@ allow udev_t self:rawip_socket create_socket_perms; + # rdma_rename + allow udev_t self:netlink_rdma_socket create_socket_perms; + ++fs_getattr_iso9660_files(udev_t) ++ + ifdef(`init_systemd',` + # systemd-vconsole-setup will be called by udev during virtual terminal initialization + allow udev_t self:capability sys_tty_config; +-- +2.34.1 + diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec index 8389a1a3166..7fd00e11c04 100644 --- a/SPECS/selinux-policy/selinux-policy.spec +++ b/SPECS/selinux-policy/selinux-policy.spec @@ -9,7 +9,7 @@ Summary: SELinux policy Name: selinux-policy Version: %{refpolicy_major}.%{refpolicy_minor} -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -56,6 +56,7 @@ Patch34: 0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch Patch35: 0035-rpm-Run-systemd-sysctl-from-post.patch Patch36: 0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch Patch37: 0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch +Patch38: 0038-enable-liveos-iso-flow.patch BuildRequires: bzip2 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} BuildRequires: m4 @@ -327,11 +328,14 @@ exit 0 selinuxenabled && semodule -nB exit 0 %changelog +* Wed Nov 20 2024 George Mileka - 2.20240226-9 +- Enable SELinux for LiveOS ISO. + * Wed Sep 11 2024 Chris PeBenito - 2.20240226-8 - Add additional required permissions for cloud-utils-growpart. - Cherry-pick upstream fix for typo in docker module. -* Mon Aug 13 2024 Chris PeBenito - 2.20240226-7 +* Tue Aug 13 2024 Chris PeBenito - 2.20240226-7 - Change policy composition so the base module only consits of policy modules that must be in the base. This will allow dowstream users to disable or override the individual policy modules. From e78ca4244463f730512f595af0c8cf778d8cde89 Mon Sep 17 00:00:00 2001 From: Bala Date: Wed, 18 Dec 2024 11:30:07 +0530 Subject: [PATCH 09/55] Provide an option not to auto-clean toolchain during daily-build (#11279) --- toolkit/docs/building/building.md | 8 ++++++++ toolkit/scripts/daily_build.mk | 2 ++ toolkit/scripts/toolchain.mk | 2 ++ 3 files changed, 12 insertions(+) diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md index 35069f0195c..64e6eca98f4 100644 --- a/toolkit/docs/building/building.md +++ b/toolkit/docs/building/building.md @@ -589,6 +589,14 @@ also augment the URL list. > Use the daily build sources for the given date. `lkg` will use the last known good build. +##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`n`** *(default)* + +> Delete the already downloaded toolchain RPMs and freshly download from LKG repo + +##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`y`** + +> Don't delete the already download tolchain RPMs to save time. Use only if are sure about this behaviour. + #### `DISABLE_UPSTREAM_REPOS=...` ##### `DISABLE_UPSTREAM_REPOS=`**`n`** *(default)* diff --git a/toolkit/scripts/daily_build.mk b/toolkit/scripts/daily_build.mk index d990a6ca09c..418d2d6b22f 100644 --- a/toolkit/scripts/daily_build.mk +++ b/toolkit/scripts/daily_build.mk @@ -24,6 +24,8 @@ DAILY_BUILD_ID ?= DAILY_BUILD_ID_UPDATE_MANIFESTS ?= y ##help:var:DAILY_BUILD_REPO={path to daily.repo}=Path to the daily build repo file to use. DAILY_BUILD_REPO ?= +##help:var:DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP={y,n}=Skip Deleting all downloaded toolchain RPMs when using a daily build. +DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP ?= n daily_lkg_workdir = $(BUILD_DIR)/daily_build_id diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk index 18f551e088c..2d1aec34e16 100644 --- a/toolkit/scripts/toolchain.mk +++ b/toolkit/scripts/toolchain.mk @@ -94,8 +94,10 @@ clean-toolchain-rpms: # We leave the directory structure in place since docker based builds using re-usable chroots will have mounted the # toolchain subdirectories into the chroots. Removing the directories would break the mounts. $(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag: $(STATUS_FLAGS_DIR)/daily_build_id.flag $(depend_VALIDATE_TOOLCHAIN_GPG) +ifeq ($(SKIP_TOOLCHAIN_AUTO_CLEANUP),n) @echo "Daily build ID or validation mode changed, sanitizing toolchain" find $(TOOLCHAIN_RPMS_DIR) -type f -name '*.rpm' -exec rm -f {} + +endif touch $@ copy-toolchain-rpms: From 9068013a0c0d4f14987b4799efcae03945df4d25 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:26:33 -0800 Subject: [PATCH 10/55] [AUTO-CHERRYPICK] gh: Upgrade to 2.62.0 to address HIGH CVE-2024-52308; add generate-tarball.sh script for auto-upgrading support - branch 3.0-dev (#11373) Co-authored-by: Vince Perri <5596945+vinceaperri@users.noreply.github.com> --- ...ve-in-TestMigrationWriteErrors-when-.patch | 88 +++++++++ SPECS/gh/generate_source_tarball.sh | 168 ++++++++++++++++++ SPECS/gh/gh.signatures.json | 4 +- SPECS/gh/gh.spec | 30 ++-- cgmanifest.json | 4 +- 5 files changed, 270 insertions(+), 24 deletions(-) create mode 100644 SPECS/gh/0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch create mode 100755 SPECS/gh/generate_source_tarball.sh diff --git a/SPECS/gh/0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch b/SPECS/gh/0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch new file mode 100644 index 00000000000..a3dc44dc3ee --- /dev/null +++ b/SPECS/gh/0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch @@ -0,0 +1,88 @@ +From 82441ca6f9736bc542e699c8cbf46f80542ed618 Mon Sep 17 00:00:00 2001 +From: Vince Perri <5596945+vinceaperri@users.noreply.github.com> +Date: Tue, 19 Nov 2024 23:29:08 +0000 +Subject: [PATCH] Fix false-negative in TestMigrationWriteErrors when root + +--- + internal/config/migrate_test.go | 44 ++++++++++++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) + +diff --git a/internal/config/migrate_test.go b/internal/config/migrate_test.go +index 783f605..7557149 100644 +--- a/internal/config/migrate_test.go ++++ b/internal/config/migrate_test.go +@@ -6,13 +6,20 @@ import ( + "io" + "os" + "path/filepath" ++ "syscall" + "testing" ++ "unsafe" + + ghmock "github.com/cli/cli/v2/internal/gh/mock" + ghConfig "github.com/cli/go-gh/v2/pkg/config" + "github.com/stretchr/testify/require" + ) + ++const ( ++ FS_IOC_SETFLAGS = 0x40086602 ++ FS_IMMUTABLE_FL = 0x00000010 ++) ++ + func TestMigrationAppliedSuccessfully(t *testing.T) { + readConfig := StubWriteConfig(t) + +@@ -215,6 +222,9 @@ func TestMigrationWriteErrors(t *testing.T) { + + // Then the error is wrapped and bubbled + require.ErrorContains(t, err, tt.wantErrContains) ++ ++ // Make the file writeable again so we can clean up ++ makeFileWriteable(t, filepath.Join(tempDir, tt.unwriteableFile)) + }) + } + } +@@ -226,7 +236,39 @@ func makeFileUnwriteable(t *testing.T, file string) { + require.NoError(t, err) + f.Close() + +- require.NoError(t, os.Chmod(file, 0000)) ++ if os.Geteuid() == 0 { ++ fd, err := syscall.Open(file, syscall.O_RDONLY, 0) ++ require.NoError(t, err) ++ defer syscall.Close(fd) ++ ++ var flags uint ++ _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(FS_IOC_SETFLAGS), uintptr(unsafe.Pointer(&flags))) ++ require.Zero(t, errno) ++ ++ flags |= FS_IMMUTABLE_FL ++ _, _, errno = syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(FS_IOC_SETFLAGS), uintptr(unsafe.Pointer(&flags))) ++ require.Zero(t, errno) ++ } else { ++ require.NoError(t, os.Chmod(file, 0000)) ++ } ++} ++ ++func makeFileWriteable(t *testing.T, file string) { ++ t.Helper() ++ ++ if os.Geteuid() == 0 { ++ fd, err := syscall.Open(file, syscall.O_RDONLY, 0) ++ require.NoError(t, err) ++ defer syscall.Close(fd) ++ ++ var flags uint ++ _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(FS_IOC_SETFLAGS), uintptr(unsafe.Pointer(&flags))) ++ require.Zero(t, errno) ++ ++ flags &^= FS_IMMUTABLE_FL ++ _, _, errno = syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), uintptr(FS_IOC_SETFLAGS), uintptr(unsafe.Pointer(&flags))) ++ require.Zero(t, errno) ++ } + } + + func mockMigration(doFunc func(config *ghConfig.Config) error) *ghmock.MigrationMock { +-- +2.34.1 + diff --git a/SPECS/gh/generate_source_tarball.sh b/SPECS/gh/generate_source_tarball.sh new file mode 100755 index 00000000000..cc04d4b5189 --- /dev/null +++ b/SPECS/gh/generate_source_tarball.sh @@ -0,0 +1,168 @@ +#!/bin/bash +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# +# This script downloads the source tarball and uses it to generate the +# vendor tarball for the gh package. It also updates the package's +# signatures.json file for both tarballs, although it doesn't account for +# version changes. +# +# Notes: +# - You require GNU tar version 1.28+. +# - The additional options passed to tar enable generation of a tarball +# with the same hash every time regardless of the environment. See: +# https://reproducible-builds.org/docs/archives/ +# - For the value of "--mtime" we use the date "2021-04-26 00:00Z" to +# simplify future updates. +set -eu + +# get_spec_value extracts the parsed value of a tag from a spec file. +# - spec: The path to the spec file. +# - tag: The tag whose value is extracted. +# The extracted value is returned via stdout. +get_spec_value() { + local spec="$1" + local tag="$2" + local tmp=$(mktemp) + rpmspec -P "$spec" > "$tmp" + grep -E "^${tag}:" "$tmp" | sed -E "s/^$tag:\s*//" + rm "$tmp" +} + +# set_signature_value adds or updates the value of a signature in the +# signatures.json file. +# - signatures_json: The path to the signatures.json file. +# - path: The path to the file whose signature is updated. +set_signature_value() { + local signatures_json="$1" + local path="$2" + local name=$(basename "$path") + local sum=$(sha256sum "$path" | cut -d' ' -f1) + signatures_tmp=$(mktemp) + jq --indent 1 ".Signatures.\"$name\" = \"$sum\"" "$signatures_json" > "$signatures_tmp" + mv "$signatures_tmp" "$signatures_json" +} + +exit_usage() { + echo "Usage: $0 [flags]" + echo "" + echo "Flags:" + echo " --srcTarball src tarball file. If not provided, it will be downloaded according to the spec file." + echo " --outFolder folder where to copy the new tarball(s). If not provided, the tarballs will be copied to the same folder as the script." + echo " --pkgVersion package version. If not provided, it will be extracted from the spec file." + echo " --setSignature set the signature of the tarball(s) in the signatures.json file." + exit 2 +} + +arg_out_folder="" +arg_src_tarball="" +arg_pkg_version="" +arg_set_signatures=0 +while [[ $# -gt 0 ]]; do + case $1 in + -h|--help) + exit_usage + ;; + --outFolder) + # Convert to absolute path + arg_out_folder=$(readlink -f "$2") + shift + ;; + --srcTarball) + arg_src_tarball="$2" + shift + ;; + --pkgVersion) + arg_pkg_version="$2" + shift + ;; + --setSignature) + arg_set_signatures=1 + ;; + -*) + echo "Error: Unknown option: $1" + exit_usage + ;; + *) + echo "Error: Unknown argument: $1" + exit_usage + ;; + esac + + shift +done + +script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) + +out_folder="$arg_out_folder" +if [[ -z "$out_folder" ]]; then + out_folder="$script_dir" +elif [[ ! -d "$out_folder" ]]; then + echo "Error: The output folder does not exist." + exit 1 +fi + +spec_file=$(ls "$script_dir"/*.spec) + +src_tarball="$arg_src_tarball" +if [[ -z "$src_tarball" ]]; then + src_url=$(get_spec_value "$spec_file" "Source0") + if [[ -z "$src_url" ]]; then + echo "Error: Unable to determine the source0 URL from the spec file." + exit 1 + fi + + src_tarball_name=$(echo "$src_url" | grep -oP '(?<=#/)[^/]+') + if [[ -z "$src_tarball_name" ]]; then + echo "Error: Unable to determine the source0 tarball name from the source URL." + exit 1 + fi + + src_tarball="$script_dir/$src_tarball_name" + if [[ ! -f "$src_tarball" ]]; then + wget -O "$src_tarball" "$src_url" + fi +elif [[ ! -f "$src_tarball" ]]; then + echo "Error: The source tarball file does not exist." + exit 1 +fi + +pkg_name=$(get_spec_value "$spec_file" "Name") +if [[ -z "$pkg_name" ]]; then + echo "Error: Unable to determine the package name from the spec file." + exit 1 +fi + +pkg_version="$arg_pkg_version" +if [[ -z "$pkg_version" ]]; then + pkg_version=$(get_spec_value "$spec_file" "Version") + if [[ -z "$pkg_version" ]]; then + echo "Error: Unable to determine the package version from the spec file." + exit 1 + fi +fi + +# Extract the source tarball and generate the vendor tarball. +source_dir=$(mktemp -d) +trap "rm -rf '$source_dir'" EXIT +tar -C "$source_dir" -xf "$src_tarball" +cd "$source_dir"/* +go mod vendor +vendor_tarball="$out_folder/$pkg_name-$pkg_version-vendor.tar.gz" +tar --sort=name \ + --mtime="2021-04-26 00:00Z" \ + --owner=0 \ + --group=0 \ + --numeric-owner \ + --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ + -c \ + -f "$vendor_tarball" \ + vendor + +if [[ $arg_set_signatures -eq 1 ]]; then + signatures_file=$(ls "$script_dir"/*.signatures.json) + set_signature_value "$signatures_file" "$src_tarball" + set_signature_value "$signatures_file" "$vendor_tarball" +fi + +echo "Vendor tarball generated: $vendor_tarball" diff --git a/SPECS/gh/gh.signatures.json b/SPECS/gh/gh.signatures.json index 4ed8112994e..b5ec83df14b 100644 --- a/SPECS/gh/gh.signatures.json +++ b/SPECS/gh/gh.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "cli-2.43.1.tar.gz": "1ea3f451fb7002c1fb95a7fab21e9ab16591058492628fe264c5878e79ec7c90", - "gh-2.43.1-vendor.tar.gz": "27791885c92900deae2baec254ada1d64d4dfabcfece5886a214f3279eb119f0" + "gh-2.62.0.tar.gz": "8b0d44a7fccd0c768d5ef7c3fbd274851b5752084e47761f146852de6539193e", + "gh-2.62.0-vendor.tar.gz": "2b39f75a9a45aa5e7b8d95e6b5fd7a11a7504e6cd7c92e904027f129abe48599" } } diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index a58348b95fd..a427d4ed703 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -1,33 +1,20 @@ Summary: GitHub official command line tool Name: gh -Version: 2.43.1 -Release: 2%{?dist} +Version: 2.62.0 +Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/Tools URL: https://github.com/cli/cli -Source0: https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz#/cli-%{version}.tar.gz -# Below is a manually created tarball, no download link. +Source0: https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz + +# Below is a manually created tarball, no download link. It is generated by running ./generate_source_tarball.sh. # We're using pre-populated Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz -O cli-%%{version}.tar.gz -# 2. tar -xf cli-%%{version}.tar.gz -# 3. cd cli-%%{version} -# 4. go mod vendor -# 5. tar --sort=name \ -# --mtime="2021-04-26 00:00Z" \ -# --owner=0 --group=0 --numeric-owner \ -# --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ -# -cf %%{name}-%%{version}-vendor.tar.gz vendor -# -# NOTES: -# - You require GNU tar version 1.28+. -# - The additional options enable generation of a tarball with the same hash every time regardless of the environment. -# See: https://reproducible-builds.org/docs/archives/ -# - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: %{name}-%{version}-vendor.tar.gz +Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch + BuildRequires: golang < 1.23 BuildRequires: git Requires: git @@ -70,6 +57,9 @@ make test %{_datadir}/zsh/site-functions/_gh %changelog +* Mon Nov 18 2024 Vince Perri - 2.62.0-1 +- Update to v2.62.0 + * Tue Oct 15 2024 Muhammad Falak - 2.43.1-2 - Pin golang version to <= 1.22 diff --git a/cgmanifest.json b/cgmanifest.json index 66a68e721c3..ca4564d91ed 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -4270,8 +4270,8 @@ "type": "other", "other": { "name": "gh", - "version": "2.43.1", - "downloadUrl": "https://github.com/cli/cli/archive/refs/tags/v2.43.1.tar.gz" + "version": "2.62.0", + "downloadUrl": "https://github.com/cli/cli/archive/refs/tags/v2.62.0.tar.gz" } } }, From db38c4e655c59fb70273cbc243e4d908a49368e2 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:26:56 -0800 Subject: [PATCH 11/55] [AUTO-CHERRYPICK] Fix CVE-2024-52338 in ceph and libarrow for 3.0 - branch 3.0-dev (#11374) Co-authored-by: bhagyapathak --- SPECS/ceph/CVE-2024-52338.patch | 131 +++++++++++++++++++++++++ SPECS/ceph/ceph.spec | 7 +- SPECS/libarrow/CVE-2024-52338.patch | 145 ++++++++++++++++++++++++++++ SPECS/libarrow/libarrow.spec | 6 +- 4 files changed, 286 insertions(+), 3 deletions(-) create mode 100644 SPECS/ceph/CVE-2024-52338.patch create mode 100644 SPECS/libarrow/CVE-2024-52338.patch diff --git a/SPECS/ceph/CVE-2024-52338.patch b/SPECS/ceph/CVE-2024-52338.patch new file mode 100644 index 00000000000..42f7cc85b47 --- /dev/null +++ b/SPECS/ceph/CVE-2024-52338.patch @@ -0,0 +1,131 @@ +diff --git a/src/arrow/r/R/metadata.R b/src/arrow/r/R/metadata.R +index 768abeda7..82d54f7ce 100644 +--- a/src/arrow/r/R/metadata.R ++++ b/src/arrow/r/R/metadata.R +@@ -22,7 +22,7 @@ + # drop problems attributes (most likely from readr) + x[["attributes"]][["problems"]] <- NULL + +- out <- serialize(x, NULL, ascii = TRUE) ++ out <- serialize(safe_r_metadata(x, on_save = TRUE), NULL, ascii = TRUE) + + # if the metadata is over 100 kB, compress + if (option_compress_metadata() && object.size(out) > 100000) { +@@ -35,22 +35,104 @@ + rawToChar(out) + } + +-.unserialize_arrow_r_metadata <- function(x) { +- tryCatch( +- expr = { +- out <- unserialize(charToRaw(x)) ++.deserialize_arrow_r_metadata <- function(x) { ++ tryCatch(unserialize_r_metadata(x), ++ error = function(e) { ++ if (getOption("arrow.debug", FALSE)) { ++ print(conditionMessage(e)) ++ } ++ warning("Invalid metadata$r", call. = FALSE) ++ NULL ++ } ++ ) ++} + +- # if this is still raw, try decompressing +- if (is.raw(out)) { +- out <- unserialize(memDecompress(out, type = "gzip")) ++unserialize_r_metadata <- function(x) { ++ # Check that this is ASCII serialized data (as in, what we wrote) ++ if (!identical(substr(unclass(x), 1, 1), "A")) { ++ stop("Invalid serialized data") ++ } ++ out <- safe_unserialize(charToRaw(x)) ++ # If it's still raw, decompress and unserialize again ++ if (is.raw(out)) { ++ decompressed <- memDecompress(out, type = "gzip") ++ if (!identical(rawToChar(decompressed[1]), "A")) { ++ stop("Invalid serialized compressed data") ++ } ++ out <- safe_unserialize(decompressed) ++ } ++ if (!is.list(out)) { ++ stop("Invalid serialized data: must be a list") ++ } ++ safe_r_metadata(out) ++} ++safe_unserialize <- function(x) { ++ # By capturing the data in a list, we can inspect it for promises without ++ # triggering their evaluation. ++ out <- list(unserialize(x)) ++ if (typeof(out[[1]]) == "promise") { ++ stop("Serialized data contains a promise object") ++ } ++ out[[1]] ++} ++safe_r_metadata <- function(metadata, on_save = FALSE) { ++ # This function recurses through the metadata list and checks that all ++ # elements are of types that are allowed in R metadata. ++ # If it finds an element that is not allowed, it removes it. ++ # ++ # This function is used both when saving and loading metadata. ++ # @param on_save: If TRUE, the function will not warn if it removes elements: ++ # we're just cleaning up the metadata for saving. If FALSE, it means we're ++ # loading the metadata, and we'll warn if we find invalid elements. ++ # ++ # When loading metadata, you can optionally keep the invalid elements by ++ # setting `options(arrow.unsafe_metadata = TRUE)`. It will still check ++ # for invalid elements and warn if any are found, though. ++ # This variable will be used to store the types of elements that were removed, ++ # if any, so we can give an informative warning if needed. ++ types_removed <- c() ++ # Internal function that we'll recursively apply, ++ # and mutate the `types_removed` variable outside of it. ++ check_r_metadata_types_recursive <- function(x) { ++ allowed_types <- c("character", "double", "integer", "logical", "complex", "list", "NULL") ++ if (is.list(x)) { ++ types <- map_chr(x, typeof) ++ x[types == "list"] <- map(x[types == "list"], check_r_metadata_types_recursive) ++ ok <- types %in% allowed_types ++ if (!all(ok)) { ++ # Record the invalid types, then remove the offending elements ++ types_removed <<- c(types_removed, setdiff(types, allowed_types)) ++ x <- x[ok] + } +- out +- }, +- error = function(e) { +- warning("Invalid metadata$r", call. = FALSE) +- NULL + } +- ) ++ x ++ } ++ new <- check_r_metadata_types_recursive(metadata) ++ # On save: don't warn, just save the filtered metadata ++ if (on_save) { ++ return(new) ++ } ++ # On load: warn if any elements were removed ++ if (length(types_removed)) { ++ types_msg <- paste("Type:", oxford_paste(unique(types_removed))) ++ if (getOption("arrow.unsafe_metadata", FALSE)) { ++ # We've opted-in to unsafe metadata, so warn but return the original metadata ++ rlang::warn( ++ "R metadata may have unsafe or invalid elements", ++ body = c("i" = types_msg) ++ ) ++ new <- metadata ++ } else { ++ rlang::warn( ++ "Potentially unsafe or invalid elements have been discarded from R metadata.", ++ body = c( ++ "i" = types_msg, ++ ">" = "If you trust the source, you can set `options(arrow.unsafe_metadata = TRUE)` to preserve them." ++ ) ++ ) ++ } ++ } ++ new + } + + #' @importFrom rlang trace_back diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec index 69597db52d1..06d7c026466 100644 --- a/SPECS/ceph/ceph.spec +++ b/SPECS/ceph/ceph.spec @@ -5,7 +5,7 @@ Summary: User space components of the Ceph file system Name: ceph Version: 18.2.2 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0 URL: https://ceph.io/ Vendor: Microsoft Corporation @@ -13,7 +13,7 @@ Distribution: Azure Linux Source0: https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz Patch0: 0034-src-pybind-rbd-rbd.pyx.patch Patch1: 0032-cmake-modules-BuildBoost.cmake.patch - +Patch2: CVE-2024-52338.patch # # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file # at the top-level directory of this distribution and at @@ -2000,6 +2000,9 @@ exit 0 %changelog +* Wed Dec 4 2024 Bhagyashri Pathak - 18.2.2-2 +- Fix for CVE-2024-52338 + * Thu May 23 2024 CBL-Mariner Servicing Account - 18.2.2-1 - Auto-upgrade to 18.2.2 - CVE patches diff --git a/SPECS/libarrow/CVE-2024-52338.patch b/SPECS/libarrow/CVE-2024-52338.patch new file mode 100644 index 00000000000..3ed94d3550d --- /dev/null +++ b/SPECS/libarrow/CVE-2024-52338.patch @@ -0,0 +1,145 @@ +diff --git a/r/R/extension.R b/r/R/extension.R +index 59a0212..3529144 100644 +--- a/r/R/extension.R ++++ b/r/R/extension.R +@@ -429,7 +429,7 @@ VctrsExtensionType <- R6Class("VctrsExtensionType", + paste0(capture.output(print(self$ptype())), collapse = "\n") + }, + deserialize_instance = function() { +- private$.ptype <- unserialize(self$extension_metadata()) ++ private$.ptype <- safe_r_metadata(safe_unserialize(self$extension_metadata())) + }, + ExtensionEquals = function(other) { + inherits(other, "VctrsExtensionType") && identical(self$ptype(), other$ptype()) +diff --git a/r/R/metadata.R b/r/R/metadata.R +index 3ae2db4..28eecf4 100644 +--- a/r/R/metadata.R ++++ b/r/R/metadata.R +@@ -30,7 +30,7 @@ + } + } + +- out <- serialize(x, NULL, ascii = TRUE) ++ out <- serialize(safe_r_metadata(x, on_save = TRUE), NULL, ascii = TRUE) + + # if the metadata is over 100 kB, compress + if (option_compress_metadata() && object.size(out) > 100000) { +@@ -44,23 +44,106 @@ + } + + .deserialize_arrow_r_metadata <- function(x) { +- tryCatch( +- expr = { +- out <- unserialize(charToRaw(x)) ++ tryCatch(unserialize_r_metadata(x), ++ error = function(e) { ++ if (getOption("arrow.debug", FALSE)) { ++ print(conditionMessage(e)) ++ } ++ warning("Invalid metadata$r", call. = FALSE) ++ NULL ++ } ++ ) ++} + +- # if this is still raw, try decompressing +- if (is.raw(out)) { +- out <- unserialize(memDecompress(out, type = "gzip")) ++unserialize_r_metadata <- function(x) { ++ # Check that this is ASCII serialized data (as in, what we wrote) ++ if (!identical(substr(unclass(x), 1, 1), "A")) { ++ stop("Invalid serialized data") ++ } ++ out <- safe_unserialize(charToRaw(x)) ++ # If it's still raw, decompress and unserialize again ++ if (is.raw(out)) { ++ decompressed <- memDecompress(out, type = "gzip") ++ if (!identical(rawToChar(decompressed[1]), "A")) { ++ stop("Invalid serialized compressed data") ++ } ++ out <- safe_unserialize(decompressed) ++ } ++ if (!is.list(out)) { ++ stop("Invalid serialized data: must be a list") ++ } ++ safe_r_metadata(out) ++} ++safe_unserialize <- function(x) { ++ # By capturing the data in a list, we can inspect it for promises without ++ # triggering their evaluation. ++ out <- list(unserialize(x)) ++ if (typeof(out[[1]]) == "promise") { ++ stop("Serialized data contains a promise object") ++ } ++ out[[1]] ++} ++safe_r_metadata <- function(metadata, on_save = FALSE) { ++ # This function recurses through the metadata list and checks that all ++ # elements are of types that are allowed in R metadata. ++ # If it finds an element that is not allowed, it removes it. ++ # ++ # This function is used both when saving and loading metadata. ++ # @param on_save: If TRUE, the function will not warn if it removes elements: ++ # we're just cleaning up the metadata for saving. If FALSE, it means we're ++ # loading the metadata, and we'll warn if we find invalid elements. ++ # ++ # When loading metadata, you can optionally keep the invalid elements by ++ # setting `options(arrow.unsafe_metadata = TRUE)`. It will still check ++ # for invalid elements and warn if any are found, though. ++ # This variable will be used to store the types of elements that were removed, ++ # if any, so we can give an informative warning if needed. ++ types_removed <- c() ++ # Internal function that we'll recursively apply, ++ # and mutate the `types_removed` variable outside of it. ++ check_r_metadata_types_recursive <- function(x) { ++ allowed_types <- c("character", "double", "integer", "logical", "complex", "list", "NULL") ++ if (is.list(x)) { ++ types <- map_chr(x, typeof) ++ x[types == "list"] <- map(x[types == "list"], check_r_metadata_types_recursive) ++ ok <- types %in% allowed_types ++ if (!all(ok)) { ++ # Record the invalid types, then remove the offending elements ++ types_removed <<- c(types_removed, setdiff(types, allowed_types)) ++ x <- x[ok] + } +- out +- }, +- error = function(e) { +- warning("Invalid metadata$r", call. = FALSE) +- NULL + } +- ) ++ x ++ } ++ new <- check_r_metadata_types_recursive(metadata) ++ # On save: don't warn, just save the filtered metadata ++ if (on_save) { ++ return(new) ++ } ++ # On load: warn if any elements were removed ++ if (length(types_removed)) { ++ types_msg <- paste("Type:", oxford_paste(unique(types_removed))) ++ if (getOption("arrow.unsafe_metadata", FALSE)) { ++ # We've opted-in to unsafe metadata, so warn but return the original metadata ++ rlang::warn( ++ "R metadata may have unsafe or invalid elements", ++ body = c("i" = types_msg) ++ ) ++ new <- metadata ++ } else { ++ rlang::warn( ++ "Potentially unsafe or invalid elements have been discarded from R metadata.", ++ body = c( ++ "i" = types_msg, ++ ">" = "If you trust the source, you can set `options(arrow.unsafe_metadata = TRUE)` to preserve them." ++ ) ++ ) ++ } ++ } ++ new + } + ++ + #' @importFrom rlang trace_back + apply_arrow_r_metadata <- function(x, r_metadata) { + if (is.null(r_metadata)) { diff --git a/SPECS/libarrow/libarrow.spec b/SPECS/libarrow/libarrow.spec index 82ddf659733..915f7e5244a 100644 --- a/SPECS/libarrow/libarrow.spec +++ b/SPECS/libarrow/libarrow.spec @@ -13,7 +13,7 @@ Name: libarrow Version: 15.0.0 -Release: 6%{?dist} +Release: 7%{?dist} Summary: A toolbox for accelerated data interchange and in-memory processing License: Apache-2.0 URL: https://arrow.apache.org/ @@ -23,6 +23,7 @@ Vendor: Microsoft Corporation Distribution: Azure Linux Source0: https://github.com/apache/arrow/archive/refs/tags/apache-arrow-%{version}.tar.gz#/libarrow-%{version}.tar.gz Patch0001: 0001-python-pyproject.toml.patch +Patch0002: CVE-2024-52338.patch # Apache ORC (liborc) has numerous compile errors and apparently assumes # a 64-bit build and runtime environment. This is only consumer of the liborc @@ -246,6 +247,9 @@ popd %{_libdir}/pkgconfig/parquet*.pc %changelog +* Wed Dec 4 2024 Bhagyashri Pathak - 15.0.0-7 +- Patch to fix CVE-2024-52338 + * Thu Jul 25 2024 Devin Anderson - 15.0.0-6 - Bump release to rebuild with latest 'abseil-cpp'. - Fix 'rpm' warning about macro expansion inside a comment. From 3e4aa13c839b0f819ec32aa94866d04ed00683f4 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:27:26 -0800 Subject: [PATCH 12/55] [AUTO-CHERRYPICK] moby-engine: Fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623 for 3.0 - branch 3.0-dev (#11375) Co-authored-by: Adit Jha <111916775+aditjha-msft@users.noreply.github.com> --- SPECS/moby-engine/CVE-2024-36620.patch | 33 +++++++++++ SPECS/moby-engine/CVE-2024-36621.patch | 76 ++++++++++++++++++++++++++ SPECS/moby-engine/CVE-2024-36623.patch | 45 +++++++++++++++ SPECS/moby-engine/moby-engine.spec | 8 ++- 4 files changed, 161 insertions(+), 1 deletion(-) create mode 100644 SPECS/moby-engine/CVE-2024-36620.patch create mode 100644 SPECS/moby-engine/CVE-2024-36621.patch create mode 100644 SPECS/moby-engine/CVE-2024-36623.patch diff --git a/SPECS/moby-engine/CVE-2024-36620.patch b/SPECS/moby-engine/CVE-2024-36620.patch new file mode 100644 index 00000000000..2f2ca221177 --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-36620.patch @@ -0,0 +1,33 @@ +From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001 +From: Christopher Petito <47751006+krissetto@users.noreply.github.com> +Date: Fri, 19 Apr 2024 10:44:30 +0000 +Subject: [PATCH] nil dereference fix on image history Created value + +Issue was caused by the changes here https://github.com/moby/moby/pull/45504 +First released in v25.0.0-beta.1 + +Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com> +--- + daemon/images/image_history.go | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go +index 1617f8be62906..f621ceae13bc6 100644 +--- a/daemon/images/image_history.go ++++ b/daemon/images/image_history.go +@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image. + layerCounter++ + } + ++ var created int64 ++ if h.Created != nil { ++ created = h.Created.Unix() ++ } ++ + history = append([]*image.HistoryResponseItem{{ + ID: "", +- Created: h.Created.Unix(), ++ Created: created, + CreatedBy: h.CreatedBy, + Comment: h.Comment, + Size: layerSize, diff --git a/SPECS/moby-engine/CVE-2024-36621.patch b/SPECS/moby-engine/CVE-2024-36621.patch new file mode 100644 index 00000000000..2f9fe886fdc --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-36621.patch @@ -0,0 +1,76 @@ +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Wed, 6 Mar 2024 23:11:32 -0800 +Subject: [PATCH] builder-next: fix missing lock in ensurelayer + +When this was called concurrently from the moby image +exporter there could be a data race where a layer was +written to the refs map when it was already there. + +In that case the reference count got mixed up and on +release only one of these layers was actually released. + +Signed-off-by: Tonis Tiigi +--- + .../builder-next/adapters/snapshot/layer.go | 3 +++ + .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go +index 73120ea70b2ee..fc83058339c7b 100644 +--- a/builder/builder-next/adapters/snapshot/layer.go ++++ b/builder/builder-next/adapters/snapshot/layer.go +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI + } + + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { ++ s.layerCreateLocker.Lock(key) ++ defer s.layerCreateLocker.Unlock(key) ++ + diffIDs, err := s.GetDiffIDs(ctx, key) + if err != nil { + return nil, err +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go +index a0d28ad984ba4..510ffefb49406 100644 +--- a/builder/builder-next/adapters/snapshot/snapshot.go ++++ b/builder/builder-next/adapters/snapshot/snapshot.go +@@ -17,6 +17,7 @@ import ( + "github.com/moby/buildkit/identity" + "github.com/moby/buildkit/snapshot" + "github.com/moby/buildkit/util/leaseutil" ++ "github.com/moby/locker" + "github.com/opencontainers/go-digest" + "github.com/pkg/errors" + bolt "go.etcd.io/bbolt" +@@ -51,10 +52,11 @@ type checksumCalculator interface { + type snapshotter struct { + opt Opt + +- refs map[string]layer.Layer +- db *bolt.DB +- mu sync.Mutex +- reg graphIDRegistrar ++ refs map[string]layer.Layer ++ db *bolt.DB ++ mu sync.Mutex ++ reg graphIDRegistrar ++ layerCreateLocker *locker.Locker + } + + // NewSnapshotter creates a new snapshotter +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho + } + + s := &snapshotter{ +- opt: opt, +- db: db, +- refs: map[string]layer.Layer{}, +- reg: reg, ++ opt: opt, ++ db: db, ++ refs: map[string]layer.Layer{}, ++ reg: reg, ++ layerCreateLocker: locker.New(), + } + + slm := newLeaseManager(s, prevLM) diff --git a/SPECS/moby-engine/CVE-2024-36623.patch b/SPECS/moby-engine/CVE-2024-36623.patch new file mode 100644 index 00000000000..6018f33abc2 --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-36623.patch @@ -0,0 +1,45 @@ +From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= +Date: Thu, 22 Feb 2024 18:01:40 +0100 +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sync access to the underlying `io.Writer` with a mutex. + +Signed-off-by: Paweł Gronowski +--- + pkg/streamformatter/streamformatter.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580dc9d..098df6b5236b9 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index dc57d983520..789167f9e9c 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 7%{?dist} +Release: 8%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -19,6 +19,9 @@ Patch1: enable-docker-proxy-libexec-search.patch Patch2: CVE-2024-41110.patch Patch3: CVE-2024-29018.patch Patch4: CVE-2024-24786.patch +Patch5: CVE-2024-36621.patch +Patch6: CVE-2024-36620.patch +Patch7: CVE-2024-36623.patch %{?systemd_requires} @@ -114,6 +117,9 @@ fi %{_unitdir}/* %changelog +* Wed Dec 04 2024 Adit Jha - 25.0.3-8 +- Fix CVE-2024-36620, CVE-2024-36621, and CVE-2024-36623 with patches + * Mon Nov 25 2024 Bala - 25.0.3-7 - Fix CVE-2024-24786 by patching From c7d5e2613b709c124dab36c3b13ba23d9b5823da Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:28:19 -0800 Subject: [PATCH 13/55] [AUTO-CHERRYPICK] Patch avahi for multiple CVEs - branch 3.0-dev (#11376) Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> --- SPECS/avahi/CVE-2023-38469.patch | 43 +++++++++++++ SPECS/avahi/CVE-2023-38470.patch | 51 ++++++++++++++++ SPECS/avahi/CVE-2023-38471.patch | 63 +++++++++++++++++++ SPECS/avahi/CVE-2023-38472.patch | 40 ++++++++++++ SPECS/avahi/CVE-2023-38473.patch | 101 +++++++++++++++++++++++++++++++ SPECS/avahi/avahi.spec | 14 ++++- 6 files changed, 311 insertions(+), 1 deletion(-) create mode 100644 SPECS/avahi/CVE-2023-38469.patch create mode 100644 SPECS/avahi/CVE-2023-38470.patch create mode 100644 SPECS/avahi/CVE-2023-38471.patch create mode 100644 SPECS/avahi/CVE-2023-38472.patch create mode 100644 SPECS/avahi/CVE-2023-38473.patch diff --git a/SPECS/avahi/CVE-2023-38469.patch b/SPECS/avahi/CVE-2023-38469.patch new file mode 100644 index 00000000000..58583f58428 --- /dev/null +++ b/SPECS/avahi/CVE-2023-38469.patch @@ -0,0 +1,43 @@ +From c89fd5f2e85052f1f8b74ddeff38235932236889 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Wed, 27 Nov 2024 08:48:59 +0000 +Subject: [PATCH] Fix CVE patch + +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 7fa0bee..b03a24c 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include + #include + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) { + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } +-- +2.45.2 + diff --git a/SPECS/avahi/CVE-2023-38470.patch b/SPECS/avahi/CVE-2023-38470.patch new file mode 100644 index 00000000000..e3ab0783944 --- /dev/null +++ b/SPECS/avahi/CVE-2023-38470.patch @@ -0,0 +1,51 @@ +From cc5f44eb015384d8c764646c48b9da80f811446c Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Mon, 2 Dec 2024 10:25:43 +0000 +Subject: [PATCH] Fix CVE-2023-38470 + +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c +index cf763ec..3acc1c1 100644 +--- a/avahi-common/domain-test.c ++++ b/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +diff --git a/avahi-common/domain.c b/avahi-common/domain.c +index 3b1ab68..e66d241 100644 +--- a/avahi-common/domain.c ++++ b/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; +-- +2.45.2 + diff --git a/SPECS/avahi/CVE-2023-38471.patch b/SPECS/avahi/CVE-2023-38471.patch new file mode 100644 index 00000000000..00c414826e8 --- /dev/null +++ b/SPECS/avahi/CVE-2023-38471.patch @@ -0,0 +1,63 @@ +From 48467feda7135e3fa2392294387601f88a06f001 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Mon, 2 Dec 2024 10:49:17 +0000 +Subject: [PATCH] Fix CVE-2023-38471 patch + +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index e507750..40f1d68 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); ++ ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); + +-- +2.45.2 + diff --git a/SPECS/avahi/CVE-2023-38472.patch b/SPECS/avahi/CVE-2023-38472.patch new file mode 100644 index 00000000000..741168dbab0 --- /dev/null +++ b/SPECS/avahi/CVE-2023-38472.patch @@ -0,0 +1,40 @@ +From 2cc17a0febc2c1f70db147d9d56861f3520bacad Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Mon, 2 Dec 2024 04:44:07 +0000 +Subject: [PATCH] Fix CVE patch + +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c +index 7d04a6a..57750a4 100644 +--- a/avahi-client/client-test.c ++++ b/avahi-client/client-test.c +@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c +index 4e879a5..aa23d4b 100644 +--- a/avahi-daemon/dbus-entry-group.c ++++ b/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } +-- +2.45.2 + diff --git a/SPECS/avahi/CVE-2023-38473.patch b/SPECS/avahi/CVE-2023-38473.patch new file mode 100644 index 00000000000..a59479fb686 --- /dev/null +++ b/SPECS/avahi/CVE-2023-38473.patch @@ -0,0 +1,101 @@ +From e6348a0e1f1f42547dce80135afea806125654cc Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Mon, 2 Dec 2024 09:20:54 +0000 +Subject: [PATCH] Fix CVE-2023-38473 + +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435..681fc15 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0..a094e6d 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; +-- +2.45.2 + diff --git a/SPECS/avahi/avahi.spec b/SPECS/avahi/avahi.spec index 0275002caf9..cbfcc8696e4 100644 --- a/SPECS/avahi/avahi.spec +++ b/SPECS/avahi/avahi.spec @@ -3,7 +3,7 @@ Summary: Local network service discovery Name: avahi Version: 0.8 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,11 @@ Patch0: %{name}-libevent-pc-fix.patch Patch1: CVE-2021-3468.patch Patch2: CVE-2021-3502.patch Patch3: CVE-2023-1981.patch +Patch4: CVE-2023-38469.patch +Patch5: CVE-2023-38472.patch +Patch6: CVE-2023-38473.patch +Patch7: CVE-2023-38470.patch +Patch8: CVE-2023-38471.patch BuildRequires: automake BuildRequires: dbus-devel >= 0.90 BuildRequires: dbus-glib-devel >= 0.70 @@ -420,6 +425,13 @@ exit 0 %endif %changelog +* Mon Dec 02 2024 Kanishk Bansal - 0.8-4 +- Fix CVE-2023-38471 with an upstream patch +- Fix CVE-2023-38470 with an upstream patch +- Fix CVE-2023-38473 with an upstream patch +- Fix CVE-2023-38472 with an upstream patch +- Fix CVE-2023-38469 with an upstream patch + * Tue Oct 29 2024 Daniel McIlvaney - 0.8-3 - Fix CVE-2023-1981 with an upstream patch, enable basic check section From c47a4dc53ea51eb804882fcfecbf46af22862ff7 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:29:07 -0800 Subject: [PATCH 14/55] [AUTO-CHERRYPICK] ruby: update to 3.3.5 to resolve CVE-2024-39908 and CVE-2024-49761 - branch 3.0-dev (#11413) Co-authored-by: Saul Paredes <30801614+Redent0r@users.noreply.github.com> --- ...-another-race-condition-of-open-mode.patch | 45 +++++++ SPECS/ruby/CVE-2024-41946.patch | 111 ------------------ SPECS/ruby/CVE-2024-49761.patch | 46 ++++++++ .../Remove-the-lock-file-for-binstubs.patch | 99 ++++++++++++++++ SPECS/ruby/ruby.signatures.json | 2 +- SPECS/ruby/ruby.spec | 41 ++++--- cgmanifest.json | 4 +- 7 files changed, 217 insertions(+), 131 deletions(-) create mode 100644 SPECS/ruby/Avoid-another-race-condition-of-open-mode.patch delete mode 100644 SPECS/ruby/CVE-2024-41946.patch create mode 100644 SPECS/ruby/CVE-2024-49761.patch create mode 100644 SPECS/ruby/Remove-the-lock-file-for-binstubs.patch diff --git a/SPECS/ruby/Avoid-another-race-condition-of-open-mode.patch b/SPECS/ruby/Avoid-another-race-condition-of-open-mode.patch new file mode 100644 index 00000000000..f8d52d1a9d1 --- /dev/null +++ b/SPECS/ruby/Avoid-another-race-condition-of-open-mode.patch @@ -0,0 +1,45 @@ +From 2daad257bee7a500e18ebe553e79487b267fb140 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Mon, 12 Aug 2024 20:18:34 +0900 +Subject: [PATCH] Avoid another race condition of open mode + +Instead, just open in CREATE and APPEND mode. +Also, move the workaround for old Solaris as fallback to retry. +--- + lib/rubygems.rb | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/lib/rubygems.rb b/lib/rubygems.rb +index 2b52cde0a749..c51ba69203cb 100644 +--- a/lib/rubygems.rb ++++ b/lib/rubygems.rb +@@ -798,24 +798,20 @@ def self.open_file(path, flags, &block) + File.open(path, flags, &block) + end + ++ MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT # :nodoc: ++ + ## + # Open a file with given flags, and protect access with flock + + def self.open_file_with_flock(path, &block) +- flags = File.exist?(path) ? "r+" : "a+" +- +- File.open(path, flags) do |io| ++ File.open(path, MODE_TO_FLOCK) do |io| + begin + io.flock(File::LOCK_EX) + rescue Errno::ENOSYS, Errno::ENOTSUP ++ rescue Errno::ENOLCK # NFS ++ raise unless Thread.main == Thread.current + end + yield io +- rescue Errno::ENOLCK # NFS +- if Thread.main != Thread.current +- raise +- else +- open_file(path, flags, &block) +- end + end + end + diff --git a/SPECS/ruby/CVE-2024-41946.patch b/SPECS/ruby/CVE-2024-41946.patch deleted file mode 100644 index 63e3c821d91..00000000000 --- a/SPECS/ruby/CVE-2024-41946.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 8f46a0155b5ff647fef8314b0b36491ea2d7de7b Mon Sep 17 00:00:00 2001 -From: Harshit Gupta -Date: Wed, 18 Sep 2024 09:34:21 -0700 -Subject: [PATCH] Patch for CVE-2024-41946 - -Based on upstream commit -https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 - ---- - lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++- - lib/rexml/parsers/pullparser.rb | 4 ++++ - lib/rexml/parsers/sax2parser.rb | 4 ++++ - 3 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb -index d09237c..61f6787 100644 ---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb -+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb -@@ -128,6 +128,7 @@ module REXML - def initialize( source ) - self.stream = source - @listeners = [] -+ @entity_expansion_count = 0 - end - - def add_listener( listener ) -@@ -135,6 +136,7 @@ module REXML - end - - attr_reader :source -+ attr_reader :entity_expansion_count - - def stream=( source ) - @source = SourceFactory.create_from( source ) -@@ -446,7 +448,9 @@ module REXML - def entity( reference, entities ) - value = nil - value = entities[ reference ] if entities -- if not value -+ if value -+ record_entity_expansion -+ else - value = DEFAULT_ENTITIES[ reference ] - value = value[2] if value - end -@@ -481,12 +485,17 @@ module REXML - } - matches.collect!{|x|x[0]}.compact! - if matches.size > 0 -+ sum = 0 - matches.each do |entity_reference| - unless filter and filter.include?(entity_reference) - entity_value = entity( entity_reference, entities ) - if entity_value - re = /&#{entity_reference};/ - rv.gsub!( re, entity_value ) -+ sum += rv.bytesize -+ if sum > Security.entity_expansion_text_limit -+ raise "entity expansion has grown too large" -+ end - else - er = DEFAULT_ENTITIES[entity_reference] - rv.gsub!( er[0], er[2] ) if er -@@ -499,6 +508,14 @@ module REXML - end - - private -+ -+ def record_entity_expansion -+ @entity_expansion_count += 1 -+ if @entity_expansion_count > Security.entity_expansion_limit -+ raise "number of entity expansions exceeded, processing aborted." -+ end -+ end -+ - def need_source_encoding_update?(xml_declaration_encoding) - return false if xml_declaration_encoding.nil? - return false if /\AUTF-16\z/i =~ xml_declaration_encoding -diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb -index f8b232a..36b4595 100644 ---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb -+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb -@@ -47,6 +47,10 @@ module REXML - @listeners << listener - end - -+ def entity_expansion_count -+ @parser.entity_expansion_count -+ end -+ - def each - while has_next? - yield self.pull -diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb -index 6a24ce2..01cb469 100644 ---- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb -+++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb -@@ -22,6 +22,10 @@ module REXML - @parser.source - end - -+ def entity_expansion_count -+ @parser.entity_expansion_count -+ end -+ - def add_listener( listener ) - @parser.add_listener( listener ) - end --- -2.34.1 - diff --git a/SPECS/ruby/CVE-2024-49761.patch b/SPECS/ruby/CVE-2024-49761.patch new file mode 100644 index 00000000000..c0c666e570a --- /dev/null +++ b/SPECS/ruby/CVE-2024-49761.patch @@ -0,0 +1,46 @@ +From 51474a44f41e1e26cac2168922034f675851855d Mon Sep 17 00:00:00 2001 +From: Saul Paredes +Date: Tue, 12 Nov 2024 12:30:10 -0800 +Subject: [PATCH] ruby: patch CVE-2024-49761 Patch adapted from + https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f + which fixes CVE-2024-49761 per + https://nvd.nist.gov/vuln/detail/CVE-2024-49761 + +Needed for rubygem-rexml versions < 3.3.9 + +Signed-off-by: Saul Paredes +--- + .../gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb +index d11c276..e9ab0ee 100644 +--- a/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.3.6/lib/rexml/parsers/baseparser.rb +@@ -150,7 +150,7 @@ module REXML + PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>" + ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um + CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/ +- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/ + DEFAULT_ENTITIES_PATTERNS = {} + default_entities = ['gt', 'lt', 'quot', 'apos', 'amp'] + default_entities.each do |term| +@@ -564,8 +564,12 @@ module REXML + return rv if matches.size == 0 + rv.gsub!( Private::CHARACTER_REFERENCES ) { + m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ if m.start_with?("x") ++ code_point = Integer(m[1..-1], 16) ++ else ++ code_point = Integer(m, 10) ++ end ++ [code_point].pack('U*') + } + matches.collect!{|x|x[0]}.compact! + if filter +-- +2.25.1 + diff --git a/SPECS/ruby/Remove-the-lock-file-for-binstubs.patch b/SPECS/ruby/Remove-the-lock-file-for-binstubs.patch new file mode 100644 index 00000000000..81b78251c0f --- /dev/null +++ b/SPECS/ruby/Remove-the-lock-file-for-binstubs.patch @@ -0,0 +1,99 @@ +From ace303c2d7bc0d98407e5e8b1ca77de07aa0eb75 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Tue, 13 Aug 2024 17:19:41 +0900 +Subject: [PATCH] Remove the lock file for binstubs + +https://github.com/rubygems/rubygems/pull/7806#issuecomment-2241662488 + +This patch is needed so other rubygems don't install unnecessary lock files per +https://src.fedoraproject.org/rpms/ruby/c/b7e197fb887200e4faaf8fae663a9df00bdc09d3?branch=rawhide + +--- + lib/rubygems.rb | 2 +- + lib/rubygems/installer.rb | 3 ++- + test/rubygems/test_gem_installer.rb | 10 ++++++++++ + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/rubygems.rb b/lib/rubygems.rb +index bd9f240e2091..7626ccfdf0d6 100644 +--- a/lib/rubygems.rb ++++ b/lib/rubygems.rb +@@ -794,7 +794,7 @@ def self.open_file(path, flags, &block) + File.open(path, flags, &block) + end + +- MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT # :nodoc: ++ MODE_TO_FLOCK = IO::RDONLY | IO::APPEND | IO::CREAT | IO::SHARE_DELETE | IO::BINARY # :nodoc: + + ## + # Open a file with given flags, and protect access with flock +diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb +index d558c0be2bfa..8f95bab733f8 100644 +--- a/lib/rubygems/installer.rb ++++ b/lib/rubygems/installer.rb +@@ -538,7 +538,7 @@ def generate_plugins # :nodoc: + def generate_bin_script(filename, bindir) + bin_script_path = File.join bindir, formatted_program_filename(filename) + +- Gem.open_file_with_flock("#{bin_script_path}.lock") do ++ Gem.open_file_with_flock("#{bin_script_path}.lock") do |lock| + require "fileutils" + FileUtils.rm_f bin_script_path # prior install may have been --no-wrappers + +@@ -546,6 +546,7 @@ def generate_bin_script(filename, bindir) + file.write app_script_text(filename) + file.chmod(options[:prog_mode] || 0o755) + end ++ File.unlink(lock.path) + end + + verbose bin_script_path +diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb +index a61d1b6fff28..2f4ff7349db4 100644 +--- a/test/rubygems/test_gem_installer.rb ++++ b/test/rubygems/test_gem_installer.rb +@@ -1083,6 +1083,8 @@ def test_install_creates_working_binstub + end + + assert_match(/ran executable/, e.message) ++ ++ assert_path_not_exist(File.join(installer.bin_dir, "executable.lock")) + end + + def test_conflicting_binstubs +@@ -1131,6 +1133,8 @@ def test_conflicting_binstubs + # We expect the bin stub to activate the version that actually contains + # the binstub. + assert_match("I have an executable", e.message) ++ ++ assert_path_not_exist(File.join(installer.bin_dir, "executable.lock")) + end + + def test_install_creates_binstub_that_understand_version +@@ -1160,6 +1164,8 @@ def test_install_creates_binstub_that_understand_version + end + + assert_includes(e.message, "can't find gem a (= 3.0)") ++ ++ assert_path_not_exist(File.join(installer.bin_dir, "executable.lock")) + end + + def test_install_creates_binstub_that_prefers_user_installed_gem_to_default +@@ -1192,6 +1198,8 @@ def test_install_creates_binstub_that_prefers_user_installed_gem_to_default + end + + assert_equal(e.message, "ran executable") ++ ++ assert_path_not_exist(File.join(installer.bin_dir, "executable.lock")) + end + + def test_install_creates_binstub_that_dont_trust_encoding +@@ -1222,6 +1230,8 @@ def test_install_creates_binstub_that_dont_trust_encoding + end + + assert_match(/ran executable/, e.message) ++ ++ assert_path_not_exist(File.join(installer.bin_dir, "executable.lock")) + end + + def test_install_with_no_prior_files diff --git a/SPECS/ruby/ruby.signatures.json b/SPECS/ruby/ruby.signatures.json index 9eb2f74004c..d996802d5e9 100644 --- a/SPECS/ruby/ruby.signatures.json +++ b/SPECS/ruby/ruby.signatures.json @@ -7,6 +7,6 @@ "rubygems.con": "eb804c6b50eeafdb2172285265bc487a80acaa9846233cd5f1d20a25f1dac2ea", "rubygems.prov": "b79c1f5873dd20d251e100b276a5e584c1fb677f3e1b92534fc09130fabe8ee5", "rubygems.req": "e85681d8fa45d214055f3b26a8c1829b3a4bd67b26a5ef3c1f6426e7eff83ad0", - "ruby-3.3.3.tar.gz": "83c05b2177ee9c335b631b29b8c077b4770166d02fa527f3a9f6a40d13f3cce2" + "ruby-3.3.5.tar.gz": "3781a3504222c2f26cb4b9eb9c1a12dbf4944d366ce24a9ff8cf99ecbce75196" } } diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 9a384802039..9e80cb45d13 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -4,17 +4,17 @@ %global gem_dir %{_datadir}/ruby/gems # Default package version defined separately, because the %%version macro gets overwritten by 'Version' tags of the subpackages. -%global ruby_version 3.3.3 +%global ruby_version 3.3.5 %define ruby_version_majmin %(echo %{ruby_version} | cut -d. -f1-2) -%global rubygems_version 3.5.3 +%global rubygems_version 3.5.22 # Add version for default gems from https://stdgems.org/ # A helpful one-liner script to check the current default versions is available via RUBY_VER=%%{ruby_version_majmin} ./get_gem_versions.sh %global abbrev_version 0.1.2 %global base64_version 0.2.0 %global benchmark_version 0.3.0 %global bigdecimal_version 3.1.5 -%global bundler_version 2.5.3 +%global bundler_version 2.5.22 %global cgi_version 0.4.1 %global csv_version 3.2.8 %global date_version 3.3.4 @@ -32,15 +32,14 @@ %global find_version 0.2.0 %global forwardable_version 1.3.3 %global getoptlong_version 0.2.1 -%global io_console_version 0.7.1 +%global io_console_version 0.7.2 %global io_nonblock_version 0.3.0 %global io_wait_version 0.3.1 %global ipaddr_version 1.2.6 -%global irb_version 1.11.0 -%global json_version 2.7.1 +%global irb_version 1.13.1 %global logger_version 1.6.0 %global mutex_m_version 0.2.0 -%global net_http_version 0.4.0 +%global net_http_version 0.4.1 %global net_protocol_version 0.2.2 %global nkf_version 0.1.3 %global observer_version 0.1.2 @@ -55,9 +54,9 @@ %global prettyprint_version 0.2.0 %global pstore_version 0.1.3 %global psych_version 5.1.2 -%global rdoc_version 6.6.2 +%global rdoc_version 6.6.3.1 %global readline_version 0.0.4 -%global reline_version 0.4.1 +%global reline_version 0.5.10 %global resolv_version 0.3.0 %global resolv_replace_version 0.1.1 %global rinda_version 0.2.0 @@ -66,21 +65,21 @@ %global set_version 1.1.0 %global shellwords_version 0.2.0 %global singleton_version 0.2.0 -%global stringio_version 3.1.0 -%global strscan_version 3.0.7 +%global stringio_version 3.1.1 +%global strscan_version 3.0.9 %global syslog_version 0.1.2 -%global syntax_suggest_version 2.0.0 +%global syntax_suggest_version 2.0.1 %global tempfile_version 0.2.1 %global time_version 0.3.0 %global timeout_version 0.4.1 %global tmpdir_version 0.2.0 %global tsort_version 0.2.0 %global un_version 0.3.0 -%global uri_version 0.13.0 +%global uri_version 0.13.1 %global weakref_version 0.1.3 %global win32ole_version 1.8.10 %global yaml_version 0.3.0 -%global zlib_version 3.1.0 +%global zlib_version 3.1.1 Summary: Ruby Name: ruby @@ -88,7 +87,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: %{ruby_version} -Release: 2%{?dist} +Release: 1%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -102,8 +101,11 @@ Source4: rubygems.con Source5: rubygems.prov Source6: rubygems.req Source7: macros.rubygems -Patch0: CVE-2024-41946.patch -# Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3 +Patch0: CVE-2024-49761.patch +# patches below taken from https://src.fedoraproject.org/rpms/ruby/c/b7e197fb887200e4faaf8fae663a9df00bdc09d3?branch=rawhide +# to remove the lock file for binstubs and avoid race condition +Patch1: Avoid-another-race-condition-of-open-mode.patch +Patch2: Remove-the-lock-file-for-binstubs.patch BuildRequires: openssl-devel # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem. BuildRequires: pkgconfig(yaml-0.1) @@ -408,6 +410,11 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Fri Nov 08 2024 Saul Paredes - 3.3.5-1 +- Upgrade ruby to 3.3.5 to resolve CVE-2024-39908 +- Remove CVE-2024-41946.patch as it no longer applies as ruby 3.3.5 containers rubygem-rexml 3.3.6, where CVE-2024-41946 is already fixed +- Patch CVE-2024-49761 + * Wed Sep 18 2024 Harshit Gupta - 3.3.3-2 - Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages - Add patch for CVE-2024-41946 for bundled gem rexml diff --git a/cgmanifest.json b/cgmanifest.json index ca4564d91ed..60071887a39 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -25904,8 +25904,8 @@ "type": "other", "other": { "name": "ruby", - "version": "3.3.3", - "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.3.tar.gz" + "version": "3.3.5", + "downloadUrl": "https://cache.ruby-lang.org/pub/ruby/3.3/ruby-3.3.5.tar.gz" } } }, From 713b235ae875aa78d1dbf5a2e98601aac1d8f563 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:57:59 -0800 Subject: [PATCH 15/55] [AUTO-CHERRYPICK] Fix CVE-2024-27532 for fluent-bit - branch 3.0-dev (#11458) Co-authored-by: Sudipta Pandit --- SPECS/fluent-bit/CVE-2024-27532.patch | 42 +++++++++++++++++++++++++++ SPECS/fluent-bit/fluent-bit.spec | 6 +++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 SPECS/fluent-bit/CVE-2024-27532.patch diff --git a/SPECS/fluent-bit/CVE-2024-27532.patch b/SPECS/fluent-bit/CVE-2024-27532.patch new file mode 100644 index 00000000000..83b9b8f1ae9 --- /dev/null +++ b/SPECS/fluent-bit/CVE-2024-27532.patch @@ -0,0 +1,42 @@ +From bd866ae9686ea914f57e83bd5b2e9c7a5a2a7323 Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Thu, 14 Nov 2024 13:32:31 +0530 +Subject: [PATCH] Fix CVE-2024-27532 + +Reference: https://github.com/bytecodealliance/wasm-micro-runtime/pull/3133 + +--- + .../core/iwasm/interpreter/wasm_loader.c | 2 +- + .../core/iwasm/interpreter/wasm_mini_loader.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +index 87af8526f..2254ba577 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c +@@ -6694,7 +6694,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth, + uint16 cell_num; + + bh_assert(loader_ctx->csp_num > 0); +- if (loader_ctx->csp_num < depth + 1) { ++ if (loader_ctx->csp_num - 1 < depth) { + set_error_buf(error_buf, error_buf_size, + "unknown label, " + "unexpected end of section or function"); +diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +index 157a82cc3..ee01db71d 100644 +--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c ++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c +@@ -5199,7 +5199,8 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth, + int32 i, available_stack_cell; + uint16 cell_num; + +- if (loader_ctx->csp_num < depth + 1) { ++ bh_assert(loader_ctx->csp_num > 0); ++ if (loader_ctx->csp_num - 1 < depth) { + set_error_buf(error_buf, error_buf_size, + "unknown label, " + "unexpected end of section or function"); +-- +2.34.1 + diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec index fbd0c432ea3..c41de3412bc 100644 --- a/SPECS/fluent-bit/fluent-bit.spec +++ b/SPECS/fluent-bit/fluent-bit.spec @@ -1,7 +1,7 @@ Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX Name: fluent-bit Version: 3.1.9 -Release: 1%{?dist} +Release: 2%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,7 @@ URL: https://fluentbit.io Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2024-34250.patch Patch1: CVE-2024-25431.patch +Patch2: CVE-2024-27532.patch BuildRequires: bison BuildRequires: cmake BuildRequires: cyrus-sasl-devel @@ -83,6 +84,9 @@ Development files for %{name} %{_libdir}/fluent-bit/*.so %changelog +* Tue Dec 10 2024 Sudipta Pandit - 3.1.9-2 +- Backport fixes for CVE-2024-27532 + * Tue Nov 23 2024 Paul Meyer - 3.1.9-1 - Update to 3.1.9 to enable Lua filter plugin using system luajit library. - Remove patches for CVE-2024-25629 and CVE-2024-28182 as they are fixed in 3.1.9. From aebe229d4153d4cf11309a6081e7154880383c3b Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:58:29 -0800 Subject: [PATCH 16/55] [AUTO-CHERRYPICK] upgrade php to 8.3.14 - branch 3.0-dev (#11459) Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com> --- ...phpinfo.patch => php-8.3.13-phpinfo.patch} | 2 +- SPECS/php/php-8.3.14-phpinfo.patch | 44 +++++++++++++++++++ SPECS/php/php.signatures.json | 2 +- SPECS/php/php.spec | 8 +++- cgmanifest.json | 4 +- 5 files changed, 54 insertions(+), 6 deletions(-) rename SPECS/php/{php-8.1.0-phpinfo.patch => php-8.3.13-phpinfo.patch} (98%) create mode 100644 SPECS/php/php-8.3.14-phpinfo.patch diff --git a/SPECS/php/php-8.1.0-phpinfo.patch b/SPECS/php/php-8.3.13-phpinfo.patch similarity index 98% rename from SPECS/php/php-8.1.0-phpinfo.patch rename to SPECS/php/php-8.3.13-phpinfo.patch index d19b2f4bab5..a02a2b8a9b7 100644 --- a/SPECS/php/php-8.1.0-phpinfo.patch +++ b/SPECS/php/php-8.3.13-phpinfo.patch @@ -25,7 +25,7 @@ diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/stand @@ -17,7 +17,6 @@ PHP Version => %s System => %s - Build Date => %s%a + Build Date => %r(.+?)%r -Configure Command => %s Server API => Command Line Interface Virtual Directory Support => %s diff --git a/SPECS/php/php-8.3.14-phpinfo.patch b/SPECS/php/php-8.3.14-phpinfo.patch new file mode 100644 index 00000000000..a02a2b8a9b7 --- /dev/null +++ b/SPECS/php/php-8.3.14-phpinfo.patch @@ -0,0 +1,44 @@ + +Drop "Configure Command" from phpinfo as it doesn't +provide any useful information. +The available extensions are not related to this command. + +Replace full GCC name by gcc in php -v output + + +diff -up ./ext/standard/info.c.phpinfo ./ext/standard/info.c +--- ./ext/standard/info.c.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/info.c 2020-07-21 11:41:56.295633523 +0200 +@@ -805,9 +805,6 @@ PHPAPI ZEND_COLD void php_print_info(int + #ifdef PHP_BUILD_ARCH + php_info_print_table_row(2, "Architecture", PHP_BUILD_ARCH); + #endif +-#ifdef CONFIGURE_COMMAND +- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); +-#endif + + if (sapi_module.pretty_name) { + php_info_print_table_row(2, "Server API", sapi_module.pretty_name ); +diff -up ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo ./ext/standard/tests/general_functions/phpinfo.phpt +--- ./ext/standard/tests/general_functions/phpinfo.phpt.phpinfo 2020-07-21 10:49:31.000000000 +0200 ++++ ./ext/standard/tests/general_functions/phpinfo.phpt 2020-07-21 11:41:56.296633522 +0200 +@@ -17,7 +17,6 @@ PHP Version => %s + + System => %s + Build Date => %r(.+?)%r +-Configure Command => %s + Server API => Command Line Interface + Virtual Directory Support => %s + Configuration File (php.ini) Path => %s +diff -up ./sapi/cli/php_cli.c.phpinfo ./sapi/cli/php_cli.c +--- ./sapi/cli/php_cli.c.phpinfo 2020-07-21 11:43:38.812475300 +0200 ++++ ./sapi/cli/php_cli.c 2020-07-21 11:43:45.783464540 +0200 +@@ -645,7 +645,7 @@ static int do_cli(int argc, char **argv) + "NTS" + #endif + #ifdef PHP_BUILD_COMPILER +- " " PHP_BUILD_COMPILER ++ " gcc" + #endif + #ifdef PHP_BUILD_ARCH + " " PHP_BUILD_ARCH diff --git a/SPECS/php/php.signatures.json b/SPECS/php/php.signatures.json index bf36916be81..1d5fd0b6db9 100644 --- a/SPECS/php/php.signatures.json +++ b/SPECS/php/php.signatures.json @@ -6,7 +6,7 @@ "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", - "php-8.3.12.tar.xz": "f774e28633e26fc8c5197f4dae58ec9e3ff87d1b4311cbc61ab05a7ad24bd131", + "php-8.3.14.tar.xz": "58b4cb9019bf70c0cbcdb814c7df79b9065059d14cf7dbf48d971f8e56ae9be7", "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", diff --git a/SPECS/php/php.spec b/SPECS/php/php.spec index 54e6b7f089f..1b106f2f3f7 100644 --- a/SPECS/php/php.spec +++ b/SPECS/php/php.spec @@ -32,7 +32,7 @@ %global with_qdbm 0 Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 8.3.12 +Version: 8.3.14 Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -77,7 +77,7 @@ Patch43: php-7.4.0-phpize.patch Patch45: php-7.4.0-ldap_r.patch # drop "Configure command" from phpinfo output # and only use gcc (instead of full version) -Patch47: php-8.1.0-phpinfo.patch +Patch47: php-8.3.14-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) # Fixes for tests (300+) @@ -1514,6 +1514,10 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %dir %{_datadir}/php/preload %changelog +* Wed Dec 04 2024 Kavya Sree Kaitepalli - 8.3.14-1 +- Upgrade to 8.3.14 to fix CVE-2024-8932, CVE-2024-11234, CVE-2024-11233, CVE-2024-11236 +- Update patch for phpinfo + * Wed Oct 16 2024 Archana Choudhary - 8.3.12-1 - Upgarde to 8.3.12 to fix CVE-2024-8927, CVE-2024-8925 - Refactor patch (with fuzzing) for system tzdata diff --git a/cgmanifest.json b/cgmanifest.json index 60071887a39..87c11b8f8ea 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -20833,8 +20833,8 @@ "type": "other", "other": { "name": "php", - "version": "8.3.12", - "downloadUrl": "https://www.php.net/distributions/php-8.3.12.tar.xz" + "version": "8.3.14", + "downloadUrl": "https://www.php.net/distributions/php-8.3.14.tar.xz" } } }, From 4d457279a46c48b56875bc14486b872db2e04fba Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:59:19 -0800 Subject: [PATCH 17/55] [AUTO-CHERRYPICK] Patch CVE-2024-24786 in flannel - branch 3.0-dev (#11460) Co-authored-by: suresh-thelkar --- SPECS/flannel/CVE-2024-24786.patch | 40 ++++++++++++++++++++++++++++++ SPECS/flannel/flannel.spec | 11 ++++---- 2 files changed, 46 insertions(+), 5 deletions(-) create mode 100644 SPECS/flannel/CVE-2024-24786.patch diff --git a/SPECS/flannel/CVE-2024-24786.patch b/SPECS/flannel/CVE-2024-24786.patch new file mode 100644 index 00000000000..54f2436a58c --- /dev/null +++ b/SPECS/flannel/CVE-2024-24786.patch @@ -0,0 +1,40 @@ +From 4242a8a09f371163fb7f4ac2c5998d3e162f8923 Mon Sep 17 00:00:00 2001 +From: sthelkar +Date: Fri, 6 Dec 2024 04:36:49 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/well_known_types.go | 4 ++++ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..70c2ba6 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error { + } + } + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") + } + return nil + } +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec index 9d47ef9506b..d374de304a3 100644 --- a/SPECS/flannel/flannel.spec +++ b/SPECS/flannel/flannel.spec @@ -3,7 +3,7 @@ Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes Name: flannel Version: 0.24.2 -Release: 7%{?dist} +Release: 8%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,6 +11,7 @@ Group: System Environment/Libraries URL: https://github.com/flannel-io/flannel Source0: https://github.com/flannel-io/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-24786.patch BuildRequires: gcc BuildRequires: glibc-devel BuildRequires: glibc-static >= 2.38-8%{?dist} @@ -21,12 +22,9 @@ BuildRequires: kernel-headers Flannel is a simple and easy way to configure a layer 3 network fabric designed for Kubernetes. %prep -%autosetup -p1 +%autosetup -p1 -a 1 %build -# create vendor folder from the vendor tarball and set vendor mode -tar -xf %{SOURCE1} --no-same-owner - export GOPATH=%{our_gopath} export TAG=v%{version} %ifarch x86_64 @@ -50,6 +48,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld %{_bindir}/flanneld %changelog +* Fri Dec 06 2024 sthelkar - 0.24.2-8 +- Patch CVE-2024-24786 + * Mon Aug 26 2024 Rachel Menge - 0.24.2-7 - Update to build dep latest glibc-static version From 124b475a97854473bac0630b232aea8ffeb020d3 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 06:59:56 -0800 Subject: [PATCH 18/55] [AUTO-CHERRYPICK] pam: Fix CVE-2024-10963 with patch - branch 3.0-dev (#11461) Co-authored-by: Adit Jha <111916775+aditjha-msft@users.noreply.github.com> --- SPECS/pam/CVE-2024-10963.patch | 224 ++++++++++++++++++ SPECS/pam/pam.spec | 6 +- .../manifests/package/toolchain_aarch64.txt | 8 +- .../manifests/package/toolchain_x86_64.txt | 8 +- 4 files changed, 237 insertions(+), 9 deletions(-) create mode 100644 SPECS/pam/CVE-2024-10963.patch diff --git a/SPECS/pam/CVE-2024-10963.patch b/SPECS/pam/CVE-2024-10963.patch new file mode 100644 index 00000000000..57491a7aede --- /dev/null +++ b/SPECS/pam/CVE-2024-10963.patch @@ -0,0 +1,224 @@ +From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Thu, 14 Nov 2024 10:27:28 +0100 +Subject: [PATCH] pam_access: rework resolving of tokens as hostname + +* modules/pam_access/pam_access.c: separate resolving of IP addresses + from hostnames. Don't resolve TTYs or display variables as hostname + (#834). + Add "nodns" option to disallow resolving of tokens as hostname. +* modules/pam_access/pam_access.8.xml: document nodns option +* modules/pam_access/access.conf.5.xml: document that hostnames should + be written as FQHN. +--- + modules/pam_access/access.conf.5.xml | 4 ++ + modules/pam_access/pam_access.8.xml | 46 ++++++++++++------ + modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++- + 3 files changed, 105 insertions(+), 17 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index 0b93db00e4..10b8ba9252 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -233,6 +233,10 @@ + item and the line will be most probably ignored. For this reason, it is not + recommended to put spaces around the ':' characters. + ++ ++ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid ++ confusion with device names or PAM service names. ++ + + + +diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml +index c991d7a097..71a4f7ee94 100644 +--- a/modules/pam_access/pam_access.8.xml ++++ b/modules/pam_access/pam_access.8.xml +@@ -22,11 +22,14 @@ + + debug + ++ ++ noaudit ++ + + nodefgroup + + +- noaudit ++ nodns + + + accessfile=file +@@ -132,6 +135,33 @@ + + + ++ ++ ++ nodefgroup ++ ++ ++ ++ User tokens which are not enclosed in parentheses will not be ++ matched against the group database. The backwards compatible default is ++ to try the group database match even for tokens not enclosed ++ in parentheses. ++ ++ ++ ++ ++ ++ ++ nodns ++ ++ ++ ++ Do not try to resolve tokens as hostnames, only IPv4 and IPv6 ++ addresses will be resolved. Which means to allow login from a ++ remote host, the IP addresses need to be specified in access.conf. ++ ++ ++ ++ + + + fieldsep=separators +@@ -185,20 +215,6 @@ + + + +- +- +- nodefgroup +- +- +- +- User tokens which are not enclosed in parentheses will not be +- matched against the group database. The backwards compatible default is +- to try the group database match even for tokens not enclosed +- in parentheses. +- +- +- +- + + + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index 48e7c7e974..109115e9cf 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -100,6 +100,7 @@ struct login_info { + int debug; /* Print debugging messages. */ + int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ + int noaudit; /* Do not audit denials */ ++ int nodns; /* Do not try to resolve tokens as hostnames */ + const char *fs; /* field separator */ + const char *sep; /* list-element separator */ + int from_remote_host; /* If PAM_RHOST was used for from */ +@@ -150,7 +150,9 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, + loginfo->only_new_group_syntax = YES; + } else if (strcmp (argv[i], "noaudit") == 0) { + loginfo->noaudit = YES; +- } else { ++ } else if (strcmp (argv[i], "nodns") == 0) { ++ loginfo->nodns = YES; ++ } else { + pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); + } + } +@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; +- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ ++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */ + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); +@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + } + + ++static int ++is_device (pam_handle_t *pamh, const char *tok) ++{ ++ struct stat st; ++ const char *dev = "/dev/"; ++ char *devname; ++ ++ devname = malloc (strlen(dev) + strlen (tok) + 1); ++ if (devname == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m"); ++ /* ++ * We should return an error and abort, but pam_access has no good ++ * error handling. ++ */ ++ return NO; ++ } ++ ++ char *cp = stpcpy (devname, dev); ++ strcpy (cp, tok); ++ ++ if (lstat(devname, &st) != 0) ++ { ++ free (devname); ++ return NO; ++ } ++ free (devname); ++ ++ if (S_ISCHR(st.st_mode)) ++ return YES; ++ ++ return NO; ++} ++ + /* network_netmask_match - match a string against one token + * where string is a hostname or ip (v4,v6) address and tok + * represents either a hostname, a single ip (v4,v6) address +@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh, + return NO; + } + } ++ else if (isipaddr(tok, NULL, NULL) == YES) ++ { ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) ++ { ++ if (item->debug) ++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok); ++ ++ return NO; ++ } ++ netmask_ptr = NULL; ++ } ++ else if (item->nodns) ++ { ++ /* Only hostnames are left, which we would need to resolve via DNS */ ++ return NO; ++ } + else + { ++ /* Bail out on X11 Display entries and ttys. */ ++ if (tok[0] == ':') ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is X11 display", tok); ++ return NO; ++ } ++ if (is_device (pamh, tok)) ++ { ++ if (item->debug) ++ pam_syslog (pamh, LOG_DEBUG, ++ "network_netmask_match: tok=%s is a TTY", tok); ++ return NO; ++ } ++ + /* +- * It is either an IP address or a hostname. ++ * It is most likely a hostname. + * Let getaddrinfo sort everything out + */ + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec index 18cb42a6858..231a01044b7 100644 --- a/SPECS/pam/pam.spec +++ b/SPECS/pam/pam.spec @@ -1,7 +1,7 @@ Summary: Linux Pluggable Authentication Modules Name: pam Version: 1.5.3 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD and GPLv2+ URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz @@ -16,6 +16,7 @@ Requires: audit-libs Recommends: cracklib-dicts Patch0: CVE-2024-22365.patch +Patch1: CVE-2024-10963.patch %description The Linux PAM package contains Pluggable Authentication Modules used to @@ -104,6 +105,9 @@ EOF %{_libdir}/pkgconfig/pamc.pc %changelog +* Fri Dec 06 2024 Adit Jha - 1.5.3-3 +- Patching CVE-2024-10963. + * Wed Oct 30 2024 Pawel Winogrodzki - 1.5.3-2 - Patching CVE-2024-22365. diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index b3838e476e7..f23a69c8b80 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -296,10 +296,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm p11-kit-devel-0.25.0-1.azl3.aarch64.rpm p11-kit-server-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -pam-1.5.3-2.azl3.aarch64.rpm -pam-debuginfo-1.5.3-2.azl3.aarch64.rpm -pam-devel-1.5.3-2.azl3.aarch64.rpm -pam-lang-1.5.3-2.azl3.aarch64.rpm +pam-1.5.3-3.azl3.aarch64.rpm +pam-debuginfo-1.5.3-3.azl3.aarch64.rpm +pam-devel-1.5.3-3.azl3.aarch64.rpm +pam-lang-1.5.3-3.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm patch-debuginfo-2.7.6-9.azl3.aarch64.rpm pcre2-10.42-3.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index e15f53cd0d3..0d120809183 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -302,10 +302,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm p11-kit-devel-0.25.0-1.azl3.x86_64.rpm p11-kit-server-0.25.0-1.azl3.x86_64.rpm p11-kit-trust-0.25.0-1.azl3.x86_64.rpm -pam-1.5.3-2.azl3.x86_64.rpm -pam-debuginfo-1.5.3-2.azl3.x86_64.rpm -pam-devel-1.5.3-2.azl3.x86_64.rpm -pam-lang-1.5.3-2.azl3.x86_64.rpm +pam-1.5.3-3.azl3.x86_64.rpm +pam-debuginfo-1.5.3-3.azl3.x86_64.rpm +pam-devel-1.5.3-3.azl3.x86_64.rpm +pam-lang-1.5.3-3.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm patch-debuginfo-2.7.6-9.azl3.x86_64.rpm pcre2-10.42-3.azl3.x86_64.rpm From caa12903b08845ab14abeffcce03344b7f69ba8e Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 07:00:38 -0800 Subject: [PATCH 19/55] [AUTO-CHERRYPICK] python3: Address CVE-2024-12254 - branch 3.0-dev (#11462) Co-authored-by: Ankita Pareek <56152556+Ankita13-code@users.noreply.github.com> --- SPECS/python3/CVE-2024-12254.patch | 203 ++++++++++++++++++ SPECS/python3/python3.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 6 +- .../manifests/package/pkggen_core_x86_64.txt | 6 +- .../manifests/package/toolchain_aarch64.txt | 14 +- .../manifests/package/toolchain_x86_64.txt | 14 +- 6 files changed, 228 insertions(+), 21 deletions(-) create mode 100644 SPECS/python3/CVE-2024-12254.patch diff --git a/SPECS/python3/CVE-2024-12254.patch b/SPECS/python3/CVE-2024-12254.patch new file mode 100644 index 00000000000..d88bbb9fbc0 --- /dev/null +++ b/SPECS/python3/CVE-2024-12254.patch @@ -0,0 +1,203 @@ +From bfc2e93d755bf496e5ef4cae9609d2823122c909 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 10:01:10 -0600 +Subject: [PATCH 01/10] Ensure writelines pauses the protocol if needed + +--- + Lib/asyncio/selector_events.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Lib/asyncio/selector_events.py b/Lib/asyncio/selector_events.py +index f94bf10b4225e7..f1ab9b12d69a5d 100644 +--- a/Lib/asyncio/selector_events.py ++++ b/Lib/asyncio/selector_events.py +@@ -1175,6 +1175,7 @@ def writelines(self, list_of_data): + # If the entire buffer couldn't be written, register a write handler + if self._buffer: + self._loop._add_writer(self._sock_fd, self._write_ready) ++ self._maybe_pause_protocol() + + def can_write_eof(self): + return True + +From e54226f50c0b6fc6f1b08493f32f4c8e5e735348 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 10:38:03 -0600 +Subject: [PATCH 02/10] add test coverage + +--- + Lib/test/test_asyncio/test_selector_events.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/Lib/test/test_asyncio/test_selector_events.py b/Lib/test/test_asyncio/test_selector_events.py +index aaeda33dd0c677..efca30f37414f9 100644 +--- a/Lib/test/test_asyncio/test_selector_events.py ++++ b/Lib/test/test_asyncio/test_selector_events.py +@@ -805,6 +805,18 @@ def test_writelines_send_partial(self): + self.assertTrue(self.sock.send.called) + self.assertTrue(self.loop.writers) + ++ def test_writelines_pauses_protocol(self): ++ data = memoryview(b'data') ++ self.sock.send.return_value = 2 ++ self.sock.send.fileno.return_value = 7 ++ ++ transport = self.socket_transport() ++ transport._high_water = 1 ++ transport.writelines([data]) ++ self.assertTrue(self.protocol.pause_writing.called) ++ self.assertTrue(self.sock.send.called) ++ self.assertTrue(self.loop.writers) ++ + @unittest.skipUnless(selector_events._HAS_SENDMSG, 'no sendmsg') + def test_write_sendmsg_full(self): + data = memoryview(b'data') + +From 235085682fbd1d37ecd9838d74859dd447c81344 Mon Sep 17 00:00:00 2001 +From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> +Date: Thu, 5 Dec 2024 21:35:22 +0000 +Subject: [PATCH 03/10] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= + =?UTF-8?q?lurb=5Fit.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + .../next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +new file mode 100644 +index 00000000000000..33a18014e74332 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -0,0 +1 @@ ++Fixed the :mod:`asyncio` selector transport not pausing the protocol when the buffer reaches the high water mark. + +From 8fcc087fabafb0b9a14c8f9c402fe963fdf0107b Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 15:36:53 -0600 +Subject: [PATCH 04/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index 33a18014e74332..a44f54fdee407e 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing the protocol when the buffer reaches the high water mark. ++Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark. + +From 2d550302474ffafdd16b5f5eec9af96c133c98e5 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 19:37:35 -0600 +Subject: [PATCH 05/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index a44f54fdee407e..181112e3e38cfe 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark. ++Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using `writelines`. + +From 0cbbba61e903a738f0748213d8b2bf1e608db8ae Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 19:37:49 -0600 +Subject: [PATCH 06/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index 181112e3e38cfe..8eadbf4abc781e 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using `writelines`. ++Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using ``writelines``. + +From 472df1700698a830c6f451f5febc6d34a1bbffb9 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 19:41:59 -0600 +Subject: [PATCH 07/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index 8eadbf4abc781e..28abf1e2928c94 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using ``writelines``. ++Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.StreamWriter.writelines`. + +From 28869e5520d66da89b5108adef6fa71ab3aef027 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 19:46:36 -0600 +Subject: [PATCH 08/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index 28abf1e2928c94..a7930e69ced5a0 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.StreamWriter.writelines`. ++Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. + +From 056974c5a5df3c5a8754479e5a04529e2f3a607c Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 19:53:25 -0600 +Subject: [PATCH 09/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index a7930e69ced5a0..9deac957eb14e6 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :mod:`asyncio` selector transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. ++Fixed the :class:`asyncio.SelectorEventLoop` transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. + +From 6b01a670de78bba61306bd91456ec6621e213c20 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Thu, 5 Dec 2024 22:07:34 -0600 +Subject: [PATCH 10/10] Update + Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst + +Co-authored-by: Kumar Aditya +--- + .../Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +index 9deac957eb14e6..76cfc58121d3bd 100644 +--- a/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst ++++ b/Misc/NEWS.d/next/Security/2024-12-05-21-35-19.gh-issue-127655.xpPoOf.rst +@@ -1 +1 @@ +-Fixed the :class:`asyncio.SelectorEventLoop` transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. ++Fixed the :class:`!asyncio.selector_events._SelectorSocketTransport` transport not pausing writes for the protocol when the buffer reaches the high water mark when using :meth:`asyncio.WriteTransport.writelines`. diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 50058cdc7d0..21e9ec6b808 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -6,7 +6,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.12.3 -Release: 4%{?dist} +Release: 5%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Azure Linux @@ -21,6 +21,7 @@ Patch1: CVE-2024-7592.patch Patch2: CVE-2024-6923.patch Patch3: CVE-2024-6232.patch Patch4: CVE-2024-8088.patch +Patch5: CVE-2024-12254.patch BuildRequires: bzip2-devel BuildRequires: expat-devel >= 2.1.0 @@ -242,6 +243,9 @@ rm -rf %{buildroot}%{_bindir}/__pycache__ %{_libdir}/python%{majmin}/test/* %changelog +* Mon Dec 10 2024 Ankita Pareek - 3.12.3-5 +- Patch CVE-2024-12254 + * Fri Sep 20 2024 Himaja Kesari - 3.12.3-4 - Patch CVE-2024-6232 and CVE-2024-8088 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 3ab3b3d6642..a1c797e9457 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -240,9 +240,9 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm unzip-6.0-21.azl3.aarch64.rpm -python3-3.12.3-4.azl3.aarch64.rpm -python3-devel-3.12.3-4.azl3.aarch64.rpm -python3-libs-3.12.3-4.azl3.aarch64.rpm +python3-3.12.3-5.azl3.aarch64.rpm +python3-devel-3.12.3-5.azl3.aarch64.rpm +python3-libs-3.12.3-5.azl3.aarch64.rpm python3-setuptools-69.0.3-4.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm which-2.21-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 3871203b17b..6ac2297c298 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -240,9 +240,9 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm ca-certificates-3.0.0-7.azl3.noarch.rpm dwz-0.14-2.azl3.x86_64.rpm unzip-6.0-21.azl3.x86_64.rpm -python3-3.12.3-4.azl3.x86_64.rpm -python3-devel-3.12.3-4.azl3.x86_64.rpm -python3-libs-3.12.3-4.azl3.x86_64.rpm +python3-3.12.3-5.azl3.x86_64.rpm +python3-devel-3.12.3-5.azl3.x86_64.rpm +python3-libs-3.12.3-5.azl3.x86_64.rpm python3-setuptools-69.0.3-4.azl3.noarch.rpm python3-pygments-2.7.4-2.azl3.noarch.rpm which-2.21-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index f23a69c8b80..77ca66d1ceb 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -529,18 +529,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm python-wheel-wheel-0.43.0-1.azl3.noarch.rpm -python3-3.12.3-4.azl3.aarch64.rpm +python3-3.12.3-5.azl3.aarch64.rpm python3-audit-3.1.2-1.azl3.aarch64.rpm python3-cracklib-2.9.11-1.azl3.aarch64.rpm -python3-curses-3.12.3-4.azl3.aarch64.rpm +python3-curses-3.12.3-5.azl3.aarch64.rpm python3-Cython-3.0.5-2.azl3.aarch64.rpm -python3-debuginfo-3.12.3-4.azl3.aarch64.rpm -python3-devel-3.12.3-4.azl3.aarch64.rpm +python3-debuginfo-3.12.3-5.azl3.aarch64.rpm +python3-devel-3.12.3-5.azl3.aarch64.rpm python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.aarch64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm -python3-libs-3.12.3-4.azl3.aarch64.rpm +python3-libs-3.12.3-5.azl3.aarch64.rpm python3-libxml2-2.11.5-1.azl3.aarch64.rpm python3-lxml-4.9.3-1.azl3.aarch64.rpm python3-magic-5.45-1.azl3.noarch.rpm @@ -552,8 +552,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.aarch64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm python3-setuptools-69.0.3-4.azl3.noarch.rpm -python3-test-3.12.3-4.azl3.aarch64.rpm -python3-tools-3.12.3-4.azl3.aarch64.rpm +python3-test-3.12.3-5.azl3.aarch64.rpm +python3-tools-3.12.3-5.azl3.aarch64.rpm python3-wheel-0.43.0-1.azl3.noarch.rpm readline-8.2-1.azl3.aarch64.rpm readline-debuginfo-8.2-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 0d120809183..b0c69a29cf4 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -535,18 +535,18 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm python-wheel-wheel-0.43.0-1.azl3.noarch.rpm -python3-3.12.3-4.azl3.x86_64.rpm +python3-3.12.3-5.azl3.x86_64.rpm python3-audit-3.1.2-1.azl3.x86_64.rpm python3-cracklib-2.9.11-1.azl3.x86_64.rpm -python3-curses-3.12.3-4.azl3.x86_64.rpm +python3-curses-3.12.3-5.azl3.x86_64.rpm python3-Cython-3.0.5-2.azl3.x86_64.rpm -python3-debuginfo-3.12.3-4.azl3.x86_64.rpm -python3-devel-3.12.3-4.azl3.x86_64.rpm +python3-debuginfo-3.12.3-5.azl3.x86_64.rpm +python3-devel-3.12.3-5.azl3.x86_64.rpm python3-flit-core-3.9.0-1.azl3.noarch.rpm python3-gpg-1.23.2-2.azl3.x86_64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm -python3-libs-3.12.3-4.azl3.x86_64.rpm +python3-libs-3.12.3-5.azl3.x86_64.rpm python3-libxml2-2.11.5-1.azl3.x86_64.rpm python3-lxml-4.9.3-1.azl3.x86_64.rpm python3-magic-5.45-1.azl3.noarch.rpm @@ -558,8 +558,8 @@ python3-pygments-2.7.4-2.azl3.noarch.rpm python3-rpm-4.18.2-1.azl3.x86_64.rpm python3-rpm-generators-14-11.azl3.noarch.rpm python3-setuptools-69.0.3-4.azl3.noarch.rpm -python3-test-3.12.3-4.azl3.x86_64.rpm -python3-tools-3.12.3-4.azl3.x86_64.rpm +python3-test-3.12.3-5.azl3.x86_64.rpm +python3-tools-3.12.3-5.azl3.x86_64.rpm python3-wheel-0.43.0-1.azl3.noarch.rpm readline-8.2-1.azl3.x86_64.rpm readline-debuginfo-8.2-1.azl3.x86_64.rpm From 17767e132bd7548195023b60585ef44a42f8d73e Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 07:01:09 -0800 Subject: [PATCH 20/55] [AUTO-CHERRYPICK] Fix CVE-2024-36623 for docker-cli - branch 3.0-dev (#11463) Co-authored-by: Sudipta Pandit --- SPECS/docker-cli/CVE-2024-36623.patch | 45 +++++++++++++++++++++++++++ SPECS/docker-cli/docker-cli.spec | 6 +++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 SPECS/docker-cli/CVE-2024-36623.patch diff --git a/SPECS/docker-cli/CVE-2024-36623.patch b/SPECS/docker-cli/CVE-2024-36623.patch new file mode 100644 index 00000000000..a1722aa6a0e --- /dev/null +++ b/SPECS/docker-cli/CVE-2024-36623.patch @@ -0,0 +1,45 @@ +From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= +Date: Thu, 22 Feb 2024 18:01:40 +0100 +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sync access to the underlying `io.Writer` with a mutex. + +Signed-off-by: Paweł Gronowski +--- + vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go b/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go +index b0456e580dc9d..098df6b5236b9 100644 +--- a/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go ++++ b/vendor/github.com/docker/docker/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err diff --git a/SPECS/docker-cli/docker-cli.spec b/SPECS/docker-cli/docker-cli.spec index c08b378b243..5fd8c1d553d 100644 --- a/SPECS/docker-cli/docker-cli.spec +++ b/SPECS/docker-cli/docker-cli.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine client. Name: docker-cli Version: 25.0.3 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -13,6 +13,7 @@ Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name Source1: %{name}-%{version}-govendor-v1.tar.gz Patch0: disable_manpage_vendor.patch Patch1: CVE-2024-24786.patch +Patch2: CVE-2024-36623.patch BuildRequires: git BuildRequires: go-md2man BuildRequires: golang @@ -81,6 +82,9 @@ install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fi %{_datadir}/fish/vendor_completions.d/docker.fish %changelog +* Tue Dec 10 2024 Sudipta Pandit - 25.0.3-3 +- Fix CVE-2024-36623 with patch + * Mon Nov 25 2024 Bala - 25.0.3-2 - Fix CVE-2024-24786 From 30a9fe75916e6e0a8b63c961beaafb9c0b1173df Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 07:02:06 -0800 Subject: [PATCH 21/55] [AUTO-CHERRYPICK] [3.0 Fast-track] Upgrade nvidia container toolkit and libnvidia-container to v1.17.3 - branch 3.0-dev (#11464) Co-authored-by: Henry Li <69694695+henryli001@users.noreply.github.com> --- .../libnvidia-container.signatures.json | 2 +- SPECS/libnvidia-container/libnvidia-container.spec | 5 ++++- .../nvidia-container-toolkit.signatures.json | 4 ++-- .../nvidia-container-toolkit.spec | 13 +++++++++++-- cgmanifest.json | 8 ++++---- 5 files changed, 22 insertions(+), 10 deletions(-) diff --git a/SPECS/libnvidia-container/libnvidia-container.signatures.json b/SPECS/libnvidia-container/libnvidia-container.signatures.json index cb0ee199644..98ae0ebc573 100644 --- a/SPECS/libnvidia-container/libnvidia-container.signatures.json +++ b/SPECS/libnvidia-container/libnvidia-container.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "libnvidia-container-1.17.1.tar.gz": "861ee77bbf1d19531f4c65e57989d5f1a41b0a0b28d6a2d0e2c8e2ede14c1e25", + "libnvidia-container-1.17.3.tar.gz": "9c28e729f1677b6ff9edb3f4dccff4f9827ffe13c04fbcffa41aabacbc0fdd54", "nvidia-modprobe-550.54.14.tar.gz": "5687b0dfa6087dd480ae91e91ff1dca975794e35a2edcf9ec08d8f9cb98ef905" } } \ No newline at end of file diff --git a/SPECS/libnvidia-container/libnvidia-container.spec b/SPECS/libnvidia-container/libnvidia-container.spec index 9ef428fcb67..455226ccdca 100644 --- a/SPECS/libnvidia-container/libnvidia-container.spec +++ b/SPECS/libnvidia-container/libnvidia-container.spec @@ -3,7 +3,7 @@ %define mod_probe_dir deps/src/nvidia-modprobe-%{modprobe_version} Summary: NVIDIA container runtime library Name: libnvidia-container -Version: 1.17.1 +Version: 1.17.3 Release: 1%{?dist} License: BSD AND ASL2.0 AND GPLv3+ AND LGPLv3+ AND MIT AND GPLv2 Vendor: Microsoft Corporation @@ -135,6 +135,9 @@ This package contains command-line tools that facilitate using the library. %{_bindir}/* %changelog +* Thu Dec 05 2024 Henry Li - 1.17.3-1 +- Upgrade to v1.17.3 + * Mon Nov 11 2024 Henry Li - 1.17.1-1 - Upgrade to v1.17.1 diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json index 0fa9f0cf7d0..092098cc515 100644 --- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "nvidia-container-toolkit-1.17.1-vendor.tar.gz": "894d10f0504e7a8a8fe8748d736288e90f23e24f13aac058b6b83c4ca99dc40f", - "nvidia-container-toolkit-1.17.1.tar.gz": "bf1e3ede225bfa41a932e00430e3efbc2c788d8a4e93e5133ff24b5a3b2ae1eb" + "nvidia-container-toolkit-1.17.3-vendor.tar.gz": "894d10f0504e7a8a8fe8748d736288e90f23e24f13aac058b6b83c4ca99dc40f", + "nvidia-container-toolkit-1.17.3.tar.gz": "58eb450e52d45483a26d9269cf4f74a8b9d0b765751581f1123b18dc48609791" } } diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec index 4c41703fda2..8eb08e5bff1 100644 --- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec @@ -1,7 +1,7 @@ %global debug_package %{nil} Summary: NVIDIA container runtime hook Name: nvidia-container-toolkit -Version: 1.17.1 +Version: 1.17.3 Release: 1%{?dist} License: ALS2.0 Vendor: Microsoft Corporation @@ -32,7 +32,8 @@ BuildRequires: golang >= 1.20.7 Obsoletes: nvidia-container-runtime <= 3.5.0-1, nvidia-container-runtime-hook <= 1.4.0-2 Provides: nvidia-container-runtime Provides: nvidia-container-runtime-hook -Requires: libnvidia-container-tools >= 1.13.5, libnvidia-container-tools < 2.0.0 +Requires: libnvidia-container-tools >= %{version}, libnvidia-container-tools < 2.0.0 +Requires: nvidia-container-toolkit-base == %{version}-%{release} %description Provides a OCI hook to enable GPU support in containers. @@ -58,12 +59,14 @@ tar -xvf %{SOURCE1} go build -ldflags "-s -w " -o "nvidia-container-runtime-hook" ./cmd/nvidia-container-runtime-hook go build -ldflags "-s -w " -o "nvidia-container-runtime" ./cmd/nvidia-container-runtime go build -ldflags "-s -w " -o "nvidia-ctk" ./cmd/nvidia-ctk +go build -ldflags "-s -w " -o "nvidia-cdi-hook" ./cmd/nvidia-cdi-hook %install mkdir -p %{buildroot}%{_bindir} install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime-hook install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime install -m 755 -t %{buildroot}%{_bindir} nvidia-ctk +install -m 755 -t %{buildroot}%{_bindir} nvidia-cdi-hook %posttrans ln -sf %{_bindir}/nvidia-container-runtime-hook %{_bindir}/nvidia-container-toolkit @@ -82,8 +85,14 @@ rm -f %{_bindir}/nvidia-container-toolkit %license LICENSE %{_bindir}/nvidia-container-runtime %{_bindir}/nvidia-ctk +%{_bindir}/nvidia-cdi-hook %changelog +* Thu Dec 05 2024 Henry Li - 1.17.3-1 +- Upgrade to v1.17.3 +- Add nvidia-cdi-hook binary to nvidia-container-toolkit-base package +- Add nvidia-container-toolkit-base as runtime requirement for nvidia-container-toolkit + * Mon Nov 11 2024 Henry Li - 1.17.1-1 - Upgrade to v1.17.1 to resolve CVE‑2024-0134 diff --git a/cgmanifest.json b/cgmanifest.json index 87c11b8f8ea..fe16e2bd795 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -10341,8 +10341,8 @@ "type": "other", "other": { "name": "libnvidia-container", - "version": "1.17.1", - "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.17.1.tar.gz" + "version": "1.17.3", + "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.17.3.tar.gz" } } }, @@ -14302,8 +14302,8 @@ "type": "other", "other": { "name": "nvidia-container-toolkit", - "version": "1.17.1", - "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.17.1.tar.gz" + "version": "1.17.3", + "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.17.3.tar.gz" } } }, From 38f93ab663402c4d3beec4cca79a62a70d851eb4 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 18 Dec 2024 07:03:29 -0800 Subject: [PATCH 22/55] [AUTO-CHERRYPICK] ruby: update to 3.3.5 to resolve CVE-2024-39908 and CVE-2024-49761 - branch 3.0-dev (#11413) Co-authored-by: Saul Paredes <30801614+Redent0r@users.noreply.github.com> From 0c5d7aebd93f4b05ee3424a063a2e728facc7ef6 Mon Sep 17 00:00:00 2001 From: Nan Liu <108544011+liunan-ms@users.noreply.github.com> Date: Wed, 18 Dec 2024 10:23:59 -0800 Subject: [PATCH 23/55] Upgrade runc version to 1.2.2 and libseccomp to 2.5.5 (#11029) As containerd 2.0 GA recently, we want to provide containerd 2.0 in azure linux 3.0 to enhance our distro. containerd 2.0 requires runc 1.2 as a dependency. The latest runc version 1.2.2 introduces security enhancement and supports new features, such as user namespace, so we want to upgrade runc to the latest version and align with the Fedora offerings. This PR is to upgrade runc version to 1.2.2 and libseccomp to 2.5.5. As a follow-up, containerd 2.0 will be added as a standalone package in a separate PR. --- SPECS/libseccomp/libseccomp.signatures.json | 2 +- SPECS/libseccomp/libseccomp.spec | 5 ++++- SPECS/runc/runc.signatures.json | 2 +- SPECS/runc/runc.spec | 12 ++++++++---- cgmanifest.json | 8 ++++---- 5 files changed, 18 insertions(+), 11 deletions(-) diff --git a/SPECS/libseccomp/libseccomp.signatures.json b/SPECS/libseccomp/libseccomp.signatures.json index 810e1646b60..e07a10271da 100644 --- a/SPECS/libseccomp/libseccomp.signatures.json +++ b/SPECS/libseccomp/libseccomp.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libseccomp-2.5.4.tar.gz": "d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb" + "libseccomp-2.5.5.tar.gz": "248a2c8a4d9b9858aa6baf52712c34afefcf9c9e94b76dce02c1c9aa25fb3375" } } diff --git a/SPECS/libseccomp/libseccomp.spec b/SPECS/libseccomp/libseccomp.spec index 61b68835420..3916f24b162 100644 --- a/SPECS/libseccomp/libseccomp.spec +++ b/SPECS/libseccomp/libseccomp.spec @@ -1,6 +1,6 @@ Summary: Enhanced seccomp library Name: libseccomp -Version: 2.5.4 +Version: 2.5.5 Release: 1%{?dist} License: LGPLv2 Vendor: Microsoft Corporation @@ -62,6 +62,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_mandir}/man3/* %changelog +* Tue Nov 05 2024 Nan Liu - 2.5.5-1 +- Upgrade to 2.5.5 as other older version is no longer supported upstream + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 2.5.4-1 - Auto-upgrade to 2.5.4 - Azure Linux 3.0 - package upgrades diff --git a/SPECS/runc/runc.signatures.json b/SPECS/runc/runc.signatures.json index 4cdcc7d971a..18a8b03544d 100644 --- a/SPECS/runc/runc.signatures.json +++ b/SPECS/runc/runc.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "runc-1.1.12.tar.gz": "be31b07d6a54a8f234016501c300ad04b6c428c56588e7eca8c3b663308db208" + "runc-1.2.2.tar.gz": "0eabc936d481d123be92c429588f9d1de7cafd36b37a8a5085b1412e758796a1" } } diff --git a/SPECS/runc/runc.spec b/SPECS/runc/runc.spec index 332add7b584..8523a32c790 100644 --- a/SPECS/runc/runc.spec +++ b/SPECS/runc/runc.spec @@ -1,9 +1,9 @@ -%define commit_hash 51d5e94601ceffbbd85688df1c928ecccbfa4685 +%define commit_hash 7cb363254b69e10320360b63fb73e0ffb5da7bf2 Summary: CLI tool for spawning and running containers per OCI spec. Name: runc # update "commit_hash" above when upgrading version -Version: 1.1.12 -Release: 2%{?dist} +Version: 1.2.2 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,7 +12,7 @@ URL: https://github.com/opencontainers/runc Source0: https://github.com/opencontainers/runc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: git BuildRequires: go-md2man -BuildRequires: golang < 1.23 +BuildRequires: golang BuildRequires: libseccomp-devel BuildRequires: make Requires: glibc @@ -43,6 +43,10 @@ make install-man DESTDIR=%{buildroot} PREFIX=%{_prefix} %{_mandir}/* %changelog +* Mon Nov 25 2024 Nan Liu - 1.2.2-1 +- Bump version to 1.2.2 +- Remove the golang version constraint + * Tue Oct 15 2024 Muhammad Falak - 1.1.12-2 - Pin golang version to <= 1.22 diff --git a/cgmanifest.json b/cgmanifest.json index fe16e2bd795..f5b99318796 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -10841,8 +10841,8 @@ "type": "other", "other": { "name": "libseccomp", - "version": "2.5.4", - "downloadUrl": "https://github.com/seccomp/libseccomp/releases/download/v2.5.4/libseccomp-2.5.4.tar.gz" + "version": "2.5.5", + "downloadUrl": "https://github.com/seccomp/libseccomp/releases/download/v2.5.5/libseccomp-2.5.5.tar.gz" } } }, @@ -27064,8 +27064,8 @@ "type": "other", "other": { "name": "runc", - "version": "1.1.12", - "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.1.12.tar.gz" + "version": "1.2.2", + "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.2.2.tar.gz" } } }, From 80d7fe2ea47fd739378a770e5a96f1dc8b4d4241 Mon Sep 17 00:00:00 2001 From: Nan Liu <108544011+liunan-ms@users.noreply.github.com> Date: Wed, 18 Dec 2024 10:25:19 -0800 Subject: [PATCH 24/55] Add containerd2 package (#11427) As containerd 2.0 GA recently, we want to provide containerd 2.0 in azure linux 3.0 to enhance our distro. Currently we wanted to keep the current containerd version in the existing package and offer container 2.0 in a new package so that users can try and test as their needs. This PR is adds a new containerd2 package with version 2.0.0. --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- LICENSES-AND-NOTICES/SPECS/data/licenses.json | 1 + SPECS/containerd2/containerd.service | 15 ++++ SPECS/containerd2/containerd.toml | 9 ++ SPECS/containerd2/containerd2.signatures.json | 7 ++ SPECS/containerd2/containerd2.spec | 85 +++++++++++++++++++ cgmanifest.json | 10 +++ 7 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 SPECS/containerd2/containerd.service create mode 100644 SPECS/containerd2/containerd.toml create mode 100644 SPECS/containerd2/containerd2.signatures.json create mode 100644 SPECS/containerd2/containerd2.spec diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index bf93a05d117..a9942f9ccd1 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -9,7 +9,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
zstd | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress
asc
azcopy
azure-iot-sdk-c
azure-nvme-utils
azure-storage-cpp
azurelinux-release
azurelinux-repos
azurelinux-rpm-macros
azurelinux-sysinfo
bazel
blobfuse2
bmon
bpftrace
ccache
cert-manager
cf-cli
check-restart
clamav
cloud-hypervisor-cvm
cmake-fedora
containerd
containerd2
coredns
dcos-cli
debugedit
dejavu-fonts
distroless-packages
docker-buildx
docker-cli
docker-compose
doxygen
dtc
elixir
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
gh
go-md2man
grpc
grub2-efi-binary-signed
GSL
gtk-update-icon-cache
helm
ig
intel-pf-bb-config
ivykis
jsonbuilder
jx
kata-containers-cc
kata-packages-uvm
keda
keras
kernel-64k-signed
kernel-signed
kernel-uki
kernel-uki-signed
kpatch
kube-vip-cloud-provider
kubernetes
libacvp
libconfini
libconfuse
libgdiplus
libmaxminddb
libmetalink
libsafec
libuv
libxml++
lld
local-path-provisioner
lsb-release
ltp
lttng-consume
mm-common
moby-containerd-cc
moby-engine
msgpack
ncompress
networkd-dispatcher
nlohmann-json
nmap
node-problem-detector
ntopng
opentelemetry-cpp
packer
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates
prebuilt-ca-certificates-base
prometheus-adapter
python-cachetools
python-cherrypy
python-cstruct
python-execnet
python-google-pasta
python-libclang
python-libevdev
python-logutils
python-ml-dtypes
python-namex
python-nocasedict
python-omegaconf
python-opt-einsum
python-optree
python-pecan
python-pip
python-pyrpm
python-remoto
python-repoze-lru
python-routes
python-rsa
python-setuptools
python-sphinxcontrib-websupport
python-tensorboard
python-tensorboard-plugin-wit
python-yamlloader
R
rabbitmq-server
rocksdb
rubygem-addressable
rubygem-asciidoctor
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-bindata
rubygem-concurrent-ruby
rubygem-connection_pool
rubygem-console
rubygem-cool.io
rubygem-deep_merge
rubygem-digest-crc
rubygem-elastic-transport
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-eventmachine
rubygem-excon
rubygem-faraday
rubygem-faraday-em_http
rubygem-faraday-em_synchrony
rubygem-faraday-excon
rubygem-faraday-httpclient
rubygem-faraday-multipart
rubygem-faraday-net_http
rubygem-faraday-net_http_persistent
rubygem-faraday-patron
rubygem-faraday-rack
rubygem-faraday-retry
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-webhdfs
rubygem-fluent-plugin-windows-exporter
rubygem-fluentd
rubygem-hirb
rubygem-hocon
rubygem-hoe
rubygem-http_parser
rubygem-httpclient
rubygem-io-event
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-minitest
rubygem-mocha
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-net-http-persistent
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-power_assert
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-puppet-resource_api
rubygem-rdiscount
rubygem-rdkafka
rubygem-rexml
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-rubyzip
rubygem-semantic_puppet
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-test-unit
rubygem-thor
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-webrick
rubygem-yajl-ruby
rubygem-zip-zip
runc
sdbus-cpp
sgx-backwards-compatibility
shim
skopeo
span-lite
sriov-network-device-plugin
SymCrypt
SymCrypt-OpenSSL
systemd-boot-signed
tensorflow
tinyxml2
toml11
tracelogging
umoci
usrsctp
vala
valkey
vnstat
zstd | | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan | | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad | | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container
mlnx-tools
mlx-bootctl
nvidia-container-toolkit
ofed-scripts
perftest | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index 51aec95013e..80f62df89c0 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -2223,6 +2223,7 @@ "cloud-hypervisor-cvm", "cmake-fedora", "containerd", + "containerd2", "coredns", "dcos-cli", "debugedit", diff --git a/SPECS/containerd2/containerd.service b/SPECS/containerd2/containerd.service new file mode 100644 index 00000000000..06b501178b9 --- /dev/null +++ b/SPECS/containerd2/containerd.service @@ -0,0 +1,15 @@ +[Unit] +Description=containerd container runtime +Documentation=https://containerd.io +After=network.target + +[Service] +ExecStartPre=/sbin/modprobe overlay +ExecStart=/usr/bin/containerd +Restart=always +Delegate=yes +KillMode=process +OOMScoreAdjust=-999 + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/containerd2/containerd.toml b/SPECS/containerd2/containerd.toml new file mode 100644 index 00000000000..422716a3c33 --- /dev/null +++ b/SPECS/containerd2/containerd.toml @@ -0,0 +1,9 @@ +version = 2 +[plugins] + [plugins."io.containerd.grpc.v1.cri"] + [plugins."io.containerd.grpc.v1.cri".containerd] + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + runtime_type = "io.containerd.runc.v2" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + SystemdCgroup = true \ No newline at end of file diff --git a/SPECS/containerd2/containerd2.signatures.json b/SPECS/containerd2/containerd2.signatures.json new file mode 100644 index 00000000000..d49f7f913eb --- /dev/null +++ b/SPECS/containerd2/containerd2.signatures.json @@ -0,0 +1,7 @@ +{ + "Signatures": { + "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8", + "containerd.toml": "5b3821236f09b4c858e0e098bbe1400f4dbbb47d360e39d21c61858b088c2896", + "containerd-2.0.0.tar.gz": "346d644e1b96e1f4a39bfe9d1eb0eb01ca676f806c12d95e5dbe35325bbc1780" + } +} \ No newline at end of file diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec new file mode 100644 index 00000000000..79013cc94f4 --- /dev/null +++ b/SPECS/containerd2/containerd2.spec @@ -0,0 +1,85 @@ +%global debug_package %{nil} +%define upstream_name containerd +%define commit_hash 207ad711eabd375a01713109a8a197d197ff6542 + +Summary: Industry-standard container runtime +Name: %{upstream_name}2 +Version: 2.0.0 +Release: 1%{?dist} +License: ASL 2.0 +Group: Tools/Container +URL: https://www.containerd.io +Vendor: Microsoft Corporation +Distribution: Azure Linux + +Source0: https://github.com/containerd/containerd/archive/v%{version}.tar.gz#/%{upstream_name}-%{version}.tar.gz +Source1: containerd.service +Source2: containerd.toml + +%{?systemd_requires} + +BuildRequires: golang +BuildRequires: go-md2man +BuildRequires: make +BuildRequires: systemd-rpm-macros + +Requires: runc >= 1.2.2 + +%description +containerd is an industry-standard container runtime with an emphasis on +simplicity, robustness and portability. It is available as a daemon for Linux +and Windows, which can manage the complete container lifecycle of its host +system: image transfer and storage, container execution and supervision, +low-level storage and network attachments, etc. + +containerd is designed to be embedded into a larger system, rather than being +used directly by developers or end-users. + +%prep +%autosetup -p1 -n %{upstream_name}-%{version} + +%build +export BUILDTAGS="-mod=vendor" +make VERSION="%{version}" REVISION="%{commit_hash}" binaries man + +%check +export BUILDTAGS="-mod=vendor" +make VERSION="%{version}" REVISION="%{commit_hash}" test + +%install +make VERSION="%{version}" REVISION="%{commit_hash}" DESTDIR="%{buildroot}" PREFIX="/usr" install install-man + +mkdir -p %{buildroot}/%{_unitdir} +install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/containerd.service +install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/containerd/config.toml +install -vdm 755 %{buildroot}/opt/containerd/{bin,lib} + +%post +%systemd_post containerd.service + +if [ $1 -eq 1 ]; then # Package install + systemctl enable containerd.service > /dev/null 2>&1 || : + systemctl start containerd.service > /dev/null 2>&1 || : +fi + +%preun +%systemd_preun containerd.service + +%postun +%systemd_postun_with_restart containerd.service + +%files +%license LICENSE NOTICE +%{_bindir}/* +%{_mandir}/* +%config(noreplace) %{_unitdir}/containerd.service +%config(noreplace) %{_sysconfdir}/containerd/config.toml +%dir /opt/containerd +%dir /opt/containerd/bin +%dir /opt/containerd/lib + +%changelog +* Wed Dec 11 2024 Nan Liu - 2.0.0-1 +- Created a standalone package for containerd 2.0.0 +- Initial CBL-Mariner import from Azure +- Initial version and License verified \ No newline at end of file diff --git a/cgmanifest.json b/cgmanifest.json index f5b99318796..a835a331c21 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2022,6 +2022,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "containerd2", + "version": "2.0.0", + "downloadUrl": "https://github.com/containerd/containerd/archive/v2.0.0.tar.gz" + } + } + }, { "component": { "type": "other", From f26ed9c2e9e9b77dc806894098f3d73db7ec877f Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Wed, 18 Dec 2024 11:08:18 -0800 Subject: [PATCH 25/55] Added distrusted CAs to the cert bundles. (#11440) --- .../ca-certificates.signatures.json | 1 + SPECS/ca-certificates/ca-certificates.spec | 22 +- SPECS/ca-certificates/certdata.distrusted.txt | 302 ++++++++++++++++++ .../prebuilt-ca-certificates-base.spec | 5 +- .../prebuilt-ca-certificates.spec | 5 +- .../manifests/package/pkggen_core_aarch64.txt | 8 +- .../manifests/package/pkggen_core_x86_64.txt | 8 +- .../manifests/package/toolchain_aarch64.txt | 10 +- .../manifests/package/toolchain_x86_64.txt | 10 +- 9 files changed, 350 insertions(+), 21 deletions(-) create mode 100644 SPECS/ca-certificates/certdata.distrusted.txt diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json index 8348c78a905..1a2a357595b 100644 --- a/SPECS/ca-certificates/ca-certificates.signatures.json +++ b/SPECS/ca-certificates/ca-certificates.signatures.json @@ -11,6 +11,7 @@ "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8", "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a", "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57", + "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d", "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd", "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33", "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426", diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec index 8b16547d594..9a58bad8480 100644 --- a/SPECS/ca-certificates/ca-certificates.spec +++ b/SPECS/ca-certificates/ca-certificates.spec @@ -6,6 +6,8 @@ %define p11_format_base_bundle ca-bundle.trust.base.p11-kit +%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit + %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit # List of packages triggering legacy certs generation if 'ca-certificates-legacy' @@ -45,7 +47,7 @@ Name: ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well. Epoch: 1 Version: %{azl}.0.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -69,6 +71,8 @@ Source21: certdata.base.txt Source22: bundle2pem.sh # The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program. Source23: certdata.microsoft.txt +# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program. +Source24: certdata.distrusted.txt BuildRequires: /bin/ln BuildRequires: asciidoc @@ -146,6 +150,7 @@ cp -p %{SOURCE20} . %convert_certdata %{SOURCE21} %convert_certdata %{SOURCE23} +%convert_certdata %{SOURCE24} #manpage cp %{SOURCE10} %{name}/update-ca-trust.8.txt @@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README # Microsoft certs %install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} +# Distrusted certs +%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle} + # TODO: consider to dynamically create the update-ca-trust script from within # this .spec file, in order to have the output file+directory names at once place only. install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust @@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle} %files +%defattr(-,root,root) # Microsoft certs bundle file with trust %{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle} %files base +%defattr(-,root,root) %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle} %files shared +%defattr(-,root,root) %license LICENSE # symlinks for old locations @@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %dir %{pkidir}/tls %dir %{pkidir}/tls/certs +# Distrusted CAs +%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle} + %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem @@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem} %ghost %{catrustdir}/extracted/edk2/cacerts.bin %files tools +%defattr(-,root,root) # update/extract tool %{_bindir}/update-ca-trust %{_mandir}/man8/update-ca-trust.8.gz %files legacy +%defattr(-,root,root) %{_bindir}/bundle2pem.sh %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8 +- Update adding Microsoft distrusted CAs. +- Explicitly set default file ownership to root:root. + * Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 - Updating Microsoft trusted root CAs. diff --git a/SPECS/ca-certificates/certdata.distrusted.txt b/SPECS/ca-certificates/certdata.distrusted.txt new file mode 100644 index 00000000000..913d0e76496 --- /dev/null +++ b/SPECS/ca-certificates/certdata.distrusted.txt @@ -0,0 +1,302 @@ +# Release: December 2024 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# +# certdata.txt +# +# This file contains the object definitions for the certs and other +# information "built into" NSS. +# +# Object definitions: +# +# Certificates +# +# -- Attribute -- -- type -- -- value -- +# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +# CKA_TOKEN CK_BBOOL CK_TRUE +# CKA_PRIVATE CK_BBOOL CK_FALSE +# CKA_MODIFIABLE CK_BBOOL CK_FALSE +# CKA_LABEL UTF8 (varies) +# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +# CKA_SUBJECT DER+base64 (varies) +# CKA_ID byte array (varies) +# CKA_ISSUER DER+base64 (varies) +# CKA_SERIAL_NUMBER DER+base64 (varies) +# CKA_VALUE DER+base64 (varies) +# CKA_NSS_EMAIL ASCII7 (unused here) +# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies) +# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies) +# +# Trust +# +# -- Attribute -- -- type -- -- value -- +# CKA_CLASS CK_OBJECT_CLASS CKO_TRUST +# CKA_TOKEN CK_BBOOL CK_TRUE +# CKA_PRIVATE CK_BBOOL CK_FALSE +# CKA_MODIFIABLE CK_BBOOL CK_FALSE +# CKA_LABEL UTF8 (varies) +# CKA_ISSUER DER+base64 (varies) +# CKA_SERIAL_NUMBER DER+base64 (varies) +# CKA_CERT_HASH binary+base64 (varies) +# CKA_EXPIRES CK_DATE (not used here) +# CKA_TRUST_DIGITAL_SIGNATURE CK_TRUST (varies) +# CKA_TRUST_NON_REPUDIATION CK_TRUST (varies) +# CKA_TRUST_KEY_ENCIPHERMENT CK_TRUST (varies) +# CKA_TRUST_DATA_ENCIPHERMENT CK_TRUST (varies) +# CKA_TRUST_KEY_AGREEMENT CK_TRUST (varies) +# CKA_TRUST_KEY_CERT_SIGN CK_TRUST (varies) +# CKA_TRUST_CRL_SIGN CK_TRUST (varies) +# CKA_TRUST_SERVER_AUTH CK_TRUST (varies) +# CKA_TRUST_CLIENT_AUTH CK_TRUST (varies) +# CKA_TRUST_CODE_SIGNING CK_TRUST (varies) +# CKA_TRUST_EMAIL_PROTECTION CK_TRUST (varies) +# CKA_TRUST_IPSEC_END_SYSTEM CK_TRUST (varies) +# CKA_TRUST_IPSEC_TUNNEL CK_TRUST (varies) +# CKA_TRUST_IPSEC_USER CK_TRUST (varies) +# CKA_TRUST_TIME_STAMPING CK_TRUST (varies) +# CKA_TRUST_STEP_UP_APPROVED CK_BBOOL (varies) +# (other trust attributes can be defined) +# + +# +# The object to tell NSS that this is a root list and we don't +# have to go looking for others. +# +BEGINDATA +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Microsoft Builtin Distrusted Certificates" + +# +# Certificate "google.com" +# +# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR +# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52 +# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization +# Not Valid Before: Thu Nov 28 21:19:48 2024 +# Not Valid After : Fri Nov 28 21:19:48 2025 +# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37 +# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "google.com" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\202\001\065\061\035\060\033\006\003\125\004\017\014\024\120 +\162\151\166\141\164\145\040\117\162\147\141\156\151\172\141\164 +\151\157\156\061\023\060\021\006\013\053\006\001\004\001\202\067 +\074\002\001\003\023\002\102\122\061\027\060\025\006\003\125\004 +\005\023\016\064\063\063\071\064\064\061\071\060\060\060\061\070 +\070\061\013\060\011\006\003\125\004\006\023\002\102\122\061\070 +\060\066\006\003\125\004\012\014\057\107\117\117\107\114\105\040 +\120\101\131\040\102\122\101\123\111\114\040\111\116\123\124\111 +\124\125\111\103\101\117\040\104\105\040\120\101\107\101\115\105 +\116\124\117\040\114\124\104\101\061\013\060\011\006\003\125\004 +\010\014\002\123\120\061\022\060\020\006\003\125\004\007\014\011 +\123\141\157\040\120\141\165\154\157\061\063\060\061\006\003\125 +\004\141\014\052\117\106\102\102\122\055\145\146\060\144\071\065 +\067\066\055\146\064\066\143\055\064\143\071\065\055\142\066\071 +\060\055\145\070\070\062\145\060\142\064\071\142\143\060\061\064 +\060\062\006\012\011\222\046\211\223\362\054\144\001\001\014\044 +\142\062\067\142\142\061\071\064\055\060\062\065\070\055\064\067 +\141\143\055\141\143\142\141\055\143\066\146\060\066\146\063\071 +\067\070\067\143\061\023\060\021\006\003\125\004\003\014\012\147 +\157\157\147\154\145\056\143\157\155 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122 +\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102 +\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054 +\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151 +\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162 +\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050 +\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163 +\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123 +\123\114\040\105\126\040\107\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163 +\127\122 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\010\001\060\202\005\351\240\003\002\001\002\002\020\050 +\205\064\107\071\032\162\036\166\224\205\111\116\163\127\122\060 +\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\201 +\205\061\013\060\011\006\003\125\004\006\023\002\102\122\061\023 +\060\021\006\003\125\004\012\023\012\111\103\120\055\102\162\141 +\163\151\154\061\065\060\063\006\003\125\004\013\023\054\101\165 +\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146\151 +\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141\163 +\151\154\145\151\162\141\040\166\061\060\061\052\060\050\006\003 +\125\004\003\023\041\101\103\040\103\145\162\164\151\163\151\147 +\156\040\111\103\120\055\102\162\141\163\151\154\040\123\123\114 +\040\105\126\040\107\064\060\036\027\015\062\064\061\061\062\070 +\062\061\061\071\064\070\132\027\015\062\065\061\061\062\070\062 +\061\061\071\064\070\132\060\202\001\065\061\035\060\033\006\003 +\125\004\017\014\024\120\162\151\166\141\164\145\040\117\162\147 +\141\156\151\172\141\164\151\157\156\061\023\060\021\006\013\053 +\006\001\004\001\202\067\074\002\001\003\023\002\102\122\061\027 +\060\025\006\003\125\004\005\023\016\064\063\063\071\064\064\061 +\071\060\060\060\061\070\070\061\013\060\011\006\003\125\004\006 +\023\002\102\122\061\070\060\066\006\003\125\004\012\014\057\107 +\117\117\107\114\105\040\120\101\131\040\102\122\101\123\111\114 +\040\111\116\123\124\111\124\125\111\103\101\117\040\104\105\040 +\120\101\107\101\115\105\116\124\117\040\114\124\104\101\061\013 +\060\011\006\003\125\004\010\014\002\123\120\061\022\060\020\006 +\003\125\004\007\014\011\123\141\157\040\120\141\165\154\157\061 +\063\060\061\006\003\125\004\141\014\052\117\106\102\102\122\055 +\145\146\060\144\071\065\067\066\055\146\064\066\143\055\064\143 +\071\065\055\142\066\071\060\055\145\070\070\062\145\060\142\064 +\071\142\143\060\061\064\060\062\006\012\011\222\046\211\223\362 +\054\144\001\001\014\044\142\062\067\142\142\061\071\064\055\060 +\062\065\070\055\064\067\141\143\055\141\143\142\141\055\143\066 +\146\060\066\146\063\071\067\070\067\143\061\023\060\021\006\003 +\125\004\003\014\012\147\157\157\147\154\145\056\143\157\155\060 +\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001 +\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000 +\245\071\062\166\146\112\020\362\222\260\147\320\324\326\000\245 +\162\170\155\042\014\366\350\006\234\273\346\243\106\262\207\204 +\365\316\016\143\113\113\351\240\024\326\123\263\340\043\116\355 +\201\352\030\177\366\120\142\300\126\373\004\303\011\033\263\025 +\110\177\001\170\272\370\214\026\336\360\057\320\301\103\271\005 +\336\135\034\023\341\103\247\050\130\355\027\324\072\376\174\222 +\360\006\062\201\354\321\230\061\114\025\072\162\013\314\154\030 +\230\241\170\130\202\215\017\366\016\110\003\325\202\331\300\376 +\236\320\033\267\330\334\217\332\331\107\030\277\212\346\126\160 +\310\326\015\051\365\172\366\252\230\347\322\005\307\135\351\037 +\312\236\236\377\176\217\070\203\262\003\026\025\272\170\136\271 +\044\126\313\012\217\257\006\311\057\321\275\055\302\201\124\130 +\042\132\315\142\113\221\247\012\167\301\152\276\254\274\344\163 +\206\013\020\217\110\141\263\046\133\164\110\004\207\122\145\373 +\151\241\005\022\012\373\335\137\226\323\165\051\047\256\316\236 +\250\021\054\170\147\214\275\125\374\300\152\224\353\165\217\131 +\002\003\001\000\001\243\202\002\270\060\202\002\264\060\030\006 +\003\125\035\021\001\001\377\004\016\060\014\202\012\147\157\157 +\147\154\145\056\143\157\155\060\011\006\003\125\035\023\004\002 +\060\000\060\037\006\003\125\035\043\004\030\060\026\200\024\027 +\111\323\106\270\151\244\056\077\011\203\116\024\215\111\076\220 +\325\014\050\060\201\232\006\003\125\035\040\004\201\222\060\201 +\217\060\201\202\006\006\140\114\001\002\001\152\060\170\060\166 +\006\010\053\006\001\005\005\007\002\001\026\152\150\164\164\160 +\072\057\057\151\143\160\055\142\162\141\163\151\154\056\143\145 +\162\164\151\163\151\147\156\056\143\157\155\056\142\162\057\162 +\145\160\157\163\151\164\157\162\151\157\057\144\160\143\057\141 +\143\137\143\145\162\164\151\163\151\147\156\137\151\143\160\137 +\142\162\137\163\163\154\057\104\120\103\137\101\103\137\103\145 +\162\164\151\163\151\147\156\137\111\143\160\137\102\162\137\123 +\163\154\056\160\144\146\060\010\006\006\147\201\014\001\002\002 +\060\201\312\006\003\125\035\037\004\201\302\060\201\277\060\136 +\240\134\240\132\206\130\150\164\164\160\072\057\057\151\143\160 +\055\142\162\141\163\151\154\056\143\145\162\164\151\163\151\147 +\156\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164 +\157\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151 +\163\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064 +\057\114\141\164\145\163\164\103\122\114\056\143\162\154\060\135 +\240\133\240\131\206\127\150\164\164\160\072\057\057\151\143\160 +\055\142\162\141\163\151\154\056\157\165\164\162\141\154\143\162 +\056\143\157\155\056\142\162\057\162\145\160\157\163\151\164\157 +\162\151\157\057\154\143\162\057\101\103\103\145\162\164\151\163 +\151\147\156\111\103\120\102\122\123\123\114\105\126\107\064\057 +\114\141\164\145\163\164\103\122\114\056\143\162\154\060\016\006 +\003\125\035\017\001\001\377\004\004\003\002\003\250\060\035\006 +\003\125\035\045\004\026\060\024\006\010\053\006\001\005\005\007 +\003\001\006\010\053\006\001\005\005\007\003\002\060\023\006\012 +\053\006\001\004\001\326\171\002\004\003\001\001\377\004\002\005 +\000\060\201\275\006\010\053\006\001\005\005\007\001\001\004\201 +\260\060\201\255\060\151\006\010\053\006\001\005\005\007\060\002 +\206\135\150\164\164\160\072\057\057\151\143\160\055\142\162\141 +\163\151\154\056\143\145\162\164\151\163\151\147\156\056\143\157 +\155\056\142\162\057\162\145\160\157\163\151\164\157\162\151\157 +\057\143\145\162\164\151\146\151\143\141\144\157\163\057\101\103 +\137\103\145\162\164\151\163\151\147\156\137\111\143\160\137\102 +\162\137\123\163\154\137\105\126\137\107\064\056\160\067\143\060 +\100\006\010\053\006\001\005\005\007\060\001\206\064\150\164\164 +\160\072\057\057\157\143\163\160\055\141\143\055\143\145\162\164 +\151\163\151\147\156\055\151\143\160\055\142\162\055\163\163\154 +\056\143\145\162\164\151\163\151\147\156\056\143\157\155\056\142 +\162\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000 +\003\202\002\001\000\004\277\164\275\336\224\331\155\317\017\142 +\333\066\327\114\036\123\143\176\215\160\003\240\323\006\373\365 +\167\164\071\324\202\171\354\345\013\353\226\072\237\323\247\366 +\271\247\132\155\174\371\260\177\135\207\024\165\006\057\263\077 +\160\345\152\161\147\363\344\255\257\115\172\163\033\154\164\354 +\344\304\061\003\030\275\234\022\233\223\053\021\073\364\221\165 +\160\055\102\341\220\147\212\270\007\064\347\165\346\020\170\137 +\001\301\316\344\226\363\337\263\307\302\004\333\110\224\200\320 +\352\261\025\020\211\034\317\151\256\172\161\207\032\063\050\117 +\300\232\310\161\146\345\321\007\267\323\320\035\127\002\273\173 +\131\016\216\076\155\115\044\146\112\245\154\360\264\244\356\312 +\050\213\212\270\111\211\206\146\233\013\160\027\260\075\217\022 +\360\241\202\146\334\052\053\314\363\150\240\055\363\122\341\116 +\162\052\075\357\317\137\311\045\005\262\133\046\055\247\332\062 +\377\250\105\167\142\023\333\014\142\240\133\271\346\160\313\001 +\007\332\010\105\114\354\326\061\110\110\164\106\220\340\302\270 +\231\034\204\021\027\341\336\266\037\320\275\366\247\206\333\336 +\120\347\244\215\210\141\141\106\146\070\300\253\260\320\220\326 +\245\307\041\351\224\320\063\071\110\345\052\042\254\163\164\205 +\242\067\151\350\036\302\102\130\346\211\372\151\262\305\002\213 +\203\200\230\261\344\051\153\361\103\323\353\062\365\150\122\052 +\167\301\250\367\375\266\337\130\107\336\106\302\044\261\136\025 +\024\073\255\246\116\242\351\241\011\113\326\051\105\332\143\216 +\041\201\017\276\036\222\150\134\235\033\130\215\031\016\025\322 +\310\337\152\331\232\214\341\060\243\114\175\074\303\132\250\053 +\333\021\267\140\135\231\223\003\335\056\241\062\176\313\134\305 +\114\114\100\377\066\116\252\160\037\027\322\121\305\277\344\105 +\111\036\012\031\346\335\247\203\043\132\351\355\150\076\022\153 +\155\110\337\121\224\002\112\337\374\023\040\307\113\024\077\154 +\364\153\003\136\374\242\242\164\321\300\100\324\211\367\307\146 +\005\331\230\314\124\045\273\245\306\024\036\224\214\100\075\215 +\104\265\367\204\063\367\037\075\221\056\263\325\023\135\313\040 +\173\136\210\017\230 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "google.com" +# Issuer: CN=AC Certisign ICP-Brasil SSL EV G4,OU=Autoridade Certificadora Raiz Brasileira v10,O=ICP-Brasil,C=BR +# Serial Number:28:85:34:47:39:1a:72:1e:76:94:85:49:4e:73:57:52 +# Subject: CN=google.com,UID=b27bb194-0258-47ac-acba-c6f06f39787c,OID.2.5.4.97=OFBBR-ef0d9576-f46c-4c95-b690-e882e0b49bc0,L=Sao Paulo,ST=SP,O=GOOGLE PAY BRASIL INSTITUICAO DE PAGAMENTO LTDA,C=BR,serialNumber=43394419000188,incorporationCountry=BR,businessCategory=Private Organization +# Not Valid Before: Thu Nov 28 21:19:48 2024 +# Not Valid After : Fri Nov 28 21:19:48 2025 +# Fingerprint (SHA-256): 42:13:29:F0:DC:2F:68:3D:6E:96:C1:B5:B3:10:97:4D:09:97:AD:98:4E:F6:91:20:F5:53:72:B4:F4:8E:10:37 +# Fingerprint (SHA1): 1C:68:E6:97:AB:50:91:FE:76:16:D5:2F:A0:36:02:5C:47:43:BB:73 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "google.com" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\034\150\346\227\253\120\221\376\166\026\325\057\240\066\002\134 +\107\103\273\163 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\016\067\034\146\242\243\030\173\162\334\023\136\201\340\143\150 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\205\061\013\060\011\006\003\125\004\006\023\002\102\122 +\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102 +\162\141\163\151\154\061\065\060\063\006\003\125\004\013\023\054 +\101\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151 +\146\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162 +\141\163\151\154\145\151\162\141\040\166\061\060\061\052\060\050 +\006\003\125\004\003\023\041\101\103\040\103\145\162\164\151\163 +\151\147\156\040\111\103\120\055\102\162\141\163\151\154\040\123 +\123\114\040\105\126\040\107\064 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\050\205\064\107\071\032\162\036\166\224\205\111\116\163 +\127\122 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE \ No newline at end of file diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec index 4b0f03161d2..a891db4c20c 100644 --- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec +++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates-base # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: %{azl}.0.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -46,6 +46,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8 +- Update adding Microsoft distrusted CAs. + * Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 - Making 'Release' match with 'ca-certificates' diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec index 0c9326f5c12..f1b153e627c 100644 --- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec +++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec @@ -3,7 +3,7 @@ Name: prebuilt-ca-certificates # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well. Epoch: 1 Version: %{azl}.0.0 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -49,6 +49,9 @@ find %{buildroot} -name README -delete %{_sysconfdir}/pki/java/cacerts %changelog +* Wed Dec 11 2024 Pawel Winogrodzki - 3.0.0-8 +- Update adding Microsoft distrusted CAs. + * Tue Aug 13 2024 CBL-Mariner Servicing Account - 3.0.0-7 - Making 'Release' match with 'ca-certificates' diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index a1c797e9457..7509a242c85 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -234,10 +234,10 @@ libffi-devel-3.4.4-1.azl3.aarch64.rpm libtasn1-4.19.0-1.azl3.aarch64.rpm p11-kit-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -ca-certificates-shared-3.0.0-7.azl3.noarch.rpm -ca-certificates-tools-3.0.0-7.azl3.noarch.rpm -ca-certificates-base-3.0.0-7.azl3.noarch.rpm -ca-certificates-3.0.0-7.azl3.noarch.rpm +ca-certificates-shared-3.0.0-8.azl3.noarch.rpm +ca-certificates-tools-3.0.0-8.azl3.noarch.rpm +ca-certificates-base-3.0.0-8.azl3.noarch.rpm +ca-certificates-3.0.0-8.azl3.noarch.rpm dwz-0.14-2.azl3.aarch64.rpm unzip-6.0-21.azl3.aarch64.rpm python3-3.12.3-5.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6ac2297c298..6f09f409b11 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -234,10 +234,10 @@ libffi-devel-3.4.4-1.azl3.x86_64.rpm libtasn1-4.19.0-1.azl3.x86_64.rpm p11-kit-0.25.0-1.azl3.x86_64.rpm p11-kit-trust-0.25.0-1.azl3.x86_64.rpm -ca-certificates-shared-3.0.0-7.azl3.noarch.rpm -ca-certificates-tools-3.0.0-7.azl3.noarch.rpm -ca-certificates-base-3.0.0-7.azl3.noarch.rpm -ca-certificates-3.0.0-7.azl3.noarch.rpm +ca-certificates-shared-3.0.0-8.azl3.noarch.rpm +ca-certificates-tools-3.0.0-8.azl3.noarch.rpm +ca-certificates-base-3.0.0-8.azl3.noarch.rpm +ca-certificates-3.0.0-8.azl3.noarch.rpm dwz-0.14-2.azl3.x86_64.rpm unzip-6.0-21.azl3.x86_64.rpm python3-3.12.3-5.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 77ca66d1ceb..85392cd638e 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -37,11 +37,11 @@ bzip2-1.0.8-1.azl3.aarch64.rpm bzip2-debuginfo-1.0.8-1.azl3.aarch64.rpm bzip2-devel-1.0.8-1.azl3.aarch64.rpm bzip2-libs-1.0.8-1.azl3.aarch64.rpm -ca-certificates-3.0.0-7.azl3.noarch.rpm -ca-certificates-base-3.0.0-7.azl3.noarch.rpm -ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm -ca-certificates-shared-3.0.0-7.azl3.noarch.rpm -ca-certificates-tools-3.0.0-7.azl3.noarch.rpm +ca-certificates-3.0.0-8.azl3.noarch.rpm +ca-certificates-base-3.0.0-8.azl3.noarch.rpm +ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm +ca-certificates-shared-3.0.0-8.azl3.noarch.rpm +ca-certificates-tools-3.0.0-8.azl3.noarch.rpm ccache-4.8.3-3.azl3.aarch64.rpm ccache-debuginfo-4.8.3-3.azl3.aarch64.rpm check-0.15.2-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index b0c69a29cf4..45de7f2ea2c 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -38,11 +38,11 @@ bzip2-1.0.8-1.azl3.x86_64.rpm bzip2-debuginfo-1.0.8-1.azl3.x86_64.rpm bzip2-devel-1.0.8-1.azl3.x86_64.rpm bzip2-libs-1.0.8-1.azl3.x86_64.rpm -ca-certificates-3.0.0-7.azl3.noarch.rpm -ca-certificates-base-3.0.0-7.azl3.noarch.rpm -ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm -ca-certificates-shared-3.0.0-7.azl3.noarch.rpm -ca-certificates-tools-3.0.0-7.azl3.noarch.rpm +ca-certificates-3.0.0-8.azl3.noarch.rpm +ca-certificates-base-3.0.0-8.azl3.noarch.rpm +ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm +ca-certificates-shared-3.0.0-8.azl3.noarch.rpm +ca-certificates-tools-3.0.0-8.azl3.noarch.rpm ccache-4.8.3-3.azl3.x86_64.rpm ccache-debuginfo-4.8.3-3.azl3.x86_64.rpm check-0.15.2-1.azl3.x86_64.rpm From 09af170f1b3e75f635ddcaa412480f315c66ba0f Mon Sep 17 00:00:00 2001 From: Archana Choudhary <36061892+arc9693@users.noreply.github.com> Date: Thu, 19 Dec 2024 21:08:20 +0530 Subject: [PATCH 26/55] fix: ISO installer encrypted root doesn't boot (#11324) --- toolkit/tools/imagegen/diskutils/diskutils.go | 4 +++- toolkit/tools/imagegen/diskutils/encryption.go | 10 +++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go index 72f0c8e02af..7d834888f79 100644 --- a/toolkit/tools/imagegen/diskutils/diskutils.go +++ b/toolkit/tools/imagegen/diskutils/diskutils.go @@ -32,7 +32,9 @@ var ( DefaultMkfsOptions = map[string][]string{ "ext2": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr"}, "ext3": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal"}, - "ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize"}, + // grub2 doesn't recognize ext4 with metadata_csum_seed enabled + // ^metadata_csum_seed disables filesystem to store the metadata checksum seed in the superblock, hence disables changing uuid of mounted filesystem + "ext4": {"-b", "4096", "-O", "none,sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr,has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize,^metadata_csum_seed"}, } partedVersionRegex = regexp.MustCompile(`^parted \(GNU parted\) (\d+)\.(\d+)`) diff --git a/toolkit/tools/imagegen/diskutils/encryption.go b/toolkit/tools/imagegen/diskutils/encryption.go index 36098cf5172..aaaebd755da 100644 --- a/toolkit/tools/imagegen/diskutils/encryption.go +++ b/toolkit/tools/imagegen/diskutils/encryption.go @@ -173,8 +173,16 @@ func encryptRootPartition(partDevPath string, partition configuration.Partition, return } + mkfsOptions, ok := DefaultMkfsOptions[partition.FsType] + if !ok { + mkfsOptions = []string{} + } + mkfsArgs := []string{"-t", partition.FsType} + mkfsArgs = append(mkfsArgs, mkfsOptions...) + mkfsArgs = append(mkfsArgs, fullMappedPath) + // Create the file system - _, stderr, err = shell.Execute("mkfs", "-t", partition.FsType, fullMappedPath) + _, stderr, err = shell.Execute("mkfs", mkfsArgs...) if err != nil { err = fmt.Errorf("failed to mkfs for partition (%v):\n%v\n%w", partDevPath, stderr, err) } From 4370bdf352b0d7e685a6375063bc9d194320f05f Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 19 Dec 2024 13:31:53 -0800 Subject: [PATCH 27/55] =?UTF-8?q?Revert=20"TDX:=20Enable=20CONFIG=5FINTEL?= =?UTF-8?q?=5FTDX=5FGUEST,=20CONFIG=5FTDX=5FGUEST=5FDRIVER=20(=E2=80=A6=20?= =?UTF-8?q?(#11553)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Temporarily revert the TDX changes in order to update and publish kernel-64k as a work around build tools --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 5 +---- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 +---- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 +---- SPECS/kernel-64k/kernel-64k.spec | 5 +---- SPECS/kernel-headers/kernel-headers.spec | 5 +---- SPECS/kernel/config | 3 +-- SPECS/kernel/kernel-uki.spec | 5 +---- SPECS/kernel/kernel.signatures.json | 2 +- SPECS/kernel/kernel.spec | 5 +---- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 13 files changed, 14 insertions(+), 36 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index 1e881bfe37b..b0111d170d2 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,9 +105,6 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Original version for Azure Linux - Starting with release 5 to align with kernel release. diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 81d8d68ba96..14c6ac12d4a 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,9 +145,6 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 8189674d8b7..08983f26a80 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,9 +68,6 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index f91783075cd..199000195e7 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -25,7 +25,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -370,9 +370,6 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Initial CBL-Mariner import from Photon (license: Apache2). - Starting with release 5 to align with kernel release. diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 3d645e24499..330136d2c8f 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,9 +75,6 @@ done %endif %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/config b/SPECS/kernel/config index b225406e6b8..0eecab7d127 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -380,7 +380,7 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y CONFIG_PARAVIRT_CLOCK=y # CONFIG_JAILHOUSE_GUEST is not set # CONFIG_ACRN_GUEST is not set -CONFIG_INTEL_TDX_GUEST=y +# CONFIG_INTEL_TDX_GUEST is not set # CONFIG_MK8 is not set # CONFIG_MPSC is not set # CONFIG_MCORE2 is not set @@ -6157,7 +6157,6 @@ CONFIG_VMGENID=y # CONFIG_NITRO_ENCLAVES is not set # CONFIG_EFI_SECRET is not set CONFIG_SEV_GUEST=y -CONFIG_TDX_GUEST_DRIVER=m CONFIG_VIRTIO_ANCHOR=y CONFIG_VIRTIO=y CONFIG_VIRTIO_PCI_LIB=y diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index eafde865252..5a0322b8ec6 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,9 +70,6 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Bump release to match kernel - * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index eda9fcf8ddd..5b05220a50a 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config": "651f9cab61a3eb370f7e6451d2115cce2c5f137f5d7e5f28234b5d07bf841d0f", + "config": "53cf68442824f43df68ee1105d1fe428474da2cc723610114d0409ad15a424d1", "config_aarch64": "bfb4b4344045354a2ba518d11ae81fe5e3d45e9b11253ca2e199792543a9d624", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 6e132d92c6c..02f40d57d19 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -30,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.57.1 -Release: 6%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -424,9 +424,6 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-6 -- Enable CONFIG_INTEL_TDX_GUEST and CONFIG_TDX_GUEST_DRIVER - * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Enable ICE ethernet driver diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 7509a242c85..07c4696ff4f 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-5.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6f09f409b11..31e58640021 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-5.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 85392cd638e..9c5680090ca 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-5.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 45de7f2ea2c..c950a26e5ce 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.57.1-6.azl3.noarch.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-5.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm From bdb6277146c8f15e7f3216a149b08433218a7756 Mon Sep 17 00:00:00 2001 From: Adit Jha <111916775+aditjha-msft@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:15:25 -0800 Subject: [PATCH 28/55] pam: Add patch for CVE-2024-10041 (#11528) --- SPECS/pam/CVE-2024-10041.patch | 89 +++++++++++++++++++ SPECS/pam/pam.spec | 6 +- .../manifests/package/toolchain_aarch64.txt | 8 +- .../manifests/package/toolchain_x86_64.txt | 8 +- 4 files changed, 102 insertions(+), 9 deletions(-) create mode 100644 SPECS/pam/CVE-2024-10041.patch diff --git a/SPECS/pam/CVE-2024-10041.patch b/SPECS/pam/CVE-2024-10041.patch new file mode 100644 index 00000000000..27fc26ee959 --- /dev/null +++ b/SPECS/pam/CVE-2024-10041.patch @@ -0,0 +1,89 @@ +From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Mon, 1 Jan 2024 12:00:00 +0000 +Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow + password file entries + +Initially, when pam_unix.so verified the password, it used to try to +obtain the shadow password file entry for the given user by invoking +getspnam(3), and only when that didn't work and the effective uid +was nonzero, pam_unix.so used to invoke the helper as a fallback. + +When SELinux support was introduced by commit +67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended +also for the case when SELinux was enabled. + +Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the +fallback conditions for the case when pam_modutil_getspnam() failed +with EACCES. + +Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is +invoked as a fallback when pam_modutil_getspnam() fails for any reason. + +The ultimate solution for the case when pam_unix.so does not have +permissions to obtain the shadow password file entry is to stop trying +to use pam_modutil_getspnam() and to invoke the helper instead. +Here are two recent examples. + +https://github.com/linux-pam/linux-pam/pull/484 describes a system +configuration where libnss_systemd is enabled along with libnss_files +in the shadow entry of nsswitch.conf, so when libnss_files is unable +to obtain the shadow password file entry for the root user, e.g. when +SELinux is enabled, NSS falls back to libnss_systemd which returns +a synthesized shadow password file entry for the root user, which +in turn locks the root user out. + +https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes +essentially the same problem in a similar system configuration. + +This commit is the final step in the direction of addressing the issue: +for password verification pam_unix.so now invokes the helper instead of +making the pam_modutil_getspnam() call. + +* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: +Always return PAM_UNIX_RUN_HELPER instead of trying to obtain +the shadow password file entry. + +Complements: https://github.com/linux-pam/linux-pam/pull/386 +Resolves: https://github.com/linux-pam/linux-pam/pull/484 +Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92 +--- + modules/pam_unix/passverify.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index 2474fa7aa4..c48e3c5a79 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -238,20 +238,21 @@ PAMH_ARG_DECL(int get_account_info, + return PAM_UNIX_RUN_HELPER; + #endif + } else if (is_pwd_shadowed(*pwd)) { ++#ifdef HELPER_COMPILE + /* +- * ...and shadow password file entry for this user, ++ * shadow password file entry for this user, + * if shadowing is enabled + */ +- *spwdent = pam_modutil_getspnam(pamh, name); +- if (*spwdent == NULL) { +-#ifndef HELPER_COMPILE +- /* still a chance the user can authenticate */ +- return PAM_UNIX_RUN_HELPER; +-#endif +- return PAM_AUTHINFO_UNAVAIL; +- } +- if ((*spwdent)->sp_pwdp == NULL) ++ *spwdent = getspnam(name); ++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; ++#else ++ /* ++ * The helper has to be invoked to deal with ++ * the shadow password file entry. ++ */ ++ return PAM_UNIX_RUN_HELPER; ++#endif + } + } else { + return PAM_USER_UNKNOWN; diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec index 231a01044b7..2342234b901 100644 --- a/SPECS/pam/pam.spec +++ b/SPECS/pam/pam.spec @@ -1,7 +1,7 @@ Summary: Linux Pluggable Authentication Modules Name: pam Version: 1.5.3 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD and GPLv2+ URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz @@ -17,6 +17,7 @@ Recommends: cracklib-dicts Patch0: CVE-2024-22365.patch Patch1: CVE-2024-10963.patch +Patch2: CVE-2024-10041.patch %description The Linux PAM package contains Pluggable Authentication Modules used to @@ -105,6 +106,9 @@ EOF %{_libdir}/pkgconfig/pamc.pc %changelog +* Wed Dec 18 2024 Adit Jha - 1.5.3-4 +- Patching CVE-2024-10041. + * Fri Dec 06 2024 Adit Jha - 1.5.3-3 - Patching CVE-2024-10963. diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 9c5680090ca..49865ecfdf8 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -296,10 +296,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm p11-kit-devel-0.25.0-1.azl3.aarch64.rpm p11-kit-server-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -pam-1.5.3-3.azl3.aarch64.rpm -pam-debuginfo-1.5.3-3.azl3.aarch64.rpm -pam-devel-1.5.3-3.azl3.aarch64.rpm -pam-lang-1.5.3-3.azl3.aarch64.rpm +pam-1.5.3-4.azl3.aarch64.rpm +pam-debuginfo-1.5.3-4.azl3.aarch64.rpm +pam-devel-1.5.3-4.azl3.aarch64.rpm +pam-lang-1.5.3-4.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm patch-debuginfo-2.7.6-9.azl3.aarch64.rpm pcre2-10.42-3.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c950a26e5ce..1b84d9210f3 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -302,10 +302,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm p11-kit-devel-0.25.0-1.azl3.x86_64.rpm p11-kit-server-0.25.0-1.azl3.x86_64.rpm p11-kit-trust-0.25.0-1.azl3.x86_64.rpm -pam-1.5.3-3.azl3.x86_64.rpm -pam-debuginfo-1.5.3-3.azl3.x86_64.rpm -pam-devel-1.5.3-3.azl3.x86_64.rpm -pam-lang-1.5.3-3.azl3.x86_64.rpm +pam-1.5.3-4.azl3.x86_64.rpm +pam-debuginfo-1.5.3-4.azl3.x86_64.rpm +pam-devel-1.5.3-4.azl3.x86_64.rpm +pam-lang-1.5.3-4.azl3.x86_64.rpm patch-2.7.6-9.azl3.x86_64.rpm patch-debuginfo-2.7.6-9.azl3.x86_64.rpm pcre2-10.42-3.azl3.x86_64.rpm From 7e17b8d451b2bd5adc45bb9ae2a7b0dda5b7465a Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 19 Dec 2024 17:14:53 -0800 Subject: [PATCH 29/55] Update kernel-64k to have kexec signature verification (#11569) Update kernel-64k to include kexec_sig verification. Bump all other relevant kernel specs --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 ++++- SPECS/kernel-64k/config_aarch64 | 5 +++-- SPECS/kernel-64k/kernel-64k.signatures.json | 2 +- SPECS/kernel-64k/kernel-64k.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/kernel-uki.spec | 5 ++++- SPECS/kernel/kernel.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 13 files changed, 37 insertions(+), 15 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index b0111d170d2..a6ab283c372 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Original version for Azure Linux - Starting with release 5 to align with kernel release. diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 14c6ac12d4a..b45ec622577 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 08983f26a80..3dc88f1e79d 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64 index f16e6660f02..f9ea766b12b 100644 --- a/SPECS/kernel-64k/config_aarch64 +++ b/SPECS/kernel-64k/config_aarch64 @@ -275,7 +275,8 @@ CONFIG_KEXEC_CORE=y CONFIG_HAVE_IMA_KEXEC=y # CONFIG_KEXEC is not set CONFIG_KEXEC_FILE=y -# CONFIG_KEXEC_SIG is not set +CONFIG_KEXEC_SIG=y +CONFIG_KEXEC_IMAGE_VERIFY_SIG=y CONFIG_CRASH_DUMP=y # end of Kexec and crash features # end of General setup @@ -10782,7 +10783,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set -# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y # CONFIG_FIPS_SIGNATURE_SELFTEST is not set # diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json index d47af0ffb56..a935b60e887 100644 --- a/SPECS/kernel-64k/kernel-64k.signatures.json +++ b/SPECS/kernel-64k/kernel-64k.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config_aarch64": "81527e718a88af9535ed5184f8c4d70eeece5374b197c9bade7cb6c818759cf8", + "config_aarch64": "2e511edb6a5a6236c6f7307f070df422bd6032b1e572f8f44ef4134ecea7d5b7", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 199000195e7..4f2ec85b6d4 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -25,7 +25,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -370,6 +370,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Enable kexec signature verification + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Initial CBL-Mariner import from Photon (license: Apache2). - Starting with release 5 to align with kernel release. diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 330136d2c8f..77d34b27719 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 5a0322b8ec6..edc6c72e7ba 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 02f40d57d19..f7a31ef1284 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -30,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -424,6 +424,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Enable ICE ethernet driver diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 07c4696ff4f..7509a242c85 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 31e58640021..6f09f409b11 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 49865ecfdf8..549a5490e50 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 1b84d9210f3..fa1752caf9e 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.57.1-5.azl3.noarch.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm From dd652a9b7578633b496dda102141ef6c2fb08144 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Thu, 19 Dec 2024 20:38:03 -0500 Subject: [PATCH 30/55] Revert "Release bump systemd-boot to use new keys (#11439)" This reverts commit c36b4284da0a05cd24ae2faab38f3e2b8c3890ec. --- .../systemd-boot-signed/systemd-boot-signed.spec | 9 +-------- SPECS/systemd/systemd.spec | 5 +---- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index 6178a71997b..59a3ed26055 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec @@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 19%{?dist} +Release: 18%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -53,9 +53,6 @@ Provides: version(systemd-boot)%{_isa} = %version Obsoletes: systemd-udev < 252.2^ Conflicts: grub2-efi-binary -Recommends: shim >= 15.8-3 -Conflicts: shim < 15.8-3 - %description -n systemd-boot systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a graphical menu to select the entry to boot and an editor for the kernel command @@ -93,10 +90,6 @@ popd /boot/efi/EFI/BOOT/grubx64.efi %changelog -* Thu Dec 12 2024 Daniel McIlvaney - 255-19 -- Version bump to force signing with new Azure Linux secure boot key -- Add confilcts/recommends on shim to ensure the keys match - * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Update sd-boot install location diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index bf0b98fa483..291aa6bbbb4 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 19%{?dist} +Release: 18%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 @@ -1216,9 +1216,6 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog -* Thu Dec 12 2024 Daniel McIlvaney - 255-19 -- Version bump to force signing with new Azure Linux secure boot key - * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Install systemd-boot binary to ESP From 78a3d9bc5d74ff69fda72ff7e834635e23ab4103 Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Thu, 19 Dec 2024 17:14:53 -0800 Subject: [PATCH 31/55] Update kernel-64k to have kexec signature verification (#11569) Update kernel-64k to include kexec_sig verification. Bump all other relevant kernel specs --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 ++++- SPECS/kernel-64k/config_aarch64 | 5 +++-- SPECS/kernel-64k/kernel-64k.signatures.json | 2 +- SPECS/kernel-64k/kernel-64k.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/kernel-uki.spec | 5 ++++- SPECS/kernel/kernel.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 13 files changed, 37 insertions(+), 15 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index b0111d170d2..a6ab283c372 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Original version for Azure Linux - Starting with release 5 to align with kernel release. diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 14c6ac12d4a..b45ec622577 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 08983f26a80..3dc88f1e79d 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64 index f16e6660f02..f9ea766b12b 100644 --- a/SPECS/kernel-64k/config_aarch64 +++ b/SPECS/kernel-64k/config_aarch64 @@ -275,7 +275,8 @@ CONFIG_KEXEC_CORE=y CONFIG_HAVE_IMA_KEXEC=y # CONFIG_KEXEC is not set CONFIG_KEXEC_FILE=y -# CONFIG_KEXEC_SIG is not set +CONFIG_KEXEC_SIG=y +CONFIG_KEXEC_IMAGE_VERIFY_SIG=y CONFIG_CRASH_DUMP=y # end of Kexec and crash features # end of General setup @@ -10782,7 +10783,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y # CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set -# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y # CONFIG_FIPS_SIGNATURE_SELFTEST is not set # diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json index d47af0ffb56..a935b60e887 100644 --- a/SPECS/kernel-64k/kernel-64k.signatures.json +++ b/SPECS/kernel-64k/kernel-64k.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config_aarch64": "81527e718a88af9535ed5184f8c4d70eeece5374b197c9bade7cb6c818759cf8", + "config_aarch64": "2e511edb6a5a6236c6f7307f070df422bd6032b1e572f8f44ef4134ecea7d5b7", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 199000195e7..4f2ec85b6d4 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -25,7 +25,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -370,6 +370,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Enable kexec signature verification + * Thu Nov 07 2024 Rachel Menge - 6.6.57.1-5 - Initial CBL-Mariner import from Photon (license: Apache2). - Starting with release 5 to align with kernel release. diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 330136d2c8f..77d34b27719 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 5a0322b8ec6..edc6c72e7ba 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Bump release to match kernel diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 02f40d57d19..f7a31ef1284 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -30,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.57.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -424,6 +424,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 +- Bump release to match kernel-64k + * Mon Nov 25 2024 Chris Co - 6.6.57.1-5 - Enable ICE ethernet driver diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index f4643843a8d..3ab3b3d6642 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6fd3c5ffec3..3871203b17b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index c89eb87d70d..b3838e476e7 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index fb2f79e3070..e15f53cd0d3 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -161,8 +161,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.57.1-5.azl3.noarch.rpm -kernel-headers-6.6.57.1-5.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-6.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm From 9b82b55a0b48e40398bba991240aa2ce46e34510 Mon Sep 17 00:00:00 2001 From: Bala Date: Wed, 18 Dec 2024 11:30:07 +0530 Subject: [PATCH 32/55] Provide an option not to auto-clean toolchain during daily-build (#11279) --- toolkit/docs/building/building.md | 8 ++++++++ toolkit/scripts/daily_build.mk | 2 ++ toolkit/scripts/toolchain.mk | 2 ++ 3 files changed, 12 insertions(+) diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md index 35069f0195c..64e6eca98f4 100644 --- a/toolkit/docs/building/building.md +++ b/toolkit/docs/building/building.md @@ -589,6 +589,14 @@ also augment the URL list. > Use the daily build sources for the given date. `lkg` will use the last known good build. +##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`n`** *(default)* + +> Delete the already downloaded toolchain RPMs and freshly download from LKG repo + +##### `DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP=`**`y`** + +> Don't delete the already download tolchain RPMs to save time. Use only if are sure about this behaviour. + #### `DISABLE_UPSTREAM_REPOS=...` ##### `DISABLE_UPSTREAM_REPOS=`**`n`** *(default)* diff --git a/toolkit/scripts/daily_build.mk b/toolkit/scripts/daily_build.mk index d990a6ca09c..418d2d6b22f 100644 --- a/toolkit/scripts/daily_build.mk +++ b/toolkit/scripts/daily_build.mk @@ -24,6 +24,8 @@ DAILY_BUILD_ID ?= DAILY_BUILD_ID_UPDATE_MANIFESTS ?= y ##help:var:DAILY_BUILD_REPO={path to daily.repo}=Path to the daily build repo file to use. DAILY_BUILD_REPO ?= +##help:var:DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP={y,n}=Skip Deleting all downloaded toolchain RPMs when using a daily build. +DAILY_BUILD_SKIP_TOOLCHAIN_AUTO_CLEANUP ?= n daily_lkg_workdir = $(BUILD_DIR)/daily_build_id diff --git a/toolkit/scripts/toolchain.mk b/toolkit/scripts/toolchain.mk index 18f551e088c..2d1aec34e16 100644 --- a/toolkit/scripts/toolchain.mk +++ b/toolkit/scripts/toolchain.mk @@ -94,8 +94,10 @@ clean-toolchain-rpms: # We leave the directory structure in place since docker based builds using re-usable chroots will have mounted the # toolchain subdirectories into the chroots. Removing the directories would break the mounts. $(STATUS_FLAGS_DIR)/toolchain_auto_cleanup.flag: $(STATUS_FLAGS_DIR)/daily_build_id.flag $(depend_VALIDATE_TOOLCHAIN_GPG) +ifeq ($(SKIP_TOOLCHAIN_AUTO_CLEANUP),n) @echo "Daily build ID or validation mode changed, sanitizing toolchain" find $(TOOLCHAIN_RPMS_DIR) -type f -name '*.rpm' -exec rm -f {} + +endif touch $@ copy-toolchain-rpms: From 0339d9bd9360a43e64a1939d9c7efa3848d5883c Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Thu, 19 Dec 2024 18:30:46 -0800 Subject: [PATCH 33/55] Add AMD PMC repo for tdnf (#11330) --- .../azurelinux-amd-preview.repo | 19 +++++++++ SPECS/azurelinux-repos/azurelinux-amd.repo | 19 +++++++++ .../azurelinux-repos.signatures.json | 4 +- SPECS/azurelinux-repos/azurelinux-repos.spec | 39 ++++++++++++++++++- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 26 ++++++------- .../manifests/package/toolchain_x86_64.txt | 28 ++++++------- 8 files changed, 111 insertions(+), 32 deletions(-) create mode 100644 SPECS/azurelinux-repos/azurelinux-amd-preview.repo create mode 100644 SPECS/azurelinux-repos/azurelinux-amd.repo diff --git a/SPECS/azurelinux-repos/azurelinux-amd-preview.repo b/SPECS/azurelinux-repos/azurelinux-amd-preview.repo new file mode 100644 index 00000000000..0434974db96 --- /dev/null +++ b/SPECS/azurelinux-repos/azurelinux-amd-preview.repo @@ -0,0 +1,19 @@ +[azurelinux-official-amd-preview] +name=Azure Linux Official AMD Preview $releasever $basearch +baseurl=https://packages.microsoft.com/azurelinux/$releasever/preview/amd/$basearch +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=1 +skip_if_unavailable=True +sslverify=1 + +[azurelinux-official-amd-preview-source] +name=Azure Linux Official AMD Preview $releasever Source +baseurl=https://packages.microsoft.com/azurelinux/$releasever/preview/amd/srpms +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=0 +skip_if_unavailable=True +sslverify=1 diff --git a/SPECS/azurelinux-repos/azurelinux-amd.repo b/SPECS/azurelinux-repos/azurelinux-amd.repo new file mode 100644 index 00000000000..afcfbfe8537 --- /dev/null +++ b/SPECS/azurelinux-repos/azurelinux-amd.repo @@ -0,0 +1,19 @@ +[azurelinux-official-amd] +name=Azure Linux Official AMD $releasever $basearch +baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/amd/$basearch +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=1 +skip_if_unavailable=True +sslverify=1 + +[azurelinux-official-amd-source] +name=Azure Linux Official AMD $releasever Source +baseurl=https://packages.microsoft.com/azurelinux/$releasever/prod/amd/srpms +gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY +gpgcheck=1 +repo_gpgcheck=1 +enabled=0 +skip_if_unavailable=True +sslverify=1 diff --git a/SPECS/azurelinux-repos/azurelinux-repos.signatures.json b/SPECS/azurelinux-repos/azurelinux-repos.signatures.json index 0dbba725064..a2771db1bd0 100644 --- a/SPECS/azurelinux-repos/azurelinux-repos.signatures.json +++ b/SPECS/azurelinux-repos/azurelinux-repos.signatures.json @@ -1,6 +1,8 @@ { "Signatures": { "MICROSOFT-RPM-GPG-KEY": "1092f37ec429e58bf9c7f898df17c3c32eb2ce3c4c037afb8ffe2d2b42e16e89", + "azurelinux-amd.repo": "cbe8cefea3cf99c1450d0b329c57bdb647ae15c10468c243573e33b9c4891120", + "azurelinux-amd-preview.repo": "723c3505d064c3b9ef436d700f748de7deca0de845d07d3fdeeafaf45949c070", "azurelinux-debuginfo-preview.repo": "af36f823d923dd8b1a27efa7199552339f9e1315813078a4591ef855654b3017", "azurelinux-debuginfo.repo": "ac8c1c699122e46e7501f04f1f0240e1eec322e5bb6102f6db5d1ce7215d7f5b", "azurelinux-extended-debuginfo-preview.repo": "d29514a9962b0975cd4b32132f5cb5290930f6d0d582b46ef5d2cde6840dc9e0", @@ -14,4 +16,4 @@ "azurelinux-official-base.repo": "b3351f3121c0600a0445a322bea8d500edaaa3d021b7cef96c1c9539d0eccab8", "azurelinux-official-preview.repo": "a03ea4539f17fac3fdfe73fb295663778733ba84ed37bb3908784604e52b0da6" } -} \ No newline at end of file +} diff --git a/SPECS/azurelinux-repos/azurelinux-repos.spec b/SPECS/azurelinux-repos/azurelinux-repos.spec index 7afc1ba4195..8935e2bd716 100644 --- a/SPECS/azurelinux-repos/azurelinux-repos.spec +++ b/SPECS/azurelinux-repos/azurelinux-repos.spec @@ -1,7 +1,7 @@ Summary: AzureLinux repo files, gpg keys Name: azurelinux-repos Version: %{azl}.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -20,6 +20,8 @@ Source10: azurelinux-official-base.repo Source11: azurelinux-official-preview.repo Source12: azurelinux-extended-debuginfo.repo Source13: azurelinux-extended-debuginfo-preview.repo +Source14: azurelinux-amd.repo +Source15: azurelinux-amd-preview.repo Requires: %{name}-shared = %{version}-%{release} @@ -28,6 +30,24 @@ BuildArch: noarch %description Azure Linux repo files and gpg keys +%ifarch x86_64 +%package amd +Summary: Azure Linux AMD GPU repo file. +Group: System Environment/Base +Requires: %{name}-shared = %{version}-%{release} + +%description amd +%{summary} + +%package amd-preview +Summary: Azure Linux AMD GPU preview repo file. +Group: System Environment/Base +Requires: %{name}-shared = %{version}-%{release} + +%description amd-preview +%{summary} +%endif + %package debug Summary: Azure Linux Debuginfo repo file. Group: System Environment/Base @@ -142,6 +162,10 @@ install -m 644 %{SOURCE10} $REPO_DIRECTORY install -m 644 %{SOURCE11} $REPO_DIRECTORY install -m 644 %{SOURCE12} $REPO_DIRECTORY install -m 644 %{SOURCE13} $REPO_DIRECTORY +%ifarch x86_64 +install -m 644 %{SOURCE14} $REPO_DIRECTORY +install -m 644 %{SOURCE15} $REPO_DIRECTORY +%endif export RPM_GPG_DIRECTORY="%{buildroot}%{_sysconfdir}/pki/rpm-gpg" @@ -159,6 +183,16 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90 %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-official-base.repo +%ifarch x86_64 +%files amd +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-amd.repo + +%files amd-preview +%defattr(-,root,root,-) +%config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-amd-preview.repo +%endif + %files debug %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-debuginfo.repo @@ -208,6 +242,9 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90 %{_sysconfdir}/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY %changelog +* Thu Dec 19 2024 Gary Swalling - 3.0-4 +- Add amd .repo files. + * Thu May 30 2024 Andrew Phelps - 3.0-3 - Remove MICROSOFT-METADATA-GPG-KEY diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 7509a242c85..2022cb8d619 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -227,8 +227,8 @@ pinentry-1.2.1-1.azl3.aarch64.rpm gnupg2-2.4.4-2.azl3.aarch64.rpm gnupg2-lang-2.4.4-2.azl3.aarch64.rpm gpgme-1.23.2-2.azl3.aarch64.rpm -azurelinux-repos-shared-3.0-3.azl3.noarch.rpm -azurelinux-repos-3.0-3.azl3.noarch.rpm +azurelinux-repos-shared-3.0-4.azl3.noarch.rpm +azurelinux-repos-3.0-4.azl3.noarch.rpm libffi-3.4.4-1.azl3.aarch64.rpm libffi-devel-3.4.4-1.azl3.aarch64.rpm libtasn1-4.19.0-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6f09f409b11..17e2713c5c6 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -227,8 +227,8 @@ pinentry-1.2.1-1.azl3.x86_64.rpm gnupg2-2.4.4-2.azl3.x86_64.rpm gnupg2-lang-2.4.4-2.azl3.x86_64.rpm gpgme-1.23.2-2.azl3.x86_64.rpm -azurelinux-repos-shared-3.0-3.azl3.noarch.rpm -azurelinux-repos-3.0-3.azl3.noarch.rpm +azurelinux-repos-shared-3.0-4.azl3.noarch.rpm +azurelinux-repos-3.0-4.azl3.noarch.rpm libffi-3.4.4-1.azl3.x86_64.rpm libffi-devel-3.4.4-1.azl3.x86_64.rpm libtasn1-4.19.0-1.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 549a5490e50..d35ee38a248 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -10,19 +10,19 @@ audit-libs-3.1.2-1.azl3.aarch64.rpm autoconf-2.72-2.azl3.noarch.rpm automake-1.16.5-2.azl3.noarch.rpm azurelinux-check-macros-3.0-7.azl3.noarch.rpm -azurelinux-repos-3.0-3.azl3.noarch.rpm -azurelinux-repos-debug-3.0-3.azl3.noarch.rpm -azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-debug-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-debug-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-non-oss-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-non-oss-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-shared-3.0-3.azl3.noarch.rpm +azurelinux-repos-3.0-4.azl3.noarch.rpm +azurelinux-repos-debug-3.0-4.azl3.noarch.rpm +azurelinux-repos-debug-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-debug-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-debug-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-non-oss-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-non-oss-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-oss-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-oss-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-shared-3.0-4.azl3.noarch.rpm azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm bash-5.2.15-3.azl3.aarch64.rpm bash-debuginfo-5.2.15-3.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index fa1752caf9e..71c81995c58 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -10,19 +10,21 @@ audit-libs-3.1.2-1.azl3.x86_64.rpm autoconf-2.72-2.azl3.noarch.rpm automake-1.16.5-2.azl3.noarch.rpm azurelinux-check-macros-3.0-7.azl3.noarch.rpm -azurelinux-repos-3.0-3.azl3.noarch.rpm -azurelinux-repos-debug-3.0-3.azl3.noarch.rpm -azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-debug-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-debug-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-extended-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-non-oss-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-non-oss-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm -azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-preview-3.0-3.azl3.noarch.rpm -azurelinux-repos-shared-3.0-3.azl3.noarch.rpm +azurelinux-repos-3.0-4.azl3.noarch.rpm +azurelinux-repos-amd-3.0-4.azl3.noarch.rpm +azurelinux-repos-amd-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-debug-3.0-4.azl3.noarch.rpm +azurelinux-repos-debug-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-debug-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-debug-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-extended-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-non-oss-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-non-oss-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-oss-3.0-4.azl3.noarch.rpm +azurelinux-repos-ms-oss-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-preview-3.0-4.azl3.noarch.rpm +azurelinux-repos-shared-3.0-4.azl3.noarch.rpm azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm bash-5.2.15-3.azl3.x86_64.rpm bash-debuginfo-5.2.15-3.azl3.x86_64.rpm From d0d18cf3b6efe1239419679110d512b289f0b1c6 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Fri, 20 Dec 2024 10:06:13 -0800 Subject: [PATCH 34/55] Fix issue when version pinning packages that are checked by the configvalidator tool (#11442) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../imageconfigvalidator.go | 18 +- .../imageconfigvalidator_test.go | 290 ++++++++---------- .../testdata/bogus-list.json | 5 + .../testdata/dummy-list.json | 5 + .../testdata/fips-list.json | 5 + .../testdata/pinned-shadowutils-list.json | 5 + .../testdata/pinned-shadowutils-ws-list.json | 5 + .../testdata/selinux-policy-list.json | 5 + .../testdata/shadowutils-list.json | 5 + .../testdata/test-config.json | 59 ++++ 10 files changed, 239 insertions(+), 163 deletions(-) create mode 100644 toolkit/tools/imageconfigvalidator/testdata/bogus-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/dummy-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/fips-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json create mode 100644 toolkit/tools/imageconfigvalidator/testdata/test-config.json diff --git a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go index 4a6a0cbd654..5bc360b7b36 100644 --- a/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go +++ b/toolkit/tools/imageconfigvalidator/imageconfigvalidator.go @@ -15,6 +15,7 @@ import ( "github.com/microsoft/azurelinux/toolkit/tools/imagegen/installutils" "github.com/microsoft/azurelinux/toolkit/tools/internal/exe" "github.com/microsoft/azurelinux/toolkit/tools/internal/logger" + "github.com/microsoft/azurelinux/toolkit/tools/internal/pkgjson" "github.com/microsoft/azurelinux/toolkit/tools/internal/timestamp" "github.com/microsoft/azurelinux/toolkit/tools/pkg/profile" @@ -114,6 +115,7 @@ func validatePackages(config configuration.Config) (err error) { const ( validateError = "failed to validate package lists in config" + kernelPkgName = "kernel" dracutFipsPkgName = "dracut-fips" fipsKernelCmdLine = "fips=1" userAddPkgName = "shadow-utils" @@ -134,16 +136,24 @@ func validatePackages(config configuration.Config) (err error) { } for _, pkg := range packageList { - if pkg == "kernel" { + // The installer tools have an undocumented feature which can support both "pkg-name" and "pkg-name=version" formats. + // This is in use, so we need to handle pinned versions in this check. Technically, 'tdnf' also supports "pkg-name-version" format, + // but it is not easily distinguishable from "long-package-name" format so it will not be supported here. + pkgVer, err := pkgjson.PackageStringToPackageVer(pkg) + if err != nil { + return fmt.Errorf("%s: %w", validateError, err) + } + + if pkgVer.Name == kernelPkgName { return fmt.Errorf("%s: kernel should not be included in a package list, add via config file's [KernelOptions] entry", validateError) } - if pkg == dracutFipsPkgName { + if pkgVer.Name == dracutFipsPkgName { foundDracutFipsPackage = true } - if pkg == selinuxPkgName { + if pkgVer.Name == selinuxPkgName { foundSELinuxPackage = true } - if pkg == userAddPkgName { + if pkgVer.Name == userAddPkgName { foundUserAddPackage = true } } diff --git a/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go b/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go index 4bec21327c6..1d30b7b2df8 100644 --- a/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go +++ b/toolkit/tools/imageconfigvalidator/imageconfigvalidator_test.go @@ -6,6 +6,7 @@ package main import ( "fmt" "os" + "path" "path/filepath" "strings" "testing" @@ -73,188 +74,159 @@ func TestShouldFailEmptySystemConfig(t *testing.T) { assert.Equal(t, "invalid [SystemConfigs]:\nmissing [Name] field", err.Error()) } -func TestShouldFailDeeplyNestedParsingError(t *testing.T) { +func TestSELinuxRequiresSELinuxPackageInline(t *testing.T) { const ( - configDirectory string = "../../imageconfigs/" - targetPackage = "core-efi.json" + configDirectory = "./testdata/" + targetConfig = "test-config.json" + selinuxPkgName = "selinux-policy" ) - configFiles, err := os.ReadDir(configDirectory) - assert.NoError(t, err) - - // Pick the first config file and mess something up which is deeply - // nested inside the json - for _, file := range configFiles { - if !file.IsDir() && strings.Contains(file.Name(), targetPackage) { - configPath := filepath.Join(configDirectory, file.Name()) - - fmt.Println("Corrupting ", configPath) - - config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) - assert.NoError(t, err) - - config.Disks[0].PartitionTableType = configuration.PartitionTableType("not_a_real_partition_type") - err = ValidateConfiguration(config) - assert.Error(t, err) - assert.Equal(t, "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)", err.Error()) + configPath := filepath.Join(configDirectory, targetConfig) - return - } - } - assert.Failf(t, "Could not find config", "Could not find image config file '%s' to test", filepath.Join(configDirectory, targetPackage)) -} - -func TestShouldFailMissingFipsPackageWithFipsCmdLine(t *testing.T) { - const ( - configDirectory string = "../../imageconfigs/" - targetPackage = "core-fips.json" - fipsPackageListFile = "fips-packages.json" - ) - configFiles, err := os.ReadDir(configDirectory) + config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) assert.NoError(t, err) - // Pick the core-fips config file, but remove the fips package list - for _, file := range configFiles { - if !file.IsDir() && strings.Contains(file.Name(), targetPackage) { - configPath := filepath.Join(configDirectory, file.Name()) - - fmt.Println("Corrupting ", configPath) + config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing" - config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) - assert.NoError(t, err) - - newPackageList := []string{} - for _, pl := range config.SystemConfigs[0].PackageLists { - if !strings.Contains(pl, fipsPackageListFile) { - newPackageList = append(newPackageList, pl) - } - } - - config.SystemConfigs[0].PackageLists = newPackageList + err = ValidateConfiguration(config) + assert.Error(t, err) + assert.Equal(t, "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists", err.Error()) - err = ValidateConfiguration(config) - assert.Error(t, err) - assert.Equal(t, "failed to validate package lists in config: 'fips=1' provided on kernel cmdline, but 'dracut-fips' package is not included in the package lists", err.Error()) + //Add required SELinux package in the inline package definition + newPackagesField := []string{selinuxPkgName} + config.SystemConfigs[0].Packages = newPackagesField - return - } - } - assert.Fail(t, "Could not find "+targetPackage+" to test") + err = ValidateConfiguration(config) + assert.NoError(t, err) } -func TestShouldFailMissingSELinuxPackageWithSELinux(t *testing.T) { - const ( - configDirectory = "../../imageconfigs/" - targetPackage = "core-efi.json" - targetPackageList = "selinux.json" - ) - configFiles, err := os.ReadDir(configDirectory) +func TestValidationAgainstTestConfig(t *testing.T) { + confiDirAbsPath, err := filepath.Abs("./testdata/") assert.NoError(t, err) - // Pick the core-efi config file, then enable SELinux - for _, file := range configFiles { - if !file.IsDir() && strings.Contains(file.Name(), targetPackage) { - configPath := filepath.Join(configDirectory, file.Name()) - - fmt.Println("Corrupting ", configPath) - - config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) - for i, list := range config.SystemConfigs[0].PackageLists { - // Delete the packagelist from the config - if strings.Contains(list, targetPackageList) { - config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...) + tests := []struct { + name string + extraListPath string + configModifier func(*configuration.Config) + expectedError1 string + expectedError2 string + }{ + { + name: "Deeply nested parsing error", + extraListPath: "", + configModifier: func(config *configuration.Config) { + config.Disks[0].PartitionTableType = configuration.PartitionTableType("not_a_real_partition_type") + }, + expectedError1: "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)", + // No action is taken to fix the error, so it will still be present + expectedError2: "invalid [Disks]:\ninvalid [PartitionTableType]: invalid value for PartitionTableType (not_a_real_partition_type)", + }, + { + name: "fips with dracut-fips", + extraListPath: "./testdata/fips-list.json", + configModifier: func(config *configuration.Config) { + config.SystemConfigs[0].KernelCommandLine.EnableFIPS = true + }, + expectedError1: "failed to validate package lists in config: 'fips=1' provided on kernel cmdline, but 'dracut-fips' package is not included in the package lists", + expectedError2: "", + }, + { + name: "selinux with selinux-policy", + extraListPath: "./testdata/selinux-policy-list.json", + configModifier: func(config *configuration.Config) { + config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing" + }, + expectedError1: "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists", + expectedError2: "", + }, + { + name: "user with shadowutils", + extraListPath: "./testdata/shadowutils-list.json", + configModifier: func(config *configuration.Config) { + config.SystemConfigs[0].Users = []configuration.User{ + { + Name: "testuser", + }, } - } - assert.NoError(t, err) - - config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing" - - err = ValidateConfiguration(config) - assert.Error(t, err) - assert.Equal(t, "failed to validate package lists in config: [SELinux] selected, but 'selinux-policy' package is not included in the package lists", err.Error()) - - return - } + }, + expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups", + expectedError2: "", + }, + { + name: "Shadowutils pinned version", + extraListPath: "./testdata/pinned-shadowutils-list.json", + configModifier: func(config *configuration.Config) { + config.SystemConfigs[0].Users = []configuration.User{ + { + Name: "testuser", + }, + } + }, + expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups", + expectedError2: "", + }, + + { + name: "Shadowutils pinned version with whitespace", + extraListPath: "./testdata/pinned-shadowutils-ws-list.json", + configModifier: func(config *configuration.Config) { + config.SystemConfigs[0].Users = []configuration.User{ + { + Name: "testuser", + }, + } + }, + expectedError1: "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups", + expectedError2: "", + }, + { + name: "missing package list", + extraListPath: "./testdata/not-a-real-list.json", + configModifier: func(config *configuration.Config) {}, + expectedError1: "", + expectedError2: "failed to validate package lists in config: open " + path.Join(confiDirAbsPath, "not-a-real-list.json") + ": no such file or directory", + }, + { + name: "bad package name", + extraListPath: "./testdata/bogus-list.json", + configModifier: func(config *configuration.Config) {}, + expectedError1: "", + expectedError2: `failed to validate package lists in config: packages list entry "bad package = bad < version" does not match the '[name][optional_condition][optional_version]' format`, + }, } - assert.Fail(t, "Could not find "+targetPackage+" to test") -} -func TestShouldSucceedSELinuxPackageDefinedInline(t *testing.T) { - const ( - configDirectory = "../../imageconfigs/" - targetPackage = "core-efi.json" - targetPackageList = "selinux.json" - selinuxPkgName = "selinux-policy" - ) - configFiles, err := os.ReadDir(configDirectory) - assert.NoError(t, err) - - // Pick the core-efi config file, then enable SELinux - for _, file := range configFiles { - if !file.IsDir() && strings.Contains(file.Name(), targetPackage) { - configPath := filepath.Join(configDirectory, file.Name()) - - fmt.Println("Corrupting ", configPath) - - config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) - for i, list := range config.SystemConfigs[0].PackageLists { - // Delete the packagelist from the config - if strings.Contains(list, targetPackageList) { - config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...) - } - } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + configPath := filepath.Join("./testdata/", "test-config.json") + config, err := configuration.LoadWithAbsolutePaths(configPath, "./testdata/") assert.NoError(t, err) - //Add required SELinux package in the inline package definition - newPackagesField := []string{selinuxPkgName} - config.SystemConfigs[0].Packages = newPackagesField - - config.SystemConfigs[0].KernelCommandLine.SELinux = "enforcing" + // Break the config + tt.configModifier(&config) + // Ensure the validation detects the expected failure err = ValidateConfiguration(config) - assert.NoError(t, err) - return - } - } - assert.Fail(t, "Could not find "+targetPackage+" to test") -} - -func TestShouldFailMissingShadowUtilsPackageWithUsers(t *testing.T) { - const ( - configDirectory = "../../imageconfigs/" - targetPackage = "core-efi.json" - targetPackageList = "core-packages-image.json" - ) - configFiles, err := os.ReadDir(configDirectory) - assert.NoError(t, err) - - // Pick the core-efi config file, then add a user, then remove shadow-utils from the package list (via dropping core... its a bit hacky) - for _, file := range configFiles { - if !file.IsDir() && strings.Contains(file.Name(), targetPackage) { - configPath := filepath.Join(configDirectory, file.Name()) - - fmt.Println("Corrupting ", configPath) - - config, err := configuration.LoadWithAbsolutePaths(configPath, configDirectory) - for i, list := range config.SystemConfigs[0].PackageLists { - // Delete the packagelist from the config - if strings.Contains(list, targetPackageList) { - config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists[:i], config.SystemConfigs[0].PackageLists[i+1:]...) - } + if tt.expectedError1 != "" { + assert.Error(t, err) + assert.Equal(t, tt.expectedError1, err.Error()) + } else { + assert.NoError(t, err) } - assert.NoError(t, err) - config.SystemConfigs[0].Users = []configuration.User{ - { - Name: "testuser", - }, + // Fix the config by adding the package list if provided + if tt.extraListPath != "" { + replacementPackageListAbsPath, err := filepath.Abs(tt.extraListPath) + assert.NoError(t, err) + config.SystemConfigs[0].PackageLists = append(config.SystemConfigs[0].PackageLists, replacementPackageListAbsPath) } + // Validate again err = ValidateConfiguration(config) - assert.Error(t, err) - assert.Equal(t, "failed to validate package lists in config: the 'shadow-utils' package must be included in the package lists when the image is configured to add users or groups", err.Error()) - - return - } + if tt.expectedError2 != "" { + assert.Error(t, err) + assert.Equal(t, tt.expectedError2, err.Error()) + } else { + assert.NoError(t, err) + } + }) } - assert.Fail(t, "Could not find "+targetPackage+" to test") } diff --git a/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json b/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json new file mode 100644 index 00000000000..bd8b2e53e0a --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/bogus-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "bad package = bad < version" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json b/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json new file mode 100644 index 00000000000..b3d776e8d3a --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/dummy-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "words" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/fips-list.json b/toolkit/tools/imageconfigvalidator/testdata/fips-list.json new file mode 100644 index 00000000000..eea216be224 --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/fips-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "dracut-fips" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json new file mode 100644 index 00000000000..07519542cf9 --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "shadow-utils=some-version" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json new file mode 100644 index 00000000000..a2e589ce3b7 --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/pinned-shadowutils-ws-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "shadow-utils = some-version" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json b/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json new file mode 100644 index 00000000000..34ff7c3874b --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/selinux-policy-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "selinux-policy" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json b/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json new file mode 100644 index 00000000000..9ea75c300bc --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/shadowutils-list.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "shadow-utils" + ] +} diff --git a/toolkit/tools/imageconfigvalidator/testdata/test-config.json b/toolkit/tools/imageconfigvalidator/testdata/test-config.json new file mode 100644 index 00000000000..cb814a36854 --- /dev/null +++ b/toolkit/tools/imageconfigvalidator/testdata/test-config.json @@ -0,0 +1,59 @@ +{ + + "_comment": "Based on core-efi.json", + + "Disks": [ + { + "PartitionTableType": "gpt", + "MaxSize": 4096, + "Artifacts": [ + { + "Name": "test", + "Type": "vhdx" + } + ], + "Partitions": [ + { + "ID": "boot", + "Flags": [ + "esp", + "boot" + ], + "Start": 1, + "End": 9, + "FsType": "fat32" + }, + { + "ID": "rootfs", + "Start": 9, + "End": 0, + "FsType": "ext4" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "Standard", + "BootType": "efi", + "PartitionSettings": [ + { + "ID": "boot", + "MountPoint": "/boot/efi", + "MountOptions" : "umask=0077" + }, + { + "ID": "rootfs", + "MountPoint": "/" + } + ], + "PackageLists": [ + "dummy-list.json" + ], + "KernelOptions": { + "default": "kernel" + }, + "Hostname": "azurelinux" + } + ] +} From c88ffe5f322cd68442a2647df2d804d7674b0272 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:28:06 -0800 Subject: [PATCH 35/55] [AUTO-CHERRYPICK] Patch "gh" to fix CVE-2024-54132 - branch 3.0-dev (#11465) Co-authored-by: Sandeep Karambelkar Co-authored-by: jslobodzian --- SPECS/gh/CVE-2024-54132.patch | 1349 +++++++++++++++++++++++++++++++++ SPECS/gh/gh.spec | 7 +- 2 files changed, 1354 insertions(+), 2 deletions(-) create mode 100644 SPECS/gh/CVE-2024-54132.patch diff --git a/SPECS/gh/CVE-2024-54132.patch b/SPECS/gh/CVE-2024-54132.patch new file mode 100644 index 00000000000..a32a42eb48c --- /dev/null +++ b/SPECS/gh/CVE-2024-54132.patch @@ -0,0 +1,1349 @@ +From 8da27d2c8ac8b781cf34a5e04ed57cfe4b68fa55 Mon Sep 17 00:00:00 2001 +From: Andy Feller +Date: Tue, 19 Nov 2024 17:55:18 -0500 +Subject: [PATCH 1/5] Second attempt to address exploit + +This builds off suggestion to reuse logic used already within `gh run download` for detecting path traversals. + +This largely works but runs into an issue where detection logic doesn't handle non-separated traversal. +--- + pkg/cmd/run/download/download.go | 5 ++ + pkg/cmd/run/download/download_test.go | 102 ++++++++++++++++++++++++++ + pkg/cmd/run/download/zip.go | 3 + + 3 files changed, 110 insertions(+) + +diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go +index 99ec45bbeec..168cb6fcc8c 100644 +--- a/pkg/cmd/run/download/download.go ++++ b/pkg/cmd/run/download/download.go +@@ -169,6 +169,11 @@ func runDownload(opts *DownloadOptions) error { + if len(wantPatterns) != 0 || len(wantNames) != 1 { + destDir = filepath.Join(destDir, a.Name) + } ++ ++ if !filepathDescendsFrom(destDir, opts.DestinationDir) { ++ return fmt.Errorf("error downloading %s: would result in path traversal", a.Name) ++ } ++ + err := opts.Platform.Download(a.DownloadURL, destDir) + if err != nil { + return fmt.Errorf("error downloading %s: %w", a.Name, err) +diff --git a/pkg/cmd/run/download/download_test.go b/pkg/cmd/run/download/download_test.go +index 3c1c8f2d862..f07d661289f 100644 +--- a/pkg/cmd/run/download/download_test.go ++++ b/pkg/cmd/run/download/download_test.go +@@ -289,6 +289,108 @@ func Test_runDownload(t *testing.T) { + }) + }, + }, ++ { ++ name: "given artifact name contains `..`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: ".", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "..", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ..: would result in path traversal", ++ }, ++ { ++ name: "given artifact name contains `..`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: "imaginary-dir", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "..", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ..: would result in path traversal", ++ }, ++ { ++ name: "given artifact name contains `../etc/passwd`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: ".", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "../etc/passwd", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ../etc/passwd: would result in path traversal", ++ }, ++ { ++ name: "given artifact name contains `../etc/passwd`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: "imaginary-dir", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "../etc/passwd", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ../etc/passwd: would result in path traversal", ++ }, ++ { ++ name: "given artifact name contains `../../etc/passwd`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: ".", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "../../etc/passwd", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ../../etc/passwd: would result in path traversal", ++ }, ++ { ++ name: "given artifact name contains `../../etc/passwd`, verify an error about path traversal is returned", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: "imaginary-dir", ++ }, ++ mockAPI: func(p *mockPlatform) { ++ p.On("List", "2345").Return([]shared.Artifact{ ++ { ++ Name: "../../etc/passwd", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ }, nil) ++ }, ++ wantErr: "error downloading ../../etc/passwd: would result in path traversal", ++ }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { +diff --git a/pkg/cmd/run/download/zip.go b/pkg/cmd/run/download/zip.go +index ab5723e9468..f6a27afdd66 100644 +--- a/pkg/cmd/run/download/zip.go ++++ b/pkg/cmd/run/download/zip.go +@@ -73,6 +73,9 @@ func getPerm(m os.FileMode) os.FileMode { + func filepathDescendsFrom(p, dir string) bool { + p = filepath.Clean(p) + dir = filepath.Clean(dir) ++ if dir == "." && p == ".." { ++ return false ++ } + if dir == "." && !filepath.IsAbs(p) { + return !strings.HasPrefix(p, ".."+string(filepath.Separator)) + } + +From 83cf41155646380d3df4037d3f2ac683147f194a Mon Sep 17 00:00:00 2001 +From: Tyler McGoffin +Date: Tue, 19 Nov 2024 16:08:31 -0800 +Subject: [PATCH 2/5] Improve test names so there is no repetition + +--- + pkg/cmd/run/download/download_test.go | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/pkg/cmd/run/download/download_test.go b/pkg/cmd/run/download/download_test.go +index f07d661289f..fb445ccd4e9 100644 +--- a/pkg/cmd/run/download/download_test.go ++++ b/pkg/cmd/run/download/download_test.go +@@ -290,7 +290,7 @@ func Test_runDownload(t *testing.T) { + }, + }, + { +- name: "given artifact name contains `..`, verify an error about path traversal is returned", ++ name: "given artifact name contains `..` and the DestinationDir is `.`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: ".", +@@ -307,7 +307,7 @@ func Test_runDownload(t *testing.T) { + wantErr: "error downloading ..: would result in path traversal", + }, + { +- name: "given artifact name contains `..`, verify an error about path traversal is returned", ++ name: "given artifact name contains `..` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: "imaginary-dir", +@@ -324,7 +324,7 @@ func Test_runDownload(t *testing.T) { + wantErr: "error downloading ..: would result in path traversal", + }, + { +- name: "given artifact name contains `../etc/passwd`, verify an error about path traversal is returned", ++ name: "given artifact name contains `../etc/passwd` and the DestinationDir is `.`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: ".", +@@ -341,7 +341,7 @@ func Test_runDownload(t *testing.T) { + wantErr: "error downloading ../etc/passwd: would result in path traversal", + }, + { +- name: "given artifact name contains `../etc/passwd`, verify an error about path traversal is returned", ++ name: "given artifact name contains `../etc/passwd` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: "imaginary-dir", +@@ -358,7 +358,7 @@ func Test_runDownload(t *testing.T) { + wantErr: "error downloading ../etc/passwd: would result in path traversal", + }, + { +- name: "given artifact name contains `../../etc/passwd`, verify an error about path traversal is returned", ++ name: "given artifact name contains `../../etc/passwd` and the DestinationDir is `.`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: ".", +@@ -375,7 +375,7 @@ func Test_runDownload(t *testing.T) { + wantErr: "error downloading ../../etc/passwd: would result in path traversal", + }, + { +- name: "given artifact name contains `../../etc/passwd`, verify an error about path traversal is returned", ++ name: "given artifact name contains `../../etc/passwd` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: "imaginary-dir", + +From e7c5706336d851b39930c7315132f89b25e77d4d Mon Sep 17 00:00:00 2001 +From: Andy Feller +Date: Thu, 21 Nov 2024 17:02:20 -0500 +Subject: [PATCH 3/5] Refactor download testing, simpler file descends + +This incorporates the work done by @williammartin to improve reasoning about `gh run download` behavior through testing while verifying a simpler solution to checking if a path is contained within a directory. +--- + pkg/cmd/run/download/download.go | 1 + + pkg/cmd/run/download/download_test.go | 524 +++++++++++++++----------- + pkg/cmd/run/download/zip.go | 14 +- + 3 files changed, 309 insertions(+), 230 deletions(-) + +diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go +index 168cb6fcc8c..5bda2ba3da0 100644 +--- a/pkg/cmd/run/download/download.go ++++ b/pkg/cmd/run/download/download.go +@@ -166,6 +166,7 @@ func runDownload(opts *DownloadOptions) error { + } + } + destDir := opts.DestinationDir ++ // Why do we only include the artifact name in the destination directory if there are multiple? + if len(wantPatterns) != 0 || len(wantNames) != 1 { + destDir = filepath.Join(destDir, a.Name) + } +diff --git a/pkg/cmd/run/download/download_test.go b/pkg/cmd/run/download/download_test.go +index fb445ccd4e9..0df94ccf498 100644 +--- a/pkg/cmd/run/download/download_test.go ++++ b/pkg/cmd/run/download/download_test.go +@@ -2,8 +2,11 @@ package download + + import ( + "bytes" ++ "errors" ++ "fmt" + "io" + "net/http" ++ "os" + "path/filepath" + "testing" + +@@ -14,7 +17,6 @@ import ( + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/google/shlex" + "github.com/stretchr/testify/assert" +- "github.com/stretchr/testify/mock" + "github.com/stretchr/testify/require" + ) + +@@ -143,261 +145,350 @@ func Test_NewCmdDownload(t *testing.T) { + } + } + ++type testArtifact struct { ++ artifact shared.Artifact ++ files []string ++} ++ ++type fakePlatform struct { ++ runArtifacts map[string][]testArtifact ++} ++ ++func (f *fakePlatform) List(runID string) ([]shared.Artifact, error) { ++ var runIds []string ++ if runID != "" { ++ runIds = []string{runID} ++ } else { ++ for k := range f.runArtifacts { ++ runIds = append(runIds, k) ++ } ++ } ++ ++ var artifacts []shared.Artifact ++ for _, id := range runIds { ++ for _, a := range f.runArtifacts[id] { ++ artifacts = append(artifacts, a.artifact) ++ } ++ } ++ ++ return artifacts, nil ++} ++ ++func (f *fakePlatform) Download(url string, dir string) error { ++ if err := os.MkdirAll(dir, 0755); err != nil { ++ return err ++ } ++ // Now to be consistent, we find the artifact with the provided URL. ++ // It's a bit janky to iterate the runs, to find the right artifact ++ // rather than keying directly to it, but it allows the setup of the ++ // fake platform to be declarative rather than imperative. ++ // Think fakePlatform { artifacts: ... } rather than fakePlatform.makeArtifactAvailable() ++ for _, testArtifacts := range f.runArtifacts { ++ for _, testArtifact := range testArtifacts { ++ if testArtifact.artifact.DownloadURL == url { ++ for _, file := range testArtifact.files { ++ path := filepath.Join(dir, file) ++ return os.WriteFile(path, []byte{}, 0600) ++ } ++ } ++ } ++ } ++ ++ return errors.New("no artifact matches the provided URL") ++} ++ + func Test_runDownload(t *testing.T) { + tests := []struct { +- name string +- opts DownloadOptions +- mockAPI func(*mockPlatform) +- promptStubs func(*prompter.MockPrompter) +- wantErr string ++ name string ++ opts DownloadOptions ++ platform *fakePlatform ++ promptStubs func(*prompter.MockPrompter) ++ expectedFiles []string ++ wantErr string + }{ + { + name: "download non-expired", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: "./tmp", +- Names: []string(nil), + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "artifact-1", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- { +- Name: "expired-artifact", +- DownloadURL: "http://download.com/expired.zip", +- Expired: true, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "expired-artifact", ++ DownloadURL: "http://download.com/expired.zip", ++ Expired: true, ++ }, ++ files: []string{ ++ "expired", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.zip", +- Expired: false, +- }, +- }, nil) +- p.On("Download", "http://download.com/artifact1.zip", filepath.FromSlash("tmp/artifact-1")).Return(nil) +- p.On("Download", "http://download.com/artifact2.zip", filepath.FromSlash("tmp/artifact-2")).Return(nil) ++ }, ++ }, ++ expectedFiles: []string{ ++ filepath.Join("artifact-1", "artifact-1-file"), ++ filepath.Join("artifact-2", "artifact-2-file"), + }, + }, + { +- name: "no valid artifacts", ++ name: "all artifacts are expired", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", +- Names: []string(nil), ++ RunID: "2345", + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "artifact-1", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: true, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: true, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: true, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.zip", +- Expired: true, +- }, +- }, nil) ++ }, + }, +- wantErr: "no valid artifacts found to download", ++ expectedFiles: []string{}, ++ wantErr: "no valid artifacts found to download", + }, + { + name: "no name matches", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", +- Names: []string{"artifact-3"}, ++ RunID: "2345", ++ Names: []string{"artifact-3"}, + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "artifact-1", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.zip", +- Expired: false, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- }, nil) ++ }, + }, +- wantErr: "no artifact matches any of the names or patterns provided", ++ expectedFiles: []string{}, ++ wantErr: "no artifact matches any of the names or patterns provided", + }, + { + name: "no pattern matches", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", +- FilePatterns: []string{"artifiction-*"}, +- }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "artifact-1", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.zip", +- Expired: false, +- }, +- }, nil) +- }, +- wantErr: "no artifact matches any of the names or patterns provided", +- }, +- { +- name: "prompt to select artifact", +- opts: DownloadOptions{ +- RunID: "", +- DoPrompt: true, +- DestinationDir: ".", +- Names: []string(nil), ++ RunID: "2345", ++ FilePatterns: []string{"artifiction-*"}, + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "").Return([]shared.Artifact{ +- { +- Name: "artifact-1", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- { +- Name: "expired-artifact", +- DownloadURL: "http://download.com/expired.zip", +- Expired: true, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.zip", +- Expired: false, +- }, +- { +- Name: "artifact-2", +- DownloadURL: "http://download.com/artifact2.also.zip", +- Expired: false, +- }, +- }, nil) +- p.On("Download", "http://download.com/artifact2.zip", ".").Return(nil) +- }, +- promptStubs: func(pm *prompter.MockPrompter) { +- pm.RegisterMultiSelect("Select artifacts to download:", nil, []string{"artifact-1", "artifact-2"}, +- func(_ string, _, opts []string) ([]int, error) { +- return []int{1}, nil +- }) ++ }, + }, ++ expectedFiles: []string{}, ++ wantErr: "no artifact matches any of the names or patterns provided", + }, + { +- name: "given artifact name contains `..` and the DestinationDir is `.`, verify an error about path traversal is returned", ++ name: "avoid redownloading files of the same name", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", ++ RunID: "2345", + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "..", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- }, nil) +- }, +- wantErr: "error downloading ..: would result in path traversal", +- }, +- { +- name: "given artifact name contains `..` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", +- opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: "imaginary-dir", ++ }, + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "..", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- }, nil) ++ expectedFiles: []string{ ++ filepath.Join("artifact-1", "artifact-1-file"), + }, +- wantErr: "error downloading ..: would result in path traversal", + }, + { +- name: "given artifact name contains `../etc/passwd` and the DestinationDir is `.`, verify an error about path traversal is returned", ++ name: "prompt to select artifact", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", ++ RunID: "", ++ DoPrompt: true, ++ Names: []string(nil), + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "../etc/passwd", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "expired-artifact", ++ DownloadURL: "http://download.com/expired.zip", ++ Expired: true, ++ }, ++ files: []string{ ++ "expired", ++ }, ++ }, + }, +- }, nil) +- }, +- wantErr: "error downloading ../etc/passwd: would result in path traversal", +- }, +- { +- name: "given artifact name contains `../etc/passwd` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", +- opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: "imaginary-dir", +- }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "../etc/passwd", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, ++ "6789": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, + }, +- }, nil) ++ }, + }, +- wantErr: "error downloading ../etc/passwd: would result in path traversal", +- }, +- { +- name: "given artifact name contains `../../etc/passwd` and the DestinationDir is `.`, verify an error about path traversal is returned", +- opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: ".", ++ promptStubs: func(pm *prompter.MockPrompter) { ++ pm.RegisterMultiSelect("Select artifacts to download:", nil, []string{"artifact-1", "artifact-2"}, ++ func(_ string, _, opts []string) ([]int, error) { ++ for i, o := range opts { ++ if o == "artifact-2" { ++ return []int{i}, nil ++ } ++ } ++ return nil, fmt.Errorf("no artifact-2 found in %v", opts) ++ }) + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "../../etc/passwd", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, +- }, +- }, nil) ++ expectedFiles: []string{ ++ filepath.Join("artifact-2-file"), + }, +- wantErr: "error downloading ../../etc/passwd: would result in path traversal", + }, + { +- name: "given artifact name contains `../../etc/passwd` and the DestinationDir is `imaginary-dir`, verify an error about path traversal is returned", ++ name: "handling artifact name with path traversal exploit", + opts: DownloadOptions{ +- RunID: "2345", +- DestinationDir: "imaginary-dir", ++ RunID: "2345", + }, +- mockAPI: func(p *mockPlatform) { +- p.On("List", "2345").Return([]shared.Artifact{ +- { +- Name: "../../etc/passwd", +- DownloadURL: "http://download.com/artifact1.zip", +- Expired: false, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "..", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "etc/passwd", ++ }, ++ }, + }, +- }, nil) ++ }, + }, +- wantErr: "error downloading ../../etc/passwd: would result in path traversal", ++ expectedFiles: []string{}, ++ wantErr: "error downloading ..: would result in path traversal", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + opts := &tt.opts ++ if opts.DestinationDir == "" { ++ opts.DestinationDir = t.TempDir() ++ } else { ++ opts.DestinationDir = filepath.Join(t.TempDir(), opts.DestinationDir) ++ } ++ + ios, _, stdout, stderr := iostreams.Test() + opts.IO = ios +- opts.Platform = newMockPlatform(t, tt.mockAPI) ++ opts.Platform = tt.platform + + pm := prompter.NewMockPrompter(t) + opts.Prompter = pm +@@ -412,34 +503,31 @@ func Test_runDownload(t *testing.T) { + require.NoError(t, err) + } + ++ // Check that the exact number of files exist ++ require.Equal(t, len(tt.expectedFiles), countFilesInDirRecursively(t, opts.DestinationDir)) ++ ++ // Then check that the exact files are correct ++ for _, name := range tt.expectedFiles { ++ require.FileExists(t, filepath.Join(opts.DestinationDir, name)) ++ } ++ + assert.Equal(t, "", stdout.String()) + assert.Equal(t, "", stderr.String()) + }) + } + } + +-type mockPlatform struct { +- mock.Mock +-} ++func countFilesInDirRecursively(t *testing.T, dir string) int { ++ t.Helper() + +-func newMockPlatform(t *testing.T, config func(*mockPlatform)) *mockPlatform { +- m := &mockPlatform{} +- m.Test(t) +- t.Cleanup(func() { +- m.AssertExpectations(t) +- }) +- if config != nil { +- config(m) +- } +- return m +-} +- +-func (p *mockPlatform) List(runID string) ([]shared.Artifact, error) { +- args := p.Called(runID) +- return args.Get(0).([]shared.Artifact), args.Error(1) +-} ++ count := 0 ++ require.NoError(t, filepath.Walk(dir, func(_ string, info os.FileInfo, err error) error { ++ require.NoError(t, err) ++ if !info.IsDir() { ++ count++ ++ } ++ return nil ++ })) + +-func (p *mockPlatform) Download(url string, dir string) error { +- args := p.Called(url, dir) +- return args.Error(0) ++ return count + } +diff --git a/pkg/cmd/run/download/zip.go b/pkg/cmd/run/download/zip.go +index f6a27afdd66..52994199a9b 100644 +--- a/pkg/cmd/run/download/zip.go ++++ b/pkg/cmd/run/download/zip.go +@@ -71,16 +71,6 @@ func getPerm(m os.FileMode) os.FileMode { + } + + func filepathDescendsFrom(p, dir string) bool { +- p = filepath.Clean(p) +- dir = filepath.Clean(dir) +- if dir == "." && p == ".." { +- return false +- } +- if dir == "." && !filepath.IsAbs(p) { +- return !strings.HasPrefix(p, ".."+string(filepath.Separator)) +- } +- if !strings.HasSuffix(dir, string(filepath.Separator)) { +- dir += string(filepath.Separator) +- } +- return strings.HasPrefix(p, dir) ++ relativePath, _ := filepath.Rel(dir, p) ++ return !strings.HasPrefix(relativePath, "..") + } + +From cdfc12caf52754ea4026d5338a56ad4e6f822105 Mon Sep 17 00:00:00 2001 +From: Andy Feller +Date: Fri, 22 Nov 2024 15:26:11 -0500 +Subject: [PATCH 4/5] Expand logic and tests to handle edge cases + +This commit expands filepathDescendsFrom(string, string) to handle edge cases such as mixing absolute and relative paths or artifact name edge cases. + +Additionally, tests for filepathDescendsFrom() and downloadrun() have been expanded to verify additional use cases. +--- + pkg/cmd/run/download/download.go | 11 +- + pkg/cmd/run/download/download_test.go | 189 +++++++++++++++++++++++++- + pkg/cmd/run/download/zip.go | 21 ++- + pkg/cmd/run/download/zip_test.go | 80 +++++++++++ + 4 files changed, 297 insertions(+), 4 deletions(-) + +diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go +index 5bda2ba3da0..04ce7434051 100644 +--- a/pkg/cmd/run/download/download.go ++++ b/pkg/cmd/run/download/download.go +@@ -166,8 +166,15 @@ func runDownload(opts *DownloadOptions) error { + } + } + destDir := opts.DestinationDir +- // Why do we only include the artifact name in the destination directory if there are multiple? +- if len(wantPatterns) != 0 || len(wantNames) != 1 { ++ ++ // Isolate the downloaded artifact file to avoid potential conflicts from other downloaded artifacts when: ++ // ++ // 1. len(wantPatterns) > 0: Any pattern can result in 2+ artifacts ++ // 2. len(wantNames) == 0: User wants all artifacts regardless what they are named ++ // 3. len(wantNames) > 1: User wants multiple, specific artifacts ++ // ++ // Otherwise if a single artifact is wanted, then the protective subdirectory is an unnecessary inconvenience. ++ if len(wantPatterns) > 0 || len(wantNames) != 1 { + destDir = filepath.Join(destDir, a.Name) + } + +diff --git a/pkg/cmd/run/download/download_test.go b/pkg/cmd/run/download/download_test.go +index 0df94ccf498..aeab2027893 100644 +--- a/pkg/cmd/run/download/download_test.go ++++ b/pkg/cmd/run/download/download_test.go +@@ -207,7 +207,7 @@ func Test_runDownload(t *testing.T) { + wantErr string + }{ + { +- name: "download non-expired", ++ name: "download non-expired to relative directory", + opts: DownloadOptions{ + RunID: "2345", + DestinationDir: "./tmp", +@@ -253,6 +253,53 @@ func Test_runDownload(t *testing.T) { + filepath.Join("artifact-2", "artifact-2-file"), + }, + }, ++ { ++ name: "download non-expired to absolute directory", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ DestinationDir: "/tmp", ++ }, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "expired-artifact", ++ DownloadURL: "http://download.com/expired.zip", ++ Expired: true, ++ }, ++ files: []string{ ++ "expired", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-2", ++ DownloadURL: "http://download.com/artifact2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-2-file", ++ }, ++ }, ++ }, ++ }, ++ }, ++ expectedFiles: []string{ ++ filepath.Join("artifact-1", "artifact-1-file"), ++ filepath.Join("artifact-2", "artifact-2-file"), ++ }, ++ }, + { + name: "all artifacts are expired", + opts: DownloadOptions{ +@@ -322,6 +369,53 @@ func Test_runDownload(t *testing.T) { + expectedFiles: []string{}, + wantErr: "no artifact matches any of the names or patterns provided", + }, ++ { ++ name: "pattern matches", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ FilePatterns: []string{"artifact-*"}, ++ }, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "non-artifact-2", ++ DownloadURL: "http://download.com/non-artifact-2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "non-artifact-2-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-3", ++ DownloadURL: "http://download.com/artifact3.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-3-file", ++ }, ++ }, ++ }, ++ }, ++ }, ++ expectedFiles: []string{ ++ filepath.Join("artifact-1", "artifact-1-file"), ++ filepath.Join("artifact-3", "artifact-3-file"), ++ }, ++ }, + { + name: "no pattern matches", + opts: DownloadOptions{ +@@ -357,6 +451,99 @@ func Test_runDownload(t *testing.T) { + expectedFiles: []string{}, + wantErr: "no artifact matches any of the names or patterns provided", + }, ++ { ++ name: "want specific single artifact", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ Names: []string{"non-artifact-2"}, ++ }, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "non-artifact-2", ++ DownloadURL: "http://download.com/non-artifact-2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "non-artifact-2-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-3", ++ DownloadURL: "http://download.com/artifact3.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-3-file", ++ }, ++ }, ++ }, ++ }, ++ }, ++ expectedFiles: []string{ ++ filepath.Join("non-artifact-2-file"), ++ }, ++ }, ++ { ++ name: "want specific multiple artifacts", ++ opts: DownloadOptions{ ++ RunID: "2345", ++ Names: []string{"artifact-1", "artifact-3"}, ++ }, ++ platform: &fakePlatform{ ++ runArtifacts: map[string][]testArtifact{ ++ "2345": { ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-1", ++ DownloadURL: "http://download.com/artifact1.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-1-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "non-artifact-2", ++ DownloadURL: "http://download.com/non-artifact-2.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "non-artifact-2-file", ++ }, ++ }, ++ { ++ artifact: shared.Artifact{ ++ Name: "artifact-3", ++ DownloadURL: "http://download.com/artifact3.zip", ++ Expired: false, ++ }, ++ files: []string{ ++ "artifact-3-file", ++ }, ++ }, ++ }, ++ }, ++ }, ++ expectedFiles: []string{ ++ filepath.Join("artifact-1", "artifact-1-file"), ++ filepath.Join("artifact-3", "artifact-3-file"), ++ }, ++ }, + { + name: "avoid redownloading files of the same name", + opts: DownloadOptions{ +diff --git a/pkg/cmd/run/download/zip.go b/pkg/cmd/run/download/zip.go +index 52994199a9b..a68b75fd6b7 100644 +--- a/pkg/cmd/run/download/zip.go ++++ b/pkg/cmd/run/download/zip.go +@@ -71,6 +71,25 @@ func getPerm(m os.FileMode) os.FileMode { + } + + func filepathDescendsFrom(p, dir string) bool { +- relativePath, _ := filepath.Rel(dir, p) ++ // Regardless of the logic below, `p` is never allowed to be current directory `.` or parent directory `..` ++ // however we check explicitly here before filepath.Rel() which doesn't cover all cases. ++ p = filepath.Clean(p) ++ ++ if p == "." || p == ".." { ++ return false ++ } ++ ++ // filepathDescendsFrom() takes advantage of filepath.Rel() to determine if `p` is descended from `dir`: ++ // ++ // 1. filepath.Rel() calculates a path to traversal from fictious `dir` to `p`. ++ // 2. filepath.Rel() errors in a handful of cases where absolute and relative paths are compared as well as certain traversal edge cases ++ // For more information, https://github.com/golang/go/blob/00709919d09904b17cfe3bfeb35521cbd3fb04f8/src/path/filepath/path_test.go#L1510-L1515 ++ // 3. If the path to traverse `dir` to `p` requires `..`, then we know it is not descend from / contained in `dir` ++ // ++ // As-is, this function requires the caller to ensure `p` and `dir` are either 1) both relative or 2) both absolute. ++ relativePath, err := filepath.Rel(dir, p) ++ if err != nil { ++ return false ++ } + return !strings.HasPrefix(relativePath, "..") + } +diff --git a/pkg/cmd/run/download/zip_test.go b/pkg/cmd/run/download/zip_test.go +index ca401cdb9ed..b85122ec57a 100644 +--- a/pkg/cmd/run/download/zip_test.go ++++ b/pkg/cmd/run/download/zip_test.go +@@ -130,6 +130,86 @@ func Test_filepathDescendsFrom(t *testing.T) { + }, + want: false, + }, ++ { ++ name: "deny parent directory filename (`..`) escaping absolute directory", ++ args: args{ ++ p: filepath.FromSlash(".."), ++ dir: filepath.FromSlash("/var/logs/"), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny parent directory filename (`..`) escaping current directory", ++ args: args{ ++ p: filepath.FromSlash(".."), ++ dir: filepath.FromSlash("."), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny parent directory filename (`..`) escaping parent directory", ++ args: args{ ++ p: filepath.FromSlash(".."), ++ dir: filepath.FromSlash(".."), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny parent directory filename (`..`) escaping relative directory", ++ args: args{ ++ p: filepath.FromSlash(".."), ++ dir: filepath.FromSlash("relative-dir"), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny current directory filename (`.`) in absolute directory", ++ args: args{ ++ p: filepath.FromSlash("."), ++ dir: filepath.FromSlash("/var/logs/"), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny current directory filename (`.`) in current directory", ++ args: args{ ++ p: filepath.FromSlash("."), ++ dir: filepath.FromSlash("."), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny current directory filename (`.`) in parent directory", ++ args: args{ ++ p: filepath.FromSlash("."), ++ dir: filepath.FromSlash(".."), ++ }, ++ want: false, ++ }, ++ { ++ name: "deny current directory filename (`.`) in relative directory", ++ args: args{ ++ p: filepath.FromSlash("."), ++ dir: filepath.FromSlash("relative-dir"), ++ }, ++ want: false, ++ }, ++ { ++ name: "relative path, absolute dir", ++ args: args{ ++ p: filepath.FromSlash("whatever"), ++ dir: filepath.FromSlash("/a/b/c"), ++ }, ++ want: false, ++ }, ++ { ++ name: "absolute path, relative dir", ++ args: args{ ++ p: filepath.FromSlash("/a/b/c"), ++ dir: filepath.FromSlash("whatever"), ++ }, ++ want: false, ++ }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + +From 8720479b0bfc95450abb2ba88489f2893e4838a9 Mon Sep 17 00:00:00 2001 +From: Andy Feller +Date: Tue, 3 Dec 2024 13:33:00 -0500 +Subject: [PATCH 5/5] Consolidate logic for isolating artifacts + +--- + pkg/cmd/run/download/download.go | 34 ++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go +index 04ce7434051..8f25e84a228 100644 +--- a/pkg/cmd/run/download/download.go ++++ b/pkg/cmd/run/download/download.go +@@ -151,8 +151,10 @@ func runDownload(opts *DownloadOptions) error { + opts.IO.StartProgressIndicator() + defer opts.IO.StopProgressIndicator() + +- // track downloaded artifacts and avoid re-downloading any of the same name ++ // track downloaded artifacts and avoid re-downloading any of the same name, isolate if multiple artifacts + downloaded := set.NewStringSet() ++ isolateArtifacts := isolateArtifacts(wantNames, wantPatterns) ++ + for _, a := range artifacts { + if a.Expired { + continue +@@ -165,16 +167,9 @@ func runDownload(opts *DownloadOptions) error { + continue + } + } +- destDir := opts.DestinationDir + +- // Isolate the downloaded artifact file to avoid potential conflicts from other downloaded artifacts when: +- // +- // 1. len(wantPatterns) > 0: Any pattern can result in 2+ artifacts +- // 2. len(wantNames) == 0: User wants all artifacts regardless what they are named +- // 3. len(wantNames) > 1: User wants multiple, specific artifacts +- // +- // Otherwise if a single artifact is wanted, then the protective subdirectory is an unnecessary inconvenience. +- if len(wantPatterns) > 0 || len(wantNames) != 1 { ++ destDir := opts.DestinationDir ++ if isolateArtifacts { + destDir = filepath.Join(destDir, a.Name) + } + +@@ -196,6 +191,25 @@ func runDownload(opts *DownloadOptions) error { + return nil + } + ++func isolateArtifacts(wantNames []string, wantPatterns []string) bool { ++ if len(wantPatterns) > 0 { ++ // Patterns can match multiple artifacts ++ return true ++ } ++ ++ if len(wantNames) == 0 { ++ // All artifacts wanted regardless what they are named ++ return true ++ } ++ ++ if len(wantNames) > 1 { ++ // Multiple, specific artifacts wanted ++ return true ++ } ++ ++ return false ++} ++ + func matchAnyName(names []string, name string) bool { + for _, n := range names { + if name == n { diff --git a/SPECS/gh/gh.spec b/SPECS/gh/gh.spec index a427d4ed703..4e8e16fa9d3 100644 --- a/SPECS/gh/gh.spec +++ b/SPECS/gh/gh.spec @@ -1,7 +1,7 @@ Summary: GitHub official command line tool Name: gh Version: 2.62.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -14,7 +14,7 @@ Source0: https://github.com/cli/cli/archive/refs/tags/v%{version}.tar.gz# Source1: %{name}-%{version}-vendor.tar.gz Patch0: 0001-Fix-false-negative-in-TestMigrationWriteErrors-when-.patch - +Patch1: CVE-2024-54132.patch BuildRequires: golang < 1.23 BuildRequires: git Requires: git @@ -57,6 +57,9 @@ make test %{_datadir}/zsh/site-functions/_gh %changelog +* Fri Dec 13 2024 Sandeep Karambelkar - 2.62.0-2 +- Patch CVE-2024-54132 + * Mon Nov 18 2024 Vince Perri - 2.62.0-1 - Update to v2.62.0 From 6c40bbbe43be36ce6396a55e5d7fbf26aeed56f3 Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Fri, 20 Dec 2024 21:29:34 +0100 Subject: [PATCH 36/55] [AUTO-CHERRYPICK] telegraf: patch CVE-2024-45337 - branch 3.0-dev (#11572) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Aurélien Bombo --- SPECS/telegraf/CVE-2024-45337.patch | 77 +++++++++++++++++++++++++++++ SPECS/telegraf/telegraf.spec | 6 ++- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 SPECS/telegraf/CVE-2024-45337.patch diff --git a/SPECS/telegraf/CVE-2024-45337.patch b/SPECS/telegraf/CVE-2024-45337.patch new file mode 100644 index 00000000000..0c8df5f2421 --- /dev/null +++ b/SPECS/telegraf/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -157,7 +157,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 10c199c24c9..f222039a727 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.31.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,6 +11,7 @@ Source0: %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}. # Use the generate_source_tarbbal.sh script to get the vendored sources. Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2024-37298.patch +Patch1: CVE-2024-45337.patch BuildRequires: golang BuildRequires: systemd-devel Requires: logrotate @@ -77,6 +78,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Wed Dec 18 2024 Aurelien Bombo - 1.31.0-3 +- Patch CVE-2024-45337 + * Thu Jul 11 2024 Sumedh Sharma - 1.31.0-2 - Add patch for CVE-2024-37298 From 0ee34a679b5e65626c402b171c9938fdb5bb955f Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Fri, 20 Dec 2024 21:30:00 +0100 Subject: [PATCH 37/55] [AUTO-CHERRYPICK] Patch python-zipp for CVE-2024-5569 - branch 3.0-dev (#11573) Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> --- SPECS/python-zipp/CVE-2024-5569.patch | 88 +++++++++++++++++++++++++++ SPECS/python-zipp/python-zipp.spec | 8 ++- 2 files changed, 94 insertions(+), 2 deletions(-) create mode 100644 SPECS/python-zipp/CVE-2024-5569.patch diff --git a/SPECS/python-zipp/CVE-2024-5569.patch b/SPECS/python-zipp/CVE-2024-5569.patch new file mode 100644 index 00000000000..5150f7a6d88 --- /dev/null +++ b/SPECS/python-zipp/CVE-2024-5569.patch @@ -0,0 +1,88 @@ +From 5c5c9987169788d7cb55db9755f8b9981ebee515 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Wed, 18 Dec 2024 07:11:58 +0000 +Subject: [PATCH] Fix CVE Patch + +Signed-off-by: Kanishk-Bansal +--- + zipp/__init__.py | 64 +++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 63 insertions(+), 1 deletion(-) + +diff --git a/zipp/__init__.py b/zipp/__init__.py +index becd010..e980e9b 100644 +--- a/zipp/__init__.py ++++ b/zipp/__init__.py +@@ -84,7 +84,69 @@ class InitializedState: + super().__init__(*args, **kwargs) + + +-class CompleteDirs(InitializedState, zipfile.ZipFile): ++class SanitizedNames: ++ """ ++ ZipFile mix-in to ensure names are sanitized. ++ """ ++ ++ def namelist(self): ++ return list(map(self._sanitize, super().namelist())) ++ ++ @staticmethod ++ def _sanitize(name): ++ r""" ++ Ensure a relative path with posix separators and no dot names. ++ ++ Modeled after ++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 ++ but provides consistent cross-platform behavior. ++ ++ >>> san = SanitizedNames._sanitize ++ >>> san('/foo/bar') ++ 'foo/bar' ++ >>> san('//foo.txt') ++ 'foo.txt' ++ >>> san('foo/.././bar.txt') ++ 'foo/bar.txt' ++ >>> san('foo../.bar.txt') ++ 'foo../.bar.txt' ++ >>> san('\\foo\\bar.txt') ++ 'foo/bar.txt' ++ >>> san('D:\\foo.txt') ++ 'D/foo.txt' ++ >>> san('\\\\server\\share\\file.txt') ++ 'server/share/file.txt' ++ >>> san('\\\\?\\GLOBALROOT\\Volume3') ++ '?/GLOBALROOT/Volume3' ++ >>> san('\\\\.\\PhysicalDrive1\\root') ++ 'PhysicalDrive1/root' ++ ++ Retain any trailing slash. ++ >>> san('abc/') ++ 'abc/' ++ ++ Raises a ValueError if the result is empty. ++ >>> san('../..') ++ Traceback (most recent call last): ++ ... ++ ValueError: Empty filename ++ """ ++ ++ def allowed(part): ++ return part and part not in {'..', '.'} ++ ++ # Remove the drive letter. ++ # Don't use ntpath.splitdrive, because that also strips UNC paths ++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) ++ clean = bare.replace('\\', '/') ++ parts = clean.split('/') ++ joined = '/'.join(filter(allowed, parts)) ++ if not joined: ++ raise ValueError("Empty filename") ++ return joined + '/' * name.endswith('/') ++ ++ ++class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): + """ + A ZipFile subclass that ensures that implied directories + are always included in the namelist. +-- +2.45.2 + diff --git a/SPECS/python-zipp/python-zipp.spec b/SPECS/python-zipp/python-zipp.spec index ce356c902ad..ff82f90e551 100644 --- a/SPECS/python-zipp/python-zipp.spec +++ b/SPECS/python-zipp/python-zipp.spec @@ -3,12 +3,13 @@ Summary: Backport of pathlib-compatible object wrapper for zip files Name: python-%{pypi_name} Version: 3.17.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://github.com/jaraco/zipp Source0: %{pypi_source} +Patch0: CVE-2024-5569.patch BuildArch: noarch @@ -38,7 +39,7 @@ Summary: %{summary} A pathlib-compatible Zipfile object wrapper. A backport of the Path object. %prep -%autosetup -n %{pypi_name}-%{version} +%autosetup -n %{pypi_name}-%{version} -p1 %generate_buildrequires %pyproject_buildrequires -r @@ -61,6 +62,9 @@ rm -rf .pyproject-builddir %doc README.rst %changelog +* Wed Dec 18 2024 Kanishk Bansal - 3.17.0-3 +- Address CVE-2024-5569 with an upstream patch + * Fri Mar 01 2024 Andrew Phelps - 3.17.0-2 - Add BR for python-setuptools_scm From c4f5f08ebae697caeb9e682acf9b6ac8979bf3a1 Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Fri, 20 Dec 2024 21:31:41 +0100 Subject: [PATCH 38/55] [AUTO-CHERRYPICK] Fix CVE-2024-24786 for etcd in 3.0 - branch 3.0-dev (#11574) Co-authored-by: bhagyapathak --- SPECS/etcd/CVE-2024-24786.patch | 40 +++++++++++++++++++++++++++++++++ SPECS/etcd/etcd.spec | 9 ++++++-- 2 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 SPECS/etcd/CVE-2024-24786.patch diff --git a/SPECS/etcd/CVE-2024-24786.patch b/SPECS/etcd/CVE-2024-24786.patch new file mode 100644 index 00000000000..7d4b7aaf768 --- /dev/null +++ b/SPECS/etcd/CVE-2024-24786.patch @@ -0,0 +1,40 @@ +From bb1e9bdc04af19078578d008af166030916eef18 Mon Sep 17 00:00:00 2001 +From: bhapathak +Date: Tue, 3 Dec 2024 14:35:21 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/well_known_types.go | 3 +++ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..3a7d3e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -348,6 +348,9 @@ func (d decoder) skipJSONValue() error { + } + } + } ++ ++ case json.EOF: ++ return errors.New("unexpected EOF") + } + return nil + } +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/etcd/etcd.spec b/SPECS/etcd/etcd.spec index d178862b712..43fc23987a6 100644 --- a/SPECS/etcd/etcd.spec +++ b/SPECS/etcd/etcd.spec @@ -3,7 +3,7 @@ Summary: A highly-available key value store for shared configuration Name: etcd Version: 3.5.12 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -44,6 +44,7 @@ Source1: etcd.service # --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \ # -cJf [tarball name] [folder to tar] Source2: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-24786.patch BuildRequires: golang >= 1.16 %description @@ -60,7 +61,7 @@ The etcd-tools package contains the etcd-dump-db and etcd-dump-logs diagnostic tools. %prep -%autosetup -p1 +%autosetup -N -p1 tar --no-same-owner -xf %{SOURCE2} %build @@ -71,6 +72,7 @@ mkdir -p %{ETCD_OUT_DIR} for component in server etcdctl etcdutl; do pushd $component tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz + patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input %{PATCH0} go build \ -o %{ETCD_OUT_DIR} \ -ldflags=-X=go.etcd.io/etcd/api/v3/version.GitSHA=v%{version} @@ -145,6 +147,9 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd /%{_docdir}/%{name}-%{version}-tools/* %changelog +* Tue Dec 03 2024 bhapathak - 3.5.12-2 +- Patch CVE-2024-24786 + * Fri May 24 2024 CBL-Mariner Servicing Account - 3.5.12-1 - Auto-upgrade to 3.5.12 - none From 3be92e2d7bc53a4586a1d7be5cf8e5d6368d3256 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Fri, 20 Dec 2024 17:07:18 -0500 Subject: [PATCH 39/55] Reapply "Release bump systemd-boot to use new keys (#11439)" This reverts commit dd652a9b7578633b496dda102141ef6c2fb08144. --- .../systemd-boot-signed/systemd-boot-signed.spec | 9 ++++++++- SPECS/systemd/systemd.spec | 5 ++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec index 59a3ed26055..6178a71997b 100644 --- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec +++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec @@ -14,7 +14,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later Vendor: Microsoft Corporation Distribution: Azure Linux @@ -53,6 +53,9 @@ Provides: version(systemd-boot)%{_isa} = %version Obsoletes: systemd-udev < 252.2^ Conflicts: grub2-efi-binary +Recommends: shim >= 15.8-3 +Conflicts: shim < 15.8-3 + %description -n systemd-boot systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a graphical menu to select the entry to boot and an editor for the kernel command @@ -90,6 +93,10 @@ popd /boot/efi/EFI/BOOT/grubx64.efi %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key +- Add confilcts/recommends on shim to ensure the keys match + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Update sd-boot install location diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index 291aa6bbbb4..bf0b98fa483 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 18%{?dist} +Release: 19%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 @@ -1216,6 +1216,9 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Thu Dec 12 2024 Daniel McIlvaney - 255-19 +- Version bump to force signing with new Azure Linux secure boot key + * Fri Sep 13 2024 Thien Trung Vuong - 255-18 - Install systemd-boot binary to ESP From 49cf4ca6ae5d75ae684b5c783e874ad5dfc4f77e Mon Sep 17 00:00:00 2001 From: Rachel Menge Date: Fri, 20 Dec 2024 16:56:48 -0800 Subject: [PATCH 40/55] =?UTF-8?q?Reapply=20"TDX:=20Enable=20CONFIG=5FINTEL?= =?UTF-8?q?=5FTDX=5FGUEST,=20CONFIG=5FTDX=5FGUEST=5FDRIVER=20=E2=80=A6=20(?= =?UTF-8?q?#11623)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 5 ++++- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 5 ++++- SPECS/kernel-64k/kernel-64k.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/config | 3 ++- SPECS/kernel/kernel-uki.spec | 5 ++++- SPECS/kernel/kernel.signatures.json | 2 +- SPECS/kernel/kernel.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 13 files changed, 36 insertions(+), 14 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index a6ab283c372..4da14c6cea1 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -105,6 +105,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index b45ec622577..ae0e53b6a95 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 3dc88f1e79d..bea6122dc88 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -68,6 +68,9 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 4f2ec85b6d4..85265f408db 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -25,7 +25,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -370,6 +370,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Enable kexec signature verification diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 77d34b27719..388e731a002 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 0eecab7d127..b225406e6b8 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -380,7 +380,7 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y CONFIG_PARAVIRT_CLOCK=y # CONFIG_JAILHOUSE_GUEST is not set # CONFIG_ACRN_GUEST is not set -# CONFIG_INTEL_TDX_GUEST is not set +CONFIG_INTEL_TDX_GUEST=y # CONFIG_MK8 is not set # CONFIG_MPSC is not set # CONFIG_MCORE2 is not set @@ -6157,6 +6157,7 @@ CONFIG_VMGENID=y # CONFIG_NITRO_ENCLAVES is not set # CONFIG_EFI_SECRET is not set CONFIG_SEV_GUEST=y +CONFIG_TDX_GUEST_DRIVER=m CONFIG_VIRTIO_ANCHOR=y CONFIG_VIRTIO=y CONFIG_VIRTIO_PCI_LIB=y diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index edc6c72e7ba..86776ad1fae 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Bump release to match kernel + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 5b05220a50a..eda9fcf8ddd 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", - "config": "53cf68442824f43df68ee1105d1fe428474da2cc723610114d0409ad15a424d1", + "config": "651f9cab61a3eb370f7e6451d2115cce2c5f137f5d7e5f28234b5d07bf841d0f", "config_aarch64": "bfb4b4344045354a2ba518d11ae81fe5e3d45e9b11253ca2e199792543a9d624", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index f7a31ef1284..dcb9af69ab6 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -30,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.57.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -424,6 +424,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +- Enable CONFIG_INTEL_TDX_GUEST and CONFIG_TDX_GUEST_DRIVER + * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 - Bump release to match kernel-64k diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 2022cb8d619..061b5cfed51 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-7.azl3.noarch.rpm glibc-2.38-8.azl3.aarch64.rpm glibc-devel-2.38-8.azl3.aarch64.rpm glibc-i18n-2.38-8.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 17e2713c5c6..ab25a4670da 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-7.azl3.noarch.rpm glibc-2.38-8.azl3.x86_64.rpm glibc-devel-2.38-8.azl3.x86_64.rpm glibc-i18n-2.38-8.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index d35ee38a248..23f449f1015 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -156,7 +156,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-headers-6.6.57.1-7.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 71c81995c58..c4c92d558ef 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -163,8 +163,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.57.1-6.azl3.noarch.rpm -kernel-headers-6.6.57.1-6.azl3.noarch.rpm +kernel-cross-headers-6.6.57.1-7.azl3.noarch.rpm +kernel-headers-6.6.57.1-7.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm From 757476aea67ad8607e1fd50ae7a94910af976fba Mon Sep 17 00:00:00 2001 From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Fri, 20 Dec 2024 17:36:57 -0800 Subject: [PATCH 41/55] Enable arch conditionals in azurelinux-repos.spec (#11621) --- SPECS/azurelinux-repos/azurelinux-repos.spec | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/SPECS/azurelinux-repos/azurelinux-repos.spec b/SPECS/azurelinux-repos/azurelinux-repos.spec index 8935e2bd716..d1680ca2bfb 100644 --- a/SPECS/azurelinux-repos/azurelinux-repos.spec +++ b/SPECS/azurelinux-repos/azurelinux-repos.spec @@ -25,12 +25,17 @@ Source15: azurelinux-amd-preview.repo Requires: %{name}-shared = %{version}-%{release} +# Capture the built architecture before setting noarch in order to install the +# appropriate repos for x86_64 later in this spec +%ifarch x86_64 +%define buildx86 1 +%endif BuildArch: noarch %description Azure Linux repo files and gpg keys -%ifarch x86_64 +%if %{defined buildx86} %package amd Summary: Azure Linux AMD GPU repo file. Group: System Environment/Base @@ -162,7 +167,7 @@ install -m 644 %{SOURCE10} $REPO_DIRECTORY install -m 644 %{SOURCE11} $REPO_DIRECTORY install -m 644 %{SOURCE12} $REPO_DIRECTORY install -m 644 %{SOURCE13} $REPO_DIRECTORY -%ifarch x86_64 +%if %{defined buildx86} install -m 644 %{SOURCE14} $REPO_DIRECTORY install -m 644 %{SOURCE15} $REPO_DIRECTORY %endif @@ -183,7 +188,7 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90 %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-official-base.repo -%ifarch x86_64 +%if %{defined buildx86} %files amd %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/yum.repos.d/azurelinux-amd.repo @@ -242,7 +247,7 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90 %{_sysconfdir}/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY %changelog -* Thu Dec 19 2024 Gary Swalling - 3.0-4 +* Fri Dec 20 2024 Gary Swalling - 3.0-4 - Add amd .repo files. * Thu May 30 2024 Andrew Phelps - 3.0-3 From 96a8f874e2c7060512073a785e21d4a0a456925e Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Sun, 22 Dec 2024 08:15:48 -0500 Subject: [PATCH 42/55] Bump Release for January 2025 Update (#11641) --- SPECS/azurelinux-release/azurelinux-release.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SPECS/azurelinux-release/azurelinux-release.spec b/SPECS/azurelinux-release/azurelinux-release.spec index af9f904d209..116861abf90 100644 --- a/SPECS/azurelinux-release/azurelinux-release.spec +++ b/SPECS/azurelinux-release/azurelinux-release.spec @@ -5,7 +5,7 @@ Summary: Azure Linux release files Name: azurelinux-release Version: %{dist_version}.0 -Release: 22%{?dist} +Release: 23%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/ %{_sysctldir}/*.conf %changelog +* Sat Dec 21 2024 Jon Slobodzian - 3.0-23 +- Bump release for January 2025 Update + * Fri Nov 22 2024 CBL-Mariner Servicing Account - 3.0-22 - Bump release for December 2024 Update From 5b3ddc457609e55fdfe5d2075f27876ffd6cc50f Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Sun, 22 Dec 2024 14:17:34 +0100 Subject: [PATCH 43/55] [AUTO-CHERRYPICK] Upgrade DPDK for CVE-2024-11614 - branch 3.0-dev (#11633) Co-authored-by: jslobodzian --- SPECS/dpdk/dpdk.signatures.json | 2 +- SPECS/dpdk/dpdk.spec | 9 ++++++--- cgmanifest.json | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/SPECS/dpdk/dpdk.signatures.json b/SPECS/dpdk/dpdk.signatures.json index 94737603526..e9294c77ed3 100644 --- a/SPECS/dpdk/dpdk.signatures.json +++ b/SPECS/dpdk/dpdk.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "dpdk-23.11.tar.xz": "64fa58fdfc9e9510e8e414e3bedd165bd3d4ca465a231b280323f83cd53fd865" + "dpdk-23.11.3.tar.xz": "8e51836bc6524e0512f89eeca27532021fe0ccc7f764cf238ee283e7f416c185" } } diff --git a/SPECS/dpdk/dpdk.spec b/SPECS/dpdk/dpdk.spec index f4b67cc3564..e6980d1f545 100644 --- a/SPECS/dpdk/dpdk.spec +++ b/SPECS/dpdk/dpdk.spec @@ -29,8 +29,8 @@ %bcond_without tools Summary: Set of libraries and drivers for fast packet processing Name: dpdk -Version: 23.11 -Release: 2%{?dist} +Version: 23.11.3 +Release: 1%{?dist} License: BSD AND LGPLv2 AND GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -106,7 +106,7 @@ Vendor: Microsoft Corporation Distribution: Azure Linux %prep -%autosetup -p1 -n dpdk-%{version} +%autosetup -p1 -n dpdk-stable-%{version} %build CFLAGS="$(echo %{optflags} -fcommon)" \ @@ -179,6 +179,9 @@ CFLAGS="$(echo %{optflags} -fcommon)" \ %endif %changelog +* Fri Dec 20 2024 Jon Slobodzian - 23.11.3-1 +- Updgrade to 23.11.3 to resolve CVE-2024-11614. + * Thu Feb 22 2024 Pawel Winogrodzki - 23.11-2 - Updating naming for 3.0 version of Azure Linux. diff --git a/cgmanifest.json b/cgmanifest.json index a835a331c21..f8ae05f7559 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2968,8 +2968,8 @@ "type": "other", "other": { "name": "dpdk", - "version": "23.11", - "downloadUrl": "https://fast.dpdk.org/rel/dpdk-23.11.tar.xz" + "version": "23.11.3", + "downloadUrl": "https://fast.dpdk.org/rel/dpdk-23.11.3.tar.xz" } } }, From fbe1da46707a16ae885b9502fee56ce981438186 Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Sun, 22 Dec 2024 14:18:15 +0100 Subject: [PATCH 44/55] [AUTO-CHERRYPICK] docker-buildx, moby-engine: patch CVE-2024-45337 - branch 3.0-dev (#11630) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Aurélien Bombo --- SPECS/docker-buildx/CVE-2024-45337.patch | 77 ++++++++++++++++++++++++ SPECS/docker-buildx/docker-buildx.spec | 6 +- SPECS/moby-engine/CVE-2024-45337.patch | 77 ++++++++++++++++++++++++ SPECS/moby-engine/moby-engine.spec | 6 +- 4 files changed, 164 insertions(+), 2 deletions(-) create mode 100644 SPECS/docker-buildx/CVE-2024-45337.patch create mode 100644 SPECS/moby-engine/CVE-2024-45337.patch diff --git a/SPECS/docker-buildx/CVE-2024-45337.patch b/SPECS/docker-buildx/CVE-2024-45337.patch new file mode 100644 index 00000000000..0c8df5f2421 --- /dev/null +++ b/SPECS/docker-buildx/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -157,7 +157,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec index ce095179b50..104ef7d328e 100644 --- a/SPECS/docker-buildx/docker-buildx.spec +++ b/SPECS/docker-buildx/docker-buildx.spec @@ -4,13 +4,14 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi Name: docker-buildx # update "commit_hash" above when upgrading version Version: 0.14.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Group: Tools/Container Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.github.com/docker/buildx Source0: https://github.com/docker/buildx/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-45337.patch BuildRequires: bash BuildRequires: golang @@ -44,6 +45,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil %{_libexecdir}/docker/cli-plugins/docker-buildx %changelog +* Fri Dec 20 2024 Aurelien Bombo - 0.14.0-2 +- Add patch for CVE-2024-45337 + * Thu May 02 2024 CBL-Mariner Servicing Account - 0.14.0-1 - Auto-upgrade to 0.14.0 - address CVE-2024-23653 diff --git a/SPECS/moby-engine/CVE-2024-45337.patch b/SPECS/moby-engine/CVE-2024-45337.patch new file mode 100644 index 00000000000..0c8df5f2421 --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -157,7 +157,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 789167f9e9c..50f00c3f016 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -22,6 +22,7 @@ Patch4: CVE-2024-24786.patch Patch5: CVE-2024-36621.patch Patch6: CVE-2024-36620.patch Patch7: CVE-2024-36623.patch +Patch8: CVE-2024-45337.patch %{?systemd_requires} @@ -117,6 +118,9 @@ fi %{_unitdir}/* %changelog +* Fri Dec 20 2024 Aurelien Bombo - 25.0.3-9 +- Add patch for CVE-2024-45337 + * Wed Dec 04 2024 Adit Jha - 25.0.3-8 - Fix CVE-2024-36620, CVE-2024-36621, and CVE-2024-36623 with patches From e238f1c71eb63adcb86afdc03d580f2b0ac6b1a5 Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Sun, 22 Dec 2024 14:19:00 +0100 Subject: [PATCH 45/55] [AUTO-CHERRYPICK] cf-cli, kubevirt, packer: patch CVE-2024-45337 - branch 3.0-dev (#11629) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Aurélien Bombo --- SPECS/cf-cli/CVE-2024-45337.patch | 77 +++++++++++++++++++++++++++++ SPECS/cf-cli/cf-cli.spec | 7 ++- SPECS/kubevirt/CVE-2024-45337.patch | 77 +++++++++++++++++++++++++++++ SPECS/kubevirt/kubevirt.spec | 6 ++- SPECS/packer/CVE-2024-45337.patch | 77 +++++++++++++++++++++++++++++ SPECS/packer/packer.spec | 6 ++- 6 files changed, 247 insertions(+), 3 deletions(-) create mode 100644 SPECS/cf-cli/CVE-2024-45337.patch create mode 100644 SPECS/kubevirt/CVE-2024-45337.patch create mode 100644 SPECS/packer/CVE-2024-45337.patch diff --git a/SPECS/cf-cli/CVE-2024-45337.patch b/SPECS/cf-cli/CVE-2024-45337.patch new file mode 100644 index 00000000000..f7d2f6a6724 --- /dev/null +++ b/SPECS/cf-cli/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -142,7 +142,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -150,7 +150,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -172,9 +178,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec index 10020f6b21e..81c451c70ae 100644 --- a/SPECS/cf-cli/cf-cli.spec +++ b/SPECS/cf-cli/cf-cli.spec @@ -5,7 +5,7 @@ Summary: The official command line client for Cloud Foundry. Name: cf-cli # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA Version: 8.7.3 -Release: 3%{?dist} +Release: 4%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -33,6 +33,7 @@ Source0: https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version Source1: cli-%{version}-vendor.tar.gz Patch0: CVE-2023-39325.patch Patch1: CVE-2024-24786.patch +Patch2: CVE-2024-45337.patch BuildRequires: golang >= 1.18.3 %global debug_package %{nil} @@ -46,6 +47,7 @@ The official command line client for Cloud Foundry. tar --no-same-owner -xf %{SOURCE1} %patch 0 -p1 %patch 1 -p1 +%patch 2 -p1 %build export GOPATH=%{our_gopath} @@ -67,6 +69,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf %{_bindir}/cf %changelog +* Fri Dec 20 2024 Aurelien Bombo - 8.7.3-4 +- Add patch for CVE-2024-45337 + * Mon Nov 25 2024 Bala - 8.7.3-3 - Fix CVE-2024-24786 diff --git a/SPECS/kubevirt/CVE-2024-45337.patch b/SPECS/kubevirt/CVE-2024-45337.patch new file mode 100644 index 00000000000..f7d2f6a6724 --- /dev/null +++ b/SPECS/kubevirt/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -142,7 +142,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -150,7 +150,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -172,9 +178,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index 4f8a2dd3506..485280f1c6a 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -20,7 +20,7 @@ Summary: Container native virtualization Name: kubevirt Version: 1.2.0 -Release: 10%{?dist} +Release: 11%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -33,6 +33,7 @@ Source0: https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch Patch1: CVE-2023-48795.patch Patch2: CVE-2024-24786.patch +Patch3: CVE-2024-45337.patch %global debug_package %{nil} BuildRequires: swtpm-tools BuildRequires: glibc-devel @@ -273,6 +274,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog +* Fri Dec 20 2024 Aurelien Bombo - 1.2.0-11 +- Add patch for CVE-2024-45337 + * Mon Nov 25 2024 Bala - 1.2.0-10 - Fix for CVE-2024-24786 diff --git a/SPECS/packer/CVE-2024-45337.patch b/SPECS/packer/CVE-2024-45337.patch new file mode 100644 index 00000000000..f7d2f6a6724 --- /dev/null +++ b/SPECS/packer/CVE-2024-45337.patch @@ -0,0 +1,77 @@ +https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909.patch + +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 ++++++++++---- + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c0d1c29e6f..5b5ccd96f4 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -142,7 +142,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -150,7 +150,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -172,9 +178,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index e2f50e20492..e818b1c155f 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -4,7 +4,7 @@ Summary: Tool for creating identical machine images for multiple platforms from a single source configuration. Name: packer Version: 1.9.5 -Release: 3%{?dist} +Release: 4%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -36,6 +36,7 @@ Patch1: CVE-2022-3064.patch Patch2: CVE-2023-49569.patch Patch3: CVE-2024-6104.patch Patch4: CVE-2024-24786.patch +Patch5: CVE-2024-45337.patch BuildRequires: golang >= 1.17.1 BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -69,6 +70,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Fri Dec 20 2024 Aurelien Bombo - 1.9.5-4 +- Add patch for CVE-2024-45337 + * Mon Nov 25 2024 Bala - 1.9.5-3 - Patched CVE-2024-24786 From 7af8ddc36c8a44f339466989d63197ed716c38ac Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:49:26 -0800 Subject: [PATCH 46/55] [AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade erlang to 26.2.5.6 fix cve CVE-2024-53846 - branch 3.0-dev (#11652) --- SPECS/erlang/OTP-24-Code.patch | 237 ---------------------------- SPECS/erlang/erlang.signatures.json | 8 +- SPECS/erlang/erlang.spec | 12 +- cgmanifest.json | 4 +- 4 files changed, 13 insertions(+), 248 deletions(-) delete mode 100644 SPECS/erlang/OTP-24-Code.patch diff --git a/SPECS/erlang/OTP-24-Code.patch b/SPECS/erlang/OTP-24-Code.patch deleted file mode 100644 index aff1a242cb2..00000000000 --- a/SPECS/erlang/OTP-24-Code.patch +++ /dev/null @@ -1,237 +0,0 @@ -From 8508cef07d5d559e48d51d159a30f64897c3903f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Gustavsson?= -Date: Mon, 11 Mar 2024 07:41:23 +0100 -Subject: [PATCH 1/2] AArch64: Fix incorrect result for running code compiled - by OTP 24 - -On AArch64, when constructing a binary using the bit syntax, using a -unit greater than 16 and not being a power of two would, would cause -erroneous results. For example, given this module compiled with -Erlang/OTP 24: - - -module(t). - -export([bar/2]). - - bar(Contents, Size) -> - <>. - -only the first two bytes would be correctly set: - - 1> t:bar(-1, 1). - <<255,255,0,0:7>> - 2> t:bar(-1, 1). - <<255,255,149,35:7>> - 3> t:bar(-1, 1). - <<255,255,0,0:7>> - 4> t:bar(-1, 1). - <<255,255,3,0:7>> ---- - erts/emulator/beam/jit/arm/instr_bs.cpp | 9 ++------- - erts/emulator/test/Makefile | 1 + - erts/emulator/test/bs_construct_SUITE.erl | 10 ++++++++++ - 3 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/erts/emulator/beam/jit/arm/instr_bs.cpp b/erts/emulator/beam/jit/arm/instr_bs.cpp -index 2eb2d4201cf1..79349a095d91 100644 ---- a/erts/emulator/beam/jit/arm/instr_bs.cpp -+++ b/erts/emulator/beam/jit/arm/instr_bs.cpp -@@ -99,13 +99,8 @@ int BeamModuleAssembler::emit_bs_get_field_size(const ArgSource &Size, - a.lsl(out, out, imm(trailing_bits - _TAG_IMMED1_SIZE)); - } - } else { -- if (unit >= (1 << _TAG_IMMED1_SIZE)) { -- mov_imm(TMP1, unit >> _TAG_IMMED1_SIZE); -- } else { -- a.lsr(out, out, imm(_TAG_IMMED1_SIZE)); -- mov_imm(TMP1, unit); -- } -- -+ a.lsr(out, out, imm(_TAG_IMMED1_SIZE)); -+ mov_imm(TMP1, unit); - a.mul(out, out, TMP1); - } - -diff --git a/erts/emulator/test/Makefile b/erts/emulator/test/Makefile -index c058fe72d266..f87aabead35d 100644 ---- a/erts/emulator/test/Makefile -+++ b/erts/emulator/test/Makefile -@@ -152,6 +152,7 @@ NO_OPT= bs_bincomp \ - map - - R24= \ -+ bs_construct \ - process_max_heap_size - - R25= \ -diff --git a/erts/emulator/test/bs_construct_SUITE.erl b/erts/emulator/test/bs_construct_SUITE.erl -index adf893d9993a..3bbe53e5ab56 100644 ---- a/erts/emulator/test/bs_construct_SUITE.erl -+++ b/erts/emulator/test/bs_construct_SUITE.erl -@@ -1389,6 +1389,16 @@ do_zero_init_1(Size, LPad, RPad) -> - end()). - - error_info(_Config) -> -+ case ?MODULE of -+ bs_construct_r24_SUITE -> -+ %% Error information is not implemented for old bit syntax -+ %% instructions. -+ ok; -+ _ -> -+ error_info() -+ end. -+ -+error_info() -> - Atom = id(some_atom), - NegSize = id(-1), - HugeNegSize = id(-1 bsl 64), - -From 3ab2cc66a5c5abb049aec20043b45e428ece6d9a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Gustavsson?= -Date: Mon, 11 Mar 2024 10:19:55 +0100 -Subject: [PATCH 2/2] AArch64: Fix crash for running bit syntax code compiled - by OTP 24 - -This bug was introduced in 67c52b69250ebf. - -Closes #8238 ---- - erts/emulator/beam/jit/arm/instr_bs.cpp | 2 +- - erts/emulator/test/bs_construct_SUITE.erl | 22 +++++++- - .../otp_24_code_gh_8238.S | 50 +++++++++++++++++++ - .../otp_24_code_gh_8238.erl | 10 ++++ - 4 files changed, 81 insertions(+), 3 deletions(-) - create mode 100644 erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.S - create mode 100644 erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.erl - -diff --git a/erts/emulator/beam/jit/arm/instr_bs.cpp b/erts/emulator/beam/jit/arm/instr_bs.cpp -index 79349a095d91..09db80c2048d 100644 ---- a/erts/emulator/beam/jit/arm/instr_bs.cpp -+++ b/erts/emulator/beam/jit/arm/instr_bs.cpp -@@ -148,7 +148,7 @@ void BeamModuleAssembler::emit_i_bs_init_fail_heap(const ArgSource &Size, - } - - if (emit_bs_get_field_size(Size, 1, fail, ARG4) >= 0) { -- a.lsr(ARG4, ARG4, imm(3)); -+ a.lsl(ARG4, ARG4, imm(3)); - mov_arg(ARG5, Heap); - mov_arg(ARG6, Live); - fragment_call(ga->get_bs_init_bits_shared()); -diff --git a/erts/emulator/test/bs_construct_SUITE.erl b/erts/emulator/test/bs_construct_SUITE.erl -index 3bbe53e5ab56..66d538e1a271 100644 ---- a/erts/emulator/test/bs_construct_SUITE.erl -+++ b/erts/emulator/test/bs_construct_SUITE.erl -@@ -30,7 +30,9 @@ - otp_7422/1, zero_width/1, bad_append/1, bs_append_overflow/1, - bs_append_offheap/1, - reductions/1, fp16/1, zero_init/1, error_info/1, little/1, -- heap_binary_unit/1]). -+ heap_binary_unit/1, -+ otp_24_code_gh_8238/1 -+ ]). - - -include_lib("common_test/include/ct.hrl"). - -@@ -45,7 +47,8 @@ all() -> - copy_writable_binary, kostis, dynamic, bs_add, otp_7422, zero_width, - bad_append, bs_append_overflow, bs_append_offheap, - reductions, fp16, zero_init, -- error_info, little, heap_binary_unit]. -+ error_info, little, heap_binary_unit, -+ otp_24_code_gh_8238]. - - init_per_suite(Config) -> - Config. -@@ -1706,6 +1709,21 @@ heap_binary_unit_2(Variant, Rest) -> - {error2, Bin2} - end. - -+otp_24_code_gh_8238(Config) -> -+ case ?MODULE of -+ bs_construct_SUITE -> -+ %% GH-8238. Code compiled with Erlang/OTP 24 would crash -+ %% when run on OTP-26.2.3. -+ DataDir = proplists:get_value(data_dir, Config), -+ Asm = filename:join(DataDir, atom_to_list(?FUNCTION_NAME) ++ ".S"), -+ {ok,Mod,Beam} = compile:file(Asm, [binary,from_asm,report]), -+ {module,Mod} = code:load_binary(Mod, "", Beam), -+ Mod:Mod(), -+ ok; -+ _ -> -+ {skip,"Enough to run once"} -+ end. -+ - %%% - %%% Common utilities. - %%% -diff --git a/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.S b/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.S -new file mode 100644 -index 000000000000..7944fa818a69 ---- /dev/null -+++ b/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.S -@@ -0,0 +1,50 @@ -+{module, otp_24_code_gh_8238}. %% version = 0 -+ -+{exports, [{module_info,0},{module_info,1},{otp_24_code_gh_8238,0}]}. -+ -+{attributes, []}. -+ -+{labels, 7}. -+ -+ -+{function, otp_24_code_gh_8238, 0, 2}. -+ {label,1}. -+ {line,[{location,"otp_24_code_gh_8238.erl",4}]}. -+ {func_info,{atom,otp_24_code_gh_8238},{atom,otp_24_code_gh_8238},0}. -+ {label,2}. -+ {allocate,0,0}. -+ {move,{integer,1000},{x,0}}. -+ {line,[{location,"otp_24_code_gh_8238.erl",5}]}. -+ {call_ext,1,{extfunc,erlang,integer_to_binary,1}}. -+ {line,[{location,"otp_24_code_gh_8238.erl",6}]}. -+ {gc_bif,byte_size,{f,0},1,[{x,0}],{x,1}}. -+ {bs_add,{f,0},[{x,1},{integer,9},1],{x,1}}. -+ {bs_init2,{f,0},{x,1},2,2,{field_flags,[]},{x,1}}. -+ {bs_put_integer,{f,0}, -+ {integer,72}, -+ 1, -+ {field_flags,[unsigned,big]}, -+ {integer,1281499675772873685536}}. -+ {bs_put_binary,{f,0},{atom,all},8,{field_flags,[unsigned,big]},{x,0}}. -+ {put_list,{x,1},nil,{x,1}}. -+ {move,{literal,"~p\n"},{x,0}}. -+ {call_ext_last,2,{extfunc,io,format,2},0}. -+ -+ -+{function, module_info, 0, 4}. -+ {label,3}. -+ {line,[]}. -+ {func_info,{atom,otp_24_code_gh_8238},{atom,module_info},0}. -+ {label,4}. -+ {move,{atom,otp_24_code_gh_8238},{x,0}}. -+ {call_ext_only,1,{extfunc,erlang,get_module_info,1}}. -+ -+ -+{function, module_info, 1, 6}. -+ {label,5}. -+ {line,[]}. -+ {func_info,{atom,otp_24_code_gh_8238},{atom,module_info},1}. -+ {label,6}. -+ {move,{x,0},{x,1}}. -+ {move,{atom,otp_24_code_gh_8238},{x,0}}. -+ {call_ext_only,2,{extfunc,erlang,get_module_info,2}}. -diff --git a/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.erl b/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.erl -new file mode 100644 -index 000000000000..d18a7c096d0a ---- /dev/null -+++ b/erts/emulator/test/bs_construct_SUITE_data/otp_24_code_gh_8238.erl -@@ -0,0 +1,10 @@ -+-module(otp_24_code_gh_8238). -+-export([?MODULE/0]). -+ -+%% Produce otp_24_code_gh_8238.S using Erlang/OTP 24 like this: -+%% erlc -S +no_copt +no_ssa_opt otp_24_code_gh_8238.erl -+ -+?MODULE() -> -+ Bin = integer_to_binary(1000), -+ io:format("~p\n", [<<"Example: ", Bin/binary>>]). -+ diff --git a/SPECS/erlang/erlang.signatures.json b/SPECS/erlang/erlang.signatures.json index 1f7c2a71f30..a4dc48acefb 100644 --- a/SPECS/erlang/erlang.signatures.json +++ b/SPECS/erlang/erlang.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "erlang-26.2.3.tar.gz": "7a79e7955890b06572dbb3c3460771a71f729c15bc6ced018916a432669fd239" - } -} + "Signatures": { + "erlang-26.2.5.6.tar.gz": "371e59b98de59822e45fdbe50c18c8d8dd4c872990e7aaaba8a819e167186d03" + } +} \ No newline at end of file diff --git a/SPECS/erlang/erlang.spec b/SPECS/erlang/erlang.spec index 3ed804756ca..c6694b9ad93 100644 --- a/SPECS/erlang/erlang.spec +++ b/SPECS/erlang/erlang.spec @@ -1,15 +1,14 @@ %define debug_package %{nil} Summary: erlang Name: erlang -Version: 26.2.3 -Release: 2%{?dist} +Version: 26.2.5.6 +Release: 1%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages URL: https://erlang.org -Source0: https://github.com/erlang/otp/archive/OTP-%{version}/otp-OTP-%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch0: OTP-24-Code.patch +Source0: https://github.com/erlang/otp/archive/OTP-%{version}/otp-OTP-%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRequires: ncurses-devel BuildRequires: openssl-devel BuildRequires: unixODBC-devel @@ -54,6 +53,9 @@ export ERL_TOP=`pwd` %{_libdir}/erlang/* %changelog +* Fri Dec 13 2024 Ahmed Badawi - 26.2.5.6-1 +- Upgrade to 26.2.5.6 - fix cve CVE-2024-53846. Removed previous patch below as vulnerability is addressed in new version + * Mon Apr 01 2024 Sam Meluch - 26.2.3-2 - Add patch to fix issue when running with compiled code from OTP-24 on aarch64 @@ -91,4 +93,4 @@ export ERL_TOP=`pwd` - Updated Version * Mon Dec 12 2016 Priyesh Padmavilasom 19.1-1 -- Initial. +- Initial. \ No newline at end of file diff --git a/cgmanifest.json b/cgmanifest.json index f8ae05f7559..a3d80051169 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -3338,8 +3338,8 @@ "type": "other", "other": { "name": "erlang", - "version": "26.2.3", - "downloadUrl": "https://github.com/erlang/otp/archive/OTP-26.2.3/otp-OTP-26.2.3.tar.gz" + "version": "26.2.5.6", + "downloadUrl": "https://github.com/erlang/otp/archive/OTP-26.2.5.6/otp-OTP-26.2.5.6.tar.gz" } } }, From 3ae02d2825f176098ae9aec9e36fe13b456e3d5f Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:50:35 -0800 Subject: [PATCH 47/55] [AUTO-CHERRYPICK] Patch "tuned" package to fix CVE-2024-52336 and CVE-2024-52337 - branch 3.0-dev (#11651) Co-authored-by: Sandeep Karambelkar --- SPECS/tuned/CVE-2024-52336.patch | 281 +++++++++++++++++++++++++++++ SPECS/tuned/CVE-2024-52337.nopatch | 0 SPECS/tuned/tuned.spec | 6 +- 3 files changed, 286 insertions(+), 1 deletion(-) create mode 100644 SPECS/tuned/CVE-2024-52336.patch create mode 100644 SPECS/tuned/CVE-2024-52337.nopatch diff --git a/SPECS/tuned/CVE-2024-52336.patch b/SPECS/tuned/CVE-2024-52336.patch new file mode 100644 index 00000000000..e4d75fdba49 --- /dev/null +++ b/SPECS/tuned/CVE-2024-52336.patch @@ -0,0 +1,281 @@ +From 391843d28461cf2904dd646bd845e2203132497f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= +Date: Tue, 26 Nov 2024 13:52:17 +0100 +Subject: [PATCH] new release (2.15.1) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jaroslav Škarvada + +Modified patch 90c24eea037c7a5e9414c93f8fb3e549ed4a7b06 to apply to CBL-Mariner +Modified-by: Sandeep Karambelkar +--- + com.redhat.tuned.policy | 14 +++++++------- + tuned.spec | 10 +++++++++- + tuned/consts.py | 4 ++++ + tuned/daemon/controller.py | 15 +++++++++------ + tuned/plugins/base.py | 12 ++++++++++++ + tuned/plugins/plugin_script.py | 4 ++++ + tuned/utils/commands.py | 4 ++++ + tuned/version.py | 2 +- + 8 files changed, 50 insertions(+), 15 deletions(-) + +diff --git a/com.redhat.tuned.policy b/com.redhat.tuned.policy +index 824ae0c..89206f0 100644 +--- a/com.redhat.tuned.policy ++++ b/com.redhat.tuned.policy +@@ -43,7 +43,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -103,7 +103,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -113,7 +113,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -123,7 +123,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -163,7 +163,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -193,7 +193,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -203,7 +203,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +@@ -223,7 +223,7 @@ + + auth_admin + auth_admin +- yes ++ auth_admin + + + +diff --git a/tuned.spec b/tuned.spec +index 66e0936..d395829 100644 +--- a/tuned.spec ++++ b/tuned.spec +@@ -44,7 +44,7 @@ + + Summary: A dynamic adaptive system tuning daemon + Name: tuned +-Version: 2.21.0 ++Version: 2.21.1 + Release: 1%{?prerel1}%{?with_snapshot:.%{git_suffix}}%{?dist} + License: GPLv2+ + Source0: https://github.com/redhat-performance/%{name}/archive/v%{version}%{?prerel2}/%{name}-%{version}%{?prerel2}.tar.gz +@@ -557,6 +557,14 @@ fi + %{_mandir}/man7/tuned-profiles-openshift.7* + + %changelog ++* Tue Nov 26 2024 Jaroslav Škarvada - 2.21.1-1 ++- new release ++ - fixed privileged execution of arbitrary scripts by active local user ++ resolves: CVE-2024-52336 ++ - added sanity checks for API methods parameters ++ resolves: CVE-2024-52337 ++ - tuned-ppd: fixed controller init to correctly set _on_battery ++ + * Tue Aug 29 2023 Jaroslav Škarvada - 2.21.0-1 + - new release + - rebased tuned to latest upstream +diff --git a/tuned/consts.py b/tuned/consts.py +index b7fb215..7d22748 100644 +--- a/tuned/consts.py ++++ b/tuned/consts.py +@@ -1,4 +1,8 @@ + import logging ++import string ++ ++NAMES_ALLOWED_CHARS = string.ascii_letters + string.digits + " !@'+-.,/:;_$&*()%<=>?#[]{|}^~" + '"' ++NAMES_MAX_LENGTH = 4096 + + GLOBAL_CONFIG_FILE = "/etc/tuned/tuned-main.conf" + ACTIVE_PROFILE_FILE = "/etc/tuned/active_profile" +diff --git a/tuned/daemon/controller.py b/tuned/daemon/controller.py +index 1292a8a..e637ab4 100644 +--- a/tuned/daemon/controller.py ++++ b/tuned/daemon/controller.py +@@ -182,6 +182,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + def switch_profile(self, profile_name, caller = None): + if caller == "": + return (False, "Unauthorized") ++ if not self._cmd.is_valid_name(profile_name): ++ return (False, "Invalid profile_name") + return self._switch_profile(profile_name, True) + + @exports.export("", "(bs)") +@@ -255,7 +257,7 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + + @exports.export("s", "(bsss)") + def profile_info(self, profile_name, caller = None): +- if caller == "": ++ if caller == "" or not self._cmd.is_valid_name(profile_name): + return tuple(False, "", "", "") + if profile_name is None or profile_name == "": + profile_name = self.active_profile() +@@ -287,7 +289,7 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + dictionary -- {plugin_name: {parameter_name: default_value}} + """ + if caller == "": +- return False ++ return {} + plugins = {} + for plugin_class in self._daemon.get_all_plugins(): + plugin_name = plugin_class.__module__.split(".")[-1].split("_", 1)[1] +@@ -300,8 +302,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + @exports.export("s","s") + def get_plugin_documentation(self, plugin_name, caller = None): + """Return docstring of plugin's class""" +- if caller == "": +- return False ++ if caller == "" or not self._cmd.is_valid_name(plugin_name): ++ return "" + return self._daemon.get_plugin_documentation(str(plugin_name)) + + @exports.export("s","a{ss}") +@@ -314,8 +316,8 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + Return: + dictionary -- {parameter_name: hint} + """ +- if caller == "": +- return False ++ if caller == "" or not self._cmd.is_valid_name(plugin_name): ++ return {} + return self._daemon.get_plugin_hints(str(plugin_name)) + + @exports.export("s", "b") +@@ -328,7 +330,7 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + Return: + bool -- True on success + """ +- if caller == "": ++ if caller == "" or not self._cmd.is_valid_name(path): + return False + if self._daemon._application and self._daemon._application._unix_socket_exporter: + self._daemon._application._unix_socket_exporter.register_signal_path(path) +@@ -342,6 +344,10 @@ class Controller(tuned.exports.interfaces.ExportableInterface): + def instance_acquire_devices(self, devices, instance_name, caller = None): + if caller == "": + return (False, "Unauthorized") ++ if not self._cmd.is_valid_name(devices): ++ return (False, "Invalid devices") ++ if not self._cmd.is_valid_name(instance_name): ++ return (False, "Invalid instance_name") + found = False + for instance_target in self._daemon._unit_manager.instances: + if instance_target.name == instance_name: +diff --git a/tuned/plugins/base.py b/tuned/plugins/base.py +index 0c70987..d6db6ca 100644 +--- a/tuned/plugins/base.py ++++ b/tuned/plugins/base.py +@@ -212,6 +212,14 @@ class Plugin(object): + def _instance_post_static(self, instance, enabling): + pass + ++ def _safe_script_path(self, path): ++ path = os.path.realpath(path) ++ profile_paths = self._global_cfg.get_list(consts.CFG_PROFILE_DIRS, consts.CFG_DEF_PROFILE_DIRS) ++ for p in profile_paths: ++ if path.startswith(p): ++ return True ++ return False ++ + def _call_device_script(self, instance, script, op, devices, rollback = consts.ROLLBACK_SOFT): + if script is None: + return None +@@ -222,6 +230,10 @@ class Plugin(object): + log.error("Relative paths cannot be used in script_pre or script_post. " \ + + "Use ${i:PROFILE_DIR}.") + return False ++ if not self._safe_script_path(script): ++ log.error("Paths outside of the profile directories cannot be used in the " \ ++ + "script_pre or script_post, ignoring script: '%s'" % script) ++ return False + dir_name = os.path.dirname(script) + ret = True + for dev in devices: +diff --git a/tuned/plugins/plugin_script.py b/tuned/plugins/plugin_script.py +index ab605e4..5a5700f 100644 +--- a/tuned/plugins/plugin_script.py ++++ b/tuned/plugins/plugin_script.py +@@ -75,6 +75,10 @@ class ScriptPlugin(base.Plugin): + for script in scripts: + environ = os.environ + environ.update(self._variables.get_env()) ++ if not self._safe_script_path(script): ++ log.error("Paths outside of the profile directories cannot be used in the script, " \ ++ + "ignoring script: '%s'." % script) ++ continue + log.info("calling script '%s' with arguments '%s'" % (script, str(arguments))) + log.debug("using environment '%s'" % str(list(environ.items()))) + try: +diff --git a/tuned/utils/commands.py b/tuned/utils/commands.py +index 177474e..5ed4b2a 100644 +--- a/tuned/utils/commands.py ++++ b/tuned/utils/commands.py +@@ -523,3 +523,7 @@ class commands: + f.write(profile_name + "\n") + except (OSError,IOError) as e: + raise TunedException("Failed to save the active post-loaded profile: %s" % e.strerror) ++ ++ # Checks if name contains only valid characters and has valid length or is empty string or None ++ def is_valid_name(self, name): ++ return not name or (all(c in consts.NAMES_ALLOWED_CHARS for c in name) and len(name) <= consts.NAMES_MAX_LENGTH) +diff --git a/tuned/version.py b/tuned/version.py +index 28ff450..305b20d 100644 +--- a/tuned/version.py ++++ b/tuned/version.py +@@ -1,5 +1,5 @@ + TUNED_VERSION_MAJOR = 2 + TUNED_VERSION_MINOR = 21 +-TUNED_VERSION_PATCH = 0 ++TUNED_VERSION_PATCH = 1 + + TUNED_VERSION_STR = "%d.%d.%d" % (TUNED_VERSION_MAJOR, TUNED_VERSION_MINOR, TUNED_VERSION_PATCH) diff --git a/SPECS/tuned/CVE-2024-52337.nopatch b/SPECS/tuned/CVE-2024-52337.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/tuned/tuned.spec b/SPECS/tuned/tuned.spec index e6150186354..12d5c437017 100644 --- a/SPECS/tuned/tuned.spec +++ b/SPECS/tuned/tuned.spec @@ -7,12 +7,13 @@ Summary: A dynamic adaptive system tuning daemon Name: tuned Version: 2.21.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux Source0: https://github.com/redhat-performance/%{name}/archive/v%{version}%{?prerel2}/%{name}-%{version}%{?prerel2}.tar.gz Patch0: skip-gui-files.patch +Patch1: CVE-2024-52336.patch URL: http://www.tuned-project.org/ BuildArch: noarch @@ -428,6 +429,9 @@ fi %{_mandir}/man7/tuned-profiles-openshift.7* %changelog +* Wed Dec 11 2024 Sandeep Karambelkar 2.21.0-2 +- Fix CVEs - CVE-2024-52336 CVE-2024-52337 + * Tue Jan 16 2024 Sharath Srikanth Chellappa 2.21.0-1 - Upgrade package version to 2.21.0 - Modifying SPEC file to reflect upstream changes (https://github.com/redhat-performance/tuned/blob/v2.21.0/tuned.spec) From 4258356391524b6217785b36c3ce8b1a2c5b33e1 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:51:22 -0800 Subject: [PATCH 48/55] [AUTO-CHERRYPICK] [AUTOPATCHER-CORE] Upgrade kubernetes to 1.30.3 Fix CVE-2024-10220 - branch 3.0-dev (#11649) --- SPECS/kubernetes/kubernetes.signatures.json | 2 +- SPECS/kubernetes/kubernetes.spec | 7 +++++-- cgmanifest.json | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/kubernetes/kubernetes.signatures.json b/SPECS/kubernetes/kubernetes.signatures.json index c3bc7fdb1d4..c665825e132 100644 --- a/SPECS/kubernetes/kubernetes.signatures.json +++ b/SPECS/kubernetes/kubernetes.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { "kubelet.service": "3be41509e18552113367252397cbd7a28e2c481de04ec54f09e232ffabda16d2", - "kubernetes-v1.30.1.tar.gz": "e06188c08ff6bd651cdb8d6baa37ceb7906eaf1e165bbe5d74d8e0cd1d19136e" + "kubernetes-v1.30.3.tar.gz": "64d800416cee3e1753452632fb39222de87e3f08d134e6f977f9613c5f3019c1" } } diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index d1cbb64168f..26a094aa632 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -9,8 +9,8 @@ %define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' Summary: Microsoft Kubernetes Name: kubernetes -Version: 1.30.1 -Release: 4%{?dist} +Version: 1.30.3 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -271,6 +271,9 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Wed Dec 11 2024 CBL-Mariner Servicing Account - 1.30.3-1 +- Auto-upgrade to 1.30.3 - Fix CVE-2024-10220 + * Tue Oct 01 2024 Henry Li - 1.30.1-4 - Add patch to resolve CVE-2024-28180 diff --git a/cgmanifest.json b/cgmanifest.json index a3d80051169..e724680b882 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -8361,8 +8361,8 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.30.1", - "downloadUrl": "https://dl.k8s.io/v1.30.1/kubernetes-src.tar.gz" + "version": "1.30.3", + "downloadUrl": "https://dl.k8s.io/v1.30.3/kubernetes-src.tar.gz" } } }, From ec3754a88f2704d975db8b67ff0e3d3b9331f378 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:52:31 -0800 Subject: [PATCH 49/55] [AUTO-CHERRYPICK] Fix CVE-2024-53899 for python-virtualenv - branch 3.0-dev (#11648) Co-authored-by: Sudipta Pandit --- SPECS/python-virtualenv/CVE-2024-53899.patch | 421 ++++++++++++++++++ .../python-virtualenv/python-virtualenv.spec | 8 +- 2 files changed, 427 insertions(+), 2 deletions(-) create mode 100644 SPECS/python-virtualenv/CVE-2024-53899.patch diff --git a/SPECS/python-virtualenv/CVE-2024-53899.patch b/SPECS/python-virtualenv/CVE-2024-53899.patch new file mode 100644 index 00000000000..798ad566216 --- /dev/null +++ b/SPECS/python-virtualenv/CVE-2024-53899.patch @@ -0,0 +1,421 @@ +From f18ac23159a5ec6763eb91be51218cb2ea29dbd2 Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Wed, 11 Dec 2024 14:14:56 +0530 +Subject: [PATCH] Backport fix for CVE-2024-53899 + +Reference: https://github.com/pypa/virtualenv/pull/2771 +--- + src/virtualenv/activation/bash/activate.sh | 8 ++++---- + src/virtualenv/activation/batch/__init__.py | 4 ++++ + src/virtualenv/activation/cshell/activate.csh | 8 ++++---- + src/virtualenv/activation/fish/activate.fish | 8 ++++---- + src/virtualenv/activation/nushell/__init__.py | 19 ++++++++++++++++++ + src/virtualenv/activation/nushell/activate.nu | 8 ++++---- + .../activation/powershell/__init__.py | 12 +++++++++++ + .../activation/powershell/activate.ps1 | 6 +++--- + src/virtualenv/activation/python/__init__.py | 6 +++++- + .../activation/python/activate_this.py | 8 ++++---- + src/virtualenv/activation/via_template.py | 13 +++++++++++- + tests/conftest.py | 6 +++++- + tests/unit/activation/conftest.py | 3 +-- + tests/unit/activation/test_batch.py | 10 +++++----- + tests/unit/activation/test_powershell.py | 20 ++++++++++++++----- + 15 files changed, 101 insertions(+), 38 deletions(-) + +diff --git a/src/virtualenv/activation/bash/activate.sh b/src/virtualenv/activation/bash/activate.sh +index b06e3fd..e412509 100644 +--- a/src/virtualenv/activation/bash/activate.sh ++++ b/src/virtualenv/activation/bash/activate.sh +@@ -45,18 +45,18 @@ deactivate () { + # unset irrelevant variables + deactivate nondestructive + +-VIRTUAL_ENV='__VIRTUAL_ENV__' ++VIRTUAL_ENV=__VIRTUAL_ENV__ + if ([ "$OSTYPE" = "cygwin" ] || [ "$OSTYPE" = "msys" ]) && $(command -v cygpath &> /dev/null) ; then + VIRTUAL_ENV=$(cygpath -u "$VIRTUAL_ENV") + fi + export VIRTUAL_ENV + + _OLD_VIRTUAL_PATH="$PATH" +-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH" ++PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH" + export PATH + +-if [ "x__VIRTUAL_PROMPT__" != x ] ; then +- VIRTUAL_ENV_PROMPT="__VIRTUAL_PROMPT__" ++if [ "x"__VIRTUAL_PROMPT__ != x ] ; then ++ VIRTUAL_ENV_PROMPT=__VIRTUAL_PROMPT__ + else + VIRTUAL_ENV_PROMPT=$(basename "$VIRTUAL_ENV") + fi +diff --git a/src/virtualenv/activation/batch/__init__.py b/src/virtualenv/activation/batch/__init__.py +index a6d58eb..3d74ba8 100644 +--- a/src/virtualenv/activation/batch/__init__.py ++++ b/src/virtualenv/activation/batch/__init__.py +@@ -15,6 +15,10 @@ class BatchActivator(ViaTemplateActivator): + yield "deactivate.bat" + yield "pydoc.bat" + ++ @staticmethod ++ def quote(string): ++ return string ++ + def instantiate_template(self, replacements, template, creator): + # ensure the text has all newlines as \r\n - required by batch + base = super().instantiate_template(replacements, template, creator) +diff --git a/src/virtualenv/activation/cshell/activate.csh b/src/virtualenv/activation/cshell/activate.csh +index f0c9cca..24de550 100644 +--- a/src/virtualenv/activation/cshell/activate.csh ++++ b/src/virtualenv/activation/cshell/activate.csh +@@ -10,15 +10,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA + # Unset irrelevant variables. + deactivate nondestructive + +-setenv VIRTUAL_ENV '__VIRTUAL_ENV__' ++setenv VIRTUAL_ENV __VIRTUAL_ENV__ + + set _OLD_VIRTUAL_PATH="$PATH:q" +-setenv PATH "$VIRTUAL_ENV:q/__BIN_NAME__:$PATH:q" ++setenv PATH "$VIRTUAL_ENV:q/"__BIN_NAME__":$PATH:q" + + + +-if ('__VIRTUAL_PROMPT__' != "") then +- setenv VIRTUAL_ENV_PROMPT '__VIRTUAL_PROMPT__' ++if (__VIRTUAL_PROMPT__ != "") then ++ setenv VIRTUAL_ENV_PROMPT __VIRTUAL_PROMPT__ + else + setenv VIRTUAL_ENV_PROMPT "$VIRTUAL_ENV:t:q" + endif +diff --git a/src/virtualenv/activation/fish/activate.fish b/src/virtualenv/activation/fish/activate.fish +index fcedde4..4c614c3 100644 +--- a/src/virtualenv/activation/fish/activate.fish ++++ b/src/virtualenv/activation/fish/activate.fish +@@ -58,7 +58,7 @@ end + # Unset irrelevant variables. + deactivate nondestructive + +-set -gx VIRTUAL_ENV '__VIRTUAL_ENV__' ++set -gx VIRTUAL_ENV __VIRTUAL_ENV__ + + # https://github.com/fish-shell/fish-shell/issues/436 altered PATH handling + if test (echo $FISH_VERSION | head -c 1) -lt 3 +@@ -66,12 +66,12 @@ if test (echo $FISH_VERSION | head -c 1) -lt 3 + else + set -gx _OLD_VIRTUAL_PATH $PATH + end +-set -gx PATH "$VIRTUAL_ENV"'/__BIN_NAME__' $PATH ++set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH + + # Prompt override provided? + # If not, just use the environment name. +-if test -n '__VIRTUAL_PROMPT__' +- set -gx VIRTUAL_ENV_PROMPT '__VIRTUAL_PROMPT__' ++if test -n __VIRTUAL_PROMPT__ ++ set -gx VIRTUAL_ENV_PROMPT __VIRTUAL_PROMPT__ + else + set -gx VIRTUAL_ENV_PROMPT (basename "$VIRTUAL_ENV") + end +diff --git a/src/virtualenv/activation/nushell/__init__.py b/src/virtualenv/activation/nushell/__init__.py +index 68cd4a3..ef7a79a 100644 +--- a/src/virtualenv/activation/nushell/__init__.py ++++ b/src/virtualenv/activation/nushell/__init__.py +@@ -7,6 +7,25 @@ class NushellActivator(ViaTemplateActivator): + def templates(self): + yield "activate.nu" + ++ @staticmethod ++ def quote(string): ++ """ ++ Nushell supports raw strings like: r###'this is a string'###. ++ ++ This method finds the maximum continuous sharps in the string and then ++ quote it with an extra sharp. ++ """ ++ max_sharps = 0 ++ current_sharps = 0 ++ for char in string: ++ if char == "#": ++ current_sharps += 1 ++ max_sharps = max(current_sharps, max_sharps) ++ else: ++ current_sharps = 0 ++ wrapping = "#" * (max_sharps + 1) ++ return f"r{wrapping}'{string}'{wrapping}" ++ + def replacements(self, creator, dest_folder): # noqa: ARG002 + return { + "__VIRTUAL_PROMPT__": "" if self.flag_prompt is None else self.flag_prompt, +diff --git a/src/virtualenv/activation/nushell/activate.nu b/src/virtualenv/activation/nushell/activate.nu +index 19d4fa1..00a41e0 100644 +--- a/src/virtualenv/activation/nushell/activate.nu ++++ b/src/virtualenv/activation/nushell/activate.nu +@@ -32,8 +32,8 @@ export-env { + } + } + +- let virtual_env = '__VIRTUAL_ENV__' +- let bin = '__BIN_NAME__' ++ let virtual_env = __VIRTUAL_ENV__ ++ let bin = __BIN_NAME__ + + let is_windows = ($nu.os-info.family) == 'windows' + let path_name = (if (has-env 'Path') { +@@ -47,10 +47,10 @@ export-env { + let new_path = ($env | get $path_name | prepend $venv_path) + + # If there is no default prompt, then use the env name instead +- let virtual_env_prompt = (if ('__VIRTUAL_PROMPT__' | is-empty) { ++ let virtual_env_prompt = (if (__VIRTUAL_PROMPT__ | is-empty) { + ($virtual_env | path basename) + } else { +- '__VIRTUAL_PROMPT__' ++ __VIRTUAL_PROMPT__ + }) + + let new_env = { +diff --git a/src/virtualenv/activation/powershell/__init__.py b/src/virtualenv/activation/powershell/__init__.py +index 1f6d0f4..8489656 100644 +--- a/src/virtualenv/activation/powershell/__init__.py ++++ b/src/virtualenv/activation/powershell/__init__.py +@@ -7,6 +7,18 @@ class PowerShellActivator(ViaTemplateActivator): + def templates(self): + yield "activate.ps1" + ++ @staticmethod ++ def quote(string): ++ """ ++ This should satisfy PowerShell quoting rules [1], unless the quoted ++ string is passed directly to Windows native commands [2]. ++ ++ [1]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules ++ [2]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parsing#passing-arguments-that-contain-quote-characters ++ """ # noqa: D205 ++ string = string.replace("'", "''") ++ return f"'{string}'" ++ + + __all__ = [ + "PowerShellActivator", +diff --git a/src/virtualenv/activation/powershell/activate.ps1 b/src/virtualenv/activation/powershell/activate.ps1 +index 5ccfe12..bd30e2e 100644 +--- a/src/virtualenv/activation/powershell/activate.ps1 ++++ b/src/virtualenv/activation/powershell/activate.ps1 +@@ -37,8 +37,8 @@ deactivate -nondestructive + $VIRTUAL_ENV = $BASE_DIR + $env:VIRTUAL_ENV = $VIRTUAL_ENV + +-if ("__VIRTUAL_PROMPT__" -ne "") { +- $env:VIRTUAL_ENV_PROMPT = "__VIRTUAL_PROMPT__" ++if (__VIRTUAL_PROMPT__ -ne "") { ++ $env:VIRTUAL_ENV_PROMPT = __VIRTUAL_PROMPT__ + } + else { + $env:VIRTUAL_ENV_PROMPT = $( Split-Path $env:VIRTUAL_ENV -Leaf ) +@@ -46,7 +46,7 @@ else { + + New-Variable -Scope global -Name _OLD_VIRTUAL_PATH -Value $env:PATH + +-$env:PATH = "$env:VIRTUAL_ENV/__BIN_NAME____PATH_SEP__" + $env:PATH ++$env:PATH = "$env:VIRTUAL_ENV/" + __BIN_NAME__ + __PATH_SEP__ + $env:PATH + if (!$env:VIRTUAL_ENV_DISABLE_PROMPT) { + function global:_old_virtual_prompt { + "" +diff --git a/src/virtualenv/activation/python/__init__.py b/src/virtualenv/activation/python/__init__.py +index 3126a39..e900f7e 100644 +--- a/src/virtualenv/activation/python/__init__.py ++++ b/src/virtualenv/activation/python/__init__.py +@@ -10,10 +10,14 @@ class PythonActivator(ViaTemplateActivator): + def templates(self): + yield "activate_this.py" + ++ @staticmethod ++ def quote(string): ++ return repr(string) ++ + def replacements(self, creator, dest_folder): + replacements = super().replacements(creator, dest_folder) + lib_folders = OrderedDict((os.path.relpath(str(i), str(dest_folder)), None) for i in creator.libs) +- lib_folders = os.pathsep.join(lib_folders.keys()).replace("\\", "\\\\") # escape Windows path characters ++ lib_folders = os.pathsep.join(lib_folders.keys()) + replacements.update( + { + "__LIB_FOLDERS__": lib_folders, +diff --git a/src/virtualenv/activation/python/activate_this.py b/src/virtualenv/activation/python/activate_this.py +index 8066af1..97e0777 100644 +--- a/src/virtualenv/activation/python/activate_this.py ++++ b/src/virtualenv/activation/python/activate_this.py +@@ -18,18 +18,18 @@ except NameError as exc: + raise AssertionError(msg) from exc + + bin_dir = os.path.dirname(abs_file) +-base = bin_dir[: -len("__BIN_NAME__") - 1] # strip away the bin part from the __file__, plus the path separator ++base = bin_dir[: -len(__BIN_NAME__) - 1] # strip away the bin part from the __file__, plus the path separator + + # prepend bin to PATH (this file is inside the bin directory) + os.environ["PATH"] = os.pathsep.join([bin_dir, *os.environ.get("PATH", "").split(os.pathsep)]) + os.environ["VIRTUAL_ENV"] = base # virtual env is right above bin directory +-os.environ["VIRTUAL_ENV_PROMPT"] = "__VIRTUAL_PROMPT__" or os.path.basename(base) # noqa: SIM222 ++os.environ["VIRTUAL_ENV_PROMPT"] = __VIRTUAL_PROMPT__ or os.path.basename(base) + + # add the virtual environments libraries to the host python import mechanism + prev_length = len(sys.path) +-for lib in "__LIB_FOLDERS__".split(os.pathsep): ++for lib in __LIB_FOLDERS__.split(os.pathsep): + path = os.path.realpath(os.path.join(bin_dir, lib)) +- site.addsitedir(path.decode("utf-8") if "__DECODE_PATH__" else path) ++ site.addsitedir(path.decode("utf-8") if __DECODE_PATH__ else path) + sys.path[:] = sys.path[prev_length:] + sys.path[0:prev_length] + + sys.real_prefix = sys.prefix +diff --git a/src/virtualenv/activation/via_template.py b/src/virtualenv/activation/via_template.py +index 239318c..94e3639 100644 +--- a/src/virtualenv/activation/via_template.py ++++ b/src/virtualenv/activation/via_template.py +@@ -2,6 +2,7 @@ from __future__ import annotations + + import os + import sys ++import shlex + from abc import ABCMeta, abstractmethod + + from .activator import Activator +@@ -21,6 +22,16 @@ class ViaTemplateActivator(Activator, metaclass=ABCMeta): + def templates(self): + raise NotImplementedError + ++ @staticmethod ++ def quote(string): ++ """ ++ Quote strings in the activation script. ++ ++ :param string: the string to quote ++ :return: quoted string that works in the activation script ++ """ ++ return shlex.quote(string) ++ + def generate(self, creator): + dest_folder = creator.bin_dir + replacements = self.replacements(creator, dest_folder) +@@ -61,7 +72,7 @@ class ViaTemplateActivator(Activator, metaclass=ABCMeta): + text = binary.decode("utf-8", errors="strict") + for key, value in replacements.items(): + value_uni = self._repr_unicode(creator, value) +- text = text.replace(key, value_uni) ++ text = text.replace(key, self.quote(value_uni)) + return text + + @staticmethod +diff --git a/tests/conftest.py b/tests/conftest.py +index bec6d8f..869ca10 100644 +--- a/tests/conftest.py ++++ b/tests/conftest.py +@@ -275,7 +275,11 @@ def is_inside_ci(): + + @pytest.fixture(scope="session") + def special_char_name(): +- base = "e-$ èрт🚒♞中片-j" ++ base = "'\";&&e-$ èрт🚒♞中片-j" ++ if IS_WIN: ++ # get rid of invalid characters on Windows ++ base = base.replace('"', "") ++ base = base.replace(";", "") + # workaround for pypy3 https://bitbucket.org/pypy/pypy/issues/3147/venv-non-ascii-support-windows + encoding = "ascii" if IS_WIN else sys.getfilesystemencoding() + # let's not include characters that the file system cannot encode) +diff --git a/tests/unit/activation/conftest.py b/tests/unit/activation/conftest.py +index 4811d07..bc66dd9 100644 +--- a/tests/unit/activation/conftest.py ++++ b/tests/unit/activation/conftest.py +@@ -6,7 +6,6 @@ import subprocess + import sys + from os.path import dirname, normcase + from pathlib import Path +-from shlex import quote + from subprocess import Popen + + import pytest +@@ -153,7 +152,7 @@ class ActivationTester: + assert out[-1] == "None", raw + + def quote(self, s): +- return quote(s) ++ return self.of_class.quote(s) + + def python_cmd(self, cmd): + return f"{os.path.basename(sys.executable)} -c {self.quote(cmd)}" +diff --git a/tests/unit/activation/test_batch.py b/tests/unit/activation/test_batch.py +index 10dc41b..5ea0652 100644 +--- a/tests/unit/activation/test_batch.py ++++ b/tests/unit/activation/test_batch.py +@@ -1,7 +1,5 @@ + from __future__ import annotations + +-from shlex import quote +- + import pytest + + from virtualenv.activation import BatchActivator +@@ -27,10 +25,12 @@ def test_batch(activation_tester_class, activation_tester, tmp_path): + return ["@echo off", "", "chcp 65001 1>NUL", *super()._get_test_lines(activate_script)] + + def quote(self, s): +- """double quotes needs to be single, and single need to be double""" +- return "".join(("'" if c == '"' else ('"' if c == "'" else c)) for c in quote(s)) ++ if '"' in s or " " in s: ++ text = s.replace('"', r"\"") ++ return f'"{text}"' ++ return s + + def print_prompt(self): +- return "echo %PROMPT%" ++ return 'echo "%PROMPT%"' + + activation_tester(Batch) +diff --git a/tests/unit/activation/test_powershell.py b/tests/unit/activation/test_powershell.py +index c454d69..8c66a9d 100644 +--- a/tests/unit/activation/test_powershell.py ++++ b/tests/unit/activation/test_powershell.py +@@ -1,7 +1,6 @@ + from __future__ import annotations + + import sys +-from shlex import quote + + import pytest + +@@ -21,10 +20,6 @@ def test_powershell(activation_tester_class, activation_tester, monkeypatch): + self.activate_cmd = "." + self.script_encoding = "utf-16" + +- def quote(self, s): +- """powershell double quote needed for quotes within single quotes""" +- return quote(s).replace('"', '""') +- + def _get_test_lines(self, activate_script): + # for BATCH utf-8 support need change the character code page to 650001 + return super()._get_test_lines(activate_script) +@@ -35,4 +30,19 @@ def test_powershell(activation_tester_class, activation_tester, monkeypatch): + def print_prompt(self): + return "prompt" + ++ def quote(self, s): ++ """ ++ Tester will pass strings to native commands on Windows so extra ++ parsing rules are used. Check `PowerShellActivator.quote` for more ++ details. ++ """ ++ text = PowerShellActivator.quote(s) ++ return text.replace('"', '""') if sys.platform == "win32" else text ++ ++ def activate_call(self, script): ++ # Commands are called without quotes in PowerShell ++ cmd = self.activate_cmd ++ scr = self.quote(str(script)) ++ return f"{cmd} {scr}".strip() ++ + activation_tester(PowerShell) +-- +2.34.1 + diff --git a/SPECS/python-virtualenv/python-virtualenv.spec b/SPECS/python-virtualenv/python-virtualenv.spec index b8f8b1499b9..ee8cf8739cf 100644 --- a/SPECS/python-virtualenv/python-virtualenv.spec +++ b/SPECS/python-virtualenv/python-virtualenv.spec @@ -1,7 +1,7 @@ Summary: Virtual Python Environment builder Name: python-virtualenv Version: 20.25.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,7 @@ Group: Development/Languages/Python URL: https://pypi.python.org/pypi/virtualenv Source0: https://files.pythonhosted.org/packages/94/d7/adb787076e65dc99ef057e0118e25becf80dd05233ef4c86f07aa35f6492/virtualenv-20.25.0.tar.gz Patch0: 0001-replace-to-flit.patch +Patch1: CVE-2024-53899.patch BuildArch: noarch %description @@ -37,7 +38,7 @@ Provides: %{name}-doc = %{version}-%{release} virtualenv is a tool to create isolated Python environment. %prep -%autosetup -n virtualenv-%{version} +%autosetup -p1 -n virtualenv-%{version} %generate_buildrequires @@ -60,6 +61,9 @@ tox -e py %{_bindir}/virtualenv %changelog +* Wed Dec 11 2024 Sudipta Pandit - 20.25.0-3 +- Backport fix for CVE-2024-53899 + * Wed Apr 24 2024 Andrew Phelps - 20.25.0-2 - Add runtime requirement on python3-filelock From 8217fe355ad435258076912908de5229641c7cc1 Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Mon, 23 Dec 2024 15:08:40 +0100 Subject: [PATCH 50/55] Fixed `golang.org/x/crypto` and `golang.org/x/net` vulnerabilities. (#11678) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- toolkit/tools/go.mod | 8 ++++---- toolkit/tools/go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod index 5f53072b218..f5860e9fe65 100644 --- a/toolkit/tools/go.mod +++ b/toolkit/tools/go.mod @@ -22,7 +22,7 @@ require ( github.com/sirupsen/logrus v1.9.3 github.com/stretchr/testify v1.9.0 github.com/ulikunitz/xz v0.5.10 - golang.org/x/sys v0.21.0 + golang.org/x/sys v0.28.0 gonum.org/v1/gonum v0.15.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 @@ -48,8 +48,8 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect - golang.org/x/crypto v0.24.0 // indirect + golang.org/x/crypto v0.31.0 // indirect golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect - golang.org/x/net v0.26.0 // indirect - golang.org/x/text v0.16.0 // indirect + golang.org/x/net v0.33.0 // indirect + golang.org/x/text v0.21.0 // indirect ) diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index 88fbb4c6f23..da0e2a5c9cd 100644 --- a/toolkit/tools/go.sum +++ b/toolkit/tools/go.sum @@ -90,12 +90,12 @@ github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -103,12 +103,12 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gonum.org/v1/gonum v0.15.0 h1:2lYxjRbTYyxkJxlhC+LvJIx3SsANPdRybu1tGj9/OrQ= gonum.org/v1/gonum v0.15.0/go.mod h1:xzZVBJBtS+Mz4q0Yl2LJTk+OxOg4jiXZ7qBoM0uISGo= From 06042813881e886fc80fea28ebf7fcb1b260983c Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Mon, 23 Dec 2024 09:12:04 -0500 Subject: [PATCH 51/55] Resolve kernel changelog sequencing (#11664) --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 2 +- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 2 +- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 2 +- SPECS/kernel-64k/kernel-64k.spec | 2 +- SPECS/kernel-headers/kernel-headers.spec | 2 +- SPECS/kernel/kernel-uki.spec | 2 +- SPECS/kernel/kernel.spec | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index 4da14c6cea1..993e94dfb6f 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -105,7 +105,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index ae0e53b6a95..51bf71bb822 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -145,7 +145,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index bea6122dc88..bcf7c0c4cb1 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec @@ -68,7 +68,7 @@ popd /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 85265f408db..ff0277bfec8 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -370,7 +370,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 388e731a002..96cebd1e25c 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -75,7 +75,7 @@ done %endif %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 86776ad1fae..3c928626a97 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -70,7 +70,7 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Bump release to match kernel * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index dcb9af69ab6..6533a6d2545 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -424,7 +424,7 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog -* Mon Nov 25 2024 Ankita Pareek - 6.6.57.1-7 +* Sun Dec 22 2024 Ankita Pareek - 6.6.57.1-7 - Enable CONFIG_INTEL_TDX_GUEST and CONFIG_TDX_GUEST_DRIVER * Wed Dec 18 2024 Rachel Menge - 6.6.57.1-6 From ae7f8aba454713fba75a808805df5efc5665a439 Mon Sep 17 00:00:00 2001 From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Mon, 23 Dec 2024 17:05:13 -0800 Subject: [PATCH 52/55] [3.0] Add kernel-drivers-gpu package to NVIDIA GPU driver container build (#11297) Fix NVIDIA GPU driver container by onboarding kernel-drivers-gpu package into the build flow, who was recently added as a runtime requirement of the CUDA RPM Co-authored-by: Henry Li --- .pipelines/containerSourceData/cuda/core.pkg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pipelines/containerSourceData/cuda/core.pkg b/.pipelines/containerSourceData/cuda/core.pkg index 639a3992784..a51dbe11356 100644 --- a/.pipelines/containerSourceData/cuda/core.pkg +++ b/.pipelines/containerSourceData/cuda/core.pkg @@ -1,3 +1,4 @@ util-linux ca-certificates -kernel \ No newline at end of file +kernel +kernel-drivers-gpu \ No newline at end of file From 81fb40acaa37a0a98771b98eb764ac60261358a3 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 26 Dec 2024 19:18:52 -0800 Subject: [PATCH 53/55] [AUTO-CHERRYPICK] libxml2: address CVE-2024-40896 - branch 3.0-dev (#11720) Co-authored-by: Muhammad Falak R Wani --- SPECS/libxml2/CVE-2024-40896.patch | 37 +++++++++++++++++++ SPECS/libxml2/libxml2.spec | 6 ++- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 8 ++-- .../manifests/package/toolchain_x86_64.txt | 8 ++-- 6 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 SPECS/libxml2/CVE-2024-40896.patch diff --git a/SPECS/libxml2/CVE-2024-40896.patch b/SPECS/libxml2/CVE-2024-40896.patch new file mode 100644 index 00000000000..9fddd1ec7cd --- /dev/null +++ b/SPECS/libxml2/CVE-2024-40896.patch @@ -0,0 +1,37 @@ +From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 Jul 2024 01:03:46 +0200 +Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code + +Some users set an entity's children manually in the getEntity SAX +callback to restrict entity expansion. This stopped working after +renaming the "checked" member of xmlEntity, making at least one +downstream project and its dependants susceptible to XXE attacks. + +See #761. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index 4feb21a28..8fe0a064d 100644 +--- a/parser.c ++++ b/parser.c +@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + return; + } + ++ /* ++ * Some users try to parse entities on their own and used to set ++ * the renamed "checked" member. Fix the flags to cover this ++ * case. ++ */ ++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL)) ++ ent->flags |= XML_ENT_PARSED; ++ + /* + * The first reference to the entity trigger a parsing phase + * where the ent->children is filled with the result from +-- +GitLab + diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec index f8efb567465..5e0ca582c4d 100644 --- a/SPECS/libxml2/libxml2.spec +++ b/SPECS/libxml2/libxml2.spec @@ -1,13 +1,14 @@ Summary: Libxml2 Name: libxml2 Version: 2.11.5 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: System Environment/General Libraries URL: https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home Source0: https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz +Patch0: CVE-2024-40896.patch BuildRequires: python3-devel BuildRequires: python3-xml Provides: %{name}-tools = %{version}-%{release} @@ -78,6 +79,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/cmake/libxml2/libxml2-config.cmake %changelog +* Thu Dec 26 2024 Muhammad Falak - 2.11.5-2 +- Patch CVE-2024-40896 + * Tue Nov 21 2023 CBL-Mariner Servicing Account - 2.11.5-1 - Auto-upgrade to 2.11.5 - Azure Linux 3.0 - package upgrades diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 061b5cfed51..68985884f26 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.aarch64.rpm curl-devel-8.8.0-3.azl3.aarch64.rpm curl-libs-8.8.0-3.azl3.aarch64.rpm createrepo_c-1.0.3-1.azl3.aarch64.rpm -libxml2-2.11.5-1.azl3.aarch64.rpm -libxml2-devel-2.11.5-1.azl3.aarch64.rpm +libxml2-2.11.5-2.azl3.aarch64.rpm +libxml2-devel-2.11.5-2.azl3.aarch64.rpm docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-14.azl3.noarch.rpm libsepol-3.6-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index ab25a4670da..d7bf3caeb7a 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -199,8 +199,8 @@ curl-8.8.0-3.azl3.x86_64.rpm curl-devel-8.8.0-3.azl3.x86_64.rpm curl-libs-8.8.0-3.azl3.x86_64.rpm createrepo_c-1.0.3-1.azl3.x86_64.rpm -libxml2-2.11.5-1.azl3.x86_64.rpm -libxml2-devel-2.11.5-1.azl3.x86_64.rpm +libxml2-2.11.5-2.azl3.x86_64.rpm +libxml2-devel-2.11.5-2.azl3.x86_64.rpm docbook-dtd-xml-4.5-11.azl3.noarch.rpm docbook-style-xsl-1.79.1-14.azl3.noarch.rpm libsepol-3.6-1.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 23f449f1015..c8a14aeaf25 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -240,9 +240,9 @@ libtool-debuginfo-2.4.7-1.azl3.aarch64.rpm libxcrypt-4.4.36-2.azl3.aarch64.rpm libxcrypt-debuginfo-4.4.36-2.azl3.aarch64.rpm libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm -libxml2-2.11.5-1.azl3.aarch64.rpm -libxml2-debuginfo-2.11.5-1.azl3.aarch64.rpm -libxml2-devel-2.11.5-1.azl3.aarch64.rpm +libxml2-2.11.5-2.azl3.aarch64.rpm +libxml2-debuginfo-2.11.5-2.azl3.aarch64.rpm +libxml2-devel-2.11.5-2.azl3.aarch64.rpm libxslt-1.1.39-1.azl3.aarch64.rpm libxslt-debuginfo-1.1.39-1.azl3.aarch64.rpm libxslt-devel-1.1.39-1.azl3.aarch64.rpm @@ -541,7 +541,7 @@ python3-gpg-1.23.2-2.azl3.aarch64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm python3-libs-3.12.3-5.azl3.aarch64.rpm -python3-libxml2-2.11.5-1.azl3.aarch64.rpm +python3-libxml2-2.11.5-2.azl3.aarch64.rpm python3-lxml-4.9.3-1.azl3.aarch64.rpm python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c4c92d558ef..06043454bd9 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -245,9 +245,9 @@ libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm libtasn1-devel-4.19.0-1.azl3.x86_64.rpm libtool-2.4.7-1.azl3.x86_64.rpm libtool-debuginfo-2.4.7-1.azl3.x86_64.rpm -libxml2-2.11.5-1.azl3.x86_64.rpm -libxml2-debuginfo-2.11.5-1.azl3.x86_64.rpm -libxml2-devel-2.11.5-1.azl3.x86_64.rpm +libxml2-2.11.5-2.azl3.x86_64.rpm +libxml2-debuginfo-2.11.5-2.azl3.x86_64.rpm +libxml2-devel-2.11.5-2.azl3.x86_64.rpm libxcrypt-4.4.36-2.azl3.x86_64.rpm libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm @@ -549,7 +549,7 @@ python3-gpg-1.23.2-2.azl3.x86_64.rpm python3-jinja2-3.1.2-1.azl3.noarch.rpm python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm python3-libs-3.12.3-5.azl3.x86_64.rpm -python3-libxml2-2.11.5-1.azl3.x86_64.rpm +python3-libxml2-2.11.5-2.azl3.x86_64.rpm python3-lxml-4.9.3-1.azl3.x86_64.rpm python3-magic-5.45-1.azl3.noarch.rpm python3-markupsafe-2.1.3-1.azl3.x86_64.rpm From a113b8fbba9c7dadb21ab03ce10fae40c5e90dfe Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Mon, 6 Jan 2025 20:43:59 +0100 Subject: [PATCH 54/55] Fixing RPM macros check. (#11796) --- .github/workflows/check-manifests.yml | 4 +++- .github/workflows/check-package-cgmanifest.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check-manifests.yml b/.github/workflows/check-manifests.yml index a18ed1824bd..e2d4aafa507 100644 --- a/.github/workflows/check-manifests.yml +++ b/.github/workflows/check-manifests.yml @@ -21,7 +21,9 @@ jobs: # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond - name: Define missing rpm macros run: | - [[ -n $(rpm --eval '%bcond test 1') ]] && echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros + if [[ -n $(rpm --eval '%bcond test 1') ]]; then + echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros + fi - name: Check x86_64 manifests run: | diff --git a/.github/workflows/check-package-cgmanifest.yml b/.github/workflows/check-package-cgmanifest.yml index 59b72371c38..98e7cf1fdf5 100644 --- a/.github/workflows/check-package-cgmanifest.yml +++ b/.github/workflows/check-package-cgmanifest.yml @@ -22,7 +22,9 @@ jobs: # This PR runner uses an older Ubuntu with rpm version 4.17, which doesn't understand some newer macros like %bcond - name: Define missing rpm macros run: | - [[ -n $(rpm --eval '%bcond test 1') ]] && echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros + if [[ -n $(rpm --eval '%bcond test 1') ]]; then + echo '%bcond() %[ (%{2}) ? "%{expand:%%bcond_without %{1}}" : "%{expand:%%bcond_with %{1}}" ]' > ~/.rpmmacros + fi - name: Get base commit for PRs if: ${{ github.event_name == 'pull_request' }} From fae72dc05adb403264fd7f06c9286c0074b2d78c Mon Sep 17 00:00:00 2001 From: Pawel Winogrodzki Date: Wed, 8 Jan 2025 02:45:00 +0100 Subject: [PATCH 55/55] Made `PackageBuild.yml` accept arbitrary input sources. (#11795) --- .pipelines/prchecks/PackageBuildPRCheck.yml | 48 ++++++++++++++++--- .pipelines/templates/PackageBuild.yml | 40 ++++++---------- .../templatesWithCheckout/SodiffCheck.yml | 13 ++--- 3 files changed, 59 insertions(+), 42 deletions(-) diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml index 314773cada9..5d7b1fb4e13 100644 --- a/.pipelines/prchecks/PackageBuildPRCheck.yml +++ b/.pipelines/prchecks/PackageBuildPRCheck.yml @@ -80,9 +80,11 @@ extends: # GCC fails to build as a regular package. ignoredSpecs: ["gcc"] - - script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)" + - script: | + echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)" + echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz" name: "ToolchainArtifactName" - displayName: "Set variable for published artifact name" + displayName: "Set variables for published toolchain tarball" # 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because # then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions @@ -104,24 +106,38 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt) ob_outputDirectory: $(Build.ArtifactStagingDirectory) + outputRPMsTarballName: "rpms.tar.gz" toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ] + toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download toolchain" + inputs: + artifact: $(toolchainArtifactName) + patterns: "**/$(toolchainTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templates/PackageBuild.yml@self parameters: checkBuildRetries: "1" - customToolchainArtifactName: $(toolchainArtifactName) + customToolchainTarballName: $(toolchainTarballName) + inputArtifactsFolder: $(inputArtifactsLocation) isCheckBuild: true isQuickRebuildPackages: true isUseCCache: true maxCPU: "${{ configuration.maxCPUs }}" outputArtifactsFolder: $(ob_outputDirectory) + outputRPMsTarballName: $(outputRPMsTarballName) pipArtifactFeeds: "mariner/Mariner-Pypi-Feed" selfRepoName: self testSuiteName: "[${{ configuration.name }}] Package test" - - script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)" + - script: | + echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)" + echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)" name: "RPMsArtifactName" displayName: "Set variable for published artifact name" @@ -142,15 +158,25 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt) ob_outputDirectory: $(Build.ArtifactStagingDirectory) testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ] toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ] + toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download toolchain" + inputs: + artifact: $(toolchainArtifactName) + patterns: "**/$(toolchainTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templates/PackageBuild.yml@self parameters: checkBuildRetries: "1" - customToolchainArtifactName: $(toolchainArtifactName) + customToolchainTarballName: $(toolchainTarballName) + inputArtifactsFolder: $(inputArtifactsLocation) isAllowToolchainRebuilds: true isCheckBuild: true isQuickRebuildPackages: true @@ -179,8 +205,18 @@ extends: isCustom: true name: ${{ configuration.agentPool }} variables: + inputArtifactsLocation: $(Agent.TempDirectory) rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ] + rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ] steps: + - task: DownloadPipelineArtifact@2 + displayName: "Download RPMs tarball" + inputs: + artifact: $(rpmsArtifactName) + patterns: "**/$(rpmsTarballName)" + targetPath: $(inputArtifactsLocation) + - template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self parameters: - inputArtifactName: $(rpmsArtifactName) + inputArtifactsFolder: $(inputArtifactsLocation) + inputRPMsTarballName: $(rpmsTarballName) diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml index 4ce30b7e65f..abb9ac1d9ca 100644 --- a/.pipelines/templates/PackageBuild.yml +++ b/.pipelines/templates/PackageBuild.yml @@ -14,13 +14,9 @@ parameters: type: number default: 12 - - name: customToolchainArtifactName - type: string - default: "" - - name: customToolchainTarballName type: string - default: "toolchain_built_rpms_all.tar.gz" + default: "" - name: extraPackageRepos type: string @@ -30,12 +26,16 @@ parameters: type: boolean default: true - - name: inputCacheArtifacts + - name: inputArtifactsFolder + type: string + default: "$(Agent.TempDirectory)" + + - name: inputCacheRPMsTarballs type: object default: [] # Sample: - # - name: build-artifacts - # rpmsTarball: cache.tar.gz + # - cache.tar.gz + # - cache2.tar.gz - name: isAllowToolchainRebuilds type: string @@ -160,15 +160,9 @@ steps: artifactFeeds: "${{ parameters.pipArtifactFeeds }}" displayName: "Authenticate to custom pip artifact feeds" - - ${{ if parameters.customToolchainArtifactName }}: - - task: DownloadPipelineArtifact@2 - displayName: "Download toolchain" - inputs: - artifact: "${{ parameters.customToolchainArtifactName }}" - patterns: "**/${{ parameters.customToolchainTarballName }}" - + - ${{ if parameters.customToolchainTarballName }}: - script: | - toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)" + toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)" if [[ ! -f "$toolchain_archive" ]]; then echo "ERROR: toolchain archive not found!" >&2 exit 1 @@ -178,17 +172,11 @@ steps: sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive" displayName: "Populate toolchain" - - ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}: - - task: DownloadPipelineArtifact@2 - displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}" - inputs: - artifact: "${{ inputCacheArtifact.name }}" - patterns: "**/${{ inputCacheArtifact.rpmsTarball }}" - + - ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}: - script: | - rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)" + rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)" if [[ ! -f "$rpms_archive" ]]; then - echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2 + echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2 exit 1 fi @@ -200,7 +188,7 @@ steps: check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}" fi - if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then + if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)" fi diff --git a/.pipelines/templatesWithCheckout/SodiffCheck.yml b/.pipelines/templatesWithCheckout/SodiffCheck.yml index c4103caa78c..004fbaaa1e9 100644 --- a/.pipelines/templatesWithCheckout/SodiffCheck.yml +++ b/.pipelines/templatesWithCheckout/SodiffCheck.yml @@ -6,8 +6,9 @@ parameters: type: string default: "$(Build.SourcesDirectory)" - - name: inputArtifactName + - name: inputArtifactsFolder type: string + default: "$(Agent.TempDirectory)" - name: inputRPMsTarballName type: string @@ -26,19 +27,11 @@ parameters: default: "$(Agent.TempDirectory)/SourcesWorkspace" steps: - - task: DownloadPipelineArtifact@2 - displayName: "Download sources for signing" - inputs: - artifact: ${{ parameters.inputArtifactName }} - patterns: | - **/${{ parameters.inputRPMsTarballName }} - targetPath: "$(Agent.TempDirectory)" - - script: | set -e mkdir -p "${{ parameters.sourcesWorkspace }}" - find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf + find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf displayName: "Extract sources tarball" - script: |