From 9ede848763c8702987c8b9d75f8dfa250d6b301c Mon Sep 17 00:00:00 2001 From: corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> Date: Wed, 5 Jul 2023 08:29:01 -0700 Subject: [PATCH 1/9] Patch CVE-2023-31486 in perl (#5784) * Patch CVE-2023-31486 in perl --- SPECS/perl/CVE-2023-31486.patch | 154 ++++++++++++++++++ SPECS/perl/perl.spec | 10 +- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 6 files changed, 168 insertions(+), 8 deletions(-) create mode 100644 SPECS/perl/CVE-2023-31486.patch diff --git a/SPECS/perl/CVE-2023-31486.patch b/SPECS/perl/CVE-2023-31486.patch new file mode 100644 index 00000000000..8142d109080 --- /dev/null +++ b/SPECS/perl/CVE-2023-31486.patch @@ -0,0 +1,154 @@ +From 77f557ef84698efeb6eed04e4a9704eaf85b741d Mon Sep 17 00:00:00 2001 +From: Stig Palmquist +Date: Mon, 5 Jun 2023 16:46:22 +0200 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default + +- Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + Fixes CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` + $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +- Update `210_live_ssl.t` + - Use github.com, cpan.org and badssl.com hosts for checking + certificates. + - Add self signed snake-oil certificate for checking failures rather + than bypassing the `SSL_verify_callback` + - Test `verify_SSL` parameter in addition to low level SSL_options + - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` behaves as + expected against badssl.com + +- Added `180_verify_SSL.t` + - Test that `verify_SSL` default is `1` + - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` behaves as expected + - Test that using different values for `verify_SSL` and legacy `verify_ssl` + doesn't disable cert checks + +Modified 77f557ef84698efeb6eed04e4a9704eaf85b741d to apply to CBL-Mariner: + - Remove changes to `t/210_live_ssl.t` as it is not included in HTTP-Tiny v0.076 + - Remove changes to `t/180_verify_SSL.t` as it is not included HTTP-Tiny v0.076 + - Remove most changes to documentation +Modified by corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> + +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 72 ++++++++++++++---------- + 1 files changed, 277 insertions(+), 73 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index 2ece5ca..58be640 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -39,10 +39,14 @@ #pod This constructor returns a new HTTP::Tiny object. Valid attributes include: + #pod C<$ENV{no_proxy}> —) + #pod * C — Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, an exception is thrown. +-#pod * C — A boolean that indicates whether to validate the SSL +-#pod certificate of an C — connection (default is false) ++#pod * C — A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C — connection (default is true). Changed from false ++#pod to true in version 0.083. + #pod * C — A hashref of C — options to pass through to + #pod L ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C is not set. Added in version 0.083. + #pod + #pod Passing an explicit C for C, C or C will + #pod prevent getting the corresponding proxies from the environment. +@@ -111,11 +116,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++ # Support lower case verify_ssl argument, but only if verify_SSL is not ++ # true. ++ if ( exists $args{verify_ssl} ) { ++ $args{verify_SSL} ||= $args{verify_ssl}; ++ } ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -134,6 +145,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++ my ($self) = @_; ++ # Check if insecure default certificate verification behaviour has been ++ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1060,7 +1078,7 @@ sub new { + timeout => 60, + max_line_size => 16384, + max_header_lines => 64, +- verify_SSL => 0, ++ verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL_options => {}, + %args + }, $class; +From a22785783b17cbaa28afaee4a024d81a1903701d Mon Sep 17 00:00:00 2001 +From: Stig Palmquist +Date: Sun, 18 Jun 2023 11:36:05 +0200 +Subject: [PATCH] Fix incorrect env var name for verify_SSL default + +The variable to override the verify_SSL default differed slightly in the +documentation from what was checked for in the code. + +This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` +as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was +missing `SSL_` + +Modified a22785783b17cbaa28afaee4a024d81a1903701d to apply to CBL-Mariner: + - Removed changes to `t/180_verify_SSL.t` as it is not included in HTTP-Tiny v0.076 + - Removed changes to `t/210_live_ssl.t` as it is not included in HTTP-Tiny v0.076 +Modified by corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> + +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index bf455b6..7240b65 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -149,7 +149,7 @@ sub _verify_SSL_default { + my ($self) = @_; + # Check if insecure default certificate verification behaviour has been + # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 +- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; ++ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; + } + + sub _set_proxies { diff --git a/SPECS/perl/perl.spec b/SPECS/perl/perl.spec index af973b70577..b7fcd865180 100644 --- a/SPECS/perl/perl.spec +++ b/SPECS/perl/perl.spec @@ -9,13 +9,14 @@ Summary: Practical Extraction and Report Language Name: perl Version: 5.30.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL+ or Artistic URL: https://www.perl.org/ Group: Development/Languages Vendor: Microsoft Corporation Distribution: Mariner Source0: https://www.cpan.org/src/5.0/%{name}-%{version}.tar.gz +Patch0: CVE-2023-31486.patch Provides: perl >= 0:5.003000 Provides: perl(getopts.pl) Provides: perl(s) @@ -34,6 +35,7 @@ The Perl package contains the Practical Extraction and Report Language. %prep %setup -q +%patch0 -p1 sed -i 's/-fstack-protector/&-all/' Configure %build @@ -74,6 +76,10 @@ make test TEST_SKIP_VERSION_CHECK=1 %{_mandir}/*/* %changelog +* Fri Jun 30 2023 corvus-callidus <108946721+corvus-callidus@users.noreply.github.com> - 5.30.3-3 +- Add patch for CVE-2023-31486 +- Fix bogus date in changelog + * Mon Apr 24 2023 Sam Meluch 5.30.3-2 - Add -Dman3ext to Configure script in order to avoid manual page name conflicts on installs @@ -83,7 +89,7 @@ make test TEST_SKIP_VERSION_CHECK=1 - Added %%license line automatically * Fri May 8 2020 Nicolas Guibourge 5.28.1-3 - Undo caretx.c patch -* Thu Apr 29 2020 Nicolas Guibourge 5.28.1-2 +* Thu Apr 30 2020 Nicolas Guibourge 5.28.1-2 - Patch caretx.c so perl works from chroot inside Doccker container * Tue Apr 21 2020 Emre Girgin 5.28.1-1 - Upgrade to 5.28.1. diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 16fe5d7a23b..9f5a18a39e7 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -101,7 +101,7 @@ libpipeline-devel-1.5.0-4.cm1.aarch64.rpm gdbm-1.18-3.cm1.aarch64.rpm gdbm-devel-1.18-3.cm1.aarch64.rpm gdbm-lang-1.18-3.cm1.aarch64.rpm -perl-5.30.3-2.cm1.aarch64.rpm +perl-5.30.3-3.cm1.aarch64.rpm texinfo-6.5-7.cm1.aarch64.rpm autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index a91f8d16be9..29978b465ff 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -101,7 +101,7 @@ libpipeline-devel-1.5.0-4.cm1.x86_64.rpm gdbm-1.18-3.cm1.x86_64.rpm gdbm-devel-1.18-3.cm1.x86_64.rpm gdbm-lang-1.18-3.cm1.x86_64.rpm -perl-5.30.3-2.cm1.x86_64.rpm +perl-5.30.3-3.cm1.x86_64.rpm texinfo-6.5-7.cm1.x86_64.rpm autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 3a16053fb08..c51e8b3d28b 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -321,13 +321,13 @@ pcre-8.44-2.cm1.aarch64.rpm pcre-debuginfo-8.44-2.cm1.aarch64.rpm pcre-devel-8.44-2.cm1.aarch64.rpm pcre-libs-8.44-2.cm1.aarch64.rpm -perl-5.30.3-2.cm1.aarch64.rpm +perl-5.30.3-3.cm1.aarch64.rpm perl-DBD-SQLite-1.62-3.cm1.aarch64.rpm perl-DBD-SQLite-debuginfo-1.62-3.cm1.aarch64.rpm perl-DBI-1.641-3.cm1.aarch64.rpm perl-DBI-debuginfo-1.641-3.cm1.aarch64.rpm perl-DBIx-Simple-1.37-2.cm1.noarch.rpm -perl-debuginfo-5.30.3-2.cm1.aarch64.rpm +perl-debuginfo-5.30.3-3.cm1.aarch64.rpm perl-libintl-perl-1.29-4.cm1.aarch64.rpm perl-libintl-perl-debuginfo-1.29-4.cm1.aarch64.rpm perl-Object-Accessor-0.48-6.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c9bb54358aa..878b1e50d27 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -321,13 +321,13 @@ pcre-8.44-2.cm1.x86_64.rpm pcre-debuginfo-8.44-2.cm1.x86_64.rpm pcre-devel-8.44-2.cm1.x86_64.rpm pcre-libs-8.44-2.cm1.x86_64.rpm -perl-5.30.3-2.cm1.x86_64.rpm +perl-5.30.3-3.cm1.x86_64.rpm perl-DBD-SQLite-1.62-3.cm1.x86_64.rpm perl-DBD-SQLite-debuginfo-1.62-3.cm1.x86_64.rpm perl-DBI-1.641-3.cm1.x86_64.rpm perl-DBI-debuginfo-1.641-3.cm1.x86_64.rpm perl-DBIx-Simple-1.37-2.cm1.noarch.rpm -perl-debuginfo-5.30.3-2.cm1.x86_64.rpm +perl-debuginfo-5.30.3-3.cm1.x86_64.rpm perl-libintl-perl-1.29-4.cm1.x86_64.rpm perl-libintl-perl-debuginfo-1.29-4.cm1.x86_64.rpm perl-Object-Accessor-0.48-6.cm1.noarch.rpm From 121dc0982158052c71cc4b6ca76de326243176af Mon Sep 17 00:00:00 2001 From: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com> Date: Wed, 5 Jul 2023 09:43:23 -0700 Subject: [PATCH 2/9] Adding nopatch for CVE-2022-28331 for apr package (#5787) * applying nopatch for CVE-2022-28331 * removing reference to nopatch in spec so that it does not try to apply it * applying linter suggestions * applying linter changes again --- SPECS/apr/CVE-2022-28331.nopatch | 1 + SPECS/apr/apr.spec | 31 ++++++++++++++++++++++++------- 2 files changed, 25 insertions(+), 7 deletions(-) create mode 100644 SPECS/apr/CVE-2022-28331.nopatch diff --git a/SPECS/apr/CVE-2022-28331.nopatch b/SPECS/apr/CVE-2022-28331.nopatch new file mode 100644 index 00000000000..cd84d4ca66f --- /dev/null +++ b/SPECS/apr/CVE-2022-28331.nopatch @@ -0,0 +1 @@ +CVE reference https://nvd.nist.gov/vuln/detail/CVE-2022-28331. Only affects windows version, therefore not CBL-Mariner. \ No newline at end of file diff --git a/SPECS/apr/apr.spec b/SPECS/apr/apr.spec index ff4fe21b449..6665d4ebb08 100644 --- a/SPECS/apr/apr.spec +++ b/SPECS/apr/apr.spec @@ -1,15 +1,14 @@ Summary: The Apache Portable Runtime Name: apr Version: 1.6.5 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 -URL: https://apr.apache.org/ -Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Libraries +URL: https://apr.apache.org/ Source0: http://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.gz %define aprver 1 - %if %{with_check} # test_serv_by_name test requires /etc/services file from iana-etc package BuildRequires: iana-etc @@ -17,16 +16,19 @@ BuildRequires: iana-etc %description The Apache Portable Runtime. + %package devel Summary: Header and development files Requires: %{name} = %{version}-%{release} + %description devel It contains the libraries and header files to create applications %prep -%setup -q +%autosetup -p1 + %build -./configure --prefix=/usr \ +./configure --prefix=%{_prefix} \ --includedir=%{_includedir}/apr-%{aprver} \ --with-installbuilddir=%{_libdir}/apr/build-%{aprver} \ --with-devrandom=/dev/urandom \ @@ -52,7 +54,7 @@ make -j1 check %exclude %{_libdir}/pkgconfig %{_bindir}/* -%files devel +%files devel %defattr(-,root,root) %{_includedir}/* %{_libdir}/*.la @@ -61,29 +63,44 @@ make -j1 check %{_libdir}/pkgconfig %changelog +* Mon Jul 03 2023 Mykhailo Bykhovtsev - 1.6.5-6 +- Nopatch CVE-2022-28331 as it affects only Windows. +- Switch to use autosetup. + * Thu Oct 28 2021 Pawel Winogrodzki - 1.6.5-5 - Fixing tests further by making them run on a single thread. - Removed `%%sha1` macro. - License verified. + * Mon Dec 07 2020 Andrew Phelps - 1.6.5-4 - Fix check tests. + * Sat May 09 2020 Nick Samson - 1.6.5-3 - Added %%license line automatically + * Tue Sep 03 2019 Mateusz Malisz - 1.6.5-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Tue Sep 18 2018 Ankit Jain - 1.6.5-1 - Updated to version 1.6.5 + * Fri Dec 08 2017 Xiaolin Li - 1.5.2-7 - Fix CVE-2017-12613 + * Tue May 24 2016 Priyesh Padmavilasom - 1.5.2-6 - GA - Bump release of all rpms + * Mon Sep 21 2015 Harish Udaiya Kumar - 1.5.2-5 - Repacked to move the include files in devel package. + * Wed Jul 15 2015 Sarah Choi - 1.5.2-4 - Use aprver(=1) instead of version for mesos + * Mon Jul 13 2015 Alexey Makhalov - 1.5.2-3 - Exclude /usr/lib/debug + * Wed Jul 01 2015 Touseef Liaqat - 1.5.2-2 - Fix tags and paths. + * Wed May 20 2015 Touseef Liaqat - 1.5.2-1 - Initial build. First version From a31a526f4ac834f3453aaff630a4ea1e7621f035 Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Thu, 6 Jul 2023 15:15:14 +0530 Subject: [PATCH 3/9] uclibc-ng: upgrade v1.0.41 -> v1.0.43 to address CVE-2022-29503 (#5792) Signed-off-by: Muhammad Falak R Wani --- SPECS/uclibc-ng/uclibc-ng.signatures.json | 4 ++-- SPECS/uclibc-ng/uclibc-ng.spec | 5 ++++- cgmanifest.json | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/uclibc-ng/uclibc-ng.signatures.json b/SPECS/uclibc-ng/uclibc-ng.signatures.json index 0a147afc75e..e5b9e5b81f7 100644 --- a/SPECS/uclibc-ng/uclibc-ng.signatures.json +++ b/SPECS/uclibc-ng/uclibc-ng.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "uClibc-ng-1.0.41.tar.xz": "b32a92a0218d95922d6976464e6ef51e2ebacfbcdb605820458d9dbb8a61e025", + "uClibc-ng-1.0.43.tar.xz": "8c1f550f14728a9c06ff1fb3e85069f7f10f4d684b03e163f4d9d41727124047", "uClibc.config": "5cd0bebdcc29597e6abdcfcbb0d7309633dd843b273b0baca718e6d5f2fb0f1f" } -} +} \ No newline at end of file diff --git a/SPECS/uclibc-ng/uclibc-ng.spec b/SPECS/uclibc-ng/uclibc-ng.spec index 2dea54015b3..83fe3a20e85 100644 --- a/SPECS/uclibc-ng/uclibc-ng.spec +++ b/SPECS/uclibc-ng/uclibc-ng.spec @@ -3,7 +3,7 @@ %global debug_package %{nil} Summary: C library for embedded Linux Name: uclibc-ng -Version: 1.0.41 +Version: 1.0.43 Release: 1%{?dist} License: LGPLv2 Vendor: Microsoft Corporation @@ -82,6 +82,9 @@ rm -rf %{buildroot}/include/ %{_libdir}/uClibc %changelog +* Wed Jul 05 2023 Muhammad Falak - 1.0.43-1 +- Bump version to 1.0.43 to fix CVE-2022-29503. + * Fri Jun 17 2022 Jon Slobodzian - 1.0.41-1 - Upgrade uclibc-ng to 1.0.41 to fix CVE-2022-30295. diff --git a/cgmanifest.json b/cgmanifest.json index dd5598e4788..bdcc7a6fa32 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -8496,8 +8496,8 @@ "type": "other", "other": { "name": "uclibc-ng", - "version": "1.0.41", - "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.41/uClibc-ng-1.0.41.tar.xz" + "version": "1.0.43", + "downloadUrl": "https://downloads.uclibc-ng.org/releases/1.0.43/uClibc-ng-1.0.43.tar.xz" } } }, From a4e24b24d5d64fc70d1d00cddd64f34c455a14b3 Mon Sep 17 00:00:00 2001 From: Minghe Ren Date: Thu, 6 Jul 2023 17:05:56 -0700 Subject: [PATCH 4/9] add patches for cloud-init CVE-2022-2084, CVE-2023-1786 (#5778) * add patch for CVEs * modify change log --- SPECS/cloud-init/CVE-2022-2084.patch | 149 +++++++++++++++++++++++++++ SPECS/cloud-init/CVE-2023-1786.patch | 78 +++++++------- SPECS/cloud-init/cloud-init.spec | 6 +- 3 files changed, 196 insertions(+), 37 deletions(-) create mode 100644 SPECS/cloud-init/CVE-2022-2084.patch diff --git a/SPECS/cloud-init/CVE-2022-2084.patch b/SPECS/cloud-init/CVE-2022-2084.patch new file mode 100644 index 00000000000..1dd84d3197d --- /dev/null +++ b/SPECS/cloud-init/CVE-2022-2084.patch @@ -0,0 +1,149 @@ +diff -ruN a/cloudinit/config/schema.py b/cloudinit/config/schema.py +--- a/cloudinit/config/schema.py 2021-11-02 12:35:08.000000000 -0700 ++++ b/cloudinit/config/schema.py 2023-06-28 13:10:31.476935314 -0700 +@@ -14,6 +14,8 @@ + import sys + import yaml + ++ ++LOG = logging.getLogger(__name__) + _YAML_MAP = {True: 'true', False: 'false', None: 'null'} + SCHEMA_UNDEFINED = b'UNDEFINED' + CLOUD_CONFIG_HEADER = b'#cloud-config' +@@ -72,7 +74,7 @@ + isinstance(instance, (bytes,))) + + +-def validate_cloudconfig_schema(config, schema, strict=False): ++def validate_cloudconfig_schema(config, schema, strict=False, log_details: bool = True,): + """Validate provided config meets the schema definition. + + @param config: Dict of cloud configuration settings validated against +@@ -81,6 +83,9 @@ + for the cloud config module (config.cc_*). + @param strict: Boolean, when True raise SchemaValidationErrors instead of + logging warnings. ++ @param log_details: Boolean, when True logs details of validation errors. ++ If there are concerns about logging sensitive userdata, this should ++ be set to False. + + @raises: SchemaValidationError when provided config does not validate + against the provided schema. +@@ -118,11 +123,17 @@ + errors += ((path, error.message),) + if errors: + if strict: ++ # This could output/log sensitive data + raise SchemaValidationError(errors) ++ if log_details: ++ messages = ["{0}: {1}".format(k, msg) for k, msg in errors] ++ details = "\n" + "\n".join(messages) + else: +- messages = ['{0}: {1}'.format(k, msg) for k, msg in errors] +- logging.warning('Invalid config:\n%s', '\n'.join(messages)) +- ++ details = ( ++ "Please run 'sudo cloud-init schema --system' to " ++ "see the schema errors." ++ ) ++ LOG.warning("Invalid cloud-config provided: %s", details) + + def annotated_cloudconfig_file(cloudconfig, original_content, schema_errors): + """Return contents of the cloud-config file annotated with schema errors. +Binary files a/cloudinit/__pycache__/__init__.cpython-36.pyc and b/cloudinit/__pycache__/__init__.cpython-36.pyc differ +Binary files a/cloudinit/__pycache__/version.cpython-36.pyc and b/cloudinit/__pycache__/version.cpython-36.pyc differ +diff -ruN a/tests/integration_tests/modules/test_cli.py b/tests/integration_tests/modules/test_cli.py +--- a/tests/integration_tests/modules/test_cli.py 2021-11-02 12:35:08.000000000 -0700 ++++ b/tests/integration_tests/modules/test_cli.py 2023-06-28 21:13:45.841309945 -0700 +@@ -20,6 +20,20 @@ + """ + + ++# The '-' in 'hashed-password' fails schema validation ++INVALID_USER_DATA_SCHEMA = """\ ++#cloud-config ++users: ++ - default ++ - name: newsuper ++ gecos: Big Stuff ++ groups: users, admin ++ sudo: ALL=(ALL) NOPASSWD:ALL ++ hashed-password: asdfasdf ++ shell: /bin/bash ++ lock_passwd: true ++""" ++ + @pytest.mark.sru_2020_11 + @pytest.mark.user_data(VALID_USER_DATA) + def test_valid_userdata(client: IntegrationInstance): +@@ -43,3 +57,25 @@ + assert not result.ok + assert 'Cloud config schema errors' in result.stderr + assert 'needs to begin with "#cloud-config"' in result.stderr ++ ++ ++@pytest.mark.user_data(INVALID_USER_DATA_SCHEMA) ++def test_invalid_userdata_schema(client: IntegrationInstance): ++ """Test invalid schema represented as Warnings, not fatal ++ PR #1175 ++ """ ++ result = client.execute("cloud-init status --long") ++ assert result.ok ++ log = client.read_from_file("/var/log/cloud-init.log") ++ warning = ( ++ "[WARNING]: Invalid cloud-config provided: Please run " ++ "'sudo cloud-init schema --system' to see the schema errors." ++ ) ++ assert warning in log ++ assert "asdfasdf" not in log ++ ++ result = client.execute("cloud-init status --long") ++ if not result.ok: ++ raise AssertionError( ++ f"Unexpected error from cloud-init status: {result}" ++ ) +\ No newline at end of file +diff -ruN a/tests/unittests/test_handler/test_schema.py b/tests/unittests/test_handler/test_schema.py +--- a/tests/unittests/test_handler/test_schema.py 2021-11-02 12:35:08.000000000 -0700 ++++ b/tests/unittests/test_handler/test_schema.py 2023-06-28 21:17:02.071767654 -0700 +@@ -11,6 +11,7 @@ + from copy import copy + import itertools + import pytest ++import logging + from pathlib import Path + from textwrap import dedent + from yaml import safe_load +@@ -83,10 +84,31 @@ + schema = {'properties': {'p1': {'type': 'string'}}} + validate_cloudconfig_schema({'p1': -1}, schema, strict=False) + self.assertIn( +- "Invalid config:\np1: -1 is not of type 'string'\n", ++ "Invalid config: \np1: -1 is not of type 'string'\n", + self.logs.getvalue()) + + @skipUnlessJsonSchema() ++ def test_validateconfig_schema_sensitive(self, caplog): ++ """When log_details=False, ensure details are omitted""" ++ schema = { ++ "properties": {"hashed_password": {"type": "string"}}, ++ "additionalProperties": False, ++ } ++ validate_cloudconfig_schema( ++ {"hashed-password": "secret"}, ++ schema, ++ strict=False, ++ log_details=False, ++ ) ++ [(module, log_level, log_msg)] = caplog.record_tuples ++ assert "cloudinit.config.schema" == module ++ assert logging.WARNING == log_level ++ assert ( ++ "Invalid cloud-config provided: Please run 'sudo cloud-init " ++ "schema --system' to see the schema errors." == log_msg ++ ) ++ ++ @skipUnlessJsonSchema() + def test_validateconfig_schema_emits_warning_on_missing_jsonschema(self): + """Warning from validate_cloudconfig_schema when missing jsonschema.""" + schema = {'properties': {'p1': {'type': 'string'}}} diff --git a/SPECS/cloud-init/CVE-2023-1786.patch b/SPECS/cloud-init/CVE-2023-1786.patch index d9e14634864..cbf3585b507 100644 --- a/SPECS/cloud-init/CVE-2023-1786.patch +++ b/SPECS/cloud-init/CVE-2023-1786.patch @@ -65,7 +65,16 @@ diff -ruN a/cloudinit/sources/DataSourceVultr.py b/cloudinit/sources/DataSourceV diff -ruN a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py --- a/cloudinit/sources/__init__.py 2021-11-02 12:35:08.000000000 -0700 -+++ b/cloudinit/sources/__init__.py 2023-06-15 14:29:08.864172606 -0700 ++++ b/cloudinit/sources/__init__.py 2023-06-29 16:07:33.755159240 -0700 +@@ -13,7 +13,7 @@ + import json + import os + from collections import namedtuple +-from typing import Dict, List # noqa: F401 ++from typing import Dict, List, Tuple # noqa: F401 + + from cloudinit import dmi + from cloudinit import importer @@ -103,7 +103,10 @@ sub_key_path = key_path + '/' + key else: @@ -128,9 +137,23 @@ diff -ruN a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py _ci_pkl_version = 1 +diff -ruN a/cloudinit/stages.py b/cloudinit/stages.py +--- a/cloudinit/stages.py 2021-11-02 12:35:08.000000000 -0700 ++++ b/cloudinit/stages.py 2023-06-29 16:32:03.259644654 -0700 +@@ -204,7 +204,9 @@ + util.ensure_dirs(self._initial_subdirs()) + log_file = util.get_cfg_option_str(self.cfg, 'def_log_file') + if log_file: +- util.ensure_file(log_file, mode=0o640, preserve_mode=True) ++ # At this point the log file should have already been created ++ # in the setupLogging function of log.py ++ util.ensure_file(log_file, mode=0o640, preserve_mode=False) + perms = self.cfg.get('syslog_fix_perms') + if not perms: + perms = {} diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_init.py --- a/cloudinit/sources/tests/test_init.py 2021-11-02 12:35:08.000000000 -0700 -+++ b/cloudinit/sources/tests/test_init.py 2023-06-15 14:44:39.886499541 -0700 ++++ b/cloudinit/sources/tests/test_init.py 2023-06-29 17:07:56.129540654 -0700 @@ -353,10 +353,31 @@ 'availability_zone': 'myaz', 'local-hostname': 'test-subclass-hostname', @@ -166,58 +189,55 @@ diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_ datasource.sensitive_metadata_keys) sys_info = { "python": "3.7", -@@ -372,8 +393,12 @@ - expected = { +@@ -373,7 +394,10 @@ 'base64_encoded_keys': [], 'merged_cfg': REDACT_SENSITIVE_VALUE, -- 'sensitive_keys': [ + 'sensitive_keys': [ - 'ds/meta_data/some/security-credentials', 'merged_cfg'], -+ "sensitive_keys": [ -+ "ds/meta_data/VENDOR-DAta", -+ "ds/meta_data/some/security-credentials", -+ "ds/meta_data/someother/nested/userData", -+ "merged_cfg", -+ ], ++ 'ds/meta_data/VENDOR-DAta', ++ 'ds/meta_data/some/security-credentials', ++ 'ds/meta_data/someother/nested/userData', ++ 'merged_cfg'], 'sys_info': sys_info, 'v1': { '_beta_keys': ['subplatform'], -@@ -381,6 +406,7 @@ +@@ -381,6 +405,7 @@ 'availability_zone': 'myaz', 'cloud-name': 'subclasscloudname', 'cloud_name': 'subclasscloudname', -+ "cloud_id": "subclasscloudname", ++ 'cloud_id': 'subclasscloudname', 'distro': 'ubuntu', 'distro_release': 'focal', 'distro_version': '20.04', -@@ -401,12 +427,18 @@ +@@ -401,12 +426,18 @@ 'ds': { '_doc': EXPERIMENTAL_TEXT, 'meta_data': { -+ "VENDOR-DAta": REDACT_SENSITIVE_VALUE, ++ 'VENDOR-DAta': REDACT_SENSITIVE_VALUE, 'availability_zone': 'myaz', 'local-hostname': 'test-subclass-hostname', 'region': 'myregion', - 'some': {'security-credentials': REDACT_SENSITIVE_VALUE}}} -+ "some": {"security-credentials": REDACT_SENSITIVE_VALUE}, ++ 'some': {'security-credentials': REDACT_SENSITIVE_VALUE}, + "someother": { + "nested": {"userData": REDACT_SENSITIVE_VALUE} + }, -+ }, -+ }, ++ } ++ } } - self.assertCountEqual(expected, redacted) + self.assertEqual(expected, redacted) file_stat = os.stat(json_file) self.assertEqual(0o644, stat.S_IMODE(file_stat.st_mode)) -@@ -432,7 +464,16 @@ +@@ -432,7 +463,16 @@ "variant": "ubuntu", "dist": ["ubuntu", "20.04", "focal"]} self.assertCountEqual( - ('merged_cfg', 'security-credentials',), + ( -+ "merged_cfg", -+ "security-credentials", ++ 'merged_cfg', ++ 'security-credentials', + "userdata", + "user-data", + "user_data", @@ -228,23 +248,9 @@ diff -ruN a/cloudinit/sources/tests/test_init.py b/cloudinit/sources/tests/test_ datasource.sensitive_metadata_keys) with mock.patch("cloudinit.util.system_info", return_value=sys_info): datasource.get_data() -diff -ruN a/cloudinit/stages.py b/cloudinit/stages.py ---- a/cloudinit/stages.py 2021-11-02 12:35:08.000000000 -0700 -+++ b/cloudinit/stages.py 2023-06-15 14:33:32.175651581 -0700 -@@ -204,7 +204,9 @@ - util.ensure_dirs(self._initial_subdirs()) - log_file = util.get_cfg_option_str(self.cfg, 'def_log_file') - if log_file: -- util.ensure_file(log_file, mode=0o640, preserve_mode=True) -+ # At this point the log file should have already been created -+ # in the setupLogging function of log.py -+ util.ensure_file(log_file, mode=0o640, preserve_mode=False) - perms = self.cfg.get('syslog_fix_perms') - if not perms: - perms = {} diff -ruN a/cloudinit/tests/test_stages.py b/cloudinit/tests/test_stages.py --- a/cloudinit/tests/test_stages.py 2021-11-02 12:35:08.000000000 -0700 -+++ b/cloudinit/tests/test_stages.py 2023-06-15 14:49:05.304858409 -0700 ++++ b/cloudinit/tests/test_stages.py 2023-06-29 17:09:37.046934002 -0700 @@ -458,21 +458,24 @@ # Assert we create it 0o640 by default if it doesn't already exist assert 0o640 == stat.S_IMODE(log_file.stat().mode) diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index 5a2ff26c1d7..e3d8a7a2e89 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -3,7 +3,7 @@ Summary: Cloud instance init scripts Name: cloud-init Version: 21.4 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Mariner @@ -21,6 +21,7 @@ Patch4: mariner-21.4.patch # backport patch https://github.com/canonical/cloud-init/commit/0988fb89be06aeb08083ce609f755509d08fa459.patch to 21.4 Patch5: azureds-set-ovf_is_accesible.patch Patch6: CVE-2023-1786.patch +Patch7: CVE-2022-2084.patch BuildRequires: automake BuildRequires: dbus @@ -163,6 +164,9 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog +* Mon Jul 03 2023 Minghe Ren - 21.4-4 +- Add patch for CVE-2022-2084 and modify CVE-2023-1786.patch + * Thu Jun 15 2023 Minghe Ren - 21.4-3 - Add patch for CVE-2023-1786 From ca930570ae30d45ab2bc6a76b8fa3cea284d804f Mon Sep 17 00:00:00 2001 From: suresh-thelkar Date: Fri, 7 Jul 2023 15:19:01 +0530 Subject: [PATCH 5/9] Patch CVE-2023-2650 and CVE-2023-0465 in cloud-hypervisor (#5793) * Patch CVE-2023-2650 and CVE-2023-0465 in cloud-hypervisor --- SPECS/cloud-hypervisor/CVE-2023-0465.patch | 1 + SPECS/cloud-hypervisor/CVE-2023-2650.patch | 40 +++++++++++++++++++ .../cloud-hypervisor.signatures.json | 7 ++-- SPECS/cloud-hypervisor/cloud-hypervisor.spec | 23 ++++++----- 4 files changed, 58 insertions(+), 13 deletions(-) create mode 100644 SPECS/cloud-hypervisor/CVE-2023-0465.patch create mode 100644 SPECS/cloud-hypervisor/CVE-2023-2650.patch diff --git a/SPECS/cloud-hypervisor/CVE-2023-0465.patch b/SPECS/cloud-hypervisor/CVE-2023-0465.patch new file mode 100644 index 00000000000..a587353df7b --- /dev/null +++ b/SPECS/cloud-hypervisor/CVE-2023-0465.patch @@ -0,0 +1 @@ +The CVE-2023-2650.patch also fixes CVE-2023-0465 \ No newline at end of file diff --git a/SPECS/cloud-hypervisor/CVE-2023-2650.patch b/SPECS/cloud-hypervisor/CVE-2023-2650.patch new file mode 100644 index 00000000000..6443ed0124d --- /dev/null +++ b/SPECS/cloud-hypervisor/CVE-2023-2650.patch @@ -0,0 +1,40 @@ +From 724eeff414725dd8b6be8429f3acd316b92f7a56 Mon Sep 17 00:00:00 2001 +From: Suresh Thelkar +Date: Fri, 30 Jun 2023 09:49:24 +0530 +Subject: [PATCH] Patch for CVE-2023-2650 and CVE-2023-0465 + +--- + Cargo.lock | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Cargo.lock b/Cargo.lock +index f99b516..99af0b2 100644 +--- a/Cargo.lock ++++ b/Cargo.lock +@@ -119,9 +119,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" + + [[package]] + name = "cc" +-version = "1.0.73" ++version = "1.0.79" + source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" ++checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" + + [[package]] + name = "cfg-if" +@@ -574,9 +574,9 @@ dependencies = [ + + [[package]] + name = "openssl-src" +-version = "111.17.0+1.1.1m" ++version = "111.26.0+1.1.1u" + source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "05d6a336abd10814198f66e2a91ccd7336611f30334119ca8ce300536666fcf4" ++checksum = "efc62c9f12b22b8f5208c23a7200a442b2e5999f8bdf80233852122b5a4f6f37" + dependencies = [ + "cc", + ] +-- +2.38.1 + diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json index 0898ec61d08..7a3b467929b 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json @@ -1,6 +1,7 @@ { "Signatures": { - "cloud-hypervisor-22.0-cargo.tar.gz": "550e2e2ad6c64ae7fa4786582c2357993cfad1f205566f6c80bcef7888cbd702", - "cloud-hypervisor-22.0.tar.gz": "5c5440435f78d4acdbb3ea91abe17d6704da6c18b6f52fe77f15835cfc60d17a" + "cloud-hypervisor-22.0-cargo-3.cm1.tar.gz": "c54238aa053bfcba7b507982a1e8583bd6885dddf261e1a908977dcc84434214", + "cloud-hypervisor-22.0.tar.gz": "5c5440435f78d4acdbb3ea91abe17d6704da6c18b6f52fe77f15835cfc60d17a", + "cloud-hypervisor-22.0-vendor-3.cm1.tar.gz": "61721dce31d7a5c5c55347ecef6f0752d0d28a1b48f5e03b8e4cbb07b2eb2e6a" } -} \ No newline at end of file +} diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index 0b39ccc1b54..203dc341a95 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -1,18 +1,19 @@ Summary: A Rust-VMM based cloud hypervisor from Intel Name: cloud-hypervisor Version: 22.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 or BSD URL: https://github.com/cloud-hypervisor/cloud-hypervisor Group: Development/Tools Vendor: Microsoft Corporation Distribution: Mariner -Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME. -# To update the cache run: -# [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz -Source1: %{name}-%{version}-cargo.tar.gz +Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# Note: the %%{name}-%%{version}-cargo-%%{release}.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME. +Source1: %{name}-%{version}-cargo-%{release}.tar.gz +# Note: the %%{name}-%%{version}-vendor-%%{release}.tar.gz file contains vendor sources by capturing the contents downloaded into "vendor" folder when "cargo vendor" is run. +Source2: %{name}-%{version}-vendor-%{release}.tar.gz Patch0: CVE-2023-28448.patch +Patch1: CVE-2023-2650.patch ExclusiveArch: x86_64 BuildRequires: gcc @@ -26,15 +27,14 @@ A Rust-VMM based cloud hypervisor from Intel. %prep # Setup .cargo directory -mkdir -p $HOME -pushd $HOME tar xf %{SOURCE1} --no-same-owner %patch0 -p1 -popd %setup -q +%patch1 -p1 +tar xf %{SOURCE2} -C ../ --no-same-owner %build -cargo build --release +CARGO_HOME=$(pwd)/../.cargo cargo build --release --offline %install install -d %{buildroot}%{_bindir} @@ -51,6 +51,9 @@ install -d %{buildroot}%{_libdir}/cloud-hypervisor %exclude %{_libdir}/debug %changelog +* Tue Jul 04 2023 Suresh Thelkar - 22.0-3 +- Patch CVE-2023-0465 and CVE-2023-2650 + * Wed Apr 05 2023 Henry Beberman - 22.0-2 - Patch CVE-2023-28448 in vendored versionize crate From f97cb7f9ea872db35cc5c71cc019a710f8c234a1 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 7 Jul 2023 19:48:22 +0200 Subject: [PATCH 6/9] [AUTOPATCHER-kernel] Kernel upgrade to version 5.10.185.1 - branch 1.0-dev (#5761) * Kernel upgrade to 5.10.185.1 version * Apply config changes to AMD64 * Attempt fix for ARM64 --------- Co-authored-by: Cameron Baird --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel-hyperv/config | 4 +--- .../kernel-hyperv.signatures.json | 4 ++-- SPECS/kernel-hyperv/kernel-hyperv.spec | 5 ++++- SPECS/kernel/config | 4 +--- SPECS/kernel/config_aarch64 | 12 +----------- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 5 ++++- cgmanifest.json | 18 +++++++++--------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 2 +- toolkit/scripts/toolchain/container/Dockerfile | 2 +- .../toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_in_chroot.sh | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 21 files changed, 47 insertions(+), 46 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 5d9601dbbde..79c03175b35 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,7 +9,7 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.10.183.1 +Version: 5.10.185.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Wed Jun 28 2023 CBL-Mariner Servicing Account - 5.10.185.1-1 +- Auto-upgrade to 5.10.185.1 + * Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 - Auto-upgrade to 5.10.183.1 diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index a3a32030bb6..01f210df714 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" + "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 8e8e46ae5f9..562910f941e 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.183.1 +Version: 5.10.185.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Wed Jun 28 2023 CBL-Mariner Servicing Account - 5.10.185.1-1 +- Auto-upgrade to 5.10.185.1 + * Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 - Auto-upgrade to 5.10.183.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 4b3b272f700..b7b554f0882 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" + "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 4eaaa522cb0..a4adfdeacf5 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,6 +1,6 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.183.1 +Version: 5.10.185.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Wed Jun 28 2023 CBL-Mariner Servicing Account - 5.10.185.1-1 +- Auto-upgrade to 5.10.185.1 + * Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 - Auto-upgrade to 5.10.183.1 diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index c97901bc6fe..97daf7a5ff5 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.183.1 Kernel Configuration +# Linux/x86_64 5.10.185.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y @@ -1369,7 +1369,6 @@ CONFIG_HAVE_NET_DSA=y CONFIG_VLAN_8021Q=m CONFIG_VLAN_8021Q_GVRP=y CONFIG_VLAN_8021Q_MVRP=y -# CONFIG_DECNET is not set CONFIG_LLC=m # CONFIG_LLC2 is not set # CONFIG_ATALK is not set @@ -1671,7 +1670,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=4096 diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index e8f9830cf13..b2e1fa3c82e 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "3387855f3a5d67d9640385ca53da09a56d6f82c42ef1917d85185572e42bb6f5", + "config": "a6fcad6cf7f6fe88ca2fdfe1e108ddd3fb1c4c6ed3fb55190b76a5f1ff936e3a", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" + "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index b68ba2e613f..31042fad787 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -3,7 +3,7 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.183.1 +Version: 5.10.185.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -270,6 +270,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Wed Jun 28 2023 CBL-Mariner Servicing Account - 5.10.185.1-1 +- Auto-upgrade to 5.10.185.1 + * Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 - Auto-upgrade to 5.10.183.1 diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 2e335aeb401..d963a58b1ac 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.183.1 Kernel Configuration +# Linux/x86_64 5.10.185.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y @@ -1495,7 +1495,6 @@ CONFIG_HAVE_NET_DSA=y CONFIG_VLAN_8021Q=m CONFIG_VLAN_8021Q_GVRP=y CONFIG_VLAN_8021Q_MVRP=y -# CONFIG_DECNET is not set CONFIG_LLC=m # CONFIG_LLC2 is not set # CONFIG_ATALK is not set @@ -1921,7 +1920,6 @@ CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set # CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set CONFIG_BLK_DEV_RAM=y CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=4096 diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index e3f15c6f4a1..0b3b770e210 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.183.1 Kernel Configuration +# Linux/arm64 5.10.185.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y @@ -1536,13 +1536,6 @@ CONFIG_IP6_NF_TARGET_NPT=m # end of IPv6: Netfilter Configuration CONFIG_NF_DEFRAG_IPV6=m - -# -# DECnet: Netfilter Configuration -# -CONFIG_DECNET_NF_GRABULATOR=m -# end of DECnet: Netfilter Configuration - CONFIG_NF_TABLES_BRIDGE=m CONFIG_NFT_BRIDGE_META=m CONFIG_NFT_BRIDGE_REJECT=m @@ -1627,8 +1620,6 @@ CONFIG_NET_DSA_TAG_TRAILER=m CONFIG_VLAN_8021Q=m CONFIG_VLAN_8021Q_GVRP=y CONFIG_VLAN_8021Q_MVRP=y -CONFIG_DECNET=m -# CONFIG_DECNET_ROUTER is not set CONFIG_LLC=m CONFIG_LLC2=m CONFIG_ATALK=m @@ -2467,7 +2458,6 @@ CONFIG_BLK_DEV_DRBD=m # CONFIG_DRBD_FAULT_INJECTION is not set CONFIG_BLK_DEV_NBD=m CONFIG_BLK_DEV_SKD=m -CONFIG_BLK_DEV_SX8=m CONFIG_BLK_DEV_RAM=m CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=4096 diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 22bf81988a3..6a00bea0e55 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "907da610602c9e52b693da67777e4f22ecdaf44c7c79b24a67093e29e4f61ebc", - "config_aarch64": "1c3abe3a51d951ce5fee3b3fe9d376840854baa36df5dc6c8acf2835eac831d6", + "config": "56aefa0e0ca1743a6d6685235f4c8cfd51db8914d9167c6c1fef98e17d549f1a", + "config_aarch64": "746000e78bf7a5e98901495534253de9a678b32963d1bb94d5c9a75667694e1e", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.183.1.tar.gz": "1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125" + "kernel-5.10.185.1.tar.gz": "a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71" } } \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index d5ff5438af6..3eb69ba4de0 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -3,7 +3,7 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.10.183.1 +Version: 5.10.185.1 Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -634,6 +634,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Jun 28 2023 CBL-Mariner Servicing Account - 5.10.185.1-1 +- Auto-upgrade to 5.10.185.1 + * Tue Jun 13 2023 CBL-Mariner Servicing Account - 5.10.183.1-1 - Auto-upgrade to 5.10.183.1 diff --git a/cgmanifest.json b/cgmanifest.json index bdcc7a6fa32..d7efeea5018 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2156,8 +2156,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.183.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" + "version": "5.10.185.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.185.1.tar.gz" } } }, @@ -2476,8 +2476,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.10.183.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" + "version": "5.10.185.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.185.1.tar.gz" } } }, @@ -2486,8 +2486,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.183.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" + "version": "5.10.185.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.185.1.tar.gz" } } }, @@ -2496,8 +2496,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.183.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz" + "version": "5.10.185.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.185.1.tar.gz" } } }, @@ -8993,4 +8993,4 @@ } ], "Version": 1 -} +} \ No newline at end of file diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 9f5a18a39e7..3571f4f0320 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.10.183.1-1.cm1.noarch.rpm +kernel-headers-5.10.185.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.aarch64.rpm glibc-devel-2.28-24.cm1.aarch64.rpm glibc-i18n-2.28-24.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 29978b465ff..596094b81fd 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.10.183.1-1.cm1.noarch.rpm +kernel-headers-5.10.185.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.x86_64.rpm glibc-devel-2.28-24.cm1.x86_64.rpm glibc-i18n-2.28-24.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index c51e8b3d28b..b860a860a4f 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm json-c-devel-0.14-3.cm1.aarch64.rpm kbd-2.0.4-7.cm1.aarch64.rpm kbd-debuginfo-2.0.4-7.cm1.aarch64.rpm -kernel-headers-5.10.183.1-1.cm1.noarch.rpm +kernel-headers-5.10.185.1-1.cm1.noarch.rpm kmod-25-4.cm1.aarch64.rpm kmod-debuginfo-25-4.cm1.aarch64.rpm kmod-devel-25-4.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 878b1e50d27..bafcbc85012 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm json-c-devel-0.14-3.cm1.x86_64.rpm kbd-2.0.4-7.cm1.x86_64.rpm kbd-debuginfo-2.0.4-7.cm1.x86_64.rpm -kernel-headers-5.10.183.1-1.cm1.noarch.rpm +kernel-headers-5.10.185.1-1.cm1.noarch.rpm kmod-25-4.cm1.x86_64.rpm kmod-debuginfo-25-4.cm1.x86_64.rpm kmod-devel-25-4.cm1.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 01a24660687..b2564e1d74e 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -69,7 +69,7 @@ COPY [ "./toolchain-sha256sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.183.1.tar.gz -O kernel-5.10.183.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.185.1.tar.gz -O kernel-5.10.185.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index d37a1f56944..9e693301a2c 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums @@ -59,7 +59,7 @@ b725c9b2e9793df7bf5d4d300390db11aa27bd98df9f33021d539be9bd603846 jdk8u212-b04-j 13ae78908151ad88ee3b375c72ca3f55a82b5265a3faba97f224f2a9b9d486fc jdk8u212-b04-nashorn.tar.bz2 6d28bdd752c056de98f6faf897b338d6ce8938810d72a69c2f5c1d81d628d44a jdk8u212-b04.tar.bz2 f882210b76376e3fa006b11dbd890e56ec0942bc56e65d1249ff4af86f90b857 kbproto-1.0.7.tar.bz2 -1c48f2fc668c57ffb99560e63d05af5ed9c04aa3c63b3aef0a35099e28e97125 kernel-5.10.183.1.tar.gz +a86d1c424f6126ba3f55544703533a1b718bf955c817291887e4e67bbe965f71 kernel-5.10.185.1.tar.gz c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2 libarchive-3.6.1.tar.gz b630b7c484271b3ba867680d6a14b10a86cfa67247a14631b14c06731d5a458b libcap-2.26.tar.xz c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index bfd0b302ada..c42b360c8f2 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -57,7 +57,7 @@ set -e # cd /sources -KERNEL_VERSION="5.10.183.1" +KERNEL_VERSION="5.10.185.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 4a5846fd4e3..7b9f94f8438 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -114,7 +114,7 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="5.10.183.1" +KERNEL_VERSION="5.10.185.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} From ba426c8d7d417c2cba23cb4c924d3bd963c55b56 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 10 Jul 2023 20:16:40 +0200 Subject: [PATCH 7/9] Nopatch several kernel cves * CVE-2023-35788 CVE-2023-35829 CVE-2023-35823 CVE-2023-35824 CVE-2023-3220 CVE-2023-3212 CVE-2023-3090 CVE-2023-3358 CVE-2023-3439 CVE-2023-3357 CVE-2023-3359 CVE-2023-3355 --- SPECS/kernel/CVE-2023-3090.nopatch | 3 +++ SPECS/kernel/CVE-2023-3212.nopatch | 3 +++ SPECS/kernel/CVE-2023-3220.nopatch | 3 +++ SPECS/kernel/CVE-2023-3355.nopatch | 4 ++++ SPECS/kernel/CVE-2023-3357.nopatch | 4 ++++ SPECS/kernel/CVE-2023-3358.nopatch | 3 +++ SPECS/kernel/CVE-2023-3359.nopatch | 4 ++++ SPECS/kernel/CVE-2023-3439.nopatch | 4 ++++ SPECS/kernel/CVE-2023-35788.nopatch | 3 +++ SPECS/kernel/CVE-2023-35823.nopatch | 3 +++ SPECS/kernel/CVE-2023-35824.nopatch | 3 +++ SPECS/kernel/CVE-2023-35829.nopatch | 3 +++ 12 files changed, 40 insertions(+) create mode 100644 SPECS/kernel/CVE-2023-3090.nopatch create mode 100644 SPECS/kernel/CVE-2023-3212.nopatch create mode 100644 SPECS/kernel/CVE-2023-3220.nopatch create mode 100644 SPECS/kernel/CVE-2023-3355.nopatch create mode 100644 SPECS/kernel/CVE-2023-3357.nopatch create mode 100644 SPECS/kernel/CVE-2023-3358.nopatch create mode 100644 SPECS/kernel/CVE-2023-3359.nopatch create mode 100644 SPECS/kernel/CVE-2023-3439.nopatch create mode 100644 SPECS/kernel/CVE-2023-35788.nopatch create mode 100644 SPECS/kernel/CVE-2023-35823.nopatch create mode 100644 SPECS/kernel/CVE-2023-35824.nopatch create mode 100644 SPECS/kernel/CVE-2023-35829.nopatch diff --git a/SPECS/kernel/CVE-2023-3090.nopatch b/SPECS/kernel/CVE-2023-3090.nopatch new file mode 100644 index 00000000000..5d305a45e48 --- /dev/null +++ b/SPECS/kernel/CVE-2023-3090.nopatch @@ -0,0 +1,3 @@ +CVE-2023-3090 - patched in 5.10.181.1 - (generated by autopatch tool) +upstream 90cbed5247439a966b645b34eb0a2e037836ea8e - stable f4a371d3f5a7a71dff1ab48b3122c5cf23cc7ad5 + diff --git a/SPECS/kernel/CVE-2023-3212.nopatch b/SPECS/kernel/CVE-2023-3212.nopatch new file mode 100644 index 00000000000..909aec8d177 --- /dev/null +++ b/SPECS/kernel/CVE-2023-3212.nopatch @@ -0,0 +1,3 @@ +CVE-2023-3212 - patched in 5.10.183.1 - (generated by autopatch tool) +upstream 504a10d9e46bc37b23d0a1ae2f28973c8516e636 - stable d03d31d3a206093b9b8759dddf0ba9bd843606ba + diff --git a/SPECS/kernel/CVE-2023-3220.nopatch b/SPECS/kernel/CVE-2023-3220.nopatch new file mode 100644 index 00000000000..8a1d8913bb4 --- /dev/null +++ b/SPECS/kernel/CVE-2023-3220.nopatch @@ -0,0 +1,3 @@ +CVE-2023-3220 - patched in 5.10.173.1 - (generated by autopatch tool) +upstream 93340e10b9c5fc86730d149636e0aa8b47bb5a34 - stable e9743b3052e125c44b555f07f2876a4bdccfd983 + diff --git a/SPECS/kernel/CVE-2023-3355.nopatch b/SPECS/kernel/CVE-2023-3355.nopatch new file mode 100644 index 00000000000..30750f34f7d --- /dev/null +++ b/SPECS/kernel/CVE-2023-3355.nopatch @@ -0,0 +1,4 @@ +CVE-2023-3355 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: d839f0811a31322c087a859c2b181e2383daa7be +upstream introducing commit: 20224d715a882210428ea62bba93f1bc4a0afe23 + diff --git a/SPECS/kernel/CVE-2023-3357.nopatch b/SPECS/kernel/CVE-2023-3357.nopatch new file mode 100644 index 00000000000..9ec379412a5 --- /dev/null +++ b/SPECS/kernel/CVE-2023-3357.nopatch @@ -0,0 +1,4 @@ +CVE-2023-3357 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: 53ffa6a9f83b2170c60591da1ead8791d5a42e81 +upstream introducing commit: 4b2c53d93a4bc9d52cc0ec354629cfc9dc217f93 + diff --git a/SPECS/kernel/CVE-2023-3358.nopatch b/SPECS/kernel/CVE-2023-3358.nopatch new file mode 100644 index 00000000000..8522d245e02 --- /dev/null +++ b/SPECS/kernel/CVE-2023-3358.nopatch @@ -0,0 +1,3 @@ +CVE-2023-3358 - patched in 5.10.166.1 - (generated by autopatch tool) +upstream b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 - stable 7b4516ba56f1fcb13ffc91912f3074e28362228d + diff --git a/SPECS/kernel/CVE-2023-3359.nopatch b/SPECS/kernel/CVE-2023-3359.nopatch new file mode 100644 index 00000000000..1ceda28e3ef --- /dev/null +++ b/SPECS/kernel/CVE-2023-3359.nopatch @@ -0,0 +1,4 @@ +CVE-2023-3359 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: b0576ade3aaf24b376ea1a4406ae138e2a22b0c0 +upstream introducing commit: 6e977eaa8280e957b87904b536661550f2a6b3e8 + diff --git a/SPECS/kernel/CVE-2023-3439.nopatch b/SPECS/kernel/CVE-2023-3439.nopatch new file mode 100644 index 00000000000..cece197e1ca --- /dev/null +++ b/SPECS/kernel/CVE-2023-3439.nopatch @@ -0,0 +1,4 @@ +CVE-2023-3439 - Introducing commit(s) not present in LTS - (generated by autopatch tool) +upstream fix commit: b561275d633bcd8e0e8055ab86f1a13df75a0269 +upstream introducing commit: 583be982d93479ea3d85091b0fd0b01201ede87d + diff --git a/SPECS/kernel/CVE-2023-35788.nopatch b/SPECS/kernel/CVE-2023-35788.nopatch new file mode 100644 index 00000000000..e30358180d8 --- /dev/null +++ b/SPECS/kernel/CVE-2023-35788.nopatch @@ -0,0 +1,3 @@ +CVE-2023-35788 - patched in 5.10.183.1 - (generated by autopatch tool) +upstream 4d56304e5827c8cc8cc18c75343d283af7c4825c - stable 7c5c67aa294444b53f697dc3ddce61b33ff8badd + diff --git a/SPECS/kernel/CVE-2023-35823.nopatch b/SPECS/kernel/CVE-2023-35823.nopatch new file mode 100644 index 00000000000..197e56645b7 --- /dev/null +++ b/SPECS/kernel/CVE-2023-35823.nopatch @@ -0,0 +1,3 @@ +CVE-2023-35823 - patched in 5.10.180.1 - (generated by autopatch tool) +upstream 30cf57da176cca80f11df0d9b7f71581fe601389 - stable 7dac96e9cc985328ec1fae92f0c245f559dc0e11 + diff --git a/SPECS/kernel/CVE-2023-35824.nopatch b/SPECS/kernel/CVE-2023-35824.nopatch new file mode 100644 index 00000000000..3b437da24b1 --- /dev/null +++ b/SPECS/kernel/CVE-2023-35824.nopatch @@ -0,0 +1,3 @@ +CVE-2023-35824 - patched in 5.10.180.1 - (generated by autopatch tool) +upstream 5abda7a16698d4d1f47af1168d8fa2c640116b4a - stable e9d64e90a0ada4d00ac6562e351ef10ae7d9b911 + diff --git a/SPECS/kernel/CVE-2023-35829.nopatch b/SPECS/kernel/CVE-2023-35829.nopatch new file mode 100644 index 00000000000..711cb278b60 --- /dev/null +++ b/SPECS/kernel/CVE-2023-35829.nopatch @@ -0,0 +1,3 @@ +CVE-2023-35829 - patched in 5.10.180.1 - (generated by autopatch tool) +upstream 3228cec23b8b29215e18090c6ba635840190993d - stable de19d02d734ef29f5dbd2c12fe810fa960ecd83f + From e5f8336e5a3b13ba0730870e44ed28f3d1a563b5 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Mon, 10 Jul 2023 22:34:47 +0200 Subject: [PATCH 8/9] Upgrade libtiff to 4.5.1 patch CVE-2023-26966 (#5809) --- SPECS/libtiff/CVE-2022-48281.patch | 25 -- SPECS/libtiff/CVE-2023-0795.patch | 341 -------------------------- SPECS/libtiff/CVE-2023-2731.patch | 33 --- SPECS/libtiff/libtiff.signatures.json | 2 +- SPECS/libtiff/libtiff.spec | 10 +- cgmanifest.json | 4 +- 6 files changed, 8 insertions(+), 407 deletions(-) delete mode 100644 SPECS/libtiff/CVE-2022-48281.patch delete mode 100644 SPECS/libtiff/CVE-2023-0795.patch delete mode 100644 SPECS/libtiff/CVE-2023-2731.patch diff --git a/SPECS/libtiff/CVE-2022-48281.patch b/SPECS/libtiff/CVE-2022-48281.patch deleted file mode 100644 index d3cf3cc110d..00000000000 --- a/SPECS/libtiff/CVE-2022-48281.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Sat, 21 Jan 2023 15:58:10 +0000 -Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. - ---- - tools/tiffcrop.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 14fa18da..7db69883 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, - cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc( --- -GitLab - diff --git a/SPECS/libtiff/CVE-2023-0795.patch b/SPECS/libtiff/CVE-2023-0795.patch deleted file mode 100644 index 50055971fb9..00000000000 --- a/SPECS/libtiff/CVE-2023-0795.patch +++ /dev/null @@ -1,341 +0,0 @@ -From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Fri, 3 Feb 2023 15:31:31 +0100 -Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() - fix#520 rotateImage() set up a new buffer and calculates its size - individually. Therefore, seg_buffs[] size needs to be updated accordingly. - Before this fix, the seg_buffs buffer size was calculated with a different - formula than within rotateImage(). - -diff -ru libtiff-v4.5.0-orig/tools/tiffcrop.c libtiff-v4.5.0/tools/tiffcrop.c ---- libtiff-v4.5.0-orig/tools/tiffcrop.c 2023-05-12 11:14:02.465594047 -0700 -+++ libtiff-v4.5.0/tools/tiffcrop.c 2023-05-12 14:50:24.152164015 -0700 -@@ -577,7 +577,7 @@ - static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, - uint32_t, uint32_t, uint8_t *, uint8_t *); - static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, -- unsigned char **); -+ unsigned char **, size_t *); - static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, - unsigned char *); - static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, -@@ -7243,7 +7243,7 @@ - } - - if (rotateImage(rotation, image, &image->width, &image->length, -- work_buff_ptr)) -+ work_buff_ptr, NULL)) - { - TIFFError("correct_orientation", "Unable to rotate image"); - return (-1); -@@ -8563,8 +8563,12 @@ - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can - reallocate the buffer */ - { -+ /* rotateImage() set up a new buffer and calculates its size -+ * individually. Therefore, seg_buffs size needs to be updated -+ * accordingly. */ -+ size_t rot_buf_size = 0; - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, &crop_buff)) -+ &crop->combined_length, &crop_buff, &rot_buf_size)) - { - TIFFError("processCropSelections", - "Failed to rotate composite regions by %" PRIu32 -@@ -8573,9 +8577,7 @@ - return (-1); - } - seg_buffs[0].buffer = crop_buff; -- seg_buffs[0].size = -- (((crop->combined_width * image->bps + 7) / 8) * image->spp) * -- crop->combined_length; -+ seg_buffs[0].size = rot_buf_size; - } - } - else /* Separated Images */ -@@ -8686,10 +8688,14 @@ - * ->yres, what it schouldn't do here, when more than one - * section is processed. ToDo: Therefore rotateImage() and its - * usage has to be reworked (e.g. like mirrorImage()) !! -- */ -- if (rotateImage(crop->rotation, image, -- &crop->regionlist[i].width, -- &crop->regionlist[i].length, &crop_buff)) -+ * Furthermore, rotateImage() set up a new buffer and calculates -+ * its size individually. Therefore, seg_buffs size needs to be -+ * updated accordingly. */ -+ size_t rot_buf_size = 0; -+ if (rotateImage( -+ crop->rotation, image, &crop->regionlist[i].width, -+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) -+ - { - TIFFError("processCropSelections", - "Failed to rotate crop region by %" PRIu16 -@@ -8702,10 +8708,7 @@ - crop->combined_width = total_width; - crop->combined_length = total_length; - seg_buffs[i].buffer = crop_buff; -- seg_buffs[i].size = -- (((crop->regionlist[i].width * image->bps + 7) / 8) * -- image->spp) * -- crop->regionlist[i].length; -+ seg_buffs[i].size = rot_buf_size; - } - } /* for crop->selections loop */ - } /* Separated Images (else case) */ -@@ -8836,7 +8839,7 @@ - CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, crop_buff_ptr)) -+ &crop->combined_length, crop_buff_ptr, NULL)) - { - TIFFError("createCroppedImage", - "Failed to rotate image or cropped selection by %" PRIu16 -@@ -9552,7 +9555,7 @@ - /* Rotate an image by a multiple of 90 degrees clockwise */ - static int rotateImage(uint16_t rotation, struct image_data *image, - uint32_t *img_width, uint32_t *img_length, -- unsigned char **ibuff_ptr) -+ unsigned char **ibuff_ptr, size_t *rot_buf_size) - { - int shift_width; - uint32_t bytes_per_pixel, bytes_per_sample; -@@ -9610,6 +9613,8 @@ - return (-1); - } - _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); -+ if (rot_buf_size != NULL) -+ *rot_buf_size = buffsize; - - ibuff = *ibuff_ptr; - switch (rotation) - -From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 4 Feb 2023 23:24:21 +0100 -Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() - fix#520 -- enlarge buffsize and check integer overflow within rotateImage(). - -diff -ru libtiff-v4.5.0-orig/tools/tiffcrop.c libtiff-v4.5.0/tools/tiffcrop.c ---- libtiff-v4.5.0-orig/tools/tiffcrop.c 2023-05-12 14:55:09.414735471 -0700 -+++ libtiff-v4.5.0/tools/tiffcrop.c 2023-05-12 14:59:17.352957542 -0700 -@@ -9561,7 +9561,8 @@ - uint32_t bytes_per_pixel, bytes_per_sample; - uint32_t row, rowsize, src_offset, dst_offset; - uint32_t i, col, width, length; -- uint32_t colsize, buffsize, col_offset, pix_offset; -+ uint32_t colsize, col_offset, pix_offset; -+ tmsize_t buffsize; - unsigned char *ibuff; - unsigned char *src; - unsigned char *dst; -@@ -9574,12 +9575,40 @@ - spp = image->spp; - bps = image->bps; - -+ if ((spp != 0 && bps != 0 && -+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || -+ (spp != 0 && bps != 0 && -+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) -+ { -+ TIFFError("rotateImage", "Integer overflow detected."); -+ return (-1); -+ } - rowsize = ((bps * spp * width) + 7) / 8; - colsize = ((bps * spp * length) + 7) / 8; - if ((colsize * width) > (rowsize * length)) -- buffsize = (colsize + 1) * width; -+ { -+ if (((tmsize_t)colsize + 1) != 0 && -+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / -+ ((tmsize_t)colsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } -+ buffsize = ((tmsize_t)colsize + 1) * width; -+ } - else -+ { -+ if (((tmsize_t)rowsize + 1) != 0 && -+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / -+ ((tmsize_t)rowsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } - buffsize = (rowsize + 1) * length; -+ } - - bytes_per_sample = (bps + 7) / 8; - bytes_per_pixel = ((bps * spp) + 7) / 8; -@@ -9608,7 +9637,8 @@ - (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) - { - TIFFError("rotateImage", -- "Unable to allocate rotation buffer of %1u bytes", -+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT -+ " bytes ", - buffsize + NUM_BUFF_OVERSIZE_BYTES); - return (-1); - } - -From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sun, 29 Jan 2023 11:09:26 +0100 -Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) - image width and length parameters when only cropped image sections are - rotated. Remove buffptr from region structure because never used. - -Closes #492 #493 #494 #495 #499 #518 #519 - -diff -ru libtiff-v4.5.0-orig/tools/tiffcrop.c libtiff-v4.5.0/tools/tiffcrop.c ---- libtiff-v4.5.0-orig/tools/tiffcrop.c 2023-05-12 15:01:50.666327711 -0700 -+++ libtiff-v4.5.0/tools/tiffcrop.c 2023-05-12 15:08:32.732858078 -0700 -@@ -296,7 +296,6 @@ - uint32_t width; /* width in pixels */ - uint32_t length; /* length in pixels */ - uint32_t buffsize; /* size of buffer needed to hold the cropped region */ -- unsigned char *buffptr; /* address of start of the region */ - }; - - /* Cropping parameters from command line and image data -@@ -577,7 +576,7 @@ - static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, - uint32_t, uint32_t, uint8_t *, uint8_t *); - static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, -- unsigned char **, size_t *); -+ unsigned char **, size_t *, int); - static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, - unsigned char *); - static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, -@@ -5779,7 +5778,6 @@ - cps->regionlist[i].width = 0; - cps->regionlist[i].length = 0; - cps->regionlist[i].buffsize = 0; -- cps->regionlist[i].buffptr = NULL; - cps->zonelist[i].position = 0; - cps->zonelist[i].total = 0; - } -@@ -7242,8 +7240,13 @@ - return (-1); - } - -- if (rotateImage(rotation, image, &image->width, &image->length, -- work_buff_ptr, NULL)) -+ /* Dummy variable in order not to switch two times the -+ * image->width,->length within rotateImage(), -+ * but switch xres, yres there. */ -+ uint32_t width = image->width; -+ uint32_t length = image->length; -+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, -+ TRUE)) - { - TIFFError("correct_orientation", "Unable to rotate image"); - return (-1); -@@ -7312,7 +7315,6 @@ - /* These should not be needed for composite images */ - crop->regionlist[i].width = crop_width; - crop->regionlist[i].length = crop_length; -- crop->regionlist[i].buffptr = crop_buff; - - src_rowsize = ((img_width * bps * spp) + 7) / 8; - dst_rowsize = (((crop_width * bps * count) + 7) / 8); -@@ -7573,7 +7575,6 @@ - - crop->regionlist[region].width = crop_width; - crop->regionlist[region].length = crop_length; -- crop->regionlist[region].buffptr = crop_buff; - - src = read_buff; - dst = crop_buff; -@@ -8568,7 +8569,8 @@ - * accordingly. */ - size_t rot_buf_size = 0; - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, &crop_buff, &rot_buf_size)) -+ &crop->combined_length, &crop_buff, &rot_buf_size, -+ FALSE)) - { - TIFFError("processCropSelections", - "Failed to rotate composite regions by %" PRIu32 -@@ -8692,10 +8694,10 @@ - * its size individually. Therefore, seg_buffs size needs to be - * updated accordingly. */ - size_t rot_buf_size = 0; -- if (rotateImage( -- crop->rotation, image, &crop->regionlist[i].width, -- &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) -- -+ if (rotateImage(crop->rotation, image, -+ &crop->regionlist[i].width, -+ &crop->regionlist[i].length, &crop_buff, -+ &rot_buf_size, FALSE)) - { - TIFFError("processCropSelections", - "Failed to rotate crop region by %" PRIu16 -@@ -8839,7 +8841,7 @@ - CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, crop_buff_ptr, NULL)) -+ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) - { - TIFFError("createCroppedImage", - "Failed to rotate image or cropped selection by %" PRIu16 -@@ -9555,7 +9557,8 @@ - /* Rotate an image by a multiple of 90 degrees clockwise */ - static int rotateImage(uint16_t rotation, struct image_data *image, - uint32_t *img_width, uint32_t *img_length, -- unsigned char **ibuff_ptr, size_t *rot_buf_size) -+ unsigned char **ibuff_ptr, size_t *rot_buf_size, -+ int rot_image_params) - { - int shift_width; - uint32_t bytes_per_pixel, bytes_per_sample; -@@ -9803,11 +9806,15 @@ - - *img_width = length; - *img_length = width; -- image->width = length; -- image->length = width; -- res_temp = image->xres; -- image->xres = image->yres; -- image->yres = res_temp; -+ /* Only toggle image parameters if whole input image is rotated. */ -+ if (rot_image_params) -+ { -+ image->width = length; -+ image->length = width; -+ res_temp = image->xres; -+ image->xres = image->yres; -+ image->yres = res_temp; -+ } - break; - - case 270: -@@ -9890,11 +9897,15 @@ - - *img_width = length; - *img_length = width; -- image->width = length; -- image->length = width; -- res_temp = image->xres; -- image->xres = image->yres; -- image->yres = res_temp; -+ /* Only toggle image parameters if whole input image is rotated. */ -+ if (rot_image_params) -+ { -+ image->width = length; -+ image->length = width; -+ res_temp = image->xres; -+ image->xres = image->yres; -+ image->yres = res_temp; -+ } - break; - default: - break; diff --git a/SPECS/libtiff/CVE-2023-2731.patch b/SPECS/libtiff/CVE-2023-2731.patch deleted file mode 100644 index c981ad79190..00000000000 --- a/SPECS/libtiff/CVE-2023-2731.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 29 Apr 2023 12:20:46 +0200 -Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a - strip whith a missing end-of-information marker (fixes #548) - ---- - libtiff/tif_lzw.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index ba75a07e..d631fa10 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) - - if (sp->read_error) - { -+ TIFFErrorExtR(tif, module, -+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to " -+ "previous error", -+ tif->tif_row); - return 0; - } - -@@ -742,6 +746,7 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) - return (1); - - no_eoi: -+ sp->read_error = 1; - TIFFErrorExtR(tif, module, - "LZWDecode: Strip %" PRIu32 " not terminated with EOI code", - tif->tif_curstrip); diff --git a/SPECS/libtiff/libtiff.signatures.json b/SPECS/libtiff/libtiff.signatures.json index 26bde1fd01a..de27575094e 100644 --- a/SPECS/libtiff/libtiff.signatures.json +++ b/SPECS/libtiff/libtiff.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "libtiff-v4.5.0.tar.gz": "9c89263dc6b12d89ea0f0af3f36020797f17a6d3d247bf06d66fdbbef98609af" + "libtiff-v4.5.1.tar.gz": "f3a69013600bc847b6e884efafe340f9bce10cf687a2c9fa46efabfe9163284f" } } \ No newline at end of file diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 72d645f14ad..d323e7f8176 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,16 +1,13 @@ Summary: TIFF libraries and associated utilities. Name: libtiff -Version: 4.5.0 -Release: 3%{?dist} +Version: 4.5.1 +Release: 1%{?dist} License: libtiff URL: https://gitlab.com/libtiff/libtiff Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner Source0: https://gitlab.com/libtiff/libtiff/-/archive/v%{version}/libtiff-v%{version}.tar.gz -Patch0: CVE-2022-48281.patch -Patch1: CVE-2023-0795.patch -Patch2: CVE-2023-2731.patch BuildRequires: autoconf BuildRequires: automake @@ -68,6 +65,9 @@ make %{?_smp_mflags} -k check %{_datadir}/doc/* %changelog +* Mon Jul 10 2023 CBL-Mariner Servicing Account - 4.5.1-1 +- Auto-upgrade to 4.5.1 - patch CVE-2023-26966 + * Fri May 26 2023 Rachel Menge - 4.5.0-3 - Patch CVE-2023-2731 diff --git a/cgmanifest.json b/cgmanifest.json index d7efeea5018..a9185b701a3 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -3496,8 +3496,8 @@ "type": "other", "other": { "name": "libtiff", - "version": "4.5.0", - "downloadUrl": "https://gitlab.com/libtiff/libtiff/-/archive/v4.5.0/libtiff-v4.5.0.tar.gz" + "version": "4.5.1", + "downloadUrl": "https://gitlab.com/libtiff/libtiff/-/archive/v4.5.1/libtiff-v4.5.1.tar.gz" } } }, From 31135fa91ff24e23a80f5e962c2ff90205827137 Mon Sep 17 00:00:00 2001 From: Muhammad Falak R Wani Date: Wed, 12 Jul 2023 10:39:00 +0530 Subject: [PATCH 9/9] uclibc-ng: introduce patch to fix gettimeofday static build (#5821) Signed-off-by: Muhammad Falak R Wani --- .../0001-gettimeofday-fix-static-build.patch | 144 ++++++++++++++++++ SPECS/uclibc-ng/uclibc-ng.spec | 6 +- 2 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 SPECS/uclibc-ng/0001-gettimeofday-fix-static-build.patch diff --git a/SPECS/uclibc-ng/0001-gettimeofday-fix-static-build.patch b/SPECS/uclibc-ng/0001-gettimeofday-fix-static-build.patch new file mode 100644 index 00000000000..aec5fb656ab --- /dev/null +++ b/SPECS/uclibc-ng/0001-gettimeofday-fix-static-build.patch @@ -0,0 +1,144 @@ +From b19f8f360970ffd0c1a6ac41e07c66dc39790b16 Mon Sep 17 00:00:00 2001 +From: Waldemar Brodkorb +Date: Wed, 10 May 2023 08:35:25 +0200 +Subject: [PATCH 1/3] gettimeofday: fix static build + +Signed-off-by: Muhammad Falak R Wani +--- + libc/sysdeps/linux/common/gettimeofday.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libc/sysdeps/linux/common/gettimeofday.c b/libc/sysdeps/linux/common/gettimeofday.c +index e5141088e..12473a8e6 100755 +--- a/libc/sysdeps/linux/common/gettimeofday.c ++++ b/libc/sysdeps/linux/common/gettimeofday.c +@@ -9,8 +9,9 @@ + #include + #include + ++#ifdef SHARED + #include "ldso.h" +- ++#endif + + + #ifdef __VDSO_SUPPORT__ +-- +2.41.0 + + +From a04b282ef264c58aadff623ff648a67aeeb9d876 Mon Sep 17 00:00:00 2001 +From: Yann Sionneau +Date: Mon, 12 Jun 2023 09:47:40 +0200 +Subject: [PATCH 2/3] Revert "librt: avoid compilation error" + +This reverts commit 08d46f1ce21e4ec51b2b1626beeaea6cbe7fdc6b. + +Signed-off-by: Yann Sionneau +Signed-off-by: Muhammad Falak R Wani +--- + librt/clock_nanosleep.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/librt/clock_nanosleep.c b/librt/clock_nanosleep.c +index 1515cf5b0..4cf1e06b4 100644 +--- a/librt/clock_nanosleep.c ++++ b/librt/clock_nanosleep.c +@@ -36,9 +36,9 @@ clock_nanosleep (clockid_t clock_id, int flags, const struct timespec *req, + if (clock_id == CLOCK_PROCESS_CPUTIME_ID) + clock_id = MAKE_PROCESS_CPUCLOCK (0, CPUCLOCK_SCHED); + +-#if defined(SINGLE_THREAD_P) ++ if (SINGLE_THREAD_P) + r = INTERNAL_SYSCALL (clock_nanosleep, err, 4, clock_id, flags, req, rem); +-#else ++ else + { + int oldstate = LIBC_CANCEL_ASYNC (); + +@@ -47,7 +47,6 @@ clock_nanosleep (clockid_t clock_id, int flags, const struct timespec *req, + + LIBC_CANCEL_RESET (oldstate); + } +-#endif + + return (INTERNAL_SYSCALL_ERROR_P (r, err) + ? INTERNAL_SYSCALL_ERRNO (r, err) : 0); +-- +2.41.0 + + +From 82fdc29f5fc430a725b922ac2086c02e918e269a Mon Sep 17 00:00:00 2001 +From: Yann Sionneau +Date: Mon, 12 Jun 2023 09:47:41 +0200 +Subject: [PATCH 3/3] Fix compilation error on noMMU/nothread systems with old + compilers + +For instance with buildroot config sipeed_maix_bit_defconfig the pre-processor generates + + if (1) + r = ({ long _sys_result; { register long int _a7 __asm__ ("a7"); register long _a3 __asm__ ("a3"); long _a3tmp; register long _a2 __asm__ ("a2"); long _a2tmp; register long _a1 __asm__ ("a1"); long _a1tmp; long _a0tmp; register long _a0 __asm__ ("a0"); _a0tmp = (long) (clock_id); _a0 = _a0tmp; _a1tmp = (long) (flags); _a1 = _a1tmp; _a2tmp = (long) (req); _a2 = _a2tmp; _a3tmp = (long) (rem); _a3 = _a3tmp; _a7 = (115); __asm__ volatile ( "scall\n\t" : "=r" (_a0) : "r"(_a7) , "r" (_a0), "r" (_a1), "r" (_a2), "r" (_a3) : "memory"); _sys_result = _a0; } _sys_result; }); + else + { + int oldstate = LIBC_CANCEL_ASYNC (); + + r = ({ long _sys_result; { register long int _a7 __asm__ ("a7"); register long _a3 __asm__ ("a3"); long _a3tmp; register long _a2 __asm__ ("a2"); long _a2tmp; register long _a1 __asm__ ("a1"); long _a1tmp; long _a0tmp; register long _a0 __asm__ ("a0"); _a0tmp = (long) (clock_id); _a0 = _a0tmp; _a1tmp = (long) (flags); _a1 = _a1tmp; _a2tmp = (long) (req); _a2 = _a2tmp; _a3tmp = (long) (rem); _a3 = _a3tmp; _a7 = (115); __asm__ volatile ( "scall\n\t" : "=r" (_a0) : "r"(_a7) , "r" (_a0), "r" (_a1), "r" (_a2), "r" (_a3) : "memory"); _sys_result = _a0; } _sys_result; }) + ; + + LIBC_CANCEL_RESET (oldstate); + } + +And also the compiler issues these warnings: + +librt/clock_nanosleep.c: In function 'clock_nanosleep': +librt/clock_nanosleep.c:43:22: warning: implicit declaration of function +'LIBC_CANCEL_ASYNC'; did you mean 'LIBC_CANCEL_HANDLED'? +[-Wimplicit-function-declaration] + 43 | int oldstate = LIBC_CANCEL_ASYNC (); + | ^~~~~~~~~~~~~~~~~ + | LIBC_CANCEL_HANDLED +librt/clock_nanosleep.c:48:7: warning: implicit declaration of function +'LIBC_CANCEL_RESET'; did you mean 'LIBC_CANCEL_HANDLED'? +[-Wimplicit-function-declaration] + 48 | LIBC_CANCEL_RESET (oldstate); + | ^~~~~~~~~~~~~~~~~ + | LIBC_CANCEL_HANDLED + +So if the compiler is a bit picky and does not optimize the if (1) {} else {} it can fail to link with undefined symbols. +This patch fixes this issue: no more warning. + +Btw, that's the solution that is already used in the following cancellation point files: +* libc/sysdeps/linux/common/__syscall_fcntl.c +* libc/sysdeps/linux/common/__syscall_fcntl64.c +* libc/sysdeps/linux/common/ioctl.c +* libc/sysdeps/linux/common/openat.c +* libc/sysdeps/linux/common/open.c + +Signed-off-by: Yann Sionneau +Signed-off-by: Muhammad Falak R Wani +--- + librt/clock_nanosleep.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/librt/clock_nanosleep.c b/librt/clock_nanosleep.c +index 4cf1e06b4..85db72fb3 100644 +--- a/librt/clock_nanosleep.c ++++ b/librt/clock_nanosleep.c +@@ -40,12 +40,14 @@ clock_nanosleep (clockid_t clock_id, int flags, const struct timespec *req, + r = INTERNAL_SYSCALL (clock_nanosleep, err, 4, clock_id, flags, req, rem); + else + { ++#ifdef __NEW_THREADS + int oldstate = LIBC_CANCEL_ASYNC (); + + r = INTERNAL_SYSCALL (clock_nanosleep, err, 4, clock_id, flags, req, + rem); + + LIBC_CANCEL_RESET (oldstate); ++#endif + } + + return (INTERNAL_SYSCALL_ERROR_P (r, err) +-- +2.41.0 + diff --git a/SPECS/uclibc-ng/uclibc-ng.spec b/SPECS/uclibc-ng/uclibc-ng.spec index 83fe3a20e85..27f46aa7b9d 100644 --- a/SPECS/uclibc-ng/uclibc-ng.spec +++ b/SPECS/uclibc-ng/uclibc-ng.spec @@ -4,13 +4,14 @@ Summary: C library for embedded Linux Name: uclibc-ng Version: 1.0.43 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2 Vendor: Microsoft Corporation Distribution: Mariner URL: https://www.uclibc-ng.org/ Source0: https://downloads.uclibc-ng.org/releases/%{version}/%{uclibc_name}-%{version}.tar.xz Source1: uClibc.config +Patch0: 0001-gettimeofday-fix-static-build.patch BuildRequires: gcc @@ -82,6 +83,9 @@ rm -rf %{buildroot}/include/ %{_libdir}/uClibc %changelog +* Wed Jul 12 2023 Muhammad Falak - 1.0.43-2 +- Introduce patch to fix static build. + * Wed Jul 05 2023 Muhammad Falak - 1.0.43-1 - Bump version to 1.0.43 to fix CVE-2022-29503.