Merge branch '1.0-dev' into 1.0

microsoft · Jun 6, 2023 · 733c933 · 733c933
2 parents b2b239e + 193f866
commit 733c933
Show file tree

Hide file tree

Showing 8 changed files with 87 additions and 23 deletions.
diff --git a/SPECS/gnupg2/CVE-2022-34903.patch b/SPECS/gnupg2/CVE-2022-34903.patch
@@ -0,0 +1,44 @@
+From 09fa505d543c3d3fcaf8b9dee8f4bcec430d45b5 Mon Sep 17 00:00:00 2001
+From: Cameron Baird <[email protected]>
+Date: Thu, 1 Jun 2023 10:24:15 -0700
+Subject: [PATCH] cherry-picking upstream commit >
+ 34c649b3601383cd11dbc76221747ec16fd68e1b, which can be found at >
+ https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1bi
+
+Signed-off-by: Cameron Baird <[email protected]>
+---
+ g10/cpr.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/g10/cpr.c b/g10/cpr.c
+index d502e8b..bc4b715 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);
+-- 
+2.25.1
+
diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec
@@ -1,14 +1,17 @@
 Summary:        OpenPGP standard implementation used for encrypted communication and data storage.
 Name:           gnupg2
 Version:        2.2.20
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        BSD and CC0 and GPLv2+ and LGPLv2+
 URL:            https://gnupg.org/index.html
 Group:          Applications/Cryptography.
 Source0:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+# CVE-2022-34903: cherry-pick upstream commit
+# 34c649b3601383cd11dbc76221747ec16fd68e1b, which can be found at
+# https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1bi
+Patch0:         CVE-2022-34903.patch
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-
 BuildRequires:  zlib-devel
 BuildRequires:  bzip2-devel
 BuildRequires:  readline-devel
@@ -39,7 +42,7 @@ functionality up into several modules. The S/MIME and smartcard functionality
 is provided by the gnupg2-smime package.
 
 %prep
-%setup -q -n gnupg-%{version}
+%autosetup -p1 -n gnupg-%{version}
 
 %build
 %configure
@@ -65,23 +68,34 @@ make %{?_smp_mflags} check
 %exclude /usr/share/doc/*
 
 %changelog
+*   Thu Jun 01 2023 Cameron Baird <[email protected]> 2.2.20-4
+-   Patch CVE-2022-34903.
+
 *   Mon Jun 01 2020 Pawel Winogrodzki <[email protected]> 2.2.20-3
 -   Adding a license reference.
 -   License verified.
+
 *   Thu Apr 16 2020 Nicolas Ontiveros <[email protected]> 2.2.20-2
 -   Rename gnupg to gnupg2
 -   Update description.
+
 *   Tue Mar 24 2020 Henry Beberman <[email protected]> 2.2.20-1
 -   Update to 2.2.20. License verified.
+
 *   Tue Sep 03 2019 Mateusz Malisz <[email protected]> 2.2.10-2
 -   Initial CBL-Mariner import from Photon (license: Apache2).
+
 *   Sat Oct 20 2018 Ankit Jain <[email protected]> 2.2.10-1
 -   Update to 2.2.10
+
 *   Wed Aug 30 2017 Alexey Makhalov <[email protected]> 2.1.20-3
 -   Add requires libgcrypt
+
 *   Wed Jun 07 2017 Danut Moraru <[email protected]> 2.1.20-2
 -   Add pinentry dependency
+
 *   Tue Apr 11 2017 Danut Moraru <[email protected]> 2.1.20-1
 -   Update to 2.1.20
+
 *   Wed Jul 27 2016 Kumar Kaushik <[email protected]> 2.0.30-1
 -   Initial Build.
diff --git a/SPECS/openjdk8/openjdk8.spec b/SPECS/openjdk8/openjdk8.spec
@@ -16,7 +16,7 @@
 Name:           openjdk8
 Summary:        OpenJDK
 Version:        %{_jdk_version}.%{_jdk_update}
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 1.1 AND ASL 2.0 AND BSD AND BSD WITH advertising AND GPL+ AND GPLv2 AND GPLv2 WITH exceptions AND IJG AND LGPLv2+ AND MIT AND MPLv2.0 AND Public Domain AND W3C AND zlib
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -113,6 +113,7 @@ unset JAVA_HOME &&
 	--with-freetype-lib=%{_libdir} \
 	--with-stdc++lib=dynamic \
 	--with-native-debug-symbols=none \
+	--with-zlib=system \
 	--disable-zip-debug-info
 
 make \
@@ -275,6 +276,10 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/src.zip
 
 %changelog
+*   Mon Jun 05 2023 Daniel McIlvaney <[email protected]> - 1.8.0.332-2
+-   Explicitly set --with-zlib=system to ensure we do not use a version of
+-   zlib that is vulnerable to CVE-2018-25032
+
 *   Mon Feb 28 2022 Nicolas Guibourge <[email protected]> - 1.8.0.332-1
 -   Update to 1.8.0.332 to address the below CVEs:
 -   CVE-2022-21248 CVE-2022-21282 CVE-2022-21283 CVE-2022-21293

diff --git a/SPECS/qt5-qtsvg/CVE-2023-32573.patch b/SPECS/qt5-qtsvg/CVE-2023-32573.patch
@@ -33,4 +33,5 @@ Source: https://download.qt.io/archive/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff
 +        unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
 
      if (!name.isEmpty())
-         font->setFamilyName(name);
+         font->setFamilyName(name);
+
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -155,7 +155,7 @@ libgcrypt-1.8.7-3.cm1.aarch64.rpm
 libksba-1.3.5-5.cm1.aarch64.rpm
 npth-1.6-3.cm1.aarch64.rpm
 pinentry-1.1.0-3.cm1.aarch64.rpm
-gnupg2-2.2.20-3.cm1.aarch64.rpm
+gnupg2-2.2.20-4.cm1.aarch64.rpm
 gpgme-1.13.1-6.cm1.aarch64.rpm
 mariner-repos-shared-1.0-16.cm1.noarch.rpm
 mariner-repos-1.0-16.cm1.noarch.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -155,7 +155,7 @@ libgcrypt-1.8.7-3.cm1.x86_64.rpm
 libksba-1.3.5-5.cm1.x86_64.rpm
 npth-1.6-3.cm1.x86_64.rpm
 pinentry-1.1.0-3.cm1.x86_64.rpm
-gnupg2-2.2.20-3.cm1.x86_64.rpm
+gnupg2-2.2.20-4.cm1.x86_64.rpm
 gpgme-1.13.1-6.cm1.x86_64.rpm
 mariner-repos-shared-1.0-16.cm1.noarch.rpm
 mariner-repos-1.0-16.cm1.noarch.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -125,8 +125,8 @@ gmock-devel-1.11.0-1.cm1.aarch64.rpm
 gmp-6.1.2-6.cm1.aarch64.rpm
 gmp-debuginfo-6.1.2-6.cm1.aarch64.rpm
 gmp-devel-6.1.2-6.cm1.aarch64.rpm
-gnupg2-2.2.20-3.cm1.aarch64.rpm
-gnupg2-debuginfo-2.2.20-3.cm1.aarch64.rpm
+gnupg2-2.2.20-4.cm1.aarch64.rpm
+gnupg2-debuginfo-2.2.20-4.cm1.aarch64.rpm
 golang-1.18.8-2.cm1.aarch64.rpm
 gperf-3.1-3.cm1.aarch64.rpm
 gperf-debuginfo-3.1-3.cm1.aarch64.rpm
@@ -292,12 +292,12 @@ nss-3.73-1.cm1.aarch64.rpm
 nss-debuginfo-3.73-1.cm1.aarch64.rpm
 nss-devel-3.73-1.cm1.aarch64.rpm
 nss-libs-3.73-1.cm1.aarch64.rpm
-openjdk8-1.8.0.332-1.cm1.aarch64.rpm
-openjdk8-debuginfo-1.8.0.332-1.cm1.aarch64.rpm
-openjdk8-doc-1.8.0.332-1.cm1.aarch64.rpm
-openjdk8-sample-1.8.0.332-1.cm1.aarch64.rpm
-openjdk8-src-1.8.0.332-1.cm1.aarch64.rpm
-openjre8-1.8.0.332-1.cm1.aarch64.rpm
+openjdk8-1.8.0.332-2.cm1.aarch64.rpm
+openjdk8-debuginfo-1.8.0.332-2.cm1.aarch64.rpm
+openjdk8-doc-1.8.0.332-2.cm1.aarch64.rpm
+openjdk8-sample-1.8.0.332-2.cm1.aarch64.rpm
+openjdk8-src-1.8.0.332-2.cm1.aarch64.rpm
+openjre8-1.8.0.332-2.cm1.aarch64.rpm
 openldap-2.4.57-3.cm1.aarch64.rpm
 openldap-debuginfo-2.4.57-3.cm1.aarch64.rpm
 openssl-1.1.1k-15.cm1.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -125,8 +125,8 @@ gmock-devel-1.11.0-1.cm1.x86_64.rpm
 gmp-6.1.2-6.cm1.x86_64.rpm
 gmp-debuginfo-6.1.2-6.cm1.x86_64.rpm
 gmp-devel-6.1.2-6.cm1.x86_64.rpm
-gnupg2-2.2.20-3.cm1.x86_64.rpm
-gnupg2-debuginfo-2.2.20-3.cm1.x86_64.rpm
+gnupg2-2.2.20-4.cm1.x86_64.rpm
+gnupg2-debuginfo-2.2.20-4.cm1.x86_64.rpm
 golang-1.18.8-2.cm1.x86_64.rpm
 gperf-3.1-3.cm1.x86_64.rpm
 gperf-debuginfo-3.1-3.cm1.x86_64.rpm
@@ -292,12 +292,12 @@ nss-3.73-1.cm1.x86_64.rpm
 nss-debuginfo-3.73-1.cm1.x86_64.rpm
 nss-devel-3.73-1.cm1.x86_64.rpm
 nss-libs-3.73-1.cm1.x86_64.rpm
-openjdk8-1.8.0.332-1.cm1.x86_64.rpm
-openjdk8-debuginfo-1.8.0.332-1.cm1.x86_64.rpm
-openjdk8-doc-1.8.0.332-1.cm1.x86_64.rpm
-openjdk8-sample-1.8.0.332-1.cm1.x86_64.rpm
-openjdk8-src-1.8.0.332-1.cm1.x86_64.rpm
-openjre8-1.8.0.332-1.cm1.x86_64.rpm
+openjdk8-1.8.0.332-2.cm1.x86_64.rpm
+openjdk8-debuginfo-1.8.0.332-2.cm1.x86_64.rpm
+openjdk8-doc-1.8.0.332-2.cm1.x86_64.rpm
+openjdk8-sample-1.8.0.332-2.cm1.x86_64.rpm
+openjdk8-src-1.8.0.332-2.cm1.x86_64.rpm
+openjre8-1.8.0.332-2.cm1.x86_64.rpm
 openldap-2.4.57-3.cm1.x86_64.rpm
 openldap-debuginfo-2.4.57-3.cm1.x86_64.rpm
 openssl-1.1.1k-15.cm1.x86_64.rpm