From 7aa47951fd9fce7a2f7d251ebbe790eb6f4ee607 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Mon, 6 Feb 2023 16:50:22 -0500 Subject: [PATCH 01/27] Add patch for CVE-2022-3515 --- SPECS/libksba/CVE-2022-3515.patch | 42 +++++++++++++++++++ SPECS/libksba/libksba.spec | 5 ++- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 6 files changed, 52 insertions(+), 7 deletions(-) create mode 100644 SPECS/libksba/CVE-2022-3515.patch diff --git a/SPECS/libksba/CVE-2022-3515.patch b/SPECS/libksba/CVE-2022-3515.patch new file mode 100644 index 00000000000..e2cb842a4d4 --- /dev/null +++ b/SPECS/libksba/CVE-2022-3515.patch @@ -0,0 +1,42 @@ +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 5 Oct 2022 14:19:06 +0200 +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. + +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly +used sum. +-- + +It is quite common to have checks like + + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + +This patch detects possible integer overflows immmediately when +creating the TI object. + +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 +--- + src/ber-help.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/ber-help.c b/src/ber-help.c +index 81c31ed..56efb6a 100644 +--- a/src/ber-help.c ++++ b/src/ber-help.c +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) + ti->length = len; + } + ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) ++ { ++ ti->err_string = "header+length would overflow"; ++ return gpg_error (GPG_ERR_EOVERFLOW); ++ } ++ + /* Without this kludge some example certs can't be parsed */ + if (ti->class == CLASS_UNIVERSAL && !ti->tag) + ti->length = 0; +-- +2.34.1 + 
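Review bot: The guard added to `_ksba_ber_read_tl` has no comment saying why a sum smaller than one of its operands means wraparound, and the leading `ti->length > ti->nhdr` test narrows the check without explanation. Assuming both fields are unsigned (their declarations are outside the hunk), I would add `/* nhdr and length are unsigned: if their sum is smaller than length, the addition wrapped. */` above the `if`. The check only covers wraparound of the sum, so callers that compare `ti.nhdr + ti.length` against a buffer size, as quoted in the commit message, still need their own bound. The function body continues outside the hunk.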
diff --git a/SPECS/libksba/libksba.spec b/SPECS/libksba/libksba.spec index eae9100aaf6..7c0a1f39c37 100644 --- a/SPECS/libksba/libksba.spec +++ b/SPECS/libksba/libksba.spec @@ -1,12 +1,13 @@ Summary: Library for accessing X.509 and CMS data structure. Name: libksba Version: 1.3.5 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv3+ URL: https://www.gnupg.org/(fr)/download/index.html#libksba Group: Security/Libraries. Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/%{name}-%{version}.tar.bz2 Patch0: CVE-2022-47629.patch +Patch1: CVE-2022-3515.patch %define sha1 libksba=a98385734a0c3f5b713198e8d6e6e4aeb0b76fde Vendor: Microsoft Corporation Distribution: Mariner @@ -47,6 +48,8 @@ make %{?_smp_mflags} -k check %exclude %{_datadir}/info/dir %changelog +* Mon Feb 06 2023 Dan Streetman - 1.3.5-5 +- Add patch to fix CVE-2022-3515 * Wed Jan 04 2023 Aadhar Agarwal - 1.3.5-4 - Add patch for CVE-2022-47629 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index cd44e7100d9..2439200aa25 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -152,7 +152,7 @@ mariner-check-macros-1.0-8.cm1.noarch.rpm libassuan-2.5.1-3.cm1.aarch64.rpm libgpg-error-1.32-4.cm1.aarch64.rpm libgcrypt-1.8.7-3.cm1.aarch64.rpm -libksba-1.3.5-4.cm1.aarch64.rpm +libksba-1.3.5-5.cm1.aarch64.rpm npth-1.6-3.cm1.aarch64.rpm pinentry-1.1.0-3.cm1.aarch64.rpm gnupg2-2.2.20-3.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index e460dd7d1d5..6875e4a3998 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
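Review bot: `Patch1: CVE-2022-3515.patch` is declared in libksba.spec, but no hunk touches `%prep`, so whether the patch is actually applied depends on lines not shown. If `%prep` uses `%setup -q` with explicit `%patch0` calls, the new file would ship in the SRPM but never be applied, and the 1.3.5-5 build would still carry the flaw. `%autosetup -p1`, which the tmux and pixman specs in this series switch to, applies every declared patch. The same question applies to `Patch1` in binutils.spec, `Patch0` in mariadb.spec and `Patch16` in unzip.spec. A `%prep` hunk, or a build log line showing the patch being applied, would settle it.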
@@ -152,7 +152,7 @@ mariner-check-macros-1.0-8.cm1.noarch.rpm libassuan-2.5.1-3.cm1.x86_64.rpm libgpg-error-1.32-4.cm1.x86_64.rpm libgcrypt-1.8.7-3.cm1.x86_64.rpm -libksba-1.3.5-4.cm1.x86_64.rpm +libksba-1.3.5-5.cm1.x86_64.rpm npth-1.6-3.cm1.x86_64.rpm pinentry-1.1.0-3.cm1.x86_64.rpm gnupg2-2.2.20-3.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index ed0c401ad1b..c3317c32698 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -193,8 +193,8 @@ libgpg-error-1.32-4.cm1.aarch64.rpm libgpg-error-debuginfo-1.32-4.cm1.aarch64.rpm libgpg-error-devel-1.32-4.cm1.aarch64.rpm libgpg-error-lang-1.32-4.cm1.aarch64.rpm -libksba-1.3.5-4.cm1.aarch64.rpm -libksba-debuginfo-1.3.5-4.cm1.aarch64.rpm +libksba-1.3.5-5.cm1.aarch64.rpm +libksba-debuginfo-1.3.5-5.cm1.aarch64.rpm libltdl-2.4.6-8.cm1.aarch64.rpm libltdl-devel-2.4.6-8.cm1.aarch64.rpm libmpc-1.1.0-5.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 63b55d42a4a..bf0ee78388b 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -193,8 +193,8 @@ libgpg-error-1.32-4.cm1.x86_64.rpm libgpg-error-debuginfo-1.32-4.cm1.x86_64.rpm libgpg-error-devel-1.32-4.cm1.x86_64.rpm libgpg-error-lang-1.32-4.cm1.x86_64.rpm -libksba-1.3.5-4.cm1.x86_64.rpm -libksba-debuginfo-1.3.5-4.cm1.x86_64.rpm +libksba-1.3.5-5.cm1.x86_64.rpm +libksba-debuginfo-1.3.5-5.cm1.x86_64.rpm libltdl-2.4.6-8.cm1.x86_64.rpm libltdl-devel-2.4.6-8.cm1.x86_64.rpm libmpc-1.1.0-5.cm1.x86_64.rpm From a8c68a4dca4311791300b6b9f45c0d396fb92302 Mon Sep 17 00:00:00 2001 
From: Dan Streetman Date: Wed, 8 Feb 2023 10:56:38 -0500 Subject: [PATCH 02/27] CVE-2022-47016 --- SPECS/tmux/CVE-2022-47016.patch | 36 +++++++++++++++++++++++++++++++++ SPECS/tmux/tmux.spec | 9 +++++++-- 2 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 SPECS/tmux/CVE-2022-47016.patch diff --git a/SPECS/tmux/CVE-2022-47016.patch b/SPECS/tmux/CVE-2022-47016.patch new file mode 100644 index 00000000000..7ba3039f33c --- /dev/null +++ b/SPECS/tmux/CVE-2022-47016.patch @@ -0,0 +1,36 @@ +diff -urpN a/cmd-pipe-pane.c b/cmd-pipe-pane.c +--- a/cmd-pipe-pane.c 2018-01-21 11:23:59.000000000 -0500 ++++ b/cmd-pipe-pane.c 2023-02-08 10:53:49.494664404 -0500 +@@ -165,6 +165,8 @@ cmd_pipe_pane_exec(struct cmd *self, str + cmd_pipe_pane_write_callback, + cmd_pipe_pane_error_callback, + wp); ++ if (wp->pipe_event == NULL) ++ fatalx("out of memory"); + if (out) + bufferevent_enable(wp->pipe_event, EV_WRITE); + if (in) +diff -urpN a/job.c b/job.c +--- a/job.c 2018-03-20 03:28:28.000000000 -0400 ++++ b/job.c 2023-02-08 10:52:51.502693393 -0500 +@@ -128,6 +128,8 @@ job_run(const char *cmd, struct session + + job->event = bufferevent_new(job->fd, job_read_callback, + job_write_callback, job_error_callback, job); ++ if (job->event == NULL) ++ fatalx("out of memory"); + bufferevent_enable(job->event, EV_READ|EV_WRITE); + + log_debug("run job %p: %s, pid %ld", job, job->cmd, (long) job->pid); +diff -urpN a/window.c b/window.c +--- a/window.c 2018-03-21 04:13:05.000000000 -0400 ++++ b/window.c 2023-02-08 10:52:19.990708833 -0500 +@@ -1017,6 +1017,8 @@ window_pane_spawn(struct window_pane *wp + + wp->event = bufferevent_new(wp->fd, window_pane_read_callback, NULL, + window_pane_error_callback, wp); ++ if (wp->event == NULL) ++ fatalx("out of memory"); + + bufferevent_setwatermark(wp->event, EV_READ, 0, READ_SIZE); + bufferevent_enable(wp->event, EV_READ|EV_WRITE); diff --git a/SPECS/tmux/tmux.spec b/SPECS/tmux/tmux.spec index 870661a3ea3..2eb745400de 100644 
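Review bot: CVE-2022-47016.patch for tmux carries no provenance header: unlike the libksba, pixman and binutils patches in this series it has no upstream commit id, author or description, only `diff -urpN` output with local timestamps. That makes it hard to audit whether the three `fatalx("out of memory")` checks after `bufferevent_new` match the upstream fix or are a hand-made backport to 2.7. I would prepend a short header such as `Backport of upstream tmux commit <UPSTREAM_COMMIT_ID> to 2.7: check bufferevent_new() for NULL`. The enclosing functions (`cmd_pipe_pane_exec`, `job_run`, `window_pane_spawn`) start and end outside the hunks.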
--- a/SPECS/tmux/tmux.spec +++ b/SPECS/tmux/tmux.spec @@ -1,7 +1,7 @@ Summary: Terminal multiplexer Name: tmux Version: 2.7 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3+ URL: https://tmux.github.io/ Group: Applications/System @@ -9,12 +9,14 @@ Vendor: Microsoft Corporation Distribution: Mariner Source0: https://github.com/tmux/tmux/releases/download/%{version}/%{name}-%{version}.tar.gz %define sha1 tmux=a12bb094bf0baf0275b6d5cc718c938639712e97 +Patch0: CVE-2022-47016.patch Requires: libevent ncurses BuildRequires: libevent-devel ncurses-devel %description Terminal multiplexer %prep -%setup -q +%autosetup -p1 + %build ./configure \ --prefix=%{_prefix} @@ -33,6 +35,9 @@ make %{?_smp_mflags} check /usr/share/* %exclude /usr/src %changelog +* Wed Feb 08 2023 Dan Streetman - 2.7-4 +- CVE-2022-47016 + * Sat May 09 2020 Nick Samson - 2.7-3 - Added %%license line automatically From edfbebcd23769336e404a7656d54231890222ede Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Wed, 8 Feb 2023 11:06:48 -0500 Subject: [PATCH 03/27] Upgrade to 1.9.12p2 for CVE-2023-22809 --- SPECS/sudo/sudo.signatures.json | 2 +- SPECS/sudo/sudo.spec | 5 ++++- cgmanifest.json | 6 +++--- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/sudo/sudo.signatures.json b/SPECS/sudo/sudo.signatures.json index 3ccd11e0695..69b2554d65d 100644 --- a/SPECS/sudo/sudo.signatures.json +++ b/SPECS/sudo/sudo.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "sudo-1.9.12p1.tar.gz": "475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8" + "sudo-1.9.12p2.tar.gz": "b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539" } } diff --git a/SPECS/sudo/sudo.spec b/SPECS/sudo/sudo.spec index f5bbf32429b..4da99bf3db6 100644 --- a/SPECS/sudo/sudo.spec +++ b/SPECS/sudo/sudo.spec @@ -1,6 +1,6 @@ Summary: Sudo Name: sudo -Version: 1.9.12p1 +Version: 1.9.12p2 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws/ 
@@ -92,6 +92,9 @@ rm -rf %{buildroot}/* %exclude /etc/sudoers.dist %changelog +* Wed Feb 08 2023 Dan Streetman - 1.9.12p2-1 +- Upgrade to 1.9.12p2 for CVE-2023-22809 + * Tue Nov 08 2022 Pawel Winogrodzki - 1.9.12p1-1 - Updating to version 1.9.12p1 to fix CVE-2022-43995. * Mon Feb 22 2021 Mateusz Malisz 1.9.5p2-2 diff --git a/cgmanifest.json b/cgmanifest.json index ca031e7e05c..372543a7ffa 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -8186,8 +8186,8 @@ "type": "other", "other": { "name": "sudo", - "version": "1.9.12p1", - "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.12p1.tar.gz" + "version": "1.9.12p2", + "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.12p2.tar.gz" } } }, @@ -8993,4 +8993,4 @@ } ], "Version": 1 -} \ No newline at end of file +} From 4bc5a6549207068e5cd4592f8c9493b9e55b87a6 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Wed, 8 Feb 2023 13:05:34 -0500 Subject: [PATCH 04/27] CVE-2022-44638 --- SPECS/pixman/CVE-2022-44638.patch | 29 +++++++++++++++++++++++++++++ SPECS/pixman/pixman.spec | 9 +++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 SPECS/pixman/CVE-2022-44638.patch diff --git a/SPECS/pixman/CVE-2022-44638.patch b/SPECS/pixman/CVE-2022-44638.patch new file mode 100644 index 00000000000..29804fca86e --- /dev/null +++ b/SPECS/pixman/CVE-2022-44638.patch 
@@ -0,0 +1,29 @@ +From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001 +From: Matt Turner +Date: Wed, 2 Nov 2022 12:07:32 -0400 +Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write + +Thanks to Maddie Stone and Google's Project Zero for discovering this +issue, providing a proof-of-concept, and a great analysis. + +Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 +--- + pixman/pixman-trap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c +index 91766fd..7560405 100644 +--- a/pixman/pixman-trap.c ++++ b/pixman/pixman-trap.c +@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, + + if (f < Y_FRAC_FIRST (n)) + { +- if (pixman_fixed_to_int (i) == 0x8000) ++ if (pixman_fixed_to_int (i) == 0xffff8000) + { + f = 0; /* saturate */ + } +-- +GitLab + diff --git a/SPECS/pixman/pixman.spec b/SPECS/pixman/pixman.spec index ad0ae469892..4a03076f00c 100644 --- a/SPECS/pixman/pixman.spec +++ b/SPECS/pixman/pixman.spec @@ -1,10 +1,11 @@ Summary: pixel manipulation library. Name: pixman Version: 0.36.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT URL: https://cgit.freedesktop.org/pixman/ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2 +Patch0: CVE-2022-44638.patch Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner @@ -22,7 +23,8 @@ Provides: pkgconfig(pixman-1) It contains the libraries and header files to create applications %prep -%setup -q +%autosetup -p1 + %build ./configure \ --prefix=%{_prefix} \ @@ -57,6 +59,9 @@ make %{?_smp_mflags} -k check %{_libdir}/pkgconfig/*.pc %changelog +* Wed Feb 08 2023 Dan Streetman - 0.36.0-3 +- CVE-2022-44638 + * Sat May 09 2020 Nick Samson - 0.36.0-2 - Added %%license line automatically From 8479a42e877f5c525f89527c8ad5805e8d57220a Mon Sep 17 00:00:00 2001 
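Review bot: The new comparison `pixman_fixed_to_int (i) == 0xffff8000` in `pixman_sample_floor_y` depends on an implicit signed-to-unsigned conversion that nothing in the code explains. If `pixman_fixed_to_int` yields a signed int (the macro is outside the hunk), the most negative integer part is -32768, which equals `0xffff8000` only after conversion to a 32-bit unsigned int; the old constant `0x8000` could never match it, so the saturation branch was skipped. A comment such as `/* integer part is -32768 here; it compares equal to 0xffff8000 after conversion to unsigned */` would keep a later cleanup from changing the constant back. The function starts and ends outside the hunk.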
From: Dan Streetman Date: Thu, 9 Feb 2023 08:20:43 -0500 Subject: [PATCH 05/27] CVE-2022-4285 --- SPECS/binutils/CVE-2022-4285.patch | 32 +++++++++++++++++++ SPECS/binutils/binutils.spec | 6 +++- .../manifests/package/pkggen_core_aarch64.txt | 4 +-- .../manifests/package/pkggen_core_x86_64.txt | 4 +-- .../manifests/package/toolchain_aarch64.txt | 6 ++-- .../manifests/package/toolchain_x86_64.txt | 6 ++-- 6 files changed, 47 insertions(+), 11 deletions(-) create mode 100644 SPECS/binutils/CVE-2022-4285.patch diff --git a/SPECS/binutils/CVE-2022-4285.patch b/SPECS/binutils/CVE-2022-4285.patch new file mode 100644 index 00000000000..05f08099f2e --- /dev/null +++ b/SPECS/binutils/CVE-2022-4285.patch @@ -0,0 +1,32 @@ +From 5c831a3c7f3ca98d6aba1200353311e1a1f84c70 Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Wed, 19 Oct 2022 15:09:12 +0100 +Subject: [PATCH] Fix an illegal memory access when parsing an ELF file + containing corrupt symbol version information. + + PR 29699 + * elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field + of the section header is zero. +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/bfd/elf.c b/bfd/elf.c +index fe00e0f9189..7cd7febcf95 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -8730,7 +8730,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verref; + } +- elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_alloc (abfd, amt); ++ if (amt == 0) ++ goto error_return_verref; ++ elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verref == NULL) + goto error_return_verref; + +-- +2.31.1 + diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec index b836adce3c5..7b1c12cdc74 100644 --- a/SPECS/binutils/binutils.spec +++ b/SPECS/binutils/binutils.spec 
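Review bot: The new `if (amt == 0) goto error_return_verref;` branch in `_bfd_elf_slurp_version_tables` leaves without setting a BFD error, while the branch directly above it calls `bfd_set_error (bfd_error_file_too_big)` before the same `goto`. Callers that report the BFD error may then show a stale or empty reason for a file with a zero `sh_info`; setting one first, e.g. `bfd_set_error (bfd_error_bad_value);`, would make the rejection visible, although that deviates from the upstream patch text. Separately, the hunk header shows a `bool` parameter, which suggests the patch was generated against a newer tree than 2.36.1, so it is worth confirming in the build log that it applies at the intended place rather than with fuzz. The patch's own diffstat lists `bfd/ChangeLog`, but only the `bfd/elf.c` hunk is included. The function body lies outside the hunk.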
@@ -1,7 +1,7 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils Version: 2.36.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -9,6 +9,7 @@ Group: System Environment/Base URL: https://www.gnu.org/software/binutils Source0: https://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz Patch0: CVE-2021-45078.patch +Patch1: CVE-2022-4285.patch %description The Binutils package contains a linker, an assembler, @@ -119,6 +120,9 @@ make %{?_smp_mflags} check %{_libdir}/libctf.so.0.* %changelog +* Thu Feb 09 2023 Dan Streetman 2.36.1-3 +- CVE-2022-4285 + * Thu Dec 23 2021 Muhammad Falak 2.36.1-2 - Fix CVE-2021-45078 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 2439200aa25..d758d68b726 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -12,8 +12,8 @@ zlib-devel-1.2.12-2.cm1.aarch64.rpm file-5.38-1.cm1.aarch64.rpm file-devel-5.38-1.cm1.aarch64.rpm file-libs-5.38-1.cm1.aarch64.rpm -binutils-2.36.1-2.cm1.aarch64.rpm -binutils-devel-2.36.1-2.cm1.aarch64.rpm +binutils-2.36.1-3.cm1.aarch64.rpm +binutils-devel-2.36.1-3.cm1.aarch64.rpm gmp-6.1.2-6.cm1.aarch64.rpm gmp-devel-6.1.2-6.cm1.aarch64.rpm mpfr-4.0.1-3.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 6875e4a3998..0724e3c3590 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -12,8 +12,8 @@ zlib-devel-1.2.12-2.cm1.x86_64.rpm file-5.38-1.cm1.x86_64.rpm file-devel-5.38-1.cm1.x86_64.rpm file-libs-5.38-1.cm1.x86_64.rpm -binutils-2.36.1-2.cm1.x86_64.rpm -binutils-devel-2.36.1-2.cm1.x86_64.rpm +binutils-2.36.1-3.cm1.x86_64.rpm +binutils-devel-2.36.1-3.cm1.x86_64.rpm gmp-6.1.2-6.cm1.x86_64.rpm gmp-devel-6.1.2-6.cm1.x86_64.rpm mpfr-4.0.1-3.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index c3317c32698..2fefcabd71f 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -13,9 +13,9 @@ bash-4.4.23-1.cm1.aarch64.rpm bash-debuginfo-4.4.23-1.cm1.aarch64.rpm bash-devel-4.4.23-1.cm1.aarch64.rpm bash-lang-4.4.23-1.cm1.aarch64.rpm -binutils-2.36.1-2.cm1.aarch64.rpm -binutils-debuginfo-2.36.1-2.cm1.aarch64.rpm -binutils-devel-2.36.1-2.cm1.aarch64.rpm +binutils-2.36.1-3.cm1.aarch64.rpm +binutils-debuginfo-2.36.1-3.cm1.aarch64.rpm +binutils-devel-2.36.1-3.cm1.aarch64.rpm bison-3.1-4.cm1.aarch64.rpm bison-debuginfo-3.1-4.cm1.aarch64.rpm bzip2-1.0.6-15.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index bf0ee78388b..661ad251b7f 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -13,9 +13,9 @@ bash-4.4.23-1.cm1.x86_64.rpm bash-debuginfo-4.4.23-1.cm1.x86_64.rpm bash-devel-4.4.23-1.cm1.x86_64.rpm bash-lang-4.4.23-1.cm1.x86_64.rpm -binutils-2.36.1-2.cm1.x86_64.rpm -binutils-debuginfo-2.36.1-2.cm1.x86_64.rpm -binutils-devel-2.36.1-2.cm1.x86_64.rpm +binutils-2.36.1-3.cm1.x86_64.rpm +binutils-debuginfo-2.36.1-3.cm1.x86_64.rpm +binutils-devel-2.36.1-3.cm1.x86_64.rpm bison-3.1-4.cm1.x86_64.rpm bison-debuginfo-3.1-4.cm1.x86_64.rpm bzip2-1.0.6-15.cm1.x86_64.rpm 
From 33d88d329e8d572ad21dbc67286e18d7be1d38c6 Mon Sep 17 00:00:00 2001
From: rlmenge
Date: Fri, 10 Feb 2023 11:28:17 -0800
Subject: [PATCH 06/27] Nopatch hyperv-daemons for CVE-2023-0266, CVE-2022-0742, CVE-2022-27666 (#4818)
---
 SPECS/hyperv-daemons/CVE-2022-0742.nopatch | 3 +++
 SPECS/hyperv-daemons/CVE-2022-27666.nopatch | 3 +++
 SPECS/hyperv-daemons/CVE-2023-0266.nopatch | 4 ++++
 3 files changed, 10 insertions(+)
 create mode 100644 SPECS/hyperv-daemons/CVE-2022-0742.nopatch
 create mode 100644 SPECS/hyperv-daemons/CVE-2022-27666.nopatch
 create mode 100644 SPECS/hyperv-daemons/CVE-2023-0266.nopatch
diff --git a/SPECS/hyperv-daemons/CVE-2022-0742.nopatch b/SPECS/hyperv-daemons/CVE-2022-0742.nopatch
new file mode 100644
index 00000000000..b07624d8537
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2022-0742.nopatch
@@ -0,0 +1,3 @@
+CVE-2023-0742 - Introducing commit not present (5.10.167.1)
+Introducing commit: f185de28d9ae6c978135993769352e523ee8df06
+Upstream fix commit: 2d3916f3189172d5c69d33065c3c21119fe539fc
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2022-27666.nopatch b/SPECS/hyperv-daemons/CVE-2022-27666.nopatch
new file mode 100644
index 00000000000..82592fb08b1
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2022-27666.nopatch
@@ -0,0 +1,3 @@
+CVE-2022-27666 - fix present in 5.10.109 kernel
+Upstream: ebe48d368e97d007bfeb76fcb065d6cfc4c96645
+Stable: 9248694dac20eda06e22d8503364dc9d03df4e2f
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/CVE-2023-0266.nopatch b/SPECS/hyperv-daemons/CVE-2023-0266.nopatch
new file mode 100644
index 00000000000..0339ed0fd97
--- /dev/null
+++ b/SPECS/hyperv-daemons/CVE-2023-0266.nopatch
@@ -0,0 +1,4 @@
+CVE-2023-0266 - patched in 5.10.167.1
+Upstream: 56b88b50565cd8b946a2d00b0c83927b7ebb055e
+Upstream: 1fa4445f9adf19a3028ce0e8f375bac75214fc10
+Stable (combination of above): df02234e6b87d2a9a82acd3198e44bdeff8488c6
\ No newline at end of file
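Review bot: The first line of CVE-2022-0742.nopatch reads `CVE-2023-0742`, which does not match the file name or the commit subject; both say CVE-2022-0742. Anyone auditing the exception from the file body would record it against a different identifier than the one the file is meant to waive. The line should read `CVE-2022-0742 - Introducing commit not present (5.10.167.1)`.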
From 1d062c069bf5982c3fb1a7cce5e0726d5f478000 Mon Sep 17 00:00:00 2001
From: rlmenge
Date: Fri, 10 Feb 2023 11:28:39 -0800
Subject: [PATCH 07/27] Nopatch kernel to address CVE-2023-0266 (#4820)
---
 SPECS/kernel/CVE-2023-0266.nopatch | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 SPECS/kernel/CVE-2023-0266.nopatch
diff --git a/SPECS/kernel/CVE-2023-0266.nopatch b/SPECS/kernel/CVE-2023-0266.nopatch
new file mode 100644
index 00000000000..0339ed0fd97
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-0266.nopatch
@@ -0,0 +1,4 @@
+CVE-2023-0266 - patched in 5.10.167.1
+Upstream: 56b88b50565cd8b946a2d00b0c83927b7ebb055e
+Upstream: 1fa4445f9adf19a3028ce0e8f375bac75214fc10
+Stable (combination of above): df02234e6b87d2a9a82acd3198e44bdeff8488c6
\ No newline at end of file
From 6ad7071e5fbd50c57b85dbe5fc136be8d00d6f16 Mon Sep 17 00:00:00 2001
From: Dan Streetman
Date: Mon, 13 Feb 2023 09:46:41 -0500
Subject: [PATCH 08/27] CVE-2022-47015 (#4831)
---
 SPECS/mariadb/CVE-2022-47015.patch | 271 +++++++++++++++++++++++++++++
 SPECS/mariadb/mariadb.spec | 6 +-
 2 files changed, 276 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/mariadb/CVE-2022-47015.patch
diff --git a/SPECS/mariadb/CVE-2022-47015.patch b/SPECS/mariadb/CVE-2022-47015.patch
new file mode 100644
index 00000000000..a499337bff9
--- /dev/null
+++ b/SPECS/mariadb/CVE-2022-47015.patch
@@ -0,0 +1,271 @@ +From 9b32e4b192303421ca26625153ae1190429e307f Mon Sep 17 00:00:00 2001 +From: Nayuta Yanagisawa +Date: Tue, 27 Sep 2022 15:22:57 +0900 +Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in + spider_db_mbase::print_warnings() + +The function spider_db_mbase::print_warnings() can potentially result +in a null pointer dereference. + +Remove the null pointer dereference by cleaning up the function. + +Some small changes to the original commit +422fb63a9bbee35c50b6c7be19d199afe0bc98fa. + +Co-Authored-By: Yuchen Pei +--- + .../spider/bugfix/r/mdev_29644.result | 41 +++++++++ + .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 + + .../spider/bugfix/t/mdev_29644.test | 56 ++++++++++++ + storage/spider/spd_db_mysql.cc | 88 ++++++++----------- + storage/spider/spd_db_mysql.h | 4 +- + 5 files changed, 136 insertions(+), 56 deletions(-) + create mode 100644 storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result + create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf + create mode 100644 storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test + +diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result +new file mode 100644 +index 00000000000..b52cecc5bb7 +--- /dev/null ++++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_29644.result +@@ -0,0 +1,41 @@ ++# ++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++# ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 ++connection child2_1; ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++CREATE TABLE tbl_a ( ++a CHAR(5) ++) ENGINE=InnoDB DEFAULT CHARSET=utf8; ++SET GLOBAL sql_mode=''; ++connection master_1; ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++CREATE TABLE tbl_a ( ++a CHAR(255) ++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"'; ++SET sql_mode=''; ++INSERT INTO 
tbl_a VALUES ("this will be truncated"); ++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++SET GLOBAL spider_log_result_errors=4; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++connection master_1; ++SET GLOBAL spider_log_result_errors=DEFAULT; ++SET sql_mode=DEFAULT; ++DROP DATABASE IF EXISTS auto_test_local; ++connection child2_1; ++SET GLOBAL sql_mode=DEFAULT; ++DROP DATABASE IF EXISTS auto_test_remote; ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 +diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +new file mode 100644 +index 00000000000..05dfd8a0bce +--- /dev/null ++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +@@ -0,0 +1,3 @@ ++!include include/default_mysqld.cnf ++!include ../my_1_1.cnf ++!include ../my_2_1.cnf +diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test +new file mode 100644 +index 00000000000..3a8fbb251e1 +--- /dev/null ++++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_29644.test +@@ -0,0 +1,56 @@ ++--echo # ++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++--echo # ++ ++# The test case below does not cause the potential null pointer dereference. ++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works. 
++ ++--disable_query_log ++--disable_result_log ++--source ../../t/test_init.inc ++--enable_result_log ++--enable_query_log ++ ++--connection child2_1 ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++eval CREATE TABLE tbl_a ( ++ a CHAR(5) ++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET; ++ ++SET GLOBAL sql_mode=''; ++ ++--connection master_1 ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++eval CREATE TABLE tbl_a ( ++ a CHAR(255) ++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"'; ++ ++SET sql_mode=''; ++ ++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err; ++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should not find ++ ++SET GLOBAL spider_log_result_errors=4; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should find ++ ++--connection master_1 ++SET GLOBAL spider_log_result_errors=DEFAULT; ++SET sql_mode=DEFAULT; ++DROP DATABASE IF EXISTS auto_test_local; ++ ++--connection child2_1 ++SET GLOBAL sql_mode=DEFAULT; ++DROP DATABASE IF EXISTS auto_test_remote; ++ ++--disable_query_log ++--disable_result_log ++--source ../t/test_deinit.inc ++--enable_query_log ++--enable_result_log +diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc +index e942d1d9063..b1c222d193a 100644 +--- a/storage/spider/spd_db_mysql.cc ++++ b/storage/spider/spd_db_mysql.cc +@@ -2090,7 +2090,7 @@ int spider_db_mbase::exec_query( + db_conn->affected_rows, db_conn->insert_id, + db_conn->server_status, db_conn->warning_count); + if (spider_param_log_result_errors() >= 3) +- print_warnings(l_time); ++ fetch_and_print_warnings(l_time); + } else if (log_result_errors >= 4) + { + time_t cur_time = (time_t) time((time_t*) 0); +@@ -2172,61 +2172,43 @@ bool spider_db_mbase::is_xa_nota_error( + DBUG_RETURN(xa_nota); + } + 
+-void spider_db_mbase::print_warnings( +- struct tm *l_time +-) { +- DBUG_ENTER("spider_db_mbase::print_warnings"); +- DBUG_PRINT("info",("spider this=%p", this)); +- if (db_conn->status == MYSQL_STATUS_READY) ++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time) ++{ ++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings"); ++ ++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY || ++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) ++ DBUG_VOID_RETURN; ++ ++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, ++ SPIDER_SQL_SHOW_WARNINGS_LEN)) ++ DBUG_VOID_RETURN; ++ ++ MYSQL_RES *res= mysql_store_result(db_conn); ++ if (!res) ++ DBUG_VOID_RETURN; ++ ++ uint num_fields= mysql_num_fields(res); ++ if (num_fields != 3) + { +-#if MYSQL_VERSION_ID < 50500 +- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#else +- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#endif +- { +- if ( +- spider_param_dry_access() || +- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, +- SPIDER_SQL_SHOW_WARNINGS_LEN) +- ) { +- MYSQL_RES *res = NULL; +- MYSQL_ROW row = NULL; +- uint num_fields; +- if ( +- spider_param_dry_access() || +- !(res = mysql_store_result(db_conn)) || +- !(row = mysql_fetch_row(res)) +- ) { +- if (mysql_errno(db_conn)) +- { +- if (res) +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- /* no record is ok */ +- } +- num_fields = mysql_num_fields(res); +- if (num_fields != 3) +- { +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- while (row) +- { +- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] " +- "from [%s] %ld to %ld: %s %s %s\n", ++ mysql_free_result(res); ++ DBUG_VOID_RETURN; ++ } ++ ++ MYSQL_ROW row= mysql_fetch_row(res); ++ while (row) ++ { ++ fprintf(stderr, ++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld " ++ "to %ld: %s %s %s\n", + l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday, +- l_time->tm_hour, 
l_time->tm_min, l_time->tm_sec, +- conn->tgt_host, (ulong) db_conn->thread_id, +- (ulong) current_thd->thread_id, row[0], row[1], row[2]); +- row = mysql_fetch_row(res); +- } +- if (res) +- mysql_free_result(res); +- } +- } ++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host, ++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0], ++ row[1], row[2]); ++ row= mysql_fetch_row(res); + } ++ mysql_free_result(res); ++ + DBUG_VOID_RETURN; + } + +diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h +index 4d5327b7533..576162b2b55 100644 +--- a/storage/spider/spd_db_mysql.h ++++ b/storage/spider/spd_db_mysql.h +@@ -392,9 +392,7 @@ class spider_db_mbase: public spider_db_conn + bool is_xa_nota_error( + int error_num + ); +- void print_warnings( +- struct tm *l_time +- ); ++ void fetch_and_print_warnings(struct tm *l_time); + spider_db_result *store_result( + spider_db_result_buffer **spider_res_buf, + st_spider_db_request_key *request_key, +-- +2.34.1 + diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index 5094c4eee0d..da4a574899f 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -1,7 +1,7 @@ Summary: Database servers made by the original developers of MySQL. Name: mariadb Version: 10.3.36 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 WITH exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -12,6 +12,7 @@ Group: Applications/Databases URL: https://mariadb.org/ Source0: https://github.com/MariaDB/server/archive/%{name}-%{version}.tar.gz +Patch0: CVE-2022-47015.patch BuildRequires: cmake BuildRequires: curl-devel BuildRequires: e2fsprogs-devel @@ -372,6 +373,9 @@ rm -rf %{buildroot} %{_datadir}/mysql/hindi/errmsg.sys %changelog +* Fri Feb 10 2023 Dan Streetman - 10.3.36-2 +- CVE-2022-47015 + * Mon Sep 26 2022 Aadhar Agarwal - 10.3.36-1 - Upgrade to 10.3.36 to fix 3 CVEs: - CVE-2018-25032, CVE-2022-32091, CVE-2022-38791 
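Review bot: In the new `fetch_and_print_warnings`, `row[0]`, `row[1]` and `row[2]` go straight into the `%s` conversions of `fprintf`, and only the column count is checked. A column value that is SQL NULL arrives as a NULL pointer in a `MYSQL_ROW`, and the reply comes from the remote server behind `db_conn`, so I would guard each one, for example `row[0] ? row[0] : "NULL"`. The added mdev_29644.test also states that it does not reach the original null-pointer path, so the fixed case itself stays untested. The call site in `exec_query` continues outside its hunk.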
From aa2bcf110cc8648465f5fff50c882846386c0549 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Mon, 13 Feb 2023 09:51:08 -0500 Subject: [PATCH 09/27] CVE-2021-4217 (#4827) --- SPECS/unzip/CVE-2021-4217.patch | 55 +++++++++++++++++++ SPECS/unzip/unzip.spec | 6 +- .../manifests/package/toolchain_aarch64.txt | 4 +- .../manifests/package/toolchain_x86_64.txt | 4 +- 4 files changed, 64 insertions(+), 5 deletions(-) create mode 100644 SPECS/unzip/CVE-2021-4217.patch diff --git a/SPECS/unzip/CVE-2021-4217.patch b/SPECS/unzip/CVE-2021-4217.patch new file mode 100644 index 00000000000..ff6bf7ae415 --- /dev/null +++ b/SPECS/unzip/CVE-2021-4217.patch 
@@ -0,0 +1,55 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data +Reference: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/comments/7 + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/fileio.c b/fileio.c +index 6290824..95ea68b 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +diff --git a/process.c b/process.c +index d2a846e..cba2463 100644 +--- a/process.c ++++ b/process.c +@@ -2054,10 +2054,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + * Compute 32-bit crc + */ +- + chksum = crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + +-- +2.25.1 + diff --git a/SPECS/unzip/unzip.spec b/SPECS/unzip/unzip.spec index 0bf9fd001c4..ab1e23a46ee 100644 --- a/SPECS/unzip/unzip.spec +++ b/SPECS/unzip/unzip.spec 
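Review bot: The short-read path added in `do_string` returns `PK_ERR` while `G.extra_field` still points at a buffer whose tail was never written. Nothing in the hunk releases or clears it, so any later reader of `G.extra_field` would still see the uninitialized bytes the patch is meant to keep out of use. If the buffer is heap-allocated in the part of the function outside the hunk, `free(G.extra_field); G.extra_field = NULL;` before `return PK_ERR;` would close that. Whether callers stop on `PK_ERR` before touching the field cannot be told from here. Both `do_string` and `getUnicodeData` continue outside their hunks.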
@@ -1,7 +1,7 @@ Summary: Unzip-6.0 Name: unzip Version: 6.0 -Release: 18%{?dist} +Release: 19%{?dist} License: BSD URL: http://infozip.sourceforge.net/UnZip.html Source0: https://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -27,6 +27,7 @@ Patch13: CVE-2015-7697.patch Patch14: CVE-2018-1000035.patch # Upstream has fixed CVE-2008-0888 in 6.0 Patch15: CVE-2008-0888.nopatch +Patch16: CVE-2021-4217.patch %description The UnZip package contains ZIP extraction utilities. These are useful @@ -69,6 +70,9 @@ make %{?_smp_mflags} check %{_bindir}/* %changelog +* Fri Feb 10 2023 Dan Streetman 6.0-19 +- CVE-2021-4217 + * Fri Oct 23 2020 Nick Samson 6.0-18 - Renamed patch files for CVE-2019-13232 and CVE-2018-18384 to ensure detection by CVE tooling * Thu Oct 22 2020 Nicolas Ontiveros 6.0-17 diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 2fefcabd71f..ccc7c536383 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -407,8 +407,8 @@ tdnf-plugin-repogpgcheck-2.1.0-7.cm1.aarch64.rpm tdnf-python-2.1.0-7.cm1.aarch64.rpm texinfo-6.5-7.cm1.aarch64.rpm texinfo-debuginfo-6.5-7.cm1.aarch64.rpm -unzip-6.0-18.cm1.aarch64.rpm -unzip-debuginfo-6.0-18.cm1.aarch64.rpm +unzip-6.0-19.cm1.aarch64.rpm +unzip-debuginfo-6.0-19.cm1.aarch64.rpm util-linux-2.32.1-7.cm1.aarch64.rpm util-linux-debuginfo-2.32.1-7.cm1.aarch64.rpm util-linux-devel-2.32.1-7.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 661ad251b7f..c613312df0a 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
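Review bot: `Patch16: CVE-2021-4217.patch` is declared in the second unzip.spec hunk, but none of the three hunks touches `%prep`. The diffstat for the spec accounts only for the Release, Patch16 and changelog lines. If `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`, the CVE fix ships in the source package but is never applied to the build. `%prep` is outside the visible hunks, so this needs checking, with a `%patch16 -p1` line added if it lists patches explicitly. The same check applies to `Patch1: CVE-2022-43552.patch` in the curl.spec hunk later in this series.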
@@ -407,8 +407,8 @@ tdnf-plugin-repogpgcheck-2.1.0-7.cm1.x86_64.rpm tdnf-python-2.1.0-7.cm1.x86_64.rpm texinfo-6.5-7.cm1.x86_64.rpm texinfo-debuginfo-6.5-7.cm1.x86_64.rpm -unzip-6.0-18.cm1.x86_64.rpm -unzip-debuginfo-6.0-18.cm1.x86_64.rpm +unzip-6.0-19.cm1.x86_64.rpm +unzip-debuginfo-6.0-19.cm1.x86_64.rpm util-linux-2.32.1-7.cm1.x86_64.rpm util-linux-debuginfo-2.32.1-7.cm1.x86_64.rpm util-linux-devel-2.32.1-7.cm1.x86_64.rpm From 7b43f14eedc07b457bc48c5b694777b145749148 Mon Sep 17 00:00:00 2001 From: jslobodzian Date: Tue, 14 Feb 2023 17:18:33 -0800 Subject: [PATCH 10/27] Bump Release for Mariner 1.0 Feb Update 2 (#4855) --- SPECS/mariner-release/mariner-release.spec | 4 +++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index c03d44aa1d5..d3017463c6e 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 55%{?dist} +Release: 56%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner @@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Tue Feb 14 2023 Jon Slobodzian - 1.0-56 +- Updating version for February update 2. * Tue Feb 07 2023 Jon Slobodzian - 1.0-55 - Updating version for February update. * Fri Jan 20 2023 Riken Maharjan - 1.0-54 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index d758d68b726..a09f033f590 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.aarch64.rpm gettext-0.19.8.1-5.cm1.aarch64.rpm gzip-1.12-1.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm -mariner-release-1.0-55.cm1.noarch.rpm +mariner-release-1.0-56.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-7.cm1.aarch64.rpm util-linux-devel-2.32.1-7.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 0724e3c3590..8265822e60b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.x86_64.rpm gettext-0.19.8.1-5.cm1.x86_64.rpm gzip-1.12-1.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm -mariner-release-1.0-55.cm1.noarch.rpm +mariner-release-1.0-56.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-7.cm1.x86_64.rpm util-linux-devel-2.32.1-7.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index ccc7c536383..e4438f64377 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm make-debuginfo-4.2.1-5.cm1.aarch64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-55.cm1.noarch.rpm +mariner-release-1.0-56.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c613312df0a..db4589d30d7 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm make-debuginfo-4.2.1-5.cm1.x86_64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-55.cm1.noarch.rpm +mariner-release-1.0-56.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm From c6e41408046aff08d44559a2b96ab81c14247ee7 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:43:45 -0800 Subject: [PATCH 11/27] [AUTOPATCHER-CORE] Upgrade bind to 9.16.37 to fix CVE-2022-3736, CVE-2022-3094, CVE-2022-3924 - (#4850) CVE-2022-3736, CVE-2022-3094, CVE-2022-3924 --- SPECS/bind/bind.signatures.json | 2 +- SPECS/bind/bind.spec | 45 +++++++++++++++++++-------------- cgmanifest.json | 6 ++--- 3 files changed, 30 insertions(+), 23 deletions(-) diff --git a/SPECS/bind/bind.signatures.json b/SPECS/bind/bind.signatures.json index b56d2c31d76..836ec2f6cc9 100644 --- a/SPECS/bind/bind.signatures.json +++ b/SPECS/bind/bind.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "bind-9.16.33.tar.xz": "ec4fbea4b2e368d1824971509e33fa159224ad14b436034c6bcd46104c328d91" + "bind-9.16.37.tar.xz": "0e4661d522a2fe1f111c1f0685e7d6993d657f81dae24e7a75dbd8db3ef2e2ab" } } \ No newline at end of file diff --git a/SPECS/bind/bind.spec b/SPECS/bind/bind.spec index 2e2d523cb36..08d660d9d08 100644 --- a/SPECS/bind/bind.spec +++ b/SPECS/bind/bind.spec 
@@ -1,24 +1,26 @@ Summary: Domain Name System software Name: bind -Version: 9.16.33 +Version: 9.16.37 Release: 1%{?dist} License: ISC +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Development/Tools URL: https://www.isc.org/downloads/bind/ Source0: https://ftp.isc.org/isc/bind9/%{version}/%{name}-%{version}.tar.xz # CVE-2019-6470 is fixed by updating the dhcp package to 4.4.1 or greater Patch0: CVE-2019-6470.nopatch -Group: Development/Tools -Vendor: Microsoft Corporation -Distribution: Mariner -Requires: openssl -Requires: libuv -Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd -Requires(postun):/usr/sbin/userdel /usr/sbin/groupdel -BuildRequires: openssl-devel BuildRequires: libcap-devel -BuildRequires: python3 -BuildRequires: python-ply BuildRequires: libuv-devel +BuildRequires: openssl-devel +BuildRequires: python-ply +BuildRequires: python3 +Requires: libuv +Requires: openssl +Requires(postun): %{_sbindir}/groupdel +Requires(postun): %{_sbindir}/userdel +Requires(pre): %{_sbindir}/groupadd +Requires(pre): %{_sbindir}/useradd # Enforce fix for CVE-2019-6470 Conflicts: dhcp < 4.4.1 @@ -28,13 +30,14 @@ for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. %package utils -Summary: BIND utilities +Summary: BIND utilities + %description utils %{summary}. - %prep %autosetup -p1 + %build ./configure \ --prefix=%{_prefix} 
@@ -44,29 +47,30 @@ make -C lib/bind9 %{?_smp_mflags} make -C lib/isccfg %{?_smp_mflags} make -C lib/irs %{?_smp_mflags} make -C bin/dig %{?_smp_mflags} + %install make -C bin/dig DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print mkdir -p %{buildroot}/%{_sysconfdir} -mkdir -p %{buildroot}/%{_prefix}/lib/tmpfiles.d +mkdir -p %{buildroot}/%{_libdir}/tmpfiles.d cat << EOF >> %{buildroot}/%{_sysconfdir}/named.conf zone "." in { type master; allow-update {none;}; // no DDNS by default }; EOF -echo "d /run/named 0755 named named - -" > %{buildroot}/%{_prefix}/lib/tmpfiles.d/named.conf +echo "d /run/named 0755 named named - -" > %{buildroot}/%{_libdir}/tmpfiles.d/named.conf %pre if ! getent group named >/dev/null; then groupadd -r named fi if ! getent passwd named >/dev/null; then - useradd -g named -d /var/lib/bind\ + useradd -g named -d %{_sharedstatedir}/bind\ -s /bin/false -M -r named fi -%post -p /sbin/ldconfig +%post -p /sbin/ldconfig %postun /sbin/ldconfig if getent passwd named >/dev/null; then @@ -81,9 +85,12 @@ fi %license LICENSE %{_bindir}/* %{_sysconfdir}/* -%{_prefix}/lib/tmpfiles.d/named.conf +%{_libdir}/tmpfiles.d/named.conf %changelog +* Mon Feb 13 2023 CBL-Mariner Servicing Account - 9.16.37-1 +- Auto-upgrade to 9.16.37 - to fix CVE-2022-3736, CVE-2022-3094, CVE-2022-3924 + * Mon Nov 14 2022 CBL-Mariner Servicing Account - 9.16.33-1 - Auto-upgrade to 9.16.33 - CVE-2022-2795,CVE-2022-3080 diff --git a/cgmanifest.json b/cgmanifest.json index 372543a7ffa..a5781e73347 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -346,8 +346,8 @@ "type": "other", "other": { "name": "bind", - "version": "9.16.33", - "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.33/bind-9.16.33.tar.xz" + "version": "9.16.37", + "downloadUrl": "https://ftp.isc.org/isc/bind9/9.16.37/bind-9.16.37.tar.xz" } } }, @@ -8993,4 +8993,4 @@ } ], "Version": 1 -} +} \ No newline at end of file 
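Review bot: The tmpfiles.d snippet is now written to and packaged from `%{_libdir}/tmpfiles.d` instead of `%{_prefix}/lib/tmpfiles.d`, in both `%install` and `%files`. systemd-tmpfiles reads `/usr/lib/tmpfiles.d`, so on any target where `%{_libdir}` expands to a `lib64` path the `d /run/named 0755 named named` entry would be silently ignored and the runtime directory would not be created with the intended owner and mode. Whether that happens here depends on the distribution's macro definitions, which the hunk does not show. Keeping `%{_prefix}/lib/tmpfiles.d/named.conf`, or using `%{_tmpfilesdir}/named.conf` if the build root defines that macro, removes the dependency on the library directory. The `useradd -d %{_sharedstatedir}/bind` change in `%pre` should likewise be confirmed to still expand to `/var/lib/bind`, since it sets the service account's home directory.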
From 43d09713c9b150a2b55a3bb07d02d61261789254 Mon Sep 17 00:00:00 2001 From: Dallas Delaney <106280731+dallasd1@users.noreply.github.com> Date: Wed, 15 Feb 2023 09:45:25 -0800 Subject: [PATCH 12/27] Patch curl to resolve CVE-2022-43552 (#4847) CVE-2022-43552 --- SPECS/curl/CVE-2022-43552.patch | 94 +++++++++++++++++++ SPECS/curl/curl.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 6 +- .../manifests/package/pkggen_core_x86_64.txt | 6 +- .../manifests/package/toolchain_aarch64.txt | 8 +- .../manifests/package/toolchain_x86_64.txt | 8 +- 6 files changed, 113 insertions(+), 15 deletions(-) create mode 100644 SPECS/curl/CVE-2022-43552.patch diff --git a/SPECS/curl/CVE-2022-43552.patch b/SPECS/curl/CVE-2022-43552.patch new file mode 100644 index 00000000000..9fc8447b355 --- /dev/null +++ b/SPECS/curl/CVE-2022-43552.patch 
@@ -0,0 +1,94 @@ +From f3b4c5edf97c157a8ad3727827d1ac94062cfff8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 7 Nov 2022 17:09:48 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 2cfe041df..48d5a2fe0 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -56,12 +56,10 @@ static CURLcode smb_setup_connection(struct Curl_easy *data, + struct connectdata *conn); + static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, + curl_socket_t *socks); + static CURLcode smb_parse_url_path(struct Curl_easy *data, +@@ -72,11 +70,11 @@ static CURLcode smb_parse_url_path(struct Curl_easy *data, + */ + const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ + smb_request_state, /* doing */ + smb_getsock, /* proto_getsock */ +@@ -99,11 +97,11 @@ const struct Curl_handler Curl_handler_smb = { + */ + const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + 
smb_connection_state, /* connecting */ + smb_request_state, /* doing */ + smb_getsock, /* proto_getsock */ +@@ -934,18 +932,10 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + request_state(data, next_state); + + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { + struct smb_conn *smbc = &conn->proto.smbc; + (void) dead; +diff --git a/lib/telnet.c b/lib/telnet.c +index 24d3f1efb..22bc81e75 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1246,13 +1246,10 @@ static CURLcode telnet_done(struct Curl_easy *data, + if(!tn) + return CURLE_OK; + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + + static CURLcode telnet_do(struct Curl_easy *data, bool *done) + { +-- +2.38.1 + diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec index 7b272986193..bfc6d22286b 100644 --- a/SPECS/curl/curl.spec +++ b/SPECS/curl/curl.spec @@ -2,7 +2,7 @@ Summary: An URL retrieval utility and library Name: curl # Heads up: 7.87 breaks perl-WWW-Curl (see #4588). Version: 7.86.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -10,6 +10,7 @@ Group: System Environment/NetworkingLibraries URL: https://curl.haxx.se Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz Patch0: CVE-2022-43551.patch +Patch1: CVE-2022-43552.patch BuildRequires: krb5-devel BuildRequires: libssh2-devel BuildRequires: openssl-devel 
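Review bot: The patch header does not record that this fix was checked against the tree it is applied to. It removes `smb_done` and the `Curl_safefree(data->req.p.telnet)` call in `telnet_done` on the grounds that the protocol struct "is managed by the generic layer". The upstream commit is dated 7 Nov 2022 and is applied here on top of 7.86.0. It is worth confirming in the 7.86.0 sources that the generic request teardown releases `data->req.p` for SMB and TELNET transfers; if it does not, the struct would be leaked on every transfer. A header line such as `Backport to 7.86.0: req.p is released by the generic request cleanup` would document that for the next rebase.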
@@ -90,6 +91,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/libcurl.so.4* %changelog +* Mon Feb 13 2023 Dallas Delaney - 7.86.0-3 +- Apply patch to fix CVE-2022-43552 + * Thu Jan 12 2023 AurĂ©lien Bombo - 7.86.0-2 - Apply patch to fix CVE-2022-43551. diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index a09f033f590..f4e02fd1c8c 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -130,9 +130,9 @@ libsolv-0.7.20-1.cm1.aarch64.rpm libsolv-devel-0.7.20-1.cm1.aarch64.rpm libssh2-1.9.0-1.cm1.aarch64.rpm libssh2-devel-1.9.0-1.cm1.aarch64.rpm -curl-7.86.0-2.cm1.aarch64.rpm -curl-devel-7.86.0-2.cm1.aarch64.rpm -curl-libs-7.86.0-2.cm1.aarch64.rpm +curl-7.86.0-3.cm1.aarch64.rpm +curl-devel-7.86.0-3.cm1.aarch64.rpm +curl-libs-7.86.0-3.cm1.aarch64.rpm tdnf-2.1.0-7.cm1.aarch64.rpm tdnf-cli-libs-2.1.0-7.cm1.aarch64.rpm tdnf-devel-2.1.0-7.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 8265822e60b..79830695d3b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -130,9 +130,9 @@ libsolv-0.7.20-1.cm1.x86_64.rpm libsolv-devel-0.7.20-1.cm1.x86_64.rpm libssh2-1.9.0-1.cm1.x86_64.rpm libssh2-devel-1.9.0-1.cm1.x86_64.rpm -curl-7.86.0-2.cm1.x86_64.rpm -curl-devel-7.86.0-2.cm1.x86_64.rpm -curl-libs-7.86.0-2.cm1.x86_64.rpm +curl-7.86.0-3.cm1.x86_64.rpm +curl-devel-7.86.0-3.cm1.x86_64.rpm +curl-libs-7.86.0-3.cm1.x86_64.rpm tdnf-2.1.0-7.cm1.x86_64.rpm tdnf-cli-libs-2.1.0-7.cm1.x86_64.rpm tdnf-devel-2.1.0-7.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index e4438f64377..867f4c635a0 100644 
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -51,10 +51,10 @@ cryptsetup-debuginfo-2.3.7-1.cm1.aarch64.rpm cryptsetup-devel-2.3.7-1.cm1.aarch64.rpm cryptsetup-libs-2.3.7-1.cm1.aarch64.rpm cryptsetup-reencrypt-2.3.7-1.cm1.aarch64.rpm -curl-7.86.0-2.cm1.aarch64.rpm -curl-debuginfo-7.86.0-2.cm1.aarch64.rpm -curl-devel-7.86.0-2.cm1.aarch64.rpm -curl-libs-7.86.0-2.cm1.aarch64.rpm +curl-7.86.0-3.cm1.aarch64.rpm +curl-debuginfo-7.86.0-3.cm1.aarch64.rpm +curl-devel-7.86.0-3.cm1.aarch64.rpm +curl-libs-7.86.0-3.cm1.aarch64.rpm cyrus-sasl-2.1.28-1.cm1.aarch64.rpm cyrus-sasl-debuginfo-2.1.28-1.cm1.aarch64.rpm device-mapper-2.03.05-6.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index db4589d30d7..b2b427d6b16 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -51,10 +51,10 @@ cryptsetup-debuginfo-2.3.7-1.cm1.x86_64.rpm cryptsetup-devel-2.3.7-1.cm1.x86_64.rpm cryptsetup-libs-2.3.7-1.cm1.x86_64.rpm cryptsetup-reencrypt-2.3.7-1.cm1.x86_64.rpm -curl-7.86.0-2.cm1.x86_64.rpm -curl-debuginfo-7.86.0-2.cm1.x86_64.rpm -curl-devel-7.86.0-2.cm1.x86_64.rpm -curl-libs-7.86.0-2.cm1.x86_64.rpm +curl-7.86.0-3.cm1.x86_64.rpm +curl-debuginfo-7.86.0-3.cm1.x86_64.rpm +curl-devel-7.86.0-3.cm1.x86_64.rpm +curl-libs-7.86.0-3.cm1.x86_64.rpm cyrus-sasl-2.1.28-1.cm1.x86_64.rpm cyrus-sasl-debuginfo-2.1.28-1.cm1.x86_64.rpm device-mapper-2.03.05-6.cm1.x86_64.rpm From b8ac824da6e692e7e2e5bfb195e873cc03d4998a Mon Sep 17 00:00:00 2001 
From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Wed, 15 Feb 2023 10:36:55 -0800 Subject: [PATCH 13/27] upgrade redis to 6.2.9 (#4849) Co-authored-by: Henry Li --- SPECS/redis/CVE-2022-35977.patch | 122 ---------------------- SPECS/redis/CVE-2022-3647.patch | 165 ------------------------------ SPECS/redis/CVE-2023-22458.patch | 126 ----------------------- SPECS/redis/redis.signatures.json | 2 +- SPECS/redis/redis.spec | 11 +- cgmanifest.json | 4 +- 6 files changed, 7 insertions(+), 423 deletions(-) delete mode 100644 SPECS/redis/CVE-2022-35977.patch delete mode 100644 SPECS/redis/CVE-2022-3647.patch delete mode 100644 SPECS/redis/CVE-2023-22458.patch diff --git a/SPECS/redis/CVE-2022-35977.patch b/SPECS/redis/CVE-2022-35977.patch deleted file mode 100644 index 4d1139e2acd..00000000000 --- a/SPECS/redis/CVE-2022-35977.patch +++ /dev/null 
@@ -1,122 +0,0 @@ -From 1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7 Mon Sep 17 00:00:00 2001 -From: Oran Agra -Date: Mon, 16 Jan 2023 13:49:30 +0200 -Subject: [PATCH] Avoid integer overflows in SETRANGE and SORT (CVE-2022-35977) - (#11720) - -Authenticated users issuing specially crafted SETRANGE and SORT(_RO) -commands can trigger an integer overflow, resulting with Redis attempting -to allocate impossible amounts of memory and abort with an OOM panic. ---- - src/sort.c | 6 ++++-- - src/t_string.c | 17 +++++++++++------ - tests/unit/sort.tcl | 11 +++++++++++ - tests/unit/type/string.tcl | 10 ++++++++++ - 4 files changed, 36 insertions(+), 8 deletions(-) - -diff --git a/src/sort.c b/src/sort.c -index 3b67cc6..e9c57a2 100644 ---- a/src/sort.c -+++ b/src/sort.c -@@ -320,8 +320,10 @@ void sortCommand(client *c) { - default: vectorlen = 0; serverPanic("Bad SORT type"); /* Avoid GCC warning */ - } - -- /* Perform LIMIT start,count sanity checking. */ -- start = (limit_start < 0) ? 0 : limit_start; -+ /* Perform LIMIT start,count sanity checking. -+ * And avoid integer overflow by limiting inputs to object sizes. */ -+ start = min(max(limit_start, 0), vectorlen); -+ limit_count = min(max(limit_count, -1), vectorlen); - end = (limit_count < 0) ? 
vectorlen-1 : start+limit_count-1; - if (start >= vectorlen) { - start = vectorlen-1; -diff --git a/src/t_string.c b/src/t_string.c -index 587d3ae..57efff0 100644 ---- a/src/t_string.c -+++ b/src/t_string.c -@@ -37,8 +37,14 @@ int getGenericCommand(client *c); - * String Commands - *----------------------------------------------------------------------------*/ - --static int checkStringLength(client *c, long long size) { -- if (!(c->flags & CLIENT_MASTER) && size > server.proto_max_bulk_len) { -+static int checkStringLength(client *c, long long size, long long append) { -+ if (mustObeyClient(c)) -+ return C_OK; -+ /* 'uint64_t' cast is there just to prevent undefined behavior on overflow */ -+ long long total = (uint64_t)size + append; -+ /* Test configured max-bulk-len represending a limit of the biggest string object, -+ * and also test for overflow. */ -+ if (total > server.proto_max_bulk_len || total < size || total < append) { - addReplyError(c,"string exceeds maximum allowed size (proto-max-bulk-len)"); - return C_ERR; - } -@@ -443,7 +449,7 @@ void setrangeCommand(client *c) { - } - - /* Return when the resulting string exceeds allowed size */ -- if (checkStringLength(c,offset+sdslen(value)) != C_OK) -+ if (checkStringLength(c,offset,sdslen(value)) != C_OK) - return; - - o = createObject(OBJ_STRING,sdsnewlen(NULL, offset+sdslen(value))); -@@ -463,7 +469,7 @@ void setrangeCommand(client *c) { - } - - /* Return when the resulting string exceeds allowed size */ -- if (checkStringLength(c,offset+sdslen(value)) != C_OK) -+ if (checkStringLength(c,offset,sdslen(value)) != C_OK) - return; - - /* Create a copy when the object is shared or encoded. 
*/ -@@ -687,8 +693,7 @@ void appendCommand(client *c) { - - /* "append" is an argument, so always an sds */ - append = c->argv[2]; -- totlen = stringObjectLen(o)+sdslen(append->ptr); -- if (checkStringLength(c,totlen) != C_OK) -+ if (checkStringLength(c,stringObjectLen(o),sdslen(append->ptr)) != C_OK) - return; - - /* Append the value */ -diff --git a/tests/unit/sort.tcl b/tests/unit/sort.tcl -index 083c454..c868416 100644 ---- a/tests/unit/sort.tcl -+++ b/tests/unit/sort.tcl -@@ -314,5 +314,16 @@ start_server { - flush stdout - } - } -+ -+ test {SETRANGE with huge offset} { -+ r lpush L 2 1 0 -+ # expecting a different outcome on 32 and 64 bit systems -+ foreach value {9223372036854775807 2147483647} { -+ catch {[r sort_ro L by a limit 2 $value]} res -+ if {![string match "2" $res] && ![string match "*out of range*" $res]} { -+ assert_not_equal $res "expecting an error or 2" -+ } -+ } -+ } - } - } -diff --git a/tests/unit/type/string.tcl b/tests/unit/type/string.tcl -index 43968b2..0c95790 100644 ---- a/tests/unit/type/string.tcl -+++ b/tests/unit/type/string.tcl -@@ -574,4 +574,14 @@ start_server {tags {"string"}} { - test {LCS indexes with match len and minimum match len} { - dict get [r STRALGO LCS IDX KEYS virus1 virus2 WITHMATCHLEN MINMATCHLEN 5] matches - } {{{1 222} {13 234} 222}} -+ -+ test {SETRANGE with huge offset} { -+ foreach value {9223372036854775807 2147483647} { -+ catch {[r setrange K $value A]} res -+ # expecting a different error on 32 and 64 bit systems -+ if {![string match "*string exceeds maximum allowed size*" $res] && ![string match "*out of range*" $res]} { -+ assert_equal $res "expecting an error" -+ } -+ } -+ } - } diff --git a/SPECS/redis/CVE-2022-3647.patch b/SPECS/redis/CVE-2022-3647.patch deleted file mode 100644 index 24134382f22..00000000000 --- a/SPECS/redis/CVE-2022-3647.patch +++ /dev/null 
@@ -1,165 +0,0 @@ -diff --git a/src/debug.c b/src/debug.c -index 71ef51f8b..40fffec52 100644 ---- a/src/debug.c -+++ b/src/debug.c -@@ -1019,61 +1019,88 @@ void bugReportStart(void) { - } - - #ifdef HAVE_BACKTRACE --static void *getMcontextEip(ucontext_t *uc) { -+ -+/* Returns the current eip and set it to the given new value (if its not NULL) */ -+static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { -+#define NOT_SUPPORTED() do {\ -+ UNUSED(uc);\ -+ UNUSED(eip);\ -+ return NULL;\ -+} while(0) -+#define GET_SET_RETURN(target_var, new_val) do {\ -+ void *old_val = (void*)target_var; \ -+ if (new_val) { \ -+ void **temp = (void**)&target_var; \ -+ *temp = new_val; \ -+ } \ -+ return old_val; \ -+} while(0) - #if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6) - /* OSX < 10.6 */ - #if defined(__x86_64__) -- return (void*) uc->uc_mcontext->__ss.__rip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); - #elif defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__eip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); - #else -- return (void*) uc->uc_mcontext->__ss.__srr0; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip); - #endif - #elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6) - /* OSX >= 10.6 */ - #if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__rip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); - #elif defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__eip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); - #else - /* OSX ARM64 */ -- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss); -+ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss); -+ if (eip) { -+ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip); -+ } -+ return old_val; - #endif - #elif defined(__linux__) - /* Linux */ - #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) -- return (void*) 
uc->uc_mcontext.gregs[14]; /* Linux 32 */ -+ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); - #elif defined(__X86_64__) || defined(__x86_64__) -- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */ -+ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); - #elif defined(__ia64__) /* Linux IA64 */ -- return (void*) uc->uc_mcontext.sc_ip; -+ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip); - #elif defined(__arm__) /* Linux ARM */ -- return (void*) uc->uc_mcontext.arm_pc; -+ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip); - #elif defined(__aarch64__) /* Linux AArch64 */ -- return (void*) uc->uc_mcontext.pc; -+ GET_SET_RETURN(uc->uc_mcontext.pc, eip); -+ #else -+ NOT_SUPPORTED(); - #endif - #elif defined(__FreeBSD__) - /* FreeBSD */ - #if defined(__i386__) -- return (void*) uc->uc_mcontext.mc_eip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip); - #elif defined(__x86_64__) -- return (void*) uc->uc_mcontext.mc_rip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); -+ #else -+ NOT_SUPPORTED(); - #endif - #elif defined(__OpenBSD__) - /* OpenBSD */ - #if defined(__i386__) -- return (void*) uc->sc_eip; -+ GET_SET_RETURN(uc->sc_eip, eip); - #elif defined(__x86_64__) -- return (void*) uc->sc_rip; -+ GET_SET_RETURN(uc->sc_rip, eip); -+ #else -+ NOT_SUPPORTED(); - #endif - #elif defined(__NetBSD__) - #if defined(__i386__) -- return (void*) uc->uc_mcontext.__gregs[_REG_EIP]; -+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip); - #elif defined(__x86_64__) -- return (void*) uc->uc_mcontext.__gregs[_REG_RIP]; -+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip); -+ #else -+ NOT_SUPPORTED(); - #endif - #elif defined(__DragonFly__) -- return (void*) uc->uc_mcontext.mc_rip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); - #else - return NULL; - #endif -@@ -1800,6 +1827,10 @@ void dumpCodeAroundEIP(void *eip) { - } - } - -+void invalidFunctionWasCalled() {} -+ -+typedef void (*invalidFunctionWasCalledType)(); -+ - void sigsegvHandler(int sig, siginfo_t *info, void *secret) { - 
UNUSED(secret); - UNUSED(info); -@@ -1817,13 +1848,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) { - - #ifdef HAVE_BACKTRACE - ucontext_t *uc = (ucontext_t*) secret; -- void *eip = getMcontextEip(uc); -+ void *eip = getAndSetMcontextEip(uc, NULL); - if (eip != NULL) { - serverLog(LL_WARNING, - "Crashed running the instruction at: %p", eip); - } - -- logStackTrace(getMcontextEip(uc), 1); -+ if (eip == info->si_addr) { -+ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped -+ * function pointer. In that case the call to backtrace will crash trying to access that address and we -+ * won't get a crash report logged. Set it to a valid point to avoid that crash. */ -+ -+ /* This trick allow to avoid compiler warning */ -+ void *ptr; -+ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr; -+ *ptr_ptr = invalidFunctionWasCalled; -+ getAndSetMcontextEip(uc, ptr); -+ } -+ -+ logStackTrace(eip, 1); -+ -+ if (eip == info->si_addr) { -+ /* Restore old eip */ -+ getAndSetMcontextEip(uc, eip); -+ } - - logRegisters(uc); - #endif -@@ -1918,7 +1966,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) { - - serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---"); - #ifdef HAVE_BACKTRACE -- logStackTrace(getMcontextEip(uc), 1); -+ logStackTrace(getAndSetMcontextEip(uc, NULL), 1); - #else - serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace()."); - #endif diff --git a/SPECS/redis/CVE-2023-22458.patch b/SPECS/redis/CVE-2023-22458.patch deleted file mode 100644 index 257ed90eadf..00000000000 --- a/SPECS/redis/CVE-2023-22458.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 16f408b1a0121cacd44cbf8aee275d69dc627f02 Mon Sep 17 00:00:00 2001 -From: Oran Agra -Date: Mon, 16 Jan 2023 13:50:27 +0200 -Subject: [PATCH] Fix range issues in ZRANDMEMBER and HRANDFIELD - (CVE-2023-22458) (#11674) - -missing range check in ZRANDMEMBER and HRANDIFLD leading to panic due -to protocol limitations ---- - src/t_hash.c | 7 ++++++- - src/t_zset.c | 7 ++++++- - tests/unit/type/hash.tcl | 5 +++++ - tests/unit/type/zset.tcl | 5 +++++ - 4 files changed, 22 insertions(+), 2 deletions(-) - -diff --git a/src/server.c b/src/server.c -index d887e58..7936198 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -3568,6 +3568,11 @@ struct redisCommand *lookupCommandOrOriginal(sds name) { - return cmd; - } - -+/* Commands arriving from the master client or AOF client, should never be rejected. */ -+int mustObeyClient(client *c) { -+ return c->id == CLIENT_ID_AOF || c->flags & CLIENT_MASTER; -+} -+ - /* Propagate the specified command (in the context of the specified database id) - * to AOF and Slaves. - * -diff --git a/src/server.h b/src/server.h -index bc09ebd..4602cb7 100644 ---- a/src/server.h -+++ b/src/server.h -@@ -84,6 +84,12 @@ typedef long long ustime_t; /* microsecond time type. */ - #include "endianconv.h" - #include "crc64.h" - -+/* min/max */ -+#undef min -+#undef max -+#define min(a, b) ((a) < (b) ? (a) : (b)) -+#define max(a, b) ((a) > (b) ? (a) : (b)) -+ - /* Error codes */ - #define C_OK 0 - #define C_ERR -1 -@@ -2233,6 +2239,7 @@ void preventCommandReplication(client *c); - void slowlogPushCurrentCommand(client *c, struct redisCommand *cmd, ustime_t duration); - int prepareForShutdown(int flags); - void afterCommand(client *c); -+int mustObeyClient(client *c); - int inNestedCall(void); - #ifdef __GNUC__ - void _serverLog(int level, const char *fmt, ...) 
-diff --git a/src/t_hash.c b/src/t_hash.c -index 2720fdb..e7292f7 100644 ---- a/src/t_hash.c -+++ b/src/t_hash.c -@@ -1192,8 +1192,13 @@ void hrandfieldCommand(client *c) { - if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) { - addReplyErrorObject(c,shared.syntaxerr); - return; -- } else if (c->argc == 4) -+ } else if (c->argc == 4) { - withvalues = 1; -+ if (l < LONG_MIN/2 || l > LONG_MAX/2) { -+ addReplyError(c,"value is out of range"); -+ return; -+ } -+ } - hrandfieldWithCountCommand(c, l, withvalues); - return; - } -diff --git a/src/t_zset.c b/src/t_zset.c -index f313b88..c67696e 100644 ---- a/src/t_zset.c -+++ b/src/t_zset.c -@@ -4235,8 +4235,13 @@ void zrandmemberCommand(client *c) { - if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) { - addReplyErrorObject(c,shared.syntaxerr); - return; -- } else if (c->argc == 4) -+ } else if (c->argc == 4) { - withscores = 1; -+ if (l < LONG_MIN/2 || l > LONG_MAX/2) { -+ addReplyError(c,"value is out of range"); -+ return; -+ } -+ } - zrandmemberWithCountCommand(c, l, withscores); - return; - } -diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl -index f2a5037..4f22268 100644 ---- a/tests/unit/type/hash.tcl -+++ b/tests/unit/type/hash.tcl -@@ -68,6 +68,11 @@ start_server {tags {"hash"}} { - r hrandfield myhash 0 - } {} - -+ test "HRANDFIELD count overflow" { -+ r hmset myhash a 1 -+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues} -+ } {} -+ - test "HRANDFIELD with against non existing key" { - r hrandfield nonexisting_key 100 - } {} -diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl -index 94b2ab4..5ea619e 100644 ---- a/tests/unit/type/zset.tcl -+++ b/tests/unit/type/zset.tcl -@@ -1714,6 +1714,11 @@ start_server {tags {"zset"}} { - r zrandmember nonexisting_key 100 - } {} - -+ test "ZRANDMEMBER count overflow" { -+ r zadd myzset 0 a -+ assert_error {*value is out of range*} {r zrandmember 
myzset -9223372036854770000 withscores} -+ } {} -+ - # Make sure we can distinguish between an empty array and a null response - r readraw 1 - diff --git a/SPECS/redis/redis.signatures.json b/SPECS/redis/redis.signatures.json index 7f1d4dcdfbb..8f8d4bf738b 100644 --- a/SPECS/redis/redis.signatures.json +++ b/SPECS/redis/redis.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "redis-6.2.7.tar.gz": "b7a79cc3b46d3c6eb52fa37dde34a4a60824079ebdfb3abfbbfa035947c55319" + "redis-6.2.9.tar.gz": "9661b2c6b1cc9bf2999471b37a4d759fa5e747d408142c18af8792ebd8384a2a" } } \ No newline at end of file diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec index 2a2a0a6345f..76a34748629 100644 --- a/SPECS/redis/redis.spec +++ b/SPECS/redis/redis.spec @@ -1,7 +1,7 @@ Summary: advanced key-value store Name: redis -Version: 6.2.7 -Release: 3%{?dist} +Version: 6.2.9 +Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -11,9 +11,6 @@ Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz Patch0: redis-conf.patch Patch1: disable_active_defrag_big_keys.patch Patch2: disable_defrag_test.patch -Patch3: CVE-2022-3647.patch -Patch4: CVE-2022-35977.patch -Patch5: CVE-2023-22458.patch BuildRequires: gcc BuildRequires: make BuildRequires: systemd @@ -87,8 +84,8 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf %changelog -* Fri Feb 03 2023 Henry Li - 6.2.7-3 -- Add patch for CVE-2022-35977 and CVE-2023-22458 +* Mon Feb 13 2023 Henry Li - 6.2.9-1 +- Upgrade to version 6.2.9 to resolve CVE-2022-35977 and CVE-2023-22458 * Wed Oct 26 2022 AurĂ©lien Bombo - 6.2.7-2 - Apply patch for CVE-2022-3647. diff --git a/cgmanifest.json b/cgmanifest.json index a5781e73347..3444a1fb5ab 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -7036,8 +7036,8 @@ "type": "other", "other": { "name": "redis", - "version": "6.2.7", - "downloadUrl": "http://download.redis.io/releases/redis-6.2.7.tar.gz" + "version": "6.2.9", + "downloadUrl": "http://download.redis.io/releases/redis-6.2.9.tar.gz" } } }, From aefa37ac368fbb42c7f8cc829b723363696434fd Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Thu, 16 Feb 2023 14:33:02 -0500 Subject: [PATCH 14/27] grub2: CVE-2022-3775 --- .../grub2-efi-binary-signed.spec | 5 +- SPECS/grub2/CVE-2022-3775.patch | 91 +++++++++++++++++++ SPECS/grub2/grub2.spec | 7 +- 3 files changed, 101 insertions(+), 2 deletions(-) create mode 100644 SPECS/grub2/CVE-2022-3775.patch diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index 533a804d56b..d387c48f235 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -10,7 +10,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} Version: 2.06~rc1 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner @@ -54,6 +54,9 @@ cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/%{grubefiname} /boot/efi/EFI/BOOT/%{grubefiname} %changelog +* Wed Feb 08 2023 Dan Streetman - 2.06~rc1-10 +- CVE-2022-3775 + * Wed Dec 28 2022 Osama Esmail - 2.06~rc1-9 - Bump release number to match grub release number diff --git a/SPECS/grub2/CVE-2022-3775.patch b/SPECS/grub2/CVE-2022-3775.patch new file mode 100644 index 00000000000..89f877c48e5 --- /dev/null +++ b/SPECS/grub2/CVE-2022-3775.patch 
@@ -0,0 +1,91 @@ +From 992c06191babc1e109caf40d6a07ec6fdef427af Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 24 Oct 2022 08:05:35 +0800 +Subject: [PATCH] font: Fix an integer underflow in blit_comb() + +The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may +evaluate to a very big invalid value even if both ctx.bounds.height and +combining_glyphs[i]->height are small integers. For example, if +ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this +expression evaluates to 2147483647 (expected -1). This is because +coordinates are allowed to be negative but ctx.bounds.height is an +unsigned int. So, the subtraction operates on unsigned ints and +underflows to a very big value. The division makes things even worse. +The quotient is still an invalid value even if converted back to int. + +This patch fixes the problem by casting ctx.bounds.height to int. As +a result the subtraction will operate on int and grub_uint16_t which +will be promoted to an int. So, the underflow will no longer happen. Other +uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, +to ensure coordinates are always calculated on signed integers. 
+ +Fixes: CVE-2022-3775 + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +--- + grub-core/font/font.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index abd412a5e..3d3d803e8 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1197,12 +1197,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + ctx.bounds.height = main_glyph->height; + + above_rightx = main_glyph->offset_x + main_glyph->width; +- above_righty = ctx.bounds.y + ctx.bounds.height; ++ above_righty = ctx.bounds.y + (int) ctx.bounds.height; + + above_leftx = main_glyph->offset_x; +- above_lefty = ctx.bounds.y + ctx.bounds.height; ++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; + +- below_rightx = ctx.bounds.x + ctx.bounds.width; ++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; + below_righty = ctx.bounds.y; + + comb = grub_unicode_get_comb (glyph_id); +@@ -1215,7 +1215,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + if (!combining_glyphs[i]) + continue; +- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; ++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; + /* CGJ is to avoid diacritics reordering. */ + if (comb[i].code + == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) +@@ -1225,8 +1225,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + case GRUB_UNICODE_COMB_OVERLAY: + do_blit (combining_glyphs[i], + targetx, +- (ctx.bounds.height - combining_glyphs[i]->height) / 2 +- - (ctx.bounds.height + ctx.bounds.y), &ctx); ++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 ++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; + break; +@@ -1299,7 +1299,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + /* Fallthrough. 
*/ + case GRUB_UNICODE_STACK_ATTACHED_ABOVE: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height + ctx.bounds.y + space ++ -((int) ctx.bounds.height + ctx.bounds.y + space + + combining_glyphs[i]->height), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +@@ -1307,7 +1307,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + case GRUB_UNICODE_COMB_HEBREW_DAGESH: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height / 2 + ctx.bounds.y ++ -((int) ctx.bounds.height / 2 + ctx.bounds.y + + combining_glyphs[i]->height / 2), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +-- +2.34.1 + diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 6e59856234d..6b3c2b42925 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec @@ -6,7 +6,7 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.06~rc1 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner @@ -48,6 +48,8 @@ Patch0157: 0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch Patch0166: 0166-grub-install-disable-support-for-EFI-platforms.patch Patch0167: CVE-2021-3981.patch Patch0170: CVE-2022-2601.patch +# CVE-2022-3775 +Patch0171: CVE-2022-3775.patch # Add nopatches for tooling #Patch1000: CVE-2021-3418.nopatch #Patch1001: CVE-2020-14372.nopatch @@ -279,6 +281,9 @@ cp $GRUB_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_MODULE_NAME %endif %changelog +* Wed Feb 08 2023 Dan Streetman - 2.06~rc1-10 +- CVE-2022-3775 + * Wed Dec 28 2022 Osama Esmail - 2.06~rc1-9 - Fix CVE-2022-2601. From 9e2d076f94fd45aa0d4c5d0ae7db5abcc95ee451 Mon Sep 17 00:00:00 2001 
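Review bot: In the `GRUB_UNICODE_COMB_HEBREW_DAGESH` case, `(int) ctx.bounds.height / 2` relies on the cast binding tighter than the division. It is correct, but it reads differently from the other casts in this patch, which are applied to a bare operand. Writing it as `((int) ctx.bounds.height) / 2` would make the intent explicit. Because the cast is repeated at every use, a short comment at the first one, e.g. `/* bounds.width/height are unsigned; cast so coordinate arithmetic stays signed */`, would help later edits keep the pattern. `blit_comb` starts and ends outside these hunks.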
From: Dan Streetman Date: Thu, 16 Feb 2023 14:33:43 -0500 Subject: [PATCH 15/27] libconfuse: CVE-2022-40320 (#4822) --- SPECS/libconfuse/CVE-2022-40320.patch | 39 +++++++++++++++++++++++++++ SPECS/libconfuse/libconfuse.spec | 6 ++++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 SPECS/libconfuse/CVE-2022-40320.patch diff --git a/SPECS/libconfuse/CVE-2022-40320.patch b/SPECS/libconfuse/CVE-2022-40320.patch new file mode 100644 index 00000000000..de949c024a7 --- /dev/null +++ b/SPECS/libconfuse/CVE-2022-40320.patch @@ -0,0 +1,39 @@ +From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001 +From: Joachim Wiberg +Date: Fri, 2 Sep 2022 16:12:46 +0200 +Subject: [PATCH] Fix #163: unterminated username used with getpwnam() + +Signed-off-by: Joachim Wiberg +--- + src/confuse.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/confuse.c b/src/confuse.c +index 6d1fdbd..05566b5 100644 +--- a/src/confuse.c ++++ b/src/confuse.c +@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename) + passwd = getpwuid(geteuid()); + file = filename + 1; + } else { +- /* ~user or ~user/path */ +- char *user; ++ char *user; /* ~user or ~user/path */ ++ size_t len; + + file = strchr(filename, '/'); + if (file == 0) + file = filename + strlen(filename); + +- user = malloc(file - filename); ++ len = file - filename - 1; ++ user = malloc(len + 1); + if (!user) + return NULL; + +- strncpy(user, filename + 1, file - filename - 1); ++ strncpy(user, &filename[1], len); ++ user[len] = 0; + passwd = getpwnam(user); + free(user); + } diff --git a/SPECS/libconfuse/libconfuse.spec b/SPECS/libconfuse/libconfuse.spec index 8187790d0cb..4f0d9789d6f 100644 --- a/SPECS/libconfuse/libconfuse.spec +++ b/SPECS/libconfuse/libconfuse.spec 
@@ -1,13 +1,14 @@ Summary: Configuration file parser library Name: libconfuse Version: 3.3 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC Vendor: Microsoft Corporation Distribution: Mariner Group: Development/Libraries URL: https://github.com/libconfuse/libconfuse Source0: https://github.com/libconfuse/libconfuse/releases/download/v%{version}/confuse-%{version}.tar.gz +Patch0: CVE-2022-40320.patch BuildRequires: gcc BuildRequires: make @@ -55,6 +56,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/pkgconfig/libconfuse.pc %changelog +* Fri Feb 10 2023 Dan Streetman 3.3-2 +- CVE-2022-40320 + * Mon Feb 08 2021 Henry Beberman 3.3-1 - Add libconfuse spec - License verified From ff2f22d41ea5920d9a5ccf206c216bc20bd49908 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Thu, 16 Feb 2023 14:34:04 -0500 Subject: [PATCH 16/27] helm: CVE-2022-23524 (#4824) --- SPECS/helm/CVE-2022-23524.patch | 189 ++++++++++++++++++++++++++++++++ SPECS/helm/helm.spec | 6 +- 2 files changed, 194 insertions(+), 1 deletion(-) create mode 100644 SPECS/helm/CVE-2022-23524.patch diff --git a/SPECS/helm/CVE-2022-23524.patch b/SPECS/helm/CVE-2022-23524.patch new file mode 100644 index 00000000000..da1b79ad557 --- /dev/null +++ b/SPECS/helm/CVE-2022-23524.patch 
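Review bot: `Patch0: CVE-2022-40320.patch` is declared in libconfuse.spec, but neither hunk touches `%prep`, so whether the patch is applied depends on lines that are not shown. If `%prep` still uses a plain `%setup`, the package would build unpatched while the release bump and changelog record the CVE as handled. The syslog-ng.spec change later in this series switches `%setup -q` to `%autosetup -p1`, presumably for this reason. Confirm that `%prep` applies patches here, or make the same switch.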
@@ -0,0 +1,189 @@ +From 3caf8b586b47e838e492f9ec05396bf8c5851b92 Mon Sep 17 00:00:00 2001 +From: Martin Hickey +Date: Fri, 25 Nov 2022 18:16:43 +0000 +Subject: [PATCH] Update string handling + +Signed-off-by: Martin Hickey +(cherry picked from commit a59e58468430bf9b454426ff22f5f367185b7d77) +--- + pkg/strvals/parser.go | 28 ++++++++++++------ + pkg/strvals/parser_test.go | 58 ++++++++++++++++++++++++++++++++++++-- + 2 files changed, 76 insertions(+), 10 deletions(-) + +diff -urpN a/pkg/strvals/parser.go helm-3.4.1/pkg/strvals/parser.go +--- a/pkg/strvals/parser.go 2020-11-11 14:44:01.000000000 -0500 ++++ helm-3.4.1/pkg/strvals/parser.go 2023-02-10 10:43:36.839848912 -0500 +@@ -29,6 +29,10 @@ import ( + // ErrNotList indicates that a non-list was treated as a list. + var ErrNotList = errors.New("not a list") + ++// MaxNestedNameLevel is the maximum level of nesting for a value name that ++// will be allowed. ++var MaxNestedNameLevel = 30 ++ + // ToYAML takes a string of arguments and converts to a YAML document. + func ToYAML(s string) (string, error) { + m, err := Parse(s) +@@ -131,7 +135,7 @@ func newFileParser(sc *bytes.Buffer, dat + + func (t *parser) parse() error { + for { +- err := t.key(t.data) ++ err := t.key(t.data, 0) + if err == nil { + continue + } +@@ -150,7 +154,7 @@ func runeSet(r []rune) map[rune]bool { + return s + } + +-func (t *parser) key(data map[string]interface{}) (reterr error) { ++func (t *parser) key(data map[string]interface{}, nestedNameLevel int) (reterr error) { + defer func() { + if r := recover(); r != nil { + reterr = fmt.Errorf("unable to parse key: %s", r) +@@ -180,7 +184,7 @@ func (t *parser) key(data map[string]int + } + + // Now we need to get the value after the ]. 
+- list, err = t.listItem(list, i) ++ list, err = t.listItem(list, i, nestedNameLevel) + set(data, kk, list) + return err + case last == '=': +@@ -211,6 +215,12 @@ func (t *parser) key(data map[string]int + set(data, string(k), "") + return errors.Errorf("key %q has no value (cannot end with ,)", string(k)) + case last == '.': ++ // Check value name is within the maximum nested name level ++ nestedNameLevel++ ++ if nestedNameLevel > MaxNestedNameLevel { ++ return fmt.Errorf("value name nested level is greater than maximum supported nested level of %d", MaxNestedNameLevel) ++ } ++ + // First, create or find the target map. + inner := map[string]interface{}{} + if _, ok := data[string(k)]; ok { +@@ -218,12 +228,14 @@ func (t *parser) key(data map[string]int + } + + // Recurse +- e := t.key(inner) ++ if e := t.key(inner, nestedNameLevel); e != nil { ++ return e ++ } + if len(inner) == 0 { + return errors.Errorf("key map %q has no value", string(k)) + } + set(data, string(k), inner) +- return e ++ return nil + } + } + } +@@ -269,7 +281,7 @@ func (t *parser) keyIndex() (int, error) + return strconv.Atoi(string(v)) + + } +-func (t *parser) listItem(list []interface{}, i int) ([]interface{}, error) { ++func (t *parser) listItem(list []interface{}, i, nestedNameLevel int) ([]interface{}, error) { + if i < 0 { + return list, fmt.Errorf("negative %d index not allowed", i) + } +@@ -314,7 +326,7 @@ func (t *parser) listItem(list []interfa + } + } + // Now we need to get the value after the ]. 
+- list2, err := t.listItem(crtList, nextI) ++ list2, err := t.listItem(crtList, nextI, nestedNameLevel) + if err != nil { + return list, err + } +@@ -333,7 +345,7 @@ func (t *parser) listItem(list []interfa + } + + // Recurse +- e := t.key(inner) ++ e := t.key(inner, nestedNameLevel) + if e != nil { + return list, e + } +diff -urpN a/pkg/strvals/parser_test.go helm-3.4.1/pkg/strvals/parser_test.go +--- a/pkg/strvals/parser_test.go 2020-11-11 14:44:01.000000000 -0500 ++++ helm-3.4.1/pkg/strvals/parser_test.go 2023-02-10 10:43:36.839848912 -0500 +@@ -16,6 +16,7 @@ limitations under the License. + package strvals + + import ( ++ "fmt" + "testing" + + "sigs.k8s.io/yaml" +@@ -239,8 +240,9 @@ func TestParseSet(t *testing.T) { + err: true, + }, + { +- str: "name1.name2=", +- expect: map[string]interface{}{"name1": map[string]interface{}{"name2": ""}}, ++ "name1.name2=", ++ map[string]interface{}{}, ++ false, + }, + { + str: "name1.=name2", +@@ -645,3 +647,55 @@ func TestToYAML(t *testing.T) { + t.Errorf("Expected %q, got %q", expect, o) + } + } ++ ++func TestParseSetNestedLevels(t *testing.T) { ++ var keyMultipleNestedLevels string ++ for i := 1; i <= MaxNestedNameLevel+2; i++ { ++ tmpStr := fmt.Sprintf("name%d", i) ++ if i <= MaxNestedNameLevel+1 { ++ tmpStr = tmpStr + "." ++ } ++ keyMultipleNestedLevels += tmpStr ++ } ++ tests := []struct { ++ str string ++ expect map[string]interface{} ++ err bool ++ }{ ++ { ++ "outer.middle.inner=value", ++ map[string]interface{}{"outer": map[string]interface{}{"middle": map[string]interface{}{"inner": "value"}}}, ++ false, ++ }, ++ { ++ str: keyMultipleNestedLevels + "=value", ++ err: true, ++ }, ++ } ++ ++ for _, tt := range tests { ++ got, err := Parse(tt.str) ++ if err != nil { ++ if tt.err { ++ continue ++ } ++ t.Fatalf("%s: %s", tt.str, err) ++ } ++ if tt.err { ++ t.Errorf("%s: Expected error. 
Got nil", tt.str) ++ } ++ ++ y1, err := yaml.Marshal(tt.expect) ++ if err != nil { ++ t.Fatal(err) ++ } ++ y2, err := yaml.Marshal(got) ++ if err != nil { ++ t.Fatalf("Error serializing parsed value: %s", err) ++ } ++ ++ if string(y1) != string(y2) { ++ t.Errorf("%s: Expected:\n%s\nGot:\n%s", tt.str, y1, y2) ++ } ++ } ++} diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec index 53c52e14afd..5e33841d79a 100644 --- a/SPECS/helm/helm.spec +++ b/SPECS/helm/helm.spec @@ -1,7 +1,7 @@ %global debug_package %{nil} Name: helm Version: 3.4.1 -Release: 14%{?dist} +Release: 15%{?dist} Summary: The Kubernetes Package Manager License: Apache 2.0 Vendor: Microsoft Corporation @@ -26,6 +26,7 @@ Patch0: CVE-2021-21303.patch Patch1: CVE-2021-32690.patch Patch2: CVE-2022-23525.patch Patch3: CVE-2022-23526.patch +Patch4: CVE-2022-23524.patch BuildRequires: golang >= 1.15.5 %description @@ -56,6 +57,9 @@ install -m 755 ./helm %{buildroot}%{_bindir} go test -v ./cmd/helm %changelog +* Fri Feb 10 2023 Dan Streetman - 3.4.1-15 +- CVE-2022-23524 + * Wed Dec 21 2022 Jon Slobodzian - 3.4.1-14 - Patch CVE-2022-23525, CVE-2022-23526 - Added Check Section From 356aecf418126bcd4177f6b47db92cdc5b080dd0 Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Thu, 16 Feb 2023 14:34:34 -0500 Subject: [PATCH 17/27] syslog-ng: CVE-2022-38725 (#4826) --- SPECS/syslog-ng/CVE-2022-38725.patch | 75 ++++++++++++++++++++++++++++ SPECS/syslog-ng/syslog-ng.spec | 9 +++- 2 files changed, 82 insertions(+), 2 deletions(-) create mode 100644 SPECS/syslog-ng/CVE-2022-38725.patch diff --git a/SPECS/syslog-ng/CVE-2022-38725.patch b/SPECS/syslog-ng/CVE-2022-38725.patch new file mode 100644 index 00000000000..03ad75f6f9e --- /dev/null +++ b/SPECS/syslog-ng/CVE-2022-38725.patch 
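Review bot: In the `case last == '.'` branch of `key()`, the new early `return e` runs before `set(data, string(k), inner)`, so a nested key whose inner parse stops with an error drops everything already collected in `inner`. The patch's own test edit shows the effect: `name1.name2=` used to expect `{"name1": {"name2": ""}}` and now expects an empty map with no error. That looks like a silent behaviour change rather than part of the nesting limit; presumably the inner call returns io.EOF at end of input. Keeping the depth check but storing `inner` whenever it is non-empty would preserve the old result while still propagating the depth error, as sketched below. `key()` begins and ends outside this hunk.

```go
			// … unchanged: nestedNameLevel check and lookup of the existing inner map …

			// Recurse
			e := t.key(inner, nestedNameLevel)
			if e == nil && len(inner) == 0 {
				return errors.Errorf("key map %q has no value", string(k))
			}
			if len(inner) != 0 {
				// Keep what the inner parse collected even when it stopped on an error.
				set(data, string(k), inner)
			}
			return e
```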
@@ -0,0 +1,75 @@ +From 8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= + +Date: Sat, 20 Aug 2022 14:30:22 +0200 +Subject: [PATCH] timeutils: fix invalid calculation of ISO timestamp length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: LĂ¡szlĂ³ VĂ¡rady +--- + lib/timeutils/scan-timestamp.c | 8 ++++++-- + lib/timeutils/tests/test_scan-timestamp.c | 7 +++++++ + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index d22d50973..125264677 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -250,19 +250,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -272,8 +274,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 468bbf779..d18bdc65d 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -138,6 +138,13 @@ Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) + _expect_rfc3164_timestamp_eq("Dec 31 
17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +-- +2.34.1 + diff --git a/SPECS/syslog-ng/syslog-ng.spec b/SPECS/syslog-ng/syslog-ng.spec index 23d385426d4..46a985ef128 100644 --- a/SPECS/syslog-ng/syslog-ng.spec +++ b/SPECS/syslog-ng/syslog-ng.spec @@ -3,7 +3,7 @@ Summary: Next generation system logger facilty Name: syslog-ng Version: 3.23.1 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD and GPLv2+ and LGPLv2+ URL: https://syslog-ng.org/ Group: System Environment/Daemons @@ -15,6 +15,8 @@ Source1: 60-syslog-ng-journald.conf Source2: syslog-ng.service Source3: syslog-ng.conf +Patch0: CVE-2022-38725.patch + Requires: glib Requires: json-glib Requires: json-c @@ -65,7 +67,7 @@ Requires: %{name} = %{version}-%{release} needed to build applications using syslog-ng APIs. %prep -%setup -q +%autosetup -p1 rm -rf ../p3dir cp -a . ../p3dir %build @@ -201,6 +203,9 @@ rm -rf %{buildroot}/* %{_libdir}/pkgconfig/* %changelog +* Fri Feb 10 2023 Dan Streetman 3.23.1-4 +- CVE-2022-38725 + * Thu Sep 02 2021 Suresh Babu Chalamalasetty 3.23.1-3 - Add customized syslog-ng.conf * Tue Oct 13 2020 Pawel Winogrodzki 3.23.1-2 From 1765b134e1017c6a0eb8b6384398ae6f27f18fa7 Mon Sep 17 00:00:00 2001 
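Review bot: The new `g_assert(*length >= 6);` in `__parse_iso_timezone` is the only bound in that function on the six bytes read below it, and an assertion is a weak guard on a timestamp-parsing path. It aborts the process when it fires, and it is compiled out when GLib assertions are disabled. The callers are outside the hunk, so it is not visible whether each of them checks `__has_iso_timezone` first. An explicit check that leaves `*data` and `*length` untouched, `if (*length < 6) return 0;`, would keep the read bounded in both build modes. A comment such as `/* "+hh:mm" is 6 bytes; callers must have passed __has_iso_timezone() */` would record the contract.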
From: rlmenge Date: Fri, 17 Feb 2023 13:01:35 -0800 Subject: [PATCH 18/27] Nopatch kernel to address CVE-2022-36280, CVE-2022-41218, CVE-2022-4139, CVE-2022-42328, CVE-2022-42329, CVE-2022-4662, CVE-2023-23559 (#4882) --- SPECS/kernel/CVE-2022-36280.nopatch | 2 ++ SPECS/kernel/CVE-2022-41218.nopatch | 2 ++ SPECS/kernel/CVE-2022-4139.nopatch | 2 ++ SPECS/kernel/CVE-2022-42328.nopatch | 2 ++ SPECS/kernel/CVE-2022-42329.nopatch | 2 ++ SPECS/kernel/CVE-2022-4662.nopatch | 2 ++ SPECS/kernel/CVE-2023-23559.nopatch | 2 ++ 7 files changed, 14 insertions(+) create mode 100644 SPECS/kernel/CVE-2022-36280.nopatch create mode 100644 SPECS/kernel/CVE-2022-41218.nopatch create mode 100644 SPECS/kernel/CVE-2022-4139.nopatch create mode 100644 SPECS/kernel/CVE-2022-42328.nopatch create mode 100644 SPECS/kernel/CVE-2022-42329.nopatch create mode 100644 SPECS/kernel/CVE-2022-4662.nopatch create mode 100644 SPECS/kernel/CVE-2023-23559.nopatch diff --git a/SPECS/kernel/CVE-2022-36280.nopatch b/SPECS/kernel/CVE-2022-36280.nopatch new file mode 100644 index 00000000000..732bbb15081 --- /dev/null +++ b/SPECS/kernel/CVE-2022-36280.nopatch @@ -0,0 +1,2 @@ +CVE-2022-36280 - patched in version 5.10.163 +upstream commit ID 4cf949c7fafe21e085a4ee386bb2dade9067316e -> stable commit ID 439cbbc1519547f9a7b483f0de33b556ebfec901 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2022-41218.nopatch b/SPECS/kernel/CVE-2022-41218.nopatch new file mode 100644 index 00000000000..1d857eae4a2 --- /dev/null +++ b/SPECS/kernel/CVE-2022-41218.nopatch @@ -0,0 +1,2 @@ +CVE-2022-41218 - patched in version 5.10.163 +upstream commit ID fd3d91ab1c6ab0628fe642dd570b56302c30a792 -> stable commit ID 3df07728abde249e2d3f47cf22f134cb4d4f5fb1 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2022-4139.nopatch b/SPECS/kernel/CVE-2022-4139.nopatch new file mode 100644 index 00000000000..a6076995fd1 --- /dev/null +++ b/SPECS/kernel/CVE-2022-4139.nopatch 
@@ -0,0 +1,2 @@
+CVE-2022-4139 - patched in version 5.10.157
+upstream commit ID 04aa64375f48a5d430b5550d9271f8428883e550 -> stable commit ID 86f0082fb9470904b15546726417f28077088fee
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2022-42328.nopatch b/SPECS/kernel/CVE-2022-42328.nopatch
new file mode 100644
index 00000000000..51c7875220b
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-42328.nopatch
@@ -0,0 +1,2 @@
+CVE-2022-42328 - patched in version 5.10.159
+upstream commit ID 74e7e1efdad45580cc3839f2a155174cf158f9b5 -> stable commit ID 83632fc41449c480f2d0193683ec202caaa186c9
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2022-42329.nopatch b/SPECS/kernel/CVE-2022-42329.nopatch
new file mode 100644
index 00000000000..b4ce2037d56
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-42329.nopatch
@@ -0,0 +1,2 @@
+CVE-2022-42329 - patched in version 5.10.159
+upstream commit ID 74e7e1efdad45580cc3839f2a155174cf158f9b5 -> stable commit ID 83632fc41449c480f2d0193683ec202caaa186c9
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2022-4662.nopatch b/SPECS/kernel/CVE-2022-4662.nopatch
new file mode 100644
index 00000000000..e83eef09cd9
--- /dev/null
+++ b/SPECS/kernel/CVE-2022-4662.nopatch
@@ -0,0 +1,2 @@
+CVE-2022-4662 - patched in version 5.10.142
+upstream commit ID 9c6d778800b921bde3bff3cff5003d1650f942d1 -> stable commit ID abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8
diff --git a/SPECS/kernel/CVE-2023-23559.nopatch b/SPECS/kernel/CVE-2023-23559.nopatch
new file mode 100644
index 00000000000..feb18ed69e1
--- /dev/null
+++ b/SPECS/kernel/CVE-2023-23559.nopatch
@@ -0,0 +1,2 @@
+CVE-2023-23559 - patched in version 5.10.166
+upstream commit ID b870e73a56c4cccbec33224233eaf295839f228c -> stable commit ID 802fd7623e9ed19ee809b503e93fccc1e3f37bd6
\ No newline at end of file
From 5744dad2ad16570198b0e7dd1887335fcffd4e3a Mon Sep 17 00:00:00 2001
From: Dallas Delaney <106280731+dallasd1@users.noreply.github.com> Date: Tue, 21 Feb 2023 08:33:40 -0800 Subject: [PATCH 19/27] libtiff: CVE 2023-0800 (#4876) CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 --- SPECS/libtiff/CVE-2023-0800.patch | 125 ++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 6 +- 2 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 SPECS/libtiff/CVE-2023-0800.patch diff --git a/SPECS/libtiff/CVE-2023-0800.patch b/SPECS/libtiff/CVE-2023-0800.patch new file mode 100644 index 00000000000..3d3f83ea6f4 --- /dev/null +++ b/SPECS/libtiff/CVE-2023-0800.patch 
@@ -0,0 +1,125 @@ +From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Sun, 5 Feb 2023 15:53:15 +0000 +Subject: [PATCH] tiffcrop: added check for assumption on composite images + (fixes #496) + +tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action. + +Closes #496, #497, #498, #500, #501. +--- + tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 66 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 5a067a4..2b8a8e9 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5364,18 +5364,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + + crop->regionlist[i].buffsize = buffsize; + crop->bufftotal += buffsize; ++ ++ /* For composite images with more than one region, the ++ * combined_length or combined_width always needs to be equal, ++ * respectively. ++ * Otherwise, even the first section/region copy ++ * action might cause buffer overrun. 
*/ + if (crop->img_mode == COMPOSITE_IMAGES) + { + switch (crop->edge_ref) + { + case EDGE_LEFT: + case EDGE_RIGHT: ++ if (i > 0 && zlength != crop->combined_length) ++ { ++ TIFFError( ++ "computeInputPixelOffsets", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (-1); ++ } + crop->combined_length = zlength; + crop->combined_width += zwidth; + break; + case EDGE_BOTTOM: + case EDGE_TOP: /* width from left, length from top */ + default: ++ if (i > 0 && zwidth != crop->combined_width) ++ { ++ TIFFError("computeInputPixelOffsets", ++ "Only equal width regions can be " ++ "combined for -E " ++ "top or bottom"); ++ return (-1); ++ } + crop->combined_width = zwidth; + crop->combined_length += zlength; + break; +@@ -6589,6 +6611,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + crop->combined_width = 0; + crop->combined_length = 0; + ++ /* If there is more than one region, check beforehand whether all the width ++ * and length values of the regions are the same, respectively. 
*/ ++ switch (crop->edge_ref) ++ { ++ default: ++ case EDGE_TOP: ++ case EDGE_BOTTOM: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_width0 = ++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; ++ uint32_t crop_width1 = ++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ if (crop_width0 != crop_width1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal width regions can be combined for -E " ++ "top or bottom"); ++ return (1); ++ } ++ } ++ break; ++ case EDGE_LEFT: ++ case EDGE_RIGHT: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_length0 = ++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; ++ uint32_t crop_length1 = ++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ if (crop_length0 != crop_length1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (1); ++ } ++ } ++ } ++ + for (i = 0; i < crop->selections; i++) + { + /* rows, columns, width, length are expressed in pixels */ +@@ -6613,7 +6675,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + default: + case EDGE_TOP: + case EDGE_BOTTOM: +- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) ++ if ((crop->selections > i + 1) && ++ (crop_width != crop->regionlist[i + 1].width)) + { + TIFFError ("extractCompositeRegions", + "Only equal width regions can be combined for -E top or bottom"); +@@ -6694,7 +6757,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + break; + case EDGE_LEFT: /* splice the pieces of each row together, side by side */ + case EDGE_RIGHT: +- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) ++ if ((crop->selections > i + 1) && ++ (crop_length != crop->regionlist[i + 1].length)) + { + TIFFError ("extractCompositeRegions", + "Only equal length regions can be combined for -E left or right"); 
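Review bot: In extractCompositeRegions the rewritten in-loop checks compare against `crop->regionlist[i + 1].width` and `.length`, while the new pre-check ahead of the loop derives the same sizes from `x2 - x1 + 1` and `y2 - y1 + 1`; the hunks do not show where `.width`/`.length` of the next region are assigned, so if they are only filled in as the loop reaches each region, the look-ahead reads a value that is not yet set. Since the pre-check already rejects unequal regions before any copy, the in-loop comparison could use the coordinate form as well, e.g. `crop_width != crop->regionlist[i + 1].x2 - crop->regionlist[i + 1].x1 + 1`, or be dropped. The pre-check's `uint32_t` subtraction also wraps if a region ever has `x2 < x1`; whether earlier validation rules that out is not visible here. Both functions continue outside the hunks.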
diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 98fa4fb2836..6b4c60da595 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.4.0 -Release: 7%{?dist} +Release: 8%{?dist} License: libtiff URL: https://gitlab.com/libtiff/libtiff Group: System Environment/Libraries @@ -18,6 +18,7 @@ Patch4: CVE-2022-3597.patch Patch5: CVE-2022-3599.patch Patch6: CVE-2022-3970.patch Patch7: CVE-2022-48281.patch +Patch8: CVE-2023-0800.patch BuildRequires: autoconf BuildRequires: automake @@ -77,6 +78,9 @@ make %{?_smp_mflags} -k check %{_datadir}/man/man3/* %changelog +* Thu Feb 16 2023 Dallas Delaney - 4.4.0-8 +- Patch CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 + * Thu Feb 02 2023 Henry Li - 4.4.0-7 - Patch CVE-2022-48281 From c827fb2fcc4293a259c7873fb78894a5a82cb75a Mon Sep 17 00:00:00 2001 From: Dan Streetman Date: Wed, 22 Feb 2023 10:21:42 -0500 Subject: [PATCH 20/27] CVE-2022-40617 (#4823) --- SPECS/strongswan/CVE-2022-40617.patch | 205 ++++++++++++++++++++++++++ SPECS/strongswan/strongswan.spec | 6 +- 2 files changed, 210 insertions(+), 1 deletion(-) create mode 100644 SPECS/strongswan/CVE-2022-40617.patch diff --git a/SPECS/strongswan/CVE-2022-40617.patch b/SPECS/strongswan/CVE-2022-40617.patch new file mode 100644 index 00000000000..4c100e46f15 --- /dev/null +++ b/SPECS/strongswan/CVE-2022-40617.patch 
@@ -0,0 +1,205 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... 
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. 
+ +Fixes: CVE-2022-40617 +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -555,7 +555,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -570,7 +570,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -603,13 +603,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -622,7 +622,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if (!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -725,6 +725,7 @@ static bool 
verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -742,7 +743,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -777,11 +778,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -793,7 +801,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -806,6 +814,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == 
AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/SPECS/strongswan/strongswan.spec b/SPECS/strongswan/strongswan.spec index 928e4ffe63c..54109aafa4f 100644 --- a/SPECS/strongswan/strongswan.spec +++ b/SPECS/strongswan/strongswan.spec @@ -1,7 +1,7 @@ Summary: The OpenSource IPsec-based VPN Solution Name: strongswan Version: 5.7.2 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -13,6 +13,7 @@ Patch1: 0001-Extending-timeout-for-test-cases-with-multiple-read-.patch Patch2: CVE-2021-41990.patch Patch3: CVE-2021-41991.patch Patch4: CVE-2021-45079.patch +Patch5: CVE-2022-40617.patch BuildRequires: autoconf BuildRequires: gmp-devel @@ -50,6 +51,9 @@ find %{buildroot} -type f -name "*.a" -delete -print %{_datadir}/strongswan/* %changelog +* Fri Feb 10 2023 Dan Streetman - 5.7.2-6 +- CVE-2022-40617 + * Fri Feb 18 2022 Cameron Baird - 5.7.2-5 - Patch for CVE-2021-45079 From 37c5e7d38b22e6033b51b4c2ab68f76d2db9d879 Mon Sep 17 00:00:00 2001 
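Review bot: The new revocation pass in verify_trust_chain walks `auth` and treats each `AUTH_RULE_IM_CERT`/`AUTH_RULE_CA_CERT` entry as the issuer of the previous one, so it is correct only while the first loop adds those entries in chain order, and nothing in the hunk states that dependency. A comment above the `while`, such as `/* relies on auth holding the IM/CA certs in chain order, as added by the loop above */`, would make it explicit. The same `auth` object is also passed into `check_certificate()` while it is being enumerated; if a validator adds rules to it (not visible here), a short note on why the enumeration stays valid would help the next reader. `pathlen++` inside the argument list is easy to misread and would be clearer as a separate statement after the call. The function body starts and ends outside the hunk.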
From: rlmenge Date: Wed, 22 Feb 2023 12:43:48 -0800 Subject: [PATCH 21/27] Install vmlinux with root executable permissions (#4897) There was a bug where debug sources were missing from sources that were built into vmlinux. This is because find_debuginfo, the script which extracts debug sources, looks only at files which are executable. Because we were installing vmlinux as 644, it was being skipped. Therefore, change to install with permissions 744. --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel-hyperv/kernel-hyperv.spec | 7 +++++-- SPECS/kernel/kernel.spec | 7 +++++-- .../resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 8 files changed, 22 insertions(+), 10 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 4de1ad7b18b..bc9cd5f2ea5 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 5.10.167.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 +- Bump release number to match kernel release + * Tue Feb 07 2023 CBL-Mariner Servicing Account - 5.10.167.1-1 - Auto-upgrade to 5.10.167.1 diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index dd5d2a47aeb..9db911fa5ca 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec 
@@ -1,7 +1,7 @@ Summary: Linux API header files Name: kernel-headers Version: 5.10.167.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 +- Bump release number to match kernel release + * Tue Feb 07 2023 CBL-Mariner Servicing Account - 5.10.167.1-1 - Auto-upgrade to 5.10.167.1 diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 1e763f2cd0d..6eb2cf2df3f 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -4,7 +4,7 @@ Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv Version: 5.10.167.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -155,7 +155,7 @@ install -vm 600 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 600 .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vm 644 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} +install -vm 744 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # `perf test vmlinux` needs it ln -s vmlinux-%{uname_r} %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux @@ -270,6 +270,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 +- Install vmlinux as root executable for debuginfo + * Tue Feb 07 2023 CBL-Mariner Servicing Account - 5.10.167.1-1 - Auto-upgrade to 5.10.167.1 diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 2a06e569861..f10c4bddada 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec 
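Review bot: The `install -vm 744 vmlinux` line carries no comment saying why a debug image needs an execute bit, so a later permissions cleanup could put 644 back and drop the debug sources again. Per the commit description the bit is there because find_debuginfo only looks at executable files; a line such as `# find_debuginfo skips non-executable files, so vmlinux needs the exec bit` above the install would record that. Mode 744 grants execute to the owner only, which is unusual next to the more common 755; if owner-only is intended, the comment can say so. The same applies to the matching hunk in SPECS/kernel/kernel.spec.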
@@ -4,7 +4,7 @@ Summary: Linux Kernel Name: kernel Version: 5.10.167.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -476,7 +476,7 @@ install -D -m 640 arch/arm64/boot/dts/freescale/imx8mq-evk.dtb %{buildroot}/boot install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 600 .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vm 644 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} +install -vm 744 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # `perf test vmlinux` needs it ln -s vmlinux-%{uname_r} %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux @@ -634,6 +634,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 +- Install vmlinux as root executable for debuginfo + * Tue Feb 07 2023 CBL-Mariner Servicing Account - 5.10.167.1-1 - Auto-upgrade to 5.10.167.1 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index f4e02fd1c8c..77bf4ef1543 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.10.167.1-1.cm1.noarch.rpm +kernel-headers-5.10.167.1-2.cm1.noarch.rpm glibc-2.28-24.cm1.aarch64.rpm glibc-devel-2.28-24.cm1.aarch64.rpm glibc-i18n-2.28-24.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 79830695d3b..295edcf82bd 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.10.167.1-1.cm1.noarch.rpm +kernel-headers-5.10.167.1-2.cm1.noarch.rpm glibc-2.28-24.cm1.x86_64.rpm glibc-devel-2.28-24.cm1.x86_64.rpm glibc-i18n-2.28-24.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 867f4c635a0..283e3aa0b34 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm json-c-devel-0.14-3.cm1.aarch64.rpm kbd-2.0.4-7.cm1.aarch64.rpm kbd-debuginfo-2.0.4-7.cm1.aarch64.rpm -kernel-headers-5.10.167.1-1.cm1.noarch.rpm +kernel-headers-5.10.167.1-2.cm1.noarch.rpm kmod-25-4.cm1.aarch64.rpm kmod-debuginfo-25-4.cm1.aarch64.rpm kmod-devel-25-4.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index b2b427d6b16..0554be49a15 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm json-c-devel-0.14-3.cm1.x86_64.rpm kbd-2.0.4-7.cm1.x86_64.rpm kbd-debuginfo-2.0.4-7.cm1.x86_64.rpm -kernel-headers-5.10.167.1-1.cm1.noarch.rpm +kernel-headers-5.10.167.1-2.cm1.noarch.rpm kmod-25-4.cm1.x86_64.rpm kmod-debuginfo-25-4.cm1.x86_64.rpm kmod-devel-25-4.cm1.x86_64.rpm From ce72beadd1a61c074d3b9162493c7e072da6b7a7 Mon Sep 17 00:00:00 2001 
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Thu, 23 Feb 2023 10:36:03 -0800 Subject: [PATCH 22/27] Upgrade kernel to 5.10.168.1 version (#4907) --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 7 +++++-- .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++++- .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 7 +++++-- SPECS/kernel-hyperv/config | 2 +- .../kernel-hyperv/kernel-hyperv.signatures.json | 4 ++-- SPECS/kernel-hyperv/kernel-hyperv.spec | 7 +++++-- SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel.signatures.json | 6 +++--- SPECS/kernel/kernel.spec | 7 +++++-- cgmanifest.json | 16 ++++++++-------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 2 +- toolkit/scripts/toolchain/container/Dockerfile | 2 +- .../toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_in_chroot.sh | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 21 files changed, 50 insertions(+), 35 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index bc9cd5f2ea5..c40bc36248e 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.10.167.1 -Release: 2%{?dist} +Version: 5.10.168.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -147,6 +147,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Wed Feb 22 2023 CBL-Mariner Servicing Account - 5.10.168.1-1 +- Auto-upgrade to 5.10.168.1 + * Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 - Bump release number to match kernel release diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 083f00acfad..1b444ffef3b 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.167.1.tar.gz": "7b72e96d8b6f88702038b3680e1350182bd4dba0f530dacb4abe2303711bd069" + "kernel-5.10.168.1.tar.gz": "58b6a524ec7773e4b8319abb4794d1a4d963a45386f6ad429b4956a475592ca1" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 9590ccbe007..f7dddc72518 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.167.1 +Version: 5.10.168.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation @@ -221,6 +221,9 @@ fi %{_sbindir}/lsvmbus %changelog +* Wed Feb 22 2023 CBL-Mariner Servicing Account - 5.10.168.1-1 +- Auto-upgrade to 5.10.168.1 + * Tue Feb 07 2023 CBL-Mariner Servicing Account - 5.10.167.1-1 - Auto-upgrade to 5.10.167.1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 906a2360cf9..2e0dde25772 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.167.1.tar.gz": "7b72e96d8b6f88702038b3680e1350182bd4dba0f530dacb4abe2303711bd069" + "kernel-5.10.168.1.tar.gz": "58b6a524ec7773e4b8319abb4794d1a4d963a45386f6ad429b4956a475592ca1" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 9db911fa5ca..3a7de3e4642 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,7 +1,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.167.1 -Release: 2%{?dist} +Version: 5.10.168.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Wed Feb 22 2023 CBL-Mariner Servicing Account - 5.10.168.1-1 +- Auto-upgrade to 5.10.168.1 + * Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 - Bump release number to match kernel release diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index bbfdf3fceb6..03d16f0f334 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.167.1 Kernel Configuration +# Linux/x86_64 5.10.168.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index 0999f8ee7e6..267c2376d80 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json 
@@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "f2877f8df2a03b3214718461fdfab9bed623565783e1bc5b04750097431cc370", + "config": "7fd21961a18da210951911a12dd0b84d870a319cba42e689719f5332852c22b8", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.167.1.tar.gz": "7b72e96d8b6f88702038b3680e1350182bd4dba0f530dacb4abe2303711bd069" + "kernel-5.10.168.1.tar.gz": "58b6a524ec7773e4b8319abb4794d1a4d963a45386f6ad429b4956a475592ca1" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 6eb2cf2df3f..c85dcb01399 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.167.1 -Release: 2%{?dist} +Version: 5.10.168.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -270,6 +270,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Wed Feb 22 2023 CBL-Mariner Servicing Account - 5.10.168.1-1 +- Auto-upgrade to 5.10.168.1 + * Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 - Install vmlinux as root executable for debuginfo diff --git a/SPECS/kernel/config b/SPECS/kernel/config index e800414c6b2..67d7005f589 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.167.1 Kernel Configuration +# Linux/x86_64 5.10.168.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 635b3d35d2d..6422d8ba620 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.167.1 Kernel Configuration +# Linux/arm64 5.10.168.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 45be897d716..22720621775 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "d776947b6e6515b7131b596e71de5c37043b9a8a941e1725696e89930d2d90e0", - "config_aarch64": "86170136e24eef19260cff7c31e17cfb28573d344c35a10ed3c46bcf24dc6c6f", + "config": "8d386455b7b1132efaf47536fbeb85eeb2bb0f64283240b6705d4be26fa21614", + "config_aarch64": "dfd7ed039114dc6d5ee5f33b5fe0fccf4f1eb54c9ad6b0b7b557255bf645159a", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-5.10.167.1.tar.gz": "7b72e96d8b6f88702038b3680e1350182bd4dba0f530dacb4abe2303711bd069" + "kernel-5.10.168.1.tar.gz": "58b6a524ec7773e4b8319abb4794d1a4d963a45386f6ad429b4956a475592ca1" } } \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index f10c4bddada..f67b929adff 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.10.167.1 -Release: 2%{?dist} +Version: 5.10.168.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -634,6 +634,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Wed Feb 22 2023 CBL-Mariner Servicing Account - 5.10.168.1-1 +- Auto-upgrade to 5.10.168.1 + * Wed Feb 15 2023 Rachel Menge - 5.10.167.1-2 - Install vmlinux as root executable for debuginfo 
diff --git a/cgmanifest.json b/cgmanifest.json index 3444a1fb5ab..b866888b28a 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2156,8 +2156,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.167.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.167.1.tar.gz" + "version": "5.10.168.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.168.1.tar.gz" } } }, @@ -2476,8 +2476,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.10.167.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.167.1.tar.gz" + "version": "5.10.168.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.168.1.tar.gz" } } }, @@ -2486,8 +2486,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.167.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.167.1.tar.gz" + "version": "5.10.168.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.168.1.tar.gz" } } }, @@ -2496,8 +2496,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.167.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.167.1.tar.gz" + "version": "5.10.168.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.168.1.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 77bf4ef1543..93f002fcf65 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.10.167.1-2.cm1.noarch.rpm +kernel-headers-5.10.168.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.aarch64.rpm glibc-devel-2.28-24.cm1.aarch64.rpm glibc-i18n-2.28-24.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 295edcf82bd..4fb9c579537 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.10.167.1-2.cm1.noarch.rpm +kernel-headers-5.10.168.1-1.cm1.noarch.rpm glibc-2.28-24.cm1.x86_64.rpm glibc-devel-2.28-24.cm1.x86_64.rpm glibc-i18n-2.28-24.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 283e3aa0b34..ef0fa2c2bd9 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm json-c-devel-0.14-3.cm1.aarch64.rpm kbd-2.0.4-7.cm1.aarch64.rpm kbd-debuginfo-2.0.4-7.cm1.aarch64.rpm -kernel-headers-5.10.167.1-2.cm1.noarch.rpm +kernel-headers-5.10.168.1-1.cm1.noarch.rpm kmod-25-4.cm1.aarch64.rpm kmod-debuginfo-25-4.cm1.aarch64.rpm kmod-devel-25-4.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 0554be49a15..93cc66f33c0 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -152,7 +152,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm json-c-devel-0.14-3.cm1.x86_64.rpm kbd-2.0.4-7.cm1.x86_64.rpm kbd-debuginfo-2.0.4-7.cm1.x86_64.rpm -kernel-headers-5.10.167.1-2.cm1.noarch.rpm +kernel-headers-5.10.168.1-1.cm1.noarch.rpm kmod-25-4.cm1.x86_64.rpm kmod-debuginfo-25-4.cm1.x86_64.rpm kmod-devel-25-4.cm1.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 4d4da4aa25c..8f3dd1a79c4 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -69,7 +69,7 @@ COPY [ "./toolchain-sha256sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.167.1.tar.gz -O kernel-5.10.167.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.168.1.tar.gz -O kernel-5.10.168.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 6960e1e18df..ab1b8850949 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums 
@@ -59,7 +59,7 @@ b725c9b2e9793df7bf5d4d300390db11aa27bd98df9f33021d539be9bd603846 jdk8u212-b04-j 13ae78908151ad88ee3b375c72ca3f55a82b5265a3faba97f224f2a9b9d486fc jdk8u212-b04-nashorn.tar.bz2 6d28bdd752c056de98f6faf897b338d6ce8938810d72a69c2f5c1d81d628d44a jdk8u212-b04.tar.bz2 f882210b76376e3fa006b11dbd890e56ec0942bc56e65d1249ff4af86f90b857 kbproto-1.0.7.tar.bz2 -7b72e96d8b6f88702038b3680e1350182bd4dba0f530dacb4abe2303711bd069 kernel-5.10.167.1.tar.gz +58b6a524ec7773e4b8319abb4794d1a4d963a45386f6ad429b4956a475592ca1 kernel-5.10.168.1.tar.gz c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2 libarchive-3.6.1.tar.gz b630b7c484271b3ba867680d6a14b10a86cfa67247a14631b14c06731d5a458b libcap-2.26.tar.xz c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index 78c6cfd66fc..14fe2aa2336 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -57,7 +57,7 @@ set -e # cd /sources -KERNEL_VERSION="5.10.167.1" +KERNEL_VERSION="5.10.168.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index ba768349cac..1fe8756af2c 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh 
@@ -114,7 +114,7 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="5.10.167.1" +KERNEL_VERSION="5.10.168.1" echo Linux-${KERNEL_VERSION} API Headers tar xf kernel-${KERNEL_VERSION}.tar.gz pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-${KERNEL_VERSION} From 791127a627a0b07833d91f806829d89460cf3a1f Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 24 Feb 2023 09:56:50 -0800 Subject: [PATCH 23/27] Upgrade clamav to 0.103.8 CVE-2023-20032 (#4880) --- SPECS/clamav/clamav.signatures.json | 6 +++--- SPECS/clamav/clamav.spec | 7 +++++-- cgmanifest.json | 4 ++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/SPECS/clamav/clamav.signatures.json b/SPECS/clamav/clamav.signatures.json index 3366885b5fe..2ddf83ed23c 100644 --- a/SPECS/clamav/clamav.signatures.json +++ b/SPECS/clamav/clamav.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "clamav-0.103.6.tar.gz": "aaa12e3dc19f1d323b1c50d7a10fa8af557e4390149e864d59bde39b6ad9ba33" - } + "Signatures": { + "clamav-0.103.8.tar.gz": "6f49da6ee927936de13d359e559d3944248e3a257d40b80b6c99ebe6fe8c8c3f" + } } \ No newline at end of file diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec index a3d5e24c42e..0710741623b 100644 --- a/SPECS/clamav/clamav.spec +++ b/SPECS/clamav/clamav.spec @@ -2,8 +2,8 @@ %{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} Summary: Open source antivirus engine Name: clamav -Version: 0.103.6 -Release: 2%{?dist} +Version: 0.103.8 +Release: 1%{?dist} License: ASL 2.0 AND BSD AND bzip2-1.0.4 AND GPLv2 AND LGPLv2+ AND MIT AND Public Domain AND UnRar Vendor: Microsoft Corporation Distribution: Mariner 
@@ -99,6 +99,9 @@ rm -f %{_var}/log/freshclam.log %ghost %attr(-,clamav,clamav) %{_var}/log/freshclam.log %changelog +* Fri Feb 17 2023 CBL-Mariner Servicing Account - 0.103.8-1 +- Auto-upgrade to 0.103.8 - CVE-2023-20032 + *Fri Jul 22 2022 Olivia Crain - 0.103.6-2 - Fix freshclam DB download (backport of Tom Fay's 2.0 changes) - Create/delete clamav user and group on preinstall/postuninstall diff --git a/cgmanifest.json b/cgmanifest.json index b866888b28a..f46d7071a10 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -676,8 +676,8 @@ "type": "other", "other": { "name": "clamav", - "version": "0.103.6", - "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.103.6.tar.gz" + "version": "0.103.8", + "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.103.8.tar.gz" } } }, From 3423de6a88cc6f1588d1de862b45bb27dc07a679 Mon Sep 17 00:00:00 2001 From: Mandeep Plaha <99760213+mandeepsplaha@users.noreply.github.com> Date: Fri, 24 Feb 2023 11:28:46 -0800 Subject: [PATCH 24/27] patch python cryptography for CVE-2023-23931 (#4917) * Patch python-cryptography for cve-2023-23931 --------- Co-authored-by: Pawel Winogrodzki --- .../python-cryptography/CVE-2023-23931.patch | 39 ++++++++++++ .../python-cryptography.spec | 61 ++++++++++++------- 2 files changed, 78 insertions(+), 22 deletions(-) create mode 100644 SPECS/python-cryptography/CVE-2023-23931.patch diff --git a/SPECS/python-cryptography/CVE-2023-23931.patch b/SPECS/python-cryptography/CVE-2023-23931.patch new file mode 100644 index 00000000000..30c468f1346 --- /dev/null +++ b/SPECS/python-cryptography/CVE-2023-23931.patch 
@@ -0,0 +1,39 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Tue Feb 07 2023 +From: Alex Gaynor +Date: Tue, Feb 07 2023 08:34:00 +0000 +Subject: Don't allow update_into to mutate immutable objects (CVE-2023-23931) + +--- + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index ad5dad3..020ca25 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -135,7 +135,7 @@ class _CipherContext(object): + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index a9219fe..d5410a6 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -310,6 +310,14 @@ class TestCipherUpdateInto(object): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/SPECS/python-cryptography/python-cryptography.spec b/SPECS/python-cryptography/python-cryptography.spec index 148be9314b5..4eac39b6d22 100644 --- a/SPECS/python-cryptography/python-cryptography.spec +++ b/SPECS/python-cryptography/python-cryptography.spec 
@@ -4,33 +4,32 @@ Summary: Python cryptography library Name: python-cryptography Version: 3.3.2 -Release: 1%{?dist} -Url: https://pypi.python.org/pypi/cryptography +Release: 2%{?dist} License: ASL 2.0 -Group: Development/Languages/Python Vendor: Microsoft Corporation Distribution: Mariner +Group: Development/Languages/Python +Url: https://pypi.python.org/pypi/cryptography Source0: https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz - +Patch0: CVE-2023-23931.patch +BuildRequires: openssl-devel +BuildRequires: python-cffi +BuildRequires: python-setuptools BuildRequires: python2 -BuildRequires: python2-libs BuildRequires: python2-devel -BuildRequires: python-setuptools -BuildRequires: python-cffi -BuildRequires: openssl-devel - -Requires: python-cffi +BuildRequires: python2-libs Requires: openssl -Requires: python2 -Requires: python2-libs +Requires: python-asn1crypto +Requires: python-cffi +Requires: python-enum34 Requires: python-idna -Requires: python-pyasn1 Requires: python-ipaddress -Requires: python-setuptools Requires: python-packaging -Requires: python-enum34 -Requires: python-asn1crypto +Requires: python-pyasn1 +Requires: python-setuptools Requires: python-six +Requires: python2 +Requires: python2-libs %description Cryptography is a Python library which exposes cryptographic recipes and primitives. 
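Review bot: The cffi dependency stays unversioned in this hunk (`BuildRequires: python-cffi`, `Requires: python-cffi`) and in the next one (`python3-cffi`), although the new `Patch0` calls `from_buffer(buf, require_writable=True)`, a keyword that cffi only accepts from 1.12 onward. With an older cffi, every `update_into()` call would be expected to fail with a `TypeError` on the unknown keyword rather than only rejecting read-only buffers. Please confirm the packaged cffi version and pin it, e.g. `Requires: python-cffi >= 1.12` and `Requires: python3-cffi >= 1.12`, with the same bound on the `BuildRequires` lines. Separately, the alphabetical reordering of the `Requires` block makes the security-relevant lines (`Patch0`, `-p1`) harder to spot; a separate commit for the reordering would keep the CVE fix reviewable.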
@@ -38,27 +37,26 @@ Cryptography is a Python library which exposes cryptographic recipes and primiti %package -n python3-cryptography Summary: python-cryptography BuildRequires: python3 +BuildRequires: python3-cffi BuildRequires: python3-devel BuildRequires: python3-libs -BuildRequires: python3-cffi BuildRequires: python3-setuptools BuildRequires: python3-xml - Requires: python3 -Requires: python3-libs +Requires: python3-asn1crypto Requires: python3-cffi Requires: python3-idna +Requires: python3-libs +Requires: python3-packaging Requires: python3-pyasn1 Requires: python3-six -Requires: python3-packaging -Requires: python3-asn1crypto %description -n python3-cryptography Cryptography is a Python library which exposes cryptographic recipes and primitives. This is a Python 3 version. %prep -%autosetup -n cryptography-%{version} +%autosetup -p1 -n cryptography-%{version} rm -rf ../p3dir cp -a . ../p3dir 
@@ -99,40 +97,59 @@ python3 setup.py test %{python3_sitelib}/* %changelog +* Wed Feb 22 2023 Mandeep Plaha 3.3.2-2 +- Patch CVE-2023-23931 + * Wed Feb 10 2021 Mateusz Malisz 3.3.2-1 - Update to version 3.3.2, fixing CVE-2020-36242 - Remove Patch for CVE-2020-25659. + * Wed Jan 20 2021 Henry Beberman 2.3.1-4 - Patch CVE-2020-25659 - License verified + * Sat May 09 2020 Nick Samson 2.3.1-3 - Added %%license line automatically + * Tue Sep 03 2019 Mateusz Malisz 2.3.1-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Sun Sep 09 2018 Tapas Kundu 2.3.1-1 - Update to version 2.3.1 + * Mon Aug 14 2017 Xiaolin Li 2.0.3-1 - Updated to version 2.0.3. + * Tue Jul 25 2017 Divya Thaluru 1.8.1-4 - Added missing requires python-six and python-enum34 - Removed python-enum from requires + * Wed Jun 07 2017 Xiaolin Li 1.8.1-3 - Add python3-setuptools and python3-xml to python3 sub package Buildrequires. + * Fri May 05 2017 Priyesh Padmavilasom 1.8.1-2 - Added missing requires python-enum + * Tue Apr 04 2017 Xiaolin Li 1.8.1-1 - Updated to version 1.8.1. + * Thu Feb 02 2017 Xiaolin Li 1.7.2-1 - Updated to version 1.7.2 and added python3 package. + * Mon Oct 03 2016 ChangLee 1.2.3-3 - Modified %check + * Tue May 24 2016 Priyesh Padmavilasom 1.2.3-2 - GA - Bump release of all rpms + * Mon Mar 07 2016 Anish Swaminathan 1.2.3-1 - Upgrade to 1.2.3 + * Fri Feb 26 2016 Anish Swaminathan 1.2.2-1 - Upgrade version to 1.2.2 + * Thu Jan 21 2016 Anish Swaminathan 1.2.1-1 - Upgrade version + * Wed Nov 18 2015 Divya Thaluru 1.1-1 - Initial packaging for Photon From 5210b13aa31984a9366c76eafbcc41d7c8a0e883 Mon Sep 17 00:00:00 2001 From: Andrew Phelps Date: Fri, 24 Feb 2023 12:51:34 -0800 Subject: [PATCH 25/27] update wget URL for mariner-nvidia.repo (#4922) --- toolkit/docs/nvidia/nvidia.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/toolkit/docs/nvidia/nvidia.md b/toolkit/docs/nvidia/nvidia.md index 0ee5eb0a737..6bccce044c2 100644 
--- a/toolkit/docs/nvidia/nvidia.md +++ b/toolkit/docs/nvidia/nvidia.md @@ -15,5 +15,5 @@ The following instructions register the nvidia package store with the package ma cd /etc/yum.repos.d # Copy the configuration to your directory to register the NVIDIA RPM repository with your package manager -sudo wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/toolkit/docs/nvidia/mariner-nvidia.repo +sudo wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/1.0/toolkit/docs/nvidia/mariner-nvidia.repo ``` From 2813590624fa1edc623c105ca2b45e04cf3cf660 Mon Sep 17 00:00:00 2001 From: Dallas Delaney <106280731+dallasd1@users.noreply.github.com> Date: Fri, 24 Feb 2023 13:15:13 -0800 Subject: [PATCH 26/27] Patch CVE 2023-0795 thru CVE-2023-0799 in libtiff (#4877) Co-authored-by: Olivia Crain --- CVE-2023-0796.nopatch | 1 + CVE-2023-0797.nopatch | 1 + CVE-2023-0798.nopatch | 1 + CVE-2023-0799.nopatch | 1 + SPECS/libtiff/CVE-2023-0795.patch | 335 ++++++++++++++++++++++++++++++ SPECS/libtiff/libtiff.spec | 6 +- 6 files changed, 344 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-0796.nopatch create mode 100644 CVE-2023-0797.nopatch create mode 100644 CVE-2023-0798.nopatch create mode 100644 CVE-2023-0799.nopatch create mode 100644 SPECS/libtiff/CVE-2023-0795.patch diff --git a/CVE-2023-0796.nopatch b/CVE-2023-0796.nopatch new file mode 100644 index 00000000000..b685e4bde35 --- /dev/null +++ b/CVE-2023-0796.nopatch @@ -0,0 +1 @@ +The CVE-2023-0795.patch also fixes CVE-2023-0796 diff --git a/CVE-2023-0797.nopatch b/CVE-2023-0797.nopatch new file mode 100644 index 00000000000..b846e43c8ed --- /dev/null +++ b/CVE-2023-0797.nopatch @@ -0,0 +1 @@ +The CVE-2023-0795.patch also fixes CVE-2023-0797 diff --git a/CVE-2023-0798.nopatch b/CVE-2023-0798.nopatch new file mode 100644 index 00000000000..a24d8f534c0 --- /dev/null +++ b/CVE-2023-0798.nopatch @@ -0,0 +1 @@ +The CVE-2023-0795.patch also fixes CVE-2023-0798 
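Review bot: The `.nopatch` markers for CVE-2023-0796 (this hunk) and for 0797, 0798 and 0799 (the following hunks) are created at the repository root, while the patch they refer to is added as `SPECS/libtiff/CVE-2023-0795.patch`. If the CVE tracking tooling expects markers next to the package's spec (an assumption to confirm against the repo's convention), these four CVEs would still be reported as open for libtiff. Moving them to `SPECS/libtiff/CVE-2023-0796.nopatch` and so on would keep the record with the package it describes.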
diff --git a/CVE-2023-0799.nopatch b/CVE-2023-0799.nopatch new file mode 100644 index 00000000000..aec1601776a --- /dev/null +++ b/CVE-2023-0799.nopatch @@ -0,0 +1 @@ +The CVE-2023-0795.patch also fixes CVE-2023-0799 diff --git a/SPECS/libtiff/CVE-2023-0795.patch b/SPECS/libtiff/CVE-2023-0795.patch new file mode 100644 index 00000000000..e892a0ee05f --- /dev/null +++ b/SPECS/libtiff/CVE-2023-0795.patch 
@@ -0,0 +1,335 @@ +From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Fri, 3 Feb 2023 15:31:31 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 rotateImage() set up a new buffer and calculates its size + individually. Therefore, seg_buffs[] size needs to be updated accordingly. + Before this fix, the seg_buffs buffer size was calculated with a different + formula than within rotateImage(). + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 2b8a8e9..603729f 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **); ++ unsigned char **, size_t *); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + return (-1); + } + +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr)) ++ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() set up a new buffer and calculates its size ++ * individually. Therefore, seg_buffs size needs to be updated ++ * accordingly. 
*/ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff)) ++ &crop->combined_length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); + return (-1); + } + seg_buffs[0].buffer = crop_buff; +- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8) +- * image->spp) * crop->combined_length; ++ seg_buffs[0].size = rot_buf_size; + } + } + else /* Separated Images */ +@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + { + /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. + * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! +- */ ++ * Furthermore, rotateImage() set up a new buffer and calculates ++ * its size individually. Therefore, seg_buffs size needs to be ++ * updated accordingly. 
*/ ++ size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff)) ++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); +@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop->combined_width = total_width; + crop->combined_length = total_length; + seg_buffs[i].buffer = crop_buff; +- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) +- * image->spp) * crop->regionlist[i].length; ++ seg_buffs[i].size = rot_buf_size; + } + } /* for crop->selections loop */ + } /* Separated Images (else case) */ +@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr)) ++ &crop->combined_length, crop_buff_ptr, NULL)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); +@@ -8687,7 +8692,7 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, +- uint32_t *img_length, unsigned char **ibuff_ptr) ++ uint32_t *img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; +@@ -8738,6 +8743,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ if (rot_buf_size != NULL) ++ *rot_buf_size = buffsize; + + ibuff = *ibuff_ptr; + switch (rotation) + +From 
688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 4 Feb 2023 23:24:21 +0100 +Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() + fix#520 -- enlarge buffsize and check integer overflow within rotateImage(). + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 603729f..cf3ff8e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -8698,7 +8698,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + uint32_t bytes_per_pixel, bytes_per_sample; + uint32_t row, rowsize, src_offset, dst_offset; + uint32_t i, col, width, length; +- uint32_t colsize, buffsize, col_offset, pix_offset; ++ uint32_t colsize, col_offset, pix_offset; ++ tmsize_t buffsize; + unsigned char *ibuff; + unsigned char *src; + unsigned char *dst; +@@ -8711,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + spp = image->spp; + bps = image->bps; + ++ if ((spp != 0 && bps != 0 && ++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || ++ (spp != 0 && bps != 0 && ++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) ++ { ++ TIFFError("rotateImage", "Integer overflow detected."); ++ return (-1); ++ } + rowsize = ((bps * spp * width) + 7) / 8; + colsize = ((bps * spp * length) + 7) / 8; + if ((colsize * width) > (rowsize * length)) +- buffsize = (colsize + 1) * width; ++ { ++ if (((tmsize_t)colsize + 1) != 0 && ++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)colsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } ++ buffsize = ((tmsize_t)colsize + 1) * width; ++ } + else ++ { ++ if (((tmsize_t)rowsize + 1) != 0 && ++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / ++ ((tmsize_t)rowsize + 1))) ++ { ++ TIFFError("rotateImage", ++ "Integer overflow when calculating buffer size."); ++ return (-1); ++ } + buffsize = (rowsize + 1) * length; ++ } 
+ + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; +@@ -8739,7 +8768,10 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + /* Add 3 padding bytes for extractContigSamplesShifted32bits */ + if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); ++ TIFFError("rotateImage", ++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT ++ " bytes ", ++ buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } + _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); + +From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sun, 29 Jan 2023 11:09:26 +0100 +Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) + image width and length parameters when only cropped image sections are + rotated. Remove buffptr from region structure because never used. 
+ +Closes #492 #493 #494 #495 #499 #518 #519 + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index cf3ff8e..6013b83 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -271,7 +271,6 @@ struct region { + uint32_t width; /* width in pixels */ + uint32_t length; /* length in pixels */ + uint32_t buffsize; /* size of buffer needed to hold the cropped region */ +- unsigned char *buffptr; /* address of start of the region */ + }; + + /* Cropping parameters from command line and image data +@@ -526,7 +525,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, + static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, + uint32_t, uint32_t, uint8_t *, uint8_t *); + static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, +- unsigned char **, size_t *); ++ unsigned char **, size_t *, int); + static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, + unsigned char *); + static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, +@@ -5224,7 +5223,6 @@ initCropMasks (struct crop_mask *cps) + cps->regionlist[i].width = 0; + cps->regionlist[i].length = 0; + cps->regionlist[i].buffsize = 0; +- cps->regionlist[i].buffptr = NULL; + cps->zonelist[i].position = 0; + cps->zonelist[i].total = 0; + } +@@ -6557,7 +6555,13 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b + return (-1); + } + +- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL)) ++ /* Dummy variable in order not to switch two times the ++ * image->width,->length within rotateImage(), ++ * but switch xres, yres there. 
*/ ++ uint32_t width = image->width; ++ uint32_t length = image->length; ++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, ++ TRUE)) + { + TIFFError ("correct_orientation", "Unable to rotate image"); + return (-1); +@@ -6665,7 +6669,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop, + /* These should not be needed for composite images */ + crop->regionlist[i].width = crop_width; + crop->regionlist[i].length = crop_length; +- crop->regionlist[i].buffptr = crop_buff; + + src_rowsize = ((img_width * bps * spp) + 7) / 8; + dst_rowsize = (((crop_width * bps * count) + 7) / 8); +@@ -6904,7 +6907,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop, + + crop->regionlist[region].width = crop_width; + crop->regionlist[region].length = crop_length; +- crop->regionlist[region].buffptr = crop_buff; + + src = read_buff; + dst = crop_buff; +@@ -7786,7 +7788,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * accordingly. */ + size_t rot_buf_size = 0; + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, &crop_buff, &rot_buf_size)) ++ &crop->combined_length, &crop_buff, &rot_buf_size, ++ FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); +@@ -7897,8 +7900,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + * its size individually. Therefore, seg_buffs size needs to be + * updated accordingly. 
*/ + size_t rot_buf_size = 0; +- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, +- &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) ++ if (rotateImage(crop->rotation, image, ++ &crop->regionlist[i].width, ++ &crop->regionlist[i].length, &crop_buff, ++ &rot_buf_size, FALSE)) + { + TIFFError("processCropSelections", + "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); +@@ -8029,7 +8034,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { + if (rotateImage(crop->rotation, image, &crop->combined_width, +- &crop->combined_length, crop_buff_ptr, NULL)) ++ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) + { + TIFFError("createCroppedImage", + "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); +@@ -8692,7 +8697,8 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + /* Rotate an image by a multiple of 90 degrees clockwise */ + static int + rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, +- uint32_t *img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size) ++ uint32_t *img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size, ++ int rot_image_params) + { + int shift_width; + uint32_t bytes_per_pixel, bytes_per_sample; +@@ -8917,11 +8923,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. 
*/ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + + case 270: if ((bps % 8) == 0) /* byte aligned data */ +@@ -8994,11 +9004,15 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + + *img_width = length; + *img_length = width; +- image->width = length; +- image->length = width; +- res_temp = image->xres; +- image->xres = image->yres; +- image->yres = res_temp; ++ /* Only toggle image parameters if whole input image is rotated. */ ++ if (rot_image_params) ++ { ++ image->width = length; ++ image->length = width; ++ res_temp = image->xres; ++ image->xres = image->yres; ++ image->yres = res_temp; ++ } + break; + default: + break; diff --git a/SPECS/libtiff/libtiff.spec b/SPECS/libtiff/libtiff.spec index 6b4c60da595..6ec21033a7f 100644 --- a/SPECS/libtiff/libtiff.spec +++ b/SPECS/libtiff/libtiff.spec @@ -1,7 +1,7 @@ Summary: TIFF libraries and associated utilities. Name: libtiff Version: 4.4.0 -Release: 8%{?dist} +Release: 9%{?dist} License: libtiff URL: https://gitlab.com/libtiff/libtiff Group: System Environment/Libraries @@ -19,6 +19,7 @@ Patch5: CVE-2022-3599.patch Patch6: CVE-2022-3970.patch Patch7: CVE-2022-48281.patch Patch8: CVE-2023-0800.patch +Patch9: CVE-2023-0795.patch BuildRequires: autoconf BuildRequires: automake @@ -78,6 +79,9 @@ make %{?_smp_mflags} -k check %{_datadir}/man/man3/* %changelog +* Thu Feb 16 2023 Dallas Delaney - 4.4.0-9 +- Patch CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 + * Thu Feb 16 2023 Dallas Delaney - 4.4.0-8 - Patch CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 From ab03f502d8a9f015c31a76d5b66932af939111a9 Mon Sep 17 00:00:00 2001 
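Review bot: In the second embedded commit's `rotateImage()` hunk, the `else` branch still computes `buffsize = (rowsize + 1) * length;` in `uint32_t`, so the product can wrap at 32 bits before it is widened to `tmsize_t`, even though the guard added just above it is evaluated in `tmsize_t`. The `if` branch was changed to `((tmsize_t)colsize + 1) * width`, and the `else` branch should match it: `buffsize = ((tmsize_t)rowsize + 1) * length;`. A wrapped value would make `rbuff`, and the `*rot_buf_size` that now feeds `seg_buffs[].size`, smaller than the rotation loops assume. The branch selector `if ((colsize * width) > (rowsize * length))` is also 32-bit arithmetic and could pick the smaller candidate after a wrap, so it would benefit from the same casts.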
From: Olivia Crain Date: Fri, 24 Feb 2023 18:48:22 -0600 Subject: [PATCH 27/27] Bump release for February 2023 Release 3 (#4925) --- SPECS/mariner-release/mariner-release.spec | 4 +++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index d3017463c6e..6defec38fce 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 56%{?dist} +Release: 57%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner @@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Fri Feb 24 2023 Olivia Crain - 1.0-57 +- Updating version for February update 3. * Tue Feb 14 2023 Jon Slobodzian - 1.0-56 - Updating version for February update 2. * Tue Feb 07 2023 Jon Slobodzian - 1.0-55 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 93f002fcf65..cb867ed81c8 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.aarch64.rpm gettext-0.19.8.1-5.cm1.aarch64.rpm gzip-1.12-1.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm -mariner-release-1.0-56.cm1.noarch.rpm +mariner-release-1.0-57.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-7.cm1.aarch64.rpm util-linux-devel-2.32.1-7.cm1.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 4fb9c579537..b166562e393 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -58,7 +58,7 @@ findutils-lang-4.6.0-8.cm1.x86_64.rpm gettext-0.19.8.1-5.cm1.x86_64.rpm gzip-1.12-1.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm -mariner-release-1.0-56.cm1.noarch.rpm +mariner-release-1.0-57.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-7.cm1.x86_64.rpm util-linux-devel-2.32.1-7.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index ef0fa2c2bd9..da254d09657 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm make-debuginfo-4.2.1-5.cm1.aarch64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-56.cm1.noarch.rpm +mariner-release-1.0-57.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 93cc66f33c0..228968c8804 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -259,7 +259,7 @@ m4-debuginfo-1.4.18-4.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm make-debuginfo-4.2.1-5.cm1.x86_64.rpm mariner-check-macros-1.0-8.cm1.noarch.rpm -mariner-release-1.0-56.cm1.noarch.rpm +mariner-release-1.0-57.cm1.noarch.rpm mariner-repos-1.0-16.cm1.noarch.rpm mariner-repos-extras-1.0-16.cm1.noarch.rpm mariner-repos-extras-preview-1.0-16.cm1.noarch.rpm