merge 1.0 into dev (#299)

* Update trademark section of the readme

Signed-off-by: Jim Perrin <Jim.Perrin@microsoft.com>

* Update building.md (#104)

* add wants=sshd-keygen.service to sshd (#58)

* add wants=sshd-keygen.service to sshd

Signed-off-by: Jim Perrin <Jim.Perrin@microsoft.com>

* modify signatures.json and bump release for pr

Signed-off-by: Jim Perrin <Jim.Perrin@microsoft.com>

* Fix libffi normal package build (#116)

* Fix libffi normal package build

* Add comment explaining the purpose of the sed call

* Upgrade golang to 1.13.15 (#93)

* Adding a small build tip to the quick start instructions. (#123)

* Add cloud-init-vmware-guestinfo package (#124)

* Add cloud-init-vmware-guestinfo package

* Updating 'ca-certificates' nssckbi.h header and unifying changelog entries with package version (#125)

* Updating changelog to be consistent with package version.

* Fixing missed update to 'nssckbi.h'.

* Updating manifests.

* Updating signatures.

* Markdown lint-induced clean-up of doc files. (#122)

* Markdownlint-induced clean-up.

* Removing redundant lines.

* Removing redundant lines 2.

* Add IMA feature to the kernel, add config for it (#135)

* Add IMA feature to the kernel, add config for it

- Add IMA measurement configs to the x86_64, and aarch64 kernel configs (IMA_APPRAISE currently disabled).
- Add KernelCommandLine config field to control IMA, and allow additional configs to be passed.

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Christopher Co <christopher.co@microsoft.com>

* Update tpm2 tools to 4.2, tss to 2.4.0 (#134)

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Enable Mellanox kernel configs

* Update tpm2-abrmd to 2.3.3 (#144)

* Update tpm2-abrmd to 2.3.3

* Create quickstart.yml (#119)

This patch adds a GitHub Action to verify our Quickstart instructions

* Nopatch httpd CVE-1999-0236, CVE-1999-1412 (#148)

* Nopatch httpd CVE-1999-0236, CVE-1999-1412

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch groff CVE-2000-0803 (#149)

* Nopatch groff CVE-2000-0803

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch apparmor CVE-2016-1585 (#150)

* Nopatch apparmor CVE-2016-1585

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch qemu CVE-2016-7161 (#152)

* Nopatch qemu CVE-2016-7161

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch lua CVE-2020-15889 (#153)

* nopatch lua CVE-2020-15889

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch unzip CVE-2008-0888 (#154)

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* full: Always install the default kernel (#132)

Currently, when installing CBL-Mariner via ISO, the ISO will
install the standard kernel package or the kernel-hyperv package
depending on if installing on HyperV VM or not.

The HyperV kernel is still under evaluation so use the standard kernel
package across the board.

* Support downloading preview SRPMs (#160)

Replace SRPM_URL* with SRPM_URL_LIST

* Patch CVE-2020-14342 in cifs-utils

* Replace mariner-repos's %post script as %posttrans

- The scriptlet ordering documented here shows that the %post script for a new version runs before the %preun script for an old version, which means that, after an upgrade, the keys would be removed by the older version: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#ordering

* Update pkggen_core_aarch64.txt

* Update pkggen_core_x86_64.txt

* Update toolchain_aarch64.txt

* Update toolchain_x86_64.txt

* Add a more verbose changelog

* Remove chrony-wait as a boot service dependency (#166)

* Remove chrony-wait as a boot service dependency

* Add cgmanifest entry for chrony

* Address changelog and prep section comments

* initramfs: Regenerate initrd using host-only mode on file-based trigger (#170)

* initramfs: Always use host-only mode

kdump currently uses the host system's initrd when enrolling a crash kernel
and initrd. There is a limitation where the kdump initrd must be generated
with dracut in "host-only" mode.

The -k option forces a host-only initrd build.
The -q option suppresses verbose output

If mkinitrd is called without <image> and <kernel-version> parameters, it will
default to calling dracut in "host-mode" mode on every kernel version it can
find in /boot.

If mkinitrd is called with <image> and <kernel-version> parameters, it will
default to calling dracut in "generic host" mode for rebuilding the specific
initrd. Therefore we need to make sure to add the -k option when invoking
mkinitrd with an explicit <image> and <kernel version>

* Reword comment block

* Fix kernel specs' %postun scripts (#164)

* Fix `kernel.spec`'s `%postun` script

* Fix `kernel-signed-aarch64`'s `%postun` script

* Fix kernel-signed-x64.spec's %postun script

* Fix kernel-hyperv.spec's %postun script

* Adding new 'preview' repository. (#146)

* Adding new 'preview' repository.

* Addressing comments.

* Fix kernel aarch64 package build break due to missing CONFIG_IMA_KEXEC (#171)

* Fix kernel aarch64 package build break due to missing CONFIG_IMA_KEXEC (#171)

* Update fontconfig to 2.13.91 (#175)

* Extending 'strongswan' test timeout. (#173)

* Fix CVE-2020-14342 patch to not depend on PATH

* installutils: Supply blank /etc/machine-id file (#147)

From https://www.freedesktop.org/software/systemd/man/machine-id.html:
For operating system images which are created once and used on multiple
machines, for example for containers or in the cloud, /etc/machine-id
should be an empty file in the generic file system image. An ID will be
generated during boot and saved to this file if possible.

* installutils: Remove root password expiry when no root user is specified in imageconfig file (#161)

* Add SELinux packages to Mariner. (#100)

* Add SELinux packages to Mariner.

This commit adds the following packages to Mariner to provide basic
SELinux support:

- checkpolicy
- libsemanage
- mcstrans
- policycoreutils
- secilc
- selinux-policy
- setools

The selinux-policy provided here is a generic base policy, which is not
specifically tuned for Mariner, therefore only permissive mode support
is enabled in this commit.  (Although users could load a custom policy
to run in enforcing mode).  Future phases have been discussed to add
SELinux enforcing mode support.

This commit does not enable SELinux by default.  In order to enable
SELinux support, one must first install necessary packages (libselinux,
policycoreutils, secilc, selinux-policy), and then append "lsm=selinux
selinux=1" to the kernel command line.  This will trigger an initial
boot to relabel the system, at which point the system will reboot, and
boot into an SELinux enabled system.  SELinux state can be queried with
the "getenforce" command line tool.  If SELinux has not been enabled, it
will report "Disabled" (the default).  If SELinux support has been
enabled as described in this paragraph, it will report "permissive".

This commit also modifies the following packages to enable SELinux
functionality in existing packages:

- coreutils
- cronie
- dbus
- openssh
- pam
- rpm
- shadow-utils
- systemd
- util-linux

This enables them to build with SELinux support so that when SELinux is
enabled, they have SELinux related functionality available.

Because coreutils is a basic package and requires building with
libselinux-devel present in order to enable key SELinux functionality,
several dependencies in other packages that rely on coreutils (namely
python2, python3 and systemd-bootstrap) had to be removed in order to
avoid circular dependencies.  There does not appear to be a functional
impact from this change based on my testing.

* Remove "::set-env" commands in GitHub Actions (#178)

* Adding a .nopatch for CVE-2007-0086. (#176)

* Updating cert bundle paths. (#181)

* Updating cert bundle paths.

* Updating cgmanifest.json.

* Adding the `gflags` and `rocksdb` packages. (#183)

* Adding the 'rocksdb' package.

* Adding the 'gflags' package.

* Add missing %libsepolver definition in secilc.spec (#192)

* Removing 'TERMINAL_ISO_INSTALLER' from the docs. (#189)

* Add architecture at the end of toolkit archive (#182)

- Also add `version.txt` file in the toolkit archive as an easy way to verify toolkit version.

* Adding a missing '%{?dist}' tag. (#195)

* enable fetching RPMs from packages.microsoft.com for Docker based build (#198)

* Update README.md (#180)

* Update README.md (#180)

* Build Break Fix: Rollback selinux checkins. (#204)

* Revert "Add missing %libsepolver definition in secilc.spec (#192)"

This reverts commit 9cff088bec.

* Revert "Add SELinux packages to Mariner. (#100)"

This reverts commit b2d918efac.

* Natively support pulling from the preview repo (#199)

* Fix CVE-2020-26159 in oniguruma (#211)

* Fix CVE-2020-26159

* Increment release, fix autosetup.

* Adding the 'syslog-ng' package. (#205)

* Adding the 'tinyxml2' package. (#206)

* Adding the 'toml11' package. (#207)

* Adding the 'tracelogging' and 'zipper' packages. (#208)

* Add mm-common and libxml++ packages (#215)

* Add liblogging package (#214)

* Add nlohmann-json package (#217)

* Add msgpack package (#216)

* Adding the 'span-lite' and 'telegraf' packages. (#220)

* Remove toolchain-local-wget-list after use (#212)

* Remove toolchain-local-wget-list after use

- toolchain-local-wget-list has been left at the end of a toolchain build. It shows up on `git status` when toolchain is built locally.
- Another solution would be adding it to `.gitignore`.

* Add temporary toolchain build files to toolkit/.gitignore

* Remove implicit git repository dependency from toolkit (#197)

* Remove implicit git repository dependency

* Remove the new GIT_REV variable

* Add jsonbuilder package (#223)

* update libffi to use https source0 (#227)

* Update libestr (#213)

* Add babeltrace2 and lttng-consume packages (#226)

* Add pugixml package (#222)

* Disable debug package for nlohmann-json (#228)

* Add rapidjson package (#225)

* Upgrade ruby to 2.6.6 to resolve CVE-2019-16255, CVE-2019-16201, CVE-2020-10933, CVE-2020-5247, CVE-2019-15845, CVE-2019-16254 (#224)

* Upgrade ruby to 2.6.6 to resolve CVEs

* Update cgmanifest

* Nopatch qemu CVE-2015-7504 CVE-2017-5931 CVE-2017-14167 (#162)

* Fix CVE-2020-26159 in oniguruma (#211)

* Fix CVE-2020-26159

* Increment release, fix autosetup.

* Enable QAT kernel configs in CBL-Mariner

* Nopatch kernel CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428 (#193)

* Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428

* Adding the `bond`, `fluent-bit`, and `ivykis` packages. (#234)

* Joslobo/add azure storage (#232)

* Add azure-storage spec file to mariner-core

* Register with legal and update map file

* Fixed #source0 link

* Updated per code review comments

* Fixed URL to use https

* Initial spec lint action commit (#172) (#191)

* Initial spec-cleaner commit for CBL-Mariner

* Add cgmanifest.json file for GitHub workflows folder

* Set continue-on-error to true for a trial period

* patch openssh (#238)

* Update pull_request_template.md (#236)

* Fix check tests for git, make, krb5 and libcap-ng (#241)

* fix check tests

* update toolchain manifests

* fix blank spaces and tabs in make.spec

* Fix CVE-2019-12735 in vim (#230)

* Fix CVE-2019-12735 in vim

* Update the changelog to address only one CVE.

* Switching to correct source for the Microsoft bundle. (#244)

* Fix check tests for brotli, gzip and python-certifi (#245)

* fix check test for brotli, gzip, python-certifi

* update manifest release version for gzip

* skip check for vim

* Patch unbound CVE-2020-12662 and CVE-2020-12663 (#246)

* Portablectl patches to support --now --enable and --no-block flags (#139)

* Portablectl patches to support --now --enable and --no-block flags

* Portablectl patches to support --now --enable and --no-block flags

* Patch lua CVE-2019-6706, CVE-2020-15888, nopatch CVE-2020-24342 (#169)

* Patch lua CVE-2019-6706, CVE-2020-15888, CVE-2020-15945, nopatch CVE-2020-24342

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Roll back CVE-2020-15945, patch ineffective

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>

* Nopatch ed CVE-2015-2987 (#209)

ed CVE-2015-2987 applies to a different program named ed.

* Patch gnutls CVE-2020-24659 (#247)

Upstream CVE discussion: https://gitlab.com/gnutls/gnutls/-/issues/1071

* update ant version

* fix changelog comment

* update cgmanifest

* Nopatch sqlite CVE-2015-3717 (#254)

* Added omi package

* Adding the `ccache` and `clamav` packages. (#251)

* Generate ant signatures (#260)

* Add auoms package (#258)

* add auoms package

* add auoms original source url comments

* fix changelog history

* fix auoms signatures

* fix changelog

* use %license

* update licenses-map

* add omi to LICENSES-MAP

* merge latest LICENSES-MAP

* Implement "distroless" containers (#252)

* Create distroless container without bash and surplus dependencies
* Remove RPM database for distroless
* Add busybox and uclibc. Add distroless-packages-debug
* Update cgmanifest

Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: MateuszMalisz <mamalisz@microsoft.com>

* Updated mariner-release package version (#262)

* fix setup (#263)

* fix missed merge file

* Fixed bad file merge

* Fixed poorly merged files

* Merge distroless container revert to 1.0 (#265)

* Revert "Implement "distroless" containers (#252)"

This reverts commit e41efdda19.

* Revert "Implement "distroless" containers (#252)" (#264)

This reverts commit e41efdda19.

* fix package manifest merge issues

* fix issues building input-srpms

* fix package manifest issues

* remove duplicate patch and sed cmd from lua spec

* revert package ignore list and graphoptimizer changes

* remove runc from LICENSES-MAP.md

* Update pkggen merge (#316)

* Clean up lua.spec 1.0 to dev merge (#318)

* update lua.spec and licenses-map.md per feedback

* revert gzip changes

* revert krb5 change

Co-authored-by: Jim Perrin <Jim.Perrin@microsoft.com>
Co-authored-by: Jason Goscinski <jasongos@users.noreply.github.com>
Co-authored-by: Mateusz Malisz <maliszmat@outlook.com>
Co-authored-by: Nicolas Ontiveros <54044510+niontive@users.noreply.github.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
Co-authored-by: Christopher Co <christopher.co@microsoft.com>
Co-authored-by: chalamalasetty <chalamalasetty@live.com>
Co-authored-by: chalamalasetty <42326515+chalamalasetty@users.noreply.github.com>
Co-authored-by: Joe Schmitt <1146681+schmittjoseph@users.noreply.github.com>
Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>
Co-authored-by: Emre Girgin <50592283+mrgirgin@users.noreply.github.com>
Co-authored-by: Thomas Crain <thcrain@microsoft.com>
Co-authored-by: Jon Slobodzian <joslobo@microsoft.com>
Co-authored-by: Emre Girgin <mrgirgin@microsoft.com>
Co-authored-by: Daniel Burgener <burgener.daniel@gmail.com>
Co-authored-by: nicolas guibourge <nicogbg@gmail.com>
Co-authored-by: Chirag Shah <chsha@microsoft.com>
Co-authored-by: Henry Li <lihl@microsoft.com>
Co-authored-by: Henry Li <69694695+henryli001@users.noreply.github.com>
Co-authored-by: rychenf1 <rychenf1@gmail.com>
Co-authored-by: Nick Samson <nick.samson@microsoft.com>
Co-authored-by: MateuszMalisz <mamalisz@microsoft.com>
Andrew Phelps 2020-11-03 17:40:59 -08:00 committed by GitHub
parent 2749d3a2c6
commit 498f926e43
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
204 changed files with 7505 additions and 730 deletions

@ -11,6 +11,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
- [ ] Any updated packages successfully build (or no packages were changed)
- [ ] All package sources are available
- [ ] cgmanifest files are up-to-date and sorted (`./cgmanifest.json`, `./toolkit/tools/cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`)
- [ ] LICENSE-MAP files are up-to-date (`./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md`, `./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON`)
- [ ] All source files have up-to-date hashes in the `*.signatures.json` files
- [ ] `sudo make go-tidy-all` and `sudo make go-test-coverage` pass
- [ ] Documentation has been updated to match any changes to the build system

.github/workflows/quickstart.yml vendored Normal file
@ -0,0 +1,80 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
#
# Workflow to automatedly verify the quickstart instructions
name: Verify Quickstart
on:
workflow_dispatch:
schedule:
- cron: "0 15 * * *"
jobs:
iso_quickstart:
runs-on: ubuntu-18.04
steps:
- name: Checkout
uses: actions/checkout@v2.3.2
with:
ref: '1.0-stable'
- name: Set up Go 1.13
uses: actions/setup-go@v2
with:
go-version: 1.13
id: go
- name: Install Remaining Prerequisites
run: |
# Golang and docker are already installed on the agent
sudo apt-get update
sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz
- name: Configure the Environment
run: |
pushd toolkit
sudo make go-tools REBUILD_TOOLS=y
sudo make input-srpms DOWNLOAD_SRPMS=y
popd
- name: ISO Quick Start
run: |
pushd toolkit
sudo make iso REBUILD_TOOLS=y REBUILD_PACKAGES=n
popd
vhdx_quickstart:
runs-on: ubuntu-18.04
steps:
- name: Checkout
uses: actions/checkout@v2.3.2
with:
ref: '1.0-stable'
- name: Set up Go 1.13
uses: actions/setup-go@v2
with:
go-version: 1.13
id: go
- name: Install Remaining Prerequisites
run: |
# Golang and docker are already installed on the agent
sudo apt-get update
sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz
- name: Configure Environment
run: |
pushd toolkit
sudo make go-tools REBUILD_TOOLS=y
sudo make input-srpms DOWNLOAD_SRPMS=y
popd
- name: VHDX Quick Start
run: |
pushd toolkit
sudo make image REBUILD_TOOLS=y REBUILD_PACKAGES=n
popd
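Review bot: Both jobs pull their actions by mutable tag (`uses: actions/checkout@v2.3.2` and `uses: actions/setup-go@v2`), and `setup-go@v2` is a floating major tag, so the code this scheduled workflow executes can change without any change to this file. Pin each `uses:` to a full commit SHA and keep the tag in a trailing comment. The `iso_quickstart` and `vhdx_quickstart` jobs also repeat the same setup steps and differ only in the final `make iso` versus `make image` target; a matrix over the target would stop them drifting apart (the step names already differ, "Configure the Environment" versus "Configure Environment"). The `id: go` on the setup step is not referenced anywhere in the visible steps and can be dropped.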

@ -2,7 +2,7 @@
Summary: Signed Linux Kernel for aarch64 systems
Name: kernel-signed-aarch64
Version: 5.4.51
Release: 5%{?dist}
Release: 11%{?dist}
License: GPLv2
URL: https://github.com/microsoft/WSL2-Linux-Kernel
Group: System Environment/Kernel
@ -67,7 +67,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
%postun
if [ ! -e /boot/mariner.cfg ]
then
if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
ls /boot/linux-*.cfg 1> /dev/null 2>&1
if [ $? -eq 0 ]
then
list=`ls -tu /boot/linux-*.cfg | head -n1`
test -n "$list" && ln -sf "$list" /boot/mariner.cfg
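Review bot: The fallback on the line after the new check, `ls -tu /boot/linux-*.cfg | head -n1`, chooses the config by access time rather than by kernel version or install order, so anything that merely reads an older `linux-*.cfg` can cause `/boot/mariner.cfg` to be relinked to that older kernel. Sort the file names by version instead of parsing `ls -tu` output. The corrected existence test works, but writing it as `if ls /boot/linux-*.cfg > /dev/null 2>&1` avoids depending on `$?` surviving between two lines, and the `test -n "$list"` guard that follows already covers the no-match case.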
@ -84,6 +85,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
%changelog
* Fri Oct 16 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-11
- Update release number
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-10
- Update release number to match kernel spec
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-9
- Update release number
* Wed Sep 30 2020 Emre Girgin <mrgirgin@microsoft.com> 5.4.51-8
- Update postun script to deal with removal in case of another installed kernel.
* Fri Sep 25 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-7
- Update release number
* Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
- Update release number
* Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
- Update release number
* Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4

@ -2,7 +2,7 @@
Summary: Signed Linux Kernel for x86_64 systems
Name: kernel-signed-x64
Version: 5.4.51
Release: 5%{?dist}
Release: 11%{?dist}
License: GPLv2
URL: https://github.com/microsoft/WSL2-Linux-Kernel
Group: System Environment/Kernel
@ -67,7 +67,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
%postun
if [ ! -e /boot/mariner.cfg ]
then
if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
ls /boot/linux-*.cfg 1> /dev/null 2>&1
if [ $? -eq 0 ]
then
list=`ls -tu /boot/linux-*.cfg | head -n1`
test -n "$list" && ln -sf "$list" /boot/mariner.cfg
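Review bot: This `%postun` body is a line-for-line copy of the one in `kernel-signed-aarch64`, and the commit message lists the same fix being applied to `kernel.spec` and `kernel-hyperv.spec` too. The test being replaced wrapped `ls` in backticks with its output sent to /dev/null, so it was always false, and it was wrong in every copy at once. Move the relink logic into one shared macro or helper script that each kernel spec calls, so the next fix to this boot-config scriptlet is made in a single place.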
@ -84,6 +85,18 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
%changelog
* Fri Oct 16 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-11
- Update release number
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-10
- Update release number to match kernel spec
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-9
- Update release number
* Wed Sep 30 2020 Emre Girgin <mrgirgin@microsoft.com> 5.4.51-8
- Update postun script to deal with removal in case of another installed kernel.
* Fri Sep 25 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-7
- Update release number
* Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
- Update release number
* Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
- Update release number
* Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4

@ -1,6 +1,6 @@
{
"Signatures": {
"apache-ant-1.10.8-src.tar.gz": "53d06ed062297366569fe563b77e8187973be1383749181938b597177514d318",
"apache-ant-1.10.9-src.tar.gz": "3f00fe29988ff1af83cb100089bfcbaf5d3e533d42fba3ea4861a982c920e874",
"hamcrest-1.3.tgz": "c6428e40d069fff3f99780efaae96c35ebdbf7cbfd475504254ebffcc19620c2",
"maven-ant-tasks-2.1.3.tar.gz": "ae5b6548dbb3f0d71865e1be9bffd13ca7bb65a3cb5d89eaee97ea7e70e1f0ba"
}

@ -1,6 +1,6 @@
Summary: Apache Ant
Name: ant
Version: 1.10.8
Version: 1.10.9
Release: 1%{?dist}
License: ASL 2.0 and BSD and W3C
URL: https://ant.apache.org
@ -118,6 +118,8 @@ bootstrap/bin/ant -v run-tests
%{_bindir}/runant.pl
%changelog
* Wed Oct 21 2020 Henry Li <lihl@microsoft.com> - 1.10.9-1
- Updated to version 1.10.9 to resolve CVE-2020-11979
* Thu May 21 2020 Ruying Chen <v-ruyche@microsoft.com> - 1.10.8-1
- Updated to version 1.10.8 to resolve CVE-2020-1945
* Sat May 09 00:21:39 PST 2020 Nick Samson <nisamson@microsoft.com> - 1.10.5-8

@ -0,0 +1 @@
# CVE-2016-1585 has no upstream fix.

@ -1,15 +1,16 @@
%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Name: apparmor
Version: 2.13
Release: 10%{?dist}
Release: 11%{?dist}
Summary: AppArmor is an effective and easy-to-use Linux application security system.
License: GNU LGPL v2.1
URL: https://launchpad.net/apparmor
Source0: https://launchpad.net/apparmor/2.13/2.13.0/+download/%{name}-%{version}.tar.gz
%define sha1 apparmor=54202cafce24911c45141d66e2d1e037e8aa5746
Patch0: apparmor-set-profiles-complain-mode.patch
Patch1: apparmor-service-start-fix.patch
Patch2: apparmor-fix-make-check.patch
# CVE-2016-1585 has no upstream fix as of 2020/09/28
Patch100: CVE-2016-1585.nopatch
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Productivity/Security
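Review bot: `Patch100: CVE-2016-1585.nopatch` records the CVE as deliberately unpatched on the strength of a dated comment ("no upstream fix as of 2020/09/28") with no link to the upstream bug or advisory, so nobody can cheaply re-check whether that is still true. Add the tracking URL next to the comment or inside the `.nopatch` file, and say what condition should cause the entry to be removed. The `.nopatch` file itself only carries the undated sentence "CVE-2016-1585 has no upstream fix.", so the spec comment and the file should state the same thing, date included.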
@ -354,9 +355,10 @@ make DESTDIR=%{buildroot} install
%exclude %{perl_archlib}/perllocal.pod
%changelog
* Sat May 09 00:20:37 PST 2020 Nick Samson <nisamson@microsoft.com> - 2.13-10
* Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 2.13-11
- Nopatch CVE-2016-1585
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 2.13-10
- Added %%license line automatically
* Tue Apr 28 2020 Emre Girgin <mrgirgin@microsoft.com> 2.13-9
- Renaming Linux-PAM to pam
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.13-8

SPECS/auoms/auoms.patch Normal file
@ -0,0 +1,480 @@
diff --git a/build/Makefile b/build/Makefile
--- a/build/Makefile 2020-07-14 13:50:43.000000000 -0700
+++ b/build/Makefile 2020-10-15 11:48:50.361506677 -0700
@@ -24,8 +24,8 @@
$(error "ENABLE_DEBUG is not set. Please re-run configure")
endif
-INTERMEDIATE_DIR=$(BASE_DIR)/intermediate/$(BUILD_CONFIGURATION)
-TARGET_DIR := $(BASE_DIR)/target/$(BUILD_CONFIGURATION)
+INTERMEDIATE_DIR=$(BASE_DIR)/intermediate
+TARGET_DIR := $(BASE_DIR)/target
BUILD_DIR=$(INTERMEDIATE_DIR)/builddir
RELEASE_DIR=$(BUILD_DIR)/release
AUOMS_BIN=$(RELEASE_DIR)/bin/auoms
@@ -78,7 +78,7 @@
#--------------------------------------------------------------------------------
# Build targets
-.PHONY: all clean distclean clean-status kit
+.PHONY: all clean distclean clean-status packages kit
.PHONY: tests test
all : $(AUOMS_BIN) sepolicy kit
@@ -89,7 +89,7 @@
clean-kit :
$(RMDIR) $(BASE_DIR)/target
- $(RMDIR) $(INTERMEDIATE_DIR)/*.{tar,rpm,deb}
+ $(RMDIR) $(INTERMEDIATE_DIR)/*.{tar,rpm}
distclean : clean
-$(RM) $(BASE_DIR)/build/Makefile.version
@@ -131,7 +131,9 @@
@echo "========================= Building selinux policy module"
$(MKPATH) $(SEPOLICY_DIR)
$(COPY) $(SEPOLICY_SRC_DIR)/auoms.te $(SEPOLICY_SRC_DIR)/auoms.fc $(SEPOLICY_DIR)
- cd $(SEPOLICY_DIR); make -f /usr/share/selinux/devel/Makefile
+ # Will revert this change once SeLinux is supported in Mariner
+ # cd $(SEPOLICY_DIR); make -f /usr/share/selinux/devel/Makefile
+ touch $(SEPOLICY_DIR)/auoms.pp
else
$(SEPOLICY_DIR)/auoms.pp : $(SEPOLICY_SRC_DIR)/auoms.te $(SEPOLICY_SRC_DIR)/auoms.fc
@echo "========================= Building selinux policy module"
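Review bot: Replacing the policy build with `touch $(SEPOLICY_DIR)/auoms.pp` produces a zero-byte `auoms.pp` that satisfies the `sepolicy` prerequisite of the RPM rules later in this Makefile, so a placeholder can travel into the package looking like a compiled module. If the package installs or loads that file, an empty module is harder to diagnose than a missing one. Prefer skipping the `sepolicy` dependency when the SELinux devel Makefile is unavailable over fabricating the artifact, and point the "Will revert this change" comment at a tracking issue so the revert actually happens.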
@@ -182,21 +184,28 @@
# While the "formal build" only builds ULINUX, we may build something else for DEV purposes.
# Assume we ALWAYS build RPM, but only build DPKG if --enable-ulinux is specified in configure.
+$(TARGET_DIR):
+ mkdir -p $(TARGET_DIR)
+
ifeq ($(ULINUX),1)
ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo)
-kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
+
+packages: $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm
+
+kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm
$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm
$(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm
-$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
- $(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
-
else
+packages: $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
kit : $(TARGET_DIR)/auoms-bundle-test.sh $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh
endif
+$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm : $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm
+ $(COPY) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm
+
$(TARGET_DIR)/auoms-bundle-test.sh : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh
$(COPY) ../installer/bundle/auoms-bundle-test.sh $(TARGET_DIR)/auoms-bundle-test.sh
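Review bot: In the `else` branch the new rule `packages: $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb` still names a `.deb` prerequisite, but this same hunk deletes the rule that copied that file into `$(TARGET_DIR)` and later hunks delete the DEB build rules, so a ULINUX build that is not `RelWithDebInfo` has no rule to make that target. That branch is also the non-debug configuration yet asks for the `_DEBUG` packages, whose `$(TARGET_DIR)` copy rule lives only inside the `RelWithDebInfo` branch. The prerequisite list looks stale; it should probably be `$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm` alone.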
@@ -205,13 +214,12 @@
$(MKPATH) $(TARGET_DIR)
../installer/bundle/create_bundle.sh $(TARGET_DIR) $(INTERMEDIATE_DIR) $(OUTPUT_PACKAGE_PREFIX).tar
-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).tar : \
- $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb
+$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).tar : packages
@echo "========================= Performing Building .tar file"
# Build the tar file containing both .rpm and .deb packages
- cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar $(OUTPUT_PACKAGE_PREFIX).{deb,rpm}
+ cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar $(OUTPUT_PACKAGE_PREFIX).rpm
$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm: $(AUOMS_BIN) sepolicy
@echo "========================= Performing Building RPM package"
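Review bot: `$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).tar : packages` makes a real file depend on a target that this patch declares in `.PHONY`, so the tar file and everything built from it is remade on every invocation. Depend on `$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).rpm` directly, which is the only file the `tar cvf` line reads. The comment "Build the tar file containing both .rpm and .deb packages" is left unchanged and is now wrong; it should say RPM only.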
@@ -237,32 +245,6 @@
$(INSTALLER_DATAFILES_RPM)
sudo $(RMDIR) $(STAGING_DIR)
-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb: $(AUOMS_BIN) sepolicy
- @echo "========================= Performing Building DEB package"
- $(MKPATH) $(INSTALLER_TMPDIR)
-
- sudo $(RMDIR) $(STAGING_DIR)
- sudo python $(PAL_DIR)/installer/InstallBuilder/installbuilder.py \
- --BASE_DIR=$(BASE_DIR) \
- --TARGET_DIR=$(INTERMEDIATE_DIR) \
- --INTERMEDIATE_DIR=$(INSTALLER_TMPDIR) \
- --STAGING_DIR=$(STAGING_DIR) \
- --BUILD_TYPE=$(BUILD_TYPE) \
- --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \
- --PFARCH=$(PF_ARCH) \
- --PFDISTRO=$(PF_DISTRO) \
- --PFMAJOR=$(PF_MAJOR) \
- --PFMINOR=$(PF_MINOR) \
- --VERSION=$(AUOMS_BUILDVERSION_MAJOR).$(AUOMS_BUILDVERSION_MINOR).$(AUOMS_BUILDVERSION_PATCH) \
- --RELEASE=$(AUOMS_BUILDVERSION_BUILDNR) \
- --VERSION_IDENT="$(AUOMS_BUILDVERSION_DATE) $(AUOMS_BUILDVERSION_STATUS)" \
- $(DPKG_LOCATION) \
- --DATAFILE_PATH=$(BASE_DIR)/installer/datafiles \
- --OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX) \
- $(INSTALLER_DATAFILES_DPKG)
- sudo chown --reference=$(BASE_DIR) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).deb
- sudo $(RMDIR) $(STAGING_DIR)
-
ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo)
$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm: $(AUOMS_BIN).debug
@echo "========================= Performing Building RPM package"
@@ -288,39 +270,16 @@
$(INSTALLER_DATAFILES_RPM)
sudo $(RMDIR) $(STAGING_DIR)
-$(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb: $(AUOMS_BIN).debug
- @echo "========================= Performing Building DEB package"
- $(MKPATH) $(INSTALLER_TMPDIR)
-
- sudo $(RMDIR) $(STAGING_DIR)
- sudo python $(PAL_DIR)/installer/InstallBuilder/installbuilder.py \
- --BASE_DIR=$(BASE_DIR) \
- --TARGET_DIR=$(INTERMEDIATE_DIR) \
- --INTERMEDIATE_DIR=$(INSTALLER_TMPDIR) \
- --STAGING_DIR=$(STAGING_DIR) \
- --BUILD_TYPE=$(BUILD_TYPE) \
- --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \
- --PFARCH=$(PF_ARCH) \
- --PFDISTRO=$(PF_DISTRO) \
- --PFMAJOR=$(PF_MAJOR) \
- --PFMINOR=$(PF_MINOR) \
- --VERSION=$(AUOMS_BUILDVERSION_MAJOR).$(AUOMS_BUILDVERSION_MINOR).$(AUOMS_BUILDVERSION_PATCH) \
- --RELEASE=$(AUOMS_BUILDVERSION_BUILDNR) \
- --VERSION_IDENT="$(AUOMS_BUILDVERSION_DATE) $(AUOMS_BUILDVERSION_STATUS)" \
- $(DPKG_LOCATION) \
- --DATAFILE_PATH=$(BASE_DIR)/installer/datafiles-debug \
- --OUTPUTFILE=$(OUTPUT_PACKAGE_PREFIX_DEBUG) \
- $(INSTALLER_DATAFILES_DPKG)
- sudo chown --reference=$(BASE_DIR) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
- sudo $(RMDIR) $(STAGING_DIR)
endif
else
ifeq ($(CMAKE_BUILD_TYPE),RelWithDebInfo)
-kit : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).deb
+packages : $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX_DEBUG).rpm
+kit: packages
else
-kit : $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX)
+packages : $(TARGET_DIR) $(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX)
+kit: packages
endif
$(TARGET_DIR)/$(OUTPUT_PACKAGE_PREFIX).$(PACKAGE_SUFFIX) : $(AUOMS_BIN) sepolicy
diff --git a/CollectionMonitor.cpp b/CollectionMonitor.cpp
--- a/CollectionMonitor.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/CollectionMonitor.cpp 2020-10-15 14:43:21.914099396 -0700
@@ -207,15 +207,15 @@
_builder.CancelEvent();
return;
}
- if (_builder.AddField("pid", std::to_string(pid), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder.AddField("pid", std::to_string(pid), "", field_type_t::UNCLASSIFIED) != 1) {
_builder.CancelEvent();
return;
}
- if(_builder.AddField("ppid", std::to_string(ppid), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if(_builder.AddField("ppid", std::to_string(ppid), "", field_type_t::UNCLASSIFIED) != 1) {
_builder.CancelEvent();
return;
}
- if(_builder.AddField("exe", exe, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if(_builder.AddField("exe", exe, "", field_type_t::UNCLASSIFIED) != 1) {
_builder.CancelEvent();
return;
}
diff --git a/Event.cpp b/Event.cpp
--- a/Event.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/Event.cpp 2020-10-15 14:44:10.713610363 -0700
@@ -421,7 +421,7 @@
size_t name_size = strlen(field_name);
size_t raw_size = strlen(raw_value);
std::string_view interp;
- if (interp_value != nullptr) {
+ if (interp_value != nullptr && strlen(interp_value) != 0) {
interp = std::string_view(interp_value, strlen(interp_value));
}
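
Review bot: The new condition calls `strlen(interp_value)` and the line inside the block calls it again to size the `string_view`; take the length once, or test `interp_value[0] != '\0'`. The check also makes an empty interpreted value indistinguishable from an absent one for every caller of this overload, which deserves a comment next to the condition because the rest of the patch relies on it.
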
diff --git a/EventTests.cpp b/EventTests.cpp
--- a/EventTests.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/EventTests.cpp 2020-10-15 14:44:51.257204228 -0700
@@ -63,7 +63,7 @@
if (ret != 1) {
BOOST_FAIL("BeginRecord failed: " + std::to_string(ret));
}
- ret = builder.AddField("field1", "raw1", nullptr, field_type_t::UNCLASSIFIED);
+ ret = builder.AddField("field1", "raw1", "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
BOOST_FAIL("AddField failed: " + std::to_string(ret));
}
diff --git a/installer/bundle/create_bundle.sh b/installer/bundle/create_bundle.sh
--- a/installer/bundle/create_bundle.sh 2020-07-14 13:50:43.000000000 -0700
+++ b/installer/bundle/create_bundle.sh 2020-10-15 11:52:05.299985451 -0700
@@ -115,27 +115,6 @@
# Fetch the bundle skeleton file
cp $SOURCE_DIR/$BUNDLE_FILE .
-# See if we can resolve git references for output
-# (See if we can find the master project)
-TEMP_FILE=/tmp/create_bundle.$$
-
-# Get the git reference hashes in a file
-(
-cd $SOURCE_DIR/../..
-echo "Entering 'OMS-Auditd-Plugin'" > $TEMP_FILE
-git rev-parse HEAD >> $TEMP_FILE
-cd ../pal
-echo "Entering 'pal'" >> $TEMP_FILE
-git rev-parse HEAD >> $TEMP_FILE
-)
-
-# Change lines like: "Entering 'pal'\n<refhash>" to "pal: <refhash>"
-perl -i -pe "s/Entering '([^\n]*)'\n/\$1: /" $TEMP_FILE
-
-# Grab the reference hashes in a variable
-SOURCE_REFS=`cat $TEMP_FILE`
-rm $TEMP_FILE
-
# Update the bundle file w/the ref hash (much easier with perl since multi-line)
perl -i -pe "s/-- Source code references --/${SOURCE_REFS}/" $BUNDLE_FILE
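
Review bot: The deleted block is the only place in this hunk that sets `SOURCE_REFS`, yet the `perl -i -pe "s/-- Source code references --/${SOURCE_REFS}/"` line is kept, so unless the caller exports the variable the marker is now replaced with an empty string and the bundle records no source revisions. Either drop the substitution as well or pass the references in from the build. Losing the predictable `/tmp/create_bundle.$$` temp file along with the `git rev-parse` calls is a welcome side effect.
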
diff --git a/Metrics.cpp b/Metrics.cpp
--- a/Metrics.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/Metrics.cpp 2020-10-15 14:46:23.976275931 -0700
@@ -80,47 +80,47 @@
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("version", AUOMS_VERSION, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("version", AUOMS_VERSION, "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("StartTime", system_time_to_iso3339(snap.start_time), nullptr,
+ if (_builder->AddField("StartTime", system_time_to_iso3339(snap.start_time), "",
field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("EndTime", system_time_to_iso3339(snap.end_time), nullptr,
+ if (_builder->AddField("EndTime", system_time_to_iso3339(snap.end_time), "",
field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("Namespace", snap.namespace_name, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("Namespace", snap.namespace_name, "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("Name", snap.name, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("Name", snap.name, "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("SamplePeriod", std::to_string(snap.sample_period), nullptr,
+ if (_builder->AddField("SamplePeriod", std::to_string(snap.sample_period), "",
field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("NumSamples", std::to_string(snap.num_samples), nullptr,
+ if (_builder->AddField("NumSamples", std::to_string(snap.num_samples), "",
field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("Min", std::to_string(snap.min), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("Min", std::to_string(snap.min), "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("Max", std::to_string(snap.max), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("Max", std::to_string(snap.max), "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
- if (_builder->AddField("Avg", std::to_string(snap.avg), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder->AddField("Avg", std::to_string(snap.avg), "", field_type_t::UNCLASSIFIED) != 1) {
_builder->CancelEvent();
return false;
}
diff --git a/OperationalStatus.cpp b/OperationalStatus.cpp
--- a/OperationalStatus.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/OperationalStatus.cpp 2020-10-15 14:46:52.727988196 -0700
@@ -192,12 +192,12 @@
_builder.CancelEvent();
return false;
}
- if (_builder.AddField("version", AUOMS_VERSION, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder.AddField("version", AUOMS_VERSION, "", field_type_t::UNCLASSIFIED) != 1) {
_builder.CancelEvent();
return false;
}
if (!errors.empty()) {
- if (_builder.AddField("errors", errors, nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (_builder.AddField("errors", errors, "", field_type_t::UNCLASSIFIED) != 1) {
_builder.CancelEvent();
return false;
}
diff --git a/OutputInputTests.cpp b/OutputInputTests.cpp
--- a/OutputInputTests.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/OutputInputTests.cpp 2020-10-15 14:47:09.019825179 -0700
@@ -39,7 +39,7 @@
builder->CancelEvent();
return false;
}
- if (builder->AddField("seq", std::to_string(seq), nullptr, field_type_t::UNCLASSIFIED) != 1) {
+ if (builder->AddField("seq", std::to_string(seq), "", field_type_t::UNCLASSIFIED) != 1) {
builder->CancelEvent();
return false;
}
diff --git a/RawEventProcessor.cpp b/RawEventProcessor.cpp
--- a/RawEventProcessor.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/RawEventProcessor.cpp 2020-10-15 14:48:34.222972890 -0700
@@ -567,7 +567,7 @@
_path_ouid.append(SV_JSON_ARRAY_END);
_path_ogid.append(SV_JSON_ARRAY_END);
- auto ret = _builder->AddField(SV_PATH_NAME, _path_name, nullptr, field_type_t::UNCLASSIFIED);
+ auto ret = _builder->AddField(SV_PATH_NAME, _path_name, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -576,7 +576,7 @@
return false;
}
- ret = _builder->AddField(SV_PATH_NAMETYPE, _path_nametype, nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(SV_PATH_NAMETYPE, _path_nametype, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -585,7 +585,7 @@
return false;
}
- ret = _builder->AddField(SV_PATH_MODE, _path_mode, nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(SV_PATH_MODE, _path_mode, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -594,7 +594,7 @@
return false;
}
- ret = _builder->AddField(SV_PATH_OUID, _path_ouid, nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(SV_PATH_OUID, _path_ouid, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -603,7 +603,7 @@
return false;
}
- ret = _builder->AddField(SV_PATH_OGID, _path_ogid, nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(SV_PATH_OGID, _path_ogid, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -626,7 +626,7 @@
proctitle_field = EventRecordField();
_execve_converter.Convert(execve_recs, _cmdline);
- ret = _builder->AddField(SV_CMDLINE, _cmdline, nullptr, field_type_t::UNESCAPED);
+ ret = _builder->AddField(SV_CMDLINE, _cmdline, "", field_type_t::UNESCAPED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
@@ -657,7 +657,7 @@
unescape_raw_field(_unescaped_val, proctitle_field.RawValuePtr(), proctitle_field.RawValueSize());
ExecveConverter::ConvertRawCmdline(_unescaped_val, _cmdline);
- ret = _builder->AddField(SV_PROCTITLE, _cmdline, nullptr, field_type_t::PROCTITLE);
+ ret = _builder->AddField(SV_PROCTITLE, _cmdline, "", field_type_t::PROCTITLE);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -682,7 +682,7 @@
for (auto& field: dropped_rec) {
_field_name.assign(SV_DROPPED);
_field_name.append(field.FieldName());
- ret = _builder->AddField(_field_name, field.RawValue(), nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(_field_name, field.RawValue(), "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -707,7 +707,7 @@
containerid = p->_containerid;
}
- ret = _builder->AddField(SV_CONTAINERID, containerid, nullptr, field_type_t::UNCLASSIFIED);
+ ret = _builder->AddField(SV_CONTAINERID, containerid, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
@@ -842,7 +842,7 @@
}
bool RawEventProcessor::add_str_field(const std::string_view& name, const std::string_view& val, field_type_t ft) {
- int ret = _builder->AddField(name, val, nullptr, ft);
+ int ret = _builder->AddField(name, val, "", ft);
if (ret != 1) {
if (ret == Queue::CLOSED) {
throw std::runtime_error("Queue closed");
diff --git a/RawEventRecord.cpp b/RawEventRecord.cpp
--- a/RawEventRecord.cpp 2020-07-14 13:50:43.000000000 -0700
+++ b/RawEventRecord.cpp 2020-10-15 14:49:06.070654420 -0700
@@ -176,7 +176,7 @@
}
if (!_node.empty()) {
- ret = builder.AddField(SV_NODE, _node, nullptr, field_type_t::UNCLASSIFIED);
+ ret = builder.AddField(SV_NODE, _node, "", field_type_t::UNCLASSIFIED);
if (ret != 1) {
return ret;
}
@@ -185,7 +185,7 @@
// If record is marked as unparsable, then the text (after the 'audit():' section is included as the only value in
// _record_fields
if (_unparsable) {
- ret = builder.AddField(SV_UNPARSED_TEXT, _record_fields[0], nullptr, field_type_t::UNESCAPED);
+ ret = builder.AddField(SV_UNPARSED_TEXT, _record_fields[0], "", field_type_t::UNESCAPED);
if (ret != 1) {
return ret;
}
@@ -195,9 +195,9 @@
for (auto f: _record_fields) {
auto idx = f.find_first_of('=');
if (idx == std::string_view::npos) {
- ret = builder.AddField(f, std::string_view(), nullptr, field_type_t::UNCLASSIFIED);
+ ret = builder.AddField(f, std::string_view(), "", field_type_t::UNCLASSIFIED);
} else {
- ret = builder.AddField(f.substr(0, idx), f.substr(idx + 1), nullptr, field_type_t::UNCLASSIFIED);
+ ret = builder.AddField(f.substr(0, idx), f.substr(idx + 1), "", field_type_t::UNCLASSIFIED);
}
if (ret != 1) {
return ret;
diff --git a/TestEventData.h b/TestEventData.h
--- a/TestEventData.h 2020-07-14 13:50:43.000000000 -0700
+++ b/TestEventData.h 2020-10-15 14:49:48.162233590 -0700
@@ -33,7 +33,12 @@
field_type_t _field_type;
void Write(const std::shared_ptr<EventBuilder>& builder) {
- builder->AddField(_name, _raw, _interp, _field_type);
+ if (_interp == nullptr) {
+ builder->AddField(_name, _raw, "", _field_type);
+ }
+ else {
+ builder->AddField(_name, _raw, _interp, _field_type);
+ }
}
};
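
Review bot: `Write` now duplicates the whole `AddField` call just to swap a null `_interp` for `""`; assuming `_interp` is a `const char*`, a single call with `_interp ? _interp : ""` as the third argument says the same thing in one line. The return value of `AddField` is discarded in both branches, so a failed write while building test data goes unnoticed.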

@ -0,0 +1,8 @@
{
"Signatures": {
"auoms-2.2.5.tar.gz": "77fb7b561c597a99333d933fa738e184a6070c5f3c37fa09fb5bc8c5faacb0c3",
"msgpack-c-cpp-2.0.0.zip": "9f3860bc014355dbdf6519ffb78d54d120bb8d134dcb4eba35eb5103c1ac3cd1",
"pal-1.6.6-0.tar.gz": "f55a83636ed721ab2a347837b7ed517ece41fd179848995111032ebcd2370405",
"rapidjson-1.0.2.tar.gz": "c3711ed2b3c76a5565ee9f0128bb4ec6753dbcc23450b713842df8f236d08666"
}
}

SPECS/auoms/auoms.spec Normal file

@ -0,0 +1,193 @@
%define debug_package %{nil}
Summary: Auditd plugin that forwards audit events to OMS Agent for Linux
Name: auoms
Version: 2.2.5
Release: 2%{?dist}
License: MIT
URL: https://github.com/microsoft/OMS-Auditd-Plugin
#Source0: https://github.com/microsoft/OMS-Auditd-Plugin/archive/v2.2.5-0.tar.gz
Source0: %{name}-%{version}.tar.gz
#Source1: https://github.com/microsoft/pal/archive/v1.6.6-0.tar.gz
Source1: pal-1.6.6-0.tar.gz
#Source2: https://github.com/msgpack/msgpack-c/archive/cpp-2.0.0.zip
Source2: msgpack-c-cpp-2.0.0.zip
#Source3: https://github.com/Tencent/rapidjson/archive/v1.0.2.tar.gz
Source3: rapidjson-1.0.2.tar.gz
Patch0: auoms.patch
Group: Applications/System
Vendor: Microsoft Corporation
Distribution: Mariner
BuildRequires: unzip
BuildRequires: cmake
BuildRequires: wget
BuildRequires: sudo
BuildRequires: grep
BuildRequires: sed
BuildRequires: bash
BuildRequires: bash-devel
BuildRequires: audit-devel
BuildRequires: boost-devel
BuildRequires: python2
BuildRequires: python2-devel
Requires: audit
Requires: sudo
Requires: bash
Requires: sed
Requires: libstdc++
Requires: perl
Requires: glibc
%description
OMS Audit data collection daemon
%prep
tar xf %{SOURCE1} --no-same-owner --one-top-level=pal --strip-components 1
cp %{SOURCE2} ./
cp %{SOURCE3} ./
%setup -q -n OMS-Auditd-Plugin-2.2.5-0
%patch0 -p1
%build
grep AUOMS_BUILDVERSION auoms.version | head -n 4 | cut -d'=' -f2 | tr '\n' '.' | sed 's/.$//' | sed 's/^/#define AUOMS_VERSION "/' > auoms_version.h
sed -i 's/$/"/' auoms_version.h
cp -R /usr/include/boost /usr/local/include/boost
mv /usr/include/boost /usr/include/boost148
cd build
./configure --enable-ulinux && make clean && make
%install
install -vdm 755 %{buildroot}%{_sysconfdir}/init.d
install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/outconf.d
install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/rules.d
install -vdm 755 %{buildroot}/opt/microsoft/auoms
install -vdm 755 %{buildroot}/opt/microsoft/auoms/bin
install -vdm 755 %{buildroot}/usr/share/selinux/packages/auoms
install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data
install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data/outputs
install -m 644 intermediate/selinux/* %{buildroot}/usr/share/selinux/packages/auoms
install -m 555 installer/auoms.init %{buildroot}%{_sysconfdir}/init.d/auoms
install -m 644 installer/conf/auoms.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
install -m 644 installer/conf/auomscollect.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
install -m 644 installer/conf/example_output.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms
install -m 444 ./LICENSE %{buildroot}/opt/microsoft/auoms
install -m 444 ./THIRD_PARTY_IP_NOTICE %{buildroot}/opt/microsoft/auoms
install -m 444 installer/auoms.service %{buildroot}/opt/microsoft/auoms
install -m 755 intermediate/builddir/release/bin/auomscollect %{buildroot}/opt/microsoft/auoms/bin
install -m 755 intermediate/builddir/release/bin/auoms %{buildroot}/opt/microsoft/auoms/bin
install -m 755 intermediate/builddir/release/bin/auomsctl %{buildroot}/opt/microsoft/auoms/bin
%clean
rm -rf $RPM_BUILD_ROOT
%pre
#!/bin/sh
if [ $1 -gt 1 ] ; then
if [ -e /etc/audisp/plugins.d/auoms.conf ]; then
echo "Pre: found etc/audisp/plugins.d/auoms.conf"
if [ -e /etc/audisp/plugins.d/auoms.conf.auomssave ]; then
rm /etc/audisp/plugins.d/auoms.conf.auomssave
fi
cp -p /etc/audisp/plugins.d/auoms.conf /etc/audisp/plugins.d/auoms.conf.auomssave
fi
if [ -e /etc/audit/plugins.d/auoms.conf ]; then
echo "Pre: found etc/audit/plugins.d/auoms.conf"
if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then
rm /etc/audit/plugins.d/auoms.conf.auomssave
fi
cp -p /etc/audit/plugins.d/auoms.conf /etc/audit/plugins.d/auoms.conf.auomssave
fi
fi
%preun
#!/bin/sh
if [ $1 -eq 0 ]; then
/opt/microsoft/auoms/bin/auomsctl disable
fi
%post
#!/bin/sh
SERVICEDIR=/opt/microsoft/auoms
if [ $1 -gt 1 ] ; then
if [ -e /etc/audisp/plugins.d/auoms.conf.auomssave ]; then
echo "Post: found /etc/audisp/plugins.d/auoms.conf"
if [ -e /etc/audisp/plugins.d/auoms.conf ]; then
rm /etc/audisp/plugins.d/auoms.conf
fi
cp -p /etc/audisp/plugins.d/auoms.conf.auomssave /etc/audisp/plugins.d/auoms.conf
fi
if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then
echo "Post: found /etc/audit/plugins.d/auoms.conf"
if [ -e /etc/audit/plugins.d/auoms.conf ]; then
rm /etc/audit/plugins.d/auoms.conf
fi
cp -p /etc/audit/plugins.d/auoms.conf.auomssave /etc/audit/plugins.d/auoms.conf
fi
echo "Post: executing upgrade"
/opt/microsoft/auoms/bin/auomsctl upgrade
fi
for dir in /usr/lib/systemd/system /lib/systemd/system; do
if [ -e $dir ]; then
install -m 644 ${SERVICEDIR}/auoms.service $dir
systemctl enable auoms.service
break
fi
done
sudo /opt/microsoft/auoms/bin/auomsctl enable
rm -f /etc/audisp/plugins.d/auoms.conf.*
rm -f /etc/audit/plugins.d/auoms.conf.*
%postun
#!/bin/sh
if [ $1 -eq 0 ]; then
rm -f /etc/audisp/plugins.d/auoms.conf*
rm -f /etc/audit/plugins.d/auoms.conf*
rm -rf -v /etc/opt/microsoft/auoms
rm -rf -v /var/opt/microsoft/auoms
fi
for dir in /usr/lib/systemd/system /lib/systemd/system; do
if [ -e ${dir}/auoms.service ]; then
systemctl disable auoms.service
rm -f ${dir}/auoms.service
break
fi
done
%files
%defattr(-,root,root)
/usr/share/selinux/packages/auoms
/usr/share/selinux/packages/auoms/*
%{_sysconfdir}/init.d/auoms
%{_sysconfdir}/opt/microsoft/auoms
%{_sysconfdir}/opt/microsoft/auoms/auoms.conf
%{_sysconfdir}/opt/microsoft/auoms/auomscollect.conf
%{_sysconfdir}/opt/microsoft/auoms/example_output.conf
%{_sysconfdir}/opt/microsoft/auoms/outconf.d
%{_sysconfdir}/opt/microsoft/auoms/rules.d
/opt/microsoft/auoms
%license /opt/microsoft/auoms/LICENSE
%license /opt/microsoft/auoms/THIRD_PARTY_IP_NOTICE
/opt/microsoft/auoms/auoms.service
/opt/microsoft/auoms/bin
/opt/microsoft/auoms/bin/auomscollect
/opt/microsoft/auoms/bin/auoms
/opt/microsoft/auoms/bin/auomsctl
/var/opt/microsoft/auoms
/var/opt/microsoft/auoms/data
/var/opt/microsoft/auoms/data/outputs
%changelog
* Sat Oct 24 2020 Andrew Phelps <anphel@microsoft.com> 2.2.5-2
- Fix setup macro
* Thu Oct 22 2020 Andrew Phelps <anphel@microsoft.com> 2.2.5-1
- Initial CBL-Mariner version.
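
Review bot: In `%postun`, the loop that runs `systemctl disable auoms.service` and removes the unit file sits outside the `if [ $1 -eq 0 ]` guard, so it also runs when this version is erased as part of an upgrade, after the newer package's `%post` has installed and enabled the unit; move the loop inside the guard. In `%build`, `cp -R /usr/include/boost /usr/local/include/boost` and `mv /usr/include/boost /usr/include/boost148` rewrite the build environment's system headers instead of pointing the build at the right include path. `%post` calls `sudo /opt/microsoft/auoms/bin/auomsctl enable` although scriptlets already run as root, and that call is the only visible reason for `Requires: sudo`.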

@ -0,0 +1,5 @@
{
"Signatures": {
"azure-storage-cpp-7.3.0.tar.gz" : "d333757a6065ae2d63f8dfac5bf3033fa1e70bd6e518bf7f97e8d256b9154324"
}
}

@ -0,0 +1,72 @@
%define _build_id_links none
Name: azure-storage-cpp
Summary: Azure Storage Client Library for C++
Version: 7.3.0
Release: 2%{?dist}
License: ASL 2.0
URL: https://azure.github.io/azure-storage-cpp/
Vendor: Microsoft Corporation
Distribution: Mariner
#Source0: https://github.com/Azure/azure-storage-cpp/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: util-linux-devel
BuildRequires: openssl-devel
BuildRequires: boost-devel
BuildRequires: libxml2-devel
BuildRequires: cpprest-devel
BuildRequires: cmake
Requires: openssl
Requires: libxml2
Requires: cpprest
Requires: util-linux
Requires: boost
%description
The Azure Storage Client Library for C++ allows you to build applications against Microsoft Azure Storage.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
Requires: cpprest-devel
%description devel
The Azure Storage Client Library for C++ allows you to build applications against Microsoft Azure Storage.
%prep
%setup -q
%build
CMAKE_OPTS="\
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \
"
mkdir -pv Microsoft.WindowsAzure.Storage/build
cd Microsoft.WindowsAzure.Storage/build
cmake $CMAKE_OPTS ..
make %{?_smp_mflags}
%install
cd Microsoft.WindowsAzure.Storage/build
make %{?_smp_mflags} DESTDIR=%{buildroot} install
%files
%license LICENSE.txt
%doc README.md
%{_libdir}/*.so.*
%files devel
%{_includedir}/was/*
%{_includedir}/wascore/*
%{_libdir}/libazurestorage.so
%changelog
* Fri Oct 16 2020 Jonathan Slobodzian <joslobo@microsoft.com> 7.3.0-2
- License Verified. Update Source0 Location. Integrated into Mariner Core.
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> 7.3.0-1
- Original version for CBL-Mariner.
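
Review bot: The `devel` subpackage declares `Requires: %{name} = %{version}`, which allows headers from one release to be installed against the library from another; pin it to `%{name} = %{version}-%{release}`. The main package ships `%{_libdir}/*.so.*` without `%post`/`%postun` scriptlets calling `/sbin/ldconfig`, unlike the babeltrace2 spec added in the same commit, and the spec has no `%check` section.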

@ -0,0 +1,23 @@
diff -Naur babeltrace2-2.0.1/src/plugins/ctf/common/msg-iter/msg-iter.c babeltrace2-2.0.1-copy/src/plugins/ctf/common/msg-iter/msg-iter.c
--- babeltrace2-2.0.1/src/plugins/ctf/common/msg-iter/msg-iter.c 2020-02-28 22:26:47.194726018 -0800
+++ babeltrace2-2.0.1-copy/src/plugins/ctf/common/msg-iter/msg-iter.c 2020-02-28 22:29:36.318373106 -0800
@@ -2001,6 +2001,9 @@
}
if (G_UNLIKELY(int_fc->storing_index >= 0)) {
+ if ((uint64_t) int_fc->storing_index >= msg_it->stored_values->len) {
+ g_array_set_size(msg_it->stored_values, (uint64_t) int_fc->storing_index + 1);
+ }
g_array_index(msg_it->stored_values, uint64_t,
(uint64_t) int_fc->storing_index) = value;
}
@@ -2090,6 +2093,9 @@
BT_ASSERT_DBG(int_fc->meaning == CTF_FIELD_CLASS_MEANING_NONE);
if (G_UNLIKELY(int_fc->storing_index >= 0)) {
+ if ((uint64_t) int_fc->storing_index >= msg_it->stored_values->len) {
+ g_array_set_size(msg_it->stored_values, (uint64_t) int_fc->storing_index + 1);
+ }
g_array_index(msg_it->stored_values, uint64_t,
(uint64_t) int_fc->storing_index) = (uint64_t) value;
}
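
Review bot: Both added blocks grow `stored_values` to `storing_index + 1` on demand, so an index carried by the field class decides how much memory is allocated, and the slots between the old length and the new one are zeroed only if the array was created with its clear flag set, which these hunks do not show. `g_array_set_size()` takes a `guint` length, so the `(uint64_t)` value is narrowed at the call. Put an upper bound on `storing_index` (or fail the decode) before resizing, and factor the duplicated check into one helper so the two sites cannot drift apart.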

@ -0,0 +1,5 @@
{
"Signatures": {
"babeltrace2-2.0.1.tar.bz2": "87f0acc134bac8e897f4eb0f5a02cbfffeb94d3bc0396ecb74a6667581988ecf"
}
}

@ -0,0 +1,99 @@
Summary: A trace manipulation toolkit
Name: babeltrace2
Version: 2.0.1
Release: 3%{?dist}
License: MIT AND GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment
URL: https://www.efficios.com/babeltrace
Source0: https://www.efficios.com/files/babeltrace/%{name}-%{version}.tar.bz2
Patch0: 00-fix-lttng-live-array-access.patch
BuildRequires: elfutils-devel >= 0.154
BuildRequires: gcc
BuildRequires: glib-devel >= 2.28.0
Requires: libbabeltrace2%{?_isa} = %{version}-%{release}
%description
The Babeltrace 2 project offers a library with a C API, Python 3 bindings, and
a command-line tool which makes it very easy for mere mortals to view,
convert, transform, and analyze traces.
Babeltrace 2 is also the reference parser implementation of the Common Trace
Format (CTF), a very versatile trace format followed by various tracers and
tools such as LTTng and barectf.
%package -n libbabeltrace2
Summary: A trace manipulation library
Requires: glib >= 2.28.0
%description -n libbabeltrace2
The libbabeltrace2 package contains a library and plugin system to view,
convert, transform, and analyze traces.
%package -n libbabeltrace2-devel
Summary: Development files for libbabeltrace2
Requires: glib >= 2.28.0
Requires: libbabeltrace2%{?_isa} = %{version}-%{release}
%description -n libbabeltrace2-devel
The libbabeltrace2-devel package contains the header files and libraries
needed to develop programs that use the libbabeltrace2 trace manipulation
library.
%prep
%autosetup -p1
%build
%configure --disable-static \
--enable-debug-info \
--disable-Werror
%make_build
%check
make check
%install
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
# Clean installed doc
rm -fv %{buildroot}%{_docdir}/babeltrace2/*
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license LICENSE gpl-2.0.txt mit-license.txt
%doc ChangeLog README.adoc
%{_bindir}/babeltrace2
%{_mandir}/man1/*.1*
%{_mandir}/man7/*.7*
%files -n libbabeltrace2
%defattr(-,root,root)
%{_libdir}/*.so.*
%{_libdir}/babeltrace2/plugins/*.so
%files -n libbabeltrace2-devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/babeltrace2.pc
%{_libdir}/pkgconfig/babeltrace2-ctf-writer.pc
%changelog
* Wed Oct 14 2020 Thomas Crain <thcrain@microsoft.com> - 2.0.1-3
- Update Source0
- License verified
* Tue Feb 11 2020 Nick Bopp <nichbop@microsoft.com> - 2.0.1-2
- Initial import from Fedora 32 (license: MIT and GPLv2)
- Added runtime dependency on glib2
- Remove python requirements
- Removed ldconfig_scriptlets
- Fix installed file cleanup
* Mon Feb 10 2020 Michael Jeanson <mjeanson@efficios.com> - 2.0.1-1
- New upstream release
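
Review bot: `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` are attached to the main `babeltrace2` package, but the shared objects (`%{_libdir}/*.so.*`) are listed under `%files -n libbabeltrace2`; the scriptlets should read `%post -n libbabeltrace2 -p /sbin/ldconfig` and `%postun -n libbabeltrace2 -p /sbin/ldconfig`. The changelog line "Added runtime dependency on glib2" does not match the tag actually used, `Requires: glib >= 2.28.0`, and `--disable-Werror` is passed to `%configure` with no comment on which warning it works around.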

@ -0,0 +1,7 @@
{
"Signatures": {
"bond-8.0.1.tar.gz": "d22428a40ab158813c6b0d6548a9a4c1304c1873bd4f2f62a0f36c0ba2855a8b",
"gbc-0.11.0.3-aarch64" : "2fa232b3ceb79ff2e002ad06f8da93bd59f81599102f95258b4dadb84d6b847d",
"gbc-0.11.0.3-x86_64": "c64f9db841b8cccad4c8ec0bd724e52d28b51a15af145fe40223cd92d7356d71"
}
}

SPECS/bond/bond.spec Normal file

@ -0,0 +1,73 @@
Name: bond
Summary: Microsoft Bond Library
Version: 8.0.1
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/microsoft/bond
#Source0: %{url}/archive/%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
Source1: gbc-0.11.0.3-%{_arch}
BuildRequires: clang
BuildRequires: cmake
BuildRequires: zlib-devel
BuildRequires: boost-devel
BuildRequires: ncurses-devel
BuildRequires: rapidjson-devel
BuildRequires: gmp-devel
%description
Bond is an open-source, cross-platform framework for working with schematized data.
It supports cross-language serialization/deserialization and powerful generic mechanisms
for efficiently manipulating data. Bond is broadly used at Microsoft in high scale services.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
Development files for %{name}
%prep
%setup -q
%build
CMAKE_OPTS="\
-DBOND_ENABLE_GRPC=FALSE \
-DBOND_FIND_RAPIDJSON=TRUE \
-DBOND_SKIP_CORE_TESTS=TRUE \
-DBOND_SKIP_GBC_TESTS=TRUE \
-DBOND_GBC_PATH=%{SOURCE1} \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \
"
mkdir -v build
cd build
cmake $CMAKE_OPTS ..
make %{?_smp_mflags}
%install
cd build
make DESTDIR=%{buildroot} install
chmod 0755 %{buildroot}%{_bindir}/gbc
%files
%license LICENSE
%doc README.md
%{_bindir}/*
%files devel
%{_includedir}/%{name}/*
%{_libdir}/%{name}/*
%changelog
* Mon Oct 19 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 8.0.1-3
- License verified.
- Added source URL.
- Added 'Vendor' and 'Distribution' tags.
* Tue May 19 2020 Jonathan Chiu <jochi@microsoft.com> 8.0.1-2
- Add aarch64 support
* Mon Apr 06 2020 Jonathan Chiu <jochi@microsoft.com> 8.0.1-1
- Original version for CBL-Mariner.
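
Review bot: `Source1: gbc-0.11.0.3-%{_arch}` is a prebuilt executable with no upstream URL or build recipe in the spec; it is run during the build through `-DBOND_GBC_PATH=%{SOURCE1}` and, going by the `chmod 0755 %{buildroot}%{_bindir}/gbc` line, ends up in the installed package. The hash in the signatures file pins the bytes but says nothing about where they came from: record the origin of both binaries in a comment next to `Source1`, or build `gbc` from the bond source tree. `Requires: %{name} = %{version}` in `devel` should also include `-%{release}`.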

SPECS/bond/gbc-0.11.0.3-aarch64 Executable file

Binary file not shown.

SPECS/bond/gbc-0.11.0.3-x86_64 Executable file

Binary file not shown.

@ -4,7 +4,7 @@
Name: brotli
Version: 1.0.7
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Lossless compression algorithm
Group: Applications/File
@ -18,6 +18,9 @@ Distribution: Mariner
BuildRequires: cmake
BuildRequires: python3-devel
BuildRequires: python3-setuptools
%if %{with_check}
BuildRequires: python3-xml
%endif
%description
Brotli is a generic-purpose lossless compression algorithm that compresses
@ -130,6 +133,9 @@ python3 setup.py test
%changelog
* Tue Oct 20 2020 Andrew Phelps <anphel@microsoft.com> 1.0.7-8
- Fix check test
* Mon Dec 9 2019 Emre Girgin <mrgirgin@microsoft.com> 1.0.7-7
- Initial CBL-Mariner import from Fedora 31 (license: MIT).

@ -17,7 +17,7 @@
"certdata.microsoft.txt": "d647ba9622bd973b2a2cb5114825a8ff6016ba3a5499a6a7cccdc1d07af25fdb",
"certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e",
"certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0",
"nssckbi.h": "4019b4b68df6b89b22d350ffea652707864ee995b399de2f876c6d52d41f11ac",
"nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea",
"pem2bundle.sh": "79012e7fabf560c3b950349e500770a314006e5b330621a50147eeda11c633ea",
"trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
"update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",

@ -74,7 +74,7 @@ Name: ca-certificates
# (but these files might have not yet been released).
Version: 20200720
Release: 7%{?dist}
Release: 9%{?dist}
License: MPLv2.0
URL: https://hg.mozilla.org
Group: System Environment/Security
@ -198,7 +198,7 @@ cp -p %{SOURCE20} .
%convert_certdata %{SOURCE0}
%convert_certdata %{SOURCE21}
%convert_certdata %{SOURCE22}
%convert_certdata %{SOURCE23}
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
@ -250,7 +250,7 @@ install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
%install_bundles %{SOURCE21} %{p11_format_base_bundle} %{legacy_default_base_bundle} %{legacy_disable_base_bundle}
# Microsoft certs
%install_bundles %{SOURCE22} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle}
%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle}
# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
@ -425,42 +425,48 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
%{_bindir}/bundle2pem.sh
%changelog
* Mon Sep 13 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-7
* Wed Oct 21 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-9
- Switching to the correct source for the Microsoft bundle.
* Mon Sep 13 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-8
- Aligning 'nssckbi.h' with the used 'certdata.txt' version for the Mozilla bundle.
* Mon Sep 13 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-7
- Removing unused 'Requires*'.
* Wed Sep 09 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-6
* Wed Sep 09 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-6
- Adding 2 Microsoft-trusted, intermediate CAs into 'ca-certificates-base'.
* Mon Aug 24 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-5
* Mon Aug 24 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-5
- Adding 'ca-certificates-legacy' to support apps, which only work with
a single cert per *.pem file. Adding a new 'ca-certificates-microsoft' subpackage with CAs trusted through
the Microsoft Trusted Root Program. Converting common steps into parametrized macros.
* Tue Aug 11 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-4
* Tue Aug 11 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-4
- Updating base certificates to current intermediate CAs.
- Re-assigning ownership of legacy bundles from '*-shared' to subpackages creating them.
- Removing commented lines.
* Fri Jul 31 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-3
* Fri Jul 31 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-3
- Changing base certificates to trust packages.microsoft.com.
* Fri Jul 31 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-2
* Fri Jul 31 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-2
- Removed redundant 'ca-bundle.trust.p11-kit' certs bundle.
- Removed unnecessary pre-install step.
- Moved license and config to 'ca-certificates-shared' subpackage
to guarantee these to be always present regardless of the installed
certificates bundle.
* Thu Jul 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.7.20-1
* Thu Jul 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-1
- Updating certdata.txt to Mozilla version from 2020/07/20.
* Thu Jul 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 2020.4.28-4
* Thu Jul 23 2020 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200428-4
- Fixing installation of 'ca-certificates-base` subpackage by making
shared files and directory structure a 'Requires' for all certificate packages.
- Updating '%%uninstall_clean_up' macro to use pk11kit tooling.
- Reordering (Build)Requires to increase clarity.
* Tue May 26 2020 Paul Monson <paulmon@microsoft.com> - 2020.4.28-3
* Tue May 26 2020 Paul Monson <paulmon@microsoft.com> - 20200428-3
- Initial CBL-Mariner import from Fedora 27 (license: MIT).
- License verified.
- Updated Mozilla certdata.txt to latest version from the "FIREFOX_76_0_RELEASE" release.
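
Review bot: The new `20200720-8` changelog entry reuses the date line of the `-7` entry, `Mon Sep 13 2020`, and 13 September 2020 was a Sunday, so rpm will report a bogus date for both; give `-8` the date it was actually made and correct the weekday on `-7`. Rewriting the older entries from `2020.7.20-N` to `20200720-N` is fine since it brings them in line with the `Version:` tag, but the entry for `-9` should say which source replaced which, because "Switching to the correct source" cannot be checked against the `%{SOURCE22}` and `%{SOURCE23}` lines without the `Source` declarations in view.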

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 40
#define NSS_BUILTINS_LIBRARY_VERSION "2.40"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 42
#define NSS_BUILTINS_LIBRARY_VERSION "2.42"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

@ -0,0 +1,5 @@
{
"Signatures": {
"ccache-3.6.tar.gz" : "a3f2b91a2353b65a863c5901251efe48060ecdebec46b5eaec8ea8e092b9e871"
}
}

SPECS/ccache/ccache.spec Normal file

@ -0,0 +1,38 @@
Name: ccache
Summary: Compiler Cache
Version: 3.6
Release: 2%{?dist}
License: BeOpen and BSD and GPLv3+ and (Patrick Powell's and Holger Weiss' license) and Public Domain and Python and zlib
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://ccache.dev
Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
BuildRequires: make
%description
Ccache (or “ccache”) is a compiler cache. It speeds up recompilation by caching previous
compilations and detecting when the same compilation is being done again.
%prep
%setup -q
%build
%configure
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
%files
%license LICENSE.adoc
%doc README.md
%{_mandir}/*
%{_bindir}/ccache
%changelog
* Mon Oct 19 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 3.6-2
- License verified.
- Added 'Vendor' and 'Distribution' tags.
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> 3.6-1
- Original version for CBL-Mariner.

@ -4,7 +4,7 @@
Name: chrony
Version: 3.5.1
Release: 1%{?dist}
Release: 2%{?dist}
Summary: An NTP client/server
Vendor: Microsoft Corporation
Distribution: Mariner
@ -77,13 +77,17 @@ sed -e 's|^pool.*|server time.windows.com|' \
-e 's|#\(keyfile\)|\1|' \
< examples/chrony.conf.example2 > chrony.conf
# use the example chrony-wait service, but comment out the line adding
# chrony-wait as a boot dependency
sed -i '/WantedBy=multi-user.target/s/^/#/g' examples/chrony-wait.service
cat >> chrony.conf << EOF
# Setting larger 'maxdistance' to tolerate time.windows.com delay
maxdistance 16.0
EOF
touch -r examples/chrony.conf.example2 chrony.conf
touch -r examples/chrony.conf.example2 examples/chrony-wait.service chrony.conf
# regenerate the file from getdate.y
rm -f getdate.c
@ -191,6 +195,9 @@ systemctl start chronyd.service
%dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony
%changelog
* Thu Oct 01 2020 Thomas Crain <thcrain@microsoft.com> - 3.5.1-2
- Remove chrony-wait service as a boot dependency
* Tue Sep 01 2020 Mateusz Malisz <mamalisz@microsoft.com> - 3.5.1-1
- Update version to 3.5.1
- Remove gpg signature check

@ -0,0 +1,37 @@
From f7e13c34bc2f820ff124f1425c5d92dbdaa2e8da Mon Sep 17 00:00:00 2001
From: Leandro Pereira <lpereira@linux.microsoft.com>
Date: Thu, 1 Oct 2020 15:51:32 -0700
Subject: [PATCH] CVE-2020-13342: Do not rely on $PATH to find
systemd-ask-password
The execlp() call will look at the $PATH environment variable to
determine which binary to execute; if a binary naemd
"systemd-ask-password" is present, that will be called with the same
privileges as "mount.cifs", which could be elevated as that might be
executed under sudo or the executable might be SUID root. Moreover,
this could be used to exfiltrate the password if somebody has access to
the environment.
This patch makes the call using /usr/bin/systemd-ask-password directly.
Signed-off-by: Leandro Pereira <lpereira@linux.microsoft.com>
---
mount.cifs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 4feb397..af0a796 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1669,7 +1669,8 @@ static int get_passwd_by_systemd(const char *prompt, char *input, int capacity)
if (pid == 0) {
close(fd[0]);
dup2(fd[1], STDOUT_FILENO);
- if (execlp("systemd-ask-password", "systemd-ask-password", prompt, NULL) == -1) {
+ if (execlp("/usr/bin/systemd-ask-password",
+ "/usr/bin/systemd-ask-password", prompt, NULL) == -1) {
fprintf(stderr, "Failed to execute systemd-ask-password: %s\n",
strerror(errno));
}
--
1.8.3.1
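
Review bot: The Subject line names CVE-2020-13342, while the only CVE patches the cifs-utils spec in this commit registers are CVE-2020-14342.patch and CVE-2020-14342-fix.patch; check the identifier in the commit message against the file name before merging. On the code, in the `pid == 0` branch: `execlp()` given a path that contains a slash no longer consults $PATH, which achieves the stated goal, but `execl()` would say so directly and would not silently regress if someone later shortens the first argument to a bare name. The hard-coded `/usr/bin/systemd-ask-password` also assumes where the helper is installed; a build-time define would keep that assumption in one place.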

View File

@ -0,0 +1,121 @@
diff -Naur cifs-utils-6.8.orig/mount.cifs.c cifs-utils-6.8.mod/mount.cifs.c
--- cifs-utils-6.8.orig/mount.cifs.c 2020-09-30 17:26:48.250924409 -0700
+++ cifs-utils-6.8.mod/mount.cifs.c 2020-09-30 17:27:19.002733900 -0700
@@ -1646,6 +1646,73 @@
return 0;
}
+#ifdef ENABLE_SYSTEMD
+static int get_passwd_by_systemd(const char *prompt, char *input, int capacity)
+{
+ int fd[2];
+ pid_t pid;
+ int offs = 0;
+ int rc = 1;
+
+ if (pipe(fd) == -1) {
+ fprintf(stderr, "Failed to create pipe: %s\n", strerror(errno));
+ return 1;
+ }
+
+ pid = fork();
+ if (pid == -1) {
+ fprintf(stderr, "Unable to fork: %s\n", strerror(errno));
+ close(fd[0]);
+ close(fd[1]);
+ return 1;
+ }
+ if (pid == 0) {
+ close(fd[0]);
+ dup2(fd[1], STDOUT_FILENO);
+ if (execlp("systemd-ask-password", "systemd-ask-password", prompt, NULL) == -1) {
+ fprintf(stderr, "Failed to execute systemd-ask-password: %s\n",
+ strerror(errno));
+ }
+ exit(1);
+ }
+
+ close(fd[1]);
+ for (;;) {
+ if (offs+1 >= capacity) {
+ fprintf(stderr, "Password too long.\n");
+ kill(pid, SIGTERM);
+ rc = 1;
+ break;
+ }
+ rc = read(fd[0], input + offs, capacity - offs);
+ if (rc == -1) {
+ fprintf(stderr, "Failed to read from pipe: %s\n", strerror(errno));
+ rc = 1;
+ break;
+ }
+ if (!rc)
+ break;
+ offs += rc;
+ input[offs] = '\0';
+ }
+ if (wait(&rc) == -1) {
+ fprintf(stderr, "Failed to wait child: %s\n", strerror(errno));
+ rc = 1;
+ goto out;
+ }
+ if (!WIFEXITED(rc) || WEXITSTATUS(rc)) {
+ rc = 1;
+ goto out;
+ }
+
+ rc = 0;
+
+out:
+ close(fd[0]);
+ return rc;
+}
+#endif
+
/*
* If systemd is running and systemd-ask-password --
* is available, then use that else fallback on getpass(..)
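
Review bot: In the read loop of `get_passwd_by_systemd()`, `read(fd[0], input + offs, capacity - offs)` can return exactly `capacity - offs` bytes, after which `input[offs] = '\0'` writes at index `capacity`; if `capacity` is the full size of `input`, that is one byte past the buffer. Reading at most `capacity - offs - 1` bytes keeps room for the terminator and lets the `offs+1 >= capacity` test act as the length limit it is meant to be. Smaller points in the same function: the return value of `dup2()` is not checked before the exec, and a `read()` that fails with EINTR is treated as a hard failure instead of being retried.
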
@@ -1659,35 +1726,22 @@
int is_systemd_running;
struct stat a, b;
+ memset(input, 0, capacity);
+
/* We simply test whether the systemd cgroup hierarchy is
* mounted */
is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
&& (lstat("/sys/fs/cgroup/systemd", &b) == 0)
&& (a.st_dev != b.st_dev);
- if (is_systemd_running) {
- char *cmd, *ret;
- FILE *ask_pass_fp = NULL;
-
- cmd = ret = NULL;
- if (asprintf(&cmd, "systemd-ask-password \"%s\"", prompt) >= 0) {
- ask_pass_fp = popen (cmd, "re");
- free (cmd);
- }
-
- if (ask_pass_fp) {
- ret = fgets(input, capacity, ask_pass_fp);
- pclose(ask_pass_fp);
- }
-
- if (ret) {
- int len = strlen(input);
- if (input[len - 1] == '\n')
- input[len - 1] = '\0';
- return input;
- }
+ if (is_systemd_running && !get_passwd_by_systemd(prompt, input, capacity)) {
+ int len = strlen(input);
+ if (input[len - 1] == '\n')
+ input[len - 1] = '\0';
+ return input;
}
#endif
+ memset(input, 0, capacity);
/*
* Falling back to getpass(..)
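
Review bot: In the rewritten `if (is_systemd_running && !get_passwd_by_systemd(prompt, input, capacity))` block, `input[len - 1]` is read without checking `len`. When the helper exits 0 but writes nothing, `input` is still the zeroed buffer from the `memset()` above, `len` is 0 and the test reads `input[-1]`. The removed popen() version only reached this test after `fgets()` had returned data, so the empty case is new with this hunk; guard the newline strip with `len > 0`.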

@ -1,12 +1,16 @@
Summary: cifs client utils
Name: cifs-utils
Version: 6.8
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv3
URL: http://wiki.samba.org/index.php/LinuxCIFS_utils
Group: Applications/Nfs-utils-client
Source0: https://ftp.samba.org/pub/linux-cifs/cifs-utils/cifs-utils-%{version}.tar.bz2
%define sha1 cifs-utils=3440625e73a2e8ea58c63c61b46a61f5b7f95bac
Patch0: CVE-2020-14342.patch
Patch1: CVE-2020-14342-fix.patch
Vendor: Microsoft Corporation
Distribution: Mariner
BuildRequires: libcap-ng-devel
@ -26,7 +30,7 @@ Requires: cifs-utils = %{version}-%{release}
Provides header files needed for Cifs-Utils development.
%prep
%setup -q
%autosetup
%build
autoreconf -fiv &&./configure --prefix=%{_prefix}
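
Review bot: `%autosetup` is called here without a strip level, while both patch files added for cifs-utils use prefixed paths (`a/mount.cifs.c` and `cifs-utils-6.8.orig/mount.cifs.c`). State it explicitly with `%autosetup -p1`, as the ed and gnutls specs in this commit do, instead of relying on the default. Patch order also matters: the patch that switches to `/usr/bin/systemd-ask-password` edits `get_passwd_by_systemd()`, which the other patch adds, so a one-line comment above the two `Patch` tags saying so would help the next person who touches them.
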
@ -48,9 +52,10 @@ make %{?_smp_mflags} check
%{_includedir}/cifsidmap.h
%changelog
* Sat May 09 00:20:52 PST 2020 Nick Samson <nisamson@microsoft.com> - 6.8-3
* Wed Sep 30 2020 Henry Beberman <henry.beberman@microsoft.com> 6.8-4
- Add patch for CVE-2020-14342
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 6.8-3
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.8-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Fri Sep 07 2017 Ajay Kaher <akaher@vmware.com> 6.8-1

@ -0,0 +1,5 @@
{
"Signatures": {
"clamav-0.101.2.tar.gz": "0a12ebdf6ff7a74c0bde2bdc2b55cae33449e6dd953ec90824a9e01291277634"
}
}

SPECS/clamav/clamav.spec Normal file
@ -0,0 +1,77 @@
%{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
%{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Summary: Open source antivirus engine
Name: clamav
Version: 0.101.2
Release: 3%{?dist}
License: ASL 2.0 and BSD and bzip2-1.0.4 and GPLv2 and LGPLv2+ and MIT and Public Domain and UnRar
Group: System Environment/Security
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://www.clamav.net
Source0: %{url}/downloads/production/%{name}-%{version}.tar.gz
BuildRequires: libtool
BuildRequires: zlib-devel
# Workaround for coreutils missing requirement flex
BuildRequires: flex-devel
# Required to produce systemd files
BuildRequires: systemd-devel
BuildRequires: openssl-devel
Requires: zlib
Requires: openssl
%description
ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations
including email scanning, web scanning, and end point security. It provides a number
of utilities including a flexible and scalable multi-threaded daemon, a command
line scanner and an advanced tool for automatic database updates.
%prep
%setup -q
%build
%configure
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
%check
make %{?_smp_mflags} check
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%files
%defattr(-,root,root)
%license COPYING COPYING.bzip2 COPYING.file COPYING.getopt COPYING.LGPL COPYING.llvm COPYING.lzma COPYING.pcre COPYING.regex COPYING.unrar COPYING.YARA COPYING.zlib
%{_bindir}/*
%{_sysconfdir}/*.sample
%{_includedir}/*.h
%{_libdir}/*.la
%{_libdir}/*.so
%{_libdir}/*.so.*
%{_libdir}/pkgconfig/*.pc
/lib/systemd/*
%{_sbindir}/*
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%changelog
* Mon Oct 19 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 0.101.2-3
- License verified.
- Added %%license macro.
- Switching to using the %%configure macro.
- Extended package's summary and description.
* Wed Oct 02 2019 Mateusz Malisz <mamalisz@microsoft.com> 0.101.2-2
- Fix vendor and distribution. Add systemd files to the list.
* Thu Jul 25 2019 Chad Zawistowski <chzawist@microsoft.com> 0.101.2-1
- Initial CBL-Mariner import from Azure.

@ -0,0 +1,5 @@
{
"Signatures": {
"cloud-init-vmware-guestinfo-1.3.1.tar.gz": "1f6c74b75d3697d62f0b5b8613e0d66bc06b2fd962f9b7c827c459d8c72505b9"
}
}

@ -0,0 +1,43 @@
%{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
Name: cloud-init-vmware-guestinfo
Version: 1.3.1
Release: 2%{?dist}
Summary: A cloud-init datasource for VMware
Group: System/Management
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/vmware/cloud-init-vmware-guestinfo
#Source0: https://github.com/vmware/%{name}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: python3
Requires: cloud-init
BuildArch: noarch
%description
Provides a cloud-init datasource for pulling meta, user,
and vendor data from VMware vSphere's GuestInfo interface.
%prep
%setup -q
%build
%install
install -dm 0755 %{buildroot}%{_sysconfdir}/cloud/cloud.cfg.d
install -m 0644 99-DataSourceVMwareGuestInfo.cfg %{buildroot}%{_sysconfdir}/cloud/cloud.cfg.d/99-DataSourceVMwareGuestInfo.cfg
install -dm 0755 %{buildroot}%{python3_sitelib}/cloudinit/sources/
install -m 0644 DataSourceVMwareGuestInfo.py %{buildroot}%{python3_sitelib}/cloudinit/sources/DataSourceVMwareGuestInfo.py
%files
%license LICENSE
%config %{_sysconfdir}/cloud/cloud.cfg.d/99-DataSourceVMwareGuestInfo.cfg
%{python3_sitelib}/cloudinit/sources/DataSourceVMwareGuestInfo.py
%changelog
* Mon Oct 12 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 1.3.1-2
- Adding a missing %%{?dist} tag.
* Thu Sep 17 2020 Mateusz Malisz <mamalisz@microsoft.com> 1.3.1-1
- Original version for CBL-Mariner.
- License Verified
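
Review bot: In `%files`, `99-DataSourceVMwareGuestInfo.cfg` is tagged plain `%config`, so a package update installs the new copy over an administrator's edited one (rpm keeps the old file only as `.rpmsave`); for a file that configures the cloud-init datasource, `%config(noreplace)` is the safer default. Separately, `Source0` points at a local `%{name}-%{version}.tar.gz` with the upstream URL left in a comment, so the spec should record how that tarball was derived from `v%{version}.tar.gz`, which lets the hash in signatures.json be reproduced.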

@ -1,7 +1,7 @@
Summary: An URL retrieval utility and library
Name: curl
Version: 7.68.0
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
URL: http://curl.haxx.se
Group: System Environment/NetworkingLibraries
@ -49,7 +49,7 @@ This package contains minimal set of shared curl libraries.
--with-ssl \
--with-gssapi \
--with-libssh2 \
--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.crt \
--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.trust.crt \
--with-ca-path=/etc/ssl/certs
make %{?_smp_mflags}
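
Review bot: `--with-ca-bundle=/etc/pki/tls/certs/ca-bundle.trust.crt` becomes a compiled-in default for libcurl, but the visible spec changes add neither a `Requires` on the certificates package release that ships this file nor a `%check` step that validates a certificate against it. Add one of the two, so that a missing or differently formatted bundle shows up at build or install time and not as TLS verification failures at run time.
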
@ -89,6 +89,8 @@ rm -rf %{buildroot}/*
%{_libdir}/libcurl.so.*
%changelog
* Wed Oct 07 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 7.68.0-3
- Updating certificate bundle path to include full set of trust information.
* Mon Sep 28 2020 Ruying Chen <v-ruyche@microsoft.com> 7.68.0-2
- Add explicit provides for libcurl and libcurl-devel
* Tue Aug 11 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 7.68.0-1

@ -1,7 +1,7 @@
Summary: Ed - A line-oriented text editor
Name: ed
Version: 1.14.2
Release: 7%{?dist}
Release: 8%{?dist}
URL: https://www.gnu.org/software/ed/
License: GPLv3
Group: Applications/System
@ -10,11 +10,15 @@ Distribution: Mariner
# Official source under https://ftp.gnu.org/gnu/ed/ed-1.14.2.tar.lz.
# We don't have lzip to decompress it.
Source0: https://src.fedoraproject.org/repo/pkgs/%{name}/%{name}-%{version}.tar.xz/sha512/de838a6df785c7dc80f4b5ba84330bbe743983fd81218321d4ab84c4c3688fdafb4c005502f3228f0bfa2b6bcf342d64d9523ab73ee440b4f305a033f567cbc2/%{name}-%{version}.tar.xz
# CVE-2015-2987 applies to a different program named ED
Patch0: CVE-2015-2987.nopatch
%description
Ed - A line-oriented text editor
%prep
%setup -q
%autosetup -p1
%build
./configure \
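
Review bot: `%autosetup -p1` applies every declared `PatchN`, so `Patch0: CVE-2015-2987.nopatch` is now fed to patch(1) during `%prep` even though it is only a marker that the CVE applies to a different program. Confirm the build tolerates that input, or keep the marker out of the list `%autosetup` walks, for example by using `%autosetup -N` and applying real patches explicitly.
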
@ -42,6 +46,9 @@ make %{?_smp_mflags} check
%{_mandir}/man1/*
%changelog
* Wed Oct 14 2020 Henry Beberman <henry.beberman@microsoft.com> 1.14.2-8
- Nopatch CVE-2015-2987. Applies to a different program named ed.
- Switch setup to autosetup
* Wed Aug 05 2020 Andrew Phelps <anphel@microsoft.com> 1.14.2-7
- Remove conflicting 'dir' file from _infodir
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.14.2-6

@ -0,0 +1,5 @@
{
"Signatures": {
"fluent-bit-1.4.1.tar.gz" : "f5e2e10133d2a266e508db9d95e425108a1a7e43ca713bedd0d9005d962b0cff"
}
}

@ -0,0 +1,58 @@
%define _build_id_links none
Name: fluent-bit
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
Version: 1.4.1
Release: 2%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://fluentbit.io
#Source0: https://github.com/fluent/%{name}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: cmake
%description
Fluent Bit is a fast Log Processor and Forwarder for Linux, Embedded Linux, MacOS and BSD
family operating systems. It's part of the Fluentd Ecosystem and a CNCF sub-project.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
Development files for %{name}
%prep
%setup -q
%build
cd build
cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} ..
make %{?_smp_mflags}
%install
cd build
make install DESTDIR=%{buildroot}
%files
%license LICENSE
%doc README.md
%exclude /usr/src/debug
/lib/systemd/system/fluent-bit.service
%{_bindir}/*
/usr/etc/fluent-bit/*
%files devel
%{_includedir}/*
/usr/lib64/*.so
%changelog
* Mon Oct 19 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 1.4.1-2
- License verified.
- Fixed source URL.
- Added 'Vendor' and 'Distribution' tags.
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> 1.4.1-1
- Original version for CBL-Mariner.

@ -1,5 +1,5 @@
{
"Signatures": {
"fontconfig-2.13.1.tar.gz": "9f0d852b39d75fc655f9f53850eb32555394f36104a044bb2b2fc9e66dbbfa7f"
"fontconfig-2.13.91.tar.gz": "19e5b1bc9d013a52063a44e1307629711f0bfef35b9aca16f9c793971e2eb1e5"
}
}

@ -1,7 +1,7 @@
Summary: library for configuring and customizing font access.
Name: fontconfig
Version: 2.13.1
Release: 4%{?dist}
Version: 2.13.91
Release: 1%{?dist}
License: BSD/GPL
URL: https://www.freedesktop.org/wiki/Software/fontconfig/
Group: System Environment/Libraries
@ -13,6 +13,7 @@ BuildRequires: libxml2
BuildRequires: expat-devel
BuildRequires: gperf
Provides: pkgconfig(fontconfig)
%description
Fontconfig can discover new fonts when installed automatically, removing a common source of configuration problems, perform font name substitution, so that appropriate alternative fonts can be selected if fonts are missing, identify the set of fonts required to completely cover a set of languages.
@ -32,6 +33,7 @@ It contains the libraries and header files to create applications
--localstatedir=/var \
--docdir=/usr/share/doc/%{name}-%{version} \
--disable-static
make %{?_smp_mflags}
%install
@ -66,9 +68,10 @@ make -k check
%{_mandir}/man3/*
%changelog
* Sat May 09 00:20:59 PST 2020 Nick Samson <nisamson@microsoft.com> - 2.13.1-4
* Mon Oct 5 2020 Mateusz Malisz <mamalisz@microsoft.com> - 2.13.91-1
- Update to 2.13.91
* Sat May 9 2020 Nick Samson <nisamson@microsoft.com> - 2.13.1-4
- Added %%license line automatically
* Fri Apr 17 2020 Nicolas Ontiveros <niontive@microsoft.com> 2.13.1-3
- Rename freetype2-devel to freetype-devel.
- Remove sha1 hash.

@ -0,0 +1,5 @@
{
"Signatures": {
"gflags-2.2.2.tar.gz": "34af2f15cf7367513b352bdcd2493ab14ce43692d2dcd9dfc499492966c64dcf"
}
}

SPECS/gflags/gflags.spec Normal file
@ -0,0 +1,65 @@
Name: gflags
Summary: The gflags package contains a C++ library that implements commandline flags processing.
Version: 2.2.2
Release: 3%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://gflags.github.io/gflags/
#Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: cmake
BuildRequires: build-essential
%description
The gflags package contains a C++ library that implements commandline flags processing.
It includes built-in support for standard types such as string and the ability to define
flags in the source file in which they are used.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
Development files for %{name}
%prep
%setup -q
%build
mkdir build
cd build
%cmake -DBUILD_SHARED_LIBS=ON ..
make %{?_smp_mflags}
%install
cd build
make install DESTDIR=%{buildroot}
# Remove unused files
rm %{buildroot}/root/.cmake/packages/gflags/*
%files
%doc README.md
%license COPYING.txt
%{_bindir}/*
%{_libdir}/*.so*
%files devel
%{_includedir}/*
%{_libdir}/cmake/%{name}
%{_libdir}/*.so
%{_libdir}/pkgconfig/gflags.pc
%changelog
* Thu Oct 08 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.2.2-3
- License verified.
- Added %%license macro.
- Added debug package.
- Fixed extra file exclude.
- Fixed 'Source0' URL.
* Fri Jun 05 2020 Jonathan Chiu <jochi@microsoft.com> 2.2.2-2
- Exclude extra files
* Thu Apr 09 2020 Jonathan Chiu <jochi@microsoft.com> 2.2.2-1
- Original version for CBL-Mariner.

@ -1,7 +1,7 @@
Summary: Fast distributed version control system
Name: git
Version: 2.23.3
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2
URL: https://git-scm.com/
Group: System Environment/Programming
@ -57,10 +57,7 @@ install -m 0644 contrib/completion/git-completion.bash %{buildroot}/usr/share/ba
%{_fixperms} %{buildroot}/*
%check
# git expect nonroot user to run tests
chmod g+w . -R
useradd test -G root -m
sudo -u test make %{?_smp_mflags} test
make %{?_smp_mflags} test
%post
if [ $1 -eq 1 ];then
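
Review bot: The `%check` section now runs `make %{?_smp_mflags} test` directly, and the lines it replaces (`useradd test -G root -m`, `sudo -u test make ...`) show that this step executes as root in the build environment. The replaced comment said git expects a non-root user for its tests, and tests that depend on file-permission checks are skipped under root, so say in the changelog entry what "Fix check test" fixed and that the reduced coverage is accepted. Dropping the `useradd test -G root` workaround is welcome in itself, since it placed the test account in the root group.
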
@ -92,6 +89,8 @@ rm -rf %{buildroot}/*
%defattr(-,root,root)
%changelog
* Mon Oct 19 2020 Andrew Phelps <anphel@microsoft.com> 2.23.3-3
- Fix check test
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 2.23.3-2
- Use new perl package names.
- Provide git-core.

@ -0,0 +1,97 @@
diff --git a/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 b/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8
new file mode 100644
index 0000000000000000000000000000000000000000..73a2d97ba20483dc4f8c7766a043cb737e27c942
Binary files /dev/null and b/fuzz/gnutls_client_fuzzer.in/00ea40761ce11e769f1817a04b3d3f7dcc0ab4571cf0df3b67ab7e1005e9e7a8 differ
diff --git a/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c b/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c
new file mode 100644
index 0000000000000000000000000000000000000000..7ebb883f4d4c3401f32834f3bcc725d2404996f5
Binary files /dev/null and b/fuzz/gnutls_psk_client_fuzzer.in/b16434290b77e13d7a983d1da801fb3c6d1f7f846f227721e221adea08aa319c differ
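
Review bot: The two `fuzz/...` entries at the top of this patch are `Binary files /dev/null and b/... differ` stubs with no payload, so patch(1) cannot create those corpus files and the regression inputs that came with the upstream fix are not part of the build. Drop the stubs so the patch file contains only hunks that apply, and note next to `Patch0` in the spec that the fuzz corpus was omitted.
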
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index bb6c19713851e1f59f98237b587deb86429ad0e0..31cec5c0cddbe2562d726368bebc5bba224f534c 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1370,6 +1370,7 @@ typedef struct {
#define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
#define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
#define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
/* The hsk_flags are for use within the ongoing handshake;
* they are reset to zero prior to handshake start by gnutls_handshake. */
diff --git a/lib/handshake.c b/lib/handshake.c
index b40f84b3d972057be1c2dccdbc2f4fc4ab2948a8..ce2d160e2077c6d971de58e63ec86b9b035af853 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -2061,6 +2061,8 @@ read_server_hello(gnutls_session_t session,
if (ret < 0)
return gnutls_assert_val(ret);
+ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
+
return 0;
}
@@ -2585,16 +2587,42 @@ int gnutls_rehandshake(gnutls_session_t session)
return 0;
}
+/* This function checks whether the error code should be treated fatal
+ * or not, and also does the necessary state transition. In
+ * particular, in the case of a rehandshake abort it resets the
+ * handshake's internal state.
+ */
inline static int
_gnutls_abort_handshake(gnutls_session_t session, int ret)
{
- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
- return 0;
+ switch (ret) {
+ case GNUTLS_E_WARNING_ALERT_RECEIVED:
+ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
+ /* The server always toleretes a "no_renegotiation" alert. */
+ if (session->security_parameters.entity == GNUTLS_SERVER) {
+ STATE = STATE0;
+ return ret;
+ }
+
+ /* The client should tolerete a "no_renegotiation" alert only if:
+ * - the initial handshake has completed, or
+ * - a Server Hello is not yet received
+ */
+ if (session->internals.initial_negotiation_completed ||
+ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
+ STATE = STATE0;
+ return ret;
+ }
- /* this doesn't matter */
- return GNUTLS_E_INTERNAL_ERROR;
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+ }
+ return ret;
+ case GNUTLS_E_GOT_APPLICATION_DATA:
+ STATE = STATE0;
+ return ret;
+ default:
+ return ret;
+ }
}
@@ -2756,13 +2784,7 @@ int gnutls_handshake(gnutls_session_t session)
}
if (ret < 0) {
- /* In the case of a rehandshake abort
- * we should reset the handshake's internal state.
- */
- if (_gnutls_abort_handshake(session, ret) == 0)
- STATE = STATE0;
-
- return ret;
+ return _gnutls_abort_handshake(session, ret);
}
/* clear handshake buffer */

@ -1,7 +1,7 @@
Summary: The GnuTLS Transport Layer Security Library
Name: gnutls
Version: 3.6.14
Release: 1%{?dist}
Release: 3%{?dist}
License: GPLv3+ and LGPLv2+
URL: https://www.gnutls.org
Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
@ -22,6 +22,8 @@ Requires: gmp
Requires: guile
Requires: gc
Patch0: CVE-2020-24659.patch
%description
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. It is aimed to be portable and efficient with focus on security and interoperability.
@ -36,7 +38,8 @@ The package contains libraries and header files for
developing applications that use gnutls.
%prep
%setup -q
%autosetup -p1
%build
%configure \
@ -44,7 +47,7 @@ developing applications that use gnutls.
--disable-openssl-compatibility \
--with-included-unistring \
--with-system-priority-file=%{_sysconfdir}/gnutls/default-priorities \
--with-default-trust-store-file=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
--with-default-trust-store-file=%{_sysconfdir}/pki/tls/certs/ca-bundle.trust.crt \
--with-default-trust-store-dir=%{_sysconfdir}/ssl/certs
make %{?_smp_mflags}
@ -88,6 +91,11 @@ make %{?_smp_mflags} check
%{_mandir}/man3/*
%changelog
* Wed Oct 21 2020 Henry Beberman <henry.beberman@microsoft.com> 3.6.14-3
- Apply patch for CVE-2020-24659 from upstream.
- Switch setup to autosetup.
* Wed Oct 07 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 3.6.14-2
- Updating certificate bundle path to include full set of trust information.
* Fri Aug 21 2020 Andrew Phelps <anphel@microsoft.com> 3.6.14-1
- Update to version 3.6.14 for CVE-2020-13777
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 3.6.8-3

@ -1,6 +1,6 @@
{
"Signatures": {
"go1.13.11.src.tar.gz": "89ed1abce25ad003521c125d6583c93c1280de200ad221f961085200a6c00679",
"go1.13.15.src.tar.gz": "5fb43171046cf8784325e67913d55f88a683435071eef8e9da1aa8a1588fcf5d",
"go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
}
}

@ -14,7 +14,7 @@
Summary: Go
Name: golang
Version: 1.13.11
Version: 1.13.15
Release: 1%{?dist}
License: BSD
URL: https://golang.org
@ -124,9 +124,11 @@ rm -rf %{buildroot}/*
%{_bindir}/*
%changelog
* Tue Sep 08 2020 Nicolas Ontiveros <niontive@microsoft.com> 1.13.15-1
- Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845.
* Sun May 24 2020 Mateusz Malisz <mamalisz@microsoft.com> 1.13.11-1
- Updated to version 1.13.11
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.12.5-7
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.12.5-7
- Added %%license line automatically
* Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> 1.12.5-6
- Renaming go to golang

@ -0,0 +1 @@
# No patch has been made available for CVE-2000-0803

@ -1,19 +1,15 @@
Summary: Programs for processing and formatting text
Name: groff
Version: 1.22.3
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv3+
URL: http://www.gnu.org/software/groff
Group: Applications/Text
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: http://ftp.gnu.org/gnu/groff/%{name}-%{version}.tar.gz
%define sha1 groff=61a6808ea1ef715df9fa8e9b424e1f6b9fa8c091
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl-DBI
Requires: perl-DBIx-Simple
Requires: perl-DBD-SQLite
Requires: perl-File-HomeDir
# No patch has been made available for CVE-2000-0803
Patch0: CVE-2000-0803.nopatch
Provides: perl(oop_fh.pl) = %{version}-%{release}
Provides: perl(main_subs.pl) = %{version}-%{release}
@ -21,6 +17,12 @@ Provides: perl(man.pl) = %{version}-%{release}
Provides: perl(subs.pl) = %{version}-%{release}
Provides: groff-base = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl-DBI
Requires: perl-DBIx-Simple
Requires: perl-DBD-SQLite
Requires: perl-File-HomeDir
%description
The Groff package contains programs for processing
and formatting text.
@ -45,10 +47,13 @@ rm -rf %{buildroot}%{_infodir}
%{_defaultdocdir}/%{name}-%{version}/*
%{_datarootdir}/%{name}/*
%{_mandir}/*/*
%changelog
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 1.22.3-5
* Mon Oct 12 2020 Joe Schmitt <joschmit@microsoft.com> 1.22.3-6
- Use new perl package names.
- Provide groff-base.
* Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 1.22.3-5
- Nopatch CVE-2000-0803.nopatch
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.22.3-4
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.22.3-3

@ -0,0 +1 @@
# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" on https://httpd.apache.org/docs/2.4/misc/security_tips.html

@ -0,0 +1 @@
# CVE-1999-1412 applies only to MacOS X

@ -0,0 +1,9 @@
# CVE-2007-0086 has been disputed to be an actual vulnerability. Official Red Hat statement from 1st of November 2007:
"Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement
packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file.
The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop
sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default."
In case of CBL-Mariner the default max TCP send buffer size is set to 4 MBs as well.
The configuration is available under '/proc/sys/net/ipv4/tcp_wmem'.
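
Review bot: The justification rests on a system default: the last two lines say the maximum TCP send buffer is 4 MB and point at `/proc/sys/net/ipv4/tcp_wmem`, but nothing records that the nopatch rationale stops holding once an administrator or image raises that maximum. Add a sentence saying so, and name which of the three `tcp_wmem` fields is the limit being relied on, so the note can be re-verified when kernel defaults change.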

@ -1,7 +1,7 @@
Summary: The Apache HTTP Server
Name: httpd
Version: 2.4.46
Release: 1%{?dist}
Release: 3%{?dist}
License: ASL 2.0
URL: https://httpd.apache.org/
Group: Applications/System
@ -11,6 +11,13 @@ Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.b
Patch0: httpd-blfs_layout-1.patch
Patch1: httpd-uncomment-ServerName.patch
# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" at https://httpd.apache.org/docs/2.4/misc/security_tips.html
Patch100: CVE-1999-0236.nopatch
# CVE-1999-1412 applies only to MacOS X
Patch101: CVE-1999-1412.nopatch
# CVE-2007-0086 has been disputed to not be a vulnerability since 2007 due to default system configurations securing against it.
Patch102: CVE-2007-0086.nopatch
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: pcre-devel
@ -185,17 +192,18 @@ fi
%{_bindir}/dbmmanage
%changelog
* Tue Oct 06 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.4.46-3
- Mark CVE-2007-0086 as nopatch
* Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 2.4.46-2
- Mark CVE-1999-0236 CVE-1999-1412 as nopatch
* Tue Aug 18 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.4.46-1
- Updated to 2.4.46 to resolve CVE-2020-11984.
* Tue May 19 2020 Ruying Chen <v-ruyche@microsoft.com> 2.4.43-1
- Updated to 2.4.43 to resolve the following CVEs
- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097
- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934
* Sat May 09 00:20:57 PST 2020 Nick Samson <nisamson@microsoft.com> - 2.4.39-4
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 2.4.39-4
- Added %%license line automatically
* Tue Apr 07 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.4.39-3
- Updated and verified 'Source0', 'Patch0' and 'URL' tags.
- License verified.

@ -1,7 +1,7 @@
Summary: initramfs
Name: initramfs
Version: 2.0
Release: 5%{?dist}
Release: 6%{?dist}
Source0: fscks.conf
License: Apache License
Group: System Environment/Base
@ -66,6 +66,22 @@ mkdir -p %{_localstatedir}/lib/rpm-state/initramfs \
touch %{_localstatedir}/lib/rpm-state/initramfs/regenerate \
echo "initramfs (re)generation" %* >&2
# kdump currently uses the host system's initrd when enrolling a crash kernel
# and initrd. There is a limitation where the kdump initrd must be generated
# with dracut in "host-only" mode.
#
# The -k option forces "host-only" initrd build for the specified kernel version.
# The -q option suppresses verbose output
#
# If mkinitrd is called without <image> and <kernel-version> parameters, it will
# default to invoking dracut in "host-mode" mode on every kernel version it can
# find in /boot.
#
# If mkinitrd is called with <image> and <kernel-version> parameters, it will
# default to invoking dracut in "generic host" mode to create an initrd.
#
# So in order to be compatible with kdump, we need to make sure to add the -k
# option when invoking mkinitrd with an explicit <image> and <kernel version>
%define file_trigger_action() \
cat > /dev/null \
if [ -f %{_localstatedir}/lib/rpm-state/initramfs/regenerate ]; then \
@ -74,7 +90,7 @@ if [ -f %{_localstatedir}/lib/rpm-state/initramfs/regenerate ]; then \
elif [ -d %{_localstatedir}/lib/rpm-state/initramfs/pending ]; then \
for k in `ls %{_localstatedir}/lib/rpm-state/initramfs/pending/`; do \
echo "(re)generate initramfs for $k," %* >&2 \
mkinitrd -q /boot/initrd.img-$k $k \
mkinitrd -q /boot/initrd.img-$k $k -k \
done; \
fi \
%removal_action
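Review bot: The `-k` added to the `mkinitrd` call in the pending-kernel loop applies to every file-triggered regeneration, not only to systems that use kdump. Per the comment added in the previous hunk, `-k` forces a host-only initrd, so each initrd produced here is tailored to the machine the trigger runs on. Please state in the comment or the changelog that this trade-off is intended for all installs, or gate the option on kdump being present.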
@ -111,6 +127,8 @@ echo "initramfs" %{version}-%{release} "postun" >&2
%dir %{_localstatedir}/lib/initramfs/kernel
%changelog
* Thu Oct 01 2020 Chris Co <chrco@microsoft.com> 2.0-6
- Update file-triggered initrd generation to workaround kdump initrd limitations
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 2.0-5
- Initial CBL-Mariner import from Photon (license: Apache2).
* Mon Aug 27 2018 Dheeraj Shetty <dheerajs@vmware.com> 2.0-4

@ -0,0 +1,5 @@
{
"Signatures": {
"ivykis-0.42.4.tar.gz" : "1ce0341648daedd6d5408e8512bf3999d9aa4f1c1d1432f5eeb37436c9dbecdd"
}
}

SPECS/ivykis/ivykis.spec Normal file

@ -0,0 +1,48 @@
Name: ivykis
Summary: Library for asynchronous I/O readiness notification
Version: 0.42.4
Release: 2%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/buytenh/ivykis
#Source0: %{url}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
%description
Ivykis is a library for asynchronous I/O readiness notification.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
Development files for %{name}
%prep
%setup -q
%build
%configure
make %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install
%files
%license COPYING
%{_libdir}/*.so.*
%{_mandir}/man3/*.3.gz
%files devel
%{_libdir}/{*.a,*.la,*.so}
%{_libdir}/pkgconfig/%{name}.pc
%{_includedir}/*
%changelog
* Mon Oct 19 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 0.42.4-2
- License verified.
- Added source URL.
- Added 'URL', 'Vendor', and 'Distribution' tags.
* Mon Apr 13 2020 Jonathan Chiu <jochi@microsoft.com> 0.42.4-1
- Original version for CBL-Mariner.
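Review bot: `%files devel` packages libtool archives (`%{_libdir}/{*.a,*.la,*.so}`), while the libestr, liblogging and libxml++ specs in this same change delete `*.la` files in `%install`. Suggest adding the same `find %{buildroot} -type f -name "*.la" -delete -print` step and dropping `*.la` from the file list. The devel subpackage also requires `%{name} = %{version}` without `%{release}`, unlike jsonbuilder's `%{version}-%{release}`, so a devel package can be paired with a library from a different release.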

@ -0,0 +1,5 @@
{
"Signatures": {
"jsonbuilder-0.2.1.tar.gz": "185010e7e4de00040d0245cd03d3a638698eabadd3b0e4f0591ad9f0f41d5158"
}
}

@ -0,0 +1,68 @@
Summary: Modern C++ library for an efficient container for building JSON objects
Name: jsonbuilder
Version: 0.2.1
Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment
URL: https://github.com/microsoft/jsonbuilder
#Source0: https://github.com/microsoft/%{name}/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
BuildRequires: catch-devel
BuildRequires: cmake
BuildRequires: gcc
BuildRequires: util-linux-devel
%description
JsonBuilder is a small C++ library for building a space-efficient binary representation of structured data and,
when ready, rendering it to JSON. The library offers STL-like syntax for adding and finding data as well as STL-like
iterators for efficiently tracking location.
%package devel
Summary: Development files for jsonbuilder
Group: System Environment/Libraries
Requires: jsonbuilder = %{version}-%{release}
%description devel
This package contains the headers and symlinks for using jsonbuilder from libraries and applications.
%prep
%setup -q
%build
mkdir build && cd build
%cmake ..
%make_build
%check
make test -C build
%install
%make_install -C build
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license LICENSE
%doc README.md
%{_libdir}/libjsonbuilder.so.*
%files devel
%defattr(-,root,root)
%{_libdir}/libjsonbuilder.so
%{_libdir}/cmake/jsonbuilder
%{_includedir}/jsonbuilder
%changelog
* Wed Oct 07 2020 Thomas Crain <thcrain@microsoft.com> - 0.2.1-2
- Updated #Source0 URL
- Verified License field and %%license macro
* Fri Aug 28 2020 Francisco Huelsz Prince <frhuelsz@microsoft.com> - 0.2.1-1
- Update to v0.2.1
* Wed Feb 12 2020 Nick Bopp <nichbop@microsoft.com> - 0.2-1
- Original version for CBL-Mariner.

@ -2,7 +2,7 @@
Summary: Linux Kernel optimized for Hyper-V
Name: kernel-hyperv
Version: 5.4.51
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
URL: https://github.com/microsoft/WSL2-Linux-Kernel
Group: System Environment/Kernel
@ -202,7 +202,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
%postun
if [ ! -e /boot/mariner.cfg ]
then
if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
ls /boot/linux-*.cfg 1> /dev/null 2>&1
if [ $? -eq 0 ]
then
list=`ls -tu /boot/linux-*.cfg | head -n1`
test -n "$list" && ln -sf "$list" /boot/mariner.cfg
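Review bot: In `%postun`, the standalone `ls` followed by `if [ $? -eq 0 ]` is fragile, because any command later inserted between the two lines changes what `$?` refers to. Testing the command directly, as in `if ls /boot/linux-*.cfg 1> /dev/null 2>&1`, keeps the check and the command together and behaves the same.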
@ -257,6 +258,8 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_libdir}/perf/include/bpf/*
%changelog
* Wed Sep 30 2020 Emre Girgin <mrgirgin@microsoft.com> 5.4.51-4
- Update postun script to deal with removal in case of another installed kernel.
* Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-3
- Add code to check for missing config flags in the checked in configs
* Tue Sep 01 2020 Chris Co <chrco@microsoft.com> 5.4.51-2

@ -0,0 +1,3 @@
CVE-2010-3865 - Already patched in 5.4.51 stable kernel
Upstream commit - 1b1f693d7ad6d193862dcb1118540a030c5e761f
Same commit id in stable branch

@ -0,0 +1,3 @@
CVE-2020-10757 - Already patched in 5.4.51 stable kernel
Upstream commit - 5bfea2d9b17f1034a68147a8b03b9789af5700f9
Stable commit - 5a047df0b5fce377df37de75380321d1c8ca07a0

@ -0,0 +1,3 @@
CVE-2020-11668 - Already patched in 5.4.51 stable kernel
Upstream commit - a246b4d547708f33ff4d4b9a7a5dbac741dc89d8
Stable commit - cb595cb0a1e8e07213337f063cd39a3e80fc43a0

@ -0,0 +1,3 @@
CVE-2020-12653 - Already patched in 5.4.51 stable kernel
Upstream commit - b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d
Stable commit - 3c822e1f31186767d6b7261c3c066f01907ecfca

@ -0,0 +1,3 @@
CVE-2020-12654 - Already patched in 5.4.51 stable kernel
Upstream commit - 3a9b153c5591548612c3955c9600a98150c81875
Stable commit - c5b071e3f44d1125694ad4dcf1234fb9a78d0be6

@ -0,0 +1,3 @@
CVE-2020-12657 - Already patched in 5.4.51 stable kernel
Upstream commit - 2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9
Stable commit - b2ae36d220eddd88f9a1264176e3104d988f72fe

@ -0,0 +1,3 @@
CVE-2020-24394 - Already patched in 5.4.51 stable kernel
Upstream commit - 22cf8419f1319ff87ec759d0ebdff4cbafaee832
Stable commit - c506f985d8d151383559c0760bb1ef7466e218d4

@ -0,0 +1,3 @@
CVE-2020-8428 - Already patched in 5.4.51 stable kernel
Upstream commit - d0cb50185ae942b03c4327be322055d622dc79f6
Stable commit - 454759886d0b463213fad0f1c733469e2c501ab9

@ -974,6 +974,7 @@ CONFIG_UNIX_SCM=y
CONFIG_UNIX_DIAG=m
# CONFIG_TLS is not set
CONFIG_XFRM=y
CONFIG_XFRM_OFFLOAD=y
CONFIG_XFRM_ALGO=m
CONFIG_XFRM_USER=m
# CONFIG_XFRM_INTERFACE is not set
@ -1013,7 +1014,7 @@ CONFIG_NET_UDP_TUNNEL=m
# CONFIG_NET_FOU_IP_TUNNELS is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
# CONFIG_INET_ESP_OFFLOAD is not set
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
@ -1045,7 +1046,7 @@ CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
# CONFIG_INET6_ESP_OFFLOAD is not set
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MIP6=m
# CONFIG_IPV6_ILA is not set
@ -1546,7 +1547,7 @@ CONFIG_NET_MPLS_GSO=m
# CONFIG_MPLS_ROUTING is not set
CONFIG_NET_NSH=m
# CONFIG_HSR is not set
# CONFIG_NET_SWITCHDEV is not set
CONFIG_NET_SWITCHDEV=y
CONFIG_NET_L3_MASTER_DEV=y
# CONFIG_NET_NCSI is not set
CONFIG_RPS=y
@ -2424,7 +2425,9 @@ CONFIG_IXGBE=m
CONFIG_IXGBE_HWMON=y
CONFIG_IXGBE_DCA=y
CONFIG_IXGBE_DCB=y
CONFIG_IXGBE_IPSEC=y
CONFIG_IXGBEVF=m
CONFIG_IXGBEVF_IPSEC=y
CONFIG_I40E=m
CONFIG_I40E_DCB=y
CONFIG_IAVF=m
@ -2447,15 +2450,29 @@ CONFIG_MLX4_CORE=m
CONFIG_MLX4_DEBUG=y
# CONFIG_MLX4_CORE_GEN2 is not set
CONFIG_MLX5_CORE=m
# CONFIG_MLX5_FPGA is not set
CONFIG_MLX5_ACCEL=y
CONFIG_MLX5_FPGA=y
CONFIG_MLX5_CORE_EN=y
CONFIG_MLX5_EN_ARFS=y
CONFIG_MLX5_EN_RXNFC=y
CONFIG_MLX5_MPFS=y
CONFIG_MLX5_ESWITCH=y
CONFIG_MLX5_CORE_EN_DCB=y
CONFIG_MLX5_CORE_IPOIB=y
# CONFIG_MLXSW_CORE is not set
# CONFIG_MLXFW is not set
CONFIG_MLX5_FPGA_IPSEC=y
CONFIG_MLX5_EN_IPSEC=y
CONFIG_MLX5_SW_STEERING=y
CONFIG_MLXSW_CORE=m
CONFIG_MLXSW_CORE_HWMON=y
CONFIG_MLXSW_CORE_THERMAL=y
CONFIG_MLXSW_PCI=m
CONFIG_MLXSW_I2C=m
CONFIG_MLXSW_SWITCHIB=m
CONFIG_MLXSW_SWITCHX2=m
CONFIG_MLXSW_SPECTRUM=m
CONFIG_MLXSW_SPECTRUM_DCB=y
CONFIG_MLXSW_MINIMAL=m
CONFIG_MLXFW=m
# CONFIG_NET_VENDOR_MICREL is not set
CONFIG_NET_VENDOR_MICROCHIP=y
# CONFIG_LAN743X is not set
@ -2496,6 +2513,7 @@ CONFIG_8139TOO_8129=y
CONFIG_R8169=m
CONFIG_NET_VENDOR_RENESAS=y
CONFIG_NET_VENDOR_ROCKER=y
CONFIG_ROCKER=m
CONFIG_NET_VENDOR_SAMSUNG=y
# CONFIG_SXGBE_ETH is not set
# CONFIG_NET_VENDOR_SEEQ is not set
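Review bot: `CONFIG_ROCKER=m` is not covered by any reason given in this change: the kernel.spec changelog entries mention Mellanox, QAT and IMA configs only. If the Rocker switch driver is not needed by a supported platform, leave it unset so the shipped module set stays limited to drivers with a stated purpose; otherwise add it to the changelog entry.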
@ -2957,7 +2975,7 @@ CONFIG_IPMI_SI=m
# CONFIG_IPMI_SSIF is not set
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_HW_RANDOM=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
@ -2972,10 +2990,10 @@ CONFIG_HPET=y
CONFIG_HPET_MMAP=y
CONFIG_HPET_MMAP_DEFAULT=y
CONFIG_HANGCHECK_TIMER=m
CONFIG_TCG_TPM=m
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS=m
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
CONFIG_TCG_TIS_I2C_NUVOTON=m
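Review bot: The I2C TPM drivers visible in this hunk (`CONFIG_TCG_TIS_I2C_ATMEL`, `CONFIG_TCG_TIS_I2C_INFINEON`, `CONFIG_TCG_TIS_I2C_NUVOTON`) stay `=m` while `CONFIG_TCG_TPM`, `CONFIG_TCG_TIS_CORE` and `CONFIG_TCG_TIS` become built-in. With `CONFIG_IMA=y` from this same change, IMA looks for a TPM during kernel initialisation, before modules are loaded, so on hardware whose TPM is reachable only through a modular driver the measurements would not be extended into PCR 10. Please note in the changelog which TPM interfaces are supported for IMA, or make the remaining drivers built-in too.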
@ -2983,7 +3001,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_XEN=m
CONFIG_TCG_CRB=m
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TELCLOCK is not set
@ -5141,7 +5159,7 @@ CONFIG_MXM_WMI=m
# CONFIG_INTEL_PMC_IPC is not set
# CONFIG_SURFACE_PRO3_BUTTON is not set
CONFIG_INTEL_PUNIT_IPC=m
# CONFIG_MLX_PLATFORM is not set
CONFIG_MLX_PLATFORM=m
# CONFIG_INTEL_TURBO_MAX_3 is not set
# CONFIG_I2C_MULTI_INSTANTIATE is not set
# CONFIG_INTEL_ATOMISP2_PM is not set
@ -6027,7 +6045,22 @@ CONFIG_SECURITY_SAFESETID=y
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
# CONFIG_IMA_NG_TEMPLATE is not set
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_APPRAISE is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_EVM is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
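Review bot: `CONFIG_IMA_WRITE_POLICY=y` in this block allows the IMA policy to be written more than once at runtime, and with `# CONFIG_IMA_APPRAISE is not set` and `# CONFIG_INTEGRITY_SIGNATURE is not set` a loaded policy file cannot be required to carry a valid signature. Please document which component is expected to write the policy, and consider leaving `CONFIG_IMA_WRITE_POLICY` unset if a single policy load at boot is enough for the measurement-only use described in the changelog.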
@ -6106,7 +6139,7 @@ CONFIG_CRYPTO_ENGINE=m
# Public-key cryptography
#
CONFIG_CRYPTO_RSA=y
# CONFIG_CRYPTO_DH is not set
CONFIG_CRYPTO_DH=m
CONFIG_CRYPTO_ECC=m
CONFIG_CRYPTO_ECDH=m
# CONFIG_CRYPTO_ECRDSA is not set
@ -6144,7 +6177,7 @@ CONFIG_CRYPTO_ESSIV=m
# Hash modes
#
CONFIG_CRYPTO_CMAC=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set
# CONFIG_CRYPTO_VMAC is not set
@ -6253,12 +6286,13 @@ CONFIG_CRYPTO_HW=y
# CONFIG_CRYPTO_DEV_ATMEL_ECC is not set
# CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set
# CONFIG_CRYPTO_DEV_CCP is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set
# CONFIG_CRYPTO_DEV_QAT_C62X is not set
# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set
# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set
# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set
CONFIG_CRYPTO_DEV_QAT=m
CONFIG_CRYPTO_DEV_QAT_DH895xCC=m
CONFIG_CRYPTO_DEV_QAT_C3XXX=m
CONFIG_CRYPTO_DEV_QAT_C62X=m
CONFIG_CRYPTO_DEV_QAT_DH895xCCVF=m
CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m
CONFIG_CRYPTO_DEV_QAT_C62XVF=m
# CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set
# CONFIG_CRYPTO_DEV_CHELSIO is not set
CONFIG_CRYPTO_DEV_VIRTIO=m
@ -6393,6 +6427,8 @@ CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y
CONFIG_ARCH_HAS_UACCESS_MCSAFE=y
CONFIG_ARCH_STACKWALK=y
CONFIG_SBITMAP=y
CONFIG_PARMAN=m
CONFIG_OBJAGG=m
# CONFIG_STRING_SELFTEST is not set
# end of Library routines
@ -6613,6 +6649,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
# CONFIG_TEST_RHASHTABLE is not set
# CONFIG_TEST_HASH is not set
# CONFIG_TEST_IDA is not set
# CONFIG_TEST_PARMAN is not set
# CONFIG_TEST_LKM is not set
# CONFIG_TEST_VMALLOC is not set
# CONFIG_TEST_USER_COPY is not set
@ -6625,6 +6662,7 @@ CONFIG_RUNTIME_TESTING_MENU=y
# CONFIG_TEST_STATIC_KEYS is not set
# CONFIG_TEST_KMOD is not set
# CONFIG_TEST_MEMCAT_P is not set
# CONFIG_TEST_OBJAGG is not set
# CONFIG_TEST_STACKINIT is not set
# CONFIG_TEST_MEMINIT is not set
CONFIG_MEMTEST=y

@ -2879,7 +2879,7 @@ CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
# CONFIG_IPMB_DEVICE_INTERFACE is not set
CONFIG_HW_RANDOM=m
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_BCM2835=m
CONFIG_HW_RANDOM_IPROC_RNG200=m
@ -2894,10 +2894,10 @@ CONFIG_HW_RANDOM_CAVIUM=m
# CONFIG_APPLICOM is not set
CONFIG_RAW_DRIVER=m
CONFIG_MAX_RAW_DEVS=8192
CONFIG_TCG_TPM=m
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
CONFIG_TCG_TIS_CORE=m
CONFIG_TCG_TIS=m
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
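Review bot: `CONFIG_TCG_TIS_SPI=m` is left as a module in the aarch64 config while `CONFIG_TCG_TIS_CORE` and `CONFIG_TCG_TIS` are switched to `=y`. If any supported aarch64 target attaches its TPM over SPI, the driver will load after the built-in IMA from this change has already started, so please either make `CONFIG_TCG_TIS_SPI` built-in as well or state that only the TIS and CRB interfaces are supported for measurement.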
@ -2905,7 +2905,7 @@ CONFIG_TCG_TIS_I2C_NUVOTON=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_XEN=m
# CONFIG_TCG_CRB is not set
CONFIG_TCG_CRB=y
# CONFIG_TCG_VTPM_PROXY is not set
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
@ -6290,7 +6290,23 @@ CONFIG_SECURITY_SAFESETID=y
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
CONFIG_IMA=y
# CONFIG_IMA_KEXEC is not set
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_TEMPLATE is not set
# CONFIG_IMA_NG_TEMPLATE is not set
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
CONFIG_IMA_DEFAULT_HASH="sha256"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_APPRAISE is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_EVM is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
@ -6399,7 +6415,7 @@ CONFIG_CRYPTO_ESSIV=m
# Hash modes
#
CONFIG_CRYPTO_CMAC=m
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set
# CONFIG_CRYPTO_VMAC is not set
@ -6420,8 +6436,8 @@ CONFIG_CRYPTO_MD5=y
# CONFIG_CRYPTO_RMD256 is not set
# CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_LIB_SHA256=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_LIB_SHA256=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
# CONFIG_CRYPTO_SHA3 is not set
# CONFIG_CRYPTO_SM3 is not set

@ -1,7 +1,7 @@
{
"Signatures": {
"config": "cb99faaac82f05b84539e4b99633b5a444de5b2db01ed37946afa0360d1f94f0",
"config_aarch64": "98bcf0f9c9fa02e11ad255ae352461b8ef7d53daf02c707a8a9b53f9bfb32db3",
"config": "b8c9e2a875e4e6655fdbeb626088529fd1cef401b8f67a481fc301d2a3a026c5",
"config_aarch64": "3057cf5c5f04b57c4d69f9783d4809de217fb46a4278694c19f6c3ffd81249c5",
"linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7"
}
}

@ -2,7 +2,7 @@
Summary: Linux Kernel
Name: kernel
Version: 5.4.51
Release: 6%{?dist}
Release: 12%{?dist}
License: GPLv2
URL: https://github.com/microsoft/WSL2-Linux-Kernel
Group: System Environment/Kernel
@ -35,6 +35,14 @@ Patch1011: CVE-2020-8648.nopatch
Patch1012: CVE-2020-8649.nopatch
Patch1013: CVE-2020-9383.nopatch
Patch1014: CVE-2020-11725.nopatch
Patch1015: CVE-2020-10757.nopatch
Patch1016: CVE-2020-12653.nopatch
Patch1017: CVE-2020-12657.nopatch
Patch1018: CVE-2010-3865.nopatch
Patch1019: CVE-2020-11668.nopatch
Patch1020: CVE-2020-12654.nopatch
Patch1021: CVE-2020-24394.nopatch
Patch1022: CVE-2020-8428.nopatch
BuildRequires: bc
BuildRequires: diffutils
@ -264,7 +272,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
%postun
if [ ! -e /boot/mariner.cfg ]
then
if [ `ls /boot/linux-*.cfg 1> /dev/null 2>&1` ]
ls /boot/linux-*.cfg 1> /dev/null 2>&1
if [ $? -eq 0 ]
then
list=`ls -tu /boot/linux-*.cfg | head -n1`
test -n "$list" && ln -sf "$list" /boot/mariner.cfg
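Review bot: `ls -tu /boot/linux-*.cfg | head -n1` in this `%postun` block selects the config file with the most recent access time (`-u`), which is not necessarily the newest remaining kernel and may not be meaningful on filesystems mounted with `noatime`. If the intent is to fall back to the latest installed kernel, sort by modification time or by version instead, and say which in a comment.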
@ -337,8 +346,21 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_libdir}/perf/include/bpf/*
%changelog
* Thu Sep 24 2020 Emre Girgin <mrgirgin@microsoft.cpm> 5.4.51-6
* Fri Oct 16 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-12
- Enable QAT kernel configs
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-11
- Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865,
- CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428
* Fri Oct 02 2020 Chris Co <chrco@microsoft.com> 5.4.51-10
- Fix aarch64 build error
* Wed Sep 30 2020 Emre Girgin <mrgirgin@microsoft.com> 5.4.51-9
- Update postun script to deal with removal in case of another installed kernel.
* Fri Sep 25 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 5.4.51-8
- Enable Mellanox kernel configs
* Thu Sep 24 2020 Emre Girgin <mrgirgin@microsoft.cpm> 5.4.51-7
- Replace the misuse of the 'archdir' and `arch` shell variables.
* Wed Sep 23 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-6
- Enable CONFIG_IMA (measurement only) and associated configs
* Thu Sep 03 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.4.51-5
- Add code to check for missing config flags in the checked in configs
* Thu Sep 03 2020 Chris Co <chrco@microsoft.com> 5.4.51-4
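Review bot: The renumbered entry `* Thu Sep 24 2020 Emre Girgin <mrgirgin@microsoft.cpm> 5.4.51-7` keeps the `microsoft.cpm` typo from the line it replaces, while the same author's 5.4.51-9 entry uses `microsoft.com`. Please correct the address while this line is being touched.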

@ -12,6 +12,7 @@ Requires: openssl
Requires: e2fsprogs-libs
BuildRequires: openssl-devel
BuildRequires: e2fsprogs-devel
Provides: pkgconfig(mit-krb5)
Provides: pkgconfig(mit-krb5-gssapi)
%description

@ -4,7 +4,7 @@
Summary: POSIX capability Library
Name: libcap-ng
Version: 0.7.9
Release: 2%{?dist}
Release: 3%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
URL: http://people.redhat.com/sgrubb/libcap-ng
@ -61,8 +61,7 @@ make DESTDIR=%{buildroot} install
find %{buildroot} -name '*.la' -delete
%check
chown -Rv nobody .
sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
make check
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
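Review bot: `%check` now runs plain `make check` where it previously ran `make -k check` as `nobody` through `sudo -u nobody`, and the changelog only says "Fix check test". For a capability-handling library the privilege level the tests run at affects what they exercise, so please record in the changelog or in a spec comment why the unprivileged run was removed and whether any tests are skipped or behave differently as a result.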
@ -90,6 +89,8 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
%{_libdir}/*.a
%changelog
* Mon Oct 19 2020 Andrew Phelps <anphel@microsoft.com> 0.7.9-3
- Fix check test
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 0.7.9-2
- Initial CBL-Mariner import from Photon (license: Apache2).
- Added %%license line automatically

@ -1,14 +1,15 @@
Summary: String handling essentials library
Name: libestr
Version: 0.1.10
Release: 4%{?dist}
Release: 5%{?dist}
License: LGPLv2+
URL: http://libestr.adiscon.com/
Source0: http://libestr.adiscon.com/files/download/%{name}-%{version}.tar.gz
%define sha1 libestr=35cc717f5ae737a28140dd1472e13ce2ec317c6c
Group: System Environment/Base
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Base
URL: https://libestr.adiscon.com/
Source0: http://%{name}.adiscon.com/files/download/%{name}-%{version}.tar.gz
BuildRequires: gcc
%description
This package compiles the string handling essentials library
used by the Rsyslog daemon.
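Review bot: `Source0` still fetches over plain `http://` (`http://%{name}.adiscon.com/files/download/...`) although `URL` on the line above it was moved to `https://libestr.adiscon.com/`. The `%define sha1` line also appears in this hunk and the changelog says it is removed, so please switch `Source0` to `https://` and confirm that the tarball has a SHA-256 entry in the package's signatures file.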
@ -23,33 +24,45 @@ developing applications that use libestr.
%prep
%setup -q
%build
./configure \
--prefix=%{_prefix}
%configure
make %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install
find %{buildroot} -type f -name "*.la" -delete -print
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license COPYING
%{_libdir}/*.so.*
%{_libdir}/*.a
%{_libdir}/*.la
%files devel
%defattr(-,root,root)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%changelog
* Sat May 09 00:21:00 PST 2020 Nick Samson <nisamson@microsoft.com> - 0.1.10-4
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 0.1.10-5
- Remove %%sha1 line
- Lint to Mariner style
- Remove *.la files
- License verified.
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 0.1.10-4
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 0.1.10-3
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 0.1.10-3
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.1.10-2
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 0.1.10-2
- GA - Bump release of all rpms
* Wed Jun 17 2015 Divya Thaluru <dthaluru@vmware.com> 0.1.10-1
* Wed Jun 17 2015 Divya Thaluru <dthaluru@vmware.com> - 0.1.10-1
- Initial build. First version

@ -1,13 +1,13 @@
Summary: A portable, high level programming interface to various calling conventions
Name: libffi
Version: 3.2.1
Release: 10%{?dist}
Release: 12%{?dist}
License: BSD
URL: http://sourceware.org/libffi/
Group: System Environment/GeneralLibraries
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: ftp://sourceware.org/pub/libffi/%{name}-%{version}.tar.gz
Source0: https://gcc.gnu.org/pub/libffi/%{name}-%{version}.tar.gz
Provides: pkgconfig(libffi)
#%if %{with_check}
#BuildRequires: dejagnu
@ -29,17 +29,18 @@ It contains the libraries and header files to create applications
%build
sed -e '/^includesdir/ s:$(libdir)/@PACKAGE_NAME@-@PACKAGE_VERSION@/include:$(includedir):' \
-i include/Makefile.in &&
-i include/Makefile.in
# Fix .so files getting placed in $(libdir)/../lib64/
sed -e 's:$(DESTDIR)$(toolexeclibdir):$(DESTDIR)$(libdir):g' \
-i Makefile.in
sed -e '/^includedir/ s:${libdir}/@PACKAGE_NAME@-@PACKAGE_VERSION@/include:@includedir@:' \
-e 's/^Cflags: -I${includedir}/Cflags:/' \
-i libffi.pc.in &&
./configure \
CFLAGS="%{optflags}" \
CXXFLAGS="%{optflags}" \
--prefix=%{_prefix} \
--bindir=%{_bindir} \
--libdir=%{_libdir} \
-i libffi.pc.in
%configure \
--disable-static
make %{?_smp_mflags}
%install
[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
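Review bot: The context line `[ %{buildroot} != "/"] && rm -rf %{buildroot}/*` at the top of `%install` is missing the space before `]`, so `[` fails with a missing-bracket error and the `rm -rf` is never reached. Since this change already rewrites the lines directly above it, fix the test to `[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}/*` in the same edit.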
@ -76,6 +77,11 @@ rm -rf %{buildroot}/*
%{_mandir}/man3/*
%changelog
* Thu Oct 15 2020 Andrew Phelps <anphel@microsoft.com> 3.2.1-12
- Update Source0 to use more reliable https URL instead of ftp
* Fri Sep 18 2020 Mateusz Malisz <mamalisz@microsoft.com> 3.2.1-11
- Fix normal libffi build by replacing destination for .so files from $(toolexeclibdir) to $(libdir)
- Replace ./configure and manual options with %%configure macro
* Tue Jul 07 2020 Henry Beberman <henry.beberman@microsoft.com> 3.2.1-10
- Comment out dejagnu dependency and check to prevent a rebuild.
* Wed May 13 2020 Nick Samson <nisamson@microsoft.com> 3.2.1-9

@ -0,0 +1,5 @@
{
"Signatures": {
"liblogging-1.0.6.tar.gz": "338c6174e5c8652eaa34f956be3451f7491a4416ab489aef63151f802b00bf93"
}
}

@ -0,0 +1,78 @@
Summary: Logging Libraries
Name: liblogging
Version: 1.0.6
Release: 3%{?dist}
License: BSD
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Libraries
URL: http://www.liblogging.org/
Source0: https://download.rsyslog.com/%{name}/%{name}-%{version}.tar.gz
BuildRequires: gcc
%description
liblogging (the upstream project) is a collection of several components.
Namely: stdlog, journalemu, rfc3195.
The stdlog component of liblogging can be viewed as an enhanced version of the
syslog(3) API. It retains the easy semantics, but makes the API more
sophisticated "behind the scenes" with better support for multiple threads
and flexibility for different log destinations (e.g. syslog and systemd
journal).
%package devel
Summary: Development libraries and header files for liblogging
Requires: liblogging
%description devel
The package contains libraries and header files for
developing applications that use liblogging.
%prep
%setup -q
%build
%configure --disable-journal
make %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install
find %{buildroot} -type f -name "*.la" -delete -print
%check
make %{?_smp_mflags} check
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license COPYING
%{_bindir}/*
%{_libdir}/*.so.*
%{_mandir}/man1/*
%{_mandir}/man3/*
%{_libdir}/*.a
%files devel
%defattr(-,root,root)
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/liblogging/*.h
%changelog
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 1.0.6-3
- Remove .la files
- Lint to Mariner style
- License verified, %%license added
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 1.0.6-2
- Initial CBL-Mariner import from Photon (license: Apache2).
* Tue Apr 11 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> - 1.0.6-1
- Updated to version 1.0.6
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 1.0.5-2
- GA - Bump release of all rpms
* Wed Jun 17 2015 Divya Thaluru <dthaluru@vmware.com> - 1.0.5-1
- Initial build. First version
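Review bot: The devel subpackage declares `Requires: liblogging` with no version, so it can be installed against a mismatched runtime library; `Requires: %{name} = %{version}-%{release}` is the form the jsonbuilder and lttng-consume specs use in this change. The main `%files` list also ships `%{_libdir}/*.a`: static archives belong in the devel subpackage, or can be left out by passing `--disable-static` to `%configure` as the libffi spec in this change does.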

@ -0,0 +1,5 @@
{
"Signatures": {
"libxml++-3.2.0.tar.xz": "b786fae7fd7820d356698069a787d107995c3efcbef50d8f4efd3766ab768e4f"
}
}

@ -0,0 +1,73 @@
Summary: libxml++
Name: libxml++
Version: 3.2.0
Release: 3%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
URL: http://libxmlplusplus.sourceforge.net/
Source0: https://ftp.gnome.org/pub/GNOME/sources/%{name}/3.2/%{name}-%{version}.tar.xz
BuildRequires: glibmm24-devel
BuildRequires: libxml2-devel
BuildRequires: mm-common
BuildRequires: pkg-config
Requires: glibmm24
Requires: libxml2
%description
This library provides a C++ interface to XML files. It uses libxml2 to access
the XML files, and in order to configure libxml++ you must have both libxml2 and
pkg-config installed.
%package doc
Summary: Documentation for %{name}
Group: Documentation/Other
Requires: %{name} = %{version}
%description doc
Documentation for %{name}
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
This library provides a C++ interface to XML files.
%prep
%setup -q
%build
./autogen.sh
%configure
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
find %{buildroot} -type f -name "*.la" -delete -print
%files
%license COPYING
%doc README
%{_libdir}/*.so.*
%files devel
%{_includedir}/*
%{_libdir}/libxml++-3.0/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*
%files doc
%{_docdir}/*
%{_datadir}/devhelp/*
%changelog
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 3.2.0-3
- Remove .la files
- License verified
* Fri Jun 05 2020 Jonathan Chiu <jochi@microsoft.com> - 3.2.0-2
- Update dependency names
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> - 3.2.0-1
- Original version for CBL-Mariner
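Review bot: The main package installs `%{_libdir}/*.so.*` but the spec has no `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` scriptlets, which the jsonbuilder, liblogging and lttng-consume specs added in this change all carry. Please add them so the linker cache is refreshed on install and removal. The `doc` and `devel` subpackages also require `%{name} = %{version}` without `%{release}`.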

@ -0,0 +1,5 @@
{
"Signatures": {
"lttng-consume-0.2.tar.gz": "c2d56990a28b59439e8bb14be2e342e285c1a3b66b20a21e96271ed886bdfeaa"
}
}

@ -0,0 +1,70 @@
Summary: Modern C++ library for realtime consumption of LTTNG events
Name: lttng-consume
Version: 0.2
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment
URL: https://github.com/microsoft/lttng-consume
#Source0: https://github.com/microsoft/%{name}/archive/v%{version}.tar.gz
Source0: lttng-consume-%{version}.tar.gz
BuildRequires: catch-devel
BuildRequires: cmake
BuildRequires: gcc
BuildRequires: jsonbuilder-devel
BuildRequires: libbabeltrace2-devel
# 'lttng' tool needed for tests to run
BuildRequires: lttng-tools
BuildRequires: lttng-ust-devel
BuildRequires: tracelogging-devel
%description
The lttng-consume project produces JsonBuilder structures from a realtime
LTTNG session.
%package devel
Summary: Development files for lttng-consume
Group: System Environment/Libraries
Requires: lttng-consume = %{version}-%{release}
%description devel
This package contains the headers and symlinks for applications and libraries to
use lttng-consume.
%prep
%setup -q
%build
mkdir build && cd build
%cmake ..
%make_build
%install
%make_install -C build
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-,root,root)
%doc README.md
%license LICENSE
%{_libdir}/liblttng-consume.so.*
%files devel
%defattr(-,root,root)
%{_libdir}/liblttng-consume.so
%{_libdir}/cmake/lttng-consume
%{_includedir}/lttng-consume
%changelog
* Wed Oct 07 2020 Thomas Crain <thcrain@microsoft.com> - 0.2-3
- Add #Source0 URL
- Verified License field and %%license macro
* Tue Apr 07 2020 Daniel McIlvaney <damcilva@microsoft.com> - 0.2-2
- Require lttng-ust packages.
* Wed Feb 12 2020 Nick Bopp <nichbop@microsoft.com> - 0.2-1
- Original version for CBL-Mariner.
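Review bot: The comment "'lttng' tool needed for tests to run" justifies `BuildRequires: lttng-tools`, but the spec has no `%check` section, so the tests are never run during the package build. Either add a `%check` that runs them (the jsonbuilder spec in this change uses `make test -C build`) or drop the test-only build dependencies, which would then include `catch-devel` if it is used only by the tests.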

@ -0,0 +1,34 @@
From 6298903e35217ab69c279056f925fb72900ce0b7 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Mon, 6 Jul 2020 12:11:54 -0300
Subject: [PATCH] Keep minimum size when shrinking a stack
When shrinking a stack (during GC), do not make it smaller than the
initial stack size.
---
src/ldo.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ldo.c b/ldo.c
index c563b1d9..a89ac010 100644
--- a/src/ldo.c
+++ b/src/ldo.c
@@ -220,7 +220,7 @@ static int stackinuse (lua_State *L) {
void luaD_shrinkstack (lua_State *L) {
int inuse = stackinuse(L);
- int goodsize = inuse + (inuse / 8) + 2*EXTRA_STACK;
+ int goodsize = inuse + BASIC_STACK_SIZE;
if (goodsize > LUAI_MAXSTACK)
goodsize = LUAI_MAXSTACK; /* respect stack limit */
if (L->stacksize > LUAI_MAXSTACK) /* had been handling stack overflow? */
@@ -229,8 +229,7 @@ void luaD_shrinkstack (lua_State *L) {
luaE_shrinkCI(L); /* shrink list */
/* if thread is currently not handling a stack overflow and its
good size is smaller than current size, shrink its stack */
- if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) &&
- goodsize < L->stacksize)
+ if (inuse <= (LUAI_MAXSTACK - EXTRA_STACK) && goodsize < L->stacksize)
luaD_reallocstack(L, goodsize);
else /* don't change stack */
condmovestack(L,{},{}); /* (change only for debugging) */
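Review bot: This file carries only upstream commit 6298903e35217ab69c279056f925fb72900ce0b7, while the lua.spec comment for `Patch6` lists that commit together with eb41999461b6f428186c55abd95f4ce1a76217d5 as the upstream patches for CVE-2020-15888. Please add a short note at the top of the patch saying why the second commit is not needed for 5.3.5, or include it. The header should also mention that paths were adjusted for the tarball layout, since the `diff --git a/ldo.c b/ldo.c` line disagrees with the `--- a/src/ldo.c` and `+++ b/src/ldo.c` lines below it.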

@ -0,0 +1,3 @@
# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
# NOTE: Patches needed if updating to 5.4:
# - 127e7a6c8942b362aa3c6627f44d660a4fb75312

@ -0,0 +1,3 @@
# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit)
# NOTE: Patches needed if updating to 5.4:
# - 34affe7a63fc5d842580a9f23616d057e17dfe27

@ -0,0 +1,61 @@
Submitted By: Igor Živković <contact@igor-zivkovic.from.hr>
Date: 2013-06-19
Initial Package Version: 5.2.2
Upstream Status: Rejected
Origin: Arch Linux packages repository
Description: Adds the compilation of a shared library.
diff -Naur lua-5.3.0.orig/Makefile lua-5.3.0/Makefile
--- lua-5.3.0.orig/Makefile 2014-10-30 00:14:41.000000000 +0100
+++ lua-5.3.0/Makefile 2015-01-19 22:14:09.822290828 +0100
@@ -52,7 +52,7 @@
all: $(PLAT)
$(PLATS) clean:
- cd src && $(MAKE) $@
+ cd src && $(MAKE) $@ V=$(V) R=$(R)
test: dummy
src/lua -v
diff -Naur lua-5.3.0.orig/src/Makefile lua-5.3.0/src/Makefile
--- lua-5.3.0.orig/src/Makefile 2015-01-05 17:04:52.000000000 +0100
+++ lua-5.3.0/src/Makefile 2015-01-19 22:14:52.559378543 +0100
@@ -7,7 +7,7 @@
PLAT= none
CC= gcc -std=gnu99
-CFLAGS= -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS)
+CFLAGS= -fPIC -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS)
LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS)
LIBS= -lm $(SYSLIBS) $(MYLIBS)
@@ -29,6 +29,7 @@
PLATS= aix bsd c89 freebsd generic linux macosx mingw posix solaris
LUA_A= liblua.a
+LUA_SO= liblua.so
CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \
lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \
ltm.o lundump.o lvm.o lzio.o
@@ -43,7 +44,7 @@
LUAC_O= luac.o
ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O)
-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T)
+ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO)
ALL_A= $(LUA_A)
# Targets start here.
@@ -59,6 +60,12 @@
$(AR) $@ $(BASE_O)
$(RANLIB) $@
+$(LUA_SO): $(CORE_O) $(LIB_O)
+ $(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS)
+ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V)
+ ln -sf $(LUA_SO).$(R) $(LUA_SO)
+
+
$(LUA_T): $(LUA_O) $(LUA_A)
$(CC) -o $@ $(LDFLAGS) $(LUA_O) $(LUA_A) $(LIBS)
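Review bot: The new `$(LUA_SO)` rule links with `$?`, which make expands to only the prerequisites newer than the target, so a rebuild after touching a single source can produce a `liblua.so` built from just that object. Use `$^` so that every object in `$(CORE_O) $(LIB_O)` is always linked. `-ldl` is also placed before the objects on the link line; moving it after them, next to `-lm`, avoids it being discarded when the linker is run with `--as-needed`.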

@ -8,14 +8,14 @@
Name: lua
Version: %{major_version}.5
Release: 9%{?dist}
Release: 11%{?dist}
Summary: Powerful light-weight programming language
License: MIT
URL: https://www.lua.org/
Group: Development/Tools
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: http://www.lua.org/ftp/lua-%{version}.tar.gz
Source0: https://www.lua.org/ftp/%{name}-%{version}.tar.gz
# copied from doc/readme.html on 2014-07-18
Source1: mit.txt
Source2: http://www.lua.org/tests/lua-%{test_version}-tests.tar.gz
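Review bot: `Source0` moves to https in this hunk, but `Source2` in the same header still fetches the test tarball from `http://www.lua.org/tests/`; switch it to https as well so both downloads use the same transport.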
@ -23,12 +23,27 @@ Source2: http://www.lua.org/tests/lua-%{test_version}-tests.tar.gz
Source3: luaconf.h
# rpm-macro
Source1000: macros.lua
Patch0: %{name}-5.3.0-autotoolize.patch
Patch1: %{name}-5.3.0-idsize.patch
Patch2: %{name}-5.2.2-configure-linux.patch
Patch3: %{name}-5.3.0-configure-compat-module.patch
# Fixes CVE-2019-6706
# From http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tt7685575.html
Patch4: CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
Patch5: lua-5.3.4-shared_library-1.patch
# CVE-2020-15888 patch taken from Open Embedded's Lua meta layer https://github.com/openembedded/meta-openembedded/blob/master/meta-oe/recipes-devtools/lua/lua/CVE-2020-15888.patch
# NOTE: Upstream patches needed if updating to 5.4:
# - eb41999461b6f428186c55abd95f4ce1a76217d5
# - 6298903e35217ab69c279056f925fb72900ce0b7
Patch6: CVE-2020-15888.patch
# CVE-2020-15889 is in the Lua generational garbage collection code, which is new to 5.4.0. 5.3.5 is not affected.
# NOTE: Patches needed if updating to 5.4:
# - 127e7a6c8942b362aa3c6627f44d660a4fb75312
Patch7: CVE-2020-15889.nopatch
# CVE-2020-24342 appears to not affect 5.3.5 (no repro of exploit)
# NOTE: Patches needed if updating to 5.4:
# - 34affe7a63fc5d842580a9f23616d057e17dfe27
Patch8: CVE-2020-24342.nopatch
BuildRequires: automake autoconf libtool readline-devel ncurses-devel
Requires: lua-libs = %{version}-%{release}
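Review bot: The justification on `Patch8: CVE-2020-24342.nopatch` is "appears to not affect 5.3.5 (no repro of exploit)", which is weaker than the reasoning given for CVE-2020-15889 just above it (the affected code is new in 5.4.0). A proof of concept that fails to reproduce does not show the vulnerable code path is absent; record whether the code touched by upstream commit 34affe7a63fc5d842580a9f23616d057e17dfe27 exists in 5.3.5, or carry a backport. `Patch5: lua-5.3.4-shared_library-1.patch` also has no comment giving its origin, unlike the CVE patches around it.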
@ -75,6 +90,9 @@ mv src/luaconf.h src/luaconf.h.template.in
%patch2 -p1 -z .configure-linux
%patch3 -p1 -z .configure-compat-all
%patch4 -p1 -b .CVE-2019-6706
%patch5 -p1
%patch6 -p1
sed -i 's/CFLAGS= -fPIC -O2 /CFLAGS+= -fPIC -O2 -DLUA_COMPAT_MODULE /' src/Makefile
# Put proper version in configure.ac, patch0 hardcodes 5.3.0
sed -i 's|5.3.0|%{version}|g' configure.ac
autoreconf -ifv
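Review bot: The new `sed -i 's/CFLAGS= -fPIC -O2 /CFLAGS+= -fPIC -O2 -DLUA_COMPAT_MODULE /' src/Makefile` matches only the exact string that patch5 writes into `src/Makefile`. If that patch is refreshed or the flag order changes, sed exits 0 without substituting and the build silently loses `-DLUA_COMPAT_MODULE`. Either fold the flag into the patch or follow the sed with a `grep -q` for the expected line so %prep fails when nothing matched. The switch from `CFLAGS=` to `CFLAGS+=` is also unexplained and deserves a comment.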
@ -152,6 +170,13 @@ install -Dpm 0644 %{SOURCE1000} $RPM_BUILD_ROOT/%{macrosdir}/macros.lua
%changelog
* Thu Oct 01 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.3.5-11
- Nopatch CVE-2020-24342
- Apply patch for CVE-2020-15888 from Open Embedded
* Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 5.3.5-10
- Nopatch CVE-2020-15889 since it only affects 5.4.0
* Mon Sep 28 2020 Joe Schmitt <joschmit@microsoft.com> - 5.3.5-9
- Update URL to https.
- License verified.
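Review bot: The 5.3.5-11 and 5.3.5-10 entries list only the CVE items; neither mentions the shared library patch (`%patch5`) or the new `sed` on `src/Makefile` that this change adds to %prep, both of which alter what the package builds. Add a line for them. The new entries also drop the ` - ` separator between address and version that the 5.3.5-9 entry uses.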


@ -1,14 +1,13 @@
Summary: Program for compiling packages
Name: make
Version: 4.2.1
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv3+
URL: http://www.gnu.org/software/make
Group: Development/Tools
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: http://ftp.gnu.org/gnu/make/%{name}-%{version}.tar.bz2
%define sha1 make=7d9d11eb36cfb752da1fb11bb3e521d2a3cc8830
%description
The Make package contains a program for compiling packages.
@ -31,6 +30,7 @@ rm -rf %{buildroot}%{_infodir}
%find_lang %{name}
%check
export PERL_USE_UNSAFE_INC=1
make %{?_smp_mflags} check
%files -f %{name}.lang
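Review bot: `export PERL_USE_UNSAFE_INC=1` in %check puts the current directory back into Perl's `@INC`, the behaviour Perl 5.26 removed on security grounds, and the line has no comment saying which test script needs it. It is confined to %check, so the installed package is unaffected, but add a comment naming the failing test and prefer patching the test harness to load its helpers by explicit path. The changelog entry "Fix check test" should state the same.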
@ -41,9 +41,10 @@ make %{?_smp_mflags} check
%{_mandir}/*/*
%changelog
* Sat May 09 00:21:04 PST 2020 Nick Samson <nisamson@microsoft.com> - 4.2.1-4
* Mon Oct 19 2020 Andrew Phelps <anphel@microsoft.com> 4.2.1-5
- Fix check test
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 4.2.1-4
- Added %%license line automatically
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 4.2.1-3
- Initial CBL-Mariner import from Photon (license: Apache2).
* Sun Sep 09 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-2


@ -1,7 +1,7 @@
Summary: CBL-Mariner release files
Name: mariner-release
Version: 1.0
Release: 9%{?dist}
Release: 10%{?dist}
License: MIT
Group: System Environment/Base
URL: https://aka.ms/cbl-mariner
@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/issue.net
%changelog
* Sat Oct 24 2020 Jon Slobodzian <joslobo@microsoft.com> - 1.0-10
- Updating version for October update
* Fri Sep 04 2020 Mateusz Malisz <mamalisz@microsoft.com> - 1.0-9
- Remove empty %%post section, dropping dependency on /bin/sh
* Tue Aug 24 2020 Jon Slobodzian <joslobo@microsoft.com> - 1.0-8


@ -0,0 +1,9 @@
[mariner-preview]
name=CBL-Mariner Official Preview $releasever $basearch
baseurl=https://packages.microsoft.com/cbl-mariner/$releasever/preview/update/$basearch/rpms
gpgkey=file:///etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY file:///etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
gpgcheck=1
repo_gpgcheck=1
enabled=1
skip_if_unavailable=True
sslverify=1
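Review bot: `skip_if_unavailable=True` lets a transaction carry on without this repository when it cannot be reached, so a misconfigured or blocked preview channel goes unnoticed; confirm that is intended together with `enabled=1`, which makes preview packages candidates as soon as the subpackage is installed. The file also mixes boolean styles (`True` here, `1` for `gpgcheck`, `repo_gpgcheck`, `enabled` and `sslverify`); pick one.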


@ -3,6 +3,7 @@
"MICROSOFT-RPM-GPG-KEY": "1092f37ec429e58bf9c7f898df17c3c32eb2ce3c4c037afb8ffe2d2b42e16e89",
"MICROSOFT-METADATA-GPG-KEY": "1824ecffeda90cfe4178a99bddde450f09fd40e8faf4f0124fba16ea79998c4c",
"mariner-official-base.repo": "af485f85c5c856536c6ec2f73f0afd1d9c424396fce1c9ae6f40745a5f41503d",
"mariner-official-update.repo": "d80ed87ba6cf1e535131a9a68499b832dc87fc9add29cbae0f6cc76ebc36fbf3"
"mariner-official-update.repo": "d80ed87ba6cf1e535131a9a68499b832dc87fc9add29cbae0f6cc76ebc36fbf3",
"mariner-preview.repo": "7b5731bce3d0c81647144822a886a01912e325db10f7519e105b5224a25f1568"
}
}


@ -1,17 +1,18 @@
Summary: CBL-Mariner repo files, gpg keys
Name: mariner-repos
Version: 1.0
Release: 9%{?dist}
Release: 11%{?dist}
License: Apache License
Group: System Environment/Base
URL: https://aka.ms/mariner
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: MICROSOFT-RPM-GPG-KEY
Source1: MICROSOFT-METADATA-GPG-KEY
Source2: mariner-official-base.repo
Source3: mariner-official-update.repo
Vendor: Microsoft Corporation
Distribution: mariner
Provides: mariner-repos
Source4: mariner-preview.repo
Requires(post): gpgme
Requires(post): rpm
Requires(preun): gpgme
@ -21,11 +22,20 @@ BuildArch: noarch
%description
CBL-Mariner repo files and gpg keys
%package preview
Summary: CBL-Mariner preview repo file.
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description preview
%{summary}
%install
rm -rf $RPM_BUILD_ROOT
install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc/yum.repos.d
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/yum.repos.d
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/yum.repos.d
install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg
install -m 644 %{SOURCE0} $RPM_BUILD_ROOT/etc/pki/rpm-gpg
@ -34,7 +44,7 @@ install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/pki/rpm-gpg
%clean
rm -rf $RPM_BUILD_ROOT
%post
%posttrans
gpg --import /etc/pki/rpm-gpg/MICROSOFT-METADATA-GPG-KEY
gpg --import /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
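Review bot: The scriptlet becomes `%posttrans` here, but the dependencies declared for it in the header are still `Requires(post): gpgme` and `Requires(post): rpm`. Scriptlet-qualified requires tell rpm which scriptlet needs the dependency in place, so change both to `Requires(posttrans)` to match the scriptlet that now runs the two `gpg --import` commands.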
@ -52,7 +62,16 @@ gpg --batch --yes --delete-keys 2BC94FFF7015A5F28F1537AD0CD9FED33135CE90
%config(noreplace) /etc/yum.repos.d/mariner-official-base.repo
%config(noreplace) /etc/yum.repos.d/mariner-official-update.repo
%files preview
%defattr(-,root,root,-)
%config(noreplace) /etc/yum.repos.d/mariner-preview.repo
%changelog
* Thu Oct 01 2020 Emre Girgin <sarsoma@microsoft.com> - 1.0-11
- Change %%post scriptlet to %%posttrans in order to ensure it runs after %%postun during an upgrade.
* Mon Sep 28 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 1.0-10
- Adding configuration to access the preview repository.
- Removing redundant 'Provides'.
* Tue Aug 11 2020 Saravanan Somasundaram <sarsoma@microsoft.com> - 1.0-9
- Enable GPG Check and Import
* Mon Aug 10 2020 Saravanan Somasundaram <sarsoma@microsoft.com> - 1.0-8
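Review bot: The new 1.0-11 changelog entry pairs the name Emre Girgin with `sarsoma@microsoft.com`, the address used by Saravanan Somasundaram in the 1.0-9 and 1.0-8 entries below it, which looks like a copy-paste slip; correct the address. The 1.0-10 entry also drops the ` - ` separator before the version that the entries around it use.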


@ -0,0 +1,5 @@
{
"Signatures": {
"mm-common-1.0.0.tar.xz": "b97d9b041e5952486cab620b44ab09f6013a478f43b6699ae899b8a4da189cd4"
}
}


@ -0,0 +1,52 @@
Summary: mm-common module
Name: mm-common
Version: 1.0.0
Release: 3%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Libraries/C and C++
URL: https://gtkmm.org
Source0: https://ftp.gnome.org/pub/GNOME/sources/%{name}/1.0/%{name}-%{version}.tar.xz
%define debug_package %{nil}
BuildRequires: pkg-config
BuildArch: noarch
%description
The mm-common module provides the build infrastructure and utilities
shared among the GNOME C++ binding libraries. It is only a required
dependency for building the C++ bindings from the gnome.org version
control repository.
%prep
%setup -q
%build
./autogen.sh
%configure
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
%files
%license COPYING
%doc README
%{_bindir}/*
%{_datadir}/%{name}/*
%{_datadir}/pkgconfig/*
%{_datadir}/aclocal/*
%{_docdir}/%{name}/*
%{_mandir}/*
%changelog
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 1.0.0-3
- Update Source0 (removes need for libstdc++.tag file)
- Lint for Mariner style
- License verified
* Tue Jun 09 2020 Jonathan Chiu <jochi@microsoft.com> - 1.0.0-2
- Include libstdc++.tag in source files so package can be built offline
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> - 1.0.0-1
- Original version for CBL-Mariner
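Review bot: %build runs `./autogen.sh`, yet the only `BuildRequires` is `pkg-config`. If the script regenerates the build system, autoconf and automake must be declared; if the release tarball named in `Source0` already ships `configure`, drop the `./autogen.sh` call. Either way the spec should not rely on what happens to be present in the build root.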


@ -0,0 +1,5 @@
{
"Signatures": {
"msgpack-c-cpp-3.2.1.tar.gz" : "464f46744a6be778626d11452c4db3c2d09461080c6db42e358e21af19d542f6"
}
}


@ -0,0 +1,58 @@
Summary: MessagePack implementation for C and C++
Name: msgpack
Version: 3.2.1
Release: 2%{?dist}
License: Boost
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://msgpack.org
#Source0: https://github.com/%{name}/%{name}-c/archive/cpp-%{version}.tar.gz
Source0: %{name}-c-cpp-%{version}.tar.gz
%define _build_id_links none
BuildRequires: boost-devel
BuildRequires: cmake
BuildRequires: gcc
%description
MessagePack is an efficient binary serialization format,
which lets you exchange data among multiple languages like JSON,
except that it's faster and smaller.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}
%description devel
Development files for %{name}
%prep
%setup -q -n %{name}-c-cpp-%{version}
%build
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} ..
make %{?_smp_mflags}
%install
cd build
make install DESTDIR=%{buildroot}
%files
%license COPYING LICENSE_1_0.txt NOTICE
%{_libdir}/*.so.*
%files devel
%{_includedir}/*
%{_libdir}/cmake/*
%{_libdir}/pkgconfig/msgpack.pc
%{_libdir}/*.so
%{_libdir}/*.a
%changelog
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 3.2.1-2
- License verified and %%license added
- Update Source0
* Mon Mar 30 2020 Jonathan Chiu <jochi@microsoft.com> - 3.2.1-1
- Original version for CBL-Mariner
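Review bot: `Requires: %{name} = %{version}` in the devel subpackage omits the release, so a devel RPM from one release can be paired with runtime libraries from another; use `%{name} = %{version}-%{release}`. The main package installs `%{_libdir}/*.so.*` without ldconfig scriptlets, and there is no %check section, so the test suite of a deserialization library never runs during the package build. `Source0` is a bare file name with the download URL only in a comment above it; keep the URL in the tag so the origin of the hashed tarball stays on record.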


@ -0,0 +1,5 @@
{
"Signatures": {
"nlohmann-json-3.6.1.tar.gz": "80c45b090e40bf3d7a7f2a6e9f36206d3ff710acfa8d8cc1f8c763bb3075e22e"
}
}


@ -0,0 +1,55 @@
Summary: Modern C++11 JSON library
Name: nlohmann-json
Version: 3.6.1
Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment
URL: https://github.com/nlohmann/json
#Source0: https://github.com/nlohmann/json/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
%global debug_package %{nil}
BuildRequires: cmake
BuildRequires: gcc
%description
A modern C++ JSON library.
%package devel
Summary: Development files for %{name}
%description devel
Development files for %{name}
%prep
%setup -q -n json-%{version}
%build
mkdir build && cd build
%cmake ..
%make_build
%check
make test -C build
%install
%make_install -C build
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files devel
%defattr(-,root,root)
%license LICENSE.MIT
%doc README.md
%{_includedir}/nlohmann
%{_libdir}/cmake/nlohmann_json
%changelog
* Mon Oct 12 2020 Thomas Crain <thcrain@microsoft.com> - 3.6.1-2
- Update Source0
- License verified
* Tue Feb 11 2020 Nick Bopp <nichbop@microsoft.com> - 3.6.1-1
- Original version for CBL-Mariner.
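Review bot: `%post -p /sbin/ldconfig` and `%postun -p /sbin/ldconfig` attach to the main package, which has no %files section, while the only package with content, devel, installs `%{_includedir}/nlohmann` and CMake files and no shared objects. Drop both scriptlets. `Source0` is again a bare file name with the real URL only in a comment; keep the URL in the tag.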

SPECS/omi/buildtool.patch Normal file

@ -0,0 +1,153 @@
diff --git a/Unix/buildtool b/Unix/buildtool
--- a/Unix/buildtool 2020-09-29 10:33:36.055821162 -0700
+++ b/Unix/buildtool 2020-09-29 11:24:05.121922456 -0700
@@ -274,9 +274,9 @@
distro=`lsb_release -i | awk -F":" '{ print $2 }'`
distro_version=`lsb_release -r | awk -F":" '{ print $2 }'`
;;
- arm*:Linux:*)
+ aarch64*:Linux:*)
os=LINUX
- arch=ARM
+ arch=AARCH64
compiler=GNU
distro=`lsb_release -i | awk -F":" '{ print $2 }'`
distro_version=`lsb_release -r | awk -F":" '{ print $2 }'`
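Review bot: The `arm*:Linux:*` case is replaced by `aarch64*:Linux:*` rather than supplemented, so 32-bit ARM hosts no longer match here and every later `LINUX_ARM_GNU` alternative in this patch disappears with it. If 32-bit ARM is out of scope, say so in a header at the top of the patch file, which currently has none (no description, origin or upstream status); otherwise add the aarch64 case alongside the existing one.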
@@ -293,7 +293,7 @@
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
compiler_version=`gcc --version | awk -F" " 'match($0, /[0-9]*\.[0-9]*\.[0-9]*/){ if (match($0, /[0-9]*\.[0-9]*\.[0-9]*/, m)) print m[0] }'`
compiler_major_version=`echo $compiler_version | awk -F'.' '{ print $1}'`
compiler_minor_version=`echo $compiler_version | awk -F'.' '{ print $2}'`
@@ -573,7 +573,7 @@
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
echo gcc
;;
MONTAVISTA_IX86_GNU)
@@ -614,7 +614,7 @@
fi
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
echo g++
;;
MONTAVISTA_IX86_GNU)
@@ -689,7 +689,7 @@
LINUX_IX86_GNU|LINUX_X86_64_GNU)
echo size
;;
- LINUX_ARM_GNU)
+ LINUX_AARCH64_GNU)
echo size
;;
MONTAVISTA_IX86_GNU)
@@ -778,7 +778,7 @@
r="$r -g"
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|MONTAVISTA_IX86_GNU|NETBSD_IX86_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|MONTAVISTA_IX86_GNU|NETBSD_IX86_GNU|LINUX_AARCH64_GNU)
if test $cxx_opt ; then
r="$r -std=gnu++98"
fi
@@ -974,7 +974,7 @@
r=""
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
r="$r -shared"
test -n "$libpath_opt" && r="$r -Wl,-rpath=$libpath_opt"
;;
@@ -1098,7 +1098,7 @@
r=""
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
test -n "$libpath_opt" && r="$r -Wl,-rpath=$libpath_opt"
;;
MONTAVISTA_IX86_GNU)
@@ -1181,7 +1181,7 @@
r=""
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
r="gcc -M"
;;
MONTAVISTA_IX86_GNU)
@@ -1225,7 +1225,7 @@
r=""
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
r="-lpthread -ldl -lpam"
;;
MONTAVISTA_IX86_GNU)
@@ -1273,7 +1273,7 @@
args="$arg2 $arg3 $arg4 $arg5 $arg6 $arg7 $arg8 $arg9"
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
for path in $args
do
r="$r -Wl,-rpath=$path"
@@ -1360,7 +1360,7 @@
r=""
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
;;
MONTAVISTA_IX86_GNU)
;;
@@ -1441,7 +1441,7 @@
fi
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
echo "lib$arg2.so"
;;
MONTAVISTA_IX86_GNU)
@@ -1485,7 +1485,7 @@
fi
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
echo "so"
;;
MONTAVISTA_IX86_GNU)
@@ -1577,7 +1577,7 @@
if [ -z "$libdir" ]; then
case "$platform" in
- LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_ARM_GNU)
+ LINUX_IX86_GNU|LINUX_X86_64_GNU|LINUX_PPC_GNU|LINUX_AARCH64_GNU)
if [ -f "/usr/lib/libssl.so" ]; then
libdir=/usr/lib
fi
diff --git a/Unix/pal/palcommon.h b/Unix/pal/palcommon.h
--- a/Unix/pal/palcommon.h 2020-09-29 10:33:36.091821099 -0700
+++ b/Unix/pal/palcommon.h 2020-09-29 11:23:09.370299157 -0700
@@ -930,7 +930,7 @@
}
-#elif defined(CONFIG_ARCH_SPARC) || defined(CONFIG_ARCH_ARM)
+#elif defined(CONFIG_ARCH_SPARC) || defined(CONFIG_ARCH_AARCH64)
/* Sparc only does big endian */
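Review bot: `CONFIG_ARCH_AARCH64` now selects the branch whose only visible context is the comment "Sparc only does big endian". AArch64 Linux normally runs little-endian, so confirm that the code under this `#elif` does not assume big-endian byte order; if it does, aarch64 needs its own branch. The hunk shows none of the branch body, so this cannot be checked from the patch context alone.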

Some files were not shown because too many files have changed in this diff.